Encryption in another way: Liu Taotao, a famous programmer, talks about distorted encryption transformation technology


What is distorted encryption transformation? It is a piece of software I developed. The formal term may be "mixed encryption", but I call my software "distorted encryption transformation technology". I spent more than a year developing it on and off, but I never promoted it, and it has not been released publicly until now.

Encryption transformation currently supports VC6, VS2005, VS2008 and other platforms. I will share some ideas from the development process and some of my solutions.

I. The current state of encryption software

Currently, common encryption software falls into two categories:

  • Shelling class, such as ASProtect;
  • Virtual Machine class, such as VMProtect.

For the shelling (packer) class, the shell is always the shell: there is always a clear line between it and the content it protects. Although packers try hard to strengthen the link between the shell and the core, the shell can always be removed. Early on I developed a tracing tool to deal with this type of packer. In general, the packer lives in a new section: the original PE program already has its data and code sections, and it is hard for the shell to share a section with the original program, so it usually sits in a new section, and that section boundary is its dividing line. So when debugging a packed program, you stop at the jump from one section to another, and at that point you have found the original program's entry point. This is the weakness of shell software: it is hard for it to integrate seamlessly with the original program.

After finding the entry point, run DumpPE to save the current memory image to a file. Then I added a command, MakePE, which reorganizes the image, and the program is unpacked. That was in the Win98 era, when shells were relatively simple. My TRW2000 was really handy: three commands and the shell was off.

Later, packer authors realized this, so they generally also provide some functions that are hard to trace and hard to debug. They recommend that developers call the packer's own functions from their program and then pack it again; such a program cannot simply be unpacked with the method above. However, the functions that can be called are usually relatively simple.

When we want to crack a piece of software, the first thing to do is usually to unpack it. Unpacking has become the first step of cracking and a basic skill of every cracker. As the crackers say, who can't unpack? If you can't take the shell off, you can't crack it. So unpacking is the basic skill for cracking: take off the shell first, then analyze.

However, if we want to reverse a program rather than crack it, that is, turn the entire program back into source files so that I can understand it, this is actually simple. I don't need to remove the shell at all; I just run the program and save the memory image for analysis. Most of the API functions the packer provides for your program to call are unimportant. Generally, shell software offers no protection against reverse engineering.

For the other class, virtual machine encryption, you need to select one or more functions to encrypt. It can only protect a few key functions; it cannot protect your entire software from reverse engineering. A few lines of code usually become several hundred lines or more after the virtual machine expands them. Therefore, virtual machine encryption software usually only lets you encrypt a few functions in your code, or part of a function; it recommends that you add a marker while programming to indicate that this section is to be encrypted by the virtual machine. This means that with virtual machine encryption, generally only a small amount of code can be encrypted, and the vast majority of your software's code remains exposed, which is obviously insecure.

Also, look at VMProtect's own statement: it clearly says that it is designed to protect your registration mechanism, and that it cannot protect the design ideas of your software.

In short, existing encryption software can only defend against cracking, not against reversing.

II. The terror of reverse engineering

From experience, if you work hard, one person can reverse 1000 lines of C++ code a day. I have many years of experience in software reverse engineering and often do this kind of work; recently I also ran a reverse engineering training course to teach students some reversing knowledge. Just last month I finished a project of 60 thousand lines of C++ code. From experience, if you work hard, you can reverse 1000 lines of C++ code a day! That is to say, if the software you have developed over the past few years is not protected, the whole code base may be reversed at 1000 lines per person per day. This is a terrible thing, especially for drivers. We know that drivers are the most technical part and driver development is the hardest; the people who can develop drivers are top experts on high salaries. The driver is the most serious problem in software protection. We can see that the drivers in our systems are very short and small. That is to say, we may have spent a great deal of energy over a long time developing a driver that contains all the core technology of our software, yet it may be only a few dozen KB, and an experienced reverse engineer may recover all of its source code in a few days.

By the way, the software I have been working on recently is WinMount. The idea of this software is to combine the functions of WinRAR and Daemon Tools: I can open a compressed archive or a virtual optical-disc image, so the two pieces of software every computer needs are merged into one. I added my own idea: you have an archive, and I virtualize it into a disk that does not physically exist and present it as a virtual disk. That is my idea, instant decompression, and it is the main software I am working on.

What do I want to tell you? Even a good programmer has ideas, but can a program be written out of thin air? Very hard. Generally we refer to other software and their ideas. At the time I had the idea of doing WinMount, and I built it by referring to a similar piece of software. Of course, the functions of my software are completely different from that software's. That software had a sub-function that could virtualize into a disk. I thought it was good and wanted to build that function into the project I was thinking of at the time, so I reversed the software and took out the part I needed.

Therefore, being cracked is not terrible; what is terrible is being reversed. If your software is reversed, several pieces of software with the same features will appear, and all your technology will be gone.

III. How to approach an encryption product

How should we develop an encryption product?

We have just rejected the traditional encryption software: packers are no good, and virtual machines are no good. First, we need to consider the first question: what should we use as the input to our encryption? For example, if I use C++ source code as the input, how do I make it hard to understand? This is hard work, because your source code is messy and the compiler will optimize it, so this step won't work. So most products choose the final executable, the EXE, as the input; both packers and virtual machines now use this method. I usually describe their methods this way: a packed program is a baozi, a steamed bun. The EXE already exists; if you want to protect it, can you just wrap a layer around it? Virtual machines I call holes. Say a house has been built; it is finished, not under construction, but you feel insecure, so I knock out two bricks and replace them with stone. Is that safe? So we think their approach is inappropriate. In actual analysis there are also problems. For example, a function occupies 2 KB. Generally, virtual machine software fills that 2 KB with some random code; the function before it cannot be moved and the function after it cannot be moved, so this is a hole. A good analyst must be able to recognize it: before I even analyze the function, I know how big it is, and you have already lost the encryption war.

After analyzing the two possibilities above, we feel neither method is good, so I came up with a method that uses the compiler's intermediate file, the OBJ, as the encryption input. I did not know of it at the time; so far I have used this method on only one piece of software. I think it is a good method. What are the advantages? My encrypted code is seamlessly joined to the project. Another is that analyzing the OBJ format is much simpler than analyzing C++ source code. My OBJ file has symbols; the OBJ tells me that there is a symbol here. So I think disassembling an OBJ is safer than disassembling an EXE.

The specific method is: parse the OBJ file, keep the data part unchanged, disassemble the code part, convert it into hard-to-understand code, output an ASM file, call the assembler to generate a new OBJ, and link it into the final target file.

If you want to keep your code secure, you should not use data that easily discloses your information. You can mask the data or compute it in code.

Because distorted encryption transformation takes OBJ as input, and as you know a library file (LIB) is actually a collection of OBJ files, we can encrypt the OBJs in a LIB one by one and put them back with the LIB tool; it is safer to build our projects with such libraries.

To analyze a program we always need to first understand some library functions, finding printf, CString::Format, fopen and other key functions. Once these basic functions are found, it is not hard to understand a piece of software. Conversely, if these basic functions cannot be found or understood, the analysis cannot even begin.

IV. Problems Encountered

The OBJ generated by the C++ compiler cannot always be reproduced from ASM, for example the COMMON section and WEAK symbols. Currently I handle this by changing the symbol name: change the symbol to symbol-name-weak, assemble it into an OBJ, and then patch it back. Rename the symbol, then restore it after assembly; this is one solution.
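As an added example, not from the talk and not code from the distorted encryption transformation tool, the following Python script carries out the first step of the method in section III (parse the OBJ, separate the code part to be transformed from the data part to be kept) and flags the two cases from section IV (COMMON symbols and weak externals) that need the rename-and-patch-back treatment. The record layouts and flag values are those of the PE/COFF object format; the sample object, the function names (`build_sample_obj`, `parse_obj`, `plan_transformation`, `emit_data_asm`) and the `_weak` rename suffix are this example's own choices. The parser handles only short (8-byte) symbol and section names and ignores relocations, which is enough to show the classification.

```python
import struct

# COFF section characteristics (values from the PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# COFF symbol fields (values from the PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SYM_UNDEFINED = 0
IMAGE_SYM_CLASS_EXTERNAL = 2
IMAGE_SYM_CLASS_STATIC = 3
IMAGE_SYM_CLASS_WEAK_EXTERNAL = 105

HDR = "<HHIIIHH"        # file header, 20 bytes
SEC = "<8sIIIIIIHHI"    # section header, 40 bytes
SYM = "<8sIhHBB"        # symbol record, 18 bytes


def build_sample_obj():
    """Constructed i386 COFF object (not real compiler output): a .text section with a
    tiny function, a .data section with a string, an external code symbol, a static data
    symbol, a COMMON symbol and a weak external with its auxiliary record."""
    text = bytes([0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3])  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    data = b"licensed\0"
    sections = [
        (b".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", data, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    raw_off = 20 + 40 * len(sections)
    sec_hdrs, raw = b"", b""
    for name, body, flags in sections:
        sec_hdrs += struct.pack(SEC, name.ljust(8, b"\0"), 0, 0, len(body), raw_off + len(raw), 0, 0, 0, 0, flags)
        raw += body

    def sym(name, value, secnum, sclass, naux=0):
        return struct.pack(SYM, name.ljust(8, b"\0"), value, secnum, 0, sclass, naux)

    symtab = b"".join([
        sym(b"_main", 0, 1, IMAGE_SYM_CLASS_EXTERNAL),                      # defined in section 1 (.text)
        sym(b"_msg", 0, 2, IMAGE_SYM_CLASS_STATIC),                         # defined in section 2 (.data)
        sym(b"_buf", 64, IMAGE_SYM_UNDEFINED, IMAGE_SYM_CLASS_EXTERNAL),    # COMMON: undefined, Value = size
        sym(b"_helper", 0, IMAGE_SYM_UNDEFINED, IMAGE_SYM_CLASS_EXTERNAL),  # plain undefined external
        sym(b"_weakfn", 0, IMAGE_SYM_UNDEFINED, IMAGE_SYM_CLASS_WEAK_EXTERNAL, 1),
        struct.pack("<II10x", 3, 1),  # weak-external aux record: TagIndex = symbol 3, search characteristics
    ])
    header = struct.pack(HDR, IMAGE_FILE_MACHINE_I386, len(sections), 0, raw_off + len(raw), 6, 0, 0)
    return header + sec_hdrs + raw + symtab + struct.pack("<I", 4)  # empty string table


def parse_obj(blob):
    """Read the file header, section headers (with raw data) and the symbol table."""
    machine, nsec, _ts, sym_off, nsyms, _opt, _chars = struct.unpack_from(HDR, blob, 0)
    sections = []
    for i in range(nsec):
        name, _vs, _va, size, raw_ptr, _pr, _pl, _nr, _nl, flags = struct.unpack_from(SEC, blob, 20 + 40 * i)
        sections.append({"index": i + 1, "name": name.rstrip(b"\0").decode(), "size": size,
                         "flags": flags, "data": blob[raw_ptr:raw_ptr + size]})
    symbols, i = [], 0
    while i < nsyms:
        name, value, secnum, _typ, sclass, naux = struct.unpack_from(SYM, blob, sym_off + 18 * i)
        symbols.append({"index": i, "name": name.rstrip(b"\0").decode(),
                        "value": value, "section": secnum, "class": sclass})
        i += 1 + naux  # skip auxiliary records, they belong to the symbol just read
    return machine, sections, symbols


def plan_transformation(blob):
    """Decide what the obfuscator would do with each section and symbol."""
    _machine, sections, symbols = parse_obj(blob)
    plan = {"transform": [], "keep": [], "special": []}
    for s in sections:
        # only code sections are disassembled and rewritten; data is copied through unchanged
        (plan["transform"] if s["flags"] & IMAGE_SCN_CNT_CODE else plan["keep"]).append(s["name"])
    for sym in symbols:
        if sym["class"] == IMAGE_SYM_CLASS_WEAK_EXTERNAL:
            # weak externals have no assembler syntax: rename for the ASM round trip,
            # then patch the original record back into the reassembled OBJ
            plan["special"].append((sym["name"], "weak", sym["name"] + "_weak"))
        elif (sym["class"] == IMAGE_SYM_CLASS_EXTERNAL
              and sym["section"] == IMAGE_SYM_UNDEFINED and sym["value"] != 0):
            # COMMON symbol: undefined with a non-zero size, also absent from plain ASM output
            plan["special"].append((sym["name"], "common", sym["value"]))
    return plan


def emit_data_asm(section):
    """Re-emit a kept section as NASM-style db lines so its bytes survive reassembly unchanged."""
    lines = [f"section {section['name']}"]
    body = section["data"]
    for i in range(0, len(body), 8):
        lines.append("    db " + ", ".join(f"0x{b:02X}" for b in body[i:i + 8]))
    return "\n".join(lines)


if __name__ == "__main__":
    obj = build_sample_obj()
    print(plan_transformation(obj))
    print(emit_data_asm(parse_obj(obj)[1][1]))
```

Running the script prints the plan, which puts `.text` in `transform`, `.data` in `keep`, and lists `_buf` (COMMON, 64 bytes) and `_weakfn` (weak, to be renamed) under `special`; a real tool would then disassemble the `.text` bytes, rewrite them, and feed both parts to the assembler.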

V. Thoughts on transformation

Virtual machine transformation is very powerful and complicated, and that is also its disadvantage. Its transformation is not mysterious and not terrible; you can think up a virtual machine yourself. Think boldly: if I have an 8-bit CPU, then when you encounter a 32-bit instruction and want to implement that code on your 8-bit CPU, you have to write a long string of instructions to complete one 32-bit instruction.

It has a high rate (expansion ratio), but the rate is not adjustable. For my approach I chose a variety of low-rate transformations applied iteratively, so that the rate can be adjusted freely, and the strength is not bad at all. Most importantly, I can encrypt all files at a low rate, and the key parts at a high rate.
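As an added example, not part of the talk and not code from the author's tool, the following Python sketch shows what "a variety of low-rate transformations applied iteratively" means on a toy three-register IR constructed for the purpose. Each rule is a small semantics-preserving substitution with a rate of 1x or 2x; `rounds` and `prob` tune the overall expansion rate, and a reference interpreter checks that every setting computes the same result. The `mov_via_xor` rule also illustrates section III's point that a constant can be computed in code instead of stored as plain data. The IR, the rule names, the sample program and the function names are this example's own assumptions.

```python
import random

MASK = 0xFFFFFFFF  # 32-bit register arithmetic

# Toy IR (constructed for this example): (op, dst, src). Operands are register names,
# integer immediates, or "[esp]" for the top of the stack. push/pop carry src = None.
PROGRAM = [
    ("mov", "eax", 0x1234),
    ("mov", "ebx", 7),
    ("add", "eax", "ebx"),
    ("push", 0x42, None),
    ("pop", "ecx", None),
    ("sub", "ecx", 2),
]


def run(prog):
    """Reference interpreter: executes the IR and returns (registers, stack)."""
    regs = {"eax": 0, "ebx": 0, "ecx": 0}
    stack = []

    def get(o):
        if isinstance(o, int):
            return o
        return stack[-1] if o == "[esp]" else regs[o]

    def put(o, v):
        v &= MASK
        if o == "[esp]":
            stack[-1] = v
        else:
            regs[o] = v

    for op, dst, src in prog:
        if op == "mov":
            put(dst, get(src))
        elif op == "xor":
            put(dst, get(dst) ^ get(src))
        elif op == "add":
            put(dst, get(dst) + get(src))
        elif op == "sub":
            put(dst, get(dst) - get(src))
        elif op == "push":
            stack.append(get(dst) & MASK)
        elif op == "pop":
            put(dst, stack.pop())
        else:
            raise ValueError(op)
    return regs, stack


# Each rule is (applies?, rewrite). Every rewrite is a small, semantics-preserving
# substitution with a low expansion rate; strength comes from applying them repeatedly.
def is_mov_imm(i):
    return i[0] == "mov" and isinstance(i[2], int)

def mov_via_xor(i, rng):        # mov r, v  ->  mov r, v^k ; xor r, k   (constant computed, not stored)
    k = rng.randrange(1, MASK)
    return [("mov", i[1], i[2] ^ k), ("xor", i[1], k)]

def mov_via_stack(i, rng):      # mov r, v  ->  push v ; pop r
    return [("push", i[2], None), ("pop", i[1], None)]

def is_push_imm(i):
    return i[0] == "push" and isinstance(i[1], int)

def push_via_sub(i, rng):       # push v  ->  push v+k ; sub [esp], k
    k = rng.randrange(1, MASK)
    return [("push", (i[1] + k) & MASK, None), ("sub", "[esp]", k)]

def is_addsub_imm(i):
    return i[0] in ("add", "sub") and isinstance(i[2], int)

def flip_sign(i, rng):          # add r, v  ->  sub r, -v  (and vice versa); rate 1x
    return [("sub" if i[0] == "add" else "add", i[1], (-i[2]) & MASK)]

RULES = [(is_mov_imm, mov_via_xor), (is_mov_imm, mov_via_stack),
         (is_push_imm, push_via_sub), (is_addsub_imm, flip_sign)]


def transform(prog, rounds, prob, seed=0):
    """Apply `rounds` passes; in each pass every instruction with an applicable rule is
    rewritten with probability `prob`. rounds and prob together set the expansion rate."""
    rng = random.Random(seed)
    for _ in range(rounds):
        out = []
        for ins in prog:
            rules = [rw for ok, rw in RULES if ok(ins)]
            if rules and rng.random() < prob:
                out.extend(rng.choice(rules)(ins, rng))
            else:
                out.append(ins)
        prog = out
    return prog


def expansion_rate(prog, rounds, prob, seed=0):
    """Output length divided by input length for the given settings."""
    return len(transform(prog, rounds, prob, seed)) / len(prog)


if __name__ == "__main__":
    for rounds in (0, 1, 3, 6):
        out = transform(PROGRAM, rounds, 0.8)
        assert run(out) == run(PROGRAM)  # every setting is semantically equivalent
        print(f"rounds={rounds}: {len(out)} instructions, rate {len(out) / len(PROGRAM):.1f}x")
```

Running the script shows the same final register state for every setting while the instruction count grows with `rounds`; a whole-file pass would use a low `rounds`/`prob`, and the key functions a high one, which is the adjustable rate the talk contrasts with a virtual machine's fixed expansion.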

In fact, it is not necessary to make the code difficult that way. Isn't it about distorting the code? Isn't it about confusing the code? Does it have to be a virtual machine? I mean, we don't have to use virtual machines. I think virtual machine transformation is just a set of well-designed transformations, a set of transformations and rules, although this set of rules is very
