Jump to content

Reverse Engineering Prevention

SomethingToChatWith
 Share

Recommended Posts

SomethingToChatWith Newbie

SomethingToChatWith

Posted
Posted

Ok, so I'm not all that great with assembly but with intelisense came across the option to put in a AssemblyHashAlgorithm line using md5, sha1, or none in AssemblyInfo.vb. Does this actually protect your application with the chosen algorithm? I'm in the market for an easy to use tool otherwise that can take an executible and encrypt its contents so it still can be used but at the same time protect against reverse enginerring like Chris has shown on a .net app in a past hak5 episode.

So if you had an award winning app you wanted to protect, what would you use?

Perhaps this would be a good follow up to the episodes on how to break it, versus showing us how to protect against it...

Link to comment
Share on other sites
dr0p Newbie

dr0p

Posted
Posted

Pretty sure that has nothing to do with blocking reverse engineering. In all actuality, the toughest thing for a reverser to deal with is code virtualization (trust me on this one). Unless you're on a really old/slow machine, or you're doing some crazy math formula, your end user won't really notice that it's being virtualized so you don't have to worry about that. And of course you can always add anti-debug tricks such as IsDebuggerPresent() but those are easily bypassed and don't work nearly as well as code obfuscation / encryption. In the end though, if a reverser has enough time, there is absolutely nothing you can do to stop him or her from achieving his or her own goal.

Some easy to use options for anti-reversing are EXECryptor, Armadillo, and Themida.

Link to comment
Share on other sites
SomethingToChatWith Newbie

SomethingToChatWith

Posted
  • Author
Posted

Drop, thanks for your feedback. Those tools look great for if I ever want to go into professional development. Thing is, I don't need licensing or key systems right now and the pricing on some of those tools are ridicuous for a single developer, just a simple solution to safeguard against reverse engineering to easily get access to the orginal source code.

Zimmer, I'm actually interested in putting built-in validation in the application, but I havent been programming long enough to know how to implement it :(

Link to comment
Share on other sites
Zimmer Newbie

Zimmer

Posted
Posted
Zimmer, I'm actually interested in putting built-in validation in the application, but I havent been programming long enough to know how to implement it sad.gif

Built in Validation??? Do you mean to validate that it is not being revere engineered?

Link to comment
Share on other sites
MuNk Newbie

MuNk

Posted
Posted
Ok, so I'm not all that great with assembly but with intelisense came across the option to put in a AssemblyHashAlgorithm line using md5, sha1, or none in AssemblyInfo.vb. Does this actually protect your application with the chosen algorithm? I'm in the market for an easy to use tool otherwise that can take an executible and encrypt its contents so it still can be used but at the same time protect against reverse enginerring like Chris has shown on a .net app in a past hak5 episode.

So if you had an award winning app you wanted to protect, what would you use?

Perhaps this would be a good follow up to the episodes on how to break it, versus showing us how to protect against it...

Protecting your software..

EXECryptor, Armadillo, and Themida. can be unpacked with a ollydbg no skill really required. the best method is to make your own secure Crypter.

Anti-VM, Anti-Sandbox, Anti-dbg are the 3 main catagorises that crypters used on bots/viruses/worms etc.. are designed for ,yourself you just need a Anti-dbg, you could just look at the info thats avalible from conflicker worm which has some simple but very effective code for detecting this stuff.

Example code (delphi / inline asm)

function OllyPresent() : boolean;
begin
  asm
    mov   Result,0
    cmp   esi,0FFFFFFFFh
    jne   @@ollyEnd
    mov   Result,1
    @@ollyEnd:
  end;
end;


function InDebugger():boolean;
begin
  OutputDebugString(PChar('Hi'));
  if GetLastError = 00000006 then
    Result := TRUE
  else
    Result := FALSE;
end;

Crypters work well, your program is encrypted and compressed inside the stub, the stub will have all sorts of anti-dbg code in it, thus this should make your program protected and safe. well to a level at least =]

Link to comment
Share on other sites
dr0p Newbie

dr0p

Posted
Posted

@MuNk: I realize that a custom crypter does a muchmuchmuch better job at protecting an EXE but since he asked if changing a variable in the assembly info pane would protect his EXE, I didn't think he was quite up to it, so I offered easy solutions. Imho a segment about how crypters work and how to make a basic one that just does a simple xor routine or something would be simply amazing and an eye opener for a lot of people in this community, but for some reason I just don't see that happening :x

Link to comment
Share on other sites
SomethingToChatWith Newbie

SomethingToChatWith

Posted
  • Author
Posted

Zimmer, by validation I meant check for known debuggers and kill them as you suggested.

Custom cryptor than. It'll be a good learning experience so thanks everyone...

If you got links to any paticular places that would explain the proccess of building one than that would definetly help. I agree with Drop here, it would be nice if hak5 did some more programming segments but unforunately the critizing they receive for the projects they've done with "oh this insert code works a lot better than what was shown on an episode" I don't see it happening either.

Link to comment
Share on other sites
dr0p Newbie

dr0p

Posted
Posted

Well there are two parts to making a crypter. The first part is meshing your target file(s) with the stub that you have coded. Usually the stub will locate the OEP in the target program(s) and append this this along with the actual exe to the stub, and then encrypt the target. Then, when the program is run, the stub does anti-debug and anti-vm checks, decrypts the target program, and then uses the OEP that it stored along with CreateThread() to start the target going. However, if you're more advanced (and I mean a lot more) you can create a special handler that only decrypts the target in RAM as each piece of memory is needed, and then encrypt it again when it's not in use, but this is much more difficult to code and rarer to see.

Link to comment
Share on other sites
dr0p Newbie

dr0p

Posted
Posted
I see. I wonder if I could take advantage of .net's encryption classes for this purpose? Create a separte project that'll decrypt and run the actual program if the right conditions have been met...

In all honesty, .NET sucks for this kind of stuff.

Link to comment
Share on other sites
  • 1 month later...
SomethingToChatWith Newbie

SomethingToChatWith

Posted
  • Author
Posted

Well by accident I came across Dotfuscator. I'm wondering how good it actually is... anyone? I found out that they actually install it along side VS for all versions except the express so sure enough it showed up in my tools menu in VS. Registered the community edition (here comes the spam :( ). Supposedly all a beginner needs to do is to select the input tab, import the assembly they want to use, select the build tab, and hit build according to thier help file, but when I attempt to build I get a brief flash of status at the bottom of the screen and nothing but empty directories (see attachment).

Its canceling the build for no reason. I've changed the output directory and even specified a temp directory. Nothing appears on the output tab. I can't figure out whats going on here and getting really frustrated having had to register. Anyone know what I'm doing wrong?

Update: Expanded the details pane at the bottom after setting build output to verbose (see second attachment). Apparently its requiring a VS file or version I don't have, but I don't see how that can be. I'm using VS Pro 2008.

Link to comment
Share on other sites
  • 3 weeks later...
shawty Newbie

shawty

Posted
Posted

All Dotfuscator does Somthing... is to mangle the stub names, assemblies and MSIL calling structure. Anyone with enough time and patience can still reverse engineer it, I've done it myself using nothing more than a hex editor.

As Drop pointed out, .NET is rubbish for what your trying to do, personally if it where me, i'd go the path you where thinking, that is write your own encryption routine to encrypt your compiled EXE.

If you make creative use of the file IO functions, or even use PHP's binary safe file functions, then you can put together your own bit twiddling code quite easily, once you've got a prototype for encrypting it, you could then use MASM32 (http://www.masm32.com/) and build a small loader that you tag onto the front of said encrypted data, that would then take care of decrypting, loading into memory then passing control to.

Your other alternative is to try using self modifying code, again this is something I've done in the past, but alas not so much on the X86 platform, i did used to do this kind of trick all the time on the ARM VLSI Platform cause the instruction set was perfect for it.

Unfortunately there is one big drawback with both methods.

Anti virus software. Most AV's these days will pick up what your trying to do through heuristic analysis and may prevent your code from running. As an example, i have bad problems with apps packed using "Themedia" as AVG goes balistic whenever i try to run one, and usually detects it as "Win32/Themedia" virus.

The reason?

Simple, a lot of malware authors pack thier files using Themedia and so the AV is erring on the side of caution. Anything thats going to modify it's own structure in memory is likley to trigger some sort of reaction from an AV, which leads me to my final point.

Most AV's expect some kind of manipulation of resources, so what i generally do these days is i write my program as normal, but for my protected code, i use them a little like overlays of the bygone dos days.

Create your protected routines as DLL's, then zip/gzip/mash whatever them and attach them to your main program as resource files, and simply unpack and late bind to them on the fly, remembering to unbind and delete them when your program exits.

Link to comment
Share on other sites
  • 1 month later...
ibionika Newbie

ibionika

Posted
Posted

Hi all

I hope if posted in the right place.

Basically i was wondering are there any methods of reverse engineering an image that has been altered in some way? Im doing a forensic project at uni and ive got a few images that have been altered using an image manipulation program called GIMP. However im not sure how to find out what changes have been made to the image or how to view the image in its original format. I downloaded GIMP to see if they had a method of reverse engineering a picture however that didnt prove successful.

Any help would be much appreciated

Thanks

linty

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...