Design and Implementation of .NET Software Shelling Technology

Source: Internet
Author: User
1 Introduction

To protect the core technology of their software from being easily stolen, software developers use various encryption technologies to guard the software's copyright against infringement. Adding a shell is a common software protection method. Software shelling technology for Win32 already has very mature commercial products. For software in the .NET environment, however, the compiled result is not machine code but MSIL intermediate code, so traditional shelling technology cannot be used. Currently, the commercial shelling software for .NET mainly includes MaxtoCode. In addition, SafeNet has launched the latest shell tool for its software protection product Shengtian Dog to meet the needs of software developers. The Shengtian Dog shell encryption tool can automatically encrypt executable files, allowing developers to complete software encryption and authorization management quickly and conveniently.

This article introduces a simple software shelling technology for the .NET environment, which uses technologies such as digital signatures, MSIL code obfuscation, and encryption to achieve high-strength software protection. Compared with MaxtoCode, this technology has the following advantages: it can prevent unauthorized copying of the software and authorizes the software against the hardware fingerprint of the computer (fingerprint: a permanent identification number in the hardware information, such as the serial number of the CPU or hard disk; the same below). For network versions, it can prevent non-local clients from accessing the service.

2 Understanding the "shell"

"Shell" is a figurative name for software encryption. As the name suggests, a shell is a "coat" around the software and a protective barrier for it. With this barrier in place, a malicious attacker who disassembles the software cannot directly find its core code. A shell is a program that runs before the main program does. Once it runs, it takes control of the software and applies its protection functions. The working principle of a shell is roughly as follows: the shell program runs first, decrypts the encrypted main program code (the main program is the program being shelled; the same below) into memory, runs the corresponding functions, and returns control to the main program. The shelling technology studied in this article is based on this principle, but it is also used as a shell.

3 Principle of the shelling technology

Compile the original main program into a DLL, write a shell program and compile it into an EXE, and move the program's entry point (that is, the Main function) into the shell, so that the entire program starts from the shell. Before the software is released, use a self-developed encryption tool to encrypt all DLL files (entering a specific key). When the shell loads a DLL, it temporarily decrypts the file into memory, then loads and runs it. Because the decrypted DLL exists only in memory, attackers cannot obtain it unless they can find the DLL's decryption key. At the same time, to prevent attackers from analyzing the shell's logic in search of the decryption key, the shell EXE can be obfuscated (for example, with Xenocode) or encrypted (for example, with MaxtoCode) using third-party software, so that attackers cannot understand its algorithm and processing logic. The main program DLL is thus protected more effectively. The principle of shelling and unshelling is shown in Figure 1.

Figure 1 .NET software shelling principle

4 Software release and user registration process

To promote their software, developers generally put a trial version on the Internet so that users can freely download and try it. Once satisfied, users can register for the official version. The process of software release and user registration is shown in Figure 2.

5 Software release and user registration

5.1 Registration application

To give the software its anti-copy function, developers must create different installation files for different users, so that one set of program files can run on only one machine. To this end, when creating the installation files, the developer must obtain the fingerprint of the target machine on which the software will run and the name of the user's organization. For network software with an application server, only the fingerprint of the application server is needed. The user can obtain the fingerprint data with a specific program and send it to the developer by SMS or email. There are two methods of fingerprint extraction.

Method 1: through the trial version of the software. The trial version includes a registration application module, which the user can use to extract the fingerprint data of the local machine. The trial files are not created for the fingerprint of a target machine and can run on any machine. To guard against a cracker who finds the DLL decryption key and cracks the trial version, the trial software is usually given functional limitations (for example, some key code is removed), so that even if the trial version is cracked, it cannot be put to real use.

Method 2: through a program dedicated to registration application. For network application service programs that have no user interface, or for users who do not need a trial, the machine fingerprint can only be extracted with the dedicated registration program provided by the developer.

5.2 Calculating the registration code

Because each released version can run only on a specified machine, this shelling technology could do without manual entry of a registration code. However, a registration process is still required in order to customize the user organization information and limit the number of users.
The registration code is obtained by encrypting the user's organization, the machine fingerprint, the number of users, and other information. A self-developed registration code calculation tool can be used to produce it.

5.3 Encrypting DLL files

One of the core techniques of this shelling technology is the encryption of DLL files. The encryption can be done with a self-made encryption tool. You can choose any encryption algorithm provided in the .NET Framework or design your own. The algorithm does not need to be a public one, because encryption and decryption are both performed in the developer's own programs. The security of this solution can therefore be guaranteed entirely by the developer rather than by a third party.

5.4 Creating an installation disk

Before building the installer, simply replace the corresponding files in the installation project with the DLL files and authorization file encrypted for this user, and then generate the installation disk. The installation disk can also store the encrypted DLL files and the authorization file separately, so that users can copy them directly when upgrading to the official version. Normally an installation file cannot contain the registration code or authorization file directly, but with this technology the authorization file can be packaged into the installation disk, because even if the installation file is copied, it cannot run on an unauthorized machine.

5.5 Installing the official version

If no trial version is installed, use the installation disk to install the official version directly. On machines where the trial version is installed, replacing the corresponding files with the official files from the installation disk turns it into the official version.

5.6 User registration

Call the "Help" → "About" → "Registration" function in the official version, and enter the registration code or select an authorization file to register.
Because the installation file contains an authorization file, registration can also be completed automatically from the authorization file the first time the official version runs, eliminating manual registration.

6 Implementation of unshelling at run time

Unshelling means decrypting the encrypted program code and loading it into the program area of memory. It requires a specific decryption key or a specific decryption algorithm. For a simple program with only one or two DLL files, the shell can unshell everything in one pass and place all the files in memory. This is not technically difficult, but it consumes a lot of memory. In a program with many DLL files, not every DLL is necessarily used; sometimes only some of them are. It is therefore unnecessary to unshell them all at once and keep them all in memory. They can be unshelled on demand. Unshelling involves techniques such as DLL decryption and capturing DLL call requests.

6.1 DLL decryption

General shelling technology uses user-independent keys that are fixed in the shell code. Unshelling can therefore take place on any machine, and anti-copy protection is not possible. In this solution, the DLL encryption key is tied to the hardware fingerprint of the user's computer. The decryption key is not fixed in the shell code. Instead, the shell extracts the fingerprint from the target computer at run time and generates the key from it before it can decrypt, so unshelling can only be performed on an authorized computer, which effectively prevents illegal copies of the software. The decryption key is generated from the hardware fingerprint, and the fingerprint extraction algorithm is the same as the one used when applying for registration. The fingerprint is also converted into the encryption and decryption key by the same security algorithm.
The fingerprint extraction algorithm therefore exists in the shell, in the trial version of the software, and in the dedicated registration application program. To prevent these algorithms from being cracked, use third-party tools (such as Xenocode and MaxtoCode) to obfuscate or encrypt the MSIL code of these programs. For network software, it is best for the shell to obtain the decryption key from the application server at run time. For simplicity, however, the decryption key can also be saved in the authorization file, which is encrypted and installed with the client software. The decryption key is then extracted from the authorization file during unshelling.

DLL decryption must take place in memory only. No temporary files may be generated, so that a cracker cannot intercept the decrypted DLL. This requires file streams and encrypted streams. The unshelling code is as follows:

    using System;
    using System.IO;
    using System.Reflection;
    using System.Security.Cryptography;

    public static Assembly asmload(string asmname)
    {
        Assembly asmsvr = null;
        FileStream fsr = null;
        byte[] byvec = new byte[16], bykey = new byte[32];
        // asmname: name of the assembly to load, passed in as a parameter
        string toload = AppDomain.CurrentDomain.BaseDirectory + asmname + "E.DLL";
        if (!File.Exists(toload)) return null;
        fsr = new FileStream(toload, FileMode.Open, FileAccess.Read);
        byte[] rawassembly = new byte[fsr.Length];
        // Extract the machine fingerprint and generate the DES encryption key and
        // initial vector (create1_eyvec is the article's helper; it is not shown)
        create1_eyvec(ref byvec, ref bykey);
        // SymmetricAlgorithm.Create() returns the framework default (Rijndael on the
        // .NET Framework), which matches the 32-byte key and 16-byte IV above
        SymmetricAlgorithm des = SymmetricAlgorithm.Create();
        CryptoStream encstream = new CryptoStream(fsr, des.CreateDecryptor(bykey, byvec), CryptoStreamMode.Read);
        // Read and decrypt into the buffer; Read may return fewer bytes than asked for, so loop
        int total = 0, n;
        while ((n = encstream.Read(rawassembly, total, rawassembly.Length - total)) > 0)
            total += n;
        encstream.Close();
        fsr.Close();
        asmsvr = AppDomain.CurrentDomain.Load(rawassembly);
        return asmsvr;
    }

6.2 Capturing DLL call requests

Unshelling on demand means that an assembly is unshelled and loaded at the moment it is called.
Once the assembly is loaded, it runs directly from memory whenever its functions are called, which avoids wasting memory and does not affect running speed. The key issue is that an assembly is not necessarily called from the shell, but may be called from any running program rather than centrally. How can the assembly call request be intercepted?

First, you need to understand the application domain, which is represented by the AppDomain object and provides isolation, unloading, and security boundaries for the execution of managed code. Multiple application domains can run in one process. However, there is no one-to-one association between application domains and threads. Multiple threads can belong to one application domain, and although a given thread is not limited to one application domain, it executes in one application domain at any given time. When the program runs, an application domain is created automatically. An AppDomain instance is used to load and execute assemblies. The AppDomain class implements a group of events that let the application respond when an assembly is loaded, when an application domain is unloaded, or when an unhandled exception is raised. This solution uses the AssemblyResolve event to capture assembly call requests.

Implementation: first, register the handler for the AssemblyResolve event in the shell's Main() function, for example:

    AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(currentdomain_assemblyresolve);

Then write the event handler that unshells and loads the assembly. After that, any assembly can be called directly, because it is unshelled automatically. The following is part of the event handler code:

    // MessageBox requires: using System.Windows.Forms;
    /// <returns>Returns the found or temporarily loaded assembly</returns>
    private static Assembly currentdomain_assemblyresolve(object sender, ResolveEventArgs args)
    {
        Assembly ret = null;
        try
        {
            AppDomain dm = (AppDomain)sender;
            // args.Name is the full display name; keep only the simple name
            string dllname = args.Name.Split(',')[0];
            // Names starting with XX denote encrypted DLLs, to distinguish them from other DLLs
            if (dllname.StartsWith("XX") && !dllname.EndsWith("Resources"))
                ret = asmload(dllname);
        }
        catch (Exception ae)
        {
            MessageBox.Show("Error loading assembly " + args.Name);
        }
        return ret;
    }

7 Summary

The security of the above software protection scheme is determined by the security of the DES algorithm (if used) and of the machine fingerprint. The security of the DES algorithm depends mainly on protecting the key. The key comes from the machine fingerprint, and the fingerprint data comes from the machine's hardware information. Although the fingerprint extraction algorithm must be released along with the shell program, the conversion from fingerprint to key is done by a self-designed confidential algorithm that is not public, so the algorithm is secure. The security of the key therefore also depends on the security of the fingerprint extraction algorithm and the fingerprint-to-key algorithm, and their security in turn depends on the strength of third-party encryption or obfuscation. This is beyond the control of this solution and may be its weakest link. Commercial shelling software attracts many attacks, so once a commercial shelling technology is cracked, the software encrypted with it is no longer secure.
For self-developed shelling technology, however, the encryption technique can be self-designed (and kept confidential) and adjusted at any time. Moreover, it has few users and therefore fewer attackers, so software encrypted with this technology is relatively more secure. With the shelling technology in this article, software can more effectively resist common cracking methods such as copying, decompilation, distribution of serial numbers, and key generators. However, although this self-developed shelling technology is secure, software distribution becomes very complicated, which is also a weakness of this solution.
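
Section 5.2 describes the registration code as the result of "encrypting" the organization, machine fingerprint and user count. The added example below (not the article's code) swaps in an RSA signature over those fields, so the shell carries only the vendor's public key rather than a secret that could be used to mint codes. All class and method names and the sample values are assumptions, and it targets .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class RegistrationCode
{
    // Length-prefixed fields so "A|B"+"C" and "A"+"B|C" cannot collide.
    static byte[] Payload(string org, string fingerprint, int users) =>
        Encoding.UTF8.GetBytes(
            $"{org.Length}:{org}|{fingerprint.Length}:{fingerprint}|{users}");

    // Vendor-side tool: sign the license fields with the vendor's private key.
    public static string Issue(RSA vendorKey, string org, string fingerprint, int users) =>
        Convert.ToBase64String(vendorKey.SignData(
            Payload(org, fingerprint, users),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

    // Shell side: localFingerprint is extracted on the running machine, never
    // read from the authorization file, so a copied file fails verification.
    public static bool Verify(RSA vendorPublic, string code,
                              string org, string localFingerprint, int users)
    {
        byte[] sig;
        try { sig = Convert.FromBase64String(code); }
        catch (FormatException) { return false; }
        return vendorPublic.VerifyData(Payload(org, localFingerprint, users), sig,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        using RSA vendor = RSA.Create(2048);   // private key stays with the vendor
        using RSA shipped = RSA.Create();      // public half embedded in the shell
        shipped.ImportRSAPublicKey(vendor.ExportRSAPublicKey(), out _);

        // Constructed sample values, not taken from the article.
        string fp = "CPU:0F8BFBFF000306A9|HDD:CONSTRUCTED-0001";
        string code = Issue(vendor, "Example Org", fp, 5);

        Console.WriteLine(Verify(shipped, code, "Example Org", fp, 5));   // issued license
        Console.WriteLine(Verify(shipped, code, "Example Org", fp, 50));  // user count edited
        Console.WriteLine(Verify(shipped, code, "Example Org",
            "CPU:0F8BFBFF000906EA|HDD:CONSTRUCTED-0002", 5));             // other machine
    }
}
```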
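
Sections 5.3 and 6.1 describe encrypting each DLL under a key generated from the target machine's fingerprint and decrypting it only in memory. The added example below (not the article's code) shows both sides of that step, using PBKDF2 for the fingerprint-to-key conversion and AES-GCM in place of the article's unspecified algorithm. Names, the file layout, the iteration count and the sample fingerprints are assumptions, and it targets .NET 8 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FingerprintBoundDll
{
    const int Iterations = 200_000;   // PBKDF2 work factor (assumed value)
    const int Header = 16 + 12 + 16;  // salt | nonce | tag, then ciphertext
    // Fingerprint-to-key step: 256-bit key from fingerprint and per-file salt.
    static byte[] DeriveKey(string fingerprint, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(fingerprint, salt, Iterations,
                                  HashAlgorithmName.SHA256, 32);

    // Vendor-side encryption tool, run once per customer machine.
    public static byte[] Protect(byte[] dll, string fingerprint)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16], ct = new byte[dll.Length];
        using var gcm = new AesGcm(DeriveKey(fingerprint, salt), 16);
        gcm.Encrypt(nonce, dll, ct, tag);
        byte[] blob = new byte[Header + ct.Length];
        salt.CopyTo(blob, 0); nonce.CopyTo(blob, 16);
        tag.CopyTo(blob, 28); ct.CopyTo(blob, Header);
        return blob;
    }

    // Shell side: null when the fingerprint is wrong or the file was altered.
    public static byte[] Unprotect(byte[] blob, string localFingerprint)
    {
        if (blob.Length < Header) return null;
        byte[] plain = new byte[blob.Length - Header];
        try
        {
            using var gcm = new AesGcm(DeriveKey(localFingerprint, blob[..16]), 16);
            gcm.Decrypt(blob[16..28], blob[Header..], blob[28..Header], plain);
            return plain;   // the shell would pass this to AppDomain.CurrentDomain.Load
        }
        catch (CryptographicException) { return null; }
    }

    static void Main()
    {
        // Constructed stand-ins for an assembly and two machine fingerprints.
        byte[] dll = Encoding.ASCII.GetBytes("MZ...constructed stand-in for XXCoreE.DLL");
        byte[] blob = Protect(dll, "CPU:0F8BFBFF000306A9|HDD:CONSTRUCTED-0001");
        Console.WriteLine(Unprotect(blob, "CPU:0F8BFBFF000306A9|HDD:CONSTRUCTED-0001") != null);
        Console.WriteLine(Unprotect(blob, "CPU:0F8BFBFF000906EA|HDD:CONSTRUCTED-0002") != null);
    }
}
```

The authentication tag gives the shell a clean failure on an unauthorized machine instead of handing garbage bytes to the assembly loader.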
