Thanks @utkonos - looks like a nice addition! Thanks also for the details and screenshots :) Here's a draft description - any edits would be appreciated: "A fake function call is used to call an address which confuses a disassembler and results in incorrect disassembly. Manually undefining a fake function call can enable the disassembler to produce the true code."
This is in a packer that I am analyzing at the moment. There is a lot of code in the packer that is never executed. It's all dead/junk/decoy code not actually part of the packer. It is all made to look like legitimate software, in this case VLC. In many locations in that dead/junk/decoy code are fake function calls which call an address in the middle of the API hash resolver function. This causes the resulting disassembly to be incorrect unless the function at that location is undefined. Once the function has been undefined the real function is revealed.

Technique: MBC::Anti-Static Analysis::Disassembler Evasion
Proposed Method: Fake Function Call [B0012.007]
Exemplar Sample: 0a7fd836d36ed8e8e9aa7bc41fdc9242333e8469059dec8886b7d935f3651679
Address of fake function: 0x100019f0

Broken disassembly: (screenshot)
Calls to fake function from dead code: (screenshot)
API hash resolver function after fix with fake function address highlighted and tagged: (screenshot)
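The pattern described in the post can be turned into a triage heuristic over a disassembler's function table: a function that starts exactly where the previous one was cut off, and whose only callers sit in code unreachable from the entry point, is a likely artifact of a fake call and can be merged back into its predecessor. The script below is an added example, not code from the post or the MBC project; the function names, address ranges and call sites are constructed to mirror the scenario (a decoy routine calling into the middle of the API hash resolver) and are not taken from the sample.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Func:
    name: str
    start: int
    end: int  # exclusive


@dataclass(frozen=True)
class Call:
    site: int    # address of the call instruction
    target: int  # call destination


def func_at(funcs, addr):
    """Function whose range contains addr, or None."""
    return next((f for f in funcs if f.start <= addr < f.end), None)


def reachable(funcs, calls, entry):
    """Names of functions reachable from entry by following call edges only."""
    seen, work = set(), deque([entry])
    while work:
        f = func_at(funcs, work.popleft())
        if f is None or f.name in seen:
            continue
        seen.add(f.name)
        work.extend(c.target for c in calls if f.start <= c.site < f.end)
    return seen


def suspect_fake_functions(funcs, calls, entry):
    """(predecessor, suspect) pairs: suspect begins where predecessor ends and
    every call to its start comes from dead code (or from no function at all)."""
    live = reachable(funcs, calls, entry)
    ends = {f.end: f for f in funcs}
    out = []
    for f in funcs:
        callers = [func_at(funcs, c.site) for c in calls if c.target == f.start]
        if f.start in ends and callers and all(c is None or c.name not in live for c in callers):
            out.append((ends[f.start], f))
    return out


def undefine(funcs, pairs):
    """Merge each suspect back into its predecessor, highest address first so chains work."""
    by_start = {f.start: f for f in funcs}
    for prev, fake in sorted(pairs, key=lambda p: p[1].start, reverse=True):
        cur_prev, cur_fake = by_start.pop(prev.start), by_start.pop(fake.start)
        by_start[prev.start] = Func(cur_prev.name, cur_prev.start, cur_fake.end)
    return sorted(by_start.values(), key=lambda f: f.start)


# Constructed "broken" function table: the resolver has been split at the fake call target.
BROKEN = [
    Func("entry", 0x10001000, 0x10001080),
    Func("api_hash_resolver", 0x10001980, 0x100019F0),  # cut short by the split
    Func("sub_100019f0", 0x100019F0, 0x10001A40),        # the "fake function"
    Func("decoy_vlc_init", 0x10003000, 0x10003100),      # dead code, never executed
]
CALLS = [
    Call(0x10001010, 0x10001980),  # entry -> resolver start: genuine call
    Call(0x10003020, 0x100019F0),  # decoy -> mid-resolver: the fake call
    Call(0x10003040, 0x10003000),  # decoy -> its own entry: not a split point, ignored
]
```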