Yo,

I found this some time ago while reversing a packed binary. Even tho it's kinda useless, I wrote some code which shows the proof of concept (mainly because I got bored).

Code:

//__stdcall ONLY!
void ObfuscateCall(uintptr_t pCallAddr, int iNumberOfArgs, int iAdd, int iAdd2)
{
DWORD dwOldProtect;
PVOID pHiddenCaller = _alloca(0x100);
VirtualProtect(pHiddenCaller, 0x100, PAGE_EXECUTE_READWRITE, &dwOldProtect);

//push ebp
//mov ebp, esp
//sub esp, 0
BYTE pProlog[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x0 };


//mov esp, ebp
//pop ebp
//ret sizeofargs
//this will not work if sizeofargs > 0xFF, easy fixable tho
BYTE pEpilog[] = { 0x8B, 0xE5, 0x5D, 0xC2, (4 /*sizeof(pCallAddr)*/ + sizeof(iAdd) + sizeof(iAdd2)), 0x00 };


BYTE pArgs[256];

for (int i = 0; i < iNumberOfArgs; i++)
{
int iArrayAccess = i * 10;

//relative jmp (E9 02000000)
pArgs[iArrayAccess] = 0xE9;
*(uintptr_t*)(pArgs + (iArrayAccess + 1)) = 0x2;

pArgs[iArrayAccess + 5] = 0xC3; //junkbyte

pArgs[iArrayAccess + 6] = (BYTE)iArrayAccess; //another junkbyte, i chose iArrayAccess here to make it different each push

//push dword ptr[ebp + (i * 0x4)]
pArgs[iArrayAccess + 7] = 0xFF;
pArgs[iArrayAccess + 8] = 0x75;
pArgs[iArrayAccess + 9] = 0x0C + (i * 0x4);
}


BYTE pJump[5];

//relative jmp (E9 02000000), this one jumps to our call
pJump[0] = 0xE9; //JMP
*(uintptr_t*)((uintptr_t)pJump + 1) = 0x2;

//first argument (pCallAddr) is located at ebp + 8
BYTE pCall[5] = { 0xC3 /*junkbyte*/, 0xC2/*junkbyte*/, 0xFF /*call*/, 0x55/*dword ptr*/, 0x08/*ebp + 8*/ };



//copy all those sweet bytes
memcpy((PVOID)pHiddenCaller, pProlog, 6);
memcpy((PVOID)((uintptr_t)pHiddenCaller + 6), (PBYTE)pArgs, 10 * iNumberOfArgs);
memcpy((PVOID)((uintptr_t)pHiddenCaller + (6 + (10 * iNumberOfArgs))), (PBYTE)pJump, 5);
memcpy((PVOID)((uintptr_t)pHiddenCaller + (6 + (10 * iNumberOfArgs) + 5)), (PBYTE)pCall, 5);
memcpy((PVOID)((uintptr_t)pHiddenCaller + (6 + (10 * iNumberOfArgs) + 10)), (PBYTE)pEpilog, 6);



//push args and call address to our caller
__asm
{
push iAdd2
push iAdd

mov eax, pCallAddr
push eax

call pHiddenCaller
}

}

//Usage:
void __stdcall AddMe(int iAdd, int iAdd2)
{
printf("%i\n", iAdd + iAdd2);
}

ObfuscateCall((uintptr_t)pCallAddr, 2, 5, 10);

//Output: 15

I kinda rushed through this when I was writing this, I didn't care about the code being ugly or uncomfortable to use.

But what is this even doing? Basically this is just wrapping around the function you want to call. By adding some junk bytes (which you're going to skip by using JMP's then) inside the opcode debuggers get confused (only tested this with OllyDbg).

This is how such a call looks like, I've marked the beginning and the end of my code.

http://www11.pic-upload.de/25.06.15/gpi8kd456s.png

I know you can just step through this and it will fix the opcode as long as you don't scroll up/down. But still it was fun to write.


Original Writen by 1337floesen in Assembly Category, the date of 26-06-2015 21:18.