Author Topic: Question about how functions are being called.  (Read 1314 times)

XutaxKamay
Question about how functions are being called.
« on: May 22, 2018, 04:43:10 am »
Hello, this might be a very noob question, sorry for that, but has anyone met, in a compiled executable, a case where the start address of a function is called without the "call" (0xE8) opcode?

Code:
10000000 call ...

Code:
10000000 ??? ...

I know the jmp instructions are usually used for jumping somewhere else inside a function, but I don't know whether any compiler would do a jmp to another function directly.

Thank you for your replies.

Sarka
Re: Question about how functions are being called.
« Reply #1 on: May 22, 2018, 05:31:41 pm »
If you use options that control various sorts of optimization, such as -O3 (gcc), call instructions are most likely gonna be replaced by jumps.

xchg
Re: Question about how functions are being called.
« Reply #2 on: July 02, 2018, 08:26:44 am »
Quote from: Sarka on May 22, 2018, 05:31:41 pm
If you use options that control various sorts of optimization such as -O3 (gcc), call instructions are most likely gonna be replaced by jumps

This may very possibly be the case.

Watch your compiler settings :)

guest113
Re: Question about how functions are being called.
« Reply #3 on: August 13, 2018, 12:01:15 pm »
Yes, O3 will try to heavily replace calls with jmps. If you use LLVM you can write a new LLVM intrinsic that then uses an LLVM pass which searches the LLVM IR for all 'calls' and replaces them with your defined settings.

If you want to add to your code with inline assembly or create an LLVM intrinsic, you may find the following to be helpful.

TLDR; I would suggest reading thesis papers from 2000 -> 2010 regarding call and branch obfuscations. They cover a lot of information and heavily reference analysis of the early days of heavily obfuscated assembly viruses.

There are three known ways to "call" when doing assembly. A lot of the posts I've seen online tell you how to write them but don't really show how it is all set up on the esp stack. Notice that the esp stack looks the same throughout all examples.

First, the normal style approach with call:
Code:
PUSH eax ; pushing the function parameter to top stack esp
CALL DeleteFileA ; branch transferring control to DeleteFileA
RET_LOC: ; CALL will push the following address (RET_LOC) to top stack esp for reference on a return point
;------------------------
; preload call: esp stack visual ↓
[esp+0] DeleteFileA
[esp+4] RET_LOC
[esp+8] eax
;------------------------
; after CALL popping [esp+0] to eip: esp stack visual ↓
[esp+0] RET_LOC
[esp+4] eax
; eip visual:
10000000  DeleteFileA

Second, the hook style approach with jmp:
Code:
PUSH eax ; pushing the function parameter to stack esp
PUSH $+10 ; push RET_LOC aka (current ip + 10) to top stack esp (will return to this address after jmp); 10 = 5 bytes PUSH imm32 + 5 bytes JMP rel32
JMP DeleteFileA ; transferring control to DeleteFileA
RET_LOC: ; following address is needed for a return point, hence PUSH $+10
;------------------------
; preload call: esp stack visual ↓
[esp+0] DeleteFileA
[esp+4] RET_LOC
[esp+8] eax
;------------------------
; after JMP popping [esp+0] to eip: esp stack visual ↓
[esp+0] RET_LOC
[esp+4] eax
; eip visual:
10000000  DeleteFileA

Third, the rop style approach with ret:
Code:
PUSH eax ; pushing the function parameter to top stack esp
PUSH $+11 ; push RET_LOC aka (current ip + 11) to top stack esp (will return to this address after ret); 11 = 5 + 5 bytes PUSH imm32 + 1 byte RET
PUSH offset DeleteFileA ; pushing the actual function address to top stack esp
RET ; transferring control to DeleteFileA, it pops the last value from the stack into eip
RET_LOC: ; following address is needed for a return point, hence PUSH $+11
;------------------------
; preload call: esp stack visual ↓
[esp+0] DeleteFileA
[esp+4] RET_LOC
[esp+8] eax
;------------------------
; after RET popping [esp+0] to eip: esp stack visual ↓
[esp+0] RET_LOC
[esp+4] eax
; eip visual:
10000000  DeleteFileA

All approaches build up to the same esp output, then move the top of the stack (DeleteFileA) to eip with (call, jmp, or ret). Basically we need to output the same structure onto the esp stack and then set the top of the esp stack to eip. This can be done in various other ways, and we can obfuscate the required parameter instructions and continue to layer the obfuscations until we get a satisfactory result. I have provided some simple instruction alternatives below that can be used to add confusion.

Code:
PUSH reg:

SUB ESP, 4
MOV [ESP], reg

Code:
POP reg:

MOV reg, [ESP]
ADD ESP, 4

Code:
RET: ; pops the return address off the top of the esp stack into eip; RET n then also discards n bytes of parameters

POP reg ; reg is clobbered by this form
JMP reg

Code:
RET 4:

POP reg ; reg is clobbered by this form
ADD ESP, 4
JMP reg

Code:
MOV reg_1, reg_2:

PUSH reg_2
POP reg_1

or

SUB ESP, 4
MOV [ESP], reg_2
MOV reg_1, [ESP]
ADD ESP, 4

Code:
MOV reg, data:

PUSH data
POP reg

or

SUB ESP, 4
MOV [ESP], data
MOV reg, [ESP]
ADD ESP, 4

or

PUSH data
ADD esp, 4 ; stack junk : data is now below esp
SUB esp, 4 ; stack junk : terminate stack increase
MOV reg, [esp] ; relies on the slot below esp not being overwritten in between (e.g. by a signal handler)
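To show the three call shapes above from the analysis side, here is an added example (not part of guest113's post) that scans a constructed x86 listing and recovers every call-like transfer, whether it is a real `call`, a `push ret_addr; jmp target`, or a `push ret_addr; push target; ret`. The listing, addresses and the toy operand parser are assumptions for the example; a real tool would use a disassembler's instruction sizes instead of "the next listed address".

```python
import re
from typing import List, Tuple

# Constructed listing: "addr  mnemonic operands", one instruction per line.
# It contains one of each shape from the post, plus a bare jmp (tail call) that must NOT be flagged.
LISTING = """
10000000  push eax
10000001  call 10002000
10000006  mov ebx, eax
10000008  push eax
10000009  push 10000013
1000000e  jmp 10002000
10000013  push eax
10000014  push 1000001f
10000019  push 10002000
1000001e  ret
1000001f  xor eax, eax
10000021  jmp 10003000
"""

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\w+)\s*(.*)$")

def parse(listing: str) -> List[Tuple[int, str, str]]:
    """Turn the text listing into (address, mnemonic, operand) tuples."""
    out = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return out

def is_imm(op: str) -> bool:
    # Toy check: a bare hex number is an immediate; registers ("eax") fail this.
    return re.fullmatch(r"[0-9a-fA-F]+", op) is not None

def find_transfers(listing: str) -> List[Tuple[str, int, int]]:
    """Return (kind, address of the first instruction of the sequence, target) for each call-like transfer."""
    insns = parse(listing)
    found = []
    for i, (addr, mn, op) in enumerate(insns):
        nxt = insns[i + 1][0] if i + 1 < len(insns) else None  # address the pushed return must equal
        if mn == "call" and is_imm(op):
            found.append(("call", addr, int(op, 16)))
        elif mn == "jmp" and is_imm(op) and i >= 1 and nxt is not None:
            p_addr, p_mn, p_op = insns[i - 1]
            if p_mn == "push" and is_imm(p_op) and int(p_op, 16) == nxt:
                found.append(("push/jmp", p_addr, int(op, 16)))
        elif mn == "ret" and i >= 2 and nxt is not None:
            (a1, m1, o1), (_, m2, o2) = insns[i - 2], insns[i - 1]
            if m1 == m2 == "push" and is_imm(o1) and is_imm(o2) and int(o1, 16) == nxt:
                found.append(("push/push/ret", a1, int(o2, 16)))
    return found
```

The bare `jmp 10003000` at the end is left alone because nothing pushed its return address; that is the tail-call shape an optimizing compiler emits and it is not a disguised call.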