RECON06 . A PLATFORM INDEPENDENT MULTI-CAVITY NOP VIRUS
Fixing jumps that jump forward:
- » The key to fixing jumps in general is keeping track of which instruction we are on, in parallel, in both the old and the new infected executable.
- » This is a similar idea to instruction set translation (e.g. Apple's Rosetta).
- » We walk the instructions by knowing the size of each instruction.
- » In memory we have a copy of the previously infected .text and the [broken] new infected .text.
- » Walking the instructions in parallel in both data sets, when we see a jump (0xE9 jmp or 0xE8 call, each with a rel32 operand) we calculate what its operand should be: keep walking forward until the 'current' pointer in the old executable equals the jump's address in that executable plus its operand.
- » Since we also have a 'current' pointer for the new executable being infected, some basic subtraction gives the real distance, and we overwrite the jump's operand with that.
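The parallel walk and operand recomputation described above, as an added Python model (not the talk's code): the old-to-new offset map built while walking both buffers stands in for the forward search, so it covers backward branches as well, and a rel32 target that does not fall on a walked instruction boundary is reported rather than silently patched. The opcode length table and the sample instruction bytes are assumptions constructed for the example.

```python
import struct
# Toy length decoder for the few opcodes in the sample (assumption: a real rewriter needs a full x86 decoder)
INSN_LEN = {0x90: 1, 0xC3: 1, 0x53: 1, 0x5B: 1, 0xB8: 5, 0xE8: 5, 0xE9: 5}

def insn_len(code: bytes, off: int) -> int:
    return INSN_LEN[code[off]]

def insert_blocks(old: bytes, inserts: dict) -> tuple:
    """Rebuild the text with extra bytes inserted before the instruction at each old
    offset; returns (new_text, old_offset -> new_offset), i.e. the slide's parallel walk."""
    new, offmap, off = bytearray(), {}, 0
    while off < len(old):
        new += inserts.get(off, b"")
        offmap[off] = len(new)          # where this original instruction now lives
        n = insn_len(old, off)
        new += old[off:off + n]
        off += n
    offmap[off] = len(new)              # one-past-the-end, so a branch to the end still maps
    return bytes(new), offmap

def fix_rel32(old: bytes, new: bytes, offmap: dict) -> bytes:
    """Recompute each E8/E9 rel32 operand so it reaches the same instruction as before."""
    out, off = bytearray(new), 0
    while off < len(old):
        n = insn_len(old, off)
        if old[off] in (0xE8, 0xE9):
            rel, = struct.unpack_from("<i", old, off + 1)
            target = off + n + rel      # absolute target in the old text
            if target not in offmap:    # outside the walked text or mid-instruction
                raise ValueError(f"branch at {off:#x} targets {target:#x}")
            new_off = offmap[off]
            new_rel = offmap[target] - (new_off + n)   # the "basic subtraction"
            struct.pack_into("<i", out, new_off + 1, new_rel)
        off += n
    return bytes(out)

def branch_targets(code: bytes) -> dict:
    """Offset of every E8/E9 -> absolute offset it reaches (used to verify the fixup)."""
    targets, off = {}, 0
    while off < len(code):
        n = insn_len(code, off)
        if code[off] in (0xE8, 0xE9):
            targets[off] = off + n + struct.unpack_from("<i", code, off + 1)[0]
        off += n
    return targets

# Constructed sample: mov eax,1; jmp +1 (over the nop); nop; push ebx; call -12 (back to the jmp); pop ebx; ret
OLD = bytes.fromhex("b801000000" "e901000000" "90" "53" "e8f4ffffff" "5b" "c3")
INSERTS = {10: b"\x90" * 3, 17: b"\x90" * 2}   # two cavities of padding inserted
NEW, OFFMAP = insert_blocks(OLD, INSERTS)
FIXED = fix_rel32(OLD, NEW, OFFMAP)
```

Before the fixup the call in NEW lands at offset 8, in the middle of the mov; after it both branches reach the instructions they did originally.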