Fighting Reverse Engineering of Software

Self Extracting/Modifying Code : How to?


6 Replies - 1637 Views - Last Post: 15 October 2008 - 11:49 PM

#1 csmanoj

Posted 05 October 2008 - 09:10 PM

The other day when I opened one of the programs on my computer, it said that I was running a debugger and the program won't open until I close it. I was surprised to know it found out*. I was curious about it, so I tried to put it through a disassembler. The disassembler said that the program was self extracting or self modifying so it's not really possible to disassemble the program accurately.

How is this done? How can I make my programs 'anti-crack' like this?

*I was debugging one of MY applications, when I had to open an IDE. It is this IDE software that said I had a debugger running. No harmful intentions here.


Replies To: Fighting Reverse Engineering of Software

#2 no2pencil

Posted 07 October 2008 - 08:10 PM

Let me see if I can dig up the discussion. I actually partook in a similar discussion on the alt.lang.asm newsgroup (with Randall Hyde) a few years ago.

** Edit **
Sorry, I can't find it. I do remember reading how it's able to detect the disassembler & then it runs tedious loops constantly, never allowing actual code to run.

#3 Salv0

Posted 08 October 2008 - 02:42 AM

To do that, you can implement the necessary code to check if a debugger is active.
The most used method is using the IsDebuggerPresent() API call in kernel32.dll with some inline assembly protection code, but there are some ways to bypass this.

This post has been edited by Salv0: 08 October 2008 - 02:45 AM


#4 WolfCoder

Posted 11 October 2008 - 06:11 PM

As the endless army of hackers gets past GameGuard and plagues MapleStory almost instantly, even after it updates, to the point where a server-side measure had to be implemented, it reminds me that I shouldn't bog the user's machine down with DRM and anti-reverse engineering systems.

#5 dawmail333

Posted 14 October 2008 - 05:26 AM

WolfCoder, on 11 Oct, 2008 - 06:11 PM, said:

As the endless army of hackers gets past GameGuard and plagues MapleStory almost instantly, even after it updates, to the point where a server-side measure had to be implemented, it reminds me that I shouldn't bog the user's machine down with DRM and anti-reverse engineering systems.


Gah, stupid copy protection, I had to no-cd patch a game I legally own, just because it wouldn't open due to an error that said 'A required security module is missing.' The solution was to delete some registry entries (apparently it was to do with virtual CD drives), but now, I have no virtual CD drive software, and the registry keys don't exist, but it STILL won't work. The thing is, really advanced anti-debugging/anti-copying software just delays the inevitable crack, and annoys honest users more.

But for the original question, I've never heard of such things.

#6 wingot

Posted 15 October 2008 - 08:58 AM

Hey,

I've seen some programs that detect if SoftIce and other debuggers are present. A more detailed example/explanation can be found at http://www.honeynet....otnet-code.html, but in short (specifically for softice) "This method is used by a lot of crypters/compressors it uses INT 41, this interrupt is used by Windows debugging interface to detect if a debugger is present. Only works under Windows." The other methods are variations on this type of technique, doing something that is idiosyncratic of a specific debugger and seeing if anything happens that would indicate the debugger's involvement.

And in regards to implementing them in your code, you will need to work with assembler, so first you'll have to convert your IL to real machine code, which locks it down to a specific architecture and all the rest that goes with abandoning the .Net platform. It is probably possible to work with ASM in unsafe code within C# (C can do it), but not in a way that will be effective as an anti-crack method.

Of course, as dawmail333 has stated (and it is my opinion as well), anti-piracy implementations to date have done nothing to stop crackers (it only delays them mildly) but annoy rightful owners and cause people that have bought legitimate copies problems. This is probably even evident to you based on your own experience, you couldn't open your IDE (which you obtained legitimately) while a disassembler (that you were using completely legitimately) was running.

If you do insist on invasive copy protection though, the link in the first paragraph should be helpful.

If you are just looking at it from an academic point of view I highly recommend checking it out.

#7 dawmail333

Posted 15 October 2008 - 11:49 PM

wingot, on 15 Oct, 2008 - 08:58 AM, said:

And in regards to implementing them in your code, you will need to work with assembler, so first you'll have to convert your IL to real machine code, which locks it down to a specific architecture and all the rest that goes with abandoning the .Net platform. It is probably possible to work with ASM in unsafe code within C# (C can do it), but not in a way that will be effective as an anti-crack method.


Um, a bit off topic, but how can you compile IL to machine code? http://www.gocosmos.org/ does it, but I'd like to know how. Even if just to make non-monoable software run on Linux through wine. Also, not requiring the .Net framework would be nice!