Friday, February 6, 2009

Protecting code the ... dizzy way


Problem/Question/Abstract:

Code crackers use not only debuggers but also disassemblers, which allow viewing code in a more readable form.

Crackers set breakpoints (typically on Windows calls or messages) and "peek" at the source code before actually single-stepping back.

This is a small example of how to insert VARIABLE dummy code between valid statements, which can make disassembling and single-stepping a nightmare.

Answer:

Conditional ASM statements that actually insert dummy code are of this kind:

       JMP here
       DB byte,byte,byte,byte  ; garble data
  here:

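The jump skips the garble data, so it never gets executed. One can find a LOT of combinations that drive disassemblers nuts. In the include file below the jump itself is written as data: $EB is the opcode of a short JMP and the byte after it is the number of bytes to skip. Each time the file is included, it inserts a variable-length dummy statement.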

----- This is the Include file AsmDizzy.inc: ------

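// State reset: after the third stub has been emitted, clear all symbols
// so that this inclusion starts the cycle again with the default stub.
{$IFDEF DIZZY4}
{$UNDEF DIZZY1}
{$UNDEF DIZZY2}
{$UNDEF DIZZY3}
{$UNDEF DIZZY4}
{$ENDIF}

// Third stub: short JMP ($EB,$06) over six garble bytes.
{$IFDEF DIZZY3}
{$IFNDEF DIZZY4}
asm
   DB $EB,$06,$55,$44,$55,$03,$a8,$09;
end;
{$DEFINE DIZZY4}
{$ENDIF}
{$ENDIF}

// Second stub: short JMP ($EB,$04) over four garble bytes.
{$IFDEF DIZZY2}
{$IFNDEF DIZZY3}
{$IFNDEF DIZZY4}
asm
   DB $EB,$04,$75,$13,$a2,$14;
end;
{$DEFINE DIZZY3}
{$ENDIF}
{$ENDIF}
{$ENDIF}

// Default (first) stub: short JMP ($EB,$04) over four garble bytes.
{$IFNDEF DIZZY1}
{$IFNDEF DIZZY2}
{$IFNDEF DIZZY3}
{$IFNDEF DIZZY4}
asm
   DB $EB,$04,$55,$03,$a7,$44;
end;
{$DEFINE DIZZY2}
{$ENDIF}
{$ENDIF}
{$ENDIF}
{$ENDIF}
;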

---- End of include file ----

Having this include file, try putting this code in the click event handler of a button. The code executes normally, but a lot of VARIABLE garble code sits between the statements, sometimes 4, 5 or 6 bytes wide.

procedure TForm1.Button1Click(Sender: TObject);
begin
{$I AsmDizzy.inc}
  ShowMessage('1');
{$I AsmDizzy.inc}
  ShowMessage('2');
{$I AsmDizzy.inc}
  ShowMessage('3');
{$I AsmDizzy.inc}
  ShowMessage('4');
{$I AsmDizzy.inc}
  ShowMessage('1');
end;

This can make single-stepping a nightmare, even with simple statements (ShowMessage) in between. The .inc file can be enhanced to produce real random code, but this is a task for you to do.
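To gauge how much these fixed stubs cost an analyst, the following added example (not part of the original post) scans a byte buffer for the `EB nn` pattern used in AsmDizzy.inc and overwrites each stub with NOPs. The names `find_stubs`, `neutralize` and the `SAMPLE` buffer are assumptions made for illustration; the three stub byte sequences are the ones from the include file.

```python
# Added example: analyst-side scan for the short-JMP junk stubs from AsmDizzy.inc.
from typing import List, NamedTuple

NOP = 0x90          # single-byte x86 no-op
JMP_SHORT = 0xEB    # x86 "JMP rel8": opcode followed by a signed 8-bit displacement

class Stub(NamedTuple):
    offset: int     # position of the EB byte
    junk: bytes     # bytes the jump skips (never executed)

def find_stubs(code: bytes, max_junk: int = 16) -> List[Stub]:
    """Heuristic: report every forward short JMP that skips 1..max_junk bytes.

    An EB byte that is really an operand of another instruction also matches,
    so hits are candidates to confirm in a disassembler.
    """
    stubs, i = [], 0
    while i + 1 < len(code):
        disp = code[i + 1]
        target = i + 2 + disp
        # disp >= 0x80 encodes a backward jump (signed rel8), not this pattern.
        if (code[i] == JMP_SHORT and 1 <= disp <= max_junk
                and disp < 0x80 and target <= len(code)):
            stubs.append(Stub(i, code[i + 2:target]))
            i = target      # resume at the jump target, not inside the junk
        else:
            i += 1
    return stubs

def neutralize(code: bytes, stubs: List[Stub]) -> bytes:
    """Overwrite each stub (jump and junk) with NOPs so a linear sweep stays aligned."""
    out = bytearray(code)
    for s in stubs:
        end = s.offset + 2 + len(s.junk)
        out[s.offset:end] = bytes([NOP]) * (end - s.offset)
    return bytes(out)

# The three DB sequences from the include file, in the order the cycle emits them.
DEFAULT = bytes([0xEB, 0x04, 0x55, 0x03, 0xA7, 0x44])
DIZZY2 = bytes([0xEB, 0x04, 0x75, 0x13, 0xA2, 0x14])
DIZZY3 = bytes([0xEB, 0x06, 0x55, 0x44, 0x55, 0x03, 0xA8, 0x09])
# Constructed sample: NOPs stand in for the real statements, C3 (RET) ends it.
SAMPLE = DEFAULT + b"\x90" + DIZZY2 + b"\x90\x90" + DIZZY3 + b"\xC3"

if __name__ == "__main__":
    hits = find_stubs(SAMPLE)
    for h in hits:
        print(f"offset {h.offset:#04x}: skips {len(h.junk)} byte(s) {h.junk.hex()}")
    print(neutralize(SAMPLE, hits).hex())
```

Because every stub begins with the same opcode and a small forward displacement, one pattern finds all three.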
