Tuts 4 You

Hardest software protection system.


elmonoperezoso


It's not so much the protection, but the implementation. If you go mental on a RISC VM and some macros and custom stuff, then yes, Themida can be quite hard. However, if you screw up and leave an obvious way for people to crack your software, it becomes as easy as just using UPX. Well, except for some newbies who can't bypass the CRC checking.

I've seen people using every option from, for instance, WinLicense only to have it cracked because they use the is_registered API to check for registration and nothing else. You can add as much stuff as you want then, but it'll be just as easy.

Same goes for VMProtect; everything else isn't really up to spec to prevent cracking.

regards,

q.

Edited by quosego
elmonoperezoso

Thank you very much for your answer.

I thought that there was a difference between them due to various obfuscation techniques and product updates to avoid cracking.

Am I wrong?


There are a lot of differences indeed. However, those differences are not substantial enough to rank either protector as harder to crack. When properly implemented, the effect is the same. Also, there might be a few other protectors that can get similar results when properly implemented, but those can be somewhat easier to reverse.

elmonoperezoso

Yes, I know that the most important fact is the protection. Many programmers just invoke the Isvalidprotection() function and check via IF = .T.

But there are many packers (those I said plus Armadillo, ASPack...), so with the base of a good protection implemented, one of those should be superior in feature power and frequent updates to fix leaks.

What is your opinion?

Thank you,


For me the toughest ones are those which aren't using any 'canned' protectors at all but custom ones, which aren't packed/protected with 3rd party apps but rely solely on internal protection mechanisms. With canned protectors there are lots of tutorials and papers dedicated to defeating them, but with custom ones it's just between you and the app's developer. But like quosego said, it all depends upon how these protections are implemented. Even custom ones have crappy implementations and only a handful of them deserve respect. I really dig these tough custom ones because you can appreciate the skill, brilliance and cunningness the program author has put into it; it's almost like art.

With canned ones: if you've seen one, you've seen them all.


I myself, if at first to second encounter of some hard protection on the software, will just leave it to the pros first... I absolutely agree with quosego and npad69....... they are some of the pros on this....


Themida with XBundler and macros. XBundler alone breaks all the scripts. If you do good software it won't matter though..

Arma + 'secure sections' or VMProtect second.

If I was going to design one I'd do it like Ubisoft, except use encrypted IOCTL with a ring0 VM. It can still be trace-defeated like all the others though; you need silicon and isolated decryption and signing that can't be dumped to do non-crackable, and this lasts till silicon-reversing evolves.

Edited by chickenbutt
Themida with XBundler and macros. XBundler alone breaks all the scripts. If you do good software it won't matter though..

True, but dumping XBundled stuff is trivial.

this lasts till silicon-reversing evolves.

I'd so like to get into that. :)


If you use your brain, learn from the tutorials available on this forum and others, and own and know how to use the tools that you have, no packer, method or anything can be considered safe. Someone will always be able to decipher what was done; this is the purpose of this wonder called Reverse Engineering.


If you use your brain, learn from the tutorials available on this forum and others, and own and know how to use the tools that you have, no packer, method or anything can be considered safe. Someone will always be able to decipher what was done; this is the purpose of this wonder called Reverse Engineering.

It doesn't really matter; good unpackers take at least a week of free time to do something with VM handlers unless they have a script or a generic workflow. It's even more time consuming if you're an exploit developer. These are aspects 'experts' tend not to know because they use scripts or frameworks, or rather, don't have a clue what they're talking about..

EDIT: Take a look at the Themida stuff that was done before any public papers on Themida were published; the targets were complex even without the protector, using huge structs coming over static OpenSSL, and a lot of signing and compression on both media and binaries. Outside ISO protectors it's stuff like this that is the hardest in software RE, and nuker teams can't touch it; almost all other teams ignore it. It's usually Russian devs who do them under throw-up pseudonyms. I could give a big list of AAA games and industrial software that is unlockable+downloadable but nobody touches, because they are like this. Just make it time consuming and switch each version.

Edited by chickenbutt

I could give a big list of AAA games and industrial software that is unlockable+downloadable but nobody touches, because they are like this.

Interesting.

Could you point out one or two? :)


Interesting.

Could you point out one or two? :)

AAA Games{

The Hunter

All Thrixxx titles

Some others that no longer get updates like mojomaster

}

Other{

Most education and industrial control software. I used to know a good one used by a lot of colleges in the US but forget the maker.

}


Thanks for your answer.

But how does this VM work? I mean, the code that is VM'ed, will it still be the same, or will it be replaced with other instructions that do the same thing inside the VM? Sorry if my question is off topic.


The bytes as executed by the VM will represent the same code (sometimes with some added antidumps/obfuscation etc.). However, they are neither the same bytes, nor will they be executed by the VM in the same way. Also, they usually aren't even identical between protection sessions.

There are similarities, however, between the code executed within the VM and the actual code. But VM code is usually obfuscated to negate that similarity.


Thanks for this info quosego.

It is interesting to know more about this VM. I actually find it quite difficult to understand the VM, but it also slows down the application; I can notice that an app that uses the VM is slower than one that does not.

Edited by Lostin

If I was an Oreans coder, two things I'd implement are per-session VM mutations that use entropy for handler choice and buffer garbage, and a server auth that does bytecode transfer over SSL using sub-encoding from inside the VM.

VM is the evolution of a methodology meant to make RE more expensive; it'll always be cracked, and crypto and keygen are useless because the key data has no isolation except with TPM. An ISO protector with no disc is a good example of how effective isolation would be against RE.

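To make quosego's point concrete (the VM executes bytes that represent the same code but are neither the original bytes nor identical between protection sessions) and chickenbutt's idea of per-session handler mutation, here is a toy virtualizing protector written for this page; it is not code from the thread or from any real protector. The protected function, the handler set and the session-key derivation are all constructed for the example.

```python
# Added example (not from the thread): a toy "virtualizing" protector showing why
# VM bytecode is neither the original bytes nor identical between sessions.
# Constructed function being protected:  f(x) = ((x + 7) ^ 0x5A) * 3  mod 2**32
import os

MASK = 0xFFFFFFFF
NATIVE_OPS = [("add", 7), ("xor", 0x5A), ("mul", 3)]   # the "native" code

HANDLERS = {                       # one handler per virtual instruction
    "add": lambda acc, imm: (acc + imm) & MASK,
    "xor": lambda acc, imm: (acc ^ imm) & MASK,
    "mul": lambda acc, imm: (acc * imm) & MASK,
    "nop": lambda acc, imm: acc,   # junk handler used for padding
}

def native(x):
    """Reference result: what the un-virtualized code computes."""
    return (((x + 7) ^ 0x5A) * 3) & MASK

def virtualize(ops, session_key):
    """Emit bytecode for ops. The opcode numbering and the junk placement are
    derived from session_key, so each protection session yields different bytes
    (a stand-in for per-session handler mutation; a real protector would use
    far more entropy and mutate the handler bodies themselves)."""
    names = sorted(HANDLERS)
    rot = session_key[0] % len(names)
    order = names[rot:] + names[:rot]           # this session's opcode table
    opcode_of = {name: i for i, name in enumerate(order)}
    code = bytearray()
    for i, (name, imm) in enumerate(ops):
        junk = session_key[(i + 1) % len(session_key)]
        if junk & 1:                            # key-dependent junk instruction
            code += bytes([opcode_of["nop"], junk])
        code += bytes([opcode_of[name], imm & 0xFF])
    return bytes(code), order

def run_vm(code, order, x):
    """Interpret the bytecode with this session's opcode table: same result,
    different bytes, different dispatch path."""
    acc = x
    for i in range(0, len(code), 2):
        acc = HANDLERS[order[code[i]]](acc, code[i + 1])
    return acc

if __name__ == "__main__":
    for _ in range(2):                          # two independent "sessions"
        code, order = virtualize(NATIVE_OPS, os.urandom(4))
        print(code.hex(), order, run_vm(code, order, 10) == native(10))
```

Running it twice prints two different bytecode strings (and opcode tables) that both evaluate to the same result as the native function, which is exactly the similarity-without-identity the posts above describe.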

Larp64 is probably hard, but not implemented enough to prove stability and integrity.

Shielden I think is based off NoobyProtect, which is an unstable VM protector by a Chinese dev. It's been scripted just like TM/WL, except TM/WL has a big dev team and is way more stable.

Most RE forums talk about protectors based off what active talents say about them, as if they (the forum users) know the internals of the protector themselves. The truth is VM makes it too expensive to do the protectors without scripts for people with too little skill or time, and the opinions are just trends based off singular perceptions...

Without hardware isolation, which outside of TPM>TXT doesn't exist for x86, the most secure thing is no unlockable demo and features behind server auth. The ISO protectors are only harder than shareware VM protectors because of the use of volume data in their VM handlers, and studios tend to use the SDK more; all this stuff is defeated through tracing and light static analysis.


Edited by chickenbutt

I don't know guys, maybe in the last version he fixed it.. because I've been using it for like a month on some of my applications and all seems ok :o

Still the same bugs in the latest version.

I have unpacked a couple of Safengine-packed apps with its max protections, even though I am not that good when it comes to packers, so it is not the best as you think :P
