Looking for obfuscation patterns within jumps

Reverse Engineering Asked by stokdam on September 30, 2021

I’m working on an obfuscated binary. I recognized some patterns used to confuse the disassembler, some used to obfuscate function calls, some others for conditional jumps and so on.

The idea was to search these patterns along the binary. The problem is that such patterns are often interleaved with unconditional jumps.

For example this code is used to replace a simple conditional jump:

push    offset loc_123456       ; default return target (the "not taken" branch)
push    ebx                     ; preserve the scratch registers
push    eax
mov     ebx, [esp+8]            ; ebx = loc_123456 (the pushed return target)
mov     eax, offset loc_654321  ; eax = alternative target (the "taken" branch)
cmovz   ebx, eax                ; if ZF is set, select loc_654321 instead
mov     [esp+8], ebx            ; overwrite the pushed return address with the choice
pop     eax                     ; restore scratch registers
pop     ebx
retn                            ; "return" into the selected target: acts as jz/jnz

The problem is that this pattern is often split into two or more parts (because the whole code is split into several blocks that are spread everywhere in the binary and then connected with unconditional jumps), and of course I cannot find it with a simple byte pattern search.

Is there any way to look for all the pieces of code that satisfy a pattern even if they are broken into 2 (or more) pieces and connected with an unconditional jump?
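One way to approach this, as an added example that is not part of the question or of any tool the poster uses: instead of matching bytes, match on a disassembly listing after "linearizing" it, i.e. following every direct unconditional jmp and dropping the jmp itself so that the logical instruction stream is reconstructed, then matching an instruction-level pattern (mnemonic plus operand regexes) against that stream. The listing below is a constructed toy (address to mnemonic/operands) standing in for whatever a real disassembler would produce; the fall-through rule (next higher address) and the `0x...` jump-operand format are assumptions of the toy, not of any real binary. The pattern generalizes the posted sequence slightly by accepting any cmovcc variant and any symbolic offset.

```python
import re
from typing import Dict, List, Optional, Tuple

Instr = Tuple[str, str]            # (mnemonic, operands)
Listing = Dict[int, Instr]         # address -> instruction

# Constructed toy listing (not from a real binary): the cmovz/retn conditional-jump
# replacement from the question, split into three blocks joined by unconditional jmps.
LISTING: Listing = {
    0x1000: ("push", "offset loc_123456"),
    0x1005: ("push", "ebx"),
    0x1006: ("jmp", "0x2000"),
    0x2000: ("push", "eax"),
    0x2001: ("mov", "ebx, [esp+8]"),
    0x2005: ("jmp", "0x3000"),
    0x3000: ("mov", "eax, offset loc_654321"),
    0x3005: ("cmovz", "ebx, eax"),
    0x3008: ("mov", "[esp+8], ebx"),
    0x300c: ("pop", "eax"),
    0x300d: ("pop", "ebx"),
    0x300e: ("retn", ""),
    0x4000: ("push", "eax"),          # a jmp cycle, to exercise the visited check
    0x4001: ("jmp", "0x4000"),
}

# Pattern entries are (mnemonic regex, operands regex); both must fullmatch.
# "cmov\w+" accepts any cmovcc, and "\w+" accepts any symbolic target name.
CMOV_RET_PATTERN: List[Tuple[str, str]] = [
    ("push",    r"offset \w+"),
    ("push",    r"ebx"),
    ("push",    r"eax"),
    ("mov",     r"ebx, \[esp\+8\]"),
    ("mov",     r"eax, offset \w+"),
    (r"cmov\w+", r"ebx, eax"),
    ("mov",     r"\[esp\+8\], ebx"),
    ("pop",     r"eax"),
    ("pop",     r"ebx"),
    (r"retn?",  r""),
]


def parse_target(operands: str) -> Optional[int]:
    """Direct jmp target in the toy '0x....' form; None for anything else (indirect)."""
    m = re.fullmatch(r"0x[0-9a-fA-F]+", operands.strip())
    return int(m.group(0), 16) if m else None


def linearize(listing: Listing, start: int, max_len: int = 64) -> List[Tuple[int, str, str]]:
    """Walk from `start`, following direct unconditional jmps and omitting them, so the
    returned stream is the logical instruction sequence. Stops at ret, at an indirect
    jmp, at an address already visited (jmp cycle), or after max_len instructions."""
    addrs = sorted(listing)
    seen = set()
    stream: List[Tuple[int, str, str]] = []
    addr = start
    while addr in listing and addr not in seen and len(stream) < max_len:
        seen.add(addr)
        mnem, ops = listing[addr]
        if mnem == "jmp":
            target = parse_target(ops)
            if target is None:
                break                       # indirect jmp: cannot follow statically
            addr = target
            continue
        stream.append((addr, mnem, ops))
        if mnem in ("ret", "retn"):
            break
        i = addrs.index(addr)
        if i + 1 >= len(addrs):
            break
        addr = addrs[i + 1]                 # toy fall-through: next higher address
    return stream


def match_at(stream: List[Tuple[int, str, str]], pattern: List[Tuple[str, str]]) -> bool:
    """True if `pattern` matches the first len(pattern) instructions of `stream`."""
    if len(stream) < len(pattern):
        return False
    for (_, mnem, ops), (pm, pops) in zip(stream, pattern):
        if re.fullmatch(pm, mnem) is None or re.fullmatch(pops, ops) is None:
            return False
    return True


def find_pattern(listing: Listing, pattern: List[Tuple[str, str]]) -> List[Tuple[int, List[int]]]:
    """Try every address as a start point; report (start, addresses of the matched
    instructions) so the scattered pieces can be located and annotated."""
    hits = []
    for start in sorted(listing):
        stream = linearize(listing, start)
        if match_at(stream, pattern):
            hits.append((start, [a for a, _, _ in stream[:len(pattern)]]))
    return hits


if __name__ == "__main__":
    for start, addrs in find_pattern(LISTING, CMOV_RET_PATTERN):
        print(f"cmov/retn conditional-jump pattern at {start:#x}: "
              + ", ".join(f"{a:#x}" for a in addrs))
```

Because the jmps are removed during linearization, the same pattern matches whether the sequence is contiguous or scattered across any number of blocks; the visited set keeps a jmp cycle from looping forever, and stopping at an indirect jmp avoids guessing a target the listing cannot resolve. In practice the toy `LISTING` would be replaced by the output of a real disassembler, and the pattern operands would be loosened with regexes where the obfuscator varies the registers.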
