Abstract: In today's software industry, the purpose of encryption is to delay decryption for as long as possible; during that time the development investment is recovered and new product versions are released. The shell method can be used to encrypt executable files under Windows. It applies an XOR algorithm to the key code sections of the file and prevents the program from being disassembled with SoftICE or other debugging software, so that the source program cannot be analysed and the software is protected.

Keywords: encryption, shell, XOR algorithm, additional code segment

0 Introduction

Computer software is a special, knowledge-intensive product. Producing a software product requires a lot of manpower and material resources; it is difficult, costly and slow to produce. Copying a software product, however, is quite easy, which has led to the proliferation of illegal copies and pirated software. Encryption is an effective way to protect intellectual property rights. Any encryption software may be deciphered, but that is no reason to discard it: encryption and decryption stand to each other as spear and shield. To prevent deciphering, encryption technology must keep improving.

1 Shell Encryption Method

An encryption system on the Windows platform is an exploration of the Windows kernel. Software encryption technology generally covers four aspects: anti-copy, anti-tampering, anti-tracking and anti-deciphering. This article addresses one of them, anti-deciphering, that is, preventing the program from being disassembled with SoftICE or other debugging software and blocking analysis of the source program, so that the software is protected.

The shell encryption method can be used to encrypt executable files under Windows. It processes the software to be encrypted directly: a "shell" is placed around the outside of the original software, and this layer of shell executes before the original software runs, which is how the encryption takes effect. This method is relatively difficult to implement. One needs a clear understanding of the format of Windows executable files and must solve the problem of connecting the shell to the original software; however, if advanced anti-tracking and deformation techniques are adopted, the encrypted software not only runs without any change in operation but also offers good confidentiality.

"Shelling" means adding a shell to an executable file. Under DOS this was a special small program that compressed executable files: the compressed file is generally only half the original size, yet it still executes without difficulty. A shell is added to the original program, and what the user actually runs is this shell program. The shell is responsible for unpacking the user's original program in memory and then executing the real program once it has been unpacked. Since all of this happens in memory, the user neither knows nor needs to know about the process.

The encryption method described here is shell based and aims to defeat static analysis. Static analysis means using disassembly software (such as W32Dasm and Unasm) to disassemble the executable file itself; the result of the disassembly is a direct translation of the instruction code stored in the file.

2 Implementing Shell Encryption with an XOR Algorithm

The shell is a piece of code that the encryption software appends to the executable program, with the program entry point redirected to the appended code. Before that, a program first encrypts the code section and the other key sections. When the encrypted program is loaded into memory, the appended code executes first: it is a decryption module that decrypts the encrypted module, restores the original program, and then transfers control to the original program. Anyone who tries to read or modify the program through static analysis, however, obtains only encrypted ciphertext. Because the key sections are encrypted, the original program fully resists static analysis by powerful disassemblers such as W32Dasm. The shell program cannot guarantee that it will not be dynamically analysed and modified with debugging software; this follows from its special role and from the weakness of anti-tracking.

The core encryption code is implemented mainly in Win32 assembly. First a buffer is created, the contents of the code section are read into the buffer as a string, and the XOR operation is performed on the bytes in place in that buffer. A new file is generated as the encrypted file, and the FileStream.WriteBuffer method is used to write the modified file header and code section into it. At this point the original file has been modified by the encryption module, the biggest change being the XOR of the code section. The code section is now a piece of ciphertext, so the original program can no longer run directly, which on its own would defeat the purpose of software protection. To make the program run normally it must be decrypted before it runs, so the entry address of the original program must be modified so that the encrypted software executes the decryption module first. In the PE file it suffices to point AddressOfEntryPoint at the appended code segment, so that the appended code segment executes first.

The main routine of the XOR encryption is as follows:

```delphi
procedure XorCode(const pAddress: DWORD; const Count: Integer);
begin
  asm
    push esi
    push edi
    push ecx
    push ebx
    mov ecx, Count      // number of bytes to process
    mov ebx, pAddress   // start of the buffer
  @L2:
    mov ah, [ebx]
    xor ah, 0FFh        // XOR one byte with the constant 0FFh
    mov [ebx], ah       // write the XORed byte back in place
    inc ebx
    dec ecx
    cmp ecx, 0
    jne @L2
    pop ebx
    pop ecx
    pop edi
    pop esi
  end;
end;
```

The main program that XORs the code section (the with statement sits inside a loop over the section table index I; FNtHeaders.Sections, FFileBase, NewFile and pPeCodeBuffer are the author's own fields; reading at VirtualAddress while writing at PointerToRawData assumes FFileBase is the base of the input file mapped as an image):

```delphi
with FNtHeaders.Sections[I] do
begin
  if I = 0 then  // the first section (the code section) is XORed
  begin
    pPeCodeBuffer := AllocMem(SizeOfRawData);
    Mov(DWORD(Pointer(FFileBase + VirtualAddress)), DWORD(pPeCodeBuffer), SizeOfRawData);
    XorCode(DWORD(pPeCodeBuffer), SizeOfRawData);
    NewFile.Position := PointerToRawData;
    NewFile.WriteBuffer(pPeCodeBuffer^, SizeOfRawData);
    FreeMem(pPeCodeBuffer);  // release the temporary buffer
  end
  else
  begin  // every section other than the code section is copied unchanged
    NewFile.Position := PointerToRawData;
    NewFile.WriteBuffer(Pointer(FFileBase + VirtualAddress)^, SizeOfRawData);
  end;
end;
```

The user-defined procedure Mov is defined as follows:

```delphi
procedure Mov(const Src: DWORD; const Dest: DWORD; Count: Integer);  // byte-wise block copy
begin
  asm
    push esi
    push edi
    push ecx
    mov esi, Src      // source address
    mov edi, Dest     // destination address
    mov ecx, Count    // number of bytes
    rep movsb         // copy ecx bytes from [esi] to [edi]
    pop ecx
    pop edi
    pop esi
  end;
end;
```

By running this encryption program, the most important block of the file, the code section (.text or CODE) that every executable requires, is encrypted. The program implements encryption of executable files under Windows NT and can basically meet the general needs of program encryption. Executable files encrypted by the program therefore prevent unauthorised users from directly modifying the original program and from conducting static analysis.
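As an added example (not from the article), the following Python script looks at the two mechanisms above from the analyst's side: a minimal PE32 section-table reader that flags an AddressOfEntryPoint lying outside the first (code) section, which is exactly how the shell wires itself in, plus the constant-key XOR the article's XorCode applies. The two-section PE used as input is constructed inside the script and is not a loadable executable; all function names are mine.

```python
import struct

XOR_KEY = 0xFF  # the fixed one-byte key the article's XorCode applies


def xor_code(data: bytes, key: int = XOR_KEY) -> bytes:
    """Python equivalent of the article's XorCode. XOR with a constant is an involution,
    so the same call both encrypts and decrypts, and the byte histogram is only permuted."""
    return bytes(b ^ key for b in data)


def parse_pe(pe: bytes):
    """Minimal PE32 header reader: (AddressOfEntryPoint, [(name, VA, VSize, RawPtr, RawSize)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + 16)[0]              # OptionalHeader.AddressOfEntryPoint
    off, sections = opt + opt_size, []                             # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
        off += 40                                                  # sizeof(IMAGE_SECTION_HEADER)
    return entry, sections


def entry_section_index(pe: bytes) -> int:
    """Index of the section that contains the entry point, or -1 if none does."""
    entry, sections = parse_pe(pe)
    for i, (_, va, vsize, _, raw_size) in enumerate(sections):
        if va <= entry < va + max(vsize, raw_size):
            return i
    return -1


def looks_shelled(pe: bytes) -> bool:
    """Triage heuristic: the shell points AddressOfEntryPoint at its appended code segment,
    so an entry point outside the first (code) section is a packing indicator worth a look."""
    return entry_section_index(pe) != 0


def build_fake_pe(entry_rva: int) -> bytes:
    """Constructed two-section PE32 skeleton (.text at RVA 0x1000, .shell at RVA 0x3000):
    sample input for the parser above, not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0x60, 0x102)      # 2 sections, 0x60-byte opt hdr
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000) + b"\0" * (0x60 - 24)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    shell = struct.pack("<8sIIIIIIHHI", b".shell", 0x200, 0x3000, 0x200, 0x600, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt + text + shell
```

Because a constant-key XOR only permutes byte values, a section treated this way keeps the entropy profile of plain code rather than the high entropy of a compressed section, so entropy-only packer heuristics miss it and the entry-point check is the more useful signal.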