reverse engineering

Thread: reverse engineering

  1. #1
    Join Date
    Apr 2001
    Location
    USA, Knoxville, TN
    Posts
    255

    reverse engineering

    I thought that we were pretty secure in that I can barely figure out some of our code with the source, but my boss has asked me to look into making sure that competitors can't reverse engineer our code. We have some numerical stuff that is kind of special.

    With a dis-assembler, you get C code back? C++ code? How far back can you reverse engineer an *.exe? What are techniques that people use to hack somebody's code? I'm not sure this is worth worrying about - for myself, I think it would always be easier to start with publicly available information and techniques, and develop towards what a program produced, rather than to work backwards from that program and attempt to induce how it worked.


  2. #2
    Join Date
    Mar 2002
    Location
    Florida, United States
    Posts
    50

    Re: reverse engineering

    You cannot revert a program to exact C++ code or C code -- function names, class names, variable names, etc... are lost during compilation. However, it is theoretically possible to revert the code into C, and just not have appropriate names for variables and functions. I have never seen a utility that does this.

    On the other hand, it is very easy to reverse engineer code into assembly. It is possible to reverse engineer algorithms from assembly code, although very difficult. Assembly is a very messy language, and a 1 MB executable has thousands upon thousands of lines of code.

    If a competitor really wanted to, they could hire an assembly coder to find your algorithm and reverse engineer it. However, it would take a lot of both time and money.

    If you've ever seen program cracks out on the internet (to get rid of cd keys and such), the people that design those usually reverse engineer a program, locate the cd key part, and patch it up so that it is no longer required.

    There is no way to prevent this kind of reversal, unfortunately.

    -MattAA
    armadillo@engineer.com

  3. #3
    Join Date
    Sep 1999
    Location
    Philadelphia, USA
    Posts
    195

    Re: reverse engineering

    Actually the preceding reply is wrong. You can, in fact, totally reverse-engineer an executable into its original C++ source code. I know it is very scary to us programmers, but they do it. Almost all of the major cracking groups do it and it makes it so even a newbie cracker can break your program's protection by viewing the source code.

    They use a program called SoftIce. It decompiles your EXE and lets you actually break into any step in your EXE and shows you the line, function, etc in your actual source code of the exe in c++. The cracker can scroll through your code, step through, replace values, just like the VC++ debugger.

    Therefore, your boss is quite correct in protecting the source code of your application. Here are some very quick explanation methods of ways to protect your code:

    1. Use a CRC check on your executable at run-time before it even starts normal processing. If the CRC fails (meaning a cracker has changed at least 1 bit in your exe), then exit(0);
    Go to http://www.programmersheaven.com and search for CRC to find an excellent C source code to implement CRC in your app.

    2. Replace any critical registers, flags, and functions with obscure names. Instead of MySecretNumberFunction() name it M14SNF0()

    3. Want to be sneaky? Use a method called MeltIce. It detects if a user is already running SoftIce and if so, you can take action from there such as exit(0), fake-dead, malicious code (I don't recommend this), etc.

    Excellent link explaining how to protect your software :
    http://www.searchlores.org/protec/protec.htm#tid18
    http://www.senseofsecurity.com/sharenc.asp


    Anyway, it is a very real threat. After all, what do you think China is doing to that U.S. plane's software that crashed there a few years ago?



    Easy Internet Software @
    http://www.DummySoftware.com
    ============================
    Tired of popup windows while you surf the web?
    Get PopupDummy! http://www.popupdummy.com
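
The run-time CRC check from item 1 of the post above, as an added example that is not code from the thread or from the sites it links to. Taking the image path and the expected value from the command line is an assumption made so the example runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>

/* Reflected CRC-32 (0xEDB88320). Start with crc = 0; chain the result to continue. */
uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n)
{
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC-32 of a whole file read in chunks; 0 on success, -1 on I/O error. */
int file_crc32(const char *path, uint32_t *out)
{
    unsigned char buf[4096];
    size_t n;
    uint32_t crc = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        crc = crc32_update(crc, buf, n);
    int failed = ferror(f);
    fclose(f);
    if (!failed) *out = crc;
    return failed ? -1 : 0;
}

/* Fail closed: an image that cannot be read counts as modified. */
int image_is_intact(const char *path, uint32_t expected)
{
    uint32_t actual;
    return file_crc32(path, &actual) == 0 && actual == expected;
}

/* Usage: selfcheck <image path> <expected CRC in hex> (both assumptions).
   A Win32 program would get its own path from GetModuleFileName. */
int main(int argc, char **argv)
{
    unsigned long expected;
    if (argc != 3 || sscanf(argv[2], "%lx", &expected) != 1) return 2;
    int ok = image_is_intact(argv[1], (uint32_t)expected);
    puts(ok ? "image intact" : "image modified or unreadable");
    return ok ? 0 : 1;
}
```

The expected value has to be stored outside the bytes being hashed, because writing it into the image changes the image's CRC. CRC-32 is unkeyed, so it flags accidental or careless modification but can be recomputed by anyone who edits the file.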

  4. #4
    Join Date
    Dec 2001
    Location
    Bremen, Germany
    Posts
    314

    Re: reverse engineering

    Right. Forget tools to encrypt your exe and even the crc-checks. SoftIce is a *very* powerful tool - and even if you make weird function names, they can breakpoint on every "GetWindowText" for a usertyped parameter, breakpoint on the system memory the value is stored in and there it goes.

    Only way to protect something is to make reverse engineering as hard as possible: relocate user-supplied parameters, use indirect querying, use multithreading and maybe hardware-dependent code snippets.
    But I believe that there's no really secure way to protect your work.

    Oliver.


  5. #5
    Join Date
    Mar 2000
    Location
    Birmingham, England
    Posts
    2,520

    Re: reverse engineering

    Interesting conversation we are having here, and very worrying from my point of view. I believed my code was hackable and crackable, of course it is! It's only software after all. Set a break point with SoftIce and break it at the cd key entry, set a jmp, patch it and that's that (I guess, I've never used SoftIce, although I more or less know what it's capable of) ...

    ... the bit that worries me is your assertion that the exe can be decompiled into its original source, with the original symbol names. Now if you are right, I just might start crying.

    Please tell me you are wrong. Please tell me that it is not possible to get the source code from my release exe.

    One other thing, and please forgive me for my ignorance, but what's the point in a crc check on your code, if the cracker can decompile your code, find the check and remove it?

    Looking forward to further conversation on this issue. I've gotta tell you, the bottom of my world just dropped out if you are right.


    Jase

    http://www.slideshowdesktop.com
    View your images and photos on your desktop with ease using SlideShow Desktop, the desktop wallpaper manager for Microsoft Windows.

  6. #6
    Join Date
    Sep 1999
    Location
    Philadelphia, USA
    Posts
    195

    Re: reverse engineering

    Sorry, but they can indeed get your exact C++ source code down to the very GetWindowText() function calls in windows.

    The benefit of things like CRC checks is they make it that much harder for someone to crack. The hope is that most crackers are "cookie-crackers". They run through a list of shareware, cracking them one-by-one to submit their duty of "10 apps cracked for the day".

    If your program is going to take them say 8 hours to crack.. why bother when they can move on to the next to fill their quota. The CRC check can make things very complex to disable. It deals with polynomials and all.. if you complicate your calls to your security routines with embedded assembly and such, you can make it tricky for a cracker to see how to disable a function.

    For example, instead of bRegistered = true, how about using iDataName = 65 where if iDataName < 50 then the program is not registered. If iDataName > 49 then program is registered, rather than straight boolean.

    Things like that. Because, yes they get your source code. If you name a function a curse word, they will certainly see it and have a good laugh.

    That's why I think MeltIce is good. If they want to crack your stuff, you can at least detect them and keep them busy for a bit.



  7. #7
    Join Date
    Sep 1999
    Location
    Philadelphia, USA
    Posts
    195

    Re: reverse engineering

    Oh and I don't want to scare you guys too much. Yes, they can see your exact C++ source, but at least they can't see your comments! Since comments are removed from the exe during compilation and linking.

    Anyway, in case anyone wants to have some fun here is the code to the infamous MeltIce.


    #include <windows.h>
    #include <string.h>

    //////////////////////////////////////////////////////////////////////
    //
    // See if SoftICE for Windows 95 is loaded
    //
    BOOL IsSoftIce95()
    {
        HANDLE hFile;
        char fname[5];
        char fullname[10];

        // Form the text SICE without characters that the hacker could see.
        fname[0] = 0x53;  // 'S'
        fname[1] = 0x49;  // 'I'
        fname[2] = 0x43;  // 'C'
        fname[3] = 0x45;  // 'E'
        fname[4] = 0x0;

        // Build the device path: the literal is \\.\ once the escapes are removed
        strcpy(fullname, "\\\\.\\");
        strcat(fullname, fname);

        // fullname is now \\.\SICE; CreateFileA because the buffer is a char
        // string, so this also compiles in UNICODE builds
        hFile = CreateFileA(fullname,
                            GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL,
                            OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL,
                            NULL);

        // The device only opens when the debugger's driver is loaded
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }

        return FALSE;
    }

    //////////////////////////////////////////////////////////////////////
    //
    // See if SoftICE version 3.x for Windows NT is loaded
    //
    BOOL IsSoftIceNT()
    {
        HANDLE hFile;
        char fname[6], fullname[10];

        // Form the text NTICE one character at a time
        fname[0] = 'N';
        fname[1] = 0x54;  // 'T'
        fname[2] = 0x49;  // 'I'
        fname[3] = 0x43;  // 'C'
        fname[4] = 0x45;  // 'E'
        fname[5] = 0x0;

        // Build the device path; 4 + 5 characters plus the terminator
        // exactly fill fullname[10]
        strcpy(fullname, "\\\\.\\");
        strcat(fullname, fname);

        // fullname is now \\.\NTICE
        hFile = CreateFileA(fullname,
                            GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL,
                            OPEN_EXISTING,
                            FILE_ATTRIBUTE_NORMAL,
                            NULL);

        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }

        return FALSE;
    }





  8. #8
    Join Date
    Mar 2000
    Location
    Birmingham, England
    Posts
    2,520

    Re: reverse engineering

    pisser.

    melt ice ?


    Jase

  9. #9
    Join Date
    Mar 2000
    Location
    Birmingham, England
    Posts
    2,520

    Re: reverse engineering

    From where do you call this, and what is it doing?


    Jase

  10. #10
    Join Date
    Sep 1999
    Location
    Philadelphia, USA
    Posts
    195

    Re: reverse engineering

    It detects if a user's computer is running SoftICE. It does this by opening the root program file for SoftICE. If it is not able to open this file, SoftICE is probably not running. If it is able to open this file, whamo - you got him. It then closes the file and does nothing else. The weird 0x56 codes are just hex codes for the ASCII letters S I C E so the hacker can't easily scan your code to look for "SICE" to know you want to detect him.

    It's really a cat & mouse game.

    You usually would call this in your CDialogApp::CDialogApp() constructor or in the InitApp() function. Anywhere your program initializes would be good so you can detect it without giving the hacker much time to break into your program.

    So maybe you do:


    // Function names spelled as they are defined in the earlier post
    if (IsSoftIce95() || IsSoftIceNT())
    {
        // User is running it.
        exit(0);
    }






  11. #11
    Join Date
    Mar 2000
    Location
    Birmingham, England
    Posts
    2,520

    Re: reverse engineering

    Right, I see.

    At what point can somebody with soft ice view my code? Can they just disassemble my exe as a disk file and see my code? If so, then the bRegistered = TRUE or nDataName = 65 trick doesn't look to be very useful. They'll soon notice that whatever condition is checked, if it's a certain value then it disables functionality - regardless of whether it's a bool or is an int called mygransmellsofwee.

    Are they only able to see a portion of it at a time, i.e. the code that is memory resident?

    And how does the code look? Clearly it's not laid out as a whole bunch of cpp and h class files. I'm trying to build up a mental picture of what can be seen at which point. From my current understanding, I don't see what benefit there is to placing the melt ice code early on in the app - you say it gives the cracker less time to break into your program. So soft ice only displays the code while it is running? Why can they not just break in on the first instruction called or start of execution?

    Please forgive my ignorance in this, it's enough for me to learn a programming language and a set of APIs, but I don't really have much concept of what the cpu is doing with my code while it's running. I know zero about asm.




    Jase

  12. #12
    Join Date
    Apr 2001
    Location
    USA, Knoxville, TN
    Posts
    255

    Re: reverse engineering

    In our case we are most interested in protecting algorithms, and from the various links you posted, it looks like we are completely hosed.

    I had thought that they could only get to the assembly level, but if they could get to even the C level, then they have us.


  13. #13
    Join Date
    Apr 2001
    Location
    USA, Knoxville, TN
    Posts
    255

    "pretty" example of DCC (GNU disassembler)

    http://www.itee.uq.edu.au/~csmweb/dcc.html#thesis

    but from above, sounds like SoftIce is way better.


  14. #14
    Join Date
    Apr 1999
    Posts
    27,444

    Re: reverse engineering

    In reply to:

    Yes, they can see your exact C++ source



    Where do you get this information from? Please, stop spreading this. This is not true at all. This is not Java, where the byte-codes do translate into a 1-1 relationship with the source.

    Once an EXE is there, the original source is lost. The best that can be done is to study certain patterns within the EXE, figure out what compiler might have been used, and then guess the structure of what the intent was. If a hacker sees something that looks like a jump table, they can assume it was a switch() statement, but maybe it was a v-table. The only thing that is left in the EXE (at least with VC++) are the symbols -- that's it.

    If you could get the original source code, can all of us here just burn all of our C++ source, keep only the executable files, and just get Soft-Ice to get us our code back instead of doing a backup of our original source? You realize how ridiculous that sounds, correct?

    Regards,

    Paul McKenzie


  15. #15
    Join Date
    Mar 2000
    Location
    Birmingham, England
    Posts
    2,520

    Re: "pretty" example of DCC (GNU disassembler)

    That link doesn't work for me, Todd.


    Jase
