Contents
- 1. Programming methods and techniques against debugger-based cracking
- 2. Programming methods against "sniff-and-emulate" attacks on software protection locks
This article introduces some programming techniques for software encryption locks (dongles): how developers can write secure and reliable protection code, how to deal with the common attacks on dongles, and which mistakes to avoid when writing the protection code. The full text follows.
I. Basic principles of dongle encryption
The developer's program calls the dongle's interface module, which operates the hardware dongle. The dongle responds to the operation and returns data to the application through the interface module. The application evaluates the return value and acts on it: an invalid response means the correct dongle is not present, and the developer can either terminate the application or let it continue running incorrectly. The following is a brief example:
II. Common cracking methods
1. Static analysis after disassembly: W32Dasm, IDA Pro
2. Dynamic analysis by tracing under a debugger: SoftICE, TRW2000
3. Decompilers for specific languages: VB, Delphi, Java, etc.
4. Other monitoring tools: FileMon, RegMon
III. How to increase the protection strength
Next, taking the Sentinel SuperPro lock as an example, we describe in detail how to increase the protection strength while programming.
1. Programming methods and techniques against debugger-based cracking
Do not evaluate the result immediately after querying the dongle, and do not prompt the user immediately after deciding that the dongle is wrong or absent. Insert verification code at many points throughout the program to raise its complexity and stop the cracker from tracing and locating all of the checks at once. The more widely the checks are scattered, the harder the program is to crack and the safer the software is.
Important strings must not appear in plain text in the program; generate them dynamically with an algorithm.
As long as program efficiency allows, write as many dongle check functions as possible, and make them differ from one another: use different algorithms, set several distinct error flags rather than a single one, make those flags take part in the program's normal computation, and call different check functions from different modules.
A single query check consists of three steps: obtaining the response string for the query, comparing the response string with the expected response recorded at development time, and acting on the result. Separate these steps in time and space: keep them far apart, ideally in different subroutines or functions. For example, after "query to obtain the response string" runs, perform "compare the response string with the expected string" 50 lines later, and if the program calls a function at that point, perform "act on the result" inside that function. Even if the cracker finds one piece of this code while tracing, it is hard to find the other two and to see how all three are related, which makes the program hard to crack.
Use the response string returned by the lock as a parameter in the program. For example, if an algorithm unit returns the response string "87611123" and the program needs the parameter "123", do not store 123 in the program: after obtaining the response string, subtract "87611000" from it to obtain the parameter. If the cracker patches the code to skip the query and verification of the lock, the parameter takes a wrong value and the program misbehaves.
When the program verifies the algorithm and the data is wrong, the usual choice is to exit. That pattern is easy for the cracker to recognize, and the query and validation section can then be skipped. When designing the validation, if the data is wrong do not exit; let the program carry on performing some useless or subtly wrong operations instead. This hides the check and confuses the cracker.
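The following added example (not code from the original article or from the Sentinel SuperPro SDK) contrasts the basic query/compare/act flow of section I with the hardened layout described above: the three steps live in three functions, the compare result is a number that feeds later arithmetic instead of a branch that exits, and the response string itself supplies the parameter 123 by subtraction. The lock is simulated with an HMAC-based algorithm unit, which is an assumption for the demo; the names `SimulatedDongle`, `MissingDongle`, `license_code`, `QUERY` and the sample data are constructed.

```python
import hashlib
import hmac

# Constructed secret for the simulated lock; a real SuperPro keeps its algorithm
# key inside the hardware, which is the point of the device.
_DEVICE_SECRET = b"constructed-demo-secret"


class SimulatedDongle:
    """Stand-in for the hardware lock as seen through its interface module.
    Responses are HMAC-SHA256 truncated to 8 decimal digits; this is an
    assumption for the demo, not the SuperPro algorithm."""

    def __init__(self, secret: bytes = _DEVICE_SECRET):
        self._secret = secret

    def query(self, query_word: bytes) -> str:
        digest = hmac.new(self._secret, query_word, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class MissingDongle:
    """What the interface module yields with no (or the wrong) lock attached.
    It also models a cracker patching the query out: the program never sees a
    valid response."""

    def query(self, query_word: bytes) -> str:
        return "00000000"


QUERY = b"report-module-q1"
# Recorded at development time against the genuine lock (here: the simulated one).
EXPECTED = SimulatedDongle().query(QUERY)
# The program needs the constant 123 (the article's example). Rather than storing
# 123, store EXPECTED - 123 and recover 123 from the live response at run time.
PARAM_BASE = int(EXPECTED) - 123


def license_code(values, param, flag):
    """Gated business function (constructed). Correct output needs param == 123
    and flag == 1; anything else silently yields a different code."""
    acc = 0
    for i, v in enumerate(values):
        acc = (acc * 31 + (v + param) * (i + 1)) % 1_000_003
    return f"LC-{(acc + (1 - flag) * 7919) % 1_000_003:07d}"


def naive_run(dongle, values):
    """The pattern the article warns against: query, compare and act together."""
    response = dongle.query(QUERY)            # 1. query
    if response != EXPECTED:                  # 2. compare, right next to it
        raise SystemExit("Dongle not found")  # 3. act: one patched jump defeats it
    return license_code(values, 123, 1)


def stage_fetch(dongle, ctx):
    """Step 1, early in start-up: only fetch the response, decide nothing."""
    ctx["resp"] = dongle.query(QUERY)


def stage_compare(ctx):
    """Step 2, in another function: record the outcome as a number that feeds
    later arithmetic rather than as a branch that exits."""
    ctx["flag"] = int(ctx["resp"] == EXPECTED)


def stage_use(ctx, values):
    """Step 3, in the business module: the response supplies a parameter, so
    skipping the query leaves the program running on garbage instead of exiting."""
    param = int(ctx["resp"]) - PARAM_BASE     # 123 only if the genuine lock answered
    return license_code(values, param, ctx["flag"])


def hardened_run(dongle, values):
    ctx = {}
    stage_fetch(dongle, ctx)
    # ... unrelated start-up work would sit here, keeping the steps apart ...
    stage_compare(ctx)
    return stage_use(ctx, values)


if __name__ == "__main__":
    data = [3, 14, 15, 92, 65]
    print("genuine lock:", hardened_run(SimulatedDongle(), data))
    print("missing lock:", hardened_run(MissingDongle(), data), "(runs, but wrong)")
```

With the genuine lock both versions produce the same code. With the lock missing, `naive_run` stops at an obvious exit that a one-byte patch removes, while `hardened_run` completes normally and emits a wrong code, which is the behaviour the article recommends.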
The developer's software may consist of several modules. Do not give the dongle modules or interfaces obvious names, which make it easier for the cracker to locate the protection points; you can also use misleading names, especially for DLLs, and you can even avoid calling a function by its name at all (for example, by resolving it by ordinal or address).
Add some randomness to the dongle query routine. For example, randomly decide which API function to execute, or set aside a small area of the dongle's storage for random reads and writes whose address, content and length are all random. This is effective against emulation tools.
Keep the trial version and the full version separate. Functions that the trial version does not offer should have their code removed rather than merely disabled, so the trial version cannot be used to crack the full version.
In most cases cracking is done by modifying the EXE or DLL file, so the program needs to check the integrity of its EXE and DLL files: compute a checksum over the whole file with some algorithm and check it in the program; if the file has been changed, the checksum changes. Many such algorithms are available on the Internet. In addition, the EXE and the DLL should authenticate each other, which on the one hand prevents the DLL from being replaced and on the other hand prevents an illegitimate EXE from using the DLL.
Summary: mistakes to avoid as far as possible
1) Querying the dongle, judging the result and prompting the user all in one place
2) Important strings appearing in plain text in the program
3) Storing a string in the dongle and simply reading it back and comparing it in the program
4) Checking the dongle by always calling the same function or testing the same global flag
5) The trial version being identical to the full version
6) Dongle module or interface names that are too obvious
7) No randomness in the program, so the execution path is the same every time
8) Not checking the integrity of the EXE or DLL, and no mutual authentication between the EXE and the DLL
2. Programming methods against "sniff-and-emulate" attacks on software protection locks
1) Random query method: the developer uses the SuperPro development tools to generate a large number of query/response pairs, say 1000, and builds this verification data into the program. At run time the program picks one of the 1000 pairs at random to verify the SuperPro algorithm. Because there is so much verification data, the pair used may differ on every check; even if the sniffing tool records some pairs, it cannot record them all, and on a later run the program may use pairs the tool never saw, which the emulator cannot answer. The emulator therefore fails to stand in for the SuperPro lock.
2) Latency method: the developer generates a very large amount of verification data in advance, say 200,000 query/response pairs, and designs the program to query and verify the lock periodically, for example every 10 minutes, never reusing a pair. At one query every 10 minutes (about 52,560 queries a year), 200,000 pairs last roughly four years, so even a sniffer logging 24 hours a day needs about four years to capture everything. By then the software is past its peak sales period, and the recorded data has lost its value to the cracker.
3) Grouping and time-sharing method: the developer splits the query/response pairs into groups, for example 1200 pairs into 12 groups of 100. The program uses the first group in January, the second in February, and so on. Even if the sniffer records all of January's verification data, the data for February onward has not been recorded, so the cracked copy stops working as the months change and sniffing and emulation become pointless.
4) Random noise method: the program generates random query data and mixes it with the real queries. Even if the sniffer records the traffic, the randomness obscures which queries matter, and the emulator cannot predict the random queries that another run of the program will generate, so the protection cannot be emulated.
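An added simulation of methods 1) to 3) above (not from the original article or the SuperPro tools): a developer-side table of query/response pairs, a sniffer that logs the traffic of a genuine lock, an emulator that replays only what was logged, the month-based grouping of the table, and the arithmetic behind the four-year figure of the latency method. The genuine lock is modelled with an HMAC-based algorithm, which is an assumption for the demo; `real_lock`, `build_table`, `Sniffer`, `Emulator` and the run counts are constructed.

```python
import hashlib
import hmac
import random

# Constructed secret standing in for the algorithm key inside the genuine lock.
_LOCK_SECRET = b"constructed-lock-secret"


def real_lock(query: bytes) -> str:
    """Genuine lock: answers any query from its keyed algorithm (HMAC-SHA256
    truncated to 8 hex digits is an assumption for the demo)."""
    return hmac.new(_LOCK_SECRET, query, hashlib.sha256).hexdigest()[:8]


def build_table(n: int) -> list:
    """Development-time step: generate n query/response pairs with the genuine lock."""
    queries = [f"q{i:06d}".encode() for i in range(n)]
    return [(q, real_lock(q)) for q in queries]


class Sniffer:
    """Monitoring tool on the cracker's machine: records traffic to the genuine lock."""

    def __init__(self, lock):
        self.lock = lock
        self.seen = {}

    def __call__(self, query: bytes) -> str:
        response = self.lock(query)
        self.seen[query] = response
        return response


class Emulator:
    """Replays recorded pairs; anything it never saw gets an invalid answer."""

    def __init__(self, seen: dict):
        self.seen = dict(seen)

    def __call__(self, query: bytes) -> str:
        return self.seen.get(query, "00000000")


def random_query_check(lock, table, rng: random.Random) -> bool:
    """Random query method: each check draws one pair at random from the table."""
    query, expected = rng.choice(table)
    return lock(query) == expected


def group_for_month(table, month: int, groups: int = 12) -> list:
    """Grouping / time-sharing method: month m (1..12) uses only the m-th slice."""
    size = len(table) // groups
    return table[(month - 1) * size: month * size]


def years_to_exhaust(pairs: int, interval_minutes: int) -> float:
    """Latency method: time until every pair has been used once, never reusing any."""
    queries_per_year = (60 / interval_minutes) * 24 * 365
    return pairs / queries_per_year


def simulate(table_size=1000, sniffed_runs=30, cracked_runs=200, seed=7) -> dict:
    """The cracker sniffs `sniffed_runs` runs of the genuine program, builds an
    emulator from the log, then runs the cracked copy `cracked_runs` times."""
    rng = random.Random(seed)
    table = build_table(table_size)
    sniffer = Sniffer(real_lock)
    for _ in range(sniffed_runs):
        random_query_check(sniffer, table, rng)
    emulator = Emulator(sniffer.seen)
    passes_emulated = sum(random_query_check(emulator, table, rng) for _ in range(cracked_runs))
    passes_real = sum(random_query_check(real_lock, table, rng) for _ in range(cracked_runs))
    return {"recorded": len(sniffer.seen),
            "passes_emulated": passes_emulated,
            "passes_real": passes_real}


if __name__ == "__main__":
    print(simulate())
    print("years to exhaust 200000 pairs at one query per 10 minutes:",
          round(years_to_exhaust(200_000, 10), 1))
```

The emulator can only answer the handful of queries it logged, so the cracked copy fails most checks while the genuine lock passes all of them; with one query every 10 minutes the 200,000-pair table of the latency method is exhausted in about 3.8 years, which is the article's "four years". The random noise method 4) is not modelled here, since in this model a sniffer simply logs the extra queries alongside the real ones.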
Note: this article is based on the manuals and related technical documents of the Rainbow Technologies Sentinel SuperPro lock.