Software Protection Mechanism

Protection Mechanism

[Statement]
I write articles mainly for communication, and hope that you can maintain the integrity of the article during reprinting.

[Preface]
This time I focused on the protection mechanism and did not write any shell removal method. In fact, I have misled many kind audiences. The most important thing to know about a shell software is its protection mechanism, which I learned later. The following describes some protection mechanisms. This is only for everyone and me to learn and understand the knowledge of protection mechanisms.

Author: ljttt
Factory Date)

① First, let's look at a simple self-protection method. The Code is as follows:

0040cc54: 03f3 add ESI, EBX <-- ESI points to a code segment. ECx indicates the code length (DWORD)
0040cc56: 8b06 mov eax, dword ptr [esi] <-- retrieve the four bytes in the code
0040cc58: 33d0 XOR edX, eax <-- XOR exclusive or
0040cc5a: f7d2 not edX <-- reverse
0040cc5c: 33D1 XOR edX, ECx <-- different from ECx (code length) or
0040cc5e: 03d0 add edX, eax <-- add to four bytes in the code
0040cc60: 83c604 add ESI, 00000004 <-- locate the next four bytes in the code
0040cc63: 49 dec ECx <-- code length minus one
0040cc64: 75f0 jnz 0040cc56 <-- loop

Let's first describe the function of this Code: we can see that this Code uses ESI as a pointer, and uses ECx to save the length. Perform an exclusive or inverse operation on the data pointed to by ESI, and finally obtain a "value" in EDX ".

So what does it have to do with its own protection? To put it simply, if ESI = 0040cc54, ECx = 0040cc64-0040cc54. Is this Code an operation (XOR or inversion) of its own code? OK!

So what changes will happen if you set the next breakpoint in the Code section? Will the calculated "value" be the same as when it was not set to be disconnected?

Let's give a brief introduction to SoftICE. When you set a breakpoint in the debugging environment of SoftICE, the first byte of the Code where the breakpoint is located will become 0xcc.
As a result, the code is changed when the breakpoint is set, and the "value" of the operation is different from that of the operation when the breakpoint is not set. If you think of this value, you can use a comparison method to determine whether a breakpoint has been set. Yes, this is a method, but it is very easy to use this "value" as the restoring key in Shell software to restore the next piece of code.
That is, the SMC technique to restore the code.

(However, if you use the D command in SoftICE to display this line of code, no changes are found. Haha, but if you start another debugger, trw2000, to display this line of code, then look at it again? Haha, do you understand ?)

②. SMC skills to restore the code.
In the shelling software, the multipart restoration code is a common method. Maybe you have had this experience. (Why is it like prose ?!) You have tracked a software and found a piece of code, such as cpuid (the corresponding hexadecimal code is 0x0f 0xa2 ). However, when you use the hexadecimal editing software to search for 0x0f 0xa2, why can't you find it? Why?

In fact, the principle is very simple, that is, stored encrypted data in the executable file of the program, only when the program is running will the program decrypt the encrypted data by a restored code at a certain point, (The restored data is the actual code that you can "see" in the debugger ). Then, the program executes the restored code. Now you know it! For example, the code described in Figure ① is used to form a restored key. when the key is correct, that is to say, it first looks at the key four times, when I find that I have not been modified (or set a breakpoint), I will "quietly" restore another piece of encrypted code. Then proceed!
A little interesting! In Shell software, if it "wants" to protect a piece of code, it will encrypt it, and then use another piece of code to form a key to restore it when running the program! This prevents you from static analysis. Of course, to prevent you from using the dynamic tracking method, it also integrates the self-protection method described in section ①. In this way, if you accidentally enter the trap (a breakpoint is set at a certain point under its own protection), the restored code is a pile of junk code. In this case, do not write a letter to the author, saying that the program has a problem ?!

(Of course, SMC skills can be used for multiple purposes. Do not have the concept of preemptible. The SMC technique can be used as a method for self-protection by shelling software, or as a method for cracking by cracker, so ...... how to use it? It's still you !...... Why do you want to compile a virus !)

The previous section introduced simple self-protection techniques. You may have been thinking about how to deal with them, for example:
Use the single-step tracking method without any breakpoints
Or, you can trace the correct key at a time and set it to be disconnected at any time. You can only "give" the correct key when it is used.
Alternatively, you can use BPM breakpoint to dynamically track data and code without tracing.
You can think more ....

Of course, in order to better protect yourself, it is not just so simple to protect yourself in the shelling software. You guess what protection methods will be used in the shelling software to prevent the above methods?

③ Anti-tracking method: Deformation of API calls.
You may like to first break a key API function before entering the program code for tracking. But in Shell software, you must be careful about this method.
Let's take a look at this Code:

015f: 00411b6a 33c0 XOR eax, eax <-- ESI points to the API function address entry, such as createfilea ()
015f: 00411b6c AC lodsb <-- get a byte
015f: 00411b6d 3c50 CMP Al, 50 <-- determine whether it is 50
015f: 00411b6f 720f JB 00411b80 <-- less than 50, jump to 00411b80
015f: 00411b71 3c57 CMP Al, 57 <-- judge whether it is 57
015f: 00411b73 770b ja 00411b80 <-- greater than 57, jump to 00411b80
......
015f: 00411bd3 897a01 mov [edX + 01], EDI
015f: 00411bd6 8b831f7b0000 mov eax, [EBX + 20177b1f]
015f: 00411bdc 8b8b237b0000 mov ECx, [EBX + 20177b23]
015f: 00411be2 8b93277b0000 mov edX, [EBX + 20177b27]
015f: 00411be8 8bbb3b7b0000 mov EDI, [EBX + rj7b3b]
015f: 00411bee 8bb3377b0000 mov ESI, [EBX + 4157b37]
015f: 00411bf4 8bab337b0000 mov EBP, [EBX + 20177b33]
015f: 00411bfa 8b9b2b7b0000 mov EBX, [EBX + rj7b2b]
015f: 00411c00 e900000000 JMP 00411c05 <-- the jump here will be changed to a command in the API function address

(Note: When you enter this code, ESI points to the entry address of an API function, and ESP points to the stack with medium-pressure parameters required for this API function. Because the code is long, it is not fully listed)

The role of the above Code is to analyze (or disassemble) some code starting from the API function, and then copy the code to its own process space for execution, go to the internal code of the API function and continue to execute the API function.

In this way, when you set a disconnection at the entrance of the API function (for example, BPX createfilea), it will "Block" it. Why? Because it is not executed from the API function entrance. Instead, it enters from the "side door. Look, how interesting shell software is! Maybe, you will think, isn't it enough to set the code to be disconnected somewhere inside the API function? You must be careful that shelling software is good or "prank". It starts part of the code by analyzing API functions. On the one hand, it implements "disassembly" and on the other hand, if you set a break point in the code it analyzes, it may also hurt the killer, because the breakpoint code is 0xcc, it does not like to show such commands in API functions. If you are down ..........

④ Anti-dynamic tracking method.
Of course, shell software may not only focus on preventing you from setting breakpoints, but may also directly focus on preventing debugging. For example, the most direct method is to check whether a debugger or some tool software is loaded in your current environment. For example:

This method is most known as 'meltice' because it has been freely distributed
Via www.winfiles.com. However it was first used by numdeskpeople to allow symbol
Loader to check if SoftICE was active or not (the code is located inside nmtrans. dll ).

The way it works is very simple:
It tries to open SoftICE drivers handles (sice, siwvid for Win9x, ntice For WinNT)
With the createfilea API.

Here is a sample (checking for 'sice '):

Bool issoftice95loaded ()
{
Handle hfile;
Hfile = createfile ("//. // sice", generic_read | generic_write,
File_pai_read | file_pai_write,
Null, open_existing, file_attribute_normal, null );
If (hfile! = Invalid_handle_value)
{
Closehandle (hfile );
Return true;
}
Return false;
}

The above is a document from frogsice. Use createfile () to open some special "Files". If the returned value is not-1, it can "find" SoftICE is loaded. Of course, this method is common because it can be used in Win98/NT.
Similarly, if you change the detected string //./sice
/// Ntice: Detect SoftICE under NT
/// Filemon detection Filemon
/// Regmon Detection
/// TRW detection TRW
/// Trwdebug detection TRW
/// Icedump detection icedump
You can "find" other trails.

Another common method for detecting SoftICE is as follows, which is also taken from frogsice documents.

** SoftICE shocould not be loaded so that frogsice can detect this method **

This method of detection of SoftICE (as well as the following one) is
Used by the majority of packers/Encryptors found on Internet.
It seeks the signature of boundschecker in SoftICE

MoV EBP, 0100003484bh; 'bchk'
MoV ax, 04 H
INT 3
CMP Al, 4
Jnz softice_detected

In fact, there are many SoftICE detection methods, which are described in the frogsice document. Here we will just look at it. If you have the most "new" anti-tracking method, you must notify me. Pai_^

⑤ Combination of self-protection and anti-Dynamic Tracking:
Finally, let's take a look at this Code:

015f: 0040ddd8 01ff add EDI, EDI
015f: 0040 ddda c783cb1800009000000mov dword ptr [EBX + 000018cb], 00000190
015f: 0040dde4 8beb mov EBP, EBX
015f: 0040dde6 ba561e0000 mov edX, limit 1e56
015f: 0040 ddeb 03d3 add edX, EBX
015f: 0040 dded 52 push edX
015f: 0040 ddee 6467ff360000 push dword ptr fs: [0000] <-- seh
015f: 0040ddf4 646789260000 mov FS: [0000], esp <-- seh
015f: 0040 ddfa 89a3a3760000 mov [EBX + 10976a3], ESP
015f: 0040de00 becd1e0000 mov ESI, 1_1mcm
015f: 0040de05 03f3 add ESI, EBX
015f: 0040de07 8bfe mov EDI, ESI <-- EDI = 40 decd
015f: 0040de09 b90f0a0000 mov ECx, 00000a0f <-- ECx = 0xa0f, ECx stores the number of cycles
015f: 0040de0e 8b93fc760000 mov edX, [EBX + 201776fc]

; Timeout ;--------------------------------------------------------------------------------------------------
The following code is similar to the code described in 1.
That is, the code between the code segment (015f: 40d8e6-015f: 40 DECA) and the initial value of edX are computed to form a "key"
; The result is still saved in EDX.
; Timeout ;--------------------------------------------------------------------------------------------------
015f: 0040de14 56 push ESI <-- start of the loop
015f: 0040de15 51 push ECx <-- save in the stack. ECx stores the number of cycles = a0f.
015f: 0040de16 b979010000 mov ECx, 00000179
015f: 0040de1b bee6180000 mov ESI, 201718e6
015f: 0040de20 03f3 add ESI, EBX <-- ESI = 40c000 + 18e6 = 40d8e6. (40c000 is the program entry)
015f: 0040de22 8b06 mov eax, [esi] <-- 4 bytes in the code
015f: 0040de24 33d0 XOR edX, eax
015f: 0040de26 33D1 XOR edX, ECx
015f: 0040de28 83c604 add ESI, 04
015f: 0040de2b 49 dec ECx <-- Reduce the number of cycles by one. The initial value of ECx is 179.
015f: 0040de2c 75f4 jnz 0040de22 <-- This section is the same as the preceding Method for self-protection.
015f: 0040de2e 59 pop ECx <-- output Stack
015f: 0040de2f 5E pop ESI <-- output Stack
; Timeout ;--------------------------------------------------------------------------------------------------
This Code uses the "key" in edX to restore the encrypted code pointed to by EDI. The initial value of EDI is 40 decd.
; Timeout ;--------------------------------------------------------------------------------------------------
015f: 0040de30 ad lodsd
015f: 0040de31 33c2 XOR eax, EDX
015f: 0040de33 AB stosd
; Timeout ;--------------------------------------------------------------------------------------------------
This code is used for anti-tracking
; Timeout ;--------------------------------------------------------------------------------------------------
015f: 0040de34 0f018ba57a0000 sidt fword PTR [EBX + 20177aa5] <-- Obtain idtr content
015f: 0040de3b 8bb3a77a0000 mov ESI, [EBX + 20177aa7] <-- Obtain the base address of the IDT table
015f: 0040de41 894e08 mov [ESI + 08], ECx <-- modify the address of the int 1 processor to ECx, so that you can die.
; Timeout ;--------------------------------------------------------------------------------------------------
; Convert the "key.
; Timeout ;--------------------------------------------------------------------------------------------------
015f: 0040de44 3393521e0000 XOR edX, [EBX + 20171e52]
015f: 0040de4a 8bf7 mov ESI, EDI
015f: 0040de4c eb70 JMP 0040 debe
... (Omitted)
015f: 0040 debe ff834e1e0000 Inc dword ptr [EBX + rj1e4e]
015f: 0040dec4 33D1 XOR edX, ECx
; Timeout ;--------------------------------------------------------------------------------------------------
; Determine whether the loop ends, that is, all the encrypted code after this time has been restored
; Timeout ;--------------------------------------------------------------------------------------------------
015f: 0040dec6 49 dec ECx <-- Reduce the number of cycles by one. The initial value of ECx is a0f.
015f: 0040dec7 0f8547ffffff jnz 0040de14 <-- end of the loop
015f: 0040 decd 5f pop EDI <-- encrypted code
015f: 0040 dece 44 Inc ESP <-- unrestored code

This code is relatively long, so it takes some time to understand it. This is a combination of "anti-dynamic tracking" and "self-protection.
We can see that the Code after 015f: 0040 decd has been encrypted. This code is used to restore the encrypted code. After the code loop ends, the encrypted code is restored. This is the application of SMC techniques. In this Code, the "key" is calculated by all the previous code. In addition, each cycle is changed once. This is the self-protection introduced in section 1. It prevents you from modifying its code or setting a breakpoint tracking.
In addition, an "anti-dynamic tracking" method is added to the program, that is, the address of the interrupt processing program with one-step interruption is modified. In this way, your tracing environment will be damaged.

015f: 0040de34 0f018ba57a0000 sidt fword PTR [EBX + 20177aa5] <-- Obtain idtr content
015f: 0040de3b 8bb3a77a0000 mov ESI, [EBX + 20177aa7] <-- Obtain the base address of the IDT table
015f: 0040de41 894e08 mov [ESI + 08], ECx <-- modify the address of the int 1 processor to ECx, so that you can die.

This is what shell software features, combining attack and defense. So when you are not careful, you may fall into the trap set by it and see "Buddha ". So in order to prevent it from being sent to westday. You have to work hard to understand the features and skills of your own protection and anti-tracking. Shell software is generally such a trap. Of course, the protection mechanism of shell software also has its weakness. As long as your program instructs the machine to "read", dynamic tracking will fail, and static analysis or combination of dynamic and static analysis will occur. Therefore, the appearance of various shell removal machines will occur. Of course, this is the relationship between the "Spear" and "shield". I think the key lies in the proper use and innovation. For example, I often use MD5, RSA, blowfish, and other encryption algorithms to calculate registration codes. How can this problem be solved ?! Haha, then use the if command for registration and judgment !?...................

[Postscript]
Because these protection mechanisms are frequently used, it is okay to introduce them. In fact, these things have been available for a long time. However, I often like to try new bottles and old wines. In addition, I do not fully understand anti-Debug. I also hope that more experts can be introduced to prevent counterfeiting.