Page 1 of 2

Encrypt code in exes (decrypt at runtime)

Posted: Wed Oct 10, 2007 9:20 pm
by Inf0Byt3
Hi! Here's what I came up with after watching some codes here on the forum. I created a way to encrypt pieces of code in the executables that get decrypted at runtime. The demonstration has 2 files: the exe you protect and the encryptor. First create a file called "Test.exe" from the Test.pb file, then execute Encryptor.pb and the code between those 2 labels will be encrypted. At runtime, it will decrypt and run normally.

[Code removed, see second page for an updated version]

Enjoy and please if you make it better post it here so all can benefit from it :)

Posted: Wed Oct 10, 2007 9:39 pm
by srod
Very very nice. :)

It works well.

Thanks for this.

Posted: Wed Oct 10, 2007 10:02 pm
by Inf0Byt3
Thanks! I'll try and mod it further. Maybe even make it support multiple encrypted blocks. With proper encryption, this can help minimize cracking a bit.

Posted: Wed Oct 10, 2007 11:16 pm
by thefool
Nice :)
Little bugfix to the test.pb file:

Code:

;By Inf0Byt3, 10OCT07
;Free to use, credits appreciated
;Modifications/bugfixes must be made public

;The code address: ?X and ?Y are the addresses of the labels below
CStart = ?X
CEnd = ?Y
CDiff = ?Y-?X

;Unprotect! Make the code page writable so the bytes can be patched in place
Mode = #PAGE_READWRITE
Result=VirtualProtect_(CStart,CDiff,Mode,@OrigMode)
;unXOR! Every byte between the labels was XORed with 100 by the encryptor
For I = CStart To CEnd
  v=PeekB(I)
  a=v ! 100
  PokeB(I,a)
Next I
;Protect: restore the original page protection (the last argument must be a pointer)
VirtualProtect_(CStart,CDiff,OrigMode,@Mode)

;Here's the protected code!
;The jump skips the marker string so it is never executed as code
Goto lbl1
!_MarkBegin1 db "CRYPT_START"
lbl1:
X:
MessageRequester("","This code here is scrambled")
For t = 97 To 122
  a$ + Chr(t)
Next
MessageRequester("","Result "+a$)
Goto ov:
Y:
!_MarkEnd1 db "CRYPT_END"
ov:
;The protected code ends here

In this one I added a jump over the DB's. Otherwise they will mess up the code afterwards :)

Posted: Wed Oct 10, 2007 11:25 pm
by Rook Zimbabwe
Not to flog a dead pony or anything, BUT!!!

With some slight revision of this you could create an Armadillo-like software security system.

:D

Posted: Wed Oct 10, 2007 11:27 pm
by thefool
Well, we would need some things like adding sections to the exe's (unless we use another approach) :)
There is a huge difference in doing this source-level or compiled-level.

But surely not unlikely to happen one day..

But for now there are other things on the plan :D

Posted: Thu Oct 11, 2007 8:40 am
by Rings
ha, I did something a long time ago,
should be the same way.
http://www.purebasic.fr/english/viewtop ... sc&start=9

any question now: did that work under Vista?

Posted: Thu Oct 11, 2007 9:00 am
by Inf0Byt3
Of course! I was inspired by your code, especially the xor-ing and memory (de)protection ;). Oh and Thefool is using Vista 64Bit and it seemed to work :).

Posted: Thu Oct 11, 2007 4:55 pm
by Inf0Byt3
Does anybody have an idea how to make the encryptor patch in multiple places in the exe? I have a logical problem with this. I have no idea how to get more than the first offset and everything I tried failed.

Posted: Thu Oct 11, 2007 8:32 pm
by utopiomania
First, thanks for the tip, but FYI, this isn't the way Execryptor works. Execryptor messes up the final assembly to the point where no man can read it, but your CPU can. It doesn't decrypt the mess at runtime.. :)

Posted: Fri Oct 12, 2007 10:15 am
by Inf0Byt3
Oh, I just meant that it uses those "CRYPT_START" and "CRYPT_END" labels to secure the code.

Posted: Sun Oct 14, 2007 6:45 pm
by DoubleDutch
Here are my improvements:

Code:

;By Inf0Byt3, 10OCT07
;Free to use, credits appreciated
;Modifications/bugfixes must be made public
; subtle "mod" by DoubleDutch, credits appreciated too! ;)

;The code address: ?X and ?Y are the addresses of the labels below
CStart = ?X
CEnd = ?Y
CDiff = ?Y-?X

;Unprotect! Make the code page writable so the bytes can be patched in place
Mode = #PAGE_READWRITE
Result=VirtualProtect_(CStart,CDiff,Mode,@OrigMode)
;unXOR! The encryptor XORs the bytes from X up to (not including) Y
For I = CStart To CEnd-1
  v=PeekB(I)
  a=v ! 100
  PokeB(I,a)
Next I
;Protect: restore the original page protection (the last argument must be a pointer)
VirtualProtect_(CStart,CDiff,OrigMode,@Mode)

;Here's the protected code!
;The tag doubles as code: $eb,$06 is "jmp short +6", which skips the remaining
;6 bytes of the tag, so no separate Goto is needed to jump over the marker
!_MarkBegin1 db $eb,$06,$eb,$fc,$eb,$fa,$eb,$f8
X:
MessageRequester("","This code here is scrambled")
For t = 97 To 122
  a$ + Chr(t)
Next
MessageRequester("","Result "+a$)
Y:
!_MarkEnd1 db $eb,$06,$eb,$fc,$eb,$fa,$eb,$f8
End

;The protected code ends here!
; alternative tag: !db $eb,$04,$eb,$04,$eb,$fc,$eb,$fc

Code:

;By Inf0Byt3, 10OCT07
;Free to use, credits appreciated
;Modifications/bugfixes must be made public
; subtle "mod" by DoubleDutch, credits appreciated too! ;)

;Encryptor: loads Test.exe, finds the two 8-byte tags and XORs everything between them
If ReadFile(0,"Test.exe")
  Total = Lof(0)
  *Mem = AllocateMemory(Total)
  ReadData(0,*Mem,Total)
  CloseFile(0)

  ;The tag is compared as a quad, so one PeekQ checks all 8 bytes at once
  Tag.q=PeekQ(?EncoderTag)
  *addr=*Mem
  For loop=0 To Total-8
    If PeekQ(*addr)=Tag
      If EStart
        If EEnd
          Debug("Error - more than one encoded section! "+Hex(*addr))
          EStart=0
          EEnd=0
          Break
        Else
          Debug("found end "+Hex(*addr))
          EEnd=*addr
        EndIf
      Else
        Debug("found start "+Hex(*addr))
        EStart=*addr
      EndIf
    EndIf
    *addr+1
  Next

  ;XOR the bytes between the tags; the tags themselves are left untouched
  Patched=0
  If EStart And EEnd
    For loop=EStart+8 To EEnd-1
      x=PeekB(loop)&$ff
      x!100
      PokeB(loop,x)
      Patched+1
    Next
  EndIf
  ;Write the patched image back over the original file
  If CreateFile(0,"Test.exe")
    WriteData(0,*Mem,Total)
    Debug Str(Patched)+" bytes patched"
    CloseFile(0)
  EndIf
  FreeMemory(*Mem)
EndIf

DataSection
  EncoderTag: Data.b $eb,$06,$eb,$fc,$eb,$fa,$eb,$f8
EndDataSection

This is a newer version than I posted before, it now uses quads to search for the tag. I've commented an alternative tag that could possibly be used as a different start tag - this way you could have multiple encoded sections with alternating start/end tags?

Don't jump over the tags like thefool suggested, it's built into the tag itself. It's better using this method of tags because it's less obvious what's going on when disassembling the code than using plain text.
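DoubleDutch's tag search above, and Inf0Byt3's earlier question about patching more than one place, as an added Python example that is not code from the thread: it pairs consecutive tags so any number of tagged sections can be XORed, using the 8-byte tag and the XOR key 100 from the post. The sample image is constructed, not a real PE file.

```python
# Added example, not from the thread: a Python version of the tag-based
# encoder that pairs consecutive tags so any number of sections can be patched.
TAG = bytes([0xEB, 0x06, 0xEB, 0xFC, 0xEB, 0xFA, 0xEB, 0xF8])  # DoubleDutch's marker
KEY = 100  # the demo XOR byte from the thread; a real scheme would use a proper cipher


def find_sections(image, tag=TAG):
    """Return [(start, end), ...] for each tag pair: start is the first byte after
    the opening tag, end is the offset of the closing tag (exclusive). This matches
    EStart+8 .. EEnd-1 in the PureBasic encoder, so the tags themselves are never
    touched and the runtime decoder can still jump over them."""
    offsets = []
    pos = image.find(tag)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(tag, pos + len(tag))
    if len(offsets) % 2:
        raise ValueError("unbalanced tags: found %d markers" % len(offsets))
    return [(offsets[i] + len(tag), offsets[i + 1]) for i in range(0, len(offsets), 2)]


def xor_sections(image, key=KEY):
    """XOR every tagged section with key. XOR is symmetric, so the same call
    encodes a freshly built exe and models what the runtime decoder undoes."""
    buf = bytearray(image)
    patched = 0
    for start, end in find_sections(buf):
        for i in range(start, end):
            buf[i] ^= key
            patched += 1
    return bytes(buf), patched


def patch_file(path, key=KEY):
    """In-place equivalent of the encoder's ReadFile/CreateFile round trip."""
    with open(path, "rb") as f:
        image = f.read()
    image, patched = xor_sections(image, key)
    with open(path, "wb") as f:
        f.write(image)
    return patched


# Constructed stand-in for Test.exe: two tagged sections, each followed by a
# RET (0xC3). Not a real PE image, just enough bytes to exercise the tag search.
SAMPLE = (b"\x90\x90" + TAG + b"code-one" + TAG + b"\xc3"
          + TAG + b"code-two" + TAG + b"\xc3")
```

The pairing rule is the same as in the PureBasic encoder (first occurrence opens, the next closes), so the check only catches an odd number of markers; a byte sequence that happens to match the tag inside ordinary code would still be mistaken for one.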

Posted: Sun Oct 14, 2007 10:04 pm
by Inf0Byt3
Thank you! I'll take a look at it tomorrow morning (terminated LOL). I already made the multiple block crypt, I'll try to morph the solutions together and post it. Oh, and I want to change the license for the code a bit, to make it more "liberal" :).

Code:

;Modifications/bugfixes must be made public 
to

Code:

;It would be nice to improve it if you have time and if you want to share the knowledge
Thanks again!

Posted: Mon Oct 15, 2007 1:21 pm
by pdwyer
Is the xor 100 just to give an example of where the xor encryption would take place? What would you use there normally?

If I get one of these exe's and xor the entire thing with 100, everything will turn to garbage except the secret part which will become human readable and stand out.

I gather some sort of serial number etc from a valid licensed user?

Posted: Mon Oct 15, 2007 4:01 pm
by DoubleDutch
The Xor 100 is just an example of where you should include byte for byte encryption. You need to include an encoding method in the encoder and a decoder in the main program. In the case of simple xor encryption it's the same for both. I think that the reason that Xor 100 was used is because it makes the routine fairly easy to read and thus easier for people new to this to understand.

I would use my revision/marking scheme over the original because it's less obvious than plain text as to where the markers are and you don't need to remember to jump over the markers.