New software encryption method

[Franeppe]

This article intruduce you a new software encryption method:
hxxp://www.codeproject.com/useritems/objantihack.asp

The idea is not new. In fact it is already used in nearly every protector having some kind of VM features.

But I think the best part is the following:

Code:

[...]
3. Principle of work
[...]
    C. Running the real code in stack
       Push encrypted instruction code to stack, decrypt it,call it!
[...]

This will make all people with DEP turned on (you can't even turn it off on Windows x64) happy, since each and every instruction will now crash the application.

Edit:
I just checked the sample application. It's full of code like this one:

Code:

xor         d,[esp][06],023436576
mov         eax,esp              
call        eax

Of course it will crash.

[dyn!o]

Quick notes from me since JMI may disable my account for lack of posts

1. Presented method is old as hell (look at viruses).

2. Unfortunately it has nothing common with vm. It does not even smell like vm

3. "Erase RET instruciton", "use JMP to divide code" - uhm... it was good trick but my callendar shows 2006.

4. I am a bit surprsied seeing real professional coder, like LiuTaoTao, suggesting that stack execution, even ecnrypted, may stop serious cracker. Bad news: stack analysis will help a lot during reversing. Again: we have 2006 so let's forget it. In 2007 don't even mention it.

Anyway, good news is that LiuTaoTao is back. I was wondering many times about such a talent, being conviced he was lost in some cheap company. It's very good to see him back, even in other field than his specialization.

Quote:

Originally Posted by dyn!o

2. Unfortunately it has nothing common with vm. It does not even smell like vm

Well, really?

So you say that if you have split the code into single instructions, decoded everything so far that each instruction can be placed at any memory location in any random order and know enough about the code to convert it into any code doing the same, it is more than one simple step to write a VM?

I didn't say that this is a VM, only that this trick is used in VM protectors. Perhaps you can explain me how VM protectors work if they don't use this "trick".

[dyn!o]

Quote:

So you say that if you have split the code into single instructions, decoded everything so far that each instruction can be placed at any memory location in any random order and know enough about the code to convert it into any code doing the same, it is more than one simple step to write a VM?

That is exactly what I say my friend

I would say more: IMHO that is not even a small step for vm development. It's still only a sample of pure code scrambler. Of course it will complicate reversing, especially when you take memory blocks checksum results as descrambling arguments/parameters or opcodes decryption. Complicate, but for whom? Approximately 95% crackers. There is still 5% left of them and they expect much harder protection.

IMHO VM has to operate in own environment (CPU, registers, stack, memory - including structure and communication). Sometimes virtual machines are misunderstand with virtualization but the topic we discuss is not close to virtualisation too (VMWare and VirtualPC are).

EDIT: Sorry, I did not notice your question "how vm works then". Well, each one of us can have own definition and imagination but if you want to take a look at vm inside protector then you can take Themida - it contains vm but it resembles x86 (I mean is not very hard to reverse). Question why is another topic, but you can answer it yourself looking at SPARC/PowerPC open source emulators available on the net.

Next kind of virtual machines are the ones residing in Atari/ZX/C64/Amiga emulators. They are often "perfect" virtual machines, able to serve as real virtual environment. If we are talking about vm in protections then definitely the best vm resides inside StarForce - it is already a legend. The rest is mystic...

Regards.

Well, I know the difference between virtualisation and a virtual machine. And, again, I didn't say this protection uses a VM.

Of course a VM needs a operating environment. But anybody can code a VM in just two minutes (OK, maybe 2 hours if you don't just want to have a two-opcode VM, but something which can be used for something).

But the problem is not to create the VM, the problem is how to convert any existing piece of code into virtual opcodes, which behave in the VM exactly like the original opcodes on a real CPU.

And if you've already analysed the original code deep enough to use the type of protection mentioned in the first post, it is just a simple step to convert any instruction into a virtual opcode and run it in the VM.

What other really big part do you miss, if this "is not even a small step for vm development"? (assuming that I'm not a super great coding mastermind and therefore don't understand where the big problem is hiding)

[dyn!o]

Oh my , I have no advanced knowledge about virtual machines or protections. I just came today, after a long break, to raise my post count in order to keep my account alive - I am serious. I took the first thread in General Discussion - it was a coincidence of choosing this topic. I am talking about my dreams only. Not "the only truth".

Quote:

Well, I know the difference between virtualisation and a virtual machine. And, again, I didn't say this protection uses a VM.

I did not say you do.

Quote:

Of course a VM needs a operating environment. But anybody can code a VM in just two minutes (OK, maybe 2 hours if you don't just want to have a two-opcode VM, but something which can be used for something).

Interpreter my friend... I guess you had that thing in mind. Interpreter is not a virtual machine (it's only a part of it) but you are right: the simpliest interpreter can be coded in 2h. You can find it in many crackmes and less viruses.

Quote:

But the problem is not to create the VM, the problem is how to convert any existing piece of code into virtual opcodes, which behave in the VM exactly like the original opcodes on a real CPU.

So the question is: how do you want to achieve such a result without writing a virtual machine (quote: "But the problem is not to create the VM")?

Quote:

And if you've already analysed the original code deep enough to use the type of protection mentioned in the first post, it is just a simple step to convert any instruction into a virtual opcode and run it in the VM.

I cannot agree. I could do if it is about myself only but many people read this thread and many other will do it in the future. Let's do not suggest them that with x86 "scrambler" we are simple step from running the code inside virtual machine. Virtual machine requires own environment, while LiuTaoTao's solution, in its strongest theoretical assumption, requires only an interpreter. Please take a look at the quote below to find my humble opinion regarding this point too.

Quote:

What other really big part do you miss, if this "is not even a small step for vm development"? (assuming that I'm not a super great coding mastermind and therefore don't understand where the big problem is hiding)

I am also not a mastermind but let's take a look at things which seems a bit complex for me if we are talking about "what do we miss":

1. Stack frames (not to mention FPU stack pointer )
2. Registers
3. Code evaluation
4. Exceptions
5. Non-static code support
6. Memory management
7. Privileged instructions
8. System API emulator
9. Interrupts
10. Threads
11. System calls

If that seems easy for anyone then we can extend this list at least twice.

Kind regards.

[Maximus]

You are over-extending Markus post. The VM steps you enlisted up are for a VirtualPC emulator, and they needs not to be 'explicit'. A VM can be shaped in many forms, with implicit or explicit flow and myriads of variants, you would agree that the bulk of a scrambler and a (not complex) VM might have syntactic similarities. The big difference lie on the _semantic_ plane, on structures that are built over them - which magically appears if and only if you are aware of the game you are playing.
You can reverse a VM in little time if you know what you are looking, or just go mad for indefinite time. From a coding point of view, the result can be similar. There lies Markus assumption, i suppose.
Coding a VM however requires more than an interpreter. You are translating code out its original machine, with all the implications of the case (we could go on theory with Church/Turing theorem, goedel incompleteness etc. etc. but it's boring).

Maximus

[dyn!o]

Quote:

The VM steps you enlisted up are for a VirtualPC emulator, and they needs not to be 'explicit'

VPC stuff indeed needs these points, also explicit control flow must occur. That's the part I agree. Now let's make the topic harder and erase the following points: 7-11. The first six are left and are still needed for a "real" virtual machine in the meaning of any protector. If they will not occur then I call it not a virtual machine but pure interpreter. Summarizing: IMHO the first six points should appear in order to call an engine a virtual machine.

Quote:

A VM can be shaped in many forms, with implicit or explicit flow and myriads of variants, you would agree that the bulk of a scrambler and a (not complex) VM might have syntactic similarities.

Yes, syntatic similarities.

Quote:

You can reverse a VM in little time if you know what you are looking, or just go mad for indefinite time. From a coding point of view, the result can be similar. There lies Markus assumption, i suppose.

You can reverse VM in little time, that is right. SafeDisc, SecuROM, new ASProtect - do they contain virtual machine? The discussion would start from the beginning.... "Syntatic similarities" - this name is a good solution for our topic. I would not say they contain vm but I agree they have "syntatic similarities" in the meaning of virtual machine. I also agree they can be reversed in a reasonable amount of time.

Quote:

we could go on theory with Church/Turing theorem, goedel incompleteness etc. etc. but it's boring

That is the point - boring. Church-Turing vm related solutions are very good but IMHO not here. IMHO they are too weak to implement in protections because of systematic logic.

Why do I think so?
It will be hard to understand/imagine for some of us since we are jumping from logical discussion into abstract level. According to Church conjecture we can perform (recalculate) any possible algorithm with a computer. In software protection we need a kind of reverse thesis IMHO. Turing dream was to replicate the human mind but if we want to achieve the highest level of security, in the meaning of software protection, then all we have to do is erase logic word from the dictionary. This is the place where I see the chance of disabling/confusing human mind. The thesis could look like this

"A function, which would be computable inside X engine, cannot be computed outside its environment without intelligent behavior and learning process."

So what it changes in the meaning of cracking? Nothing, the software will always be crackable. Proposed thesis extends the time needed for analysis. It extends it a lot. StarForce follows a logic and it is still the very best protection, requiring a minimum of two weeks for analysis and cracking. So far there is no proof of anyone who managed to rebuild its virtual machine code (if properly implemented). Now, imagine that StarForce goes into the level I propose. How many people could be able worldwide to crack such a protection? 2, 5? How many of them will get the protection in hands? How many of them will have any interest of continous painfull analysis/cracking? Even if one cracks such a protection then, assuming dynamic structure, another cracking attempt will require similar amount of time to crack one title.

A dream? No, a matter of time. The one who develop such a solution will definitely win the race on security market, leaving competitors few years behind. StarForce is a very good protection, I would say: "definition". But it still can be a lot better. Just like us.

Regards.

[evlncrn8]

naw, starforce really depends on the amount of protection added, i cracked starforce in under 1 hour generically, just depends on how heavy the protection is...

as for starforces vm, theres 2 (or more), one ring 0, one ring 3, thats where it makes things a bit tricky.. and starforce lost a lot of customers due to their business practice, and 'tactics'..

[Maximus]

One of the strongest reverser I knew took 3 weeks to get the way of the cd-check from scratch... and you cracked SF in ONE hour?!?!

_oh my god_

you are not joking, really?!?!
(What's wrong with their business practice? I noticed they lowered alot the prices quite time ago, but I didnt relate this to such event mmh...)


Maximus

[dyn!o]

Quote:

starforce really depends on the amount of protection added

That is the peculiarity of every vm based protection.

Quote:

i cracked starforce in under 1 hour generically, just depends on how heavy the protection is...

StarForce PE wrapper on the titles they protect without changing target's source code? That is possible but I hope you did not had in mind StarForce vm patching/removal/rebuilding.

Quote:

(What's wrong with their business practice? I noticed they lowered alot the prices quite time ago, but I didnt relate this to such event mmh...)

They do not really have any "business practice". Their PR is much worse than ExeTools one (keeping in mind that ExeTools does not have and does not need any). I am not joking. Sometimes it is better to talk nothing (SecuROM) instead of old slogans (SafeDisc) and graceless statements (Tages, StarForce).

That is not important anyway since, IMHO, it wasn't the thing which stopped StarForce (slowed down?). Their marketing is poor but software security market does not really care about such topics. They did only one mistake, giving all the opponents the best weapon they could ever receive... but that is another story.

Regards.

Well, I didn't expect my initial post to create this ammount of responses.

To make it easier to understand once again, how do VM-protectors work?

1. Do they have their own C++ cross-compiler which compiles all code to the VM-bytecode
or
2. Do they just take the compiled x86 code and analyse it in the same way ObjAntiHack also does?

The answer is most likely "2". The VM protector does not work without the step which ObjAntiHack does, so "it is already used in nearly every protector having some kind of VM features", isn't it?

[evlncrn8]

Quote:

Originally Posted by Maximus

One of the strongest reverser I knew took 3 weeks to get the way of the cd-check from scratch... and you cracked SF in ONE hour?!?!

_oh my god_

you are not joking, really?!?!

nope, not joking, had to do a crack fix after it though because the e9 redirects had +400000 added to where they should have gone heh

also had 3 vm blocks (really ripped bink code. and some code from the c lib)

it was a complete rebuild, not just a cdcheck bypass.. i had the original disk so i didnt have to bother with that bit (which is admittedly a total pain)

and having to read through the 38mb logfile my tool produced wasn't fun either

Quote:

(What's wrong with their business practice? I noticed they lowered alot the prices quite time ago, but I didnt relate this to such event mmh...)

their business practice is really 'persuading' their customer that their software will get cracked - they got in trouble recently by posting a torrent link to 'prove' their claims...their support also sucks as they mostly always claim the user is a pirate...

and cracking starforce is just time consuming, their api crap is pretty easily reversed once you see a flaw in their 'morphing' code, the only tricky part is from the vm bounce back (from r3->r0->r3 again)...

and again, cracking it is heavily dependant on whats actually implimented, the one i did had 2 vm calls, 700 or so 'hidden' files, and about 30 e9 redirects,

breed for example is a pretty simple one... pacman worlds is a fair bit tougher, but the vm calls in that are all bink crap, so if you analyse another bink exe you'll see how it was done...