Thread: Protecting software code by Guards

  1. #1
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430

    Protecting software code by Guards

    Hi all,
    first of all to open the discussion I would introduce this paper

    https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2001-49.pdf

    (if you're not able to download it, ask me for it).

    The method the authors are proposing is really interesting and theoretically could be a pain in the ass whenever found in real applications.

    The authors patented a method to insert guards into a generic win32 program and gave the patent to Arxan (http://www.arxan.com/index.php), which is selling the related product (EnforcIT, http://www.arxan.com/products/ati/index.php); this can also be easily found in the product's brochures.

    Obviously there are no evaluations, but I was wondering if someone has already met an application protected with this technology.. just to practically see if it's so "uncrackable"..

    Moreover as a bonus in the site there's an interesting paper, not so amazing, but interesting..
    http://www.arxan.com/ati/A-Survey-of-Anti-Tamper-Technologies.pdf
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  2. #2
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by Shub-nigurrath
    The authors patented a method to insert guards into a generic win32 program and gave the patent to Arxan
    Actually, the authors are the founders of Arxan and are making use of their own patent.

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quite interesting concept, indeed.

    They are infecting the code with polymorphic viruses (guards), who perform the tampering surveillance. Given my absolute ignorance in the field, I can venture some naive comments:

    1) By the very nature of code monitoring and self healing, these creatures are reading the code and writing the code, i.e. they become ad-hoc debuggers. Hooking on APIs that perform these types of interventions or making the code read-only through external intervention with a kernel debugger, one could unmask these activities and pinpoint the guards.

    2) Polymorphism, even when it is automatic, has constraints, has a pattern. Getting one's hands on the protector software may be a key to discover the features of a prototypic guard, and find them heuristically in the code. No matter how polymorphic, they WILL interact with the OS through a finite and perhaps small number of APIs


    3) Because the guard monitoring activity IS an Add-on to the original software flow, wouldn't it necessarily entail creating at least temporarily, new threads? Monitoring the creation of threads may clue the cracker to the guards code.

    Flame on
    Last edited by naides; May 26th, 2005 at 10:42.
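
The read-then-write-back behaviour that point 1 of the post above attributes to guards, as an added sketch that is not part of the thread and not the paper's or Arxan's code. A byte array stands in for a code region; `guard_t`, the function names and the FNV-1a checksum are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define REGION_LEN 16
/* Constructed sample bytes standing in for a protected code region. */
static const uint8_t clean_copy[REGION_LEN] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x08, 0x8b, 0x45,
    0x08, 0x03, 0x45, 0x0c, 0x8b, 0xe5, 0x5d, 0xc3 };
static uint8_t region[REGION_LEN];
/* Hypothetical guard record: watched range plus checksum taken at protection time. */
typedef struct { size_t start, len; uint32_t expected; } guard_t;

/* FNV-1a, used only for brevity (an assumption, not the paper's checksum). */
static uint32_t checksum(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* "Protection time": load the region and record the expected checksum. */
void guard_install(guard_t *g, size_t start, size_t len) {
    memcpy(region, clean_copy, REGION_LEN);
    g->start = start; g->len = len;
    g->expected = checksum(clean_copy + start, len);
}

/* Checksumming guard: reads the watched range; 1 = intact, 0 = modified. */
int guard_check(const guard_t *g) {
    return checksum(region + g->start, g->len) == g->expected;
}

/* Repair guard: on a mismatch, writes clean bytes back; returns bytes restored. */
size_t guard_repair(const guard_t *g) {
    size_t fixed = 0;
    if (guard_check(g)) return 0;
    for (size_t i = g->start; i < g->start + g->len; i++)
        if (region[i] != clean_copy[i]) { region[i] = clean_copy[i]; fixed++; }
    return fixed;
}

/* Stand-in for any modification of the region (used to exercise the guard). */
void region_set(size_t i, uint8_t v) { region[i] = v; }

int main(void) {
    guard_t g;
    guard_install(&g, 4, 8);
    region_set(6, 0x90);                 /* change inside the watched range */
    return (guard_repair(&g) == 1 && guard_check(&g)) ? 0 : 1;
}
```

A change outside the watched range goes unnoticed by this single guard, so coverage depends entirely on which ranges the guards are given.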

  4. #4
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    didn't notice that the authors were also involved in the company but makes sense.. about the protection, would be extremely interesting to find protected apps around, that seems not actually.

  5. #5
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by Shub-nigurrath
    about the protection, would be extremely interesting to find protected apps around, that seems not actually.
    That's because all of their work has been government-related and not commercial.

    I wonder how well the "trick" referenced at http://www.woodmann.com/forum/showthread.php?t=7090 would work against these guards (to allow in-memory patching without the guards realizing it).

  6. #6
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    well I started this thread having in mind that paper and that type of attacks..

  7. #7
    Quote Originally Posted by disavowed
    I wonder how well the "trick" referenced at http://www.woodmann.com/forum/showthread.php?t=7090 would work against these guards (to allow in-memory patching without the guards realizing it).
    That paper mentions guards as a technology that's inadequate against the trick...

  8. #8
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    They are infecting the code with polymorphic viruses (guards), who perform the tampering surveillance.
    This immediately gives me flashbacks of Xtreme Protector we-will-fuck-your-code-up-so-bad-it-won't-even-run-when-not-being-tampered-with tactics...

    ...which is of course one of the best kind of protections there is, not even licensed users can run the code, they might after all actually be an evil replicated clone of the original licensed owner, but anyway.

  9. #9
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    On that vein, can you imagine these guards misfunctioning or running amok?

    They may decide some stupid bug is tampering, and decide to "repair" some critical file in your system. Notice that for true "code healing" they need to permanently write their changes to the disk, not only in memory.
    No, wait, this belongs to a Sci-Fi Horror movie: A strain of "guards" start "repairing" each other until they become self-conscious, start injecting copies of themselves in the network, get into the Department of Defense computers. . . well, You know the rest

  10. #10
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    well, You know the rest
    Yeah, two DoD officers accidentally walk into a janitor's closet, finding three photo model gorgeous blond janitor girls having sex with each other, and also inviting the officers to join in... Or am I thinking of the wrong movie here?

  11. #11
    Purely for research and scientific purposes, how about sharing the name of that movie so everyone else can perform their own.. uh.. investigation

    Interesting doc though. Great stuff.
    Still here...

  12. #12
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by Silver
    Purely for research and scientific purposes, how about sharing the name of that movie so everyone else can perform their own.. uh.. investigation .
    It is against the rulez of the board to post or request names of CopyRighted material. Besides it would not be ethical, dELTA himself directed and played the lead role on that Movie. That is why the girls and the DoD officers Spoke English with a heavy Swedish Accent.
    Last edited by naides; May 30th, 2005 at 18:20.

  13. #13
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Since it is not against the rules to name the target if you own the copyright yourself, for anyone interested I think we are talking about Sperminator 2: The Second Cumming, aren't we? And don't worry about exposing me, I was using my artist name, Jack Ass(protect)-crack.

  14. #14
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    I think we are diverging a little from the original thread's topic, aren't we?

  15. #15
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    I'll take that as a direct insult to my artistic work, one more time and you will be banned.