System for obfuscating computer code upon disassembly
First Claim
1. A method for obfuscating computer program instructions upon disassembly, the method comprising:
- inserting an obfuscating instruction for causing a disassembler to not disassemble one or more bytes subsequent to the obfuscating instruction, wherein said obfuscating instruction is an INT instruction; and
- inserting a branch instruction to invoke execution of one or more bytes subsequent to the obfuscating instruction, said method including the step of inserting the following code; JMP $+4 INT 35h.
Abstract
A system for preventing accurate disassembly of computer code. Such code masking, referred to as “obfuscation,” is useful to prevent unwanted parties from making copies of an original author's software, obtaining valuable information from the software for purposes of breaking into a program, stealing secrets, making derivative works, etc. The present invention uses assembly-language instructions so as to confuse the disassembler to produce results that are not an accurate representation of the original assembly code. In one embodiment, a method is provided where an interrupt, or software exception instruction, is used to mask several subsequent instructions. The instruction used can be any instruction that causes the disassembler to assume that one or more subsequent words, or bytes, are associated with the instruction. The method, instead, jumps directly to the bytes assumed associated with the instruction and executes those bytes for a different purpose. A preferred embodiment works with a popular Microsoft “ASM” assembler language and “DASM” disassembler. The instructions used to achieve the obfuscation include “INT” instructions. Using this approach up to 17 bytes of obfuscation can be achieved with five instructions. Each instruction remains obfuscated until executed and returns to an obfuscated state afterwards.
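For an analyst who meets this construct in a binary, the following added example (not part of the patent text) scans raw x86 code for a branch that skips a lone INT instruction and reports the offset at which disassembly should be restarted. It assumes the branch is assembled in its two-byte short form, so that "JMP $+4" becomes the bytes EB 02; the function names and the sample buffer are constructed for illustration.

```python
from typing import List, NamedTuple

JMP_SHORT = 0xEB  # x86 opcode: JMP rel8 (two-byte instruction)
INT_IMM8 = 0xCD   # x86 opcode: INT imm8 (two-byte instruction)


class Finding(NamedTuple):
    jmp_offset: int     # offset of the JMP opcode
    int_vector: int     # interrupt number encoded after the CD byte
    resume_offset: int  # jump target: first byte after the INT


def find_jmp_over_int(code: bytes) -> List[Finding]:
    """Return every 'EB 02 CD nn' sequence found in code.

    An unconditional jump over a single INT leaves that INT unreachable,
    which ordinary code has no reason to do. The jump target is where
    execution really continues, so that is where a second disassembly
    pass should start. The scan is byte-by-byte: the same four bytes
    inside data or an operand would also match, so treat hits as leads.
    """
    findings = []
    for i in range(len(code) - 3):
        if (code[i] == JMP_SHORT and code[i + 1] == 2
                and code[i + 2] == INT_IMM8):
            findings.append(Finding(i, code[i + 3], i + 4))
    return findings


def masked_bytes(code: bytes, finding: Finding, count: int = 8) -> bytes:
    """Bytes at the jump target, ready to feed to a disassembler."""
    return code[finding.resume_offset:finding.resume_offset + count]


# Constructed sample: two NOPs, JMP $+4 / INT 35h, then real code
# (MOV AX,1234h; RET), a harmless jump over two NOPs, and a sequence
# truncated by the end of the buffer.
SAMPLE = bytes.fromhex("9090" "eb02cd35" "b83412" "c3" "eb029090" "eb02cd")

if __name__ == "__main__":
    for f in find_jmp_over_int(SAMPLE):
        print(f"JMP at {f.jmp_offset:#x} skips INT {f.int_vector:02X}h; "
              f"re-disassemble from {f.resume_offset:#x}: "
              f"{masked_bytes(SAMPLE, f).hex()}")
```
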
Specification