Go: Encrypt applications with Vmprotect and Asprotect SDK

Recently want to use Vmprotect and Asprotect SDK encryption a program, the results of a half-day did not make, the internet did not see how to use the Vmprotect in the VC SDK encryption, and then pondering a bit, finally succeeded, a little bit of experience, and share with you, Lest anyone else be as crooked as I am.
In fact, Vmprotect and Asprotect SDK programming are similar, are programmed to insert a tag in the statement (Marker), and then in the shell, the Packers will recognize the markings, and in the marked place to protect. I think this is the most basic of the so-called Shell Program SDK programming bar.
1. Vmprotect
The new version of the Vmprotect did not see good, so here with the Vmprotect v1.2.  (Please say something new and useful). Compilation Environment Vs.net 2003. The main reference is the article. Vmprotect sdk+asprotect SDK Hybrid Programming [code Demo] Author: Anskya Link: http://bbs.pediy.com/showthread.php?threadid=20317

1.1 Protecting intrinsic functions
Delphi needs to set the map file, that Vs.net 2003 also need to set up, in order to produce a map file, so that Vmprotect can recognize the internal function, if there is no map file, Vmprotect can only recognize the export function, then you will add the address of the function.
Vs.net 2003, open the project--Project1 property (assuming the project name is Project1), debug-build Map file, linker---"Yes (/MAP)" so that the program generates PROJECT1.M at the same time.  AP files.  The Project1.exe and Project1.map are copied to the Vmprotect folder, and when you encrypt with vmprotect, you can list many intrinsic functions when adding new functions, just select the intrinsic function that you want to encrypt. If there is no map, there is only one input basket with the input function address and no internal function list.
Here can save some friends in order to encrypt a function, but also with the OLLYDBG analysis program, find the function entry address, and then enter into the vmprotect to protect the trouble.

1.2 Protecting arbitrary location codes
On the homepage of Anskya and the Russian author, Delphi was added to the program by adding the SDK tag. The tag mode in Delphi is:
Code:

[Plain]View PlainCopy

1. DB $EB, $ A, ' vmprotect begin ', 0//Mark start.
2. End
3. program code that you want to protect
4. Asm
5. DB $EB, $0e, ' Vmprotect end ', 0//Mark end.
6. End

In Delphi can directly use this kind of MASM-like assembly language, more convenient, but in the VC does not support the DB statement, only support the insertion of a single byte of the _emit statement. I figured out a more troublesome way, that is, all insert 16 binary byte code, I do not know there is a better way to do it. This method is learned from the Asprotect SDK example inside the aspr.h.
The tag mode in VC is:
Reference:

[CPP]View PlainCopy

2. __asm //mark at the beginning.
4. {
6. _emit 0xEB
8. _emit 0x10 //jmp 0x10
10. _emit 0x56 //ascii "vmprotect begin", 0
12. _emit 0x4d
14. _emit 0x50
16. _emit 0x72
18. _emit 0x6F
20. _emit 0x74
22. _emit 0x65
24. _emit 0x63
26. _emit 0x74
28. _emit 0x20
30. _emit 0x62
32. _emit 0x65
34. _emit 0x67
36. _emit 0x69
38. _emit 0x6e
40. _emit 0x00
42. }
44. //program code that you want to protect
46. __asm //Mark end.
48. {
50. _emit 0xEB
52. _emit 0x0E //jmp 0x0E
54. _emit 0x56 //ascii "Vmprotect End", 0
56. _emit 0x4d
58. _emit 0x50
60. _emit 0x72
62. _emit 0x6F
64. _emit 0x74
66. _emit 0x65
68. _emit 0x63
70. _emit 0x74
72. _emit 0x20
74. _emit 0x65
76. _emit 0x6e
78. _emit 0x64
80. _emit 0x00
82. }

Insert this pair of tags into any program code you want to protect. This method can penetrate inside the function to precisely protect a piece of code that you want to protect. After the insert is successful, you can find the function "VMProtectMarker1" where the Vmprotect is selected, which is where the tag is used, and the number of functions is incremented if there are multiple protections, such as VMProtectMarker2, VMProtectMarker3 and so on. Remember to select these functions and then protect them.

2. Asprotect
Asprotect's SDK programming is relatively studious, as it brings a very detailed documentation asprotect.chm. Here I am equivalent to translating a part of this file. I use Asprotect SKE 2.2 Release Build 0425 this version, after installation not only has the documentation, there are many examples, actually see these examples can learn, very simple.

2.1 How to use the Asprotect mark
Recent versions of Asprotect support the use of tags in the following programming languages: Delphi, C + +, and Visual Basic. It is important to note that these markup macros cannot be supported. NET language and visual Basic compiled with Pcode mode.
Limit:
In order to successfully insert the Asprotect tag into your program, you need to meet the following criteria:
§ polymorphic deformation markers (polymorphic) cannot be in a circular statement, such as for, do, and so on,
§CRC The check mark cannot be nested, that is, you cannot put a CRC tag inside the CRC tag,
§ The code within the registered sections (Registration section) and CRC check mark requires a minimum of 5 bytes in size.

The markup of the C + + form is defined by the include (*.h or *.inc files) folder and will be compiled as assembly code for special sequences that will be automatically detected by the Asprotect when the shell is added.
You can find examples of how to use tags in the Asprotect installation folder.

2.2 Polymorphic deformation markers (polymorphic markers)
You can use polymorphic deformation markers to protect code anywhere within the program. In order to use polymorphic deformation markers, you need to insert a morph marker instance anywhere inside the function you want to protect. For example, place a polymorphic deformation marker at the top of the code inside the function. All code fragments from this marker to the end of the function will be erased and replaced with a polymorphic deformation simulation. Asprotect uses emulation to change the contents of this function (such as entry point protection), so it is impossible to recover or even understand how the original program works.
In order to use the new code fragment protection, you need to insert the new markup as follows:
Code:

[CPP]View PlainCopy

1. #include "Include\aspr.h"
2. VOID Test
3. {
4. User_polybuffer
5. //Some code
6. }

Attention! In order to avoid the operators that change the program logic before the polymorphic morph markers, this version does not support the use of tags within a looping statement, so place these tags outside the loop body and do not use code similar to the following:
Code:

[CPP]View PlainCopy

1. do {
2. User_polybuffer
3. //Some code
4. } while ();
5. //Some code

2.3 Enclosure Integrity Check (Envelope Checks)
The Asprotect directly wraps the program in a secure enclosure that contains all the protection options. So it is important for the protector to check whether the shell is present or whether it has been attempted to be removed manually. In order to use the shell check, you need to insert either of the two shell check marks as follows:
Mode 1-If the asprotect shell is removed, it will produce an exception, you can handle the exception and do some evil things at this time. @[email protected]
Code:

[CPP]View PlainCopy

1. #include "Include\aspr.h"
2. MessageBox (0,"Begin", "" ", 0);
3. #include "include\cppenvelopecheck.inc"//can insert this sentence at any location.
4. MessageBox (0,"End", "" ", 0);

Mode 2-If the asprotect shell is removed, this way will work like a function, returning a false value. If it is false you can do some evil things.
Code:

[CPP]View PlainCopy

1. BOOL Envelopecheck () //This function is placed in front of the program.
2. {
3. #include "Include\cppenvelopecheckfunc.inc"
4. }
6. if (! Envelopecheck ()) //: The evil thing

2.4 CRC Check
This chapter applies only to executable programs. The CRC check of the Code section is very effective against the loader (loaders). So if you want to set a CRC check for some extra code snippet, simply place the CRC check mark at the beginning and end of the snippet, as shown below:
Code:

[CPP]View PlainCopy

1. #include "Include\aspr.h"
3. #include "Include\cppcrcbegin.inc"
4. //Some code
5. #include "Include\cppcrcend.inc"

Attention! This version does not support nested tags, so do not use the following code method:
Code:

[CPP]View PlainCopy

1. #include   "Include\aspr.h"      
2.   
3. #include   " Include\cppcrcbegin.inc "    
4.  // some  code    
5.    #include   " Include\cppcrcbegin.inc "    
6.  // some  code    
7.    #include   " Include\cppcrcend.inc "    
8.  // some  code    
9. #include   "include\ Cppcrcend.inc "    

There are all kinds of registration, the expiration time of the encryption method needs to use the Asprotect API, in that help document has, want to see it, this Part I still useless, so did not translate. After compiling the above program, use Asprotect to automatically identify the tag, in the shell process can see the hint.

The above SDK encryption method, you can asprotect and vmprotect random mixed encryption (first with Vmprotect, and then with Asprotect), the strength of encryption should be pretty high bar. But it's best to make your program work.
It is important to note that some tokens are completely composed of bytecode, which may cause problems when a tag is damaged by the protection of another tag. So don't use a lot of tags with the same piece of code, and these are all going to be tested.
Also, sometimes the SDK-programmed executables cannot be run directly, and can be run after the shell has been added.

Add: The Vmprotect SDK logo in front of the use is not much good, use more words better define, streamline a bit. As follows:

Reference:

[CPP]View PlainCopy

2. #define Vmpbegin __asm\
4. {                   \
6. __asm _emit 0xEB \
8. __asm _emit 0x10 \
10. __asm _emit 0x56 \
12. __asm _emit 0x4d \
14. __asm _emit 0x50 \
16. __asm _emit 0x72 \
18. __asm _emit 0x6F \
20. __asm _emit 0x74 \
22. __asm _emit 0x65 \
24. __asm _emit 0x63 \
26. __asm _emit 0x74 \
28. __asm _emit 0x20 \
30. __asm _emit 0x62 \
32. __asm _emit 0x65 \
34. __asm _emit 0x67 \
36. __asm _emit 0x69 \
38. __asm _emit 0x6e \
40. __asm _emit 0x00\
42. }
46. #define Vmpend __asm\
48. {                   \
50. __asm _emit 0xEB \
52. __asm _emit 0x0E \
54. __asm _emit 0x56 \
56. __asm _emit 0x4d \
58. __asm _emit 0x50 \
60. __asm _emit 0x72 \
62. __asm _emit 0x6F \
64. __asm _emit 0x74 \
66. __asm _emit 0x65 \
68. __asm _emit 0x63 \
70. __asm _emit 0x74 \
72. __asm _emit 0x20 \
74. __asm _emit 0x65 \
76. __asm _emit 0x6e \
78. __asm _emit 0x64 \
80. __asm _emit 0x00 \
82. }

With the above define, in the need to encrypt the place only need two words, you can plug a little bit:

Code:

[CPP]View PlainCopy

1. Vmpbegin
2. Code snippets that require encryption
3. Vmpend

Vmprotect Options Introduction

Explanations of each of these: (see the instructions for use, just a rough explanation here)

(1) Memory protection: detects the integrity of the entity and stops running if the runtime finds it incomplete
(2) Input table protection: This option hides the APIs used in the program.
(3) Compressed output file: If you only use Vmprotect to protect, you can check this, if you will also use Asprotect to protect, you can remove this. (Note: If Asprotect and Vmprotect are used together, use Vmprotect for asprotect protection first)
(4) Detection debugger: This option will organize the debugger to monitor the program, when entering the protection section of the program, if detected that the debugger will display information and end the program run
(5) Virtual tools: When a program runs in a virtual environment always, it will show Ixnxi and end the program running
(6) The VM segment, which is the display when viewing resources with PE explore, changes the default ". Vmp" to ". Upx" to confuse the protection tool used.
(7) Debug mode: In the Vmprotect execution of the protection program compile, will check the program to add the Protection section is correct, if there is a problem, will give a hint.
(8) Check the virtual machine object: When the program runs, it will detect the integrity of the Virtual section table and the Vmprotect insertion point, if not complete and will not give a hint, but will introduce the program to the wrong address, resulting in a program error or even crash.
(9) Encrypt register when leaving virtual machine: The output of vmprotect will be encrypted.
(10) Hide constant: will block the address to query the variable or address to find the address of a call method, but this option is not useful for strings.
(11) Remove fixed elements: compilers such as Delphi will produce a list of fixed elements, but these elements will not be used by the operating system execution program, and Vmprotect is processed according to this list, saving only the list needed during the protection process.
(12) Move the resource to the end of the file: put the resource file to the tail, the sample resource.

Dump--if there is a case of nesting in use of vmprotect, in this panel you can locate it by looking for "Unpaire".
Finish compiling--click the Compile button to complete the compilation. The *.VMP and *.vms files are then generated next to *.exe (if a script is added to generate *.vms files)

Go: Encrypt applications with Vmprotect and Asprotect SDK