Vulnerability Development mailing list archives

Re: Another new worm??? (technical)


From: vision () WHITEHATS COM (Max Vision)
Date: Fri, 23 Jun 2000 13:56:53 -0700


I really don't have time to get into this, but I need to at least clarify
that I was *not* talking about an after-the-fact insertion of NOPs, I was
talking about having code engineered from the start.  Offsets, byte/word
boundaries, etc. are not an issue at the level that I was referring to :)

Max

On Fri, 23 Jun 2000, Pierre Vandevenne wrote:
On Fri, 23 Jun 2000 12:24:35 -0700 (PDT), Max Vision wrote:

On Fri, 23 Jun 2000 15:08:16 +0200, Bluefish wrote:
Change random bytes in a worm like Love Letter, it will keep working in
90% of the cases.

Change random bytes in a virus written in assembly language, it crashes
in 99.9% of the cases.

disclaimer: the following is just speculation

I realize this is terribly inefficient, however, these percentages can
probably be greatly reduced by adding nop instructions every other
instruction.

1) you can't add them randomly because they would split multi byte/word
instructions and lead to a crash anyway.

8Bh 44h 24h 4h

mov eax, [esp+4]

has three wrong places for the nop, for example.

2) there are many techniques to achieve polymorphism in assembler, such
as modifying nibbles, inserting streams of meaningless instructions (push
pop pairs, do-nothing logical operators, shifts of unused registers,
etc...), but these require complex coding (which was the point: it is
not easy to do).

Pierre


---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !


