Computer encryption anti-tracking technology ciphertext Technology

Computer encryption anti-tracking technology ciphertext Technology

1) Tracking Technology
We all know that DOS has a powerful dynamic tracing debugging software debug, which can implementProgramIn fact, this is because of the single-step interruption and breakpoint interruption, and most of the current tracing debugging software uses these two interruptions.

One-step interruption (int1) is an interruption caused by the internal state of the machine. When the TF mark (one-step tracking mark) of the system flag register is set, A single-step interruption is automatically generated, so that the CPU can stop after executing a command and display the content of each register.
Breakpoint interrupt (int3) is a soft interrupt, also known as a self-trapping command. When the CPU executes the self-trapping command, it enters the breakpoint interrupt service program, the breakpoint interrupt service program displays the content of each register at the breakpoint.
G Command Execution Process: The G command in debug is used to run the program. However, when the G command is followed by a breakpoint parameter, the program can be interrupted at the breakpoint, and display the content of each register, which can greatly improve the tracking speed. It is implemented by calling the breakpoint interrupt: de-bug first saves the Set breakpoint command, instead of the breakpoint interrupt int3 command, when the program executes the int3 command at the breakpoint, it will interrupt the breakpoint and replace the command at the previously saved breakpoint with int3. This completes a complete set of breakpoint g commands. A reasonable combination of single-step interruptions and breakpoint interruptions can generate powerful dynamic debugging and tracking functions, which poses a huge deterrent to the disk encryption technology, therefore, it is necessary to destroy single-step interruptions and breakpoint interruptions in anti-tracking technology and become a "Required Course" in anti-tracking technology ".

2) Anti-Tracking Technology
As the protector of the anti-Copy technology, the anti-tracking technology is the most technically visible part of the entire disk encryption technology. If it has a slight vulnerability, it will affect the reliability of the entire disk encryption technology. however, no vulnerability-free anti-tracking technology is available. With the passage of time, the update of programming tools, and the accumulation of experience, anti-tracking technology will only approach perfectly, but it is certain that: it will not be perfect. This is the same principle as "absolute and relative" in philosophy. Although an excellent anti-tracking technology certainly has minor vulnerabilities, its other technologies can make up for and minimize this vulnerability. This is the excellence of this anti-tracking technology. An effective anti-tracking technology should have three major features:

Important program segments cannot be changed or changed: the decryption process of prolok is implemented by modifying the fingerprint interpretation program segment, which is actually a failure of the anti-tracking technology in the laser encryption system, an effective anti-tracking technology should protect some or even all of the program segments in the encryption system. If any of the content is modified, an error will occur, the main methods include methods such as accumulate, accumulate, or exclusive, and program segments. At the same time, ensure that important program segments must be executed. The methods mainly include encryption program segmentation encryption and layer-by-layer decryption during running, layer-by-layer clearing method, that is, only when an important program segment is run can the nextCodeConvert from password to plaintext;
Decoding without the encryption systemAlgorithmPassword cannot be decrypted: in order to create a closed encryption system and prevent the use of external self-compiled subprograms or even manual password conversion, the password can only be converted by the encryption system's decoding program;
The encryption system cannot be dynamically tracked and executed: the dynamic tracking is a glimpse of the encryption system, so the anti-tracking technology should definitely prohibit the dynamic tracking of the encryption system.
The anti-tracking technology mainly uses the following methods:

Suppress trace interruption: the debug T and G commands respectively run the system's one-step interrupt and breakpoint interrupt service programs. In the system vector table, the two interrupt vectors are 1 and 3, respectively, the endpoint address of the interrupt service program is stored in the four bytes starting at and starting at 0000: 000c. Therefore, after the content in these cells is modified, the T and G commands cannot be executed normally. The specific implementation method is as follows:
(1) Use these units as stacks;
(2) Send necessary data for software operation in these units;
(3) store the address of a subroutine in the software in these units, and use the int1 and int3 commands to replace the call command when calling the software;
(4) The entry address of the punitive program.

Block keyboard input: all kinds of tracing debugging software must receive commands issued by the operator from the keyboard while working, and display the debugging tracing results from the screen, this is also the minimum requirement of various tracing debugging software for the running environment. Therefore, anti-tracking technology is designed to address this "weakness" of tracing debugging software. These peripheral devices are disabled when the encryption system does not need to input or output information from the keyboard or screen, to damage the running environment of the tracing and debugging software. The hardware interrupt mode is used for keyboard information input. The keyboard interrupt service program in the BIOS receives, recognizes, and converts the information, and finally sends it to a keyboard buffer that can store 16 characters. The anti-tracking technology for these processes can adopt the following methods:
(1) Change the entry address of the keyboard interrupt service program and bios keyboard I/O interrupt service program: the interrupt vector of the keyboard interrupt is 9, biOS keyboard I/O interrupt vectors are 16 h, and their interrupt service program entry addresses are stored in the memory addresses 0000: 0000 h and: in the four bytes starting from H, if the content in these addresses is changed, the keyboard information cannot be entered normally.
(2) prohibit keyboard interruption: a keyboard interrupt is a blocking interrupt. You can send a blocking control word to the 8259 interrupt controller to shield the keyboard interrupt. The keyboard is controlled by the 1st-bit Interrupt Mask register. You only need to set this position to 1 to disable the keyboard interrupt.
Inal, 21 h
Oral, 02 h
Out21h, Al
When you need to enable keyboard interruption, you also need to use three commands:
Inal, 21 h
Andal, FDH
Out21h, Al

(3) prohibit receiving of keyboard data: the receiving of keyboard data is completed by the 8255a parallel interface on the motherboard. Port A is used to receive the Keyboard Scan code, and port B's 7th bits are used to control the reception of port A. The value 0 indicates that the keyboard is allowed to input and 1 indicates that the keyboard is cleared. Under normal circumstances, after receiving the scan code from the keyboard from Port A, you must clear the keyboard and then allow the keyboard input. In order to block the keyboard input, we only need to set port B's 7th position 1:
Inal, 61 H
Oral, 80hout61h, Al
To restore the keyboard input, run the following three commands:
Inal, 61 H
Andal, 7fh
Out61h, Al

(4) do not accept the specified key method: In debug, T, P, and g are key commands used for Dynamic Tracing. If the key commands of the encryption system are, if the encryption system must receive information from the keyboard during operation (in this case, the encryption system is easily intercepted by various tracing and debugging software, so we should avoid it as much as possible ), you can modify and expand the keyboard interrupt service program so that it does not accept sensitive key codes such as T, P, and g to achieve the purpose of anti-tracking. Of course, this is a method that cannot be taken because it has considerable limitations and vulnerabilities: First, if the encryption system is receiving information, this method may involve T, P, and other key codes. Second, the dynamic Debugging commands in debug are T, P, and G. What about other tracing debugging software? Obviously, other software may not necessarily be these commands, and there are also dynamic Debugging commands consisting of two key codes, three key codes, and more key codes.
3. set the display performance of the monitor: When the encryption system does not need to display information on the screen, you can disable the screen in various ways, so that the decryption cannot obtain any information returned by the tracing debugging software, to prevent the decryptor From deciphering the encryption system. This anti-tracking technology also has five types of implementation methods:

(1) screen blocking: You can reset the screen features to set the foreground color and background color to the same color, so that the decrypted cannot see debugging information during tracking:
Movah, 0bh
Movbh, 0
Movbl, 0
Int10h

At this time, the background color and Character Color of the screen are set to black. To restore the display characteristics of the screen, you can replace the BL value in the above 3rd instructions with 1 ~ 7, the character color becomes deep blue, green and red.

2) check whether the encryption system is under monitoring: When information is displayed for various tracing and debugging software, operations such as on-screen volume and page feed will inevitably occur, therefore, you can often check the status of some locations on the screen. If there is a change, someone must be tracking the program. The following command can be used to obtain screen information:
Movah, 02
Movbh, 0
Movdh, row cursor Value
Movdl, column cursor Value
Int10h
Movah, 08
Int10h

In this way, you can read the characters and attributes at the cursor.
(3) modify the entry address of the display I/O interrupt service program: the interrupt entry address of the display I/O interrupt int10h is stored in four bytes starting from the memory address 0000: H, modifying the content in these four bytes can destroy or expand the display I/O interrupt service program.
(4) timed Screen Cleaning: by expanding the clock interruption, You can regularly clear the screen when the clock is interrupted.
(5) direct operations on the video buffer zone: Each machine has a fixed position and length of the video buffer zone (the specific position and length vary with the display type ), however, all information on various monitors is the response of information in the video buffer zone. If the software operates the video buffer directly, the display speed of Billy's display interruption is much faster. Now many advanced tracing debugging software adopts this method. First, the speed is improved; second, it is aimed at the anti-tracking technology. Therefore, it is far from enough to modify only the entry address of the display interrupt. It also needs to modify and expand the clock interrupt, regularly and frequently refresh the content in the new video buffer.
Detection tracing method: When the decryption uses various tracing debugging software to analyze and execute the encryption system, it will inevitably cause many inconsistencies with the normal execution of the encryption system, such as running environment, interrupt entry, and time difference. If some measures are taken for inconsistencies in the anti-tracking technology, it can also protect the encryption system. The key to implementing this method lies in the following two aspects: first, if the encryption system is detected to be tracked, and second, how to process it after detection, the previous implementation mainly relies on the in-depth understanding of the DOS kernel and tracing debugging software by the encryptor, the latter is generally an endless loop, a machine is started, or a program is prompted to illegally track and stop running, but it does not rule out programs with punitive actions, here we will only focus on the first aspect: (1) Timing Detection: the time taken by a program to run normally and be tracked varies greatly, it can be imagined that a tracked program usually takes a very long time. The anti-tracking technology captures this feature and determines whether the program is tracked based on the execution duration. Note: ① determine the time required for normal running of the program: the value of this time is generally a little longer than the running time of the least slow machine (8088, if we find that the execution time is greater than the specified time value, we can ensure that the current program is tracked and executed. ② we find that the execution time is less than the specified time value, and cannot be considered? Never tracked. This is because the T and G commands of DEBUG disable all blocked interruptions during execution, and the clock interruption used for timing is no exception, therefore, if you use the T and P commands to dynamically track and execute the program, the clock count will be completely stopped, there may be situations where the execution time is much smaller than the specified time value (or even time-consuming exceptions ). In addition to the suppression trace interruption Method, the solution can also be solved through the interruption of time 1ah: If the clock does not move, it enters an endless loop.
Movah, 0

Int1ah; read the current clock Value

Movbx, DX; the read clock is low and stored in the BX

Loop: movah, 0

Int1ah

Cmpbx, DX; compare whether the lower part of the clock changes
Jzloop; re-reading is returned if the clock is not moving

another possibility is that the decryption tool simplifies the encryption program, which may cause the execution time to be less than the specified value, the Countermeasure of this method is to add regular detection of data changes in key parts in the anti-tracking technology and to implement the Code Protection Law. (2) Occasional Detection: The time judgment function is added to the encryption system, and the key parts of the encryption system are determined when the time meets certain conditions, if the key part does not exist or changes are detected, it can be determined that the encryption system has been damaged and the corresponding response should be made immediately. Such anti-tracking technologies can appear everywhere in the encryption system. To increase the difficulty of decryption, such anti-tracking technologies can also be closely linked and linked, this makes it impossible to decrypt data. If this type of technology is used in large programs, it can greatly improve the reliability of the disk encryption technology, and even almost cannot be decrypted. (3) Clock interruption: int8 is executed every 55 ms. It mainly handles two tasks: one is timing, the other is to manage the Opening and Closing Time of the floppy disk drive, and the other is to call int1ah and int1ch interrupt again when it is executed, the int1ch interrupt is essentially an interruption of an empty operation. It is mainly used to replace a user with a self-designed interrupt service program when the user has certain periodic work. In the anti-tracking technology, when clock interruption is used, you can regularly check the execution of foreground tasks. If you find that foreground programs are illegally tracked and debugged, You can take appropriate measures immediately, the interrupt vector table can also be periodically checked, the execution time of the computing program, the ciphertext decoding operation, and the timer clear screen mentioned above. The clock interrupt method is a very effective anti-tracking technology. By extending the int1ch interrupt, the clock interrupt can complete many tasks. However, it should be noted that the extended program should not be too large, to avoid affecting the execution speed of the foreground program. (4) PSP method: each program must create a corresponding program segment prefix PSP during execution. When the program is not tracked and executed, the two bytes starting from 14h and 16h in PSP are the same, the content will not be the same when the trail is running. (5) interrupt Detection: if an executed program is not tracked, the endpoint addresses of int1 and int3 are the same and all are dumb interruptions. If it is tracked, the opposite is true, therefore, you can check the entries of int1 and int3 to determine whether the entries are tracked.

Damage interrupt vector table: DOS provides 256 interrupt calls from 0 to FFH (see table 1), which reside in a low memory address, the corresponding entry address is located in memory from to 0000: 03ffh. Each entry address consists of four bytes. The first two bytes are the program offset addresses, the last two bytes are the segment address of the program. Debugging and other tracing debugging software use various interruptions provided by DOS in a large amount during operation, which is more powerful than debug, even the advanced anti-backtracing debugging software designed for anti-tracking technology also calls dos interruptions. A typical example is to use other interruptions to replace the anti-backtracing Technology of breakpoint interruptions. Damage to the interrupt vector table can obviously fundamentally damage the operating environment of all tracing and debugging software, so as to achieve the ultimate goal of "not to renew. DOS and bios have a 40-segment data zone, which is located in the memory of 0040: 0000 to 0040: 00ffh. These 256 bytes are stored in the current system configuration, modifications to this content will directly affect the normal operation of various trace debugging software. Since lock89, we have already used the reverse tracking technology that destroys the interrupt vector table and some 40-segment data blocks, because of its outstanding performance, until lock93 is retained and used. The damage interrupt table has also appeared in other anti-tracking technologies, such as restraining the trace interrupt, changing the keyboard interrupt service program endpoint address, and modifying the display interrupt service program endpoint address, therefore, destroying an interrupt table is an anti-tracking technique that involves a wide range of excellent results. It can prevent the decrypted from directly or indirectly dynamic tracking of the encryption system to the maximum extent, the decryption technology faces a new problem.
Set the stack pointer method: When the debugging software is running, operation actions on the stack will be generated, for example, saving the breakpoint. Therefore, the use of the stack pointer is very important in the anti-tracking technology. For example, to design the value of the stack pointer, and strive to make the design results have a certain degree of anti-modification, in this case, the decryption will not attempt to continue tracking by modifying the value of the stack pointer again .! Tb1_13100.gif
(1) set the stack pointer to the ROM area: the ROM in the read-only storage area cannot store data. If the stack pointer points to the ROM area, data cannot be saved, this will make the tracing debugging unable to continue.
(2) In the program segment: If the stack pointer is located in the program segment to be executed, any stack operation will destroy the program code and make the program unable to run normally.
(3) In the interrupt vector table: int1 and int3 are the interruptions that the anti-tracking technology must destroy. Therefore, the stack pointer is located in the low address segment of the memory, A small amount of stack operations can be performed (tracing debugging software usually requires a large number of stacks to store data), and the entry address of single-step and breakpoint interruption can be broken.
(4) use the stack pointer for its purpose: If you confirm that there is no stack operation, you can use the stack pointer for other purposes, such as saving frequently-changing data, in this way, the value of the stack pointer can be changed frequently, so that it cannot store data at all. The stack pointer setting method is an anti-tracking technique designed for dynamic tracking, but its application has certain limitations: (1) Ensure that the program segment to be executed cannot carry out effective stack operations; (2) to perform stack operations, you must first restore the correct Stack pointer. Setting the stack pointer does not affect the data storage during clock interruption, because system stacks are used for data storage during system interruption such as clock and keyboard, unlike a single-step or breakpoint interrupt, a stack is used to save a breakpoint.
Implements block encryption for Programs: to prevent the encryption program from being decompiled, it is best to load the encryption program into the memory in the form of block ciphertext. During execution, the encryption program performs decoding on it by the previous encryption program, in addition, you must immediately clear a part after execution, so that you cannot obtain the complete decryption program code from the memory at any time. This method not only prevents disassembly, but also prevents the decrypted from setting breakpoints, thus preventing dynamic tracing from one side.
Verify the program segment: the decryption of an encryption program is often only a modification to several key commands. Therefore, it is necessary to verify the protection of the program segment, especially the key commands, in this way, attackers can prevent unauthorized instruction tampering. The specific methods include accumulate, or exclusive, and program segment.
Confusing and dragging the decryption staff: to confuse and paralyze the decryption staff, you can set a "trap" for the decryption staff in the encryption system, which can consume the time and energy of the decryption staff, it can also erase the morale and perseverance of the decrypted.
(1) setting a large loop: The simpler the program, the easier it will be to read, and the more convenient it will be to trace. In the encryption system, setting a large loop can consume the decryption efforts, extend the time for tracking and deciphering the encryption system. This anti-tracking technology has been widely used and achieved good results. The specific implementation method is: set multiple cycles in the encryption program, and enable the previous loop to start the next loop, and the next loop to start the next loop, in addition, subprograms can be called frequently, and a loop cannot be omitted or executed.
(2) Waste Instruction Method: This method is called the waste Instruction Method in anti-tracking technology. It is used to set an appropriate useless program segment in the encryption program and set a program such as a large loop. There are three points to ensure the implementation of the waste Instruction Method: ① The Waste instruction should be carefully organized and arranged, so that the decryption personnel should not be informed of the organs. This is the basic point that the waste instruction method should possess, because it aims to induce the decrypted to study and crack themselves and drag the decrypted during the cracking process, it is very important to disguise the waste instruction method itself; ② The waste commands used should use a large number of unfamiliar commands or calls of dos internal functions to consume the decrypted energy and deciphering time to the maximum extent; ③ to ensure that the waste instruction segment that does not implement any function cannot be exceeded, this is an important issue that should be paid attention to by the waste instruction method, because if it can be easily exceeded, this indicates that the waste instruction method adopted by the encryption system is a failed anti-tracking technology.
(3) program self-generation technology: program self-generation refers to the use of the above program to generate the command code to be executed during the running process of the program, and set various anti-Tracking Techniques in the program. In this way, the disassembly instruction is not the code of the command to be executed, but the key instruction code can also be concealed. However, due to the high implementation cost, it is generally only applicable to some key commands.

Command stream queue Method: In order to improve the running speed of the CPU, a command stream queue is specially opened to store the commands to be executed, which saves the CPU time to wait for the command. However, the use of IT can also confuse the decrypted and prevent dynamic tracking of encryption programs. When the program runs normally, its subsequent commands are stored in the Command stream queue, and the tracing debugging program is completely different, because it involves the dynamic modification of the program instruction code (including subsequent instructions), no matter whether the subsequent instructions are stored in the instruction flow queue, all the modified commands will be executed (including Subsequent commands), which is the opposite of normal execution of the program, because during normal execution, the CPU only reads the commands from the instruction flow queue, even if the subsequent commands have just been modified by the commands being executed. This is a well-conceived anti-tracking technology. Now we list a anti-tracking program based on this principle:
Jmps2

S1: jmps1; endless loop

S2: leasi, S1

Leadi, S3

Pushcs

Pushcs

POPPS

Popes

ClD

Lodsw
Stosw

; Designed to store the commands at S1 in S3. If other commands at S3 have been stored in the Command Flow queue during normal execution, the commands will run normally, otherwise, execute the endless loop command S3 at S1: Other commands.
9. reverse instruction stream method: the instruction code is stored in the memory from a low address to a high address, and the CPU executes commands in the same order. This process is implemented by hardware, this rule has been firmly accepted by humans and tracing and debugging software. In this regard, the reverse instruction flow is designed to change the way in which commands are executed in order, so that the CPU executes commands in reverse order, so that the decrypted cannot read the instructions that have been in reverse order, this prevents the decryptor from tracking the program. Because the sequential execution of commands is determined by the hardware, it is very difficult and cumbersome to design the CPU to execute commands in reverse order in the way of software, however, the reverse instruction stream method is a very attractive and promising anti-tracking technology. If we can successfully apply this technology to disk encryption, it is bound to cause huge pressure and deterrence to the decrypted. In recent years, various newspapers and periodicals have made in-depth discussions on this anti-tracking technology. This article will extract the essence of this technology to introduce you to the implementation of the reverse instruction flow method. One-step interruption is a means that DOS provides tracing programs. This interruption is widely used in tracing debugging software and is a "dead enemy" of anti-tracking technology. However, if it is used properly, it can also become a "friend". The reverse instruction flow method is an example: Because the sequential execution commands are controlled by hardware, so the method to change this rule using software only uses the following two points: ① reverse arrangement of the instruction code in the memory, that is, from the high address to the low address; ② when executing a command, then, sort the commands in the normal order to meet the hardware requirements. The former is static and can be properly arranged during the design, while the latter is complicated. First, how to reverse the Code while executing commands continuously; second, the command length is different. How can we quickly understand how long the next command code is to be followed? This is done by setting the single-step interrupt mark and modifying the single-step interrupt service program.

(1) set the one-step interrupt flag so that the CPU switches to the int1 interrupt service program every time it executes a command, and simultaneously modifies the int1 interrupt service program, this enables the forward direction of reverse commands and the function of modifying the Cs: IP address value and decreasing the IP pointer artificially. Set the one-step interrupt flag, that is, set the 8th-bit t of the sign register to 1. The program is as follows:
Pushf

Popax

Orax, 0100 hpushax

Popf

(2) modify the Cs: IP value: After the command at the X address is executed, the hardware automatically completes the incremental modification of the IP value (sequential execution ), change the IP value to Y (Y> X) and point to the next command to be executed (normally ). Then, based on the value of X and Y, we can determine the exact length (Y-X) of the instruction code at the X address, so as to roll out the address Z (z <X) of the next instruction at the reverse time ): z = x-(Y-X) = 2x-y, knowing the address of the next instruction in the reverse direction, you can change the IP address in the protected interrupt scene in int1 interrupt service program from Y to Z.
(3) command direction: first, to ensure the system speed and reduce the length of the extended int1 interrupt service program, when determining the length of the forward instruction code, the maximum instruction code of a PC is 6 bytes. The length of the instruction code is determined, and the rest is the direction of the instruction code: Because the CPU can only execute the instruction in the direction, therefore, you must copy the content of the first five bytes of the Z address to the unit behind the Z address, and in order to avoid damaging the information, you need to temporarily Save the content in the five units following the Z address so that it can be restored next time. Problems that should be paid attention to during the implementation of the reverse instruction Flow Method: ① because of the existence of the instruction flow queue, the addresses that enter int1 for the first time are different, this is because the size of the instruction stream queue varies with the CPU: the size of the 8088cpu instruction stream queue is 4 bytes, 80286 is 6 bytes, and 80386 is 16 bytes, therefore, the number of subsequent commands in the Command Flow queue is also different, which leads to different CPUs and different addresses for the first int1 call. The solution is to insert the appropriate null Operation Command Nop (90) instead of arranging the execution command immediately after setting the single-step interrupt mark ); ② If there are Soft Interrupt commands in the reverse instruction flow program (starting with the command code CDH), the normal sequence of execution commands must be restored; otherwise, the program will run in reverse order in the Soft Interrupt service program. After the Soft Interrupt command is executed, set it to the reverse instruction stream running mode.
Hybrid programming: the primary task of deciphering an encryption system is to read programs, clarify program ideas, and address the vulnerabilities. In order to obstruct the decryption's analysis of the encryption program, you can try to design the program as disorder as much as possible to reduce the readability of the program. This method is specifically used in the anti-tracking technology, such as the mixed programming method, because the program readability of the advanced compilation language itself is poor (such as compiled basic, COBOL program, etc ), if several advanced languages are combined for writing and using, the readability of the program will be greatly reduced.
Self-developed Soft Interrupt 13 Technology: Because the fingerprint produced by the anti-Copy technology is generally stored on a floppy disk, the current disk encryption system has an obvious external feature: that is, you must call int13 to determine the authenticity of the fingerprint on the floppy disk. To call int13, ensure the correctness of the interrupt table (at least part of the interrupt table, such as int40 and int1e related to int13, even if we have previously used anti-tracking techniques such as destroying the interrupt table, we have to restore the content of the interrupt table at this time, which exposes our weaknesses too early, the entry parameters for int13 interruption are public. You can use the entry parameters to find out which sectors or channels the encryption program reads, we can even find out which anti-Copy technology is used by the encryption system. This gives the decryption a chance to attack the encryption system and poses a huge threat.