Dynamic obfuscation by self-modifying code

Question

Here what's i am trying to do:

assume you have two fonction

void f1(int *v)
{
   *v = 55;
}
void f2(int *v)
{
   *v = 44;
}

char *template;
template = allocExecutablePages(...);

char *allocExecutablePages (int pages)
{
    template = (char *) valloc (getpagesize () * pages);
    if (mprotect (template, getpagesize (),
        PROT_READ|PROT_EXEC|PROT_WRITE) == -1) {
            perror (“mprotect”);
    }
}

I would like to do a comparison between f1 and f2 (so tell what is identical and what is not) (so get the assembly lines of those function and make a line by line comparison) And then put those line in my template.

Is there a way in C to do that?

THanks

Update

Thank's for all you answers guys but maybe i haven't explained my need correctly.

basically I'm trying to write a little obfuscation method. The idea consists in letting two or more functions share the same location in memory. A region of memory (which we will call a template) is set up containing some of the machine code bytes from the functions, more specifically, the ones they all have in common. Before a particular function is executed, an edit script is used to patch the template with the necessary machine code bytes to create a complete version of that function. When another function assigned to the same template is about to be executed, the process repeats, this time with a different edit script. To illustrate this, suppose you want to obfuscate a program that contains two functions f1 and f2. The first one (f1) has the following machine code bytes

Address Machine code
0          10
1          5
2          6
3          20
and the second one (f2) has
Address Machine code
0          10
1          9
2          3
3          20
At obfuscation time, one will replace f1 and f2 by the template
Address Machine code
0           10
1           ?
2           ? 
3           20
and by the two edit scripts e1 = {1 becomes 5, 2 becomes 6} and e2 = {1
becomes 9, 2 becomes 3}.


#include <stdlib.h>
#include <string.h>

typedef unsigned int uint32;
typedef char * addr_t;

typedef struct {
uint32 offset;
char value;
} EDIT;

EDIT script1[200], script2[200];
char *template;
int template_len, script_len = 0;
typedef void(*FUN)(int *);
int val, state = 0;

void f1_stub ()
{
if (state != 1) {
patch (script1, script_len, template);
state = 1;
}
((FUN)template)(&val);
}

void f2_stub () {
if (state != 2) {
patch (script2, script_len, template);
state = 2;
}
((FUN)template)(&val);
}

int new_main (int argc, char **argv)
{
f1_stub ();
f2_stub ();
return 0;
}

void f1 (int *v) { *v = 99; }
void f2 (int *v) { *v = 42; }

int main (int argc, char **argv)
{
int f1SIZE, f2SIZE;
/* makeCodeWritable (...); */
/* template = allocExecutablePages(...); */
/* Computed at obfuscation time */
diff ((addr_t)f1, f1SIZE,
(addr_t)f2, f2SIZE,
script1, script2,
&script_len,
template,
&template_len);
/* We hide the proper code */
memset (f1, 0, f1SIZE);
memset (f2, 0, f2SIZE);
return new_main (argc, argv);
}

So i need now to write the diff function. that will take the addresses of my two function and that will generate a template with the associated script.

So that is why i would like to compare bytes by bytes my two function

Sorry for my first post who was not very understandable!

Thank you

Answer 1

Having read through some of the answers and the comments there, I'm not sure I fully understand your question, but maybe you're looking for a gcc invocation like the following:
gcc -S -xc - -o -

This tells gcc to input C code from stdin and output assembly to stdout.

If you use a vi-like editor, you can highlight the function body in visual mode and then run the command:
:'<,'>!gcc -S -xc - -o - 2> /dev/null
...and this will replace the function body with assembly (the "stderr > /dev/null" business is to skip errors about #include's).

You could otherwise use this invocation of gcc as part of a pipeline in a script.

Answer 2

If you are using Visual Studio, go to

Project Properties -> Configuration -> C/C++ -> Output Files -> Assembler output

or use compiler switches /FA, /FAc, /FAs, /FAcs. Lower-case c means output machine code, s-source code side-by-side with assembly code. And don't forget to disable compiler optimizations.

Answer 3

Do you want to do this at runtime or during authorship?

You can probably instruct your C compiler to produce assembly language output, for example gcc has the -S option which will produce output in file.s Your compiler suite may also have a program like objdump which can decompile an object file or entire executable. However, you generally want to leave optimizations up to a modern compiler rather than do it yourself.

At runtime the & operator can take the address of a function and you can read through it, though you have to be prepared for the possibility of encountering a branch instruction before anything interesting, so you actually have to programatically "understand" at least a subset of the instruction set. What you will run into when reading function pointers will of course vary all over the place by machine, ABI, compiler, optimization flags, etc.

Answer 4

Put the functions into t1.c and t2.c use gcc -S to generate assembly output:

gcc -S t1.c
gcc -S t2.c

Now compare t1.s and t2.s.