Encrypt code in exes (decrypt at runtime)

Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Hi! Here's what I came up with after watching some code here on the forum. I created a way to encrypt pieces of code in the executables that get decrypted at runtime. The demonstration has 2 files: the exe you protect and the encryptor. First create a file called "Test.exe" from the Test.pb file, then execute Encryptor.pb and the code between those 2 labels will be encrypted. At runtime, it will decrypt and run normally.

[Code removed, see second page for an updated version]

Enjoy and please if you make it better post it here so all can benefit from it :)
Last edited by Inf0Byt3 on Fri May 27, 2011 3:37 pm, edited 4 times in total.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
srod
PureBasic Expert
Posts: 10589
Joined: Wed Oct 29, 2003 4:35 pm
Location: Beyond the pale...

Post by srod »

Very very nice. :)

It works well.

Thanks for this.
I may look like a mule, but I'm not a complete ass.
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Thanks! I'll try and mod it further. Maybe even make it support multiple encrypted blocks. With proper encryption, this can help minimize cracking a bit.
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

Nice :)
Little bugfix to the test.pb file:

Code: Select all

;By Inf0Byt3, 10OCT07
;Free to use, credits appreciated
;Modifications/bugfixes must be made public

;The code address
CStart = ?X
CEnd = ?Y
CDiff = ?Y-?X

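;Unprotect!
;The block is executable code, so keep execute permission while making it writable
Mode = #PAGE_EXECUTE_READWRITE
Result=VirtualProtect_(CStart,CDiff,Mode,@OrigMode)
;unXOR!
For I = CStart To CEnd
v=PeekB(I)
a=v ! 100
PokeB(I,a)
Next I
;Protect
;Restore the original protection (the last parameter must be a pointer)
VirtualProtect_(CStart,CDiff,OrigMode,@Mode)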

;Here's the protected code!
Goto lbl1
!_MarkBegin1 db "CRYPT_START"
lbl1:
X:
MessageRequester("","This code here is scrambled")
For t = 97 To 122
a$ + Chr(t)
Next
MessageRequester("","Result "+a$)
Goto ov:
Y:
!_MarkEnd1 db "CRYPT_END"
ov:
;The protected code ends here
!

In this one I added a jump over the DB's. Otherwise they will mess up the code afterwards :)
Rook Zimbabwe
Addict
Posts: 4322
Joined: Tue Jan 02, 2007 8:16 pm
Location: Cypress TX

Post by Rook Zimbabwe »

Not to flog a dead pony or anything, BUT!!!

With some slight revision of this you could create an Armadillo-like software security system.

:D
Binarily speaking... it takes 10 to Tango!!!

http://www.bluemesapc.com/
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

Well, we would need some things like adding sections to the exe's (unless we use another approach) :)
There is a huge difference in doing this source-level or compiled-level.

But surely not unlikely to happen one day..

But for now there are other things on the plan :D
Rings
Moderator
Posts: 1435
Joined: Sat Apr 26, 2003 1:11 am

Post by Rings »

Ha, I did something a long time ago,
should be the same way.
http://www.purebasic.fr/english/viewtop ... sc&start=9

Any question now: did that work under Vista?
SPAMINATOR NR.1
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Of course! I was inspired by your code, especially the xor-ing and memory (de)protection ;). Oh and Thefool is using Vista 64Bit and it seemed to work :).
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Does anybody have an idea how to make the encryptor patch in multiple places in the exe? I have a logical problem with this. I have no idea how to get more than the first offset and everything I tried failed.
utopiomania
Addict
Posts: 1655
Joined: Tue May 10, 2005 10:00 pm
Location: Norway

Post by utopiomania »

First, thanks for the tip, but FYI, this isn't the way execryptor works. Execryptor messes up the final assembly to the point where no man can read it, but your CPU can. It doesn't decrypt the mess at runtime.. :)
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Oh, I just meant that it uses those "CRYPT_START" and "CRYPT_END" labels to secure the code.
DoubleDutch
Addict
Posts: 3220
Joined: Thu Aug 07, 2003 7:01 pm
Location: United Kingdom

Post by DoubleDutch »

Here are my improvements:

Code: Select all

;By Inf0Byt3, 10OCT07 
;Free to use, credits appreciated 
;Modifications/bugfixes must be made public
; subtle "mod" by DoubleDutch, credits appreciated too! ;)

;The code address 
CStart = ?X 
CEnd = ?Y 
CDiff = ?Y-?X 

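;Unprotect!
;The block is executable code, so keep execute permission while making it writable
Mode = #PAGE_EXECUTE_READWRITE
Result=VirtualProtect_(CStart,CDiff,Mode,@OrigMode)
;unXOR!
For I = CStart To CEnd-1
  v=PeekB(I)
  a=v ! 100
  PokeB(I,a)
Next I
;Protect
;Restore the original protection (the last parameter must be a pointer)
VirtualProtect_(CStart,CDiff,OrigMode,@Mode)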

;Here's the protected code! 
!_MarkBegin1 db $eb,$06,$eb,$fc,$eb,$fa,$eb,$f8 
X: 
MessageRequester("","This code here is scrambled") 
For t = 97 To 122 
 a$ + Chr(t) 
Next 
MessageRequester("","Result "+a$) 
Y: 
!_MarkEnd1 db $eb,$06,$eb,$fc,$eb,$fa,$eb,$f8 
End

;The protected code ends here! 
; alternative tag: !db	$eb,$04,$eb,$04,$eb,$fc,$eb,$fc

Code: Select all

;By Inf0Byt3, 10OCT07 
;Free to use, credits appreciated 
;Modifications/bugfixes must be made public 
; subtle "mod" by DoubleDutch, credits appreciated too! ;)


If ReadFile(0,"Test.exe")
  ;Load the whole executable into memory
  Total = Lof(0)
  *Mem = AllocateMemory(Total)
  ReadData(0,*Mem,Total)
  CloseFile(0)

  ;Scan for the 8-byte tag, compared as a single quad
  Tag.q=PeekQ(?EncoderTag)
  *addr=*Mem
  For loop=0 To Total-8
    If PeekQ(*addr)=Tag
      If EStart
        If EEnd
          ;A third tag means more than one start/end pair: give up
          Debug("Error - more than one encoded section! "+Hex(*addr))
          EStart=0
          EEnd=0
          Break
        Else
          Debug("found end "+Hex(*addr))
          EEnd=*addr
        EndIf
      Else
        Debug("found start "+Hex(*addr))
        EStart=*addr
      EndIf
    EndIf
    *addr+1
  Next

  ;XOR every byte between the end of the start tag and the start of the end tag
  Patched=0
  If EStart And EEnd
    For loop=EStart+8 To EEnd-1
      x=PeekB(loop)&$ff
      x!100
      PokeB(loop,x)
      Patched+1
    Next
  EndIf

  ;Write the patched image back over the original file
  If CreateFile(0,"Test.exe")
    WriteData(0,*Mem,Total)
    Debug Str(Patched)+" bytes patched"
    CloseFile(0)
  EndIf

EndIf
DataSection
EncoderTag: Data.b $eb,$06,$eb,$fc,$eb,$fa,$eb,$f8
EndDataSection

This is a newer version than I posted before; it now uses quads to search for the tag. I've commented an alternative tag that could possibly be used as a different start tag - this way you could have multiple encoded sections with alternating start/end tags?

Don't jump over the tags like thefool suggested, it's built into the tag itself. It's better using this method of tags because it's less obvious what's going on when disassembling the code than using plain text.
https://deluxepixel.com <- My Business website
https://reportcomplete.com <- School end of term reports system
Inf0Byt3
PureBasic Fanatic
Posts: 2236
Joined: Fri Dec 09, 2005 12:15 pm
Location: Elbonia

Post by Inf0Byt3 »

Thank you! I'll take a look at it tomorrow morning (terminated LOL). I already made the multiple block crypt, I'll try to morph the solutions together and post it. Oh, and I want to change the license for the code a bit, to make it more "liberal" :).

Code: Select all

;Modifications/bugfixes must be made public 
to

Code: Select all

;It would be nice to improve it if you have time and if you want to share the knowledge

Thanks again!
pdwyer
Addict
Posts: 2813
Joined: Tue May 08, 2007 1:27 pm
Location: Chiba, Japan

Post by pdwyer »

Is the xor 100 just to give an example of where the xor encryption would take place? What would you use there normally?

If I get one of these exe's and xor the entire thing with 100, everything will turn to garbage except the secret part which will become human readable and stand out.

I gather some sort of serial number etc from a valid licensed user?
Paul Dwyer

“In nature, it’s not the strongest nor the most intelligent who survives. It’s the most adaptable to change” - Charles Darwin
“If you can't explain it to a six-year old you really don't understand it yourself.” - Albert Einstein
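
The point raised in the post above, as an added example that is not part of the original thread: a fixed single-byte XOR only permutes the byte histogram of the protected block, so the key can be read off the block itself once the marker bytes are located. The marker is the one from DoubleDutch's post; the sample image, the stand-in code bytes and all function names are constructed for illustration.

```python
from collections import Counter

# Marker bytes from DoubleDutch's post; every other value below is constructed.
TAG = bytes.fromhex("eb06ebfcebfaebf8")

def tagged_regions(image: bytes, tag: bytes = TAG) -> list:
    """Offsets (start, end) of the bytes enclosed by each start/end tag pair."""
    hits, pos = [], image.find(tag)
    while pos != -1:
        hits.append(pos)
        pos = image.find(tag, pos + len(tag))
    # Tags pair up in file order; an unmatched trailing tag is ignored.
    return [(hits[i] + len(tag), hits[i + 1]) for i in range(0, len(hits) - 1, 2)]

def guess_xor_key(region: bytes) -> int:
    """The most common ciphertext byte equals the key when 0x00 is the most
    common plaintext byte, which is typical of x86 code (zero immediates)."""
    return Counter(region).most_common(1)[0][0]

def recover(image: bytes) -> list:
    """For each tagged region return (guessed key, decoded bytes)."""
    out = []
    for start, end in tagged_regions(image):
        region = image[start:end]
        if not region:
            continue
        key = guess_xor_key(region)
        out.append((key, bytes(b ^ key for b in region)))
    return out

# Constructed stand-in for the protected block: a few x86 instructions
# (push 0 / push imm32 / call / mov eax,0 / xor eax,eax / ret).
PLAIN = bytes.fromhex("6a006a0068001040006a00e800000000b80000000031c0c3")

def build_sample(key: int = 100) -> bytes:
    """Constructed image: filler, tag, XORed block, tag, filler."""
    body = bytes(b ^ key for b in PLAIN)
    return b"MZ" + bytes(range(1, 60)) + TAG + body + TAG + b"\xc3" * 8

if __name__ == "__main__":
    for key, code in recover(build_sample()):
        print(f"key={key} decoded={code.hex()}")
```

The same histogram argument holds for any constant key byte, which is why the thread treats XOR 100 as a placeholder for a real encoding step.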
DoubleDutch
Addict
Posts: 3220
Joined: Thu Aug 07, 2003 7:01 pm
Location: United Kingdom

Post by DoubleDutch »

The Xor 100 is just an example of where you should include byte for byte encryption. You need to include an encoding method in the encoder and a decoder in the main program. In the case of simple xor encryption it's the same for both. I think that the reason that Xor 100 was used is because it makes the routine fairly easy to read and thus easier for people new to this to understand.

I would use my revision/marking scheme over the original because it's less obvious than plain text as to where the markers are and you don't need to remember to jump over the markers.