1

I am trying to attach debug a program that has an "anti-debug" feature on it. When stepping through, it seems to step through a maze of call and jmp commands that eventually just loop around. The loop only happens when stepping line by line and I am trying to understand it.

I don't know if there is added obfuscation, but why would lines such as this appear?

014D658C   0FCA    BSWAP EDX
014D658E   0FCA    BSWAP EDX

If I understand correctly, BSWAP will just invert the bits, but twice in a row should leave the EDX register untouched. I've also noticed other strange things like comparing registers and then seemingly doing nothing with the result (no jump calls after or setcc or anything like that)

014D657C   66:81FF 8408     CMP DI,884
014D6581   30D8             XOR AL,BL
014D6583   8D96 1A30A4DD    LEA EDX,DWORD PTR DS:[ESI+DDA4301A]
Chemistpp
  • 133
  • 1
  • 4
  • Yes, this looks like obfuscation. The two BSWAPs don't do anything (watch out for code jumping to the second BSWAP however, and the CMP DI,884 doesn't do anything either (as the the next instruction resets the flags). This may be an attempt to evade antivirus signatures as well, by introducing nonsense into the code that can be modified to different nosense easily. – Guntram Blohm Jul 30 '15 at 20:01
  • Okay, I am currently going through the loop each process at a time trying to resolve what is actually important. This is kind of fun, like a puzzle. – Chemistpp Jul 30 '15 at 20:11
  • BSWAP does not invert bits, but swaps the low and high-order 16 bits of a 32 bit register. Two in a row (with the same register) are a NOP. – josh Jul 30 '15 at 22:19
  • Yeah, I meant invert them from end to end, but I can see how that is confusing. I meant swap the order is all. Twice in a row, still is pointless. – Chemistpp Jul 30 '15 at 22:25
  • Done some reading about this, apparently people can get serious and send you into a loop softly at first that is nonsensical just to waste your time... filthy. I've learned about assembly language though. – Chemistpp Jul 31 '15 at 18:17
  • @GuntramBlohm Is it better to repost another question related to the same problem or edit this one? – Chemistpp Aug 01 '15 at 15:46
  • Depends on whether that is a clarification of the current question. Rule of thumb: if the other question is comprehensible without refering to this one, write another. I generally don't edit questions unless i made a mistake, or a comment prompts me to amend some information. – Guntram Blohm Aug 01 '15 at 16:26

0 Answers0