Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / desktop / MFC

A new software protection method (Objantihack)

2.61/5 (19 votes)
29 Nov 20064 min read 1   443  
This article intruduce you a new software encryption method.

Download encrypted demo file - 151.2 Kb

Introduction

ObjAntiHack Introduction



1. Design goal


    For preventing a software from being cracked or from being reverse engineered, the author do lot of things on software
    encrytion. But until now, The software encrypt method is very limited, The common method is packing the software,
    The limitation is the original code must be restored at runtime, So the cracker can write a memory patch tool to modify
    the code or dump the entire code, even unpack it completely. For resolving this, We have developed the Obj file
    encrypt software named ObjAntiHack ,It can encrypt a .obj file, You can link the encrypted obj file to your project,
    The instruction code is distorted completely, and the instruction code is unable to be distinguished, is unable to
    be analyzed. It has the anti-static analysis ability, and it is impossible to obtain the procedure principle easily
    via the dynamic analysis. Facing this kind of code, most of crackers will give it up thoroughly.
   
   

2. Application scope


    It supports X86 platform, 32bit coff format obj file. We plan to support Delphi,JAVA and .Net in the future.
   
   

3. Principle of work


    A. substitute register with stack variable
       Substitute one or more registers with stack variable, This convertion can not be reversed.
    B. substitute Common instruction code with randomize procedure
    C. Running the real code in stack
       Push encrypted instruction code to stack, decrypt it,call it!
    D. Erase the JMP instruction
       JMP instruction is very important to cracker, So ObjAntiHack transforms the JMP code to other format.
    E. Erase the ret instruction
       Normaly the ret instruction indicate a ending of a function, If ret is transformed, The unassembler can not
       recongize a function correctly.
    F. Add JMP instructions
       Divides functions into small pieces, reposition these codes into random place, link them with JMP instrction.

    Advanced features: These methods can be used repeatedly!



    Samples:
    1、
    call sub1

    Change to:

     mov eax, offset sub1 + 3
     push offset @1
     sub eax, 3
     jmp eax
     @1:

    2.
    ret

    change to:

     push ecx
     mov ecx, [esp+4]
     add esp,8
     jmp ecx


    3.
     cmp reg1, reg2
     jge L_DST    
     L_NEXT:

    Change to:
        
     push eax
     mov eax, reg1
     sub eax, reg2
     shr eax, 1fh
     neg eax
     and eax, L2 - L1
     add eax, L1
     jmp eax
     L1:
     pop eax
     jmp L_DST
     L2:
     pop eax
     L_NEXT:


    4.
    MOV     EAX, DWORD PTR [ECX+0AD8h]
    PUSH    EAX
    MOV     ECX, DWORD PTR [EAX]

    Change to:

    PUSH    EAX
    PUSH    ECX
    MOV     EAX, DWORD PTR [ESP]
    ADD     EAX, 0AD8h
    MOV     EAX, DWORD PTR [EAX]
    MOV     DWORD PTR [ESP+04h], EAX
    PUSH    DWORD PTR [ESP+04h]
    MOV     EAX, DWORD PTR [ESP]
    MOV     DWORD PTR [ESP+08h], EAX
    MOV     EAX, DWORD PTR [ESP]
    MOV     EAX, DWORD PTR [EAX]
    MOV     DWORD PTR [ESP+04h], EAX
    MOV     EAX, DWORD PTR [ESP]
    MOV     ECX, DWORD PTR [ESP+04h]
    ADD     ESP, 08h


4. Using Macro


   A. Using Macro below in your C++ source code to symbolizes the key encryption part:

   #pragma code_seg(".code$curve_Max")
  
   /* your key encryption part C++ code */
  
   #pragma code_seg()

   sample:
   #pragma code_seg(".code$curve_Max")
   Void func1()
   {

   }
   DWORD func2(DWORD dw1,DWORD dw2)
   {

   }
   #pragma code_seg()
  
   B. Using Macro below in your C++ source code to symbolizes the no encryption part:
      #pragma code_seg(".code$curve_NoChange")
      #pragma code_seg()
     
     

5. Others


   A. Performance
      The performance loss is inevitable, The encryption intensity is higher, the performance loses in a big way,
      If your some functions request as far as possible high speed running, then do not encrypt these functions,
      or carries on the mild encryption, those uses infrequent, the speed request is not the very harsh place all may
      carry on the high strength encryption. The encryption intensity and encryption method are may carry on the
      establishment according to user's request.
   B. File size
      Because the inflation distortion algorithm, the encryption increases the object file size , the file size
      increases is different according to the encryption intensity, may act according to the specific request to carry on
      the adjustment. Moreover, You can insert masks in the source program to tell ObjAntiHack the key encryption region.
      The key encryption region may be possible to establish as the high strength encryption, regarding the non-key
      encryption region, may use the mild encryption. You will both get guaranteed security and get a smaller file.
      
    

      Any advice? Please mail me,
      Mail: me(at)liutaotao.com
      Webpage: http://liutaotao.com/objantihack/objantihack.html

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here