
"Armadillo nanomites" (NANOBEGIN, NANOEND)


Solved by Exynox

/* 40250 client src */
#define NANOBEGIN     __asm _emit 0xEB __asm _emit 0x03 __asm _emit 0xD6 __asm _emit 0xD7 __asm _emit 0x01
#define NANOEND       __asm _emit 0xEB __asm _emit 0x03 __asm _emit 0xD6 __asm _emit 0xD7 __asm _emit 0x00

I am curious how this works. Why are the bytes inserted after the function preamble and before the function end? And why these specific bytes?

I believe it protects the bin from reverse engineering by inserting these bytes (perhaps arbitrarily chosen). There is literally no other logical explanation why anyone would stack allocate 10 bytes that do nothing in every function.

This is what happens when looking at the bin:
...
RANDOM BYTES
VALID BYTES
RANDOM BYTES
VALID BYTES
...

Am I correct?

  • Premium
  • Solution

Firstly, I found this article online; it might be interesting: https://www.codeproject.com/Articles/621236/Nanomite-and-Debug-Blocker-for-Linux-Applications

Those bytes that you see are essentially a marker for the actual protection tool to process the machine code after compilation. Without this tool, the bytes don't do much other than be interpreted as code. If we take a look at the x86-32 instructions for NANOBEGIN we'll see the following:

0:  eb 03                   jmp    0x5
2:  d6                      (data)
3:  d7                      (data)
4:  01                      (data) 

Essentially, the CPU short jumps by setting the EIP register 5 bytes ahead, effectively skipping the byte sequence.

Therefore, without the proper tooling, NANOBEGIN & friends don't do much other than waste a few CPU cycles here and there. Probably you'd just want to remove any references to this protection from your source code.

  • Good 2
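The marker layout described in the answer above, as an added example that is not part of the original posts or of the protection tool: a scanner that finds both byte sequences in a raw code blob, confirms the short jump lands just past each marker, and pairs them into regions. Function names and the sample bytes are constructed for illustration; the same five bytes can occur by coincidence in data, so hits are candidates to confirm in a disassembler.

```python
PREFIX = bytes([0xEB, 0x03, 0xD6, 0xD7])   # jmp short +3, then two filler bytes
BEGIN, END = 0x01, 0x00                    # fifth byte tells NANOBEGIN from NANOEND
MARKER_LEN = 5


def jump_target(offset: int, rel8: int) -> int:
    """Target of a 2-byte 'EB rel8' short jump located at `offset`."""
    if rel8 >= 0x80:            # rel8 is a signed 8-bit displacement
        rel8 -= 0x100
    return offset + 2 + rel8    # relative to the following instruction


def find_markers(blob: bytes):
    """Yield (offset, kind) for every marker occurrence, in file order."""
    pos = blob.find(PREFIX)
    while pos != -1:
        if pos + MARKER_LEN <= len(blob) and blob[pos + 4] in (BEGIN, END):
            yield pos, blob[pos + 4]
        pos = blob.find(PREFIX, pos + 1)


def find_regions(blob: bytes):
    """Return (regions, unpaired): byte ranges between pairs, and orphan offsets."""
    regions, unpaired, open_at = [], [], None
    for off, kind in find_markers(blob):
        if kind == BEGIN:
            if open_at is not None:
                unpaired.append(open_at)      # second BEGIN before any END
            open_at = off
        elif open_at is None:
            unpaired.append(off)              # END with no preceding BEGIN
        else:
            regions.append((open_at + MARKER_LEN, off))
            open_at = None
    if open_at is not None:
        unpaired.append(open_at)              # BEGIN never closed
    return regions, unpaired


# Constructed sample: push ebp; mov ebp,esp; NANOBEGIN; xor eax,eax; NANOEND; pop ebp; ret
SAMPLE = bytes.fromhex("55 8bec eb03d6d701 33c0 eb03d6d700 5d c3")

if __name__ == "__main__":
    regions, unpaired = find_regions(SAMPLE)
    for start, end in regions:
        skips = jump_target(start - MARKER_LEN, SAMPLE[start - 4]) == start
        print(f"region {start:#x}-{end:#x}: {SAMPLE[start:end].hex()} jump_skips_marker={skips}")
    print("unpaired markers:", unpaired)
```

An empty result on a release build is a quick check that the macros were removed from the source, as the answer suggests.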