How can you hide the code of an exe file (written, for example, in Delphi) from being deciphered in a disassembler and, subsequently, from reversing?

Strings, for example, you can simply XOR, or shift each character by k positions in the ASCII table (the first is better, IMHO). But how do you hide the names of functions, or even entire blocks of code? After all, many developers (especially virus writers) love to do this, thereby hiding their “creations” from research by unauthorized persons. SpyEye, for one, hides from antiviruses the same way. So how can this be achieved?

  • 2
    I've always wondered how such questions come to mind. Nothing better to do? I would first do some research work myself; maybe then I could tell us something, or maybe such questions would simply disappear by themselves... - Gorets
  • 3
    I'm actually doing research on a malicious application right now and stumbled upon what I described in the question... PS: “crap” is written with a hyphen =) - AseN
  • @Asen, if the source is compiled in Release mode, then the function names are not kept in the executable. Also, to hide the code, you can use "bolt-on" protection such as ASProtect. - insolor
  • @insolor, this is very similar to an ordinary PE packer. - AseN
  • 1
    @megacoder, what do you think the purpose of a Q&A forum is? It seems to me it is quick and qualified real help, not expressing wishes that the author should learn or search for answers on the net. Otherwise, why is HashCode needed at all? - avp

1 answer

(I haven't done reversing for some time, so the information may be outdated.)

  • If we talk about serious obfuscation, then it makes sense to consider only languages that are compiled into machine code (C++, for example). Languages with an intermediate byte-code layer are usually easily reversible and, apparently, there are no more or less adequate ways to protect applications written in them.

  • Decent protectors perform a certain sequence of actions to protect the finished application from reversing:

  • Insert ready-made anti-debugging code fragments into the finished binary (for example, decrypting it at runtime), shuffle sections, perform tricky jumps; in general, make atomic changes (not changing the program's behaviour!) to the executable code that make it harder for a person to debug.

  • The person here is a reverse engineer, who opens your application in IDA, visually picks familiar patterns out of the disassembled listing, traces the application, substitutes the contents of the stack, and patches the application at runtime.

  • And the main purpose of these protective actions of the protector is to make the reverser say “Ugh, to hell with it, I'm sick of this,” since the protector's sequence of actions can always be undone in the reverse direction, given experience and knowledge.

  • A more serious defence, which sometimes stops even the coolest and most experienced reversers, is virtualization of the application code so that it executes on its own virtual machine (usually combined with the standard anti-debugging techniques described above). In this case, the virtual machine is embedded in the binary along with some IL code, which can look completely arbitrary. The parameters of the created machine can also be varied within certain limits; if you wish, you can write a virtual machine with ternary logic.

  • The bonus of this approach is that, for a full reversing of such an application, you need to somehow replay this very virtual machine. In such a situation (if the virtual machine is tricky enough), most of the standard tools and reverser techniques stop working out of the box. Which, again, brings the potential reverser closer to the state of “Thank you, I've had enough.”

  • Themida protects in exactly this way, down to the details.

  • In line with the above, if you want to protect your program more or less decently, write your own virtual machine and generate IL code for it from the existing object files of your application. This will weed out most of the reversers who were only recently told and shown what IDA is and how to apply a patch.

  • Quick test: to understand whether you can create more or less adequate protection with virtualization, try to break the CrackMe from ESET. If you understand it, including SSE and the general mechanics of the check, then you can get down to business.

  • There is always a set of ready-made public and private packers that you can use: Themida, ASProtect, FSG. It is also clear that there is always a set of people who are able to remove this or that protector.

  • 1
    The last link is broken. And there are not enough application identifiers in the text :-) - karmadro4
  • 1
    @Asen, programs packed with "ordinary" packers (a straightforward advertising phrase :) are unpacked by taking a memory dump + restoring the import table. And programs packed with UPX are unpacked by UPX itself (unless, of course, the signatures are lost; then see above). - insolor
  • 1
    Fixing the parser that eats underscores in users' nicknames needs to be raised as an issue, and then everyone is too lazy to escape them - Specter
  • 2
    O is a round slash :-) - karmadro4
  • 2
    Well, here it is: ¯ =) - Specter
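To make the "code virtualization" point of the answer concrete, here is a toy illustration added to this thread; it is not the answerer's code and not the scheme of Themida, ASProtect or any other real protector. It defines a small 8-bit stack machine with an IL whose opcode byte values are drawn at random per build (one of the "parameters of the machine" the answer mentions), assembles one constructed checking routine under two different opcode tables, and shows that the resulting bytes differ while the behaviour is identical. The mnemonics, the `CHECK_PROGRAM` routine, and the accepted value are all constructed for the example; a disassembler that does not know the table in use gets nothing useful out of the bytes, which is exactly why a reverser first has to recover the VM itself.

```python
"""Toy code-virtualization VM (constructed illustration for this thread;
not the code of any real protector)."""
import random
from typing import Sequence

# Mnemonics of the toy IL. Each instruction is two bytes: opcode, operand.
MNEMONICS = ("PUSH", "LOAD_ARG", "ADD", "XOR", "MUL", "JZ", "JMP", "RET")

# Constructed IL program: returns 1 if ((arg * 3) ^ 0x5A) & 0xFF == 0x2D, else 0.
# Jump operands are instruction indices, not byte offsets.
CHECK_PROGRAM = [
    ("LOAD_ARG", 0),  # 0: push the input byte
    ("PUSH", 3),      # 1
    ("MUL", 0),       # 2: arg * 3
    ("PUSH", 0x5A),   # 3
    ("XOR", 0),       # 4: (arg * 3) ^ 0x5A
    ("PUSH", 0x2D),   # 5: expected value
    ("XOR", 0),       # 6: zero iff the two are equal
    ("JZ", 10),       # 7: equal -> jump to "PUSH 1"
    ("PUSH", 0),      # 8
    ("RET", 0),       # 9: return 0
    ("PUSH", 1),      # 10
    ("RET", 0),       # 11: return 1
]


def random_opcode_table(seed: int) -> dict[str, int]:
    """Give every mnemonic a distinct random byte value.

    Each build can emit a different encoding of the same IL, so an opcode
    table learnt from one binary says nothing about the next one.
    """
    rng = random.Random(seed)
    return dict(zip(MNEMONICS, rng.sample(range(256), len(MNEMONICS))))


def assemble(program: Sequence[tuple[str, int]], table: dict[str, int]) -> bytes:
    """Encode (mnemonic, operand) pairs as 2-byte instructions under `table`."""
    out = bytearray()
    for mnemonic, operand in program:
        out += bytes((table[mnemonic], operand & 0xFF))
    return bytes(out)


def disassemble(bytecode: bytes, table: dict[str, int]) -> list[str]:
    """Decode bytecode with a given table; bytes the table does not know show as '??'.

    With the wrong table the listing is meaningless: the bytes are only data
    until the interpreter that gives them meaning has been understood."""
    decode = {code: name for name, code in table.items()}
    listing = []
    for i in range(0, len(bytecode), 2):
        name = decode.get(bytecode[i], "??")
        listing.append(f"{name} {bytecode[i + 1]:#04x}")
    return listing


def run(bytecode: bytes, table: dict[str, int], arg: int) -> int:
    """Interpret the bytecode on a tiny 8-bit stack machine and return the RET value."""
    decode = {code: name for name, code in table.items()}
    stack: list[int] = []
    pc = 0
    while pc < len(bytecode):
        op, operand = decode[bytecode[pc]], bytecode[pc + 1]
        pc += 2
        if op == "PUSH":
            stack.append(operand)
        elif op == "LOAD_ARG":
            stack.append(arg & 0xFF)
        elif op in ("ADD", "XOR", "MUL"):
            b, a = stack.pop(), stack.pop()
            stack.append({"ADD": a + b, "XOR": a ^ b, "MUL": a * b}[op] & 0xFF)
        elif op == "JZ":
            if stack.pop() == 0:
                pc = operand * 2
        elif op == "JMP":
            pc = operand * 2
        elif op == "RET":
            return stack.pop()
    raise RuntimeError("bytecode ran off the end without RET")


def same_behaviour(seed_a: int, seed_b: int, inputs: range = range(256)) -> bool:
    """Two builds with different opcode tables must accept exactly the same inputs."""
    ta, tb = random_opcode_table(seed_a), random_opcode_table(seed_b)
    ba, bb = assemble(CHECK_PROGRAM, ta), assemble(CHECK_PROGRAM, tb)
    return all(run(ba, ta, x) == run(bb, tb, x) for x in inputs)


if __name__ == "__main__":
    table = random_opcode_table(seed=1)
    code = assemble(CHECK_PROGRAM, table)
    print("bytecode:", code.hex())
    print("correct table:", disassemble(code, table)[:4])
    print("wrong table:  ", disassemble(code, random_opcode_table(seed=2))[:4])
    print("accepted inputs:", [x for x in range(256) if run(code, table, x) == 1])
```

Run as a script, it prints the build's bytecode, the first instructions as seen with the right and with a wrong opcode table, and the single input (125) the routine accepts. The scheme only raises the cost of analysis, as the answer says: anyone who reads the `run` loop out of the binary can rebuild the table and the disassembler, so a real protector also has to protect the interpreter itself with the anti-debugging and section tricks listed above.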