Protective mechanism
【statement】
I wrote the article to communicate, I hope everyone can maintain the integrity of the article when reprint.
[Foreword]
This time, with the introduction of the protection mechanism, it is not written in a shelling method. In fact, I have misleaded a lot of kind speakers. Understanding a shelling software is the main thing to understand its protection mechanism, which is also a little after I learned. The knowledge of a little protection mechanism described below. Here is only to learn and understand the knowledge of protection mechanisms together with me.
Parallel Author: ljttt
Factory Date: 2001-01-01 (Torp's Stuff Dongdong usually writes this date)
1, first, let's look at a relatively simple self-protection method. This code is as follows:
0040cc54: 03f3 add esi, EBX <- ESI points to a certain piece of code, ECX is the length of code (DWORD)
0040cc56: 8B06 MOV Eax, DWORD PTR [ESI] <- 4 bytes in the code
0040cc58: 33d0 xor EDX, EAX <- xor
0040cc5a: f7d2 Not EDX <- Reverse
0040cc5c: 33d1 xor Edx, ECX <- Different from ECX (Code Length)
0040cc5e: 03d0 Add Edx, Eax <- adds 4 bytes in the code plus
0040cc60: 83c604 add esi, 00000004 <- Located to the lower 4 bytes in the code
0040cc63: 49 DEC ECX <- Code length minus one
0040cc64: 75f0 jnz 0040cc56 <- cycle
First describing the function of this code: You can see this code as a pointer with ESI, save the length. The data points to the ESI are different or reverse, and finally a "value" is obtained in EDX.
So what connection with your own protection? Let me briefly say if ESI = 0040cc54, ECX = 0040cc64 - 0040cc54. So is this code that is the code of your code (too or reverse)? OK!
So what will change if you set a breakpoint in this code? Will the "value" get the "value" will be the same as the original did not rule?
Let's take a brief introduction with Softice. When you set a breakpoint in the Softice debugging environment, the first byte of the code in this breakpoint becomes 0xcc.
In this way, the code is changed because the code is changed, and the "value" of the operation is not the same as not. You may think of this value, you can use the comparison method to determine if it is handled down. Nice, this is a way, but this is easy to be ... in the case of the shell software, the "value" will generally be used as the restore key to restore the next code.
That is, the so-called SMC skills restore code. (However, if you use D command in Softice, you didn't find changes. Oh, but if you start another debugger TRW2000, come to display this line code, then look at it? Oh, do you understand? ?)
2, SMC skills to restore code.
In casing software, the segmentation reduction code is a very common method. Maybe you have experienced this experience. (Who, make it like a prose ?!) You tracked a software and found a certain piece of code, such as CPUID (corresponding hexadecimal code 0x0F 0xA2). But find when you use the hex editing software to find 0x0f 0xa2, but how can you find, why?
In fact, it is very simple, that is, in the executable of the program, the encrypted data is saved, and only the program will decrypt this encrypted data from the program at a time by the program, (the reduced data is You can "see" the real code "to see" in the debugger). Then, the program executes this reduced code. Now you are clear! For example, the code introduced in 1 is used to form a restore key. Only when the key is correct, that is, it first, "bow", when "discovery" is not modified (or set off When you point), you still "quietly" restore another encrypted code. Then continue!
A little meaning! In casing software, if it "wants to" protect a certain piece of code, it will encrypt it, and then use another code to form a key with another code when running! This prevents you from static analysis of it, of course, in order to prevent you from using dynamic tracking, it also combines the self-protection method introduced in 1. In this way, if you mean into the trap (set a breakpoint in his own protection), then the restore code is a bunch of spam code. If so, don't write to the author, say that his program has a problem? !
(Of course, SMC skills can be used as a variety of purposes. Don't have a first-in-one concept, SMC skills can be used as a method of shelling software as itself, or can be used as a method of crack, so. ..... how to use, still in you! ... you want to use "virus" ..... Old days, why is the genius always rebel factor!)
The brief introduction to the simple self-protection skills, maybe you have long thought about dealing with it, such as:
Do not set any breakpoints, use single-step tracking methods
Or first track the correct key, once the next tracking, only "give" correctly when it takes the pound.
Or use the BPM breakpoint only track data, and the method of not tracking the code is dynamically tracked.
You can also think of more. . . .
Of course, in order to better protect itself, it will not just protect yourself in the casing software. What protects the method in the case where you can prevent the above method?
3, an anti-tracking method: deformed by the API call.
You may like to set up at a critical API function before entering the program code for tracking. But this method can be careful in changing the case.
Let's take a look at this code:
015F: 00411B6A 33C0 xor Eax, Eax <- ESI points to the entrance to the API function address, such as CreateFilea ()
015F: 00411B6C AC LODSB <- Get a byte 015f: 00411B6D 3C50 CMP Al, 50 <- Judging whether it is 50
015F: 00411B6F 720F JB 00411B80 <- less than 50, jump to 00411B80
015F: 00411B71 3C57 CMP Al, 57 <- Judging whether it is 57
015F: 00411B73 770B JA 00411B80 <- greater than 57, jump to 00411B80
......
015F: 00411BD3 897A01 MOV [EDX 01], EDI
015F: 00411BD6 8B831F7B0000 MOV EAX, [EBX 00007B1F]
015F: 00411BDC 8B8B237B0000 MOV ECX, [EBX 00007B23]
015F: 00411BE2 8B93277B0000 MOV EDX, [EBX 00007B27]
015F: 00411BE8 8BBB3B7B0000 MOV EDI, [EBX 00007B3B]
015F: 00411Bee 8bb3377b0000 MOV ESI, [EBX 00007B37]
015F: 00411BF4 8BAB337B0000 MOV EBP, [EBX 00007B33]
015F: 00411BFA 8B9B2B7B0000 MOV EBX, [EBX 00007B2B]
015F: 00411C00 E900000000 JMP 00411c05 <- The jump here will be modified to one instruction within the API function address.
(Note: When entering this code, ESI points to the entry address of an API function, and presses the various parameters required by the API function in the stack pointing to the ESP. Due to the longer code, there is no complete listing)
The role of the above code is to analyze the partial code started by analyzing (or reverse approve) API functions, then this part of code "copy" is executed in its own process space, then enter the internal code of the API function. Continue to execute the API function.
This way, when you are in the entrance to this API (such as: bpx createfilea), "block" does not come, why? Because it does not execute from the API function entry. Instead, it is entered from "side door". Hey, plus the shell software is more interesting! Maybe, then you will think, then do you have a code in the internal code of the API function? You have to be careful, the plus-shell software has kindness, and there is also a "prank". It conducts "disassembly" by analyzing the code started with the API function, on the one hand, on the other hand, if you are in the code it analyzed When breakpoints, it may also be a killer, because the code of the breakpoint is 0xcc, which does not like this command in the API function. If you are this ........ 4, the method of backed dynamic tracking.
Of course, the casing software may not just put the eyes to prevent you to break the point, or it may put "vision" on the prevention of debugging. For example, the most direct is to detect whether to load the debugger or some tool software in your current environment. such as:
This Method Is Most Known As 'Meltic' Because It Has Been Freely Distributed
Via www.winfiles.com. However it was first used by Numega People to Allow Symbol
Loader to Check if Softice Was Active or Not (The code is located inside nmtrans.dll).
The Way IT Works Is Very Simple:
IT Tries to Open Softice Drivers Handles (Sice, Siwvid for Win9x, Ntice for Winnt)
With the createfilea api.
Here Is A Sample (Checking for 'Sice'):
Bool Issoftice95Loaded ()
{
Handle hfile;
Hfile = Createfile (".//sice", generic_read | generic_write,
File_share_read | file_share_write,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
IF (hfile! = invalid_handle_value)
{
CloseHandle (HFILE);
Return True;
}
Return False;
}
The above is a document from Frogsice. Use CreateFile () to open some special "files", if the return value is not -1, it can "find" to load the Softice. Of course, this method can be common in Win98 / NT, so it is common.
Similarly, if you change the string //./sice
//./Ntice detects Softice under NT
//./Filemon detection Filemon
/ /REGMON detection Regmon
//Trw detection TRW
//./Trwdebug Detection TRW
//./Icedump detection iCEDUMP
You can "find" other tracking.
Another common method of detecting Softice is as follows, which is also taken from Frogsice documents.
* * Softice SHOULD NOT BE LOADED SO THAT FROGSICE CAN DETECT this Method * *
This Method of Detection of Softice (As Well as the Following ONE) IS
Used by The Majority of Packers / Encryptors Found On Internet.
IT Seeks The Signature of Boundschecker in Softice
MOV EBP, 04243484BH; 'BCHK'
MOV AX, 04H
INT 3
CMP AL, 4
JNZ Softice_Detected
In fact, there are many ways to test the Softice method, introduced some in Frogsice's documentation, and the introduction here is just a spot. If you have the most "new" anti-tracking method, you must notify me. ^ _ ^
5, self-protection and reactionary state tracking:
Finally, let's take a look at this code:
015F: 0040DDD8 01ff Add EDI, EDI
015F: 0040DDDA C783CB18000090010000MOV DWORD PTR [EBX 000018CB], 00000190
015F: 0040DDE4 8beb MOV EBP, EBX
015F: 0040DDE6 BA561E0000 MOV EDX, 00001E56
015F: 0040DDEB 03D3 Add Edx, EBX
015F: 0040DDED 52 Push EDX
015F: 0040DDEE 6467FF360000 Push DWORD PTR FS: [0000] <- SEH
015F: 0040DDF4 646789260000 MOV FS: [0000], ESP <- SEH
015F: 0040DDFA 89A3A3760000 MOV [EBX 000076A3], ESP
015F: 0040DE00 BECD1E0000 MOV ESI, 00001ECD
015F: 0040DE05 03F3 Add ESI, EBX
015F: 0040DE07 8BFE MOV EDI, ESI <- EDI = 40DECD
015F: 0040DE09 B90F0A0000 MOV ECX, 00000A0F <- ECX = 0xA0f, ECX Saved is a loop number
015F: 0040DE0E 8B93FC760000 MOV EDX, [EBX 000076FC]
; ------------------------------------------------- -------------------------------------------------
The following code is similar to the code of 1.
The code segment (015F: 40D8 - 015F: 40DECA) is calculated by calculating the initial value of EDX to form a "key"
The result is still saved in EDX.
; ------------------------------------------------- ------------------------------------------------- 015F : 0040DE14 56 Push ESI <- Cycling Beginning
015F: 0040DE15 51 PUSH ECX <- In the stack save, ECX saves the number of cycles = A0F.
015F: 0040DE16 B979010000 MOV ECX, 00000179
015F: 0040DE1B Bee6180000 MOV ESI @0018E6
015F: 0040DE20 03F3 Add ESI, EBX <- ESI = 40C000 18E6 = 40D8E6. (40C000 is the program entry)
015F: 0040DE22 8B06 MOV EAX, [ESI] <- 4 bytes in the code
015F: 0040DE24 33D0 XOR EDX, EAX
015F: 0040DE26 33D1 XOR EDX, ECX
015F: 0040DE28 83C604 Add ESI, 04
015F: 0040DE2B 49 DEC ECX <- The number of cycles is reduced, the ECX initial value is 179
015F: 0040DE2C 75F4 JNZ 0040DE22 <- This section is the same method as the previous introduction to protect its own protection
015F: 0040DE2E 59 POP ECX <- out of the stack
015F: 0040DE2F 5E POP ESI <- out of the stack
; ------------------------------------------------- -------------------------------------------------
This code uses "key" in EDX to restore the encrypted code in EDI, and the EDI initial value is 40Decd.
; ------------------------------------------------- -------------------------------------------------
015F: 0040DE30 Ad Lodsd
015F: 0040DE31 33C2 XOR EAX, EDX
015F: 0040DE33 AB Stosd
; ------------------------------------------------- -------------------------------------------------
This code is used to carry out anti-tracking
; ------------------------------------------------- ------------------------------------------------- 015F : 0040DE34 0F018BA57A0000 SIDT FWORD PTR [EBX 00007AA5] <- Take IDTR content
015F: 0040DE3B 8BB3A77A0000 MOV ESI, [EBX 00007AA7] <- Take the IDT Subterite Address
015F: 0040DE41 894E08 MOV [ESI 08], ECX <- Modify INT 1's handler address is ECX, so that you will die.
; ------------------------------------------------- -------------------------------------------------
; Transform "key".
; ------------------------------------------------- -------------------------------------------------
015F: 0040DE44 3393521E0000 XOR EDX, [EBX 00001E52]
015F: 0040DE4A 8BF7 MOV ESI, EDI
015F: 0040DE4C EB70 JMP 0040DEBE
...... (omitted)
015F: 0040DEBE FF834E1E0000 INC DWORD PTR [EBX 00001E4E]
015F: 0040DEC4 33D1 XOR EDX, ECX
; ------------------------------------------------- -------------------------------------------------
The determination of whether the loop ends, that is, all encrypted code behind it have been restored.
; ------------------------------------------------- -------------------------------------------------
015F: 0040DEC6 49 DEC ECX <- The number of cycles is reduced, the ECX initial value is A0F
015F: 0040DEC7 0F8547FFFFF JNZ 0040DE14 <- Cycle end
015F: 0040DECD 5F POP EDI <- encrypted code
015F: 0040Dece 44 Inc ESP <- Unrecovered code
This code is relatively long, so you have to understand it. This is a method of combining "backed dynamic tracking" and "self-protection".
You can see that the code after 015F: 0040Decd has been encrypted, this code is used to restore encrypted code. When this code cycle ends, the encrypted code has been restored, this is the application of SMC skills. In this code, "Key" is obtained by all the previous code to operate. And transform once a cycle. This is the self-protection introduced in 1. Prevent you from modifying its code or set off the breakpoint tracking. In addition, a method of "backend tracking" is added in the program is to modify the address of the interrupt handler of the single-step interrupt. In this way, your tracking environment is destroyed.
015F: 0040DE34 0F018BA57A0000 SIDT FWORD PTR [EBX 00007AA5] <- Take IDTR content
015F: 0040DE3B 8BB3A77A0000 MOV ESI, [EBX 00007AA7] <- Take the IDT Subterite Address
015F: 0040DE41 894E08 MOV [ESI 08], ECX <- Modify INT 1's handler address is ECX, so that you will die.
This is the characteristics of the shell software, and the combination of attack and defense. So I accidentally, you may fall into the trap it set, I saw "I came to Buddha." So in order to prevent it from being sent to Xishi. You have to work hard to understand your own protection, anti-tracking features and techniques. The shell software is generally such a trap heavy place. Of course, the protective mechanism of the shell software also has its weaknesses, as long as your program instructs the machine "Read", then dynamic tracking does not work, there will be static analysis, or a static combination. Therefore, there will be the appearance of various corresponding shelling machines. Of course, this is a "spear" and "shield" relationship. It is strong and weak. I think the key is to use the application and push new. For example, I often combine the MD5 / RSA / BLOWFISH and other encryption algorithms to calculate, how? ! Haha, then use IF instructions to register and judge! ? ...................
【postscript】
Since these protective mechanisms have more frequencies, it is also possible to introduce it. In fact, these things have been there. But I often like to have a new bottle of old wine for the production of water. In addition, I know more about Anti-Debug, and I hope to be able to throw a brick, can lead to more masters, let everyone go to fake.
