Introduction to Windows program Anti-wolf technique

Originally for some reasons and interest, learning for a period of time software reverse, for software encryption and decryption has a bit of a rough understanding. And then see some students worked hard to make a software, their own effort to encrypt, but often get out after the second break, real bear heart. Today probably summarizes some basic software encryption means, for reference, master do not spray.

About decryption

　　Software decryption has 2 levels, a commonly known as blasting, is not to analyze the encryption algorithm, only modify some of the verification related to the jump command to make the software run normally, the other is to really crack the encryption algorithm, and then write a register machine. There are usually two methods of static analysis and dynamic analysis, and the present tool is Ida and OllyDbg (OD).

Encryption algorithms and code

　　Encryption must first design a set of cryptographic algorithms, which can be used out of the box such as Md5,sha algorithm, you can also design a slightly simpler algorithm. In general, as a developer, design a simple encryption algorithm should not be a problem, but the design of the algorithm must be rigorous, can not appear through the cracks. For example, a time-limited algorithm, if only to record the start of the end time, and then use the current time to judge, such an algorithm by modifying the system time to go around, it is not strict enough, need to improve; For example, you can record a last run time so that you can handle the bug that modifies the system time.

With a perfect encryption algorithm, the most straightforward and most easily thought of is the user input password with the algorithm after the conversion with the saved key contrast, the same validation passed, inconsistent validation failed. This encryption program estimates that the novice can also explode quickly. So in code writing, you need to pay attention to the following points

First, the encryption algorithm does not come out of the program as much as possible. For example, your encryption algorithm is \ (f\), the user enters the password \ (x\), the program holds the secret key is \ (y\), then only in \ (y==f (x) \) to verify the pass. Avoid the implementation of \ (f\) in the program, you can prevent the cracker analysis of your encryption algorithm to write a register machine, then you can design another set of algorithms \ (g\) and \ (h\) make \ (y==f (x) \;\leftrightarrow \; g (y) ==h (f (x)) \) , remember \ (s=hf\), this will only appear in the program \ (g\) and \ (s\) and will not appear \ (f\). For example, the following code:

1 #defineMax_len 2562 intValidation (Char*py,Char*px)3 {    4     CharAzy[max_len] = {0};5     CharAzx[max_len] = {0};6     Char*ptmp =NULL;7 8     //In essence, the encryption algorithm converts numbers to lowercase letters .9     //but here, respectively, the matching key py and user password px to uppercase and lowercase characters are comparedTen     //Instead of turning px to lowercase, compare to py OnePtmp =Azy; A      while(*py! =' /') -     { -*ptmp++ = (*py++) & (~0x20);//This is to capitalize all the letters . the     } -  -Ptmp =azx; -      while(*px! =' /') +     { -*ptmp++ = (*px++) +0x10;//here, turn all the numbers into capital letters . +     } A  at     returnstrcmp (Azy, AZX); -  -}

View Code

The encryption algorithm \ (f\) is to map the numbers to lowercase letters, but during the verification process, the user input password is mapped directly to the uppercase letter (that is, the \ (s\) function), and the saved password is also converted to the uppercase (\ (g\) function), and then compared, so that the encryption algorithm \ (f\) appears in the program Of course, the algorithm here is very simple, perhaps can deduce the \ (f\), but as the algorithm complexity increases will be very difficult.

Second, try not to use If...else to judge the results of verification. Judging by the IF...ELSE structure, there is bound to be a JMP directive that is completely exploded when someone else navigates to the command to modify JMP conditions. The validation results can be used as an index to achieve the goal, such as the above encryption algorithm, if the user input 12345 print verification success, otherwise failure. The following code:

1 intMain ()2 {3     CharAkey[] ="ABCDE";4     CharApassword[max_len] = {0};5printf"input password:\n");6 gets (apassword);7     8     intNres =Validation (Akey, apassword);9 Ten     //use If...else to judge directly here One     if(Nres! =0) A     { -printf"Validation failed!\n"); -         return 1; the     } -printf"Validation success!\n"); -  -     //The validation results are shown here as an index +     CharAaprintinfo[][max_len] = {"Validation success!","Validation failed!"}; -printf"%s\n", Aaprintinfo[nres]); +      A  at     return 0; -}

View Code

If you have to use the IF...ELSE structure, you can separate the if statement from the validation function, which can be more difficult for static analysis of the code.

The third is that some key information is not placed in the heap and placed inside the stack. OD has a Find string function can put the string in the program heap out, the novice favorite to use this to locate jump point blasting.

1 voidMain ()2 {3     Chara[]="This are in stack";4     Char*b ="This was in heap";5 6printf"%s\n%s\n", A, B,"also in Heap");7}

View Code

This code has 3 strings (A, B, and "Also in Heap") that are loaded and looked up by OD after compiling, such as:

You can see that the strings stored in the heap are searched, so that you can quickly navigate to the corresponding code location:

The edx in the selected row holds the string a, but it is not searched.

Add shell

　　Have to say, although the above do some work, for the crack also only added a little bit of difficulty, the general novice effort is not difficult to fix. Then the software shell to the way that those who will not be shelling out of the door.

For ordinary PE file, it can directly parse its internal data or instructions by binary opening, the shell is equivalent to a lock box, so that people can not directly see the real contents of the PE file and can only see the encrypted content, when the program is running when it is decrypted to memory to run. In other words, for the shell of the program, static analysis is not feasible, must be shelled after the analysis, even if the dynamic debugging can be very difficult.

Software shell has compression shell and encryption shell, the general compression shell is mainly to reduce the size of the PE file, and the shell is to prevent the PE file is anti-compilation, debugging and modification. Some commonly used shells such as upx,asp and so have special shell and shelling tools, is said to be the most difficult to fix or vmprotect, in the snow Web site has a variety of shell tools, we can refer to their own.

The size of the PE file after the shell and the entry point of the program will change, you can use Peid to view the relevant shell information. is the program before and after the shell information, you can see the PE file a lot of information is different:

Anti-debug

It would be nice if the program was protected by a shell. But at present most of the shells have a shelling machine, there is a great risk of being taken off, then we have to strengthen the prevention, this is the program counter-debugging. The basic idea of anti-debugging is whether the test program is currently being debugged, if it is to do some protective measures, such as exit, crash and other means.

To run a program, there are many places in the process that identify whether the current process is being debugged, and by detecting these variables it can be simply judged to be processed. The Windows system also provides a Isdebuggerpresent API for calls, but the function has a reputation for being too big and many debuggers will bypass it. This blog is listed in more detail, worthy of reference.

In addition, if you hit a software breakpoint somewhere in the program, it will be modified by the debugger to 0xCC, and when it is executed, it will be changed back, so there is a class of methods, such as a CRC check or MD5 check. The basic approach is to make the current PE file input and generate a string that determines whether the program is debugged or modified by judging whether the string changes.

There is also a more brutal approach. Currently the Windows program debugger with more time OD and SoftICE, you can enumerate the system current process to determine whether the two debugger is running, if the operation is that the program is being debugged. Maybe others are debugging other programs, no matter how much, for security reasons, have to "better to kill 3,000 and never escape from a person." Determine if the system has OD in the running code as follows:

1#include"tlhelp32.h" 2 BOOLisodruning ()3 { 4 HANDLE hwnd;5PROCESSENTRY32 TP32;//Structural Body6Tp32.dwsize =sizeof(PROCESSENTRY32);7TCHAR *str= _text ("ollydbg. EXE"); 8     BOOLBfindod=false; 9Hwnd=:: CreateToolhelp32Snapshot (th32cs_snapprocess,null);Ten     if(invalid_handle_value!=hwnd) One     {  AProcess32First (hwnd,&TP32);  -          Do{  -              the             if(0==wcsicmp (str,tp32.szexefile)) -             {  -Bfindod=true;  -                  Break;  +             }  -} while(Process32Next (hwnd,&tp32));  +     }  A CloseHandle (HWND); at      -     returnBfindod; -}

View Code

Finally, there are methods of using exception handling. For example, the following code, by artificially generated an interrupt exception, and then in the exception processing to verify, so that when debugging the interrupt exception is a breakpoint, so that the program will not enter the exception processing. The code is as follows:

1 LongG_label =0;2LONG Handle (Exception_pointers *pexceptioninfo)3 {4     if(Exception_breakpoint = = pexceptioninfo->exceptionrecord->Exceptioncode)5     {6         //Validation7 8         if(/*Success*/)9         {TenPexceptioninfo->contextrecord->eip =G_label; One                         A             returnexception_continue_execution; -         }         -     } the     returnException_execute_handler; - } -  - voidMain () + { -  +     //===exception Validation Begin A Lptop_level_exception_filter Lpold; atLpold =SetUnhandledExceptionFilter ((lptop_level_exception_filter) Handle); -  - __asm -     { - push LABEL_OK; - pop G_label; in         int 3; -     } to  + LABEL_OK: - SetUnhandledExceptionFilter (lpold); the     //===exception Validation End *     //Do your things ... $}

View Code

Of course also can take other exceptions (such as except 0 exception), but with the exception of one drawback is that you write code debugging time is also very inconvenient.

The above is I probably understand the anti-debugging technology, but the encryption and decryption is strongly adversarial, now some debuggers have added anti-reverse debugging means, so that the program's anti-debugging failure.

Driver protection with hardware dongle

　　Procedures to do the above protection, basically has a certain degree of self-protection, the general personal writing software is enough. If you are writing commercial software that requires a high level of protection against cracking, that can be driven by a driver or dongle. Depending on the software to determine the specific use.

If the software is some professional strong, can be used to protect the hardware dongle; if the software is like online games for a wide range of popular groups, the use of the dongle is not realistic, generally use drive protection, Penguin game basically have tenprotect drive protection, The Grand GPK protection is a more typical example.

The dongle I did not study carefully, it is not much to say. The above anti-debugging means are running at the ring3 level, while the driver is running the RING0 level, the main driver protection is the hook system of some of the underlying API, by verifying the caller to distinguish between external debugging modification or the program's own operations. For example, the operation of the open process, all the debugger needs to call, through the driver layer hook the function to prevent the debugger to open or attach to the program process.

Conclusion

　　Since the contact with these things, only to know the "related to the Internet, the Internet does not involve the real meaning of the secret." To know that this line is a lot of experts, even if the use of various means, it is impossible to ensure that the software is absolutely safe, as long as the software run will leave traces, there is the possibility of being cracked.

Now more than a year has not engaged in these, and later estimated that there is no time to engage in, the original study although very tired, but feel very full of interest, and even want to change the direction of the work, I would like to that period of time to learn the summary.

Although wrote all these encryption things, I personally still more advocating open source, if not so necessary, or hope that we can more of the source and people to share, and common progress.

Introduction to Windows program Anti-wolf technique