Redundancy of x86 Machine Code
There are many ways to encode the same assembly language program in machine code. The encoding of ModR/M and SIB bytes is redundant; the SHL instruction has two equivalent opcodes; the operands can be swapped for some instructions. You can use this redundancy to identify the compiler, or even to hide some information inside your executable files.
Some examples are listed below.
A typical instruction of the x86 architecture has two opcodes. The first of them takes a register as the first operand and a register or a memory location as the second one (which is abbreviated "reg, reg/mem32" in the opcode reference or "Gv, Ev" in the opcode table). The operands for the second opcode are reversed (which is abbreviated "reg/mem32, reg" or "Ev, Gv"). This makes sense: the processor must know whether it copies to the memory or from the memory. But when both operands are registers, the encoding becomes redundant:
; mod reg r/m
03C3 add eax, ebx ; 11 000 011
01D8 add eax, ebx ; 11 011 000
The opcode 03 (ADD reg, r/m) tells the processor to take the first operand from the reg field and the second from the r/m field. 000 is the encoding for the eax register, and 011 means the ebx register. So 03C3 is disassembled as "add eax, ebx".
The opcode 01 means "ADD r/m, reg", so the first operand is taken from r/m (000, which means eax), and the second from reg (011, which means ebx). This again gives us "add eax, ebx".
The encodings for these instructions are redundant: add, adc, and, xor, or, sbb, sub, cmp, and mov. Some assemblers emit 03C3 for "add eax, ebx", and some emit 01D8, so this trick can be used to identify the compiler that produced a particular executable file.
You can also swap the base and the index register if the index is not scaled (if the scale factor is 1):
; base index
C60418 05 mov byte[eax + ebx*1],5
C60403 05 mov byte[ebx + eax*1],5
There are two different opcode extensions for SAL/SHL: /4 and /6 (100 and 110 in binary). Intel's manual documents only /4; AMD's manual mentions both of them (and /6 works fine on Pentiums). This again can help to distinguish between compilers.
The TEST instruction with an immediate operand also has two opcode extensions (/0 and /1):
F7C3 05000000 test ebx, 5
F7CB 05000000 test ebx, 5
Again, the alternative encoding is documented only in AMD's manual, but it also works on Intel processors. Many disassemblers and debuggers (including OllyDbg) cannot recognize the second encoding, so you can use it in anti-debugging code.
Alternative opcode for instructions with an immediate byte operand
Some instructions (namely add, or, adc, sbb, and, sub, xor, and cmp) have two opcodes when used with an immediate byte operand. Here is an example:
8000 00 add byte[eax],0
8200 00 add byte[eax],0
The second opcode is invalid in 64-bit mode, so this trick can be used only in 32-bit mode.
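The tricks above (operand swap, base/index swap, SHL /6, TEST /1, and the 82 alias) can be checked mechanically. The following Python is an added example, not code from the original article: it decodes ModR/M and SIB fields, produces the equivalent alternative encoding, and names the variant a given instruction uses, which is what a scanner looking for compiler fingerprints or Hydan-style carriers needs. It assumes 32-bit code without prefix bytes and is not a general disassembler; the sample bytes are the ones from this page.

```python
"""Added example: spot the redundant x86 encodings discussed above and
produce the equivalent alternative.  Assumes 32-bit operand size and no
prefix bytes; sample inputs are constructed from this page's examples."""

# ALU "r/m, reg" opcodes; the "reg, r/m" form of each is opcode + 2.
ALU_RM_REG = {0x01: "add", 0x09: "or", 0x11: "adc", 0x19: "sbb",
              0x21: "and", 0x29: "sub", 0x31: "xor", 0x39: "cmp", 0x89: "mov"}
ALU_REG_RM = {op + 2: name for op, name in ALU_RM_REG.items()}
SHIFT_OPS = {0xC0, 0xC1, 0xD0, 0xD1, 0xD2, 0xD3}   # group 2: /4 and /6 both mean SHL


def split_modrm(b: int):
    """Return (mod, reg, r/m); the SIB byte uses the same 2-3-3 layout."""
    return b >> 6, (b >> 3) & 7, b & 7


def swap_reg_reg(code: bytes) -> bytes:
    """03 C3 <-> 01 D8: flip the direction (opcode +/- 2) and exchange reg and r/m."""
    op, (mod, reg, rm) = code[0], split_modrm(code[1])
    if mod != 3 or (op not in ALU_RM_REG and op not in ALU_REG_RM):
        raise ValueError("not a two-register ALU instruction")
    new_op = op + 2 if op in ALU_RM_REG else op - 2
    return bytes([new_op, 0xC0 | (rm << 3) | reg]) + code[2:]


def swap_base_index(code: bytes) -> bytes:
    """C6 04 18 <-> C6 04 03: exchange base and index when the scale is 1."""
    mod, _, rm = split_modrm(code[1])
    scale, index, base = split_modrm(code[2])
    if mod == 3 or rm != 4 or scale != 0:
        raise ValueError("no unscaled SIB addressing here")
    # esp can never be an index; with mod=00, base=101 means disp32, not ebp.
    if 4 in (index, base) or (mod == 0 and 5 in (index, base)):
        raise ValueError("swap would change the addressing mode")
    return code[:2] + bytes([(base << 3) | index]) + code[3:]


def encoding_hint(code: bytes) -> str:
    """Name the non-obvious encoding variant an instruction uses, if any."""
    op, (mod, reg, _) = code[0], split_modrm(code[1])
    if op == 0x82:
        return "82 alias of 80 (invalid in 64-bit mode)"
    if op in (0xF6, 0xF7) and reg == 1:
        return "TEST imm encoded as /1 instead of /0"
    if op in SHIFT_OPS and reg == 6:
        return "SAL/SHL encoded as /6 instead of /4"
    if mod == 3 and op in ALU_RM_REG:
        return f"{ALU_RM_REG[op]} reg,reg using the r/m,reg opcode"
    if mod == 3 and op in ALU_REG_RM:
        return f"{ALU_REG_RM[op]} reg,reg using the reg,r/m opcode"
    return "nothing unusual"
```

Running `encoding_hint` over every reg,reg ALU instruction in a binary and tallying which direction dominates gives the compiler fingerprint the text describes; a binary that mixes both directions at random is a candidate carrier for a hidden message.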
There is a steganographic tool, Hydan, that changes x86 instructions to their equivalents and hides your message in executable files. Hydan uses the tricks described above (not all of them: it doesn't "know" about the SAL/SHL trick). It can also reorder independent instructions and use more advanced tricks; for example, it changes "XOR eax, eax" to "SUB eax, eax" or vice versa. Hydan is an open source program; you need GCC installed to compile it from source.
The x86 architecture has a long history, and the odd encodings are often preserved for compatibility with old software. The complicated addressing modes are very redundant themselves. So you have a good chance to hide something "between the lines" of your code.