You hit the nail on the head.
The only way to effectively disassemble this stuff is to use a virtual machine kind of environment
or dump while debugging ...
Now as for junk macros... any opcode which is more than 1 byte can be turned into a junk opcode.... obviously the most effective are the really long ones like far calls and far jmps, but obscure 2-3 byte instructions work just as well...
I still think self-modifying code is the most effective way to beat disassembling: write a full code generator
like this pseudo code
<--code-->
data: db 0x0a,0x85,0xde,0x09,0x87,0x45,0x34,0x12
KEY   equ 0x55                ; whatever single-byte key the code was XORed with
      mov   esi, data + 7     ; walk the array backwards so the pushed bytes
      mov   ecx, 8            ; land in forward order on the stack
@1:   movzx eax, byte [esi]   ; load data element
      xor   al, KEY           ; xor it by key
      dec   esp
      mov   [esp], al         ; push onto stack (one byte at a time)
      dec   esi
      loop  @1
      jmp   esp               ; jmp to stack
<--code-->
So disassembling this will just result in understanding the loading routine and not the XORed actual code stored in the data array.
So basically all your program is, is a loader of stuff into areas of memory with jmps to that memory (i.e. using calls to allocmem()).
That would represent the best anti-disasm routines... unfortunately high-level languages don't compile code like this, so you have two options:
1. Write a compiler which does this.
2. Write / use an exe protection tool.
Now 1 is hard but the best bet in the long run
and 2 is a fuck-up because you know that no matter how obscure the exe protector, somebody somewhere will always unpack it.....