tags:

views:

152

answers:

4
+5  Q: 

SP (Stack Pointer) Anti-debug Trick - x86

Listing 7.1 The Decryptor of the Cascade Virus

lea si, Start ; position to decrypt (dynamically set)

mov     sp, 0682    ; length of encrypted body (1666 bytes)

Decrypt:
xor     [si],si ; decryption key/counter 1
xor     [si],sp ; decryption key/counter 2
inc     si  ; increment one counter
dec     sp  ; decrement the other
jnz     Decrypt ; loop until all bytes are decrypted

Start:  ; Encrypted/Decrypted Virus Body

Note that this decryptor has antidebug features because the SP (stack pointer) register is used as one of the decryption keys.

Can somebody explain why using the SP register is acting like an anti-debug feature? Correct me if I'm wrong but I don't think having a debugger running changes the stack layout...

Thanks in advance

+1  A: 

My x86-fu is rusty, but I seem to recall most breakpoint debugging tools work by triggering a fault in the CPU and asserting themselves as a supervisor process - which would give you a new stack, and a correspondingly-altered stack pointer. Thus, stepping through that code would give you values of sp which are different to those the process would normally see had it not been trapped by a debugger.

Jonners  2010-09-20 11:24:56
A: 

Most debuggers expect [e]sp to be valid and pointing to a stack area. I guess it's possible that some debuggers crash if sp does not point to valid memory, but I don't know of any.

Igor Skochinsky  2010-09-20 11:41:27
By definition, (e)sp is valid. Most debuggers if they are intelligently designed use their *own* stack area to avoid overrunning the stack space used by the application program. See my answer for why using its own stack won't enable the debugger to debug this code.
Ira Baxter  2010-10-09 23:57:34
Ah, that makes sense. I did not think of interrupt handlers.
Igor Skochinsky  2010-10-11 11:24:07
+2  A: 

If the stack segment is equal to the data segment (is it .com or .exe virus? seems .com, because the DS is already equal to CS) then any use of stack (debugger or even interrupt) will modify the memory where ss:[sp] is pointing, and it will be pointing somewhere in the virus body (because it's used as counter).

ruslik  2010-09-20 23:47:50
+4  A: 

Taking a breakpoint or an interrupt will "push data onto the stack", which will damage the data bytes in the area that the stack pointer references. Thus, if you put a breakpoint (INT n) in the code using a debugger, your very act of debugging (encountering the breakpoint) will destroy the data that this code is trying to decrypt.

This code might work under DOS if no interrupts happen; maybe they disable interrupts first. You can't realistically use this under Windows or Linux (its 16 bit code anyway).

Ira Baxter  2010-10-09 23:55:30
Just to elaborate on your answer: "INT n generally behaves like a far call except that the flags register is pushed onto the stack before the return address. Interrupt procedures return via the IRET instruction, which pops the flags and return address from the stack." - http://pdos.csail.mit.edu/6.828/2008/readings/i386/INT.htm
Shiftbit  2010-10-21 01:14:27

related questions

Wrapping Visual C++ in C#
Open source ER diagramming tool for mysql
What are the best ways to understand an unfamiliar database?
Is reverse engineering evil?
Best way to inject functionality into a binary...
Good techniques for understanding someone else's code
How is the photoshop cutout filter implemented?
Best way to reverse-engineer a web service interface from a WSDL file?
How to reverse engineer undocumented legacy application?
Is there a C++ decompiler?
What's a good C decompiler?
Reverse engineering war stories
How do I decompile a .NET EXE into readable C# source code?
Creating a new rrd database based on an existing one
how are serial generators / cracks developed?
Is it legal to reverse engineer binary file formats
How would you go about reverse engineering a set of binary data pulled from a device?
Reverse Engineering C# code using StarUML
What are the best tools for reverse engineering z80 machine code?
Sequence Diagram Reverse Engineering
Stored procedures reverse engineering
How do I disassemble a VC++ application?
best tool to reverse-engineer a WinXP PS/2 touchpad driver?
Reverse engineer (oracle) schema to ERD
Annotating YouTube videos programatically