
I have recently come across the following sequence of assembly instructions.

call    ds:WSAStartup
push    ecx
push    edi
mov     ecx, 69E65AC4h
mov     edi, 2776452Ah
pop     edi
pop     ecx
jmp     short loc_ABCD

Please help me make sense of these particular 4 instructions below:

mov     ecx, 69E65AC4h
mov     edi, 2776452Ah
pop     edi
pop     ecx

Why would you move direct values into registers, just to overwrite them with the next 2 instructions?

ADDED: In regard to Rolf Rolles' and peter ferrie's comments below. First off, thank you, guys, for your input. I really appreciate it. What puzzles me the most and seems to be relatively interesting is the fact that the executable in question seems to be clean and clear of code obfuscation of any sort. How relevant is such a small amount of obfuscation for AV-defeating purposes? I would assume, not too relevant.

I have also come across the post here on RE, "What is the purpose of 'mov edi, edi'?". RE user QAZ, on the accepted answer, mentioned something about support for run-time hot patching. Could it be something along those lines?

perror
PSS

1 Answer


Without further information, it looks like deliberate obfuscation: instructions with no ultimate effect inserted into the code to make it harder to read. I doubt that code was generated by a compiler.

Rolf Rolles
  • I thought about it as well. But it is in line after normal "making total sense" instructions. I don't even see it being of any use for obfuscation purposes. 4 instructions inside perfectly easy to read and follow assembly. Totally weird :) – PSS Jun 02 '13 at 03:39
  • Post some more of the context, then; some more instructions before and after. – Rolf Rolles Jun 02 '13 at 03:40
  • 1
    Updated. Calls WSStartup and then jumps right after. Nothing extraordinary. – PSS Jun 02 '13 at 03:45
  • 1
    It seems definitely to be obfuscation. The compiler is pretty good about eliminating useless code like that (through non-memory-based liveness analysis, one of the oldest and simplest global data flow analyses) so I doubt that code would be generated by a compiler, except perhaps with optimizations disabled (and even then I am skeptical, since the values are not used in any computation). – Rolf Rolles Jun 02 '13 at 07:29
  • 2
    it's used to attempt to defeat AV signatures, by inserting useless instructions that would otherwise allow a match against the call. – peter ferrie Jun 02 '13 at 21:27
  • It could be an anti-AV mechanism, but obfuscation has plenty of purposes in the anti-comprehension realm as well. It could even be both. – Rolf Rolles Jun 02 '13 at 22:01
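An added example, not from the question or any answer above: a small Python script that applies the two checks the answer and comments rely on to the quoted block. The first is the backward liveness ("dead store") pass a compiler would run, which flags the two mov instructions because ecx and edi are overwritten by the pops before anything reads them. The second is a symbolic trace of the push/mov/pop region showing that it restores both registers and leaves the stack balanced, i.e. it has no ultimate effect. The parser and register model are my own simplifications: flags, memory and esp are ignored, and call/jmp are treated as barriers that may read every register.

```python
"""Dead-store and net-effect checks for a short straight-line x86 block."""
from dataclasses import dataclass

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

# The instruction block from the question, embedded as text. The call and
# jmp are kept as the boundaries of the straight-line region in between.
SAMPLE = """
call    ds:WSAStartup
push    ecx
push    edi
mov     ecx, 69E65AC4h
mov     edi, 2776452Ah
pop     edi
pop     ecx
jmp     short loc_ABCD
"""


@dataclass
class Insn:
    mnemonic: str
    operands: list


def parse(asm):
    """Very small disassembly-listing parser: one instruction per line,
    operands comma-separated, ';' starts a comment."""
    insns = []
    for line in asm.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip().lower() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append(Insn(mnem, ops))
    return insns


def uses_defs(insn):
    """Registers read and written by one instruction (conservative model)."""
    m, ops = insn.mnemonic, insn.operands
    if m == "mov":
        reads = {ops[1]} if ops[1] in REGS else set()
        return reads, {ops[0]}
    if m == "push":
        return ({ops[0]} if ops[0] in REGS else set()), set()
    if m == "pop":
        return set(), {ops[0]}
    # call / jmp / anything else: assume every register may be read, none killed
    return set(REGS), set()


def dead_stores(insns):
    """Backward liveness over the block. Returns the indices of every mov
    whose destination register is overwritten before any later read."""
    live = set(REGS)          # conservative: everything live at the exit
    dead = []
    for i in range(len(insns) - 1, -1, -1):
        reads, writes = uses_defs(insns[i])
        if insns[i].mnemonic == "mov" and not (writes & live):
            dead.append(i)
        live = (live - writes) | reads
    return sorted(dead)


def net_effect(insns, start, end):
    """Symbolically execute insns[start:end] (mov/push/pop only). Registers
    start as symbols named after themselves; returns the final register map
    and the number of values still on the stack."""
    regs = {r: r + "0" for r in REGS if r != "esp"}
    stack = []
    for insn in insns[start:end]:
        m, ops = insn.mnemonic, insn.operands
        if m == "mov":
            regs[ops[0]] = regs.get(ops[1], ops[1])
        elif m == "push":
            stack.append(regs.get(ops[0], ops[0]))
        elif m == "pop":
            regs[ops[0]] = stack.pop()
        else:
            raise ValueError(f"unsupported instruction in region: {m}")
    return regs, len(stack)


def is_effectless(insns, start, end):
    """True when the region leaves every modelled register unchanged and the
    stack balanced, i.e. it could be deleted without changing behaviour."""
    regs, depth = net_effect(insns, start, end)
    return depth == 0 and all(regs[r] == r + "0" for r in regs)


if __name__ == "__main__":
    insns = parse(SAMPLE)
    for i in dead_stores(insns):
        print(f"dead store at {i}: {insns[i].mnemonic} {', '.join(insns[i].operands)}")
    print("push..pop region effectless:", is_effectless(insns, 1, 7))
```

Running it reports the two mov instructions (indices 3 and 4 in the block) as dead stores and the push..pop region as effectless, which is the analysis a compiler's liveness pass would use to delete them. On real code the same idea needs a real decoder (flags, memory operands and partial registers all matter), but the shape of the check is the same.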