Encryption in another way: Liu Taotao, a well-known programmer, on distorted encryption transformation

Source: Internet
Author: User

What is distorted encryption transformation? It is a piece of software I developed. The formal term would probably be obfuscation (rendered as "mixed encryption" in some translations); I named my tool "distorted encryption transformation technology". I spent more than a year developing it on and off, but I did no promotion, and the software has not been made public until now.

The encryption transformation currently supports VC6, VS2005, VS2008 and other toolchains. Below I describe some of the thinking behind the development process and some of my solutions.

I. The current state of encryption software

Currently, common encryption (protection) software falls into two classes:

Packer ("shell") class, such as ASProtect;
Virtual machine class, such as VMProtect.
For the packer class, the shell is always just a shell: there is always a clear line between it and the content it protects. However hard packers try to strengthen the coupling between shell and core, the shell can always be removed. Early on I developed a tracing tool to deal with this kind of packer. In general the packer lives in a new section: the original PE program has its data and code sections, and it is hard for the shell to share a section with the original program, so it usually sits in a new section, and that is the dividing line. When debugging a packed program, you stop at the jump from one section into another; at that point you have found the original entry point. This is the weakness of packers: it is hard for them to blend seamlessly into the original program.

Having found the entry point, run DumpPE to save the current memory image to a file. I then added a MakePE command that rebuilds the image into a valid PE, and the program is unpacked. That was the Win98 era, when shells were relatively simple; my TRW2000 was very convenient, and unpacking took three commands.

Later, packer authors found that this was not enough, so they also provide hard-to-trace, hard-to-debug API functions and recommend that developers call them from the protected program, so that the shell is re-entered at run time. Such a program cannot be unpacked simply by the method above. However, the functions that can be called are usually relatively simple.

When we want to crack a piece of software, the first step is usually to unpack it. Unpacking is the first step of cracking and a basic skill of every cracker. Crackers say: who can't unpack? If you can't remove the shell, you can't crack it. So unpacking is the basic skill: first remove the shell, then analyze.

But if we want to reverse a program rather than crack it, that is, turn the whole program back into source files that I can understand, this is actually simple: I don't need to remove the shell at all. I just run the program and save the memory image for analysis. Most of the API functions the packer provides for you to call from your program are unimportant. Generally, packers offer no protection against reverse engineering.

With virtual-machine protection, you select one or more functions to be encrypted. It can only protect a few key functions; it cannot protect the whole program from reverse engineering. A few lines of code typically become several hundred or more after the virtual machine expands them, so VM protection usually only lets you encrypt a few functions, or part of a function, and you are advised to place markers in the source at development time to indicate that a section is to be virtualized. As a result, only a small amount of code can be encrypted and the vast majority of the program is exposed, which is obviously insecure.

Look, too, at VMProtect's own statement: it clearly says it is designed to protect your registration mechanism and cannot protect your software's design ideas.

In short, existing encryption software can only defend against cracking, not against reverse engineering.

II. The terror of reverse engineering

Based on experience, with hard work one person can reverse about 1000 lines of C++ code per day. I have many years of experience in software reverse engineering and do this kind of work often; recently I also ran a reverse-engineering training course to teach students. Just last month I finished reversing a project of about 60 thousand lines of C++ code. Based on that experience: with hard work, you can reverse 1000 lines of C++ a day! That means if the software you developed over several years is unprotected, the whole code can be reversed at 1000 lines per person per day. This is terrifying, and especially so for drivers. Drivers are the most technical and the hardest to develop; the people who can write them are highly paid top experts. Drivers are the most serious problem in software protection. The drivers in our systems are very small: we may have spent a long time and a lot of energy developing a driver that contains all the core technology of our product, and yet it may be only a few dozen KB. An experienced reverse engineer can recover all of its source code in a few days.

I can also tell you that the software I have been working on recently is WinMount. The idea is to combine the functions of WinRAR and Daemon Tools: I can open an archive or a virtual disc image, merging two must-have programs into one. I added my own idea: you have an archive; I virtualize it into a disk that does not really exist and mount it as a virtual drive. So the main product I am working on is built on this idea of instant decompression.

What do I want to tell you? Even a good programmer needs an idea. Can a program be written out of thin air? Very hard. Generally we refer to other software and their ideas. At the time I had the idea of doing WinMount, and I built it with reference to a similar product. Of course the functions of the two programs are completely different, but that product had a sub-function that could virtualize an archive into a disk. I thought it was good and wanted to build that function into the project I was thinking of, so I reversed that software and took out what I needed.

So being cracked is not the terrible thing; being reversed is. If your software is reversed, multiple products with the same features will appear, and your technology will no longer be yours.

III. How should an encryption product be approached?

How can we develop an encryption product?

We have just dismissed the traditional encryption software: packing is no good and virtual machines are no good. The first question to consider: what should the input to our encryption be? If I take the C++ source code as input, how do I make it hard to understand? That is a hard job, because source code is messy and the compiler will optimize it, so that route does not work. So most products take the final executable, the EXE, as input; both packers and virtual machines work this way. I have my own names for these methods. Packing is the "baozi" (steamed bun): the EXE is already there, and to protect it you just wrap a layer around it. Virtual machines are the "hole": a house has been built, you feel it is not secure, so you knock out two bricks and replace them with stone; is that safe? So we think their approach is inappropriate, and in actual analysis it causes problems. For example, a function occupies 2 KB; VM protection generally fills that 2 KB with some random code. The function before it cannot move and the function after it cannot move; that is the hole. A good analyst can identify it. Before I even analyze the function, I know how big it is, and you have already lost the encryption war.

Having considered the two possibilities above and found them wanting, I came up with a method that takes the compiler's intermediate file, the OBJ, as the encryption input. I had not seen it done before. So far I have only used this method for one product, and I think it is a good method. What are the advantages? My encrypted code is seamlessly connected with the project. Another is that parsing the OBJ format is much simpler than parsing C++ source. The OBJ file carries symbols: the OBJ tells me there is a symbol here. So I think disassembling an OBJ is safer than disassembling an EXE.

The specific method is to parse the OBJ file, keep the data sections unchanged, disassemble the code sections, convert them into hard-to-understand code, output an ASM file, call the assembler to generate a new OBJ, and link that into the final target.
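To make the OBJ-as-input idea concrete, here is an added example (not the author's tool): a minimal reader and writer for the COFF object format that VC6/VS2005/VS2008 emit, which separates the code sections from the data sections, applies a transformation to the code only, and rebuilds the object. The sample object and the byte-level xor eax,eax rewrite are constructed for illustration; a real implementation works on a disassembly and must re-offset relocations and symbol entries, which the sample omits.

```python
"""Minimal i386 COFF (.obj) reader/writer: separates code sections, which the
transformation rewrites, from data sections, which are kept byte-for-byte.
Added illustration, not the author's tool; the sample object is constructed
here and carries no symbol table or relocations."""
import struct

COFF_HDR = "<HHIIIHH"        # Machine, NumSections, TimeStamp, PtrSymTab, NumSyms, OptHdrSize, Flags
SECT_HDR = "<8sIIIIIIHHI"    # Name, VSize, VAddr, RawSize, RawPtr, RelocPtr, LinePtr, NReloc, NLine, Flags
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def build_obj(sections):
    """Pack (name, flags, raw) triples into a COFF object; raw data follows the headers."""
    offset = struct.calcsize(COFF_HDR) + len(sections) * struct.calcsize(SECT_HDR)
    headers, blobs = b"", b""
    for name, flags, raw in sections:
        headers += struct.pack(SECT_HDR, name.encode(), 0, 0, len(raw), offset, 0, 0, 0, 0, flags)
        blobs += raw
        offset += len(raw)
    return struct.pack(COFF_HDR, IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, 0, 0) + headers + blobs

def read_sections(obj):
    """Parse the file header and section table; return [(name, flags, raw)] in file order."""
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, obj, 0)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError("not an i386 COFF object (machine=%#x)" % machine)
    pos, out = struct.calcsize(COFF_HDR) + opt_size, []
    for _ in range(nsect):
        f = struct.unpack_from(SECT_HDR, obj, pos)
        raw = obj[f[4]:f[4] + f[3]] if f[4] else b""     # RawPtr == 0: .bss-style, no bytes in file
        out.append((f[0].rstrip(b"\0").decode(), f[9], raw))
        pos += struct.calcsize(SECT_HDR)
    return out

def split_sections(obj):
    """({code sections}, {data sections}) keyed by name: the code is what gets transformed."""
    secs = read_sections(obj)
    return ({n: r for n, f, r in secs if f & IMAGE_SCN_CNT_CODE},
            {n: r for n, f, r in secs if not f & IMAGE_SCN_CNT_CODE})

def transform_obj(obj, transform):
    """Apply transform(bytes) -> bytes to every code section and rebuild the object.
    (The real tool emits ASM and re-assembles; here raw bytes are re-packed, so
    relocations and symbols, absent in this sample, would have to be re-offset.)"""
    return build_obj([(n, f, transform(r) if f & IMAGE_SCN_CNT_CODE else r)
                      for n, f, r in read_sections(obj)])

def substitute_xor_eax(code):
    """Illustrative rewrite on raw bytes: 'xor eax, eax' (33 C0) becomes
    'mov eax, 0FFFFFFFFh ; not eax' (B8 FF FF FF FF F7 D0).  Two caveats the
    text raises: the pair does NOT preserve the flags xor would set, and a
    byte-level replace can hit the middle of another instruction, which is
    why the real tool works on a disassembly rather than on bytes."""
    return code.replace(b"\x33\xc0", b"\xb8\xff\xff\xff\xff\xf7\xd0")

# Constructed sample: push ebp / mov ebp,esp / xor eax,eax / pop ebp / ret, plus two data sections.
SAMPLE_OBJ = build_obj([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     b"\x55\x8b\xec\x33\xc0\x5d\xc3"),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"\x2a\x00\x00\x00"),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"hello\x00"),
])

if __name__ == "__main__":
    code, data = split_sections(transform_obj(SAMPLE_OBJ, substitute_xor_eax))
    print({n: r.hex() for n, r in code.items()}, data)
```

The section flag IMAGE_SCN_CNT_CODE is the dividing line the text describes: everything carrying it is disassembled and rewritten, everything else is copied through untouched, which is what keeps the transformed object linkable with the rest of the project.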

If you want the code to be secure, do not leave data in it that easily discloses your information: mask the data, or compute it in code.

Because distorted encryption transformation uses OBJ as its input, and a library file (LIB) is actually a collection of OBJ files, we can encrypt the OBJs in a LIB one by one and put them back with the LIB tool; building our projects with such libraries is safer.

To analyze a program you always first have to identify some library functions: find printf, CString::Format, fopen and other key functions. Once these basic functions are found, understanding the software is not hard. Conversely, if these basic functions cannot be found or understood, the analysis cannot even start.

IV. Problems encountered

The OBJ generated by C++ compilation cannot always be regenerated from ASM; examples are common sections and weak symbols. Currently I handle this by renaming the symbol: change the symbol to symbol-name-weak, assemble to OBJ, and then patch the original name back. Rename the symbol, then replace it after assembly. This is one solution.

V. Thinking about the transformation

Virtual-machine transformation is very powerful and complicated, which is also its disadvantage. Its transformation is not mysterious and not terrible; you can think up a virtual machine yourself. Think boldly: if I have an 8-bit CPU, then when you encounter a 32-bit instruction, implementing it on the 8-bit CPU means compiling a long string of instructions to carry out that one 32-bit instruction.

It has a high expansion rate, but the rate is not adjustable. In my design I use a variety of low-rate transformations applied iteratively, so the rate can be adjusted freely and the strength is not at all worse. Most importantly, I can encrypt all files at a low rate and the key parts at a high rate.

In fact it is not necessary to make code hard this way. Isn't this just code distortion? Isn't it just code confusion? Must it be a virtual machine? I mean we do not have to use virtual machines. I think VM transformation is just a well-designed set of transformations, a set of transformations and rules; although the rules are very complicated, they are after all one fixed set of rules, and as long as I have the energy to learn them I can understand them. I think it is better to encrypt and transform code with many simple transformations than with one complex set of rules.

My idea is to use lightweight transformations and then concentrate the variation in a few parameters.

So if someone gives me a piece of packed software, I'd say fine, there is a way. If someone gives me VM-protected software, I'd also say fine, because most functions are in plain code and only a few are encrypted. Once I have understood more than 90% of the functions, although the rest are VM-encrypted, I know where their entry points are and what their parameters are; I can even treat them as black boxes and see what they return. Then I understand it.

But if someone gives me software encrypted with the method I described, where every function is encrypted and even the simplest function takes a great deal of effort to understand, I'd say it can't be done. This is my idea.

In actual analysis, what does the process look like when you watch an expert analyze software? He understands it step by step. First he finds some of the simplest functions and understands them: this function opens a file, that one does such-and-such. You must start from these simplest functions; in this process the analyst gradually gains confidence, his thinking becomes clearer, and finally the software is settled. But if he keeps running into walls, as my idea intends, he struggles. As I said above, if he analyzes a function for a whole day and finds that it only adds two numbers, he gets angry and quits.

We need to encrypt functions, and my approach is to encrypt and transform the function. First I analyze the function's stack, that is, how the local variables are laid out, and replace the code with obscure assembly so that the instructions cannot be recognized. Next comes flag analysis, meaning the flags register. If every step of the transformation dares not destroy the flags, it is too constrained and the transformations cannot be rich and varied. Code compiled from high-level languages such as C++ is mostly independent of the flags register between one instruction and the next.

In fact the encryption transformation here is just a process from simple to complex. Anyone can write their own transformations; it just happens that these are the ones I wrote. No single transformation here is terrible; what is terrible is that I can iterate them. My naming is very simple: transformation 1, transformation 2, transformation 3. Given a piece of software to encrypt, apply a 1-2-1 sequence: transformation 1, then transformation 2, then transformation 1 again. After that the code is terrible.

As you can imagine, once the engine is developed it is easy to add new transformations. We could get a few programmers into a meeting and in ten minutes each could think up two transformations; no problem. The traditional method is one fixed scheme, whereas simple methods are endless, and their combination becomes complicated enough to defeat reversing. So this kind of change gives full play to our imagination. For example, you can arrange that your EAX always holds the bitwise inverse of the real EAX.

After the several steps above the code is hard to understand, but it is still sequential. Another transformation uses JMP instructions to scramble it. At that point I cannot tell where a function begins or ends. If you cannot find the call, you cannot find the ret; the result is that the analyst cannot find a function at all.

Some ask: why not put a jump after every single instruction? I think the code expansion from a jump per instruction is too large; 2 KB of code would turn into 2 MB. I want the technical content to be in the first one or two transformations; there is no technical content in jumps. Jumping every three or five instructions is enough for me.

The last step is interleaving. The JMP scrambling above only scrambles within a function. If several functions are interleaved together, no single function can be separated out of the memory region.
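The pieces described in this section (several simple transformations applied in rounds, flag analysis to decide when a transformation may clobber the flags register, and JMP scrambling every few instructions) fit together as in the following added example. It is an illustration written for this page, not the author's engine; it works on an invented text subset of x86 and includes an interpreter that checks the transformed program still returns the same value. Interleaving several functions (the last step above) is the same block shuffle applied to the blocks of more than one function at once, which the example does not do.

```python
"""Toy version of the scheme described above: simple, flag-aware rewrites applied in
rounds, then JMP scrambling, with a tiny interpreter to check that the result still
computes the same thing.  Added illustration, not the author's engine; the dialect is
an invented 32-bit x86 subset that models only the ZF flag."""
import random

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx")
FLAG_WRITERS = {"add", "sub", "xor", "cmp", "neg"}   # overwrite the flags
FLAG_READERS = {"jz", "jnz"}                         # consume ZF

def parse(line):
    """'add ecx, ebx' -> ('add', ['ecx', 'ebx']);  'loop:' -> ('label', ['loop'])."""
    if line.endswith(":"):
        return "label", [line[:-1]]
    op, _, rest = line.partition(" ")
    return op, [a.strip() for a in rest.split(",")] if rest else []

def flags_dead_after(prog, i):
    """True if the flags written at index i are overwritten before any reader.
    Conservative: reaching a jmp/ret (or the end) first counts as 'live'."""
    for op, _ in prog[i + 1:]:
        if op in FLAG_WRITERS:
            return True
        if op in FLAG_READERS or op in ("jmp", "ret"):
            return False
    return False

def t_mask_imm(op, args, dead, rng):
    """mov r, imm -> mov r, ~imm ; not r   (not leaves the flags alone: always allowed)."""
    if op == "mov" and args[1].isdigit():
        return [("mov", [args[0], str(~int(args[1]) & MASK)]), ("not", [args[0]])]

def t_split_imm(op, args, dead, rng):
    """add/sub r, imm -> the same op twice with a random split of imm.  The final
    CF/OF differ from the original's, so it is only applied when the flags are dead."""
    if op in ("add", "sub") and args[1].isdigit() and dead and int(args[1]) > 1:
        k = rng.randrange(1, int(args[1]))
        return [(op, [args[0], str(k)]), (op, [args[0], str(int(args[1]) - k)])]

def apply_round(prog, passes, rng):
    """One pass over the program; the first transformation that applies wins."""
    out = []
    for i, (op, args) in enumerate(prog):
        dead = flags_dead_after(prog, i)
        new = next((r for t in passes for r in [t(op, args, dead, rng)] if r), None)
        out.extend(new or [(op, args)])
    return out

def scramble(prog, chunk, rng):
    """Cut after every `chunk` instructions, chain the pieces with jmps and shuffle
    every piece except the entry one (the 'jump every three or five' idea)."""
    blocks, cur = [], []
    for ins in prog:
        cur.append(ins)
        if sum(o != "label" for o, _ in cur) == chunk:
            blocks, cur = blocks + [cur], []
    blocks += [cur] if cur else []
    for n, blk in enumerate(blocks):
        blk.insert(0, ("label", ["blk%d" % n]))
        if n + 1 < len(blocks) and blk[-1][0] not in ("jmp", "ret"):
            blk.append(("jmp", ["blk%d" % (n + 1)]))
    rest = blocks[1:]
    rng.shuffle(rest)
    return [ins for blk in blocks[:1] + rest for ins in blk]

def run(prog):
    """Interpret the toy dialect; returns eax at ret."""
    regs, zf, pc = {r: 0 for r in REGS}, False, 0
    labels = {a[0]: i for i, (o, a) in enumerate(prog) if o == "label"}
    val = lambda a: regs[a] if a in REGS else int(a) & MASK
    for _ in range(100000):                           # guard against a broken jmp web
        op, args = prog[pc]
        pc += 1
        if op == "ret":
            return regs["eax"]
        if op == "jmp" or (op in FLAG_READERS and (op == "jz") == zf):
            pc = labels[args[0]]                      # jz taken iff ZF, jnz iff not ZF
        elif op == "mov":
            regs[args[0]] = val(args[1])
        elif op == "not":
            regs[args[0]] = ~regs[args[0]] & MASK     # flags untouched
        elif op in FLAG_WRITERS:
            a, b = regs[args[0]], (val(args[1]) if len(args) > 1 else 0)
            r = {"add": a + b, "sub": a - b, "cmp": a - b, "xor": a ^ b, "neg": -a}[op] & MASK
            zf = r == 0
            if op != "cmp":
                regs[args[0]] = r
    raise RuntimeError("step limit exceeded")

# Constructed input: ecx = 100 + (5+4+3+2+1), so eax = 115 at ret.
SOURCE = ["mov ecx, 0", "mov ebx, 5", "add ecx, 100", "loop:", "add ecx, ebx",
          "sub ebx, 1", "jnz loop", "mov eax, ecx", "ret"]

def obfuscate(src, rounds=2, chunk=3, seed=1):
    rng = random.Random(seed)
    prog = [parse(l) for l in src]
    for _ in range(rounds):                           # iteration is what adds depth
        prog = apply_round(prog, [t_mask_imm, t_split_imm], rng)
    return scramble(prog, chunk, rng)

if __name__ == "__main__":
    print("\n".join((op + " " + ", ".join(args)).strip() for op, args in obfuscate(SOURCE)))
    print(run([parse(l) for l in SOURCE]), run(obfuscate(SOURCE)))
```

Running it prints a shuffled, jmp-chained listing, and both run() calls return 115. The design point is flags_dead_after: t_split_imm is allowed on `add ecx, 100` because the next flag writer, `add ecx, ebx`, overwrites the flags, but it is refused on `sub ebx, 1`, whose ZF feeds the `jnz`; that is the flag analysis the text says a transformation must do before it is free to destroy the flags. A second round re-transforms the output of the first, so the immediates keep splitting and the listing keeps growing without any of it being junk.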

Through combination and iteration of the transformations above, we can freely control the encryption depth. A 200 KB program can be encrypted to 2 MB or even more, and there is no junk code: every byte of those megabytes is useful. If you want to understand it you must analyze it, and that volume of code makes analysis impossible.

After I developed distorted encryption transformation I did not publicize or advertise it; I only told a few friends, and many people contacted me wanting to buy it. I don't want to sell it. First, I think an encryption product that users can buy and download is actually not safe. For example, the most famous encryption products have a price. When you analyze software protected with a virtual machine, you first buy a copy of the protector and see how its encryption works: give it a simple function, see how it is changed, trace it, add two more lines and see how that is implemented. That is, the attacker can use this method to probe the encryption behavior of your VM protector, and at that point your encryption is actually not secure. If the software is not sold, you cannot get it, and then I think my encryption is safe: you cannot take a small function, transform it, and try again. So this is one point: encryption software that can be bought is insecure. A similar case is dongles ("dogs" in our jargon): a product is protected with a dongle, the attacker buys exactly the same dongle, reads its user manual and the call functions it provides, learns how it is driven, and it is not hard for him to defeat your dongle. So I think encryption software should not be sold.

Second, I think it is better than their encryption software. Why? Because we have just dismissed all of their encryption: packing and virtual machines are not viable. But with this set of encryption, the cracker cannot analyze it. And it is very easy to use: you just build a project with VC, then transform the code, expand it, and link it; after that it cannot be analyzed. One worry of mine: if I spread this software, every program on the market will expand along with it, and what will all those reverse-engineering experts live on?

VI. Does it affect efficiency?

The vast majority of the code in a program is actually run only once, or very rarely. Encrypting the whole program two or three times does not affect efficiency; for today's fast CPUs the loss is nothing. A few hot functions can be left unencrypted or encrypted lightly. When you have several megabytes of software with only two or three functions unencrypted, and the cracker cannot find those two functions, efficiency is not a problem.

VII. Is distorted encryption transformation safe?

There is no absolute security. It can only be said that this scheme makes it easier to protect the whole program, makes reversing and cracking harder, and software that has been distorted and encrypted is more daunting and tiring for the cracker and the reverse engineer.

 
 

From the Red-Black Hacker Union (www.7747.net). Original: http://www.7747.net/Article/200901/31444.html
