Using ARM Inline Assembly and Naked Functions to Fool Disassemblers - lame_r
http://www.evilsocket.net/2015/05/02/using-inline-assembly-and-naked-functions-to-fool-disassemblers/

======
kw71
Terrible javascript on this page, all I see is a Mr Clean lookalike. Not going
to bother fiddling to read it.

Sorry for the rude comment but I've finally lost it.

~~~
evilsocket
Mr Clean lookalike here :D Do you have any specific navigation problem on the
website? I recently switched to a new blog theme, maybe it's that?

~~~
jarman
When JS is disabled, the fixed-positioned, 100% width, 100% height sidebar
takes up the whole page, hiding the text.

~~~
evilsocket
I see, well that's the default behaviour ... apparently JS is not optional for
that theme, I'm sorry :)

------
userbinator
That's a bit surprising (particularly the IDA case), and probably an
indication that the ARM code/data separator in these disassemblers needs some
work... because my experience with x86 IDA is that it is not going to think
some address is the start of a function and disassemble it unless it actually
finds a control flow instruction like call/jump leading to it, and it starts
at the entry point when it does code/data separation so it shouldn't falsely
identify data as code (indirect jumps, however, do tend to make it stumble, so
code that doesn't get disassembled is the more common case.)

Another possibility could be blind reliance on debug information that's
causing it to think that symbol is a function; strip the binary and try again.

~~~
evilsocket
Good point, although the post is just a simple PoC ... to fool the kind of
behaviour you're talking about, one could simply install a signal handler,
call the fake function, handle the SIGSEGV or whatever, and then use the
function as data ... also, since ARM instructions are 4 bytes each, you could
play with 3-byte declarations ... funny things happen ;)

------
pjmlp
And so yet another young developer discovers the tricks of the Assembly
programming golden age. :)

~~~
evilsocket
More than 15 years of experience actually, I just thought that sharing some
simple tricks would be a good thing.

~~~
pjmlp
Sorry about that then, it is just that HN tends to be full of young Web devs
rediscovering the ways of old. :)

Nice idea though.

~~~
evilsocket
No offence taken at all :D and I totally agree with you, that's why it's so
important to share old tricks despite their simplicity :)

------
legulere
Basically what you're doing is marking data as a function in the
executable/library metadata.
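The trick the thread is discussing, a blob of data whose symbol is tagged as a function in the binary's metadata so that a disassembler trusting that tag decodes the bytes as instructions, as an added example in C. This is not code from the original post, the linked article or any commenter; the symbol name and the string are constructed for it, and it assumes a GNU-style assembler on an ELF target (Linux with GCC or Clang). It uses a top-level asm block rather than a naked function so it builds the same way on x86-64 and ARM.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Top-level inline assembly: emit a NUL-terminated string into the .text
 * section and tag the symbol as a function in the ELF symbol table
 * (.type ... %function plus a .size). Nothing here is executable code; the
 * "function" is data that a disassembler trusting the symbol metadata will
 * try to decode as instructions.
 *
 * Assumptions (example only): GNU-style assembler on an ELF target. The
 * %function spelling is used because '@' is the comment character on
 * 32-bit ARM; GAS and the LLVM assembler accept it on x86-64 as well.
 * Symbol name and string contents are constructed for this example.
 */
__asm__(
    ".text\n"
    ".globl fake_function\n"
    ".type fake_function, %function\n"
    "fake_function:\n"
    "    .asciz \"this is data, not code\"\n"
    ".size fake_function, . - fake_function\n"
);

/* From C the symbol is simply a byte array that happens to live in .text. */
extern const char fake_function[];

/* The "function" read as the data it really is. */
const char *fake_function_text(void) { return fake_function; }

size_t fake_function_len(void) { return strlen(fake_function); }

/* Byte at offset i, i.e. what a disassembler would try to decode. */
unsigned fake_function_byte(size_t i) { return (unsigned char)fake_function[i]; }

int main(void) {
    printf("symbol fake_function at %p holds \"%s\" (%zu bytes)\n",
           (const void *)fake_function, fake_function_text(),
           fake_function_len());
    printf("first bytes a disassembler sees: %02x %02x %02x %02x\n",
           fake_function_byte(0), fake_function_byte(1),
           fake_function_byte(2), fake_function_byte(3));
    return 0;
}
```

After compiling, `readelf -s a.out | grep fake_function` shows the symbol with type FUNC, and `objdump -d a.out` decodes the string bytes as instructions at `<fake_function>:` because it disassembles .text linearly and trusts the symbol type. Stripping the binary removes the FUNC tag, which is the check userbinator suggests. The signal-handler variant from the thread (actually calling the fake function so that a call site exists, then recovering from the fault) is not included here because what the string bytes do when executed depends on the architecture.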

