Inside ExeCryptor
Posted 2007. 6. 21. 16:01, Filed under: Study/Computer Science
Most of the available protection schemes use a so-called 'mounted scheme': the protection program adds code to your program that encrypts it, compresses it and guards it against debuggers. When your program is started, this code unpacks, decrypts and restores your application to its original state.
In such a case the cracker's job is straightforward: he disables the anti-debugging tricks and dumps the unpacked and decrypted application code. After disassembling and analyzing that code, he needs only a little patching to obtain a fully functional unprotected copy.
What are the weak points of such protection?
• Protection code added to an application is usually more or less standard, and sooner or later it becomes the subject of detailed analysis. Once the security code is analyzed, reverse engineering of the protected application becomes a snap. In addition, there are many automatic deprotectors that crackers can use against the most popular protection solutions.
• The protected code of your application is encrypted, but before it can be executed the protector has to decrypt it and pass control to it. This moment can be intercepted by an intruder, who then gains access to the original code for analysis or modification.
EXECryptor uses a conceptually new approach to protecting software applications. The core of the protection technology is a new concept of code transformation called "Code Morphing". This technology protects the code at the CPU-instruction level. It is well known that the x86 instruction set is redundant: the same computation can be carried out by many different instruction sequences. EXECryptor breaks the protected code up into individual processor instructions or small instruction snippets and replaces them with others, while maintaining the same end result. Thus EXECryptor obfuscates the code not at the source level but at the level of CPU instructions.
Code Morphing is a multilevel technology containing hundreds of unique code transformation patterns. In addition, it includes a special layer that transforms some instructions into Virtual Machine commands (like P-Code). EXECryptor's Code Morphing turns binary code into an undecipherable mess that does not resemble normally compiled code, and completely hides the execution logic of the protected code.
Unlike other code protectors, EXECryptor has no concept of code decryption. Protected code blocks are always in an executable state and are executed as transformed code. The original code is completely lost, and restoring it is an NP-hard problem.
In addition, you do not have to worry about the size or speed of your program, because you do not need to transform its entire code. You only need to protect the critical parts responsible for serial number verification, trial expiration dates and other evaluation restrictions. The rest of the application code remains intact, and execution speed remains the same.
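Added example (not code from the original page or from EXECryptor): a toy Python model of the instruction-level substitution described above. Each rewrite rule replaces one x86-style instruction with a longer sequence that leaves the same register state, rules are applied in several layers, and a small interpreter checks that the morphed program still behaves like the original. The register machine, the opcode set and the rules are assumptions; CPU flags are ignored, which a real morpher cannot afford to do.

```python
# Added example, not code from the original page or from EXECryptor: a toy model
# of instruction-level code morphing. Assumptions: 32-bit registers, CPU flags
# ignored (a real morpher must preserve them), only a handful of x86-style ops.
import random

MASK = 0xFFFFFFFF

def _val(x, regs):
    """Operand value: an int is an immediate, a str names a register."""
    return x & MASK if isinstance(x, int) else regs.get(x, 0)

def execute(program, regs=None):
    """Interpret a list of (opcode, operands...) tuples; return final registers."""
    regs, stack = dict(regs or {}), []
    for op, *a in program:
        if op == "mov":    regs[a[0]] = _val(a[1], regs)
        elif op == "add":  regs[a[0]] = (_val(a[0], regs) + _val(a[1], regs)) & MASK
        elif op == "sub":  regs[a[0]] = (_val(a[0], regs) - _val(a[1], regs)) & MASK
        elif op == "xor":  regs[a[0]] = _val(a[0], regs) ^ _val(a[1], regs)
        elif op == "neg":  regs[a[0]] = (-_val(a[0], regs)) & MASK
        elif op == "push": stack.append(_val(a[0], regs))
        elif op == "pop":  regs[a[0]] = stack.pop()
        else: raise ValueError(f"unknown opcode {op}")
    return regs

# Rewrite rules: one instruction -> a longer sequence with the same effect on r.
# Only immediate sources are rewritten, so a rule never reads what it clobbers.
RULES = {
    "mov": [lambda r, k: [("push", k), ("pop", r)],
            lambda r, k: [("xor", r, r), ("add", r, k)]],
    "add": [lambda r, k: [("sub", r, (-k) & MASK)],                 # r + k == r - (-k)
            lambda r, k: [("neg", r), ("sub", r, k), ("neg", r)]],  # -(-r - k) == r + k
    "sub": [lambda r, k: [("add", r, (-k) & MASK)]],
}

def morph(program, depth=2, seed=0):
    """Apply random equivalent rewrites `depth` times (multilevel morphing)."""
    rng = random.Random(seed)
    for _ in range(depth):
        out = []
        for ins in program:
            if ins[0] in RULES and len(ins) == 3 and isinstance(ins[2], int):
                out.extend(rng.choice(RULES[ins[0]])(ins[1], ins[2]))
            else:
                out.append(ins)
        program = out
    return program

def equivalent(p, q, inputs=({},)):
    """True if both programs leave the same register state for every start state."""
    return all(execute(p, s) == execute(q, s) for s in inputs)
```

Because every rule expands one instruction into two or three, each morphing level makes the listing longer while the observable result stays fixed, which is why an analyst sees hundreds of instructions where the source had one statement.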
Below is a code sample generated by Delphi and a partial listing (the full listing contains over 500 instructions) of the transformed code.
Source code:
    {$I crypt_start.inc}
    WriteLn('Test OK');
    {$I crypt_end.inc}
After compilation:
Protected code (partial): [listing not reproduced]
----------
ExeCryptor is an executable packer.
It won't load in OllyDbg, which is really frustrating.
I was curious about how it works, so I've been picking it apart for the past few days.
I can't figure it out at all, heh.
It runs the decryption routine through a callback function registered in the TLS section.
It packs by changing the code not at the source-code level but at the hardware level.
(So is that why Olly bails out complaining about an instruction it can't handle? -_-)
Anyway, frustrating, frustrating.
I'd better start with the easy stuff~
Source: http://www.strongbit.com/execryptor_inside.asp