Distortion and transformation encryption

1. In general, encryption means shelling

How do we usually encrypt an executable file to keep it secure? Generally, a shell (packer) is used. A shelling tool works by encrypting and transforming the code and data of the executable and storing the result as data. The entry code of the generated target file is anti-tracking code prepared by the shelling software. After a long stretch of anti-tracking code, the code and data segments of the original executable are restored, and execution jumps to the original entry point and continues from there.

The disadvantage is that no matter how strong your encryption is and how powerful the anti-tracking code is, all the data is restored in memory as soon as the program runs. You only need to dump the memory image and disassemble it. Some tools can even save the dumped memory image directly as an executable file. At that point the encryption has failed completely. As everyone knows, simply shelling is not safe. We generally call this simple shelling approach a "compression shell".

So today's shelling software does more work on top of the "compression shell" described above, for example:

* Preventing the memory from being dumped. This is actually impossible. Windows is not a secure system, so how can you prevent memory from being dumped? There was once a shell on which I tried many methods without getting a successful dump. But in the end we still found a method that dumped it successfully. I was amazed at how many ways there are to dump; it is hard to prevent them all.
* Modifying the file entry code. Software is generally built with one of a few commonly used compilers. If the shelling software knows which compiler you used (which is easy to detect), it destroys the entry code and replaces it with functionally equivalent code of its own. A dumped image is then harder to find the correct entry point in, and it is much less likely to be saved directly as an EXE. But it can still be disassembled.
* There is also shell software that supports encrypting one or more key functions, some of it even using a virtual machine. But it can only focus on encrypting a few functions and cannot encrypt all of them, and there are many requirements on such a function, as you can imagine. If a function is written in a way that has no ret, its end address cannot be found, so how can it be encrypted?

Although shelling software can use the techniques above to hinder tracing, analysis and restoration, I think they still do not escape the central idea of a "shell". The techniques above are just small episodes under the premise of a "shell". It is still insecure.

2. The idea of distorted compilation

A metaphor: shell protection is like a baby on your desk. To protect it, you put a wire fence around the perimeter of your house. As long as someone breaks through the wire fence and enters your room, they see the baby on the desk at a glance. Of course that is not safe. The idea of key-function encryption is like putting a wire fence around the perimeter of the house and also locking the baby in a safe. If someone breaks through the fence and enters the room, they see the safe at a glance. Although the safe is not easily opened, what if they carry the safe away and work on it slowly? This is still not safe enough. The safest arrangement is that someone enters the room and can find nothing: there is no target at all. That is the biggest headache for an attacker.

Today's compilers all pursue efficient code execution, and the code patterns never change. An experienced programmer reads disassembly as easily as source code; there are no secrets. If we had a compiler whose goal was not efficiency but preventing the output from being read, that would be nice! I have C++ source code and I understand it; once it is compiled, nobody can understand through disassembly what I intended, or at least it is difficult. Unfortunately, such a compiler does not exist yet.
What if we wrote such a compiler ourselves? Unrealistic; the workload is far too heavy. Even starting from an open-source C++ compiler would not be enough. An encrypting compiler does not work either: once the EXE has been generated by compiling and linking, it can only be shelled. Is there no way? I came up with an idea: encrypt and transform the intermediate OBJ file, output an ASM file, assemble it into an OBJ with ML, and then link it! This method has several advantages:

* The OBJ file format is relatively simple. Processing it is not nearly as heavy as processing C++ source files.
* The OBJ file contains a lot of source-level information, such as symbol names, code, data and labels, which makes encryption easy. Much of this information is lost during the LINK step, so processing the EXE after LINK is very inconvenient.
* This is a brand-new idea! Encryption of code is no longer limited to shelling; every function and every instruction is encrypted, and nothing can be read at a glance.
* The encryption strength can be set easily. Some code can be lightly encrypted as needed, while other code is encrypted heavily.
* Nested encryption is supported. Several encryption transformations can be applied repeatedly, expanding the code without limit.
* Because the OBJ file is what is encrypted, both DLLs and EXEs can be encrypted smoothly. Drivers can also be handled on the same principle.

Our encryption software is coming soon! For the moment we call it the distortion converter 1.0.

3. The distortion converter

Once the idea existed, coding started. I had originally thought that, since the OBJ file format is documented, progress would be fast. I did not expect there to be so much still to consider. Every time I said this was the last problem and everything would be fine once it was solved, it kept dragging on. All told, it took about half a year to write. The major technical problems:

* The assembler ML puts all the code into one segment, which is not feasible; CL usually puts each function in its own segment.
* The assembler ML cannot generate COMDAT segments.
  Although the documentation says COMMON is supported, adding this keyword has no effect.
* The assembler ML does not support WEAKEXTERN.
* The assembler ML only supports the drectve keyword defaultlib; other keywords such as export and include are not supported.

In short, many attributes of a CL-compiled OBJ cannot be generated by ML. Microsoft's MASM should have been upgraded long ago. There are still other problems:

* Code and data cannot be clearly told apart. The data segment must be data, but the code segment may contain either code or data. Disassembling data as if it were code produces errors.
* ......

In any case, these problems were solved one by one (don't ask me how). The code distortion methods used:

* Use JMP to scramble the code. This is not a new trick, but it still works.
* Use JMP to interleave several functions together. That way the analyst cannot find where a function starts and ends.
* Change CALL. The attacker is extremely sensitive to call, so make sure no call can be found. For example, I can change call sub1 into:

    mov eax, offset sub1 + 3
    push offset @1
    sub eax, 3
    jmp eax
  @1:

* Change RET. The attacker is extremely sensitive to ret, so make sure no ret can be found. For example, I can write ret as:

    push ecx
    mov ecx, [esp + 4]
    add esp, 8
    jmp ecx

* Change conditional jumps. Conditional jumps are also extremely sensitive instructions. For example:

    cmp reg1, reg2
    jge L_DST
  L_NEXT:

  can be written as:

    push eax
    mov eax, reg1
    sub eax, reg2
    shr eax, 1fh
    neg eax
    and eax, L2 - L1
    add eax, L1
    jmp eax
  L1:
    pop eax
    jmp L_DST
  L2:
    pop eax
  L_NEXT:

  Look at this one again; what does it mean?

    push offset @L - offset L_3 + 23h
    jmp L_1
  L_2:
    jz L_3
    ret 4
  L_3:
    add dword ptr [esp + 4], offset L_3 - 23h
    add esp, 4
    ret
  L_1:
    call L_2
    ...

  A call and a ret appear here, but they are not what one expects. The call does not mean you have found a function call, and the ret does not mean the end of a function.
* Use the stack instead of registers.
  For example:

    mov eax, dword ptr [ecx + 0AD8h]
    push eax
    mov ecx, dword ptr [eax]

  can be written as:

    push eax
    push ecx
    mov eax, dword ptr [esp]
    add eax, 0AD8h
    mov eax, dword ptr [eax]
    mov dword ptr [esp + 04h], eax
    push dword ptr [esp + 04h]
    mov eax, dword ptr [esp]
    mov dword ptr [esp + 08h], eax
    mov eax, dword ptr [esp]
    mov eax, dword ptr [eax]
    mov dword ptr [esp + 04h], eax
    mov eax, dword ptr [esp]
    mov ecx, dword ptr [esp + 04h]
    add esp, 08h

  Can you follow it? Obviously this transformation cannot be reversed: there is no way to tell which register was used originally.
* ......

You can come up with many more distorting transformations. There is only one way to simplify code to its conventional form, but infinitely many ways to complicate it. There are also some features:

* In C, use #pragma code_seg(".code$curve_NoChange") to indicate that the code that follows is not to be encrypted. Sometimes code contains many loops, and encrypting it would seriously hurt efficiency.
* In C, use #pragma code_seg(".code$curve_Max") to indicate that the code that follows is to be encrypted heavily, for example code related to the registration algorithm.

I now call this distortion converter version 1.0, and it is very stable. I used it to process all the OBJs inside the VC6 LIB files and then used the lib.exe tool to write them back into LIB files, so we now have an encrypted library. If you link your software against this library, it is difficult for an analyst to tell from the assembly which function is printf and which is strcpy, and IDA cannot identify the library functions of a statically linked MFC. All of the VC6 libraries can be encrypted without a single mistake, so I believe it is strong and stable. A shareware program encrypted with it had nobody writing a keygen; reading such a large amount of transformed code is unimaginable. But some people still cracked it by brute force. I really admire them.
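The conditional-jump rewrite above picks its jump target from the sign bit of reg1 - reg2 instead of using jge. The Python model below (an added example, not code from the distortion converter) emulates that arithmetic with 32-bit wraparound, compares it with a real signed jge, and searches a list of operand pairs for a disagreement; the label addresses and operand values are constructed. It shows the rewrite agrees with jge for ordinary operands but not when the subtraction overflows, because jge tests SF xor OF while the rewrite tests SF alone.

```python
MASK = 0xFFFFFFFF

def to_signed(x):
    """Interpret a 32-bit value the way a signed compare (jge) sees it."""
    x &= MASK
    return x - (1 << 32) if x & 0x80000000 else x

def distorted_jge_target(reg1, reg2, l1, l2):
    """Emulate the rewrite's arithmetic with 32-bit wraparound and return the address
    that 'jmp eax' lands on: l1 (then 'jmp L_DST') or l2 (fall through to L_NEXT)."""
    eax = (reg1 - reg2) & MASK       # mov eax, reg1 / sub eax, reg2
    eax >>= 31                       # shr eax, 1fh  : keep only the sign bit (SF)
    eax = (-eax) & MASK              # neg eax       : 0 -> 0, 1 -> 0FFFFFFFFh
    eax &= (l2 - l1) & MASK          # and eax, L2 - L1
    return (eax + l1) & MASK         # add eax, L1 ; jmp eax

def plain_jge_target(reg1, reg2, l1, l2):
    """What the original 'cmp reg1, reg2 / jge L_DST' does: signed greater-or-equal."""
    return l1 if to_signed(reg1) >= to_signed(reg2) else l2

def find_mismatch(pairs, l1=0x401000, l2=0x401010):
    """Return the first (reg1, reg2) pair where the rewrite disagrees with jge, else None.
    The label addresses are constructed; only their difference matters."""
    for a, b in pairs:
        if distorted_jge_target(a, b, l1, l2) != plain_jge_target(a, b, l1, l2):
            return (a, b)
    return None

if __name__ == "__main__":
    # Ordinary operands agree; a pair whose difference overflows does not.
    print(find_mismatch([(5, 3), (3, 5), (7, 7), (0xFFFFFFFE, 1)]))
    print(find_mismatch([(0x7FFFFFFF, 0xFFFFFFFF)]))
```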
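The approach in section 3 works on the COFF OBJ rather than the linked EXE because the OBJ still carries its section table and symbol table, and a tool like the converter must read those before it can rewrite anything. As an added example (not code from the distortion converter), the following Python parses the file header, section headers and symbol table of a constructed minimal i386 COFF object, reporting which sections are COMDAT and which symbols are functions; the stub bytes, symbol names and flags are constructed and the object is not meant to be linked.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x20          # section characteristic bits from the COFF spec
IMAGE_SCN_LNK_COMDAT = 0x1000
IMAGE_SYM_CLASS_EXTERNAL = 2
IMAGE_SYM_DTYPE_FUNCTION = 2

def build_sample_obj():
    """Constructed minimal i386 COFF object: one COMDAT .text section holding a 3-byte
    stub and two function symbols, one with a long (string-table) name. Not linkable."""
    code = b"\x33\xC0\xC3"                  # xor eax,eax / ret (constructed stub)
    nsec, nsym = 1, 2
    code_off = 20 + nsec * 40               # file header + section headers
    sym_off = code_off + len(code)
    long_name = b"?decorated_name@@YAHXZ"
    strtab = struct.pack("<I", 4 + len(long_name) + 1) + long_name + b"\0"
    hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, sym_off, nsym, 0, 0)
    flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_LNK_COMDAT | 0x60500000  # align16|exec|read
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0, 0, len(code), code_off, 0, 0, 0, 0, flags)
    sym1 = struct.pack("<8sIhHBB", b"_main", 0, 1, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0)
    sym2 = struct.pack("<8sIhHBB", b"\0\0\0\0" + struct.pack("<I", 4), 0, 1, 0x20,
                       IMAGE_SYM_CLASS_EXTERNAL, 0)
    return hdr + sec + code + sym1 + sym2 + strtab

def parse_coff(blob):
    """Return machine id, sections (raw bytes, code/COMDAT flags) and symbols of a COFF OBJ."""
    machine, nsec, _, sym_off, nsym, opt_sz, _ = struct.unpack_from("<HHIIIHH", blob, 0)
    sections = []
    for i in range(nsec):
        name, _, _, raw_sz, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, 20 + opt_sz + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "code": bool(flags & IMAGE_SCN_CNT_CODE),
                         "comdat": bool(flags & IMAGE_SCN_LNK_COMDAT),
                         "data": blob[raw_ptr:raw_ptr + raw_sz]})
    strtab_off = sym_off + 18 * nsym         # string table follows the symbol table
    symbols, i = [], 0
    while i < nsym:
        raw, value, secnum, typ, cls, naux = struct.unpack_from("<8sIhHBB", blob, sym_off + 18 * i)
        if raw[:4] == b"\0\0\0\0":           # long name: bytes 4..7 are a string-table offset
            start = strtab_off + struct.unpack_from("<I", raw, 4)[0]
            name = blob[start:blob.index(b"\0", start)].decode()
        else:
            name = raw.rstrip(b"\0").decode()
        symbols.append({"name": name, "value": value, "section": secnum,
                        "function": (typ >> 4) == IMAGE_SYM_DTYPE_FUNCTION,
                        "external": cls == IMAGE_SYM_CLASS_EXTERNAL})
        i += 1 + naux                        # skip auxiliary symbol records
    return {"machine": machine, "sections": sections, "symbols": symbols}
```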
I will keep adding encryption methods so that every attacker gives up. The current distortion converter only supports the COFF-format OBJ used by VC6. Next I will analyze the OBJ format of VS2005 and support it as soon as possible.

I often enjoy disassembling and analyzing things, and I have many friends who work on disassembly or cracking. I do not want to publish the distortion converter on the Internet and have it widely used, because one day I may want to analyze something and find that I cannot. Therefore this software is not yet available for download or for sale. If you want to test a small program, you can send me the OBJ and I will encrypt it for you. If you have a commercial project that needs secure encryption, we can also talk about it.

Attached is a crackme written for CCG, encrypted with the distortion converter, together with part of the source code for your reference: http://liutaotao.com/CrackMe.zip

LiuTaoTao, 2006.7.7