Re: New concept in software protection

From: Volker Birk (bumens_at_dingens.org)
Date: 10/07/05


Date: 7 Oct 2005 12:16:46 +0200

SoftComplete <igor@softcomplete.com> wrote:
> (the protection program adds code to your program that makes
> it encrypted, compressed and debugger protected).

I'm casting doubt on the latter. And a greeting from SoftICE to you ;-)

> What are the weak points of such protection?

What are the advantages of such "protection"?

> Unlike other code protectors, there is no concept of code decryption
> with this system Protected code blocks are always in the executable
> state, and they are executed as a transformed code. The original code
> is completely lost and code restoration is an NP-hard problem.

With all the disadvantages self-modifying code has. But first: please prove
that the problem is NP-hard; I cannot see that yet. Besides that, code
restoration may not be possible at all (is the relation bijective?);
usually, it's not needed anyway.

> In addition you do not have to worry about the size or speed of your
> program because you don't need to transform its entire code. You have
> to protect only critical parts of your code, responsible for serial
> number verification, trial expiration date, and other evaluation
> restrictions.

This is wrong. If you're "protecting" only these parts, then ignoring them
by slightly modifying the rest is very easy (as usual).

> Below is a code sample generated by Delphi and a partial (the full
> listing contains over 500 instructions) listing of the transformed
> code.
> Source code :
> writeln('Test OK');
> After compilation
> mov eax, [$004092ec]
> mov edx, $00408db4
> call @WriteOLString
> call @WriteLn
> call @_IOTest
> After the code transformation (partial):
> db 3
> add al, $30
> xlat
> call +$000025b2
> jmp +$00000eec
> call +$00000941
> or al, $4a
> scasd
> call -$304ffbe9
> rol eax, $14
> mov edi, [ebx]
> jmp +$00001738
> mov ebx, eax
> shr ebx, $03
> push ebx
> jmp +$0001b5e
> call -$000001eb
> jmp +$00003203
> jmp +$00005df8
> call +$00000910
> adc dh, ah
> fmul st(7)
> adc [eax], al
> les eax, [ecx+$0118bfc0]
> stosb

The classical obfuscation.

Yours,
VB.

-- 
If class libraries are compared to animals, MFC is the slime-warts toad.
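An added illustration of the point made in this reply (this is example code written for this page, not code from the thread and not SoftComplete's product): a toy stack VM in which the serial check is "protected" by a semantics-preserving rewrite (constants split with random XOR masks, junk operations, jumps over dead instructions), so that every seed yields a different instruction stream and the original three-instruction check never appears verbatim. The attacker does not need to restore the original: a single-instruction patch to the unprotected caller, turning the JZ that acts on the verdict into a DROP, unlocks the program for any serial. The opcode set, the KEY value and all names are assumptions made for the demo.

```python
"""Toy VM demo: 'protecting' only the serial check does not help when the
caller that consumes its verdict is left unprotected. Example code written
for this page; KEY, opcodes and names are assumptions."""
import random

KEY = 0x2A5F  # the "correct" serial (assumed value for the demo)

# Original, unprotected check: stack (serial) -> 1 if serial == KEY else 0
CHECK_ORIG = [("PUSH", KEY), ("EQ", None), ("RET", None)]

# Unprotected caller; the CALL target is filled in by build().
MAIN = [
    ("CALL", None),   # 0: verdict = check(serial)
    ("JZ", 4),        # 1: verdict == 0 -> locked path
    ("PUSH", 1),      # 2: "unlocked"
    ("HALT", None),   # 3
    ("PUSH", 0),      # 4: "locked"
    ("HALT", None),   # 5
]


def run(prog, stack, max_steps=10_000):
    """Execute prog from address 0 with the given initial stack; return the final stack."""
    stack, pc, calls = list(stack), 0, []
    for _ in range(max_steps):
        op, arg = prog[pc]
        pc += 1
        if op == "PUSH":
            stack.append(arg)
        elif op == "DROP":
            stack.pop()
        elif op == "DUP":
            stack.append(stack[-1])
        elif op == "XOR":
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == "EQ":
            b, a = stack.pop(), stack.pop()
            stack.append(int(a == b))
        elif op == "JMP":
            pc = arg
        elif op == "JZ":
            if stack.pop() == 0:
                pc = arg
        elif op == "CALL":
            calls.append(pc)
            pc = arg
        elif op == "RET":
            pc = calls.pop()
        elif op == "HALT":
            return stack
        elif op != "NOP":
            raise ValueError(op)
    raise RuntimeError("step limit exceeded")


def transform(block, seed):
    """Semantics-preserving rewrite: 'PUSH K; EQ' becomes '(x ^ r) ^ (K ^ r) == 0'
    with a random mask r, with stack-neutral junk and jumps over dead code
    inserted between instructions. Block must contain no internal jumps."""
    rng = random.Random(seed)
    out = []

    def junk():
        kind = rng.randrange(4)
        if kind == 0:
            out.append(("NOP", None))
        elif kind == 1:
            out.extend([("PUSH", rng.randrange(1 << 16)), ("DROP", None)])
        elif kind == 2:
            out.extend([("DUP", None), ("DROP", None)])
        else:  # jump over instructions that are never executed
            dead = [("PUSH", rng.randrange(1 << 16)) for _ in range(rng.randrange(1, 4))]
            out.append(("JMP", len(out) + 1 + len(dead)))  # block-relative target
            out.extend(dead)

    i = 0
    while i < len(block):
        junk()
        if block[i][0] == "PUSH" and i + 1 < len(block) and block[i + 1][0] == "EQ":
            r = rng.randrange(1 << 16)
            out.extend([("PUSH", r), ("XOR", None)])
            junk()
            out.extend([("PUSH", block[i][1] ^ r), ("XOR", None), ("PUSH", 0), ("EQ", None)])
            i += 2
        else:
            out.append(block[i])
            i += 1
    return out


def build(check_block):
    """Place the check block after MAIN and relocate its block-relative jumps."""
    base = len(MAIN)
    reloc = [(op, arg + base) if op == "JMP" else (op, arg) for op, arg in check_block]
    return [("CALL", base)] + MAIN[1:] + reloc


def protected_program(seed):
    return build(transform(CHECK_ORIG, seed))


def run_program(prog, serial):
    """Returns 1 if the program reaches the 'unlocked' path, else 0."""
    return run(prog, [serial])[-1]


def bypass(prog):
    """Attacker patch: one instruction in the UNPROTECTED caller. The JZ that
    consumes the verdict becomes a DROP, so execution always falls through to
    the 'unlocked' path. The protected block is never touched or decoded."""
    patched = list(prog)
    assert patched[1][0] == "JZ"
    patched[1] = ("DROP", None)
    return patched


if __name__ == "__main__":
    prog = protected_program(seed=7)
    print("correct serial:", run_program(prog, KEY))        # 1
    print("wrong serial:  ", run_program(prog, KEY + 1))    # 0
    print("patched caller:", run_program(bypass(prog), 12345))  # 1
```

The check block itself is different for every seed and is never restored; the patch works because the verdict still has to flow back into ordinary, unprotected code that decides what to do with it, which is exactly the "slightly modify the rest" attack.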

