Recently I wanted to protect a program with the VMProtect and ASProtect SDKs. It took me a long time to work out how to use the VMProtect SDK from VC, so now that I have a little experience I am writing it up so that nobody else has to take the same detour.
VMProtect and ASProtect handle SDK programming in much the same way: while writing the program you insert markers into the code, and when the program is packed the protector recognises those markers and applies protection to the marked regions. I think this is the most basic form of SDK programming for a protector.
1. VMProtect
I found the newer VMProtect versions hard to use, so VMProtect v1.2 is used here (feel free to try a newer one). The compiler is VS.NET 2003. I mainly referred to the article "VMProtect SDK + ASProtect SDK hybrid programming [code demo]" by anskya: http://bbs.pediy.com/showthread.php?threadid=20317
1.1 Protecting internal functions
Delphi needs a map file, and VS.NET 2003 likewise has to be set to generate one so that VMProtect can identify internal functions. Without a map file VMProtect only recognises exported functions; anything else has to be added by typing in its address.
In VS.NET 2003 open Project -> project1 Properties (assuming the project is named project1) -> Linker -> Debugging -> Generate Map File and set it to Yes (/MAP). project1.map is then produced alongside project1.exe. Copy both project1.exe and project1.map into the VMProtect folder. When you add a function in VMProtect it now lists the internal functions, and you only have to select the ones you want to protect. Without the map there is only an input box for a function address and no list of internal functions.
This saves the trouble of analysing the program in OllyDbg to find a function's entry address and typing it into VMProtect by hand.
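What VMProtect gets from the map file is simply the linker's public symbol table. The following added example (not code from the original post or from VMProtect) parses the "Publics by Value" section of an MSVC .map file the same way, so you can check which functions the map actually exposes before packing. The map text embedded in it is constructed for the demonstration; the symbol names, object names and addresses in it are made up.

```python
"""Parse the 'Publics by Value' section of an MSVC linker .map file and list
the functions it names, which is what VMProtect offers when it has a map.

Added example, not from the original post or from VMProtect. The map text
below is constructed; the layout follows the MSVC .map format:
segment:offset, symbol, Rva+Base, an 'f' flag for functions, Lib:Object.
"""
import re

# Constructed sample map, not a real project's output.
SAMPLE_MAP = """\
 project1

 Timestamp is 4a1b2c3d (Mon Jun 01 12:00:00 2009)

 Preferred load address is 00400000

 Start         Length     Name                   Class
 0001:00000000 00001200H .text                   CODE
 0002:00000000 00000400H .rdata                  DATA

  Address         Publics by Value              Rva+Base       Lib:Object

 0001:00000000       _main                      00401000 f   project1.obj
 0001:00000040       ?CheckLicense@@YAHPAD@Z    00401040 f   project1.obj
 0001:000000a0       ?Decrypt@@YAXPAEI@Z        004010a0 f   crypto.obj
 0002:00000010       ?g_Version@@3PADA          00402010     project1.obj
 0001:00000100       _printf                    00401100 f   LIBC:printf.obj

 entry point at        0001:00000000
"""

# One public symbol per line: "seg:off  name  rva+base [f] lib:object"
_PUBLIC_RE = re.compile(
    r"^\s*(?P<seg>[0-9A-Fa-f]{4}):(?P<off>[0-9A-Fa-f]{8})\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<flag>f\s+)?"          # 'f' marks a function symbol
    r"(?P<obj>\S+)\s*$"
)


def preferred_load_address(map_text):
    m = re.search(r"Preferred load address is ([0-9A-Fa-f]+)", map_text)
    return int(m.group(1), 16) if m else 0


def parse_publics(map_text):
    """Return one dict per public symbol listed in the map."""
    symbols = []
    in_publics = False
    for line in map_text.splitlines():
        if "Publics by Value" in line:
            in_publics = True
            continue
        if in_publics and line.strip().startswith("entry point"):
            break
        if not in_publics:
            continue
        m = _PUBLIC_RE.match(line)
        if not m:
            continue
        symbols.append({
            "name": m.group("name"),
            "address": int(m.group("addr"), 16),
            "is_function": m.group("flag") is not None,
            "object": m.group("obj"),
        })
    return symbols


def internal_functions(map_text):
    """Functions from the project's own object files, i.e. the candidates you
    would tick in VMProtect. Symbols whose object comes from a library
    ('LIB:obj') are skipped so the list shows only the project's own code."""
    return [s for s in parse_publics(map_text)
            if s["is_function"] and ":" not in s["object"]]


def function_address(map_text, name):
    """The address you would otherwise have to type into VMProtect by hand."""
    for s in parse_publics(map_text):
        if s["name"] == name and s["is_function"]:
            return s["address"]
    return None


if __name__ == "__main__":
    base = preferred_load_address(SAMPLE_MAP)
    for f in internal_functions(SAMPLE_MAP):
        print("%08X  (RVA %06X)  %s" % (f["address"], f["address"] - base, f["name"]))
```

Run it against a real project1.map and compare the output with the list VMProtect shows: a function that is missing here (because it was inlined, or because the map was generated from a different build than the .exe you copied) will be missing there too.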
1.2 Protecting code at any location
In anskya's post and on the Russian author's home page the SDK marker is shown only for Delphi. In Delphi the marker looks like this:
Code:
    asm
      db $EB, $10, 'VMProtect begin', 0   // start marker: JMP over the 16-byte string
    end;
    // ... program code to protect ...
    asm
      db $EB, $0E, 'VMProtect end', 0     // end marker: JMP over the 14-byte string
    end;
Delphi accepts this MASM-like inline assembly directly, which is convenient. The VC inline assembler has no DB directive; only single bytes can be inserted with the _emit pseudo-instruction. The method I came up with is more laborious: emit every byte of the marker in hex. I don't know whether there is a better way. The idea comes from aspr.h in the ASProtect SDK examples. Note that MSVC inline assembly, and therefore _emit, is only available when targeting 32-bit x86.
The marker in VC is:
Code:
    __asm                   // start marker
    {
        _emit 0xeb
        _emit 0x10          // JMP +0x10: skips the 16-byte string below
        _emit 0x56          // ASCII "VMProtect begin", 0
        _emit 0x4d
        _emit 0x50
        _emit 0x72
        _emit 0x6f
        _emit 0x74
        _emit 0x65
        _emit 0x63
        _emit 0x74
        _emit 0x20
        _emit 0x62
        _emit 0x65
        _emit 0x67
        _emit 0x69
        _emit 0x6e
        _emit 0x00
    }
    // program code to be protected
    __asm                   // end marker
    {
        _emit 0xeb
        _emit 0x0e          // JMP +0x0e: skips the 14-byte string below
        _emit 0x56          // ASCII "VMProtect end", 0
        _emit 0x4d
        _emit 0x50
        _emit 0x72
        _emit 0x6f
        _emit 0x74
        _emit 0x65
        _emit 0x63
        _emit 0x74
        _emit 0x20
        _emit 0x65
        _emit 0x6e
        _emit 0x64
        _emit 0x00
    }
Insert this pair of markers around any code you want to protect. Because the markers go inside the function, they let you protect exactly one chosen stretch of code rather than the whole function. After a successful insertion, when you pack the program in VMProtect you will find an internal function named VMProtectMarker1: that is the marked region. With several marked regions the numbering increases (VMProtectMarker2, VMProtectMarker3, and so on). Remember to select these functions for protection.
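Since the markers are hand-typed byte sequences, it is worth confirming that they survived compilation intact before packing. The following added example (not code from the original post or from VMProtect) rebuilds the marker bytes from the rule the _emit sequences encode (a short JMP whose displacement equals the length of the NUL-terminated string it skips), scans a byte buffer for them, flags any marker whose displacement does not match, and checks that begin/end pairs are balanced. The same bytes are what the macro version at the end of this post produces. The sample buffer is constructed for the demonstration, not a real executable; to use it on a real file, read the .exe into `data` instead.

```python
"""Scan a compiled binary for the VMProtect v1.x SDK markers produced by the
_emit sequences above and check that they pair up.

Added example, not code from the original post or from VMProtect. A marker is
a two-byte short JMP (EB disp8) over an inline NUL-terminated string, so the
displacement must equal the string length including the NUL:
'VMProtect begin' -> 0x10, 'VMProtect end' -> 0x0E. SAMPLE is constructed.
"""
import struct

BEGIN_TEXT = b"VMProtect begin\x00"
END_TEXT = b"VMProtect end\x00"


def marker_bytes(text):
    """Build a marker exactly as the _emit sequence does: EB <len> <text>."""
    if len(text) > 0x7F:
        raise ValueError("a short jmp cannot skip more than 127 bytes")
    return b"\xEB" + struct.pack("B", len(text)) + text


VMP_BEGIN = marker_bytes(BEGIN_TEXT)   # EB 10 'VMProtect begin' 00 (18 bytes)
VMP_END = marker_bytes(END_TEXT)       # EB 0E 'VMProtect end' 00   (16 bytes)


def find_markers(data):
    """Return [(offset, kind)] for every marker string found in data.

    kind is 'begin' or 'end' when the preceding JMP displacement matches the
    string length, and 'broken' when it does not (a mistyped _emit byte).
    A broken marker is worth catching before packing: the protector will not
    recognise it, and at run time the mis-sized jump lands inside the string.
    """
    found = []
    for text, kind in ((BEGIN_TEXT, "begin"), (END_TEXT, "end")):
        start = 0
        while True:
            i = data.find(text, start)
            if i < 0:
                break
            start = i + 1
            if i >= 2 and data[i - 2] == 0xEB:
                disp = data[i - 1]
                found.append((i - 2, kind if disp == len(text) else "broken"))
    return sorted(found)


def check_pairing(markers):
    """Every 'begin' must be closed by the next 'end', with no nesting.
    Returns (ok, [(begin_offset, end_offset), ...], [problem, ...])."""
    regions, problems = [], []
    open_begin = None
    for off, kind in markers:
        if kind == "broken":
            problems.append("malformed marker at 0x%X" % off)
        elif kind == "begin":
            if open_begin is not None:
                problems.append("nested/unclosed begin at 0x%X" % open_begin)
            open_begin = off
        else:  # end
            if open_begin is None:
                problems.append("end without begin at 0x%X" % off)
            else:
                regions.append((open_begin, off))
                open_begin = None
    if open_begin is not None:
        problems.append("unclosed begin at 0x%X" % open_begin)
    return (not problems, regions, problems)


# Constructed sample "code section": two correct regions plus one marker whose
# displacement was mistyped as 0x0F, an easy slip when emitting bytes by hand.
SAMPLE = (
    b"\x55\x8B\xEC"                             # push ebp; mov ebp, esp
    + VMP_BEGIN + b"\x33\xC0\x40" + VMP_END     # region 1: xor eax,eax; inc eax
    + b"\x90" * 4
    + VMP_BEGIN + b"\x8B\x45\x08" + VMP_END     # region 2: mov eax,[ebp+8]
    + b"\x90" * 2
    + b"\xEB\x0F" + BEGIN_TEXT                  # broken: disp 0x0F != 0x10
    + b"\x5D\xC3"                               # pop ebp; ret
)


def scan(data=SAMPLE):
    return check_pairing(find_markers(data))


if __name__ == "__main__":
    ok, regions, problems = scan()
    for b, e in regions:
        print("protected region: 0x%X .. 0x%X" % (b + len(VMP_BEGIN), e))
    for p in problems:
        print("problem:", p)
    print("OK" if ok else "markers need fixing")
```

The number of regions reported should match the number of VMProtectMarkerN entries VMProtect lists for the same file; if the scan finds fewer, the compiler has most likely merged or reordered the inline asm, and if it reports a broken marker, one of the hand-typed bytes is wrong.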
2. ASProtect
ASProtect's SDK programming is easier to study because it ships with a very detailed help file, asprotect.chm; part of it is translated here. The version I used, ASProtect SKE 2.2 release build 0425, installs not only the documentation but also many examples. I worked through those examples, and it really is simple.
2.1 How to use ASProtect markers
The current ASProtect version supports markers in the following languages: Delphi, C/C++, and Visual Basic. Note that the marker macros are not supported for .NET languages or for Visual Basic compiled in P-code mode.
Restrictions:
For ASProtect markers to be inserted into your program successfully, the following conditions must be met:
§ a polymorphic marker may not be placed inside a loop statement such as for or do...while;
§ CRC check markers cannot be nested, i.e. one CRC marker may not be placed inside another;
§ the code inside a registration section or between CRC check markers must be at least 5 bytes long.
In C/C++ the markers are defined in the include files (*.h or *.inc) in the SDK folder; after compilation they turn into particular assembly byte sequences that ASProtect detects automatically when packing.
Examples of how to use the markers can be found in the ASProtect installation folder.
2.2 Polymorphic markers
A polymorphic marker can be placed at any location in the program. To use one, insert an instance of the marker anywhere inside the function you want to protect. For example, put it at the top of the function's code: all code from the marker to the end of the function is erased and replaced by a polymorphic emulation. ASProtect uses emulation to change the content of the function (as it does for entry point protection), which makes the original code very hard to restore or even to understand.
To protect a new code fragment, insert a new marker, as in the following code:
Code:
    #include "include\aspr.h"

    VOID Test()
    {
        USER_POLYBUFFER
        // some code
    }
Note! To avoid operators that change the program logic before the polymorphic marker, this version does not support the marker inside loop statements. Place the marker outside the loop body; do not write code like the following:
Code:
    do
    {
        USER_POLYBUFFER     // not allowed inside a loop body
        // some code
    } while (condition);
    // some code
2.3 Envelope checks
ASProtect wraps the program directly in a protective envelope that contains all the protection options, so it is important for the protected program to check that the envelope is present and has not been removed manually. To use the envelope check, insert either of the two envelope check markers, as shown below:
Method 1: if the ASProtect envelope has been removed, an exception is raised. You can handle this exception and take whatever countermeasure you like at that point.
Code:
    #include "include\aspr.h"

    MessageBox(0, "begin", "", 0);
    #include "include\cppEnvelopeCheck.inc"     // this line can be inserted anywhere
    MessageBox(0, "end", "", 0);
Method 2: if the ASProtect envelope has been removed, this marker behaves like a function call and returns FALSE; on FALSE you can react however you like.
Code:
    BOOL EnvelopeCheck()    // place this function before the code that calls it
    {
    #include "include\cppEnvelopeCheckFunc.inc"
    }

    if (!EnvelopeCheck())
    {
        // ... envelope removed: react here
    }
2.4 CRC check
This section applies only to executables. A CRC check of the code section is very effective against loaders. To add extra CRC checks over specific code fragments, mark the beginning and end of the fragment with the CRC markers, as in the following code:
Code:
    #include "include\aspr.h"

    #include "include\cppCrcBegin.inc"
    // some code
    #include "include\cppCrcEnd.inc"
Note! This version does not support nested markers, so do not write code like this:
Code:
    #include "include\aspr.h"

    #include "include\cppCrcBegin.inc"
    // some code
    #include "include\cppCrcBegin.inc"      // nested CRC marker: not allowed
    // some code
    #include "include\cppCrcEnd.inc"
    // some code
    #include "include\cppCrcEnd.inc"
There are also various registration methods and the time-limited (expiration) protection, which use the ASProtect API; they are covered in the help file, which you can consult if you need them. I have not used that part, so it is not translated here. Once the program is compiled as above, ASProtect recognises the markers automatically when packing and shows a prompt about them.
Once you have mastered the SDK methods above, you can combine ASProtect and VMProtect (first VMProtect, then ASProtect); the protection strength should be quite high. But make sure your program still runs afterwards.
It is worth noting that some markers consist entirely of byte sequences, and when packing, a marker may be damaged by the protection applied for another marker. So do not pile many markers onto the same piece of code, and test every combination you use.
Also, executables built with the SDK markers sometimes cannot be run directly; they only run after being packed.
Supplement: the VMProtect SDK marker above is clumsy to use as written, so it is better to define it as a macro and streamline it, as follows:
Code:
    // EB 10 "VMProtect begin", 0
    #define vmpbegin \
        __asm _emit 0xeb \
        __asm _emit 0x10 \
        __asm _emit 0x56 \
        __asm _emit 0x4d \
        __asm _emit 0x50 \
        __asm _emit 0x72 \
        __asm _emit 0x6f \
        __asm _emit 0x74 \
        __asm _emit 0x65 \
        __asm _emit 0x63 \
        __asm _emit 0x74 \
        __asm _emit 0x20 \
        __asm _emit 0x62 \
        __asm _emit 0x65 \
        __asm _emit 0x67 \
        __asm _emit 0x69 \
        __asm _emit 0x6e \
        __asm _emit 0x00

    // EB 0E "VMProtect end", 0
    #define vmpend \
        __asm _emit 0xeb \
        __asm _emit 0x0e \
        __asm _emit 0x56 \
        __asm _emit 0x4d \
        __asm _emit 0x50 \
        __asm _emit 0x72 \
        __asm _emit 0x6f \
        __asm _emit 0x74 \
        __asm _emit 0x65 \
        __asm _emit 0x63 \
        __asm _emit 0x74 \
        __asm _emit 0x20 \
        __asm _emit 0x65 \
        __asm _emit 0x6e \
        __asm _emit 0x64 \
        __asm _emit 0x00
With the macros above, only two lines are needed to protect a fragment, and you can drop a few more pairs in wherever you need them:
Code:
    vmpbegin
    // code fragment to be protected
    vmpend