Software encryption technology and implementation

zhaozj, 2021-02-16

Software Encryption Technology and Implementation
Lei Peng (Department of Computer Science, Guilin Institute of Electronic Technology)

Abstract: Pirated software has become a disaster for China's domestic software industry. To prevent illegal copying and piracy and to protect the interests of software developers, software must be encrypted. Many anti-piracy products exist on the market, but most of them are stand-alone tools that use only simple encryption and are easy to crack. This thesis describes a complete software protection scheme that combines encryption with electronic registration over the Internet. The scheme rests on several proven cryptographic primitives: symmetric encryption, hash functions, digital signatures and key exchange. Building on the structure of the Windows PE executable and its loading mechanism, these primitives are combined with a range of anti-cracking techniques to encrypt the PE file. The implementation uses the digital signature algorithm, the RC2 and RC4 ciphers and the SHA hash function from the Microsoft CryptoAPI, together with a hand-written MD5 implementation for fast digesting of large amounts of data; Winsock is the network interface; the code mixes assembly language and C. The anti-cracking measures include file integrity checking, code integrity checking, anti-tracing (anti-debug), anti-disassembly, anti-dump and code mutation. Reliable cryptographic algorithms greatly raise the strength of the protection, and online registration over the Internet keeps the scheme convenient for users.

Keywords: encryption; digital signature; hash; anti-tracing; electronic registration

Software Protection Technique and Its Realization
LEI Peng (Department of Computing, GuiLin Institute of Electronic Technology)

Abstract: The flood of pirated software has been a calamity for our national software industry. To prevent their software from being pirated and to protect their profits, developers must encrypt their software. Several software protection tools are on the market, but nine out of ten are stand-alone tools that use only simple encryption algorithms, so crackers break them easily. This thesis describes a complete software encryption and protection scheme that integrates encryption with electronic registration. The scheme is based on several reliable cryptographic algorithms: symmetric encryption, digital signatures, hashing and key exchange. The PE (Portable Executable) file format and its loading mechanism under Windows are dissected thoroughly, and these cryptographic algorithms and several anti-cracking methods are then used to encrypt and protect the PE file. The realization uses the RSA digital signature algorithm, the RC2 and RC4 encryption algorithms and the SHA hashing algorithm from the Microsoft CryptoAPI; to speed up digesting large amounts of data, the MD5 hashing algorithm was rewritten. The WinSock API is the network interface. C and assembly are blended to control the lower layers of the system easily and to simplify programming. The anti-cracking methods consist of file integrity checking, code integrity checking, anti-debugging, anti-disassembly, anti-dumping and code metamorphosis. Reliable cryptographic algorithms guarantee the cryptographic strength, and online registration is convenient for both retail users and software developers.

Key words: encryption; digital signature; hashing; anti-debug; electronic registration

Contents

1 Overview
2 Cryptography Basics
  2.1 Concepts
  2.2 Symmetric Algorithms
  2.3 Public-Key Algorithms
  2.4 One-Way Hash Functions
  2.5 Digital Signatures
3 Introduction to the PE File Format under Windows
  3.1 Win32 and PE Basic Concepts
  3.2 The PE Header
  3.3 The PE File Import Table
4 Currently Popular Software Protection Techniques
  4.1 Serial Number Protection
  4.2 Time Limits
  4.3 Key File Protection
  4.4 CD-Check
  4.5 Anti-Tracing (Anti-Debug)
  4.6 Anti-Disassembly
  4.7 Dongles
  4.8 VBOX Protection
  4.9 SalesAgent Protection
  4.10 SecuROM Protection
  4.11 Floppy Disk Encryption
  4.12 Binding Software to Machine Hardware Information
  4.13 Packers (Shells)
5 Design Ideas of This Software
  5.1 Traditional Protection
  5.2 The Spread of the Network
  5.3 My Scheme
  5.4 Feasibility Analysis of the Scheme
6 Overall Architecture, Development Tools and Methods
  6.1 Requirements Analysis
  6.2 Overall Framework
  6.3 The Modules (Assembly and C/C++)
  6.4 Calling Conventions for Mixed C/C++ and Assembly Programming
  6.5 Language-Feature Restrictions in the Modules, and Their Solutions
  6.6 Pre-Compilation of C/C++ and Assembly Language
7 Implementation and Technical Details
  7.1 Introduction to CryptoAPI
  7.2 Several Common Functions and Macros
  7.3 Structure Definitions Shared Between Modules
  7.4 SHIELD Module
    7.4.1 Handling of APIs and Library Functions in the Shell
    7.4.2 Shell Main Body
    7.4.3 Encryption Shell
    7.4.4 Run-Time Modification of the Shell's Own Code
    7.4.5 Code Hash Check
    7.4.6 Jumping to the Client Program
    7.4.7 Loading and Destroying the Client Program's Import Table
    7.4.8 Self-Destructing Code
    7.4.9 Compilation Method
  7.5 Merge Module
  7.6 Register Module
  7.7 Server Module
  7.8 Software Authorization Protocol
  7.9 Client Code (Data) Encryption/Decryption Flow
8 User Instructions and Demo
  8.1 Instructions
  8.2 Demonstration and Effect
9 Limitations, Shortcomings and Prospects
  9.1 Limitations of This Software
  9.2 Shortcomings of This Software
  9.3 Outlook
10 Summary and Acknowledgments
  10.1 Summary
  10.2 Acknowledgments
References

1 Overview

Let me quote Bruce Schneier, the author of Applied Cryptography: there are two kinds of cryptography in this world, cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. If I take a letter, lock it in a safe, hide the safe somewhere in New York and then tell you to read the letter, that is not security; it is obscurity. If, on the other hand, I lock the letter in a safe and then hand you the safe together with its design specifications and a hundred identical safes, so that you and the best safecrackers in the world can study the locking mechanism, and you still cannot open the safe and read the letter, that is security. In other words, the security of a cryptosystem rests only on the secrecy of the key, not on the secrecy of the algorithm. This holds for pure data encryption: as long as the cracker does not know the key, a reliable algorithm keeps the plaintext unreadable by anyone you do not want to see it. Software protection is different. It can only ever be "obscurity", because whether or not you want someone (a legitimate user, or a cracker) to see the code, the software must ultimately run on the machine, and the machine must see it in the clear.

Since the machine can see the plaintext, a cracker can see it too, with suitable tools. So in theory every software protection can be broken; the schemes differ only in how hard they make it. Some keep the best crackers busy for months; others fall without a fight. Technical anti-piracy (as opposed to administrative anti-piracy) therefore has one job: raise the cracker's cost until cracking the software costs more than buying it, at which point cracking becomes meaningless, since nobody pays more for a pirated copy than for a genuine one. But what counts as "hard to crack"? Sony announced its Key2Audio copy protection for music CDs as a leap forward, and it was recently defeated with a felt-tip marker, to general amusement. Many techniques that look good on paper collapse in front of a cracker. Like the Maginot Line, a defense is rarely attacked head-on; the cracker goes around it and hits the protection where its designer never thought to look. Why is this so? The root cause is that software runs on a machine but is separable from it. If software and hardware were inseparably bound, the system could be made almost as hard to break as IDEA; this is revisited in the discussion of traditional protection techniques. As for my own scheme, I cannot guarantee that a master cracker will not break it in a few days. I can only say that I have tried to block the methods crackers commonly use today and the gaps I could foresee. I believe that the three months of effort poured into this anti-piracy software make it more than a toy.
2 Cryptography Basics

2.1 Concepts

(1) Sender and receiver. Suppose a sender wants to send a message to a receiver, and wants to do so securely: she wants to be sure an eavesdropper cannot read the message.

(2) Messages and encryption. A message is called plaintext. Disguising a message so as to hide its content is encryption; the encrypted message is ciphertext; turning ciphertext back into plaintext is decryption. Figure 2-1 shows the process.

Figure 2-1 Encryption and decryption

The plaintext is written M (message) or P (plaintext). It can be a stream of bits: a text file, a bitmap, digitized voice or digitized video. To a computer, M is simply binary data. It may be transmitted or stored; in either case M is the message to be encrypted. The ciphertext is written C. It is also binary data, sometimes the same size as M and sometimes somewhat larger (when encryption is combined with compression, C may be smaller than P, but encryption alone normally does not change the size). The encryption function E acts on M to produce C:

E(M) = C

Conversely, the decryption function D acts on C to recover M:

D(C) = M

Since a message that is encrypted and then decrypted must come back unchanged, the following identity must hold:

D(E(M)) = M

(3) Authentication, integrity and non-repudiation. Besides confidentiality, cryptography usually provides other services:

(a) Authentication. The receiver should be able to confirm the origin of a message; an intruder should not be able to masquerade as someone else.

(b) Integrity. The receiver should be able to verify that a message was not modified in transit; an intruder should not be able to substitute a forged message for a legitimate one.

(c) Non-repudiation. A sender should not be able to falsely deny later that he sent a message.

(4) Algorithms and keys. A cryptographic algorithm, also called a cipher, is the mathematical function used for encryption and decryption (usually two related functions, one for each). If the security of an algorithm depends on keeping the algorithm itself secret, it is called a restricted algorithm. Restricted algorithms are of historical interest, but by today's standards they are inadequate. A large or changing group of users cannot use them, because every time a user leaves the group everyone else must switch to a different algorithm, and if anyone accidentally reveals the secret, everyone must change. Worse, restricted algorithms allow no quality control or standardization: every group must have its own unique algorithm, so it cannot use off-the-shelf hardware or software products, since an eavesdropper could buy the same product and learn the algorithm. Users must write and implement their own algorithms, and if the group has no good cryptographer it has no way of knowing whether its algorithm is secure. Despite these major drawbacks, restricted algorithms remain popular in low-security applications whose users either do not recognize or do not care about the problem.

Modern cryptography solves this with a key, denoted K. K can take any of a large number of values; the range of possible values of K is called the keyspace.
Both encryption and decryption use the key (the operations depend on K, which is written as a subscript), so the functions become:

E_K(M) = C
D_K(C) = M

with the property (see Figure 2-2):

D_K(E_K(M)) = M

Figure 2-2 Encryption and decryption with a key

Figure 2-3 Encryption and decryption with two different keys

Some algorithms use different keys for encryption and decryption (Figure 2-3): the encryption key K1 differs from the corresponding decryption key K2. In that case:

E_K1(M) = C
D_K2(C) = M
D_K2(E_K1(M)) = M

The security of all these algorithms rests on the key, not on the details of the algorithm. The algorithm can be published and analyzed, and products using it can be mass-produced; it does not matter that an eavesdropper knows your algorithm, because without your specific key he cannot read your messages. A cryptosystem is the algorithm together with all possible plaintexts, ciphertexts and keys. Key-based algorithms fall into two classes, symmetric algorithms and public-key algorithms, introduced below.

2.2 Symmetric Algorithms

Symmetric algorithms, sometimes called conventional algorithms, are those in which the encryption key can be computed from the decryption key and vice versa. In most symmetric algorithms the two keys are the same. They are also called secret-key or single-key algorithms, and they require the sender and receiver to agree on a key before communicating securely. The security of a symmetric algorithm rests entirely on the key; anyone who obtains the key can encrypt and decrypt messages, so the key must stay secret as long as the communication must stay secret. Encryption and decryption with a symmetric algorithm are written:

E_K(M) = C
D_K(C) = M

Symmetric algorithms fall into two categories. Those that operate on the plaintext one bit (sometimes one byte) at a time are stream algorithms or stream ciphers. Those that operate on groups of bits are block algorithms or block ciphers, and the groups are called blocks.
For the block ciphers of the time, the typical block size was 64 bits, large enough to frustrate analysis yet small enough to be practical; AES, the current standard, uses 128-bit blocks. (Before computers, algorithms generally operated on one plaintext character at a time; they can be regarded as stream ciphers over a sequence of characters.)

2.3 Public-Key Algorithms

Public-key algorithms (also called asymmetric algorithms) are designed so that the key used for encryption differs from the key used for decryption, and the decryption key cannot be computed from the encryption key (at least not within any reasonable amount of time). They are called "public-key" because the encryption key can be made public: a stranger can use it to encrypt a message, but only the holder of the corresponding decryption key can decrypt it. The encryption key is called the public key and the decryption key the private key. The private key is sometimes called the secret key, but to avoid confusion with symmetric algorithms that term is not used here. Encryption with public key K is written:

E_K(M) = C

Although the public and private keys differ, decryption with the matching private key is written:

D_K(C) = M

Sometimes a message is encrypted with the private key and decrypted with the public key; this is used for digital signatures (described below). Despite the potential for confusion, those operations are written the same way:

E_K(M) = C
D_K(C) = M

Current public-key algorithms are far slower than symmetric ones, which limits their use for encrypting large amounts of data.

2.4 One-Way Hash Functions

A one-way hash function H(M) operates on a message M of arbitrary length and returns a fixed-length hash value h:

h = H(M)

Many functions take arbitrary-length input and produce fixed-length output; what makes a one-way hash function one-way are these additional properties: (1) given M, it is easy to compute h; (2) given h, it is hard to compute an M such that H(M) = h; (3) given M, it is hard to find another message M' such that H(M') = H(M). For many applications one-wayness is not enough; the function must also be collision-resistant: it must be hard to find any two messages M and M' such that H(M) = H(M'). Because of these properties, and because public-key algorithms are slow, many protocols use the hash as a digest that stands in for the message: the sender signs H(M) instead of M. For example, SHA is the hash used with the DSA signature algorithm.

2.5 Digital Signatures

Digital signatures are inseparable from public-key cryptography and hashing. Several public-key algorithms can be used for digital signatures. In some, such as RSA, either the public or the private key can be used for encryption, so encrypting a file with your private key yields a secure digital signature. In others, such as DSA, the algorithm is a dedicated signature algorithm and cannot be used for encryption. The idea was first proposed by Diffie and Hellman. The basic protocol is simple:

(1) A encrypts the document with her private key, thereby signing it.
(2) A sends the signed document to B.
(3) B decrypts the document with A's public key, thereby verifying the signature.

The protocol only requires that B can establish that the public key really belongs to A. If step (3) fails, B knows the signature is invalid. The protocol has the following properties:

(1) The signature is authentic. When B verifies the message with A's public key, he knows that A signed it.
(2) The signature is unforgeable.
Only A knows her private key.
(3) The signature is not reusable. It is a function of the document and cannot be transferred to another document.
(4) The signed document is unalterable. Any change to the document means it no longer verifies with A's public key.
(5) The signature cannot be repudiated. B can verify A's signature without A's help.

In practice, because public-key algorithms are slow, the signature is usually computed over the hash of the message rather than the message itself; given the hash properties above, this does not weaken the signature. This chapter is only a brief introduction to cryptography; see reference [1] for more.

3 Introduction to the PE File Format under Windows

3.1 Win32 and PE Basic Concepts

Anyone who has used a computer knows Windows. Windows 95 is already yesterday's news, Windows 98 has been out for nearly four years, Windows 2000 arrived in 2000 and Windows XP this year; Microsoft updates its operating systems so quickly that what was in use yesterday is outdated today. After Windows 98, Microsoft was rumored to have stopped developing operating systems on the 9x kernel, yet Windows Millennium (Windows Me) appeared in the second half of 2000. Since Windows XP, however, it is safe to say that Microsoft will not upgrade the Win9x line again. Windows 2000 and Windows XP are built on the NT kernel. All of these systems use the Portable Executable file format, PE for short. The concepts below are introduced briefly; see reference [14] for details.

Windows NT inherits the traditions of VAX VMS and UNIX: many of its founders designed and coded on those platforms before joining Microsoft. When they started designing Windows NT it was natural, to minimize start-up time, to reuse tools they had already written and tested. The executable and object file format produced by those tools is called COFF (Common Object File Format), a format that was already old by then. COFF was a good starting point, but it needed extensions to serve a modern operating system such as Windows 95 or Windows NT. The result is the Portable Executable (PE) format. It is called "portable" because Windows NT on every platform (x86, Alpha, MIPS and so on) uses the same executable file format; of course the binary CPU instructions differ.
What matters is that the operating system loader and the programming tools do not need to be completely rewritten for each new CPU. The key point about a PE file is that the executable on disk is very similar to what it becomes in memory once Windows loads it (the loaded file is called the PE image), as Figure 3-1 shows. The Windows loader does not have to work hard to create a process from a disk file: it uses the memory-mapped file mechanism to map the appropriate pieces of the file into the virtual address space. Structurally, a PE file is like a prefabricated house: it is essentially dropped into its address space, and only a few connections to the surrounding space remain to be made (linking it to the DLLs it uses, and so on). This applies equally to DLLs in PE format. Once a module is loaded, Windows can treat it much like any other memory-mapped file.

Figure 3-1 The layout of a PE file and of its PE image are very similar

For Win32, all the code, data, resources, import tables and other data structures the module needs live in one contiguous block of memory. In this situation you only need to know where the loader mapped the executable; by following pointers stored as part of the image you can find all the module's different pieces. Another concept to understand is the relative virtual address (RVA). Many fields in a PE file are specified as RVAs. An RVA is simply the offset of some item relative to where the file is mapped in memory. For example, suppose the loader maps a file at the virtual address 0x10000; if a table in the image is at address 0x10464, its RVA is 0x464:

(virtual address 0x10464) - (base address 0x10000) = RVA 0x00464

To turn an RVA into a usable pointer, just add the RVA to the module's base address. The base address is the starting address of the memory-mapped EXE or DLL, a very important concept in Win32. For convenience, both Windows NT and Windows 9x use a module's base address as its instance handle (HINSTANCE). So, for any DLL, GetModuleHandle(dllName) gives you a pointer from which you can reach all of its components; with dllName = NULL it returns the module handle of the executable itself. This is very useful. The startup code generated by typical compilers obtains this handle and passes it to WinMain as the hInstance parameter.

3.2 The PE Header

Like other executable formats, a PE file has a collection of fields at a well-known location that define what the rest of the file looks like. The header contains the locations and sizes of the code and data areas, what operating system the file is intended for, the initial stack size and other vital information. Unlike Microsoft's other executable formats, the main PE header is not at the very beginning of the file. A typical PE file starts with a few hundred bytes of DOS stub, a tiny program that prints something like "This program cannot be run in DOS mode."
So if you run a Win32 program on a system without Win32 support, you get this error message. When the loader maps the file into memory, the first byte of the mapping corresponds to the first byte of the DOS stub; thus with every Win32 program you start, a DOS-based program is loaded along with it. As with Microsoft's other executable formats, you find the real header by looking up its starting offset, which is stored in the DOS stub header. WINNT.H includes a structure definition for the DOS stub header (see the note), which makes it easy to find the start of the PE header: the e_lfanew field is the offset of the real PE header. To get a pointer to it in memory, add that value to the image base:

// dosHeader is a PIMAGE_DOS_HEADER pointing at the image base
pNTHeader = (PIMAGE_NT_HEADERS)((BYTE *)dosHeader + dosHeader->e_lfanew);

Note: to keep the chapter readable, the complete definitions of these structures are not listed; they are in WINNT.H, and readers are advised to keep WINNT.H at hand while reading this chapter. Once you have a pointer to the main PE header, the fun can begin. The PE header is an IMAGE_NT_HEADERS structure, defined in WINNT.H.

The structure consists of a DWORD and two sub-structures, laid out as follows:

DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader;

The Signature field, viewed as ASCII text, is "PE\0\0". Following it is the IMAGE_FILE_HEADER structure, which holds only the most basic information about the file. It is unchanged from its original COFF implementation: besides being part of the PE header, it also appears at the very beginning of the COFF OBJ files produced by Microsoft's Win32 compilers. For details see reference [14] (which I have translated into Chinese).
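As an added example (not code from the thesis), the following C program does what the last two sections describe for an image that has already been mapped into memory: it checks the MZ header and e_lfanew, validates the "PE\0\0" signature and converts RVAs to pointers with bounds checks, which any dumper or unpacker needs once its input may be hostile. The structures are redeclared locally with their WINNT.H field names so the code compiles outside Windows; the input image is constructed in build_sample(), and its machine type and section count are arbitrary values.

```c
/* Added example, not code from the thesis: locate and validate the PE
 * header of a mapped image and convert RVAs to pointers with bounds
 * checks. Structures are redeclared with their WINNT.H field names so
 * the code compiles outside Windows as well. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" */

typedef struct {
    uint16_t e_magic;       /* "MZ" */
    uint8_t  e_rest[58];    /* remaining IMAGE_DOS_HEADER fields, unused here */
    uint32_t e_lfanew;      /* offset of the PE header from the image base */
} dos_header_t;             /* 64 bytes, like IMAGE_DOS_HEADER */

typedef struct {
    uint16_t Machine;
    uint16_t NumberOfSections;
    uint32_t TimeDateStamp;
    uint32_t PointerToSymbolTable;
    uint32_t NumberOfSymbols;
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} file_header_t;            /* IMAGE_FILE_HEADER, 20 bytes */

typedef struct {
    uint32_t      Signature;
    file_header_t FileHeader;
    /* IMAGE_OPTIONAL_HEADER follows, SizeOfOptionalHeader bytes long */
} nt_headers_t;

/* RVA -> pointer is base + RVA, but only if [rva, rva + len) lies inside
 * the mapped image; an RVA read from an untrusted file may point anywhere. */
const void *rva_to_ptr(const uint8_t *image, size_t size, uint32_t rva, size_t len)
{
    if (rva > size || len > size - rva) return NULL;
    return image + rva;
}

/* Return the PE header of a mapped image, or NULL if the MZ/PE pair is
 * malformed or would extend past the end of the mapping. */
const nt_headers_t *pe_nt_headers(const uint8_t *image, size_t size)
{
    const dos_header_t *dos = (const dos_header_t *)rva_to_ptr(image, size, 0, sizeof *dos);
    if (!dos || dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    const nt_headers_t *nt = (const nt_headers_t *)rva_to_ptr(image, size, dos->e_lfanew, sizeof *nt);
    if (!nt || nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    /* The optional header must fit too, or the data directories are unreadable. */
    if (!rva_to_ptr(image, size, dos->e_lfanew + sizeof *nt, nt->FileHeader.SizeOfOptionalHeader))
        return NULL;
    return nt;
}

/* Constructed sample image: a DOS stub header whose e_lfanew points at a
 * PE header at offset 0x80, followed by a PE32 optional header (0xE0
 * bytes, left zeroed). Machine and section count are arbitrary. */
enum { SAMPLE_SIZE = 0x80 + 24 + 0xE0 };
static _Alignas(8) uint8_t sample[SAMPLE_SIZE];

uint8_t *build_sample(void)
{
    memset(sample, 0, sizeof sample);
    dos_header_t *dos = (dos_header_t *)sample;
    dos->e_magic = IMAGE_DOS_SIGNATURE;
    dos->e_lfanew = 0x80;
    nt_headers_t *nt = (nt_headers_t *)(sample + 0x80);
    nt->Signature = IMAGE_NT_SIGNATURE;
    nt->FileHeader.Machine = 0x014C;              /* IMAGE_FILE_MACHINE_I386 */
    nt->FileHeader.NumberOfSections = 3;
    nt->FileHeader.SizeOfOptionalHeader = 0xE0;   /* sizeof IMAGE_OPTIONAL_HEADER32 */
    return sample;
}

/* Same image with the "PE\0\0" signature corrupted. */
uint8_t *build_tampered_sample(void)
{
    build_sample()[0x80] = 'X';
    return sample;
}

int main(void)
{
    const nt_headers_t *nt = pe_nt_headers(build_sample(), SAMPLE_SIZE);
    printf("PE header at RVA 0x%lx, %u sections\n",
           (unsigned long)((const uint8_t *)nt - sample), nt->FileHeader.NumberOfSections);
    printf("truncated mapping: %s\n", pe_nt_headers(sample, 0x90) ? "accepted" : "rejected");
    printf("bad signature: %s\n",
           pe_nt_headers(build_tampered_sample(), SAMPLE_SIZE) ? "accepted" : "rejected");
    return 0;
}
```

The two rejection cases matter in practice: a truncated mapping (e_lfanew pointing past the end) and a corrupted signature are exactly what a shell or dumper meets when fed a damaged or deliberately malformed file, and reading through an unchecked e_lfanew is a memory-safety bug in the tool itself.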

3.3 The PE File Import Table

The import table is central to the design of this software: the shell described later manipulates it, so it needs explanation here; see references [14], [15] and [16]. Put simply, the import table plays the role that interrupt services play under DOS: both are the operating system's API. The differences are that DOS interrupts do not require the operating system to fill in the API's actual address in each executable at load time, and that the import table can also import functions from modules other than the operating system. In a PE file, when you call a function in another module (say GetMessage in USER32.dll), the compiler does not generate a CALL instruction that transfers control directly to the function in the DLL. Instead the CALL transfers control to a JMP DWORD PTR [xxxxxxxx] instruction in the .text section (Figure 3-2). That JMP is indirect through a DWORD in the import table, and that DWORD holds the actual address of the function. Why are DLL calls implemented this way? Because all calls to a given DLL function funnel through one location, the loader does not have to patch every instruction that calls into the DLL; all the PE loader has to do is put the correct address of the target function in one DWORD of the import table. No CALL instruction itself needs to change. If you call a function through a function pointer, things work as you would expect; but if you try to read the bytes at the start of GetMessage, you will not get what you expect (you get the JMP stub, not the function). The anti-API-breakpoint technique built on this is described in detail later.

Figure 3-2 How an imported function is called: the call to a function in an external DLL does not go to the DLL directly.
Instead, the CALL in the executable's .text section (.icode if you use Borland C++) reaches a JMP DWORD PTR [xxxxxxxx] instruction, which transfers control to the real target address. The import table of a PE file holds the information the loader needs to determine the addresses of the target functions and patch them into the executable image. The import table begins with an array of IMAGE_IMPORT_DESCRIPTOR structures, one for each DLL the PE file links to implicitly. No field gives the number of entries; instead the array ends with an all-zero IMAGE_IMPORT_DESCRIPTOR. The format of IMAGE_IMPORT_DESCRIPTOR is shown in Table 3-1.

Table 3-1 The format of IMAGE_IMPORT_DESCRIPTOR

DWORD Characteristics
At one time this may have been a set of flags, but Microsoft changed its meaning and did not bother to update WINNT.H (later versions of WINNT.H call the field OriginalFirstThunk). It is actually an offset (an RVA) to an array of pointers, each of which points to an IMAGE_IMPORT_BY_NAME structure.

DWORD TimeDateStamp
The time/date stamp; it is zero unless the import has been bound (see below).

DWORD ForwarderChain
This field relates to forwarding, in which one DLL passes references to one of its functions on to another DLL. For example, under Windows NT, NTDLL.DLL appears to forward some of its exported functions to KERNEL32.DLL: an application may believe it is calling a function in NTDLL.DLL but ends up calling KERNEL32.DLL. This field contains an index into the FirstThunk array (described next); the function indexed by it will be forwarded to another DLL. Unfortunately, the forwarding format is undocumented and examples of forwarded functions are hard to find.

DWORD Name
The RVA of a NUL-terminated ASCII string holding the name of the imported DLL, typically something like KERNEL32.dll or USER32.dll.

PIMAGE_THUNK_DATA FirstThunk
An offset (RVA) to an array of IMAGE_THUNK_DATA unions. In almost every case each element is interpreted as a pointer to an IMAGE_IMPORT_BY_NAME structure. If an element is not such a pointer, it is treated as an export ordinal for the DLL being imported: in a 32-bit image this is signaled by the high bit (IMAGE_ORDINAL_FLAG), with the ordinal in the low 16 bits. The documentation is vague about whether you can really import a function by ordinal rather than by name, but the loader does support it.

The important parts of an IMAGE_IMPORT_DESCRIPTOR are the name of the imported DLL and the two arrays of IMAGE_IMPORT_BY_NAME pointers. In an EXE file the two arrays (pointed to by the Characteristics field and the FirstThunk field) run in parallel and are both terminated by a NULL pointer. The pointers in both arrays point to IMAGE_IMPORT_BY_NAME structures. Figure 3-3 shows this layout.

Figure 3-3 Structure of one entry in the import table

Each imported function in a PE file has an IMAGE_IMPORT_BY_NAME structure, which is very simple:

WORD Hint;
BYTE Name[?];

The first field is the best guess as to the export ordinal of the imported function. Unlike NE files, this value does not have to be correct; the loader uses it as a suggested starting point for its binary search. Next comes the NUL-terminated ASCII name of the imported function. Why are there two parallel pointer arrays pointing to IMAGE_IMPORT_BY_NAME structures? The first array (pointed to by the Characteristics field) is left alone and never modified; it is sometimes called the hint-name table. The second array (pointed to by FirstThunk) is overwritten by the PE loader: the loader iterates through each pointer in the array, finds the address of the function that each IMAGE_IMPORT_BY_NAME structure names, and overwrites the pointer with that address. The [xxxxxxxx] in the JMP DWORD PTR [xxxxxxxx] stub refers to an entry in this FirstThunk array. Because the array, once overwritten by the loader, holds the addresses of all the imported functions, it is called the Import Address Table (IAT). In an optimization, Microsoft "optimized" the system DLLs of Windows NT (KERNEL32.DLL and so on) so that the pointers in this array no longer point to IMAGE_IMPORT_BY_NAME structures but already hold the addresses of the imported functions; the loader then does not need to look up each function and overwrite the thunk array. (Translator's note: this is Bound Import; references [15] and [16] cover it in detail.) In my software, the handling of Bound Import is ignored, which slows the loading of some programs but simplifies the problem considerably.
Because the import address table is a writable block that is easy to locate, intercepting calls into another DLL is relatively easy: just modify the appropriate import address entry so that it points to the function you want to intercept. Neither the caller nor the callee needs to be modified.

Note that the import table of a Microsoft PE file is not synthesized entirely by the linker, which is interesting. The instructions of all the stubs for functions in another DLL come from an import library. When you link a DLL, the library manager (LIB32.EXE or LIB.EXE) scans the OBJ files to be linked and creates an import library. This import library is completely different from the import libraries used by the 16-bit NE file linker. The import library generated by the 32-bit library manager has a .text section and several .idata$ sections. The .text section of the import library contains a JMP [XXXX] instruction, and the label of this instruction is stored in the symbol table of the OBJ file. This symbol name is the exact name of the function exported from the DLL (for example: _Dispatch_Message@4). One of the .idata$ sections of the import library contains the address referenced by the JMP [XXXX] instruction in the library's .text section, that is, the XXXX. Another .idata$ section holds the hint ordinal; these two fields together form an IMAGE_IMPORT_BY_NAME structure. When you link a PE file with the import library, the sections of the import library are added to the list of sections to be processed, the same list that holds the sections of your OBJ files.

Once the name attached to this XXXX in the library matches the name of a function to be imported, the linker assumes that the JMP [XXXX] instruction is this imported function and fixes up the XXXX so that it points to the space reserved in .idata$ for the imported function's address. The JMP [XXXX] instruction in the import library is therefore, in effect, the imported function itself. Besides providing the JMP [XXXX] stub of each imported function, the import library also provides the .idata section (i.e. the import table) of the PE file. These pieces come from the different .idata$ sections that the library manager placed in the import library. In short, the linker does not really know the difference between an imported function and an ordinary function that appears in another OBJ file; it simply builds and combines according to its internal rules, and everything falls into place naturally. That is about all this article has to say about imports; for more information see references [14] [15] [16].

4 Currently popular software protection techniques

4.1 Serial number protection

Mathematical algorithms are the core of cryptography, but in ordinary software encryption they have not seemed to get much attention, because most of the time software encryption itself is implemented as a programming trick. However, with the popularity of serial number encryption, the share of mathematical algorithms in software encryption seems to be growing. Consider how serial number encryption works on the network. When a user downloads shareware from the network, there is usually a limited trial period. After the trial period expires, the user must register the software. Registration generally means that the user gives the software company his credit card number and some information (mainly his name); the software company then computes a serial number from the user's information. Once the user has this serial number, he enters the registration information and the registration code into the software following the required steps. After the software has verified that the registration information is legitimate, it removes its own restrictions. This approach is relatively simple, has no extra cost and is very convenient for the buyer; 80% of the software on the Internet is protected in this way.

The process by which the software verifies a serial number is really the process of verifying whether the mapping between the user name and the serial number is correct. There are two ways to verify it. The first generates a registration code from the name entered by the user and compares it with the registration code the user entered; the formula is:

    Serial number = F(user name)

But this method reproduces, inside the user's copy of the software, the process by which the software company generates registration codes. It is actually very unsafe: no matter how complicated the transformation is, a cracker only needs to extract the transformation from the program to write a universal registration program.

The second verifies the correctness of the user name from the registration code; the formula is:

    User name = F^-1(serial number)      (for example, ACDSee)

This is actually the inverse of the software company's registration code computation. If the forward algorithm and the reverse algorithm are not a symmetric pair, this does present real difficulty to the cracker, but such algorithms are quite rare. So some people considered the following algorithm:

    F1(user name) = F2(serial number)

F1 and F2 are two completely different algorithms, but the characteristic value computed from the user name by F1 equals the characteristic value computed from the serial number by F2. This algorithm is simple to design, and its secrecy is better than that of the two algorithms above. If F1 and F2 are designed as irreversible algorithms, the secrecy is quite good; otherwise this algorithm is not safe either.

Since the design of one-variable algorithms seems hard to push much further, why not use two variables?

    Characteristic value = F(user name, serial number)

This algorithm looks quite good; the relationship between the user name and the serial number is no longer so clear. But at the same time it loses the one-to-one correspondence between user name and serial number: the software developer must maintain the uniqueness of user names and serial numbers, which seems hard to do and may require building a database. Of course, several user names and serial numbers can also be used to build multi-variable algorithms:

    Characteristic value = F(user name 1, user name 2, ..., serial number 1, serial number 2, ...)

Existing serial number encryption algorithms are mostly designed by the software developers themselves, and most of them are quite simple. Even where the authors have made great efforts, the effect is often not what they hoped for.
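The four check shapes above, written out side by side as an added example (this is not code from the thesis; SHA-256 and HMAC-SHA256 are stand-ins chosen here for the vendor's transforms F, F1 and F2, and VENDOR_SECRET, the serial formats and the user names are constructed). What the example shows is where the material needed to produce a serial ends up in each shape:

```python
"""The serial-number check shapes of section 4.1: what each verifier must contain."""
import hashlib
import hmac
import itertools

VENDOR_SECRET = b"constructed-vendor-secret"   # schemes 1 and 2 need this inside the program


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Scheme 1: Serial = F(user name). The verifier recomputes F, so the program
# holds everything the vendor's registration-code generator holds.
def make_serial_1(username: str) -> str:
    return hmac.new(VENDOR_SECRET, username.encode("utf-8"), hashlib.sha256).hexdigest()[:16].upper()


def verify_1(username: str, serial: str) -> bool:
    return hmac.compare_digest(make_serial_1(username), serial.upper())


# Scheme 2: user name = F^-1(serial). The serial is the name under a keyed
# transform (a keystream XOR here); the verifier inverts it and compares.
def _keystream(n: int) -> bytes:
    return hashlib.shake_256(VENDOR_SECRET + b"stream").digest(n)


def make_serial_2(username: str) -> str:
    raw = username.encode("utf-8")
    return bytes(a ^ b for a, b in zip(raw, _keystream(len(raw)))).hex().upper()


def verify_2(username: str, serial: str) -> bool:
    raw = bytes.fromhex(serial)
    recovered = bytes(a ^ b for a, b in zip(raw, _keystream(len(raw))))
    return recovered == username.encode("utf-8")


# Scheme 3: F1(user name) == F2(serial), both one-way and unrelated. With no
# inverse to apply, the vendor obtains a serial by searching for one whose F2
# value matches; a 16-bit characteristic value keeps the search short.
def f1(username: str) -> bytes:
    return _h(b"F1|" + username.encode("utf-8"))[:2]


def f2(serial: str) -> bytes:
    return _h(b"F2|" + serial.encode("ascii"))[:2]


def make_serial_3(username: str) -> str:
    target = f1(username)
    for n in itertools.count():
        candidate = "S3-%08X" % n
        if f2(candidate) == target:
            return candidate


def verify_3(username: str, serial: str) -> bool:
    return hmac.compare_digest(f1(username), f2(serial))


# Scheme 4: characteristic value = F(user name, serial). The check is that the
# value has a fixed form; many serials satisfy it for one name, which is the
# lost one-to-one correspondence the text mentions.
def f4(username: str, serial: str) -> bytes:
    return _h(username.encode("utf-8") + b"|" + serial.encode("ascii"))[:2]


def make_serial_4(username: str) -> str:
    for n in itertools.count():
        candidate = "S4-%08X" % n
        if f4(username, candidate) == b"\x00\x00":
            return candidate


def verify_4(username: str, serial: str) -> bool:
    return f4(username, serial) == b"\x00\x00"
```

In every one of the four shapes the verifier ships with whatever produces serials: the secret of F, the inverse of F, or F1, F2 and the search that matches them. The remedy the thesis develops in the following chapters is to move that material off the client by having a server sign the serial number.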

4.2 Time limits

The trial editions of some programs have a time limit on each run: after 10 or 20 minutes, for example, the program stops working and must be started again. These programs naturally contain a timer that counts the running time. This method is not used much.

4.3 Key file protection

A key file is a way of registering software with a file. The key file is generally a small file, either a plain text file or a binary file containing non-printable characters; it holds some encrypted or unencrypted data, which may include the user name, registration code and other information. The file format is defined by the author of the software. The trial version has no registration file; after the user pays the author for registration, he receives the author's registration file, which may contain the user's personal information. The user only has to place the file in the specified directory to turn the software into the full version. The file is generally placed in the installation directory of the software or in the system directory. At every start the software reads the data from this file, processes it with some algorithm, and decides from the result whether the registration file is correct; if it is, the software runs in registered mode. This protection is not widely used, but I personally think it is better than a time limit.

4.4 CD-Check

CD-Check is a CD protection technique. At startup the program checks whether a specific file exists on the disc in the optical drive; if it does not, the user is assumed not to have the genuine disc and the program refuses to run. Whether the disc is still present is usually not checked again while the program runs. The usual implementation under Windows: first call GetLogicalDriveStrings() or GetLogicalDrives() to obtain the list of all drives installed in the system, then check each drive with GetDriveType(); if it is a CD-ROM drive, use functions such as CreateFileA() or FindFirstFileA() to check whether the specific file exists, and possibly go on to check the file's attributes, size, contents and so on.

4.5 Anti-debug

Good software protection has to be combined with anti-tracing techniques; without them the software is exposed directly in front of the cracker. Anti-tracing here means anti-dynamic-tracing, that is, preventing the cracker from tracing and analysing the software dynamically. The tools commonly used for this are TRW, ICEDUMP and the like. Anti-tracing techniques are generally targeted: they are aimed at one particular debugger and do not stop every debugger, so when a new cracking tool appears a corresponding anti-tracing technique is needed. The technique generally detects whether one of these specific debuggers is resident in memory; if it is, the software considers itself traced and refuses to execute, or takes some punitive measures. There are other detection methods, such as invoking the interfaces of these debuggers and treating the program as traced if the result shows that they are present, or searching memory for these debuggers and treating the program as traced if they are found. Some even detect the debugger with interrupt hooks or SEH (Structured Exception Handling).

4.6 Anti-disassembly

Anti-disassembly places "traps" designed against particular disassemblers so that the disassembler falls into an endless loop; this method has no generality. The general approach uses "flower instructions" (junk instructions). This method is general, that is, it works against every disassembler. It exploits the fact that different machine instructions contain different numbers of bytes: some are single-byte instructions, others are multi-byte instructions.

For a multi-byte instruction, the disassembler must determine the starting position of the instruction's first byte, that is, the location of the opcode, in order to disassemble it correctly; otherwise it may decode a different instruction. Moreover, the lengths of multi-byte instructions vary, so once the disassembler has decoded one instruction wrongly, the following instructions are decoded wrongly as well. This method is therefore very effective. Implementation: insert some useless bytes to interfere with the disassembler's judgement, so that it determines the starting position of instructions incorrectly and the disassembler is thrown off. The general form is as follows:

    ........
        JMP   L1
        DD    012344578H    ; some random bytes, placed here to interfere with the disassembler's decoding
    L1: .......

4.7 Software dog (dongle)

A software dog is an intelligent encryption tool. It is a hardware circuit plugged into an interface such as the parallel port or the serial port, accompanied by a set of interface software and tool software for various languages. When a program protected by the dog runs, it sends a query to the dog plugged into the computer; the dog quickly computes an answer to the query and returns a response, and only the correct response lets the software continue running. Without the dog the program cannot run; the combination of complex hardware and software techniques prevents piracy. Software sold at a real commercial price generally uses a dog for protection. The common dogs are mainly "foreign dogs" and "domestic dogs". "Foreign dogs" mainly refers to Rainbow of the USA and HASP of Israel; "domestic dogs" mainly to Jin Tianwei (now merged with the American Rainbow as "Rainbow World"), Deep Thinking and Sharp Stone. Generally speaking, "foreign dogs" are not strong on the "soft" side (the software interface, the shell, anti-tracing and so on), but absolutely cannot be cracked on the hardware side (or at least it should be very hard); "domestic dogs" are very good on the soft side but inferior to "foreign dogs" in hardware, and anyone with a little knowledge of single-chip microcomputers can copy them.

4.8 VBOX protection

VBOX is a program used to protect other software. Any software protected by VBOX can no longer be used once its trial period expires; deleting and reinstalling it does not help, unless the whole operating system is reinstalled.

4.9 SalesAgent protection

Software protected by SalesAgent typically shows a "try for X days / purchase" interface; it is a time-limit protection method. Software using this protection includes Macromedia Flash 4, Dreamweaver and others.

4.10 SecuROM protection

SecuROM (http://www.securom.com) is a commercial CD encryption technology developed by Sony. It prevents users from copying the encrypted disc; a protected disc contains the files CMS16.DLL, CMS32_95.DLL and CMS32_NT.DLL. Many game discs use this protection technology.

4.11 Floppy disk encryption

Some non-standard tracks are formatted on a floppy disk and data such as the software's decryption key is written on them; this floppy is the "key disk". When the software runs, the user inserts the floppy; the software reads the data on these tracks and determines whether it is the legitimate key disk. Floppy encryption also has other techniques, such as weak bits. As floppy disks have been phased out in recent years, this method has basically left the stage.

4.12 Binding the software to the machine's hardware information

After the (purchased or downloaded) software is installed, it obtains some hardware information from the user's machine (such as the hard disk serial number, the BIOS serial number and so on), then combines this information with the user's serial number, user name and the like in a certain computation, so that software and hardware are partly bound together. This method, together with others, is used in my shell program and will be described in detail later.

4.13 Shell

A "shell" is added to a complete piece of software, one that has been compiled and linked and can run; this shell protects the software. Such shells generally use the protection techniques of 4.1 to 4.6. Because the shell technique is used in my design, it is described in detail later rather than here.

5 Design ideas of the software

5.1 Disadvantages of traditional protection

The previous chapter introduced some currently popular software protection techniques, some of which work very well; serial number technology, for example, is used by almost all software. Here I will not point out how these techniques are cracked; as stated earlier, every software protection can be cracked. I will only discuss the "non-technical" disadvantages of these schemes. It can be seen that in these techniques software and hardware are still separated. In software dog protection, software and hardware are combined to some extent, but the software is not bound to a specific machine. In floppy protection, software and hardware are also combined to some extent, but users can still install the same software on several machines: whenever the hardware is needed, inserting the dog or the key disk lets the same software be used on several machines. Also, requiring a legitimate user to insert a dog or a key disk whenever he uses the software causes a lot of unnecessary trouble; the user's parallel port may be occupied by a printer, for instance. And because hardware is added, this protection method has a higher cost, which makes it impractical. CD encryption techniques such as CD-Check have the disadvantage that the user must insert the disc, whereas today's hard disk technology makes storage capacity no longer a problem and users often copy everything from the CD to the hard disk; having to insert the CD in order to run the software is somewhat unacceptable. Serial number protection has a common problem: the algorithm is designed by the developer himself, and once a (serial number, user name) pair is published by a cracker, every user can "register" the software with this pair and use it illegally.

5.2 The popularity of the network

Nowadays I do not think anyone uses a computer without using the Internet. Tens of millions of people in the world use the Internet, and there are tens of millions in China alone. Much commercial software also has a trial version on the Internet, and shareware (not to mention free software) is published on the Internet itself. And almost all software has a cracked version on the Internet. Combining software protection with the Internet is therefore a natural thing. To combine software protection with the Internet, security must naturally be guaranteed, and to guarantee security cryptography cannot be avoided; some concepts of cryptography were briefly introduced in chapter 1. The security of information transmitted over the network is important, especially sensitive information such as user information and passwords.

5.3 My scheme

Aimed at these problems, after comparing and weighing all aspects, I propose this software protection scheme. It combines traditional serial number protection, protection using hardware information, shell protection, anti-tracing, anti-disassembly, anti-dump and anti-API-breakpoint into one, and adds digital signatures, hashing, key exchange and other techniques from cryptography. The result is my own unique anti-piracy and electronic registration scheme, with higher encryption strength and more convenient use (at present it is only a demonstration, and using it is not yet convenient). The details of the scheme are described in the next chapter.

5.4 Feasibility analysis of the scheme

It can be said that without cryptography and the network this scheme would only be talk on paper. It was seeing these two points that gave rise to the design idea of this scheme.

I had a vague idea of this three months ago; after collecting a large amount of related material and thinking it over myself, it gradually took clear shape in my mind, and these three months have been spent turning the idea into reality. Modern cryptography (especially asymmetric cryptography) only emerged in the 1970s, but it has developed very quickly, and now we can use many ready-made cryptographic algorithms. These algorithms have even become an inseparable part of Windows, called CryptoAPI. Without CryptoAPI I would have had to include huge algorithms in my source code, and many algorithms would have had to be implemented from scratch, which would have been a disaster for me! To simplify the design and bring out the main problems, without being distracted by appearances, I did not build a graphical user interface but used a simple console interface. Standing on the shoulders of giants, one sees higher and farther; it is thanks to the efforts of so many predecessors that I can do my own innovation here. The popularity of the Internet and the flood of pirated software, which has almost become the disaster of China's national software enterprises, give this software very real practical significance: with very few modifications, adding a graphical interface, this system could be used as a commercial application, and even without modification, by writing some simple batch files, it can be made usable by software developers and ordinary users (later, simple batch files are indeed used to simplify the user interface). For these reasons, compared with traditional schemes, this scheme has the following advantages:

(1) Most current software protection techniques rely on characteristics of the operating system itself and indulge in complicated technical details, without using good cryptographic protocols and algorithms. This scheme is different: the first priority is to use reliable cryptographic protocols and algorithms, so that the encryption strength is guaranteed.

(2) Authorizing software over the network is a blind spot of currently popular software protection techniques, and integrating digital signatures, hashing, key exchange and the like is rarer still. As far as I know, there is a very famous shell program written by Russians that uses a great many cryptographic algorithms, to the point of being mocked: "it uses every cryptographic algorithm in the world!" But it still has no digital signature or key exchange, and it is a single-machine program.

(3) Licensing software over the network costs little and is very convenient for the user; it is also very convenient for the software developer to manage sales, agents and so on.

(4) This scheme is not only well designed and reasonable in its cryptographic algorithms, it also performs well in the finally protected program; the main techniques of the shell program are explained in detail later.

(5) This scheme is highly extensible. Object-oriented methods are used in the implementation of the software licensing and of the cryptographic protocol, the structure is clear, and the modules are relatively independent. On this basis each module can be designed relatively independently as long as a common set of rules is followed; for example, the same MERGE and REGISTER programs can protect customer software with different SHIELD shells.

(6) This software is developed with a combination of VC and assembly language, which lowers the development cost a great deal and greatly improves reliability, usability, testability and maintainability. Almost all comparable software today is developed entirely in assembly language, at a high cost; had this software been written in assembly language alone, it could not have been finished in just three months.

(7) Using CryptoAPI makes the whole design independent of the specific cryptographic algorithms: to use different algorithms only the relevant parameters need to be changed, without rewriting a large amount of code. Using CryptoAPI also greatly reduces the size of the software; with hand-written cryptographic algorithms the software would be very large, at least three times bigger.

6 Overall architecture of the software, development tools and methods

6.1 Requirements analysis

What this software has to provide is a software licensing protocol together with the protection functions that go with it, briefly described below:

(1) Role description (the roles in the software licensing protocol): P is a software product; A is the developer of P; B is an agent of A (it may also be A itself); C is the end user of P.

(2) Assumptions for the execution of the software licensing protocol:
(a) SERVER, MERGE and REGISTER run on different machines: SERVER on A's machine, MERGE on B's machine, REGISTER on C's machine.
(b) SERVER authorizes the software sold by the developer; of course, his software has been protected with my software.
(c) SERVER runs around the clock, receiving requests from MERGE and REGISTER.
(d) In the following protocol, SERVER and A, MERGE and B, REGISTER and C overlap; most of the time they are synonyms.

The protocol then proceeds as follows. This description of the licensing protocol simply explains the requirements of the software; later sections explain the licensing process and give the algorithms used in the protocol.
(a) A gives his software P to B and runs SERVER.
(b) To sell a copy of the software P, B runs the MERGE program. MERGE generates a random SN and sends this SN to SERVER (i.e. to A).
(c) SERVER receives the SN and looks it up in the registration database. If it is found (which happens with negligible probability), SERVER sends a message back to MERGE saying that the SN is a duplicate, and MERGE computes a new SN. If it is not found (almost always), SERVER records the SN in the registration database and digitally signs the SN with its own private key ASK to obtain K1; it sends K1 to B as the encryption password, and also sends its public key APK to B. B encrypts P with K1, obtaining Q.
(d) After the software Q is sold to C, C can register the software on his local host (the user's own computer) with the developer's network server and then use it. C runs the registration program REGISTER; REGISTER obtains the serial number SN from Q, then obtains the hardware information HD of the local host, computes and stores the hash SAC (System Authentication Code) of HD, and sends it to SERVER.

SERVER looks this SN up in the database. If it is found and the serial number is already registered, and the SAC received is identical to the stored one, the same copy may be installed and registered again on the same authorized computer. If the SN is found but not yet registered, the SAC sent together with the SN is stored in the database and is used to verify this computer later. SERVER then sends the decryption password K1 corresponding to the SN to user C, and at the same time distributes its public key APK to C.
(e) The REGISTER program decrypts Q with K1 and at the same time encrypts it with K2, another hash value of the local host's hardware information HD, finally obtaining R. Now user C can run the software R (R is the registered P), and R has some anti-cracker functionality and other protection functions.

(3) The finally protected software P (that is, the executable R produced by the licensing protocol above) should have the following functions: (a) it runs only on the registered machine (anti-illegal use); (b) virus detection and detection of changes made by a cracker (protection function); (c) anti-tracing (anti-debug, or anti-trace); (d) anti-dump; (e) anti-disassembly; (f) other anti-crack functions.

(4) Illustration of the protocol: in Figure 6-1 the rectangles represent the software's processes, the shields represent the "shell", and the ellipses represent processing steps, i.e. software modules. This figure is referenced again in the following sections.

6.2 Overall framework

From the requirements of the previous section it can be seen that the software needs at least three independent modules: (1) the SERVER server module; (2) MERGE, the module that generates software copies; (3) REGISTER, the module with which the end user registers the software. There is one more module, the "shell" module that protects the software; it is called SHIELD, meaning protective shell. The whole software is thus divided into these four modules.
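The licensing protocol of 6.1, steps (b) through (e), modeled end to end as an added example; this is not the thesis's code and it assumes the following stand-ins: HMAC-SHA256 under a server-only key plays the RSA signature with the private key ASK (so K1 = Sign_ASK(SN) as in the text), a SHAKE-256 keystream XOR plays the RC2/RC4 encryption, the public key APK is not modeled, and messages are Python tuples rather than WinSock traffic. The "refused" branch for a second machine presenting a registered SN is implied by the text rather than spelled out; all hardware strings and program bytes are constructed.

```python
"""SERVER (A), MERGE (B) and REGISTER (C) from section 6.1, with stand-in primitives."""
import hashlib
import hmac
import os

SN_LEN = 8


def sign(secret: bytes, msg: bytes) -> bytes:
    """Stand-in for the signature under ASK; the output is used directly as K1."""
    return hmac.new(secret, msg, hashlib.sha256).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (symmetric: the same call decrypts)."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def hw_hash(hd: bytes, label: bytes) -> bytes:
    """SAC and K2 are two different hashes of the hardware information HD."""
    return hashlib.sha256(label + hd).digest()


class Server:                        # runs on A's machine
    def __init__(self):
        self.ask = os.urandom(32)    # stand-in for A's private key ASK
        self.db = {}                 # SN -> SAC, or None while issued but unregistered

    def handle_merge(self, sn: bytes):
        if sn in self.db:
            return ("duplicate", None)         # MERGE must produce a new SN
        self.db[sn] = None
        return ("ok", sign(self.ask, sn))      # K1 for B

    def handle_register(self, sn: bytes, sac: bytes):
        if sn not in self.db:
            return ("unknown", None)
        if self.db[sn] is None:                # first registration: bind SN to this machine
            self.db[sn] = sac
        elif self.db[sn] != sac:               # already bound elsewhere (implied by the text)
            return ("refused", None)
        return ("ok", sign(self.ask, sn))      # same machine: reinstall allowed


class Merge:                         # runs on B's machine
    def __init__(self, server: Server):
        self.server = server

    def make_copy(self, p: bytes) -> bytes:
        """Produce Q: the SN in clear, followed by P encrypted with K1."""
        while True:
            sn = os.urandom(SN_LEN)
            status, k1 = self.server.handle_merge(sn)
            if status == "ok":
                return sn + xor_crypt(k1, p)


class Register:                      # runs on C's machine
    def __init__(self, server: Server, hd: bytes):
        self.server, self.hd = server, hd

    def register(self, q: bytes):
        sn, body = q[:SN_LEN], q[SN_LEN:]
        sac = hw_hash(self.hd, b"SAC")
        status, k1 = self.server.handle_register(sn, sac)
        if status != "ok":
            return status, None
        p = xor_crypt(k1, body)                # decrypt Q with K1 ...
        k2 = hw_hash(self.hd, b"K2")
        return status, sn + xor_crypt(k2, p)   # ... and re-encrypt with K2, giving R

    def run(self, r: bytes) -> bytes:
        """What the shell does at startup: recover P from R, which only works on this HD."""
        return xor_crypt(hw_hash(self.hd, b"K2"), r[SN_LEN:])


if __name__ == "__main__":
    srv = Server()
    q = Merge(srv).make_copy(b"constructed program bytes")
    status, r = Register(srv, b"HD-of-machine-1").register(q)
    print(status, Register(srv, b"HD-of-machine-1").run(r))
```

Note what each party can and cannot do in this model: B never sees K2, C never sees ASK, and R decrypts only on the machine whose HD produced K2, which is the binding that 4.12 asked for.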
The relationship between the four modules is shown in Figure 6-1, and the licensing protocol above also shows how they relate.

6.3 Division of work (assembly and C/C++ each in its place)

It can be seen from the figure that the SERVER, MERGE and REGISTER modules do not involve operations on the underlying operating system. Whether SHIELD involves the underlying operating system cannot be seen from the figure and the protocol above, but the requirements tell us that SHIELD is attached to the protected software: when the protected software runs, the SHIELD program runs first, extracts some data from the file, performs some necessary checks, decrypts, performs anti-tracing and anti-disassembly, and finally jumps to the original program while keeping control relatively easy. Because SHIELD has to perform these low-level operations, a high-level language is unsuitable, in fact impossible, for developing it; assembly language, the most powerful and most efficient language but also the most difficult, has to be used. However, the requirements also show that SHIELD uses some advanced algorithms, such as cryptographic algorithms and file integrity checking algorithms. If SHIELD were developed in assembly language, all these complicated algorithms, which demand considerable skill, would have to be written in assembly language as well.

None of this is special, and the result of writing it in assembly language could only be high cost and very poor extensibility and maintainability. After serious consideration and reading a lot of material, I finally found a compromise: write in assembly language the parts that must be written in assembly, such as extracting data from the file, anti-tracing, anti-disassembly and the memory layout design, and write the rest, which involves complex algorithms, in C++; then link the two parts together. SERVER, MERGE and REGISTER, which involve none of these low-level operations, can be written in a high-level language. I used C++, mainly because, although these three modules do not involve the lowest-level operations, they still have to communicate with SHIELD (SERVER does not communicate with SHIELD), and some algorithms are shared by MERGE, REGISTER and SHIELD; so C++ was the natural choice of high-level language. As for development tools, I chose VC 6.0, which needs no explanation, and the assembly language development tool is version 7.0, the assembler most assembly programmers use.

6.4 Calling conventions for mixed C/C++ and assembly language programming

Since SHIELD is written in both C++ and assembly language, communication (that is, mutual calls) between the two is inevitable. To communicate, both must obey a common convention. After going through a large amount of material, I finally settled the communication between C/C++ and assembly language; it is described in detail below.

(1) Naming convention. When VC compiles a C file (not a C++ file), every global symbol (function name, global variable name) in the generated object file (the .obj file, the intermediate file the compiler produces between the C source and the executable) has an underscore "_" prepended. That is, if the C file contains a global function "fun1" (C has only global functions), then after compilation the symbol name of the function in the object file is "_fun1". The same applies to global variables.

For CPP files (C++ source files, called C++ files below), I do not intend to introduce the naming of class names, class variables (i.e. static variables defined in a class), class methods (static functions of a class), object names, object variables (non-static variables defined in a class), object methods (non-static functions of a class) and so on: there are too many to cover, and my design does not involve them. Below only the naming convention for global non-overloaded functions in C++ source is given. In general, a complete global function in a C++ source program is declared like this:

    [extern "C"] returntype calling_convention fun_name(paramtype1 [param1], paramtype2 [param2], ...);

The definition of the function must be exactly the same as the declaration.

For this function, the definition should be as follows: [EXTERN "C"] returntype calling_convension fun_name (paramtype1 [param1], paramtype2 [param2], ...) {..... Return V; // v type should be returntype} Extern "C" indicates that the naming of the function in the target file will press the C language protocol, for simplification, all the functions called each other in all C and assembly languages ​​in my code have plus Extern "C". The following is also a hypothetical function with Extern "C" declaration. For different Calling_Convensions, the modified protocol, the order generated in the target file, and the order of the parameter transmission, generally different. Calling_convension will be described in detail below. Now just say a function name. If calling_convension is __stdcall, the resulting function name, add a next line before the source of the source program, add a "@" after the function name, after adding the number of bytes in the form of the function (10 credit representation) ). If the function is assumed, it is assumed that the function has three long types (C language standards specified that the long type must be 32 digits in all machines), and the function name in the target file will be "_fun_name @ 12". If CALLING_CONVENSION is __cdecl, generated function name, add a next line before the source program of the source, not "@" after the function name, and there is no "@" after the function name, and there is no number of bytes of the parameter area of ​​the function (10). If the function is assumed, it is assumed that the function has three long form parameters, and the function name in the target file will be "_fun_name". This naming agreement is actually the standard naming protocol of C. Other Calling_Convensions are shown in a table behind (Table 6-1). 
(2) Parameter-passing convention. For __cdecl, parameters are pushed from right to left and the stack is restored by the caller. For the function above, the call

    fun_name(x, y, z);

generates the instructions

    push z
    push y
    push x
    call _fun_name
    add  esp, 12

and the body of fun_name looks like this:

    _fun_name proc
        push ebp
        mov  ebp, esp
        ....
        ret              ; plain ret: the parameter area is not skipped (the stack is not restored here)
    _fun_name endp

This is only an example. The reason such functions leave stack restoration to the caller rather than the callee is that C allows functions with a variable number of parameters, such as printf: the callee "does not know" how many parameters were passed to it, but the caller does. This costs some efficiency, as will be seen below.

For an extern "C" __stdcall function the call

    fun_name(x, y, z);

generates

    push z
    push y
    push x
    call _fun_name@12
    ;; no add esp, 12: the called function has already restored the stack

and the body of fun_name is

    _fun_name@12 proc
        push ebp
        mov  ebp, esp
        ....
        ret 12           ; skips the 12-byte parameter area (restores the stack)
    _fun_name@12 endp

So a __stdcall call site is one instruction shorter (no stack-restoring instruction); the code is naturally smaller and runs faster. Flexibility is lost, however: in general the parameters pushed for the called function must match the parameter area of the function's definition and declaration exactly (12 bytes for this function; see below).

(3) Functions without extern "C". For these the parameter-passing convention is the same, but the naming convention differs: the C++ compiler mangles the name to encode the class, the parameter types and the calling convention (MSVC's decorated names begin with "?"). Since the communication between C and assembly in this software does not use such functions, no example is given.

(4) The function calling conventions (Table 6-1):

                         cdecl    syscall  stdcall   basic    fortran  pascal
    leading underscore   yes      yes      yes       -        -        -
    name upper-cased     -        -        -         yes      yes      yes
    parameter order      <-       <-       <-        ->       ->       ->
    stack restored by    caller   callee   callee*   callee   callee   callee
    saves BP (EBP)       yes      yes      yes       yes      yes      yes
    variable arg count   yes      yes      yes*      -        -        -

    Table 6-1  Function calling conventions
    * stdcall with a variable number of parameters: the compiler falls back to the cdecl convention (the caller restores the stack).

6.5 Restrictions on language features in the software's modules and their solutions

The Server, Merge and Register modules do not touch the low level of the system, so all the language features of C++ can be used in them. The Shield module is different: it is attached to other programs and is therefore relocated, so every "absolute address" has to be converted, including the addresses of static variables and of functions. In C, variables declared static, global variables, and the string literals written in quotation marks are all static objects whose absolute addresses are fixed when the program is compiled and linked. For calls to functions, on the other hand, the compiler generally uses a relative address, namely the address of the callee relative to the instruction following the call.

For example:

    ........
    01006436  E8 00 10 00 00    call fun1
    0100643B                    mov  eax, 1000h
    ........
    0100743B                    push ebp
    0100743C                    mov  ebp, esp
    ........

E8 is the opcode of this call and 00001000 is its operand (stored little-endian, hence the bytes 00 10 00 00). The operand is a relative address: 0100743B - 0100643B == 00001000, the distance from the instruction after the call to the target. Such an instruction works no matter where the code is relocated, because the call and its target move together. Virtual functions in C++ are different (see reference [13] for details). Suppose an object anObject whose class has some virtual functions, as illustrated in Fig. 6-2. Inside anObject there is a pointer, vfptr, to a virtual function table; each entry of the table is a function pointer, and these pointers are absolute addresses. The mechanism works perfectly in an ordinary program, but it cannot work inside the Shield shell, because Shield must work attached to any protected program. Consider the client (the protected software) and Shield before merging (Fig. 6-3): the client's base address is 0x01000000 and Shield's is 0x00400000. After Shield is attached to the client (Fig. 6-4) the address of vfun1 has changed to 0x01101486, while the entry pvfun1 in the virtual function table still holds 0x00401486, and the vtable pointer inside anObject is wrong in the same way. Running such code would of course fail. Function addresses are only one case: global data behaves the same way, since the address of a global variable is also fixed when Shield is compiled.
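An added C example (not the thesis's code) that makes the point above concrete: it encodes and decodes an E8 call with a 32-bit relative displacement, shows that the same bytes still reach their target after the whole image has moved, shows that an absolute vtable entry does not, and applies the delta fix-up that the Shield module's A2IRA routine in Chapter 7 performs. The two base addresses are those of the text; the offsets and the vtable slot are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the thesis. A Shield-like image linked for
 * SHIELD_LINK_BASE lands at SHIELD_ATTACHED_BASE inside the client; every
 * offset below is constructed. */
#define SHIELD_LINK_BASE     0x00400000u   /* Shield as linked */
#define SHIELD_ATTACHED_BASE 0x01100000u   /* where it sits after attachment */

/* Encode "call target" at address addr: opcode E8 followed by a 32-bit
 * displacement relative to the NEXT instruction (addr + 5), little-endian. */
static void encode_call(uint8_t out[5], uint32_t addr, uint32_t target)
{
    uint32_t rel = target - (addr + 5);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Decode the target of an E8 call that sits at address addr. */
static uint32_t decode_call_target(const uint8_t in[5], uint32_t addr)
{
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++)
        rel |= (uint32_t)in[1 + i] << (8 * i);
    return addr + 5 + rel;
}

/* The fix-up A2IRA performs: link-time address plus the load delta. */
static uint32_t a2ira(uint32_t link_time_addr, uint32_t delta)
{
    return link_time_addr + delta;
}

/* A vtable slot as the compiler emits it: the absolute address of vfun1. */
static const uint32_t pvfun1_as_linked = SHIELD_LINK_BASE + 0x1486;

/* True if the unchanged call bytes still reach fun1 after both the call
 * site and fun1 have moved by delta, i.e. the call needs no fix-up. */
static bool relative_call_survives_move(uint32_t delta)
{
    uint8_t code[5];
    uint32_t call_at = SHIELD_LINK_BASE + 0x6436;
    uint32_t fun1    = SHIELD_LINK_BASE + 0x743B;
    encode_call(code, call_at, fun1);                 /* E8 00 10 00 00 */
    return decode_call_target(code, call_at + delta) == fun1 + delta;
}

/* True if the vtable slot still points at vfun1 after the move. It does
 * not: the slot holds an absolute address fixed at link time. */
static bool vtable_slot_still_valid(uint32_t delta)
{
    return pvfun1_as_linked == SHIELD_LINK_BASE + 0x1486 + delta;
}

int main(void)
{
    uint32_t delta = SHIELD_ATTACHED_BASE - SHIELD_LINK_BASE;
    printf("relative call ok after move: %d\n", relative_call_survives_move(delta));
    printf("vtable slot ok after move:   %d\n", vtable_slot_still_valid(delta));
    printf("slot after A2IRA fix-up:     0x%08X\n", a2ira(pvfun1_as_linked, delta));
    return 0;
}
```

The same delta fixes a global variable's address, which is why the text treats function pointers and static data together: anything stored as an absolute address needs a2ira, anything encoded as a displacement does not.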
So within the Shield program there are only two options: (1) transform the function addresses in the virtual function tables (and the vtable pointer inside each object) into their addresses after attachment to the client, or (2) use no virtual functions at all.

Because the virtual function mechanism is encapsulated by the C++ compiler, transforming those addresses is impractical, so the rule in the Shield program is: never use virtual functions! As said above, the addresses of static variables are also wrong after Shield is attached to the client. Static variables are not hidden by C++ in the same way, so they can be used, but only with an address transformation; this transformation is described in detail later under the main techniques of the shell. Besides virtual functions and static variables, there is another C++ mechanism that cannot be used in Shield: exception handling (try, catch, throw). It also relies on the absolute addresses of functions, for the same reason as virtual functions, so it is not discussed again here. Dynamic memory management in C++, that is new and delete, cannot be used either, because both are tied to the C++ runtime library, unless one writes one's own new and delete handlers, and even then restrictions remain, for instance that set_new_handler is itself a library function. There is a further restriction on C++ in Shield: the C++ library cannot be used! It is full of virtual functions, static variables and absolute addresses, so this is obvious. The C library can in theory be used, except for its I/O functions, which almost all depend on global variables and therefore cannot be used; the string functions and the memory functions (but not the memory-management functions such as malloc and free) are usable. For other reasons, explained under the main techniques of the shell, I do not use the C library functions either.
In short, these restrictions make developing Shield much like developing for an embedded system, where most of these features are likewise unavailable.

6.6 Conditional compilation in C/C++ and assembly language

The software is about 6000 lines of code, and the Shield program has to be cross-compiled and debugged, which makes development difficult. A small error may take several rounds of modification and tracing to find, and frequently modifying the code to hunt an error makes further errors easier to accumulate (a principle of software engineering: the cost of modifying code exceeds the benefit). Also, algorithms such as MD5 and the other encryption and decryption routines are shared by Shield and the other modules, yet the functions they call differ between Shield and the other modules; rewriting these shared algorithms for that reason would be very expensive. Fortunately C/C++ and assembly language both have powerful preprocessors, and conditional compilation solves these problems. They are only raised here; Chapter 7 explains the conditional-compilation methods in detail.

7 Implementation and technical details of the software

Cryptography, the PE file format, traditional software protection schemes, and the design ideas, strategy and overall architecture of the software have been introduced. What remains is the last step, which is also the key one: the implementation details.

With the foundation laid above and the plan of the whole program there is a clear goal, but there are still many ways to reach it. Which one? In cryptography: the selection and design of the cryptographic protocol, the selection and design of the encryption algorithms, the cryptographic library, and whether the library comes as source code or as a DLL. In networking: the Winsock API or the socket classes already packaged by VC, and TCP or UDP. The treatment of the software to be protected: store it encrypted on disk and run it as a child process (or thread) of the shell, or merge it with the shell (which is slightly at odds with the previous chapter)? I will not dwell on the agony of these decisions, only say what was chosen and why.

(1) Cryptographic protocol, algorithms and library. (a) Protocol: the simplest one, a one-way digital signature, which is sufficient for this design. (b) Algorithms: RSA for the digital signature, which needs no justification; SHA as the hash within the signature, since at the time of writing no sign of a break of SHA had been published (SHA-1 and MD5 have both since been shown to be collision-vulnerable, so a new design should not rely on them); RC2 for encryption, which again needs no justification. (c) Library: Microsoft CryptoAPI, because it is supported on every version from Windows 95 with IE 3.02 upwards, and because the library is supplied as a DLL, so the generated code is much smaller. The MD5 hash algorithm used in the software is implemented in my own code, for reasons of efficiency and flexibility.

(2) Network interface. (a) Because the Shield module may also need the network interface, VC's socket classes are not used; the Winsock API is used instead. (b) TCP is used, for simplicity and reliability of implementation. (3) Cooperation between the shell and the program to be protected: the shell is merged with the program into one file, rather than keeping the shell and the program separate. The workload of implementing the whole software is large: more than 6000 lines of code, not counting code generated automatically by the compiler. The Shield module contains more than 1600 lines of hand-written assembly (test code not included) and about 1200 lines of C; the Merge module about 1300 lines; the Register module about 600 lines; the Server module about 600 lines; and the algorithms, structure definitions and so on shared by these modules about 2000 lines.

7.1 Introduction to CryptoAPI

Because cryptographic algorithms are complex, and even a "simple" one such as RSA is hard to implement correctly, many applications in the past used only very simple encryption, with the result that the protection was weak and easily broken. CryptoAPI solves this: with it a programmer can add strong cryptography to an application without having to deal with the underlying algorithms. CryptoAPI is a complete and complex architecture; only its most commonly used subset is introduced here. Essentially CryptoAPI is a set of functions that give the programmer an interface to cryptographic algorithms. The interface is implemented by the operating system and ultimately by the underlying CSP.
CSP stands for Cryptographic Service Provider, an independent module that implements the actual cryptographic services. Conceptually its implementation is completely independent of any particular application, so one application can run on different CSPs, although some applications with special requirements need a custom CSP. A CSP consists of at least one DLL carrying a digital signature (usually Microsoft's); CryptoAPI verifies this signature before it will recognise the CSP. Some CSPs are implemented entirely in software, others in hardware (such as smart cards) through a device driver. The signed DLL is only the interface between the CSP and the operating system, a service provider interface (SPI). In this way the application and the CSP's underlying implementation are completely independent and their coupling is minimal. Microsoft ships one CSP with the operating system, the RSA Base Provider, implementing RSA public-key cryptography; further CSPs can be added as needed. Some companies in China now offer hardware compatible with CryptoAPI, for example the UKEY300 USB electronic key from ISecurex.com, which carries a Microsoft digital signature. Using CryptoAPI, data can be encrypted, public keys exchanged, message digests computed and digital signatures generated with simple function calls. It also provides management operations, such as selecting one CSP from the set available.

In addition, CryptoAPI is the basis of many higher-level security services, including SET for electronic commerce, PCT for encrypting client/server messages, PFX for transporting keys and certificates between platforms, digital signatures and so on. The architecture of CryptoAPI is shown in Fig. 7-1. The Windows systems supporting CryptoAPI at the time include Windows 95 OSR2, Windows NT SP3 and later, Windows 98 and Windows 2000. CryptoAPI stores its configuration in the registry under the keys

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults
    HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Providers

7.2 Common functions and macros

The following functions and macros are used in the Shield, Merge and Register modules. They must call other functions (C library functions, Windows API functions and so on), so the header file that declares them contains a conditional-compilation block:

    #ifdef SHIELD_PROGRAM
    #define vReadFile       iraReadFile
    #define vHeapAlloc      iraHeapAlloc
    #define vHeapFree       iraHeapFree
    #define vGetProcessHeap iraGetProcessHeap
    #else
    #define vReadFile       ReadFile
    #define vHeapAlloc      HeapAlloc
    #define vHeapFree       HeapFree
    #define vGetProcessHeap GetProcessHeap
    #endif

vXXXX is the alias under which the library functions (or APIs) are called inside these common functions. The macro SHIELD_PROGRAM "tells" the compiler that the Shield module is being compiled. iraXXXX is declared (and defined) in the Shield module with exactly the same interface and behaviour as XXXX; the only difference is that in Shield these functions are my own, whereas in the Merge and Register modules the plain library functions are used.
Also, in the Shield module every global variable goes through an address translation, performed by the function A2IRA, which converts a global variable's compile-time address into its run-time address (Chapter 6 explained that the two differ for global variables in Shield). For this function the header file contains:

    #ifdef SHIELD_PROGRAM
    #define vA2IRA(ptr) A2IRA(ptr)
    #else
    #define vA2IRA(ptr) (ptr)
    #endif

So in the non-Shield modules vA2IRA does nothing, while in the Shield module it calls A2IRA to translate the address.

(1) xxComplexEncrypt, xxComplexDecrypt: use CryptoAPI with the RC2 block cipher to encrypt/decrypt the data in the input buffer.

(2) xxSimpleEncrypt, xxSimpleDecrypt: an encryption/decryption pair with the following property: M encrypted with K1 and then with K2, then decrypted with K1 and with K2, gives M again, and the two keys may be applied and removed in either order. This matters because, during an exchange using the keys K1 and K2, the plaintext M never appears in the clear until the final decryption with K2, as shown in Fig. 7-2. Left-hand path: m1 = M + K1, m2 = M + K1 + K2, m3 = m2 - K2 = M + K1 = m1. Right-hand path: m1 = M + K1, m2 = M + K1 + K2, m3 = m2 - K1 = M + K2. Of course xxSimpleEncrypt/xxSimpleDecrypt also satisfy the conditions of an ordinary symmetric cipher. The idea extends to asymmetric algorithms, in which case K1 and K2 are key pairs, EK1/EK2 for encryption and DK1/DK2 for decryption; RSA exponentiation has this commutative property. Such a cipher is valuable when keys are exchanged, since the plaintext never appears during the exchange; but it also has a weakness, exposure to attack (with a simple XOR cipher, for instance, an eavesdropper who records the three messages recovers M by XORing them together). Whether to use it must be decided per application.

(3) xxSmartEncrypt, xxSmartDecrypt: fast encryption/decryption of short messages (possibly shorter than the key). Used to encrypt/decrypt ClientImport.

(4) xxGetSysInfo: obtain system information into the buffer given as parameter.

(5) xxGetFAC: compute the FAC (File Authentication Code) of the specified protected file, skipping the FAC field of MyShieldSection.

(6) xxGetFACOffset: compute the file offset of the FAC in the protected file; called by xxGetFAC.

(7) xxGetLocalKey: compute the local key from SysInfo with MD5, used to encrypt the client.

(8) xxGetSAC: compute the SAC (System Authentication Code) from SysInfo with MD5, identifying the local machine. SysInfo is preprocessed inside this function so that its result differs from that of xxGetLocalKey, although both are deterministic for a given machine.

(9) xxMD5Digest: compute the MD5 digest of a message.

(10) xxGetSNKey: send the SN to the Server, receive the SNKey and APK returned by the Server together with the other information (error code, error message), and verify the SNKey with the APK.

(11) MD5Init: initialise MD5_CTX. This function uses global variables, through vA2IRA of course; they are the only non-string global variables in the Shield module.

(12) MD5Update: update MD5_CTX; called repeatedly when the digest covers several non-contiguous (or buffered) memory areas.

(13) MD5Final: produce the final MD5 digest.

(14) Macro ROUND:

    #define ROUND(x, align) ((((x) - 1) / (align)) * (align) + (align))

ROUND(x, align) rounds x up to a multiple of align: for x = 11 and align = 3 the result is 12, and so on. The advantage of this form is that it contains no branch, runs fast and is easy to understand. Note that it requires x >= 1: with unsigned arguments ROUND(0, align) wraps around. The macro is used many times throughout the software.

7.3 Structure definitions shared by the modules

    typedef struct __RegisterInfo {
        BYTE SAC[SAC_LENGTH];   // hash of the user's machine, often of its hardware
        BYTE SN[SN_LENGTH];     // the serial number of this copy
    } RegisterInfo;

This is the user's registration information: the SAC (System Authentication Code) and the SN (serial number).
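An added example (not the thesis's xxSimpleEncrypt, whose actual algorithm the thesis does not give) of the commutative-cipher property in item (2) of 7.2 above, modelled here as XOR with a repeating key: it runs the three-message exchange of Fig. 7-2 and then shows the attack hinted at there, an eavesdropper recovering M from the three messages alone. The message and keys are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the thesis. A commutative cipher modelled as XOR
 * with a repeating key (assumed; the thesis does not give xxSimpleEncrypt). */
#define MSG_LEN 16

/* XOR buf with the key, repeating the key as needed. Applying the same key
 * twice cancels, and two keys commute: the property xxSimpleEncrypt needs.
 * Encrypts and decrypts in place. */
static void xor_key(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* The right-hand path of Fig. 7-2: sender locks M with K1, receiver adds K2,
 * sender removes K1, receiver removes K2. wire1..wire3 receive what an
 * eavesdropper sees. Returns true if the receiver recovers M and M itself
 * was never on the wire. */
static bool three_pass_exchange(const uint8_t m[MSG_LEN],
                                const uint8_t *k1, size_t k1len,
                                const uint8_t *k2, size_t k2len,
                                uint8_t wire1[MSG_LEN], uint8_t wire2[MSG_LEN],
                                uint8_t wire3[MSG_LEN], uint8_t recovered[MSG_LEN])
{
    uint8_t cur[MSG_LEN];
    memcpy(cur, m, MSG_LEN);
    xor_key(cur, MSG_LEN, k1, k1len); memcpy(wire1, cur, MSG_LEN);  /* m1 = M + K1 */
    xor_key(cur, MSG_LEN, k2, k2len); memcpy(wire2, cur, MSG_LEN);  /* m2 = M + K1 + K2 */
    xor_key(cur, MSG_LEN, k1, k1len); memcpy(wire3, cur, MSG_LEN);  /* m3 = M + K2 */
    xor_key(cur, MSG_LEN, k2, k2len); memcpy(recovered, cur, MSG_LEN);
    bool never_plain = memcmp(wire1, m, MSG_LEN) != 0 &&
                       memcmp(wire2, m, MSG_LEN) != 0 &&
                       memcmp(wire3, m, MSG_LEN) != 0;
    return never_plain && memcmp(recovered, m, MSG_LEN) == 0;
}

/* The weakness the text alludes to: with XOR the three messages are
 * linearly related, so an eavesdropper gets M = m1 ^ m2 ^ m3 with no key. */
static void eavesdrop(const uint8_t w1[MSG_LEN], const uint8_t w2[MSG_LEN],
                      const uint8_t w3[MSG_LEN], uint8_t out[MSG_LEN])
{
    for (size_t i = 0; i < MSG_LEN; i++)
        out[i] = w1[i] ^ w2[i] ^ w3[i];
}

int main(void)
{
    uint8_t m[MSG_LEN], w1[MSG_LEN], w2[MSG_LEN], w3[MSG_LEN], got[MSG_LEN], spy[MSG_LEN];
    const uint8_t k1[] = {0x5A, 0xC3, 0x9F, 0x11};          /* constructed keys */
    const uint8_t k2[] = {0x27, 0xE8, 0x44, 0x0B, 0x73};
    memcpy(m, "license:ABCD-123", MSG_LEN);                 /* constructed message */
    bool ok = three_pass_exchange(m, k1, sizeof k1, k2, sizeof k2, w1, w2, w3, got);
    eavesdrop(w1, w2, w3, spy);
    printf("receiver recovered M: %d, eavesdropper recovered M: %d\n",
           ok, memcmp(spy, m, MSG_LEN) == 0);
    return 0;
}
```

The commutativity is what makes the exchange work, and the linearity of XOR is what breaks it: the same algebra that lets the keys be removed in any order lets the eavesdropper cancel them. A commutative cipher used this way must be non-linear, which is why the text points to RSA-style exponentiation for the asymmetric case.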
    typedef struct __SessionStruct {
        BYTE  PK[MAX_PK_LENGTH];            // developer's public key
        DWORD PKLength;                     // developer's public key length
        BYTE  SNKey[SN_KEY_LENGTH];
        DWORD SNKeyLength;
        RegisterInfo RegInfo;
        DWORD ErrorCode;
        char  ErrorInfo[MAX_ERROR_INFO_LENGTH];
    } SessionStruct;

This is the data structure used when the Merge and Register modules communicate with the Server. The meaning of each field is given by the comments.

    typedef struct __MyShieldHeader {
        DWORD ShieldEntry;              // often 0
        DWORD ShieldImportAddress;
        DWORD ShieldImportSize;
        DWORD ClientEntry;
        DWORD ClientImportAddress;
        DWORD ClientImportSize;
        DWORD ClientCodeBase;           // in the ASM part: base of the Shield region to be encrypted
        DWORD ClientCodeSize;           // in the ASM part: size of the Shield region to be encrypted
        DWORD ClientDataBase;
        DWORD Signature;                // marks (signs) my shield
        DWORD EncryptCondition;         // a client section is encrypted if its characteristics are a
                                        // subset of this field; if 0, no client block is encrypted
        BYTE  FAC[FAC_LENGTH];          // 128-bit file check code
        BYTE  CAC[CAC_LENGTH];          // code check value, used to verify the integrity of the shell code
        RegisterInfo RegInfo;
    } MyShieldHeader;

This structure is very important: it is not only the link between the Shield and Merge modules but also the bridge from Shield to the client. It greatly reduces the complexity of the whole software; it is hard to imagine how the software would be designed and implemented without it. The meaning of each field is clear from the comments. The constant SHIELD_SIGNATURE plays the role of IMAGE_NT_SIGNATURE in a PE file, marking a file processed by Shield. The constant MY_SHIELD_HEADER_OFFSET is the offset of MyShieldHeader inside the ShieldSection block, currently 0x100. The assembly-language definitions of these structures are identical to the C definitions, field for field and in the same order; only the syntax differs. The other modules have further structures of their own, which are described with the module that uses them.

7.4 The Shield module

The Shield module is the most complex module in the software and its soul. Its memory layout is shown in Fig. 7-3: the code and data of the shell program are interleaved, which also reflects the shell's flow of execution. Since static variables in the shell must be translated at run time (as described in the previous chapter), the address of a symbol is converted to its real run-time address with the following method. In the Shield assembly module a macro obtains the run-time address:

    LDIRA MACRO dst, var
        LOCAL ll
        call ll
    ll: pop  dst
        add  dst, var - ll
    ENDM

The difference between var and ll is fixed: it is the same at assembly time and at run time, so the assembler can compute it (var - ll). At run time the call pushes the run-time address of ll onto the stack; the pop moves it into dst, normally a register; and since the difference is constant, adding it to dst yields the run-time address of var. For example, if the run-time address of ll is 0x101200 and var - ll = 0x400, the run-time address of var is 0x101600. To translate addresses the same way from C, I wrote the function A2IRA in assembly:

    _A2IRA@4 PROC NEAR
        call A2IRA@4LL
    A2IRA@4LL:
        pop  eax
        sub  eax, A2IRA@4LL           ; eax = run-time address - assembly-time address (the delta)
        add  eax, dword ptr [esp+4]   ; the parameter
        ret  4
    _A2IRA@4 ENDP

Because A2IRA is declared __stdcall in the C header file, its symbol (label) is "_A2IRA@4". This relocation technique is common in viruses; I learned it from the CIH virus. The following sections describe the main techniques of the shell program.

7.4.1 Calling APIs from the shell

When a process calls an API, the compiler generates a jmp [xxxx] instruction, where xxxx is the address of an entry in the IAT (import address table). That address is fixed at compile time, but the addresses of the shell's code and data differ from those of the client program (as described earlier), so xxxx changes once the shell is inside the client. To attach such a shell I would have to patch xxxx in every jmp [xxxx] to the corresponding yyyy of the client program. That does not look hard, but patching every jmp [xxxx] is expensive and, at the same time, such patching is definitely a dangerous thing.
So I came up with a compromise: I register the APIs the shell uses in a table organised exactly like the PE import table, compute the offset of the table relative to the section base, and store that offset in the structure MyShieldHeader, which of course also holds other information (see the source program for details). A further benefit is that detecting breakpoints on APIs becomes very easy, as will be seen. The code that jumps to the APIs is then written as follows.

I wrote two assembly-language macros:

    APICALL MACRO apiname
        LOCAL int3_present, end_this_macro
        LDIRA eax, ira_&apiname
        mov  eax, dword ptr [eax]        ; eax = entry address of the API, from the table
        ; examine the first 5 bytes of the API entry for INT 3 (0CCh) breakpoints
        cmp  byte ptr [eax+0], 0CCh
        jz   int3_present
        cmp  byte ptr [eax+1], 0CCh
        jz   int3_present
        cmp  byte ptr [eax+2], 0CCh
        jz   int3_present
        cmp  byte ptr [eax+3], 0CCh
        jz   int3_present
        cmp  byte ptr [eax+4], 0CCh
        jz   int3_present
        jmp  eax                         ; no breakpoint: jump to the API entry
    int3_present:
        LDIRA ecx, ina_&apiname + 2      ; ecx = address of the API name (after its 2-byte hint)
        LDIRA edx, msg_breakpoint_at_api_entry
        jmp  show_found_int3_msg_and_exit
    end_this_macro:
    ENDM                                 ; end of macro APICALL

    ;; API_IMP generates the entry that a C call to ira<apiname> lands on
    API_IMP MACRO apiname, arglen
        _ira&apiname&@&arglen EQU ira&apiname&@&arglen
    ira&apiname&@&arglen:
        APICALL apiname
    ENDM

A macro call API_IMP generates the jump to the specified API, and within it APICALL examines the first 5 bytes of the API entry for breakpoint instructions (the macros shown here are exactly as in the source). In this way the breakpoint check at the API call is completely transparent to the C code: a C-language call does not know whether the API it calls checks for a breakpoint. Generally, to test whether a breakpoint has been set on a function entry one writes:

    if (*(unsigned char *)fun == 0xCC) {
        // breakpoint found
    }

This does not work for imported functions, because a call to an imported function actually transfers to a jmp [xxxx] instruction, which passes control to the entry of the imported function, whose address is stored at [xxxx]:

        call _fun              ; call the imported function fun
        .......
    _fun:
        jmp  [xxxx]
        .......
    xxxx:   dd 77FEBC24h       ; 0x77FEBC24 is the entry of the imported function
        .......

*(unsigned char *)_fun is always the first byte (0xFF) of the jmp opcode, so the breakpoint, which is actually set at 0x77FEBC24, can never be detected this way.

7.4.2 The main body of the shell

The main body of the shell is written in C/C++. Only the Windows APIs imported by the shell framework can be used in it, and these are declared in a C header file under names different from the ones Windows itself uses.
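An added example (not the thesis's code) of the breakpoint check in 7.4.1: a constructed 32-bit image holds an import thunk, its IAT slot and the imported function, so the naive first-byte test and the APICALL-style test on the resolved entry can be compared without a real process. All addresses are invented.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the thesis. A constructed memory image with a
 * thunk "jmp dword ptr [slot]" (FF 25 imm32), the IAT slot, and the imported
 * function's prologue. Every address is invented. */
#define IMG_BASE  0x00401000u
#define IMG_SIZE  0x100u
#define THUNK_OFF 0x00u   /* _fun: jmp dword ptr [IMG_BASE+IAT_OFF] */
#define IAT_OFF   0x20u   /* the IAT slot the thunk reads */
#define API_OFF   0x40u   /* entry of the imported function */

static uint8_t image[IMG_SIZE];

static uint32_t rd32(uint32_t addr)
{
    const uint8_t *p = image + (addr - IMG_BASE);
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint32_t addr, uint32_t v)
{
    uint8_t *p = image + (addr - IMG_BASE);
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Lay out the thunk, the IAT slot and a typical function prologue. */
static void build_image(void)
{
    /* push ebp; mov ebp, esp; sub esp, 10h */
    static const uint8_t prologue[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    memset(image, 0x90, sizeof image);                 /* fill with nop */
    image[THUNK_OFF] = 0xFF;
    image[THUNK_OFF + 1] = 0x25;
    wr32(IMG_BASE + THUNK_OFF + 2, IMG_BASE + IAT_OFF);
    wr32(IMG_BASE + IAT_OFF, IMG_BASE + API_OFF);
    memcpy(image + API_OFF, prologue, sizeof prologue);
}

/* If addr holds an import thunk (FF 25 disp32), follow it through the IAT
 * slot to the real entry; otherwise addr is the entry itself. */
static uint32_t resolve_entry(uint32_t addr)
{
    const uint8_t *p = image + (addr - IMG_BASE);
    if (p[0] == 0xFF && p[1] == 0x25)
        return rd32(rd32(addr + 2));
    return addr;
}

/* The naive check from the text: look only at the first byte of fun. */
static bool naive_has_int3(uint32_t fun)
{
    return image[fun - IMG_BASE] == 0xCC;
}

/* What APICALL does: resolve the entry, then test its first 5 bytes. */
static bool entry_has_int3(uint32_t fun)
{
    uint32_t e = resolve_entry(fun);
    for (int i = 0; i < 5; i++)
        if (image[e - IMG_BASE + i] == 0xCC)
            return true;
    return false;
}

int main(void)
{
    build_image();
    image[API_OFF + 3] = 0xCC;   /* a debugger plants INT 3 inside the prologue */
    printf("naive: %d, apicall: %d\n",
           naive_has_int3(IMG_BASE + THUNK_OFF), entry_has_int3(IMG_BASE + THUNK_OFF));
    return 0;
}
```

The five-byte window is a compromise: a breakpoint placed deeper into the function, or a hardware breakpoint in DR0-DR3, which modifies no code at all, is not seen by this check; the trap-flag and timing checks of 7.4.2 cover part of that gap.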
The functions are not given the standard Windows API names for two reasons: if the shell body included the Windows headers, a function with the same name as a standard Windows API would produce a symbol-name conflict; if the Windows headers were not included, the many symbols from them that the shell uses would have to be copied from the Windows headers into the shell's own header, which is tedious and error-prone. All Windows API functions used by the shell are declared in SHIELDAPI.H, with the naming rule: the standard WinAPI name prefixed with "ira". So the standard MessageBoxA is declared as iraMessageBoxA. The standard C library functions are treated the same way: memcpy is declared as iramemcpy, and so on. The difference between the two: iraMessageBoxA is my forwarding stub to the system's MessageBoxA, implemented in assembly (see the previous section), whereas iramemcpy is written by me in C and compiled by the C compiler. The source file of the shell's C body is shieldmain.cpp.

(1) Detecting SoftICE and other system-level debuggers: in C, call iraCreateFile(name, ...). If the file is opened successfully, the debugger is in memory.

For SoftICE, name is "\\.\NTICE" under Windows NT and "\\.\SICE" under Windows 9x; other debuggers differ only in the name. (2) Call the API IsDebuggerPresent() to detect a debugger. (3) Detecting a user-level debugger: test the trap flag inside the shell; if it is set, the program is being single-stepped. The main code:

    pushfd
    pop  eax
    test eax, 0100h             ; trap flag, bit 8 of EFLAGS
    jz   trace_flag_not_set
    ; debugger found

Of course other anti-tracing measures, such as timing checks and SEH-based anti-tracing, are also implemented.

7.4.3 Encrypting the shell

Most shell programs encrypt the client's code while leaving their own code in the clear, where it can be disassembled; even with junk ("flower") instructions most of it still disassembles. The strings in the shell are in the clear too, easy to find and then to change. For instance, the SoftICE check uses the string "\\.\NTICE", so a cracker can locate it by opening the executable in an editor; if the file has no integrity check, he only needs to change "\\.\NTICE" to something else of the same length, such as "abcdefghi" (the length must match, or the file offsets of the following items would be wrong). I therefore encrypt the shell itself; the encryption is performed in the Merge module. In this way most of the shell's code does not appear in the clear. To keep things simple the shell is encrypted with a plain XOR (this is obfuscation rather than cryptographic protection: it raises the cost of static analysis but does not withstand an attacker who runs the code). Only a very small amount of code must remain in the clear, namely the unpacking routine, the function CryptNext, which is only about 20 instructions; junk instructions are added to it so that it can barely be disassembled. Because clear-text code does exist in the file, I use junk instructions to keep it from being disassembled.
I tested this: notepad.exe protected this way contains only two instructions in the clear, the entry jump!

7.4.4 Self-modifying code at run time

The implementation is simple. Two functions are defined, CryptAny and CryptNext, using the simplest algorithm: CryptNext takes a key as a parameter, CryptAny uses a field of MyShieldHeader as its key. Each is fewer than 20 lines. CryptAny is generally used to encrypt a code region that needs to be transformed, and also to decrypt it. CryptNext decrypts the block that begins at the next instruction: it takes the address of the next instruction from the stack (the "call CryptNext" pushed the address of the following instruction) and decrypts the block starting there. Since CryptNext returns to the instruction after "call CryptNext", it can only be used for decryption. I wrote a macro, ANAMORPH, that transforms a piece of code: insert it into the program and specify the end of the region; the start of the region is the instruction after ANAMORPH.

This makes tracing almost impossible and makes WinDASM's trace feature unusable: before execution even reaches the trace-flag check, an exception has already occurred and the trace has to stop. See the source program for details.

7.4.5 Code checksum check. When a program is traced, the debugger often writes INT 3 instructions into it, changing the code. How do I know where INT 3 was written? I don't! So all I can do is compute a checksum of the code. The simplest way is to add up all the bytes of the code, store the sum in the file (skipping the 32 bytes where it is stored), recompute at run time and compare. This works. I use the safer MD5 hash of the code instead (for speed only the shell program is hashed, not the whole PE image; that is enough). For the hash of the code to be stable, all static variables must be read-only; my code and data live in a single section. As said above, the stored check value itself must be skipped, because I also hash the file, and Windows fills the API addresses into the IAT when loading, which changes those fields, so the IAT must be skipped too. In practice I skip the whole MyShieldHeader and the whole import table: this is easier to implement and does not weaken the protection at all.

7.4.6 Jumping to the client's entry point. In general a cracker only needs to trace the program and break when the instruction pointer lands in the client code section; that gives the client entry address, memory is dumped, and the shell is off. So I cannot jump directly to the client entry. I use a trick: jump many times inside the client code block, yet still arrive exactly at the entry.
It works like this. First I push the client entry address onto the stack. Then I scan the client code for RET instructions (machine code 0xC3); each time one is found its address is pushed, until the end of the client code block. Finally a RET is executed, which jumps to the last RET found in the client code; that RET jumps to the one found before it, and so on, until the first RET in the client code block transfers control to the client entry. Note that the "RET instructions" found in the client code are not necessarily RET instructions, because the operand bytes of an instruction may contain 0xC3: for example, MOV EAX, 0C3C3C3C3H contains four bytes of 0xC3. They are executed as RETs in the RET chain, but as part of the MOV EAX, 0C3C3C3C3H when the client code runs normally. This is quite confusing for a cracker.
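As an added example (not the thesis's own code), this models the integrity checks of 7.4.5 (CAC over the shell code) and 7.8 (FAC over the output file): the MD5 must leave out the field that stores the hash and every region the loader rewrites (the IAT), otherwise the stored value can never match. The image layout, offsets and filler bytes are constructed for illustration.

```python
import hashlib
from typing import List, Tuple

# Added example, not code from the thesis. The image layout and all offsets
# below are constructed; a real shell would take them from MyShieldHeader and
# the section headers.

Range = Tuple[int, int]          # half-open [start, end) byte ranges to skip

HEADER_FAC_OFFSET = 0x40         # constructed: where the 16-byte FAC field lives
FAC_LENGTH = 16                  # MD5 digest length
IAT_RANGE = (0x100, 0x120)       # constructed: the IAT the loader will patch
IMAGE_SIZE = 0x200


def md5_skipping(data: bytes, skip: List[Range]) -> bytes:
    """MD5 over data with the given ranges excluded (ranges must not overlap)."""
    h = hashlib.md5()
    pos = 0
    for start, end in sorted(skip):
        if start < pos or end > len(data):
            raise ValueError("skip ranges must be disjoint and inside the data")
        h.update(data[pos:start])
        pos = end
    h.update(data[pos:])
    return h.digest()


def skip_ranges() -> List[Range]:
    """Regions excluded from the FAC: the FAC field itself and the IAT."""
    return [(HEADER_FAC_OFFSET, HEADER_FAC_OFFSET + FAC_LENGTH), IAT_RANGE]


def build_image() -> bytearray:
    """Constructed stand-in for an output file: deterministic filler bytes."""
    return bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))


def store_fac(image: bytearray) -> bytes:
    """MERGE/Register side: compute the FAC and write it into the header field."""
    fac = md5_skipping(bytes(image), skip_ranges())
    image[HEADER_FAC_OFFSET:HEADER_FAC_OFFSET + FAC_LENGTH] = fac
    return fac


def verify_fac(image: bytes) -> bool:
    """Shell side at run time: recompute and compare with the stored field."""
    stored = image[HEADER_FAC_OFFSET:HEADER_FAC_OFFSET + FAC_LENGTH]
    return md5_skipping(image, skip_ranges()) == stored


def simulate_loader_patch(image: bytes) -> bytes:
    """Emulates Windows filling API addresses into the IAT after loading."""
    patched = bytearray(image)
    for off in range(IAT_RANGE[0], IAT_RANGE[1], 4):
        patched[off:off + 4] = (0x77E10000 + off).to_bytes(4, "little")
    return bytes(patched)


def simulate_tamper(image: bytes, offset: int) -> bytes:
    """Flips one bit at offset, like a patched byte or a debugger's INT 3."""
    tampered = bytearray(image)
    tampered[offset] ^= 0x01
    return bytes(tampered)
```

Because no secret is involved, such a check only detects modification; it does not stop someone who can rewrite both the stored FAC and the check itself, which is why the thesis additionally encrypts and self-modifies the shell.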

7.4.7 Loading and destroying the client's Import Table. After all the necessary checks, the shell must load the client's Import Table; there is no doubt about that. Loading the client's Import Table is a fairly complex job: the whole import table has to be traversed and loaded item by item. Every shell has to do this, so I do not treat the loading of the client's import table as a key detail; only the special processing against crackers is described below. If it is handled the ordinary way, it is easy to crack, because once the program runs, the contents of all client sections are plaintext. After execution reaches the client code, the cracker only needs to dump all client sections from memory, find the client entry (assuming the RET-chain barrier of 7.4.6 has been overcome), and rebuild the client's import table from the dump. The cracker need not understand how the shell works at all to remove it. Against this, my approach in the MERGE program is, besides encrypting the section that holds the Import Table, to encrypt the Import Table once more on its own before that section is encrypted. At run time the shell first removes the section encryption, then decrypts the import table, loads the IAT (Import Address Table) of the client's import table, and then wipes every part of the Import Table other than the IAT. Even if memory is dumped, the Import Table is not obtained, and an EXE file without it cannot work. One problem remains: if the Import Table is decrypted as a whole block, there is always a moment when the complete Import Table is in memory, and a cracker who dumps memory at that moment can still unpack the shell. So I use item-by-item encryption: in MERGE every item of the Import Table is encrypted, starting from the leaves, i.e. the imported functions, and then the Import Descriptors.
(This encryption is done in MergeNet, though it is more accurate to say in EncryptImport; a flow chart is given below.) There is another problem: all the collections (arrays, strings) in the Import Table are NULL-terminated; for example, Function Name and Library Name are strings terminated by a zero character.

When encrypting, the exact length of such a string can be computed, no doubt about that. But there is a problem when decrypting: encryption may turn a non-zero character into 0, so the string length found at decryption time is wrong. The probability of this is 1/256 per byte, and in a computer such an error rate is not acceptable, so the string length must be stored. An imported function is described by the structure IMAGE_IMPORT_BY_NAME:

struct IMAGE_IMPORT_BY_NAME {
    WORD Hint;            // hint
    CHAR Name[ANY_SIZE];
};

By the PE file definition, Hint does not have to be correct: it is only an initial value the loader may use to optimise the binary search for the corresponding function in the import library's export table. For example, if an import library exports 1024 functions and the function to import is the first, a Hint of 1 lets the loader find it with one lookup, whereas a Hint of 0 may need up to 10 lookups, a factor of 10 in efficiency. However, my own code for loading functions does not use Hint at all, unless other, more complex techniques are used to improve efficiency; my focus is on encryption, not efficiency. When encrypting, I first put the length of the function name into Hint, then encrypt Hint and Name; note that they are encrypted separately, not together, for an obvious reason: when decrypting, Hint is decrypted first, which yields the length of Name, and then Name is decrypted. The library name is encrypted in a similar way: the DLL name is given by a Name field in the ImportDescriptor, and the ImportDescriptor also has a TimeDateStamp field that is of no use to me, so I use it to store the DLL name length.
Other items are handled differently, namely the pointers to IMAGE_IMPORT_BY_NAME (offsets within the PE file) called FirstThunk and OriginalFirstThunk, of which only one is used (see reference [14]). They are DWORDs, i.e. 4 bytes; the probability that 4 non-zero bytes encrypt to 0 is 1/2^32, which is small enough to ignore. Besides, there is nowhere else to store their length. If that probability still seems too high, TimeDateStamp can be split into two WORDs, one storing the library name length and the other the number of functions this executable imports from the library. For the ImageImportDescriptor itself there is really nowhere to put a length, but ImageImportDescriptor is large enough, 20 bytes, so the probability of a similar error is 1/2^160.

That is absolutely negligible, given that hash values are generally only 16 bytes and a probability of 1/2^128 is already ignored. Decryption simply proceeds in the reverse order, with no delay. And during decryption each item is decrypted, imported and then cleared, one at a time. The Import Address Table itself can never be cleared, because Windows API calls go through it; only the other items are destroyed. There is another reason the Import Table cannot be processed naively: although DataDirectory[1] holds the RVA and size of the Import Table, the size is usually inaccurate, and Windows does not require it to be accurate!

7.4.8 Self-destroying shell code. When the shell finishes and control is transferred to the client program, all of the shell's code has become plaintext by then, so a cracker can dump the shell's section after the client is running and analyse it statically. To prevent this, I destroy the shell just before the final RET that transfers control to the client. Of course, the self-destruct code itself cannot destroy itself: who can lift himself by his own hair? I use junk instructions in the self-destruct code as well, raising the difficulty once more: after the code destroys itself, the junk instructions remain and keep confusing the cracker. To leave the cracker as little information as possible, the self-destruct code is also deformed, and I use a trick: the self-destruct code first destroys the code after itself, then the code before itself, so that only two adjacent instructions cannot be destroyed, namely:

rep stosb
ret
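As an added example (not the thesis's MERGE/SHIELD code), this models the item-by-item Import Table encryption of 7.4.7: a naive decryptor that finds the end of an encrypted name by scanning for the NUL terminator breaks when a ciphertext byte happens to be zero, whereas storing len(Name) in the Hint field and decrypting Hint first does not. The XOR key stream is an assumed stand-in for the thesis's stream cipher.

```python
import struct
from typing import Tuple

# Added example, not code from the thesis. IMAGE_IMPORT_BY_NAME is a WORD Hint
# followed by a zero-terminated Name. A length-preserving cipher maps a non-zero
# name byte to 0x00 with probability 1/256, so the thesis writes len(Name) into
# Hint (the loader does not need Hint to be correct) and encrypts Hint and Name
# as two separate items. xor_stream is an illustrative stand-in cipher.


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Length-preserving XOR with a repeating key (illustrative stand-in)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_import_by_name(hint: int, name: str) -> bytes:
    """Build an IMAGE_IMPORT_BY_NAME entry: little-endian WORD Hint, ASCII Name, NUL."""
    return struct.pack("<H", hint) + name.encode("ascii") + b"\x00"


def naive_encrypt(entry: bytes, key: bytes) -> bytes:
    """Encrypt the Name bytes in place and keep the NUL terminator."""
    body = entry[2:]
    name = body[: body.index(0)]
    return entry[:2] + xor_stream(name, key) + b"\x00"


def naive_decrypt(blob: bytes, key: bytes) -> Tuple[int, bytes]:
    """Find the end by scanning for 0x00: wrong whenever the ciphertext contains a zero."""
    hint = struct.unpack("<H", blob[:2])[0]
    body = blob[2:]
    ciphertext = body[: body.index(0)]
    return hint, xor_stream(ciphertext, key)


def smart_encrypt(entry: bytes, key: bytes) -> bytes:
    """Thesis method: Hint := len(Name); Hint and Name are encrypted separately."""
    body = entry[2:]
    name = body[: body.index(0)]
    hint_ct = xor_stream(struct.pack("<H", len(name)), key)
    return hint_ct + xor_stream(name, key) + b"\x00"


def smart_decrypt(blob: bytes, key: bytes) -> Tuple[int, bytes]:
    """Decrypt the 2-byte Hint first, read the length, then decrypt exactly that many bytes."""
    length = struct.unpack("<H", xor_stream(blob[:2], key))[0]
    return length, xor_stream(blob[2:2 + length], key)


def roundtrip_ok(name: str, key: bytes, smart: bool) -> bool:
    """True if encrypt-then-decrypt recovers the original function name."""
    entry = pack_import_by_name(0, name)
    if smart:
        return smart_decrypt(smart_encrypt(entry, key), key)[1] == name.encode("ascii")
    return naive_decrypt(naive_encrypt(entry, key), key)[1] == name.encode("ascii")
```

With key byte 0x65 ('e'), the 'e' in "CreateFileA" encrypts to 0x00 and the naive decryptor returns only "Cr".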

7.4.9 Compilation method. Compile shieldmain.cpp from the command line with VC (set the environment variables first; command-line options are case sensitive, file names are not):

cl /c /FaMyShield.asm MyShield.cpp

Then delete the EXTRN declaration lines in the generated ASM file and change the _DATA segment to _TEXT. I wrote an UltraEdit macro that does this, defined as follows:

InsertMode
ColumnModeOff
HexOff
UnixReOff
Find RegExp "%public^t*$"
Replace All ""
Find RegExp "%extrn^t*$"
Replace All ""
Find RegExp MatchWord "%end$"
Replace All ""
Find MatchCase RegExp "%_DATA^t"
Replace All "_TEXT^t"

Next, assemble shield.asm with the command line:

ml /coff shield.asm /link /subsystem:windows

which produces the EXE file Shield.exe. This file cannot be executed, because the compiler does not generate an import table for it: its Import Table is constructed by hand and the system cannot recognise it. Only after the MERGE module assembles Shield.exe into the program to be protected (say P.exe) can Shield run.

7.5 The MERGE module. The MERGE module is effectively an assembler that joins the software to be encrypted with Shield, so that Shield is combined with the program to be encrypted (called P below). For the MERGE module I designed a base class that performs the basic MERGE operations and declares the functions that a subclass may override as virtual functions. The MERGE base class mainly does the following: (1) Read the client's PE header from the client file. (2) Read the Shield program and extract its only section, the code section (if Shield were generated with two sections, a code section and a data section, Merge would simply handle both). (3) Read the MyShieldSection structure and modify the data that MyShieldSection is to be filled with according to the client's PE header.
Each of these modifications is handled as follows: (a) PatchShieldImport adds the section offset of the ShieldSection to every RVA stored in ShieldImport. (b) PatchMyShieldHeader, a virtual function, takes the corresponding items from the client's PE header and fills in ClientEntry, ClientImportAddress, ClientImportSize, ClientCode and ClientDataBase; it also fills the machine's SAC into MyShieldHeader.sac.

(4) According to the data stored in MyShieldSection, modify the client's PE header: (a) SetShieldSectionHeader: add a section, the Shield section, to the client's PE header, fill the Shield section's properties into this section header, increment the client's number of sections by 1 and zero the section header after it. (b) UpdateClientHeader: update the rest of the client's PE header, i.e. change the entry point to Shield's entry (Shield's original entry plus the "section offset" of the Shield section within the client image becomes the new entry address) and replace the client's ImportAddress and ImportSize with Shield's ImportAddress and ImportSize. (5) Transform the sections (in the subclass): (a) ReadOneSection: read all the data of the section into a buffer. (b) TransformOneSection, a virtual function: if this section's Characteristics are a subset of EncryptCondition in MyShieldSection, call the virtual function Encrypt on the section (the data in the buffer). A subclass may override this function (the MergeNet subclass does). (c) WriteOneSection: write the data in the buffer to the output file, then write the data lying between this section and the next directly (without encryption) to the output file. By the PE file definition, data in the file need not be mapped into the image, as shown in Figure 7-5. Because the unmapped data may be read from the file while the client program runs (most typically in self-extracting files, where the data after the last section is not mapped into memory), it cannot be encrypted. Note that unmapped data area 0 is read together with the client's PE header; that part is written to the output file along with the modified client PE header.
(d) WriteOutFile: first write the modified client PE header to the output file, then call ReadOneSection, TransformOneSection and WriteOneSection for each client section, and finally write the ShieldSection to the output file. This function is a "template method" in design-pattern terms.

(e) UpdateOutFile: call XXGetFAC to compute the MD5 hash, write it into MyShieldHeader, and write the updated ShieldSection to the output file. That concludes the base class of the MERGE module. The MergeNet subclass overrides or extends the Merge base class as follows: (1) Override the virtual function Encrypt: in the base class MERGE, Encrypt is an empty function. MergeNet must override it because the encryption key is switched in the Register module. MergeNet::Encrypt therefore first encrypts the data with xxSimpleEncrypt and then with xxComplexEncrypt. (2) Add a function GenerateSn that generates a random SN; the constructor calls GenerateSn, sends the SN to the Server and receives SNKEY, APK and other information in return. (3) Override PatchMyShieldHeader: compute the MD5 hash of the ShieldSection and store it in MyShieldHeader, then encrypt the ShieldSection code, and finally call Merge::PatchMyShieldHeader. (4) Add a method EncryptImport, which takes an IMAGE_SECTION_HEADER as parameter and encrypts the Import Table in that section with the SmartEncrypt method; this is more complicated, and its flow chart is Figure 7-6. (5) Override TransformOneSection: because the client's Import Table is to be encrypted, this function checks whether the client's Import Table lies in the current section and, if so, calls EncryptImport to encrypt it. (6) Add a method PatchCAC, which computes the MD5 hash of the ShieldSection code (and static data) and stores it in MyShieldHeader. The MD5 computation skips MyShieldHeader and ShieldImportTable, because the CAC is stored in MyShieldHeader and Windows fills the addresses of the imported functions into ShieldImportTable when the encrypted client is loaded. (7) Add a method ExtenPT, which encrypts 90% of the code (and static data) in ShieldSection; it is decrypted again when the program runs.
7.6 The Register module. This module is processed much like the MergeNet module. (1) ReadShieldSection: read the ShieldSection from the input file into a buffer. (2) DeEncrypt: this method processes the input data as follows:

m = xxComplexDecrypt(m, k1)
m = xxSimpleEncrypt(m, k2)
m = xxSimpleDecrypt(m, k1)
m = xxComplexEncrypt(m, k2)

Together with Encrypt in MergeNet and Decrypt in SHIELD, this guarantees that the plaintext never appears in memory during re-encryption. (3) The remaining methods have the same function as in MergeNet, e.g. WriteOutFile and its subordinate methods, but the processing is simpler than in MERGE: WriteOneSection alone does the work of ReadOneSection, TransformOneSection and WriteOneSection in the MERGE module.
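As an added example (not the thesis's code), this carries the DeEncrypt chain through with two concrete layers, and shows why the order matters: the intermediate states are never the plaintext. The thesis does not say which cipher each xx function uses, so a SHA-1 counter-mode XOR stream is assumed for the "simple" layer and RC4 for the "complex" layer; the keys and sample code bytes are constructed.

```python
import hashlib
from typing import List, Tuple

# Added example, not the thesis's code. The chain works because
# xxSimpleEncrypt(k2) and xxSimpleDecrypt(k1) commute (both are XORs), so the
# data stays masked while the key is switched from k1 (hash of SNKEY) to k2
# (hash of LocalKey). Simple = XOR key stream, complex = RC4 are assumptions.


def keystream(key: bytes, n: int) -> bytes:
    """n key-stream bytes derived from key with SHA-1 in counter mode (illustrative)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha1(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def xx_simple_encrypt(m: bytes, key: bytes) -> bytes:
    """Simple layer: XOR with the key stream."""
    return bytes(a ^ b for a, b in zip(m, keystream(key, len(m))))


def xx_simple_decrypt(m: bytes, key: bytes) -> bytes:
    """XOR is its own inverse."""
    return xx_simple_encrypt(m, key)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xx_complex_encrypt(m: bytes, key: bytes) -> bytes:
    """Complex layer: RC4 under the given key (assumed, see lead-in)."""
    return rc4(key, m)


def xx_complex_decrypt(m: bytes, key: bytes) -> bytes:
    return rc4(key, m)


def mergenet_encrypt(m: bytes, k1: bytes) -> bytes:
    """MergeNet::Encrypt: simple layer first, then complex layer, both under k1."""
    return xx_complex_encrypt(xx_simple_encrypt(m, k1), k1)


def register_deencrypt(c: bytes, k1: bytes, k2: bytes) -> Tuple[bytes, List[bytes]]:
    """Register's DeEncrypt: re-key from k1 to k2, returning every intermediate state."""
    states = []
    m = xx_complex_decrypt(c, k1); states.append(m)   # still masked by simple(k1)
    m = xx_simple_encrypt(m, k2);  states.append(m)   # masked by k1 and k2
    m = xx_simple_decrypt(m, k1);  states.append(m)   # masked by simple(k2) only
    m = xx_complex_encrypt(m, k2); states.append(m)   # complex(simple(m, k2), k2)
    return m, states


def shield_decrypt(c: bytes, k2: bytes) -> bytes:
    """SHIELD at run time: remove the complex layer, then the simple layer, under k2."""
    return xx_simple_decrypt(xx_complex_decrypt(c, k2), k2)


# Constructed sample "client code" and keys.
SAMPLE_CODE = bytes(range(64)) * 2
K1 = hashlib.sha1(b"SNKEY-constructed").digest()
K2 = hashlib.sha1(b"LocalKey-constructed").digest()
```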

Because Register does not need to be inherited from, there is no need to split it into so many methods.

7.7 The Server module. The functionality of Server is mainly reflected in its communication with MERGE and Register, but it still has some features of its own: (1) Database files and data are handled with the STL (Standard Template Library, reference [20]), using its map template. The map class has three template parameters: KeyType, ValueType and CompareFunction. In Server, KeyType is defined as

typedef struct tagUserSn { BYTE sn[SN_LENGTH]; } UserSn;

and ValueType as

typedef struct tagUserInfo { BYTE sac[SAC_LENGTH]; DWORD isLisenced; } UserInfo;

CompareFunction is defined as

class SnCmp {
public:
    bool operator()(const UserSn& k1, const UserSn& k2) const {
        return memcmp(&k1, &k2, sizeof(UserSn)) < 0;
    }
};

(2) Because Server must handle requests from multiple users at the same time, user requests are handled with multithreading, and the database they all access becomes a critical resource whose mutual exclusion the threads must guarantee. (3) Server signs the SN sent by MERGE or Register with its own key pair (private key ASK, public key APK). The standard use of signing in CryptoAPI is to compute the hash of the data and then sign the hash; I follow this standard. The signature algorithm is 4096-bit RSA and the hash algorithm is SHA. (4) The other functions of Server are described under "Implementation of the authorisation protocol" below.

7.8 Implementation of the software licence protocol. This section is an exact description of how the whole software licence protocol is implemented. Assume Server, Merge and Register run on different machines. The Server authorises software sold by the developer, whose software has, of course, been protected with my software. First, A gives his software P to B and runs Server (assume Server's IP address is 202.193.64.34):

Server DataFile.dat 2000 2001

Server runs continuously, receiving requests from Merge and Register; its role and operating mechanism are described in the protocol below. To sell a copy of software P, B runs the Merge program:

Merge P.EXE SHIELD.EXE Q.EXE 202.193.64.34 2001

The Merge program generates a random SN: using the millisecond uptime of B's computer as the seed, it computes a string of random numbers, 16 bytes in total.
First, the MERGE program computes the MD5 hash value CAC over everything except MyShieldHeader and the Import Table and stores it in the CAC field of MyShieldHeader. Next, MERGE uses SN as the key of a simple XOR algorithm to encrypt most of the shell's code (and data), everything except the shell's MyShieldHeader, its import table, and the code that removes this layer of encryption, which cannot itself be encrypted. Then, using SN as the password, MERGE encrypts the Import Table with the "SmartEncrypt" algorithm; because each item of the Import Table is a small piece of data, the smallest two bytes, and many items have variable length, a particularly fast stream cipher is used here. Then MERGE sends SN to Server. Server looks SN up in the registration database; if it is found (which happens only with negligible probability), it tells Merge that a duplicate SN was produced, and Merge discards it and computes a new SN. If it is not found (almost always the case), Server registers SN in the database with the isLisenced field set to false.

Then Server computes the hash H of SN with the SHA secure hash algorithm and signs H with its own private key ASK, giving SNKEY, which it sends to B as the decryption password together with its own public key APK. After the MERGE program receives SNKEY and APK from the server, it verifies SNKEY with APK: decrypt SNKEY with APK to obtain H', compute the hash H of the SN that was sent to Server, and if H' equals H the verification passes; otherwise it fails, and this is reported back to Server for handling. After verification, MERGE uses K1, the SHA hash of SNKEY, as the key of a symmetric cipher (RC2, 3DES or the like; I use RC2) to encrypt P, producing the file Q'. MERGE then zeroes the whole SAC field in the MyShieldHeader of Q', computes the MD5 hash of Q' and stores it in the FAC field of MyShieldHeader. The FAC field itself is skipped while hashing; this differs from an XOR checksum, where the field can be set so that XORing all FAC_LENGTH-byte units of the file yields zero and the check passes, and similarly for CRC. Finally the changed FAC field is written into the file Q. After the software is sold to C, C runs the registration program:

Register Q.EXE R.EXE 202.193.64.34 2000

First, Register verifies Q's hash value; if it passes, it continues, otherwise the file is considered damaged and handled accordingly (for example verify once more, or prompt C to exchange the software, since the disc has very likely suffered physical damage). Then the registration program reads the serial number SN from Q, obtains the hardware information HD of the local host, computes the hash value SAC (System Authentication Code) of HD, and sends both to Server.
Server looks SN up in the database. If SN is found and has already been registered, and the SAC it received is identical to the stored SAC, registration is accepted: the same copy may be installed and registered several times on the licensed computer. If SN is found but not yet registered, the SAC sent with SN is stored in the database and used to verify this computer later. Next, Server computes the hash H of SN, signs it with its private key ASK to obtain SNKEY, sends SNKEY to user C as the decryption password, and sends its public key APK to C as well. If SN is not found, the client may be in error; a retransmission is requested, and after repeated errors further handling can be applied (for instance treat it as a malicious attack on the server and stop answering that client).

The registration program running on C's computer, after receiving SNKEY and APK from the server, verifies SNKEY with APK: decrypt SNKEY with APK to obtain H', compute the SHA hash H of SN, and pass if H' equals H. Then Register computes K1, the SHA hash of SNKEY, and removes the K1 layer with one cipher while using another hash of the local host's hardware information just obtained, LocalKey (the hash algorithm for LocalKey differs from the one for SAC, but both take the same input, C's hardware information HD). Register then computes K2, the SHA hash of LocalKey, and encrypts P with K2. Combining the SimpleCrypt and ComplexCrypt algorithms in this process ensures that, while K1 is removed and K2 applied, the plaintext never appears in memory, so a cracker cannot dump it at this stage. The encrypted data from these steps is written to the file R. Finally Register computes the MD5 hash of file R, stores it in the FAC field of the MyShieldHeader structure in the shell, and updates file R, i.e. writes the rewritten MyShieldHeader with the FAC into R.

7.9 Client code (data) encryption/decryption flow chart. Figure 7-7 describes the encryption/decryption process of client code (data). With this method the original data M (the client code or data being encrypted) never appears during the whole process; the client code (data) is only ever decrypted by Shield. In Figure 7-7, SE stands for xxSimpleEncrypt, SD for xxSimpleDecrypt, CE for xxComplexEncrypt and CD for xxComplexDecrypt.

8 Instructions for use and demonstration. 8.1 User instructions. Server, Merge and Register run in console mode on Windows 98 and Windows NT 4.0/Windows 2000/Windows XP, but software encrypted with this tool runs only on Windows NT 4.0/Windows 2000/Windows XP. The software developer's server runs the Server program with the command line:

server datafile.dat user_port seller_port

where datafile.dat is the database file specified by the developer (if the file does not exist or is invalid, Server creates a new one), seller_port is the port used to request SNKEY from Server when a copy is generated, and user_port is the port used by user C to register the software. To sell a copy of the software, execute:

Merge P.exe Shield.exe Q.EXE ServerIP seller_port

where P.exe is the software to be encrypted, ServerIP is the address of Server, seller_port is the port Server opens for sellers, and Q.EXE is the output file. A user who has bought Q.EXE registers with:

Register Q.EXE R.EXE ServerIP user_port

where R.exe is the final output file; the remaining parameters need no further explanation.

8.2 Demonstration and effects. The package contains four .bat batch files and a notepad.exe. To demonstrate on a single machine: (1) Run RunServer.bat (double-click it). (2) Without closing the server, run Maker.bat (double-click it). This produces three files: file1.dat is the registration database, Q.EXE is the generated copy, and R.exe, produced by registering with register.exe, is the encrypted and registered NOTEPAD.exe, which runs only on your computer. To delete the files generated locally, run Delfiles.bat. To see the expected demonstration effects, follow these steps: (1) Open R.exe in UltraEdit and modify one byte. Run R.EXE: a message box appears saying the file has been changed, and it refuses to run.
(2) Disassemble R.exe with WDASM: only the jump instructions at the entry are correct and almost all remaining instructions are wrong; IDA Pro gets even more of them wrong. (3) Load R.exe in WDASM and single-step automatically: because the code keeps modifying itself, WDASM stops immediately. (4) Copy R.exe to another machine: a message box says that a copy of the software can run only on the machine where it was registered. (5) Copy Q.EXE to another machine and run the registration program: the server replies "A software copy can only register to a machine." The R.exe generated by this illegal operation does not run, exactly as we expect. (6) Run the registration program again on the correct machine: the server replies "Machine verification" passed. (7) Run SoftICE (on either the correct or an incorrect machine) and then R.EXE: a message box says SoftICE was found in memory, and it refuses to run.

(8) In SoftICE set the breakpoint BPX CreateFileA DO "D *(ESP+4)", then run R.exe: a message box says a breakpoint instruction was found at the entry of CreateFileA, and it refuses to continue. (Under normal circumstances a cracker's breakpoint BPX CreateFileA DO "D *(ESP+4)" would skip past the SoftICE detection; but the cracker cannot get through this way, because the breakpoint itself is detected.) (9) In SoftICE modify the contents of an address, e.g. one byte at 0x1010346: a message box says the code has been changed, and it refuses to run.

9 Limitations, shortcomings and outlook. Nothing can be perfect and this software is no exception; I personally think it is good, but not very good. 9.1 Restrictions on using this software: (1) it currently works only under Windows NT/Windows 2000/Windows XP; (2) only EXE files can be encrypted; (3) software with its own self-check cannot be encrypted, because such a self-check and the checks in this software rest on the same principle: if the file changes at all, a verification error appears. A typical example is ReadBook, although ReadBook only shows a prompt when it detects a file check error and does not stop the user from using it. 9.2 The shortcomings of this software are: (1) the encryption of individual files may have problems; a known case is a DLL version mismatch error when the encrypted software is used. (2) Because the encrypted software checks for piracy, resists tracing, decrypts the original code and fills in the original program's import table at run time, it loads more slowly, though running performance after loading is unaffected. On a Celeron 300A/192 MB RAM/Windows 2000 machine, the encrypted Notepad is about 1 second slower and ACDSee about 3 seconds slower.
On a PIII 733/192 MB RAM/Windows 2000 machine, opening Notepad feels no slower. (3) Because the shell transfers control to the original program, the original program's code (and data) is plaintext by then and can be dumped by a cracker. Although I wipe the original program's import table, the scheme may still be cracked as follows: (4) the cracker scans all DLLs in memory, obtains their module handles, scans the RVAs of all their exported functions and computes the functions' real addresses, then compares them with the function addresses in this encrypted program's IAT to recover the ImportDescriptor and INT information of the IAT and thereby rebuild the Import Table; the whole program is then cracked. (5) In the digital-signature procedure, a man-in-the-middle attack causes Merge (or Register) to receive a wrong SNKEY and APK. If the communication between MERGE and Server is attacked, the Server's registration database (i.e. the software developer's) is deceived by the attacker (equivalent to obtaining a registration). If the attacker also eavesdrops on the communication between Register and Server, the user may receive a wrong SNKEY that nonetheless passes signature verification, decrypt incorrectly, and run wrongly decrypted code. This does not get the developer's software cracked, but it damages the developer's reputation.

Using a more complex secure communication protocol would avoid this, but the early design was already fixed and there was little time later, so this regret remains. 9.3 Outlook. Subsequent development could add the following: (1) To defeat the cracking method in (3) above, "code transfer" can be used: part of the client program is "transferred" into Shield and a JMP to the transfer target is placed at the original location, as shown in Figure 9-1. The difficulty is transfer instructions inside the moved client code. I envisaged two approaches, both hard to implement. First approach: the constraint is that only immediate-operand transfers can be handled, i.e. transfer instructions with no register operand, because a register operand would require evaluating the register, which amounts to emulating the program and is very complex. It can handle Jxx xxxx and Jxx [xxxx], where xxxx must be an immediate and not a register, and Jxx stands for all relative jumps, such as JMP (unconditional jump), JA, JNA, JB, JNB and so on; it can also handle CALL xxxx and CALL [xxxx], again with xxxx an immediate and not a register. Every "basic block" (a term from compiler construction) in the program is a node of a graph; initially only the basic block starting at the entry point is known and becomes the first vertex. When a jump instruction is encountered, its target, also a basic block, becomes the next node. This is a depth-first traversal. Of course, to decode instruction lengths an opcode table of the entire machine instruction set is needed, and the operand (the transfer target) of every transfer instruction to be handled must be computed, and so on.
Second Solution: Write an INT 1 (Trace Interrupt) routine to get the machine status after each instruction, so that the correct execution process can be obtained. Further, the code block that is desired to be transferred can be obtained. Similarly, this also requires the entire machine instruction set operation code table, and so on. (2) Change Merge and Register's communication protocol to secure communication protocols, you can use SSL protocols, you can also design security and communication protocols in TCP protocols and CryptoAPI. Blocking intermediary attacks. (3) In order to prevent the API function called in the Cracker blocking program, only two necessary functions loadLibrarya and getProcadDress are imported, and other API functions are imported. (4) To further prevent CRACKER DUMP memory, you can copy the IAT (import address table) of the original program into a "stack" and ruin the entire (connected IAT) in the original program, and finally All JMP [xxxx] and call [xxxx] commands in the API are changed to YYYY in this stack memory. (5) In addition, you can use some other more complex techniques such as Shield to decrypt the Client as a thread as a thread, while you still have a background monitoring program is tracked, and so on. (6) Finally, a friendly graphical interface can be written, easier to use the user, connecting Server without IP addresses and domain names.
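The first "code transfer" solution in (1), as an added example that is not part of the thesis: a depth-first traversal that discovers basic blocks by following only transfers with immediate operands and reporting register-operand transfers as unhandled. The Insn listing, its addresses and the fixed per-instruction lengths are constructed assumptions standing in for a real opcode-length table.

```python
# Added example, not the thesis's code: depth-first basic-block discovery over a
# constructed symbolic listing. Each Insn carries its own length, standing in
# for the opcode-length table a real x86 decoder would need.
from collections import namedtuple
Insn = namedtuple("Insn", "addr mnem operand size")
PROGRAM = [  # constructed sample with hypothetical addresses, not real code
    Insn(0x1000, "mov", "eax, 1", 5),
    Insn(0x1005, "cmp", "eax, 0", 3),
    Insn(0x1008, "jnz", 0x1014, 2),       # immediate target: followed
    Insn(0x100A, "call", 0x1020, 5),      # immediate target: followed
    Insn(0x100F, "jmp", 0x1018, 5),
    Insn(0x1014, "xor", "eax, eax", 2),
    Insn(0x1016, "jmp", "[ecx]", 2),      # register operand: outside constraint
    Insn(0x1018, "ret", None, 1),
    Insn(0x1020, "ret", None, 1),
]
TRANSFERS = {"jmp", "ja", "jna", "jb", "jnb", "jz", "jnz", "call"}

def discover_blocks(program, entry):
    """blocks: start -> instruction addrs; edges: start -> successor starts;
    unsupported: transfers whose operand is a register (the constraint)."""
    by_addr = {i.addr: i for i in program}
    blocks, edges, unsupported = {}, {}, []
    stack = [entry]                      # depth-first worklist of block starts
    while stack:
        start = stack.pop()
        if start in blocks:
            continue
        addrs, succ, pc = [], [], start
        while True:
            insn = by_addr[pc]           # KeyError here: listing not decodable
            addrs.append(pc)
            nxt = pc + insn.size
            if insn.mnem in TRANSFERS:
                if isinstance(insn.operand, int):
                    succ.append(insn.operand)
                else:
                    unsupported.append(pc)
                if insn.mnem != "jmp":   # Jcc and CALL fall through; JMP does not
                    succ.append(nxt)
                break
            if insn.mnem == "ret":
                break
            if nxt in blocks:            # ran into a known block: add edge, stop
                succ.append(nxt)
                break
            pc = nxt
        blocks[start], edges[start] = addrs, succ
        stack.extend(succ)               # newest targets are explored first
    return blocks, edges, unsupported
```

A jump landing in the middle of an already discovered block would additionally require splitting that block, which this example leaves out.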

10 Conclusion

10.1 Summary

Through in-depth analysis of the PE file format and the underlying operating mechanism of Windows, this software encrypts the protected program with a high encryption strength and a high difficulty of cracking, better even than some commercial encryption software. Given the special needs of the software industry in my country, encryption software will act as a protector of intellectual property in the future. The contest between encryption and decryption, or between anti-piracy and piracy, will continue. Our goal is to keep encryption technology ahead of decryption technology most of the time and to keep studying new encryption methods, so that the technology, time and resources needed to crack a protected piece of software exceed its development cost and practical value, thereby ensuring in a real sense that the protected software is not pirated during its life cycle.

10.2 Acknowledgments

This thesis was completed under the careful guidance of Professor Gu Tianlong and Huang Yuan. From choosing the topic and building the structure of the article to the final documentation, everything benefited from the careful attention of Professor Gu and Teacher Huang, whose rigorous scholarship benefited me greatly. Here I express my most sincere gratitude to Professor Gu and Teacher Huang. The software was also developed under their careful guidance, which helped overcome many difficult technical problems. At the same time, I would like to thank my family, classmates and the enthusiastic users who provided valuable comments (http://www.9cbs.net): Veribigbug, Handsome, Coolkiller, Zycat2002 (Exhibition Yao), ATM2001 (Squirrel), Lownr (Liao Yue), Wowocock (Machine Cat).


Please indicate the original source when reposting: https://www.9cbs.com/read-28319.html
