Writing a self-modifying x86 factorial program
Self-modifying programs seem to be viewed as something magical, but they’re quite simple.
To demonstrate this, I’ll be writing a self-modifying factorial program in x86, specifically in nasm.
Basic factorial
To write a self-modifying factorial program, we first need a normal factorial program.
factorial:
push ebp
mov ebx, eax
factorial_start:
sub ebx, 1
cmp ebx, 0
je factorial_end
mul ebx
jmp factorial_start
factorial_end:
pop ebp
ret
This is quite simple, if it needs explanation then this isn’t for you.
Self-modifying factorial
In the factorial algorithm, there are 2 places where it makes somewhat sense to be modifying in values during runtime: the initial starting value, and the value multiplied by.
Technical issues
First of all, self-modifying programs are a bit special. By default, nasm will assemble the program into something which can’t self-modify, because the .text section is marked as not writable for security reasons. objcopy and a custom program need to be used to change the flags on the .text section to allow for it to be written to during runtime.
You can see my script for building these programs here.
Starting value
In the original code, the starting number is passed in through the eax register.
To use self-modifying code for this, first there needs to be an empty mov into eax at the start of the function.
_start:
mov dword [factorial+2], 0x5
call factorial
factorial:
push ebp
mov eax, 0
As you can see, to pass in the starting value, the program modifies the mov eax, 0 instruction. The instruction’s 0 value is 2 bytes offsetted from the start of the factorial method.
Multiplier
factorial_start:
; multiply
mov ebx, 0
mul ebx
Here is the stub used for the multiplication. Next is needed the logic for setting up the mov ebx, 0, decrementing it, and exiting the loop.
Multiplier init
To setup the multiplier, take ebx, which stores the first value of the multiplier, and copy it into mov eax, 0 at the start of the factorial_start method.
factorial:
...
mov dword [factorial_start+1], ebx ; init decrementer
Multiplier decrement
In a standard program, the logic is as follows:
- Decrement the multiplier
- Exit if it’s at 0
- Jump back
The only part of this which changes in this self-modfying program is decrementing the multiplier.
To decrement the multipler, it needs to fetch what it is currently, decrement it, and copy it back in.
factorial_start:
...
; decrement
mov ebx, dword [factorial_start+1]
sub ebx, 1
mov dword [factorial_start+1], ebx
Result
Putting it all together, here’s what it ends up as:
extern printf
section .data
format: db "num: %d",10,0
section .text
global _start
_start:
mov dword [factorial+2], 0x5 ; start number
call factorial
; print result
push eax
push format
call printf
; exit
mov eax, 1
mov ebx, 0
int 80h
factorial:
push ebp
mov eax, 0
mov ebx, eax
sub ebx, 1
mov dword [factorial_start+1], ebx ; init decrementer
mov ebx, 0
factorial_start:
; multiply
mov ebx, 0
mul ebx
; decrement
mov ebx, dword [factorial_start+1]
sub ebx, 1
mov dword [factorial_start+1], ebx
; exit if at 0
; could exit at 1, but then it doesn't handle 0x2
cmp ebx, 0
je factorial_end
; loop back
jmp factorial_start
factorial_end:
pop ebp
ret
Conclusion
Self-modifying programs are interesting. Their code looks a bit different, a bit messy and with empty values, but they’re definitely interesting to think through the logic for.
There’s several applications for these types of programs, mainly around obfuscation, such as license protection and malware. I’m thinking of writing an interesting packer to utilize this, or at least a fun crackme.
If you wish to see more examples of self modifying x86 programs, you can view them on my git repo.