The next example we’ll look at will instead be able to fool the recursive traversal algorithm. We’ve just seen an example that fools the linear sweep algorithm, but not a recursive traversal algorithm.
Not to mention that after that, the offsets for all the other instructions are wrong and all the instructions following that data instruction are also incorrectly disassembled. Since WinDbg uses a linear sweep algorithm to disassemble the executable, it tried to use the “DB 0F” instruction as part of the code instructions, which is incorrect and disassembles into incorrect instruction. At first it has correctly disassembled the jmp instruction, but all of the subsequent instructions are not correct, which is because of the “DB 0F” data instruction. We can see that WinDbg wasn’t able to correctly disassemble the code. But what if we load the executable into WinDbg and observe our interesting piece of code? We can see the disassembled code on the picture below. Since Olly and Ida are using the recursive traversal approach to disassembly, they have been able to correctly disassemble the executable. We can also see that Ida has correctly identified the data inside the instructions at address 0x00411A10 and it automatically placed the comments around it to make it stand out as a non-used instruction, which is correct since it’s a data instruction and shouldn’t be executed. We can see the disassembled piece of code on the picture below:Ĭool, we can see that Ida was quite successful at the disassembly and it also preserved the actual label names that we’re using for jumping around the executable. Let’s take a look at how successful Ida is at disassembling the above code. This proves that Olly can correctly disassemble the executable and execute all the instructions the way they should be executed. If we then press the step into button (F7 in Olly), the execution will of course jump to the 0x00411A11 instruction right after the “DB 0F” instruction, which will never be executed. If we place a breakpoint on the “jmp short 00411A11” instruction and run the program, the program execution will hit that breakpoint and pause the execution. Then there is one byte of data that Olly has correctly assigned the “DB 0F” instruction.
First, there is the jmp short 00411A11 call that corresponds to our “jmp B” instruction in C++ source code. We can see that Olly has properly disassembled the executable. Let’s first load the compiled executable in Olly disassembler, which produces the result that can be seen on the picture below: What’s important is how different disassemblers disassemble the executable. I won’t describe this here in detail, because it’s really not important for the purpose of this exercise. This is because we’re pushing something onto the stack (the “push eax” instruction), so when the function returns, the EIP and ESP cannot be properly restored, since we’re now trying to load a different value in the ESP register when returning (because of an additional push instruction). If we compile and run the program, a notification dialog such as the one seen on the picture below, will be displayed: Let’s take a look at the following example, which is written in C++ in Visual Studio: The most common linear sweep disassemblers are objdump, WinDbg and SoftICE. This makes the algorithm very simple, but also susceptible to any mistakes intentionally left in the code to derail the linear sweep algorithm from its path. It starts with the first byte in the code section and proceeds by decoding each byte, including any intermediate data byte, as code, until an illegal instruction is encountered. text sections of the executable and disassembling everything sequentially. When using the linear sweep algorithm, we’re going through the.