Jump With Same Target

Created the Monday 18 March 2019. Updated 1 year, 1 month ago.

Jump with the same target is an anti-disassembling technique that involves using back-to-back conditional jump instructions that both point to the same target. This can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.

For example, suppose a program contains the following instructions:

mov eax, 0x12345678
jz loc_512
jnz loc_512

In this case, the jz and jnz instructions are back-to-back conditional jump instructions that both point to the same target, loc_512. This means that the program will always jump to the loc_512 location, regardless of the value of the eax register. However, a disassembler that is working correctly would not be able to determine this intended behavior, as it only disassembles one instruction at a time and does not consider the behavior of the program as a whole.

Technique Identifier

U0210

Technique Tags

Jump with the same target Anti-disassembling Disassembler Conditional jump Target address Disassembly output Disassembly accuracy Unconditionnal jum

Code Snippets

Description

This allows the code to demonstrate the intended behavior of the original instructions, which is to always call the my_function function, regardless of the value of the eax register. This technique can make it difficult for a disassembler to accurately reconstruct the original instructions of the program, as the disassembler will not be able to determine the intended behavior of the program without actually executing it.

#include <stdio.h>

void my_function() {
    printf("Hello, world!\n");
}

int main() {
    int eax = 0x12345678;

    // Original instructions
    if (eax == 0) {
        my_function();
    }
    if (eax != 0) {
        my_function();
    }

    // Obfuscated instructions using back-to-back conditional jumps
    if (eax == 0) {
        my_function();
    }
    my_function();

    return 0;
}

About Author Open Snippet

Author: Unprotect / Target Platform: Windows

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.malwinator.com/2015/11/22/anti-disassembly-used-in-malware-a-primer/