reverse engineering

Ok i may just be new to this fourm but i realized that meny of you dont seem to know much about protecting your programs. useing special coading like useing hex strings wont help you at all. the only proven methods that make it extreamly hard to extract coad is to check and see if some one is useing debugging api's probaly te best one to check is ReadProcessMemory or WriteProcessMemory as they allow them to look at your coad and modify it directly in memory very few hackers use c++ to hack a program. but thry do have to use these api's to make modifications to your program or to read what it is doing in memory. if you check and see if your porgram is being debugged then you have a greater chance that you will force them into useing a disasembler of some kind and you can throw those off by calling your fuctions useing global varables that temproaly store the adress of the function your about to call. cuppled with placing fake copys of your functions in memory.

using these methods will prevent all ametures from hacking your program but the pros who spend sevral hrous to sevral days will still get passed these.

btw. there are c/c++ decompilers but they are very hard to get ahold of and most hackers dont use them.

[edit]
oh i frogot another good mthod to use is to create an independant thread that checks to see if your program had been suspeded (paused/halted) and if so closes the program. i dont know if any of these methods work agenst softice but i'm almost sure that they will. as softive has to obey the same rules as any other program in windows.
[\edit]
[edit]
sorry i didnt read through the whole thread. i want to add that though there are c/c++ decompilers tehy dont keep variable names and such unless you compile them into your code ad debugging information. they will simply decompile working coad that is often ilegable without sevral hours of reading through it
[\edit]

Can anyone tell me where can I get SoftIce???

www.compuware.com

Why not just use windbg with two machines :) Granted SoFtIcE _legally_ costs hmm 1000.00 US somthing last time I looked well not really looked cause someone else pays those bills...

PS: when will this thread die? it's has far more disinformation than information...though maybe it will help in futher confusing the masses. It's good for a laugh though...

Quote:

---

Originally posted by briball

There is a defense against softice though, but I'm not sure it is this "MeltIce" since I can simply change file names. I accidently left it on (I have to restart to toggle it on or off) and tried to run a MS game. It "detected a debugger" and shut down. I never investigated, so your guess is as good as mine.

---

Perhaps...Age of Mythology... :) :) ;) that's just a guess at which game you were trying to play though...

Ha! That was a good guess of the game I was playing, just slightly off. It was Age of Empires II. If Age of Mythology does it as well then there is a new trend. I don't think it will be mainstream soon however.

Developing something for MS has its advantages I guess. Like access to the most sophisticated techniques to control Windows.

Anyway, SoftIce is useful for seeing what goes on in near real-time, but I have always used a dissassembler with it as well. Change some jmp or je commands in a hex editor and you bypass a password protection, etc. However, to figure out complex algorithms like this...Someone's better off just buying the information from you than spending so much time.

Original source is not and never was the point.

First, there is a distinct difference to Crackers and Hackers.

The former will almost ALWAYS work in assembler, and if softice is detected there is always w32dasm or IDA. Real Crackers are non destructive, the challenge is to find the best way to overcome a particular security system. The point is NOT free software. If you take the time to search the modern reverse sites, you will find tutorials for shareware/commercial proggers to help them make the security stronger. Softice IS the most powerful tool around at the moment, but certainly not the only one to use, for an experienced assembly progger, a dead listing (disassembly) is all thets needed, then a hex editor to patch. As stated before, nearly always the code is cracked then the software thrown away. The idea that crackers need to reverse just the simple code is ludicrous, many reversers are techs or proggers themselves, and after reversing a few harder pieces some of which can take weeks, it enebles you to go on and produce stronger code.

Hackers are mostly young, dumb and short of patience, these ones WILL give up after 10 minutes, but a cracker relishes reversing a tough protection scheme.

Finally, any code that runs on computers CAN be cracked, try a google search for clsid+pagemill or any such multi strings and you will start to get the picture. If you use C or C++ or VB using MS libs, then newbies will be able to open it in half an hour. Go seek the tutorials, for there are thousands and LEARN, don't fear them learn from them, and consider learning Assembler for your protection

Regards

eNkO:cool:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ECD4B(C)
|
:004ECD54 FF75C0 push [ebp-40]

* Reference To: ADVAPI32.RegCloseKey, Ord:0117h
|
:004ECD57 FF154C005400 Call dword ptr [0054004C]
:004ECD5D 837DEC01 cmp dword ptr [ebp-14], 00000001
:004ECD61 0F85F3000000 jne 004ECE5A

* Possible StringData Ref from Data Obj ->"CLSID"
|
:004ECD67 68D4A95A00 push 005AA9D4
:004ECD6C 8D4DE0 lea ecx, dword ptr [ebp-20]

* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:004ECD6F E808220200 Call 0050EF7C
:004ECD74 8D45DC lea eax, dword ptr [ebp-24]
:004ECD77 C645FC03 mov [ebp-04], 03
:004ECD7B 50 push eax
:004ECD7C FF75E0 push [ebp-20]
:004ECD7F 53 push ebx
:004ECD80 FFD7 call edi
:004ECD82 33DB xor ebx, ebx
:004ECD84 3BC3 cmp eax, ebx
:004ECD86 7512 jne 004ECD9A
:004ECD88 8D45D8 lea eax, dword ptr [ebp-28]
:004ECD8B 50 push eax

* Possible StringData Ref from Data Obj ->"{6E996511-A3ED-11d1-B7B8-0060975AE13F}"
|
:004ECD8C 685CD85A00 push 005AD85C
:004ECD91 FF75DC push [ebp-24]

* Reference To: ADVAPI32.RegCreateKeyA, Ord:011Ah
|
:004ECD94 FF1534005400 Call dword ptr [00540034]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ECD86(C)
|
:004ECD9A FF75DC push [ebp-24]

moral here DONT use unencrypted strings in codee, this bit of code is part of a routine relating to wether or not this key exists in Win Registry, if it does the trial is over. You will notice the (C)onditional jump reference so we know where to go back to. A simpler approach would be to change CLSID to KLSID then the return is always false. This is not the only protection in this piece of software there is also the infamous 0013C680 (15 days in seconds Hex) plus a couple of others, but all laid bare by 'dead listing'

This is why code that is not at least somewhat polymorphic will never be safe. Once you've been reading assembly for some time, it is just as easy to understand as c++, and is shipped with the product! Polymorphic code cannot be statically disassembled, and with appropriate checksum tests and similar environment checks during the "unrolling" of the code, you can prevent direct cracking efforts. This leaves only virtual processor technology that can read execution path, and patching can be made a non-polynomial problem with proper interlocking security checks.

Quote:

---

Originally posted by Mick_2002
PS: when will this thread die? it's has far more disinformation than information...though maybe it will help in futher confusing the masses. It's good for a laugh though...

---

I completely agree. This thread has quite lifted my spirits, and I lift my spirits to it in toast for the good times to come... :)

More safe thing will be integration of a kernel mode Driver ,because many programmers dont have Kernel mode debugger.
A best aproach would include polymorphic functions to fool the disassembler + sensitive algorithms in device drivers + and threaded (APC from DD) way to call the entry points so that debugger just gets fooled.
Periodical code overwriting ,extracting encry. code in memory and then executing it etc. are also better ways to eliminate the cracking of code.

P.S. Wait for few days I will post a very goood sample on anticracking.(AntiDebugging and AntiDisassembling tech.)

Quote:

---

Originally posted by Krishnaa
More safe thing will be integration of a kernel mode Driver ,because many programmers dont have Kernel mode debugger.

---

Plenty of Kernel mode debuggers are just a download away. As are the symbols. As a matter of fact I believe windbg and the OS symbols ship on the support CD's.

Yaa ,but think you can have total code rewriting implemented in that too. It makes any debugger hard to simultaniously debug many threads in diff. rings.

I seen in this thread several times about detecting if the program is being debugged. How is this done? Someone mentioned that there was an API to tell if debug CPU flag was on.


Thanks
Doc

IsDebuggerPresent() is the API.

It is however a pretty pointless. You may be able to keep out some of the extreme newbie crackers with this, but it isnt exactly difficult to view the API dump in Wdasm and NOP it out or jump it.

You can even use something like sice or frogsice to trick it into thinking the debugger isnt there.

All thats been said is without a doubt true. Ive learned by looking at other code and one technique if come accross to prevent reverse engineering has stood out from the rest. I have found the some app's use the ReadProcessMemory() (a windows api func) to veryify that that people have not altered you code. Remember most if not all breakpoint will change the in process memory so if you compare a segment of code while its in memory you can prevent people from inject jmp statements by actually checking veryifying the in proc memory. Break pts are usually an injected "int 3" statement which causes an exception which your debugger will catch and then say hey look we reached a break pt.
So you should beable to prevent people from even puting bp's in critical sections of code and remember dissassembling is alot easier when you can step through a working model of the code

Disassembly really isn't that hard. A determined dis-assembler can easily subvert pretty much any protection scheme you can come up with. Speaking from personal experience, I have disassembled entire operating systems; I have traced through and disassembled encrypted code segments; I have disassembled code that attacks debuggers; I have succesfully disassembled self modifying code written to prevent disassembling. All not terribly hard to do.

Most code protection schemes are load time schemes. The easiest way to attack your code, I would imagine is to attach a debugger, catch a key event like WM_COMMAND, and then snapshot/dissassemble/debug from there. It's pretty hard to imagine anything you could do to hold off a determined reverse engineer for much more than an afternoon.

Unfortunately, anyone who has the skills required to dis-assemble large blocks of code will also have the skills needed to subvert your code protection scheme.

On the other hand, you're going to end up investing a huge effort re-creating linker/loader relocation, which you're going to lose as soon as you try to protect your code segment in the binary.

Not worth the effort. My advice: get a new boss. Any real boss with real code worth really protecting should understand immediately why this is a waste of time.

I want to start out by saying thank you to "Paul McKenzie". He seems to be the only one in this thread that is passing along correct information.

Yes, it is true that SoftIce will allow a user to set a breakpoint on ANY Windows API call. Which also means that the code for detecting SoftIce is a joke. The hacker simply puts a breakpoint on CreateFile() and checks the parameters that are passed to it. This tells them what the user is attempting to do. If it's a check for SoftIce, simply jump over it or make the software think it didn't find it.

As for the concept of your EXE containing your C++ source code...the answer is NO! Assuming that your not an idiot and you are releasing a RELEASE build and not a DEBUG build of your application. Just for the sake of argument, let's say that you did release a DEBUG build and it included COFF style debugging information. In this case, yes you are giving out your source code. Not because it can be reverse engineered but because the COFF style debugging information includes your source in the EXE so a debugger can access it. However, the Microsoft Program Database, which is the default style in VC, does not. It creates a PDB file that contains the debugging information. So what lesson have we learned. :=) Don't release DEBUG versions of your software. However, if you need to be told that, then you should find another profession. :=)

If you build in a SoftIce check like the one someone mentioned earlier, make the function inline. Then include it in multiple places in your application. This will force the hacker to find every instance of this check in order to get the program to run correctly. This won't stop them but it will slow them down. If you don't make it inline then all they have to do is find the function and change it's return value. And every place in your application that calls this function will think SoftIce is not loaded.

The real question when it comes to reverse engineering is "Is it worth my time?". If a hacker has good reason to reverse engineer it then you have a concern. But this stuff is not easy, so hackers don't spend time on it unless they have something to gain from it. For example, like recognition for cracking Windows XP's registration.

If you really have a concern for this stuff check out a product called PECompact.

http://www.collakesoftware.com/PECom...SPECompact.htm

PECompact allows you to compress an EXE file and encrypt it. However, this only makes reverse engineering harder...not impossible. Nothing is impossible, so all you can hope to do is make it hard enough that the hacker says "forget it".

Good luck!

There is a lot of disassembler on the net not only softice. :rolleyes:

For me what was Olivier said:


>Only way to protect something is to make reverse engineering >as hard as possible: relocate user-supplied parameters, use >indirect querying, use multithreading and maybe hardware->dependend code snippets.
>But I believe that there's no really secure way to protect your >work

is the best thing that is possible to do. It can take a lot of time to a cracker to reverse your code, but there is always the possibility to do it.

<grin/> sorry but there is no getting back original code from an exe - simply wont happen - at all.
it will take an amazingly good dissasembler to get functionally equivalent code to teh binary. if i have a good compiler and go full optimisation the asm code can be mangled beyond recognition of its c++ counterpart.

:confused: i dont know what it is that you are referring too in softice - can i drop you an exe and expect by source code back ?
softice does a **** good job of taking windows for a ride with breakpoints and the full muddle.

i mentioned good optimisation right ? take a look at this
http://msdn.microsoft.com/msdnmag/issues/02/05/Hood/
also take a look at the profile of the guy who wrote that - does compuware/numega ring a bell about softice ?


:) rosh

interesting discussion ,but i agree with "Paul McKenzie" he is right

hmmmmmmmmmm good discusion here ,
I am new user of this forum and found this thread quite interesting , So i am also getting in with u guys ..... :)
Well, An .exe/P.E cannot be translated into C++ source, This is impossible . inspite of SoftIce or wat ever u have it can only manage to show u the piece of code of ur choice. Then reversing depends upon u how much u r good in Assembly, Guessing abt the instructions usage why the compiler inserted which instruction for which puspose?, and if u can answer this u can reverse any thing.
Theoritically code is never safe from the (good)reversers, They can crack it wat ever u make. Although it need a lot of time , experties
You can adopt some anti crack methods but still u cannot guarntee it is safe. You can raise exception on the prescence of say 1 debugger or say 2 but we cannot code for each debugger. Yeah every one know abt SoftIce and we do have code which raises the exception on it's prescence , so ur program never executes unless softice is removed . But wat abt Ollydbg, I know Ollydby can work even better then SoftIce. It starts ur application so ur application can be caught where it will try to raise exception , inserting nopes there will make calm ur application and it will obey olldbg .
And one thing more , IDA pro is a great dissassmbler it generates all the required stuff which a good reverser need. Do wat ever u want IDA pro will expose it all.
Agian let me repeat that the reversers can only extracts the algorithms( u cannot stop them in any way) and some times an assemble-able source file in assemby(Although it need a lot of donkey work), So usually they extract the algo and they can rewrite the code in c++ or wat ever they want once they have the algorithms
C the folowing link , and watch out wat they can do and wat cannot.

http://board.anticrack.de/

Regards feel free to ask me more.

Might I add a little twist to this very interesting thread? ;)

It has been multiply stated that the original (C/C++) source code cannot be obained from a release EXE/DLL. However, higher level source code similar in functionality to the original can be obtained. Several attempts at decompilers do exist, but I'd classify them as "work in progress" as of now. (see for instance http://boomerang.sourceforge.net/ )

Anyhow... moving to my question. When having the debug version of a C/C++ EXE or DLL (including the PDB), it should be possible to recreate the source. It is quite trivial, but lengthy, to do it by hand - stepping into the binary does reveal all kinds of information, including variable/function names, types and so on. Even class structure is embedded as debug information. Yet, I am not able to find any utility that automates the task. Does anyone have any useful information?

www.astalavista.com contains an article to reverse engineering ...

And there are many tools who can compress your code, and/or crypt it. And make it very hard to reverse engineer your programms. But there is a new tool in development: KORE (forgot the homepage, but will look for it)Kernel Of Reverse Engineering. This supposed to be a disassembler than can reverse simple constructions like if/else, while, for functions and calls to them ... I thought it looks something like that:

Code:

---

module "test.exe"
{
    function [#stdcall | #entry] [12] [4]
    {
          if  (param % 4) not 0x02 then
          {
                // assembler code goes here
          }
          else
          {

          }
    }
}

---

And the c code for it is something like that:

Code:

---

int main ( int argc, char* argv[] )
{
    if ( argc != 2 )
    {
        exit(0);
  }
  else
  {  // Go on
  }
}

---

But its under development ... Lets see what it becomes ... I also will search for an explanation of that code

Hi All

this is my first code on visual c++ 2010. main part is not working

can you please help

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

#define MT4_EXPFUNC __declspec(dllexport)

#include "math1.h"
#include <stdexcept>

#define BUFSIZE 1024
#define PIPE_TIMEOUT 5000
#define SERVER_NAME L"."
#define PIPE_NAME L"SamplePipe"
#define FULL_PIPE_NAME L"\\\\" SERVER_NAME L"\\pipe\\" PIPE_NAME

using namespace std;


namespace math
{

MT4_EXPFUNC double __stdcall Add1(double a1,double a2){a4=a1;a5=a2;return a6;}
MT4_EXPFUNC double __stdcall Add2(double a1,double a2){a6=a1;a7=a2;return a4;}


}

void pipez( )
{
BOOL flg;
DWORD dwWrite;
char szPipeUpdate[1024];
HANDLE hFile;

hFile = CreateFile(FULL_PIPE_NAME,GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);

if(hFile != INVALID_HANDLE_VALUE)
{

sprintf_s(szPipeUpdate,"CL1.58258");
flg = WriteFile(hFile, szPipeUpdate, strlen(szPipeUpdate), &dwWrite, NULL);

}

}



int main( )
{

if ( a4 > a7+0.00000 ) {pipez();}
if ( a5 < a6-0.00000 ) {pipez();}

return(0);
}

Quote:

---

Originally Posted by walker36

Hi All

this is my first code on visual c++ 2010. main part is not working

---

And what does your problem have to do with this 8-years old thread discussing something like "reverse engineering"? :confused:

Please, delete your post in this thread, create a new one and use Code tags around code snippets.
It would be also very useful if you read Announcement: Before you post....