I once pirated a book because I didn’t want to get it from another room.

  • CanadaPlus@lemmy.sdf.org · 6 upvotes · 2 days ago

    Yes. Assembly is barely abstracted from the actual machine instructions, to the point where the process of translating it is easily reversible. Reading assembly code is a thing all on its own, though.

    There’s specialised software available for this kind of reverse-engineering now, too, if you’re doing something more complicated than just looking for and cutting out a system call.

    • 🇨🇦 tunetardis@piefed.ca · 5 upvotes · 2 days ago

      Yeah. At the lowest level, the CPU reads a program as a bunch of numbers, where each number is a very simple instruction such as “add 2 values together”. Assembly language is a more human-readable version of machine code, where you can see something more like add r1,r2 instead of 35397176 or whatever numeric code means “add the value in register 1 to 2” for some hypothetical processor. (Registers are where the processor keeps values loaded in from the RAM.)

      So in my case, if I saw that the program was making some system call to the random number generator and the calling conventions used by the operating system always put the return value in register 0, I could replace the call with something like clr r0 (clear the value in register 0). It’s a pretty simple hack. So the “generator” now always generates zero.

      These days, programs are often code-signed and if you start messing around like that, they’ll get flagged as malware. But it worked fine back in those open and trusting days.
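
An added illustration, not part of any comment in this thread: a round-trip assembler and disassembler for a made-up 32-bit instruction set, showing why assembly maps directly back and forth to machine code and why the digest a code signature covers changes when one instruction word changes. The encoding, the opcode numbers and the `sys` mnemonic are assumptions invented for this example.

```python
import hashlib

# Made-up 32-bit word: opcode (8 bits) | operand A | operand B | unused.
OPCODES = {"add": 0x01, "clr": 0x02, "sys": 0x03, "ret": 0x04}
MNEMONICS = {code: name for name, code in OPCODES.items()}
# Operand kinds per mnemonic: "r" = register, "i" = immediate number.
OPERANDS = {"add": "rr", "clr": "r", "sys": "i", "ret": ""}

def assemble(line):
    """Translate one line such as 'add r1,r2' into a 32-bit word."""
    mnemonic, _, rest = line.strip().partition(" ")
    if mnemonic not in OPCODES:
        raise ValueError(f"unknown mnemonic: {mnemonic!r}")
    args = [a.strip() for a in rest.split(",") if a.strip()]
    kinds = OPERANDS[mnemonic]
    if len(args) != len(kinds):
        raise ValueError(f"{mnemonic} expects {len(kinds)} operand(s)")
    fields = [0, 0]
    for i, (kind, arg) in enumerate(zip(kinds, args)):
        if kind == "r" and not arg.startswith("r"):
            raise ValueError(f"expected a register, got {arg!r}")
        value = int(arg[1:] if kind == "r" else arg)
        if not 0 <= value <= 0xFF:
            raise ValueError(f"operand out of range: {arg!r}")
        fields[i] = value
    return OPCODES[mnemonic] << 24 | fields[0] << 16 | fields[1] << 8

def disassemble(word):
    """Translate a 32-bit word back into its assembly text."""
    mnemonic = MNEMONICS.get(word >> 24)
    if mnemonic is None:
        return f".word 0x{word:08x}"  # not an instruction we know
    fields = [(word >> 16) & 0xFF, (word >> 8) & 0xFF]
    args = [f"r{v}" if k == "r" else str(v)
            for k, v in zip(OPERANDS[mnemonic], fields)]
    return f"{mnemonic} {','.join(args)}".strip()

def digest(words):
    """SHA-256 of the encoded program, the kind of value a signature covers."""
    return hashlib.sha256(b"".join(w.to_bytes(4, "big") for w in words)).hexdigest()

# Constructed sample program; "sys 7" stands in for a random-number call.
SOURCE = ["sys 7", "add r1,r0", "ret"]
PROGRAM = [assemble(line) for line in SOURCE]

if __name__ == "__main__":
    for word in PROGRAM:
        print(f"{word:08x}  {disassemble(word)}")
    print("digest:", digest(PROGRAM))
```

Any tool that compares the digest of the file on disk with the digest recorded at signing time will see a mismatch after a one-word change, which is why modified binaries fail signature checks.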

      • CanadaPlus@lemmy.sdf.org · 1 upvote · 2 hours ago

        Isn’t there a way to manually whitelist modified software on your AV, if it’s your own machine?

        With modern software, there’s also the problem of just learning whatever weird stack the game is running on, to know where to look.

        • 🇨🇦 tunetardis@piefed.ca · 1 upvote · 2 hours ago

          That’s a good question. It may depend on the platform?

          Right now, I’m doing most of my coding on a Mac. I noticed I get into trouble when trying to move the program to another machine. The OS seems to tag the executable with some metadata that runs afoul of Gatekeeper. Removing said metadata seems to get you past that. But that’s for in-house software that has never been registered with Apple or anything. I’ve never actually tried modifying a program that has been registered, so I’m not sure if there are any extra levels to this?