flat assembler
Message board for the users of flat assembler.

String & Proc Encrypting
ic2, 16 Apr 2008, 06:59 (Joined: 19 Jan 2008, Posts: 75)
I wanted to post this at http://board.flatassembler.net/topic.php?t=8605 but snify is getting too near to a solution and I don't want to mess up the title of that thread, but itsnobody got me fired up.

I also wanted to post this at http://board.flatassembler.net/topic.php?t=8597 but his main subject is about AES and is far more important across the map (something even non-programmers would be interested in).

itsnobody:
Quote:
Then it'll be more difficult to hack, there's no such thing as anything impossible to hack, as long as it is encrypted and decrypted by the software itself it can be hacked

Keywords: "as long as" gave me an idea of how I want to start doing things :)

I have a good idea of how to use FASM and I am ready to build a small app from scratch in FASM. It will contain under 100 strings and about 40 procedures.
Quote:
as long as it is encrypted and decrypted by the software itself

I want to encrypt each and every string individually outside of the process with some strong encryption code and I also want to encrypt all the procedures that are not used during start-up. Then I'll place them in an include file and assemble it all together with FASM... then pack it with FSG or another suggested packer.

Is this possible? If so, what should I use? Are there links on the board where someone has done something like this already? Can I include a one-time pad here?

I don't know much about encryption and have never been good with math, but I do know how to follow orders.

Alexp:
Quote:
Please leave the mode of operation to someone who's done it before, if you mean to actually use my AES code then just tell me, don't use that library alone. Encrypting 16 bytes at a time reveals code patterns, which can give away major clues to your data.

I guess AES is used to encrypt files for storage on disk or for transferring files over a network, and is not really designed for encrypting code within an app. Is this true? What about Twofish, TEA, Blowfish and others?

Alexp:
Quote:
Oh yeah, encrypting your code (like decrypting on every function call?) does not make it invisible to reversers.

I'm not worried about professional reversers but I do want to make their job as hard as possible... For starters, the encryption code will not be in the final executable. It will only contain the decrypting code. Shouldn't this help to slow down the process?

Would using macros for decrypting help to obfuscate some of its activity? I'd also like to include Tommy's XOR Crypting Macro just because it looks good and may obfuscate the thing even more. I need opinions on this also. I'm just guessing things through.

Anyway, this is the way I chose to write and I'm glad to be starting from scratch. I don't know everything but I learned a lot through reading in the past three months, and if it wasn't for the help from the members of the board it would be many more months before I would understand even some of what I read.

Would you all please post some information based on what I am trying to do here. All ideas, suggestions and links will be greatly appreciated.


Thanks in advance
revolution, 16 Apr 2008, 07:48 (Joined: 24 Aug 2004, Posts: 20423, Location: In your JS exploiting you and your system; title: "When all else fails, read the source")
ic2 wrote:
I'm not worried about professional reversers but I do want to make their job as hard as possible... For starters, the encryption code will not be in the final executable. It will only contain the decrypting code. Shouldn't this help to slow down the process?
It is the decryption process that a hacker needs and it is the decryption process that your exe also needs, hence, it cannot be protected. It might slow someone down slightly, that is all.
ic2, 16 Apr 2008, 08:27
I'm not really worried about the professionals. I always wanted to learn how to do this anyway. Forget about them. Where do we start? :)
revolution, 16 Apr 2008, 09:05
ic2 wrote:
I'm not really worried about the professionals. I always wanted to learn how to do this anyway. Forget about them. Where do we start? :)
In that case then even a simple registry key with "daysremaning=30" will do the trick. You have to examine your threat model before you can decide how to overcome it. The last point below is the killer.

Does your opponent know how to read/edit the registry?
Does your opponent know how to read/edit binary files?
Does your opponent know how to use a debugger?
Does your opponent know how to reverse engineer?
Does your opponent know how to decode and rewrite programs?
Does your opponent know how to find another free alternative on the 'net?
ic2, 16 Apr 2008, 09:32
I don't understand. A simple registry key is a long way from what I described.
Quote:
I want to encrypt each and every string individually outside of the process with some strong encryption code and I also want to encrypt all the procedures that are not used during start-up. Then I'll place them in an include file and assemble it all together with FASM... then pack it with FSG or another suggested packer.

Sorry if my long post misled. Forget about my reasons why. This is all I want to do.
edfed, 16 Apr 2008, 09:40 (Joined: 20 Feb 2006, Posts: 4353, Location: Now)
revolution wrote:
Does your opponent know how to find another free alternative on the 'net?


non-free programs shall be only for professionals, specifics, hard to code, original, etc...
the only domain where not free is OK is for industry and professional programs.

for general purpose and public, it is always possible to find free/open source/GPL code, then there is no reason to focus on security when coding simple programs.

if your code is a special one for NASA, OK, you shall encrypt everything, but at least this code will never go out of the NASA rooms, never on the net, never at your own home, etc...

Non-free programs are really hard to find in reality (don't speak about the poor shareware programs on the web (full of bugs, etc...)).


edit:
I don't know why, but nowadays (2008) is a year highly focused on security... why? is there a war coming soon?

there are many, many forums focused on this shit of security today. like a marathon??? the first to achieve will fuck everybody or what?
revolution, 16 Apr 2008, 10:01
ic2 wrote:
I don't understand. A simple registry key is a long way from what I described.
Quote:
I want to encrypt each and every string individually outside of the process with some strong encryption code and I also want to encrypt all the procedures that are not used during start-up. Then I'll place them in an include file and assemble it all together with FASM... then pack it with FSG or another suggested packer.

Sorry if my long post misled. Forget about my reasons why. This is all I want to do.
Okay, maybe I was off on a tangent a bit, but one should still try to equate the extra time and bugs involved with adding encryption/security against the expected return in revenue. Even most large companies decide that encryption/security will eventually cost more in the long term than it provided in extra returns.

Never mind me, you can still go and do all the encryption/security stuff if you like. It will slow down an attacker a small amount, but not by much.
ic2, 16 Apr 2008, 12:20
Quote:
Okay, maybe I was off on a tangent a bit,

Funny, I grew up only to find it was always the super coders talking that way. I read 10 years' worth and that's what kept me from even wanting to be a programmer for years. So don't feel bad. I know this is not your true style on the subject. If it wasn't for you I would have given up FASM in a week like I did once before when I really wanted to try but was too afraid to ask for help. I saw many never receiving any.
Quote:
but one should still try to equate the extra time and bugs involved with adding encryption/security against the expected return in revenue.

I have no worries about time and I never wrote a bug. I debug with MessageBox and check every darn thing I do, as I go, many, many times... over and over again. That should give you an idea about the time I have wasted and I am willing to give that time to the art of security. Don't change my plan, I'm just including this: would you believe I mostly want to protect myself from Windows. It is full of sh*t and most people call it a bug, and Vista is a tricky bit*h. See how long I've been at it.

Quote:
Even most large companies decide that encryption/security will eventually cost more in the long term than it provided in extra returns.

But they still do it.... Did that stop you from protecting your most important projects? hee hee
Quote:
Never mind me, you can still go and do all the encryption/security stuff if you like..

I can't go on without you. :'( You don't fool me a bit. :? You are D Man :o
I don't want anyone's secret codes. I just want some great tips and maybe a few strong examples (whole or pieces) that no one really uses but that I know I can build a full uncut idea from with some imagination. I check my FASM e-mail every day if he chooses not to post it.

Quote:
It will slow down an attacker a small amount, but not by much

I'll worry about attackers after I'm finished.

:)
revolution, 16 Apr 2008, 13:37
ic2 wrote:
Funny, I grew up only to find it was always the super coders talking that way. I read 10 years' worth and that's what kept me from even wanting to be a programmer for years. So don't feel bad. I know this is not your true style on the subject. If it wasn't for you I would have given up FASM in a week like I did once before when I really wanted to try but was too afraid to ask for help. I saw many never receiving any.
Well, I'm no great coder, I probably just borrowed the words from someone who is. But I can't take recognition for your enthusiasm, it comes from inside, you would have found a way no matter what.

As for examples, I think it is still not entirely clear what you want to do. You mention including some output from another program so that would seem to require the 'file' directive?
ic2, 16 Apr 2008, 15:53
Code:
include 'win32ax.inc'

macro macroBITCH
{
        mov     eax, decrypt BIG_BOY
        and     SHAKE_HIM_DOWN
        ret
}

.code
  start:

        mov     eax, procCHICK

        call    BIG_BOY

        invoke  MessageBox,0,"Get me a beer baby.. What's for dinner!",0,0

        invoke  ExitProcess,0
; .............................................................
;  I've been totally crypted by Blowfish in another program but
;  somehow ic2 put me back inside here between two CHICKS.
;  I'm dead as a door nail.. That fool named ic2 even crypted
;  what ids me as a procedure ...  Even IDA can find me...
;  I've got to wait for my wife procCHICK or my slick ass
;  girlfriend macroBITCH to turn me on.

proc   BIG_BOY
endp

; .............................................................
;  I am the Decrypt for BIG_BOY's entire block of code ...
;  Not just what's inside the proc but the whole code block.
;  I think it's my turn to get a piece of BIG_BOY today.
;  I know he needs it if he wants to exist.  That macroBITCH
;  just jerks him around.

proc procCHICK

          mov     eax, decrypt BIG_BOY
          and     LOVE_HIM_WELL
endp

.end start

And I want to do the same for some strings. Is this possible or am I barking up the wrong tree? If all is well, what are the most recommended encryption tools I should use? And the hardest question of them all is how do I completely encrypt a single procedure. My guess is to place it in a separate asm file, assemble it, encrypt it, then assemble the results into the main file... But that didn't work for me, so I think there's more to it than that. So anyway, how can this be done.

My second guess is to know the address of the procedure and get or know its size and encrypt it.

I really want to do it the first way and I don't want to go into any reason WHY. But since you insist.. I just want to know how to do it all, then I can pick and choose and go deeper into it..


To all females repeat after me "it's only a joke"


revolution, 16 Apr 2008, 16:29
The user code:
Code:
include 'win32ax.inc'

.code
start:
        call    decode_some_shit
        call    the_shit
        invoke  ExitProcess,0

decode_some_shit:
        ; put whatever decryptor/decoder here you want
        ret

the_shit:
        ; raw bytes produced by the separately assembled "programmer code"
        file    'MyEncodedEncryptedBinaryStuff.bin'

.end start


The programmer code:
Code:
the_shit:
        invoke  MessageBox,0,0,0,0
        ret


But there is a problem with how to cross over your variables between processes. After you decode the_shit, all the pointers to things like MessageBox are not properly initialised. You will have to add some sort of translation layer.
asmhack, 16 Apr 2008, 16:29 (Joined: 01 Feb 2008, Posts: 431)
no imports + xor data/code section with fasm preprocessor + pack with fsg/mew.. should be fine ;)
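An added example of asmhack's "xor with the fasm preprocessor" idea, written for this edit and not taken from the thread: the assembler XORs the string bytes with load/store so the plaintext never lands in the output file, and a small routine decodes them in place at run time. Keeping everything in one fasm source, instead of revolution's separately assembled .bin pulled in with file, means invoke and the import table resolve normally, so no translation layer is needed. Assumed: fasm's standard win32ax.inc; XOR_KEY is a constructed key, and xstr, xor_decode and hello are names chosen here.

```asm
; Added example (not from the thread): a string XOR-obfuscated by the
; assembler itself and decoded in place at run time. Assumes fasm with
; its standard win32ax.inc; XOR_KEY is a constructed key.
include 'win32ax.inc'

XOR_KEY = 5Ah                   ; constructed key; note it ships inside the exe

; xstr name, 'text'
; Emits 'text' with every byte XORed by XOR_KEY, then a clear NUL, and
; defines name_len. load/store rewrite bytes already emitted, so the
; plaintext never reaches the output file; only the key and decoder do.
macro xstr name, str
{
 local ..stop, ..b
 name db str
 ..stop:
 repeat ..stop - name
  load ..b byte from name + % - 1
  store byte ..b xor XOR_KEY at name + % - 1
 end repeat
 db 0
 name#_len = ..stop - name
}

.data
 xstr hello, 'Encoded by the assembler, decoded at run time.'
 caption db 'xstr demo', 0

.code
start:
        ; The buffer lives in the writeable .data section, so decoding it
        ; avoids writing to the code section (the OS may block that).
        mov     esi, hello
        mov     ecx, hello_len
        call    xor_decode
        invoke  MessageBox, 0, hello, caption, MB_OK
        invoke  ExitProcess, 0

; xor_decode: esi = buffer, ecx = byte count; XORs each byte with XOR_KEY.
; Both this routine and the key are in the binary, so the string is hidden
; from a plain strings dump only; a debugger sees it right after the call.
xor_decode:
  .next:
        xor     byte [esi], XOR_KEY
        inc     esi
        loop    .next
        ret

.end start
```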
ic2, 16 Apr 2008, 16:41
I'm going to try that now.
Thanks revolution

asmhack, that does mean I use LoadLibrary/GetProcAddress for all my API calls. Just want to be sure. I've got all the pieces, going to try that too.
Thanks
revolution, 16 Apr 2008, 16:59
ic2 wrote:
...I use LoadLibrary/GetProcAddress for all my API calls.
You are likely to trigger a virus detection if you start doing that sort of thing. Also be mindful of writing to the code section, some OS version/settings will block you.
asmhack, 16 Apr 2008, 17:59
revolution wrote:
ic2 wrote:
...I use LoadLibrary/GetProcAddress for all my API calls.
You are likely to trigger a virus detection if you start doing that sort of thing. Also be mindful of writing to the code section, some OS version/settings will block you.


I remember one time I had made a VB application with "virus" or "trojan" (don't remember now) as the caption on the form, and the antivirus blocked it from loading XD
AlexP, 16 Apr 2008, 22:17 (Joined: 14 Nov 2007, Posts: 561, Location: Out the window. Yes, that one.)
IC2: I will be glad to make you whatever you want. I do suggest either EFB or OFB for modes of operation. Just tell me what you want, and how well you want it done.

Also, I'd recommend AES (I like 256 :)) for strong encryption, and I do believe performing checksums of the encrypted/decrypted code or data sections will help a hell of a lot to stop mid-debug tampering to get your code. I can also do this.

Also @ Ic2: The AES algo (even the much slower versions) has outperformed Twofish/Blowfish by quite a bit of speed. I would definitely suggest using it.

AsmHack: I've heard of "V1ruz" or something very odd and obfuscated like that, (more than that above) be picked up by a virus scanner.
daniel.lewis, 17 Apr 2008, 00:53 (Joined: 28 Jan 2008, Posts: 92)
If your program consists of a set of finite buffers of data which must, when transformed as described in the x86 documentation, perform some algorithm; then that algorithm can be Beale Ciphered or AES encrypted or XOR'd or any other similar means you may devise. It won't take me more than an additional 0.5 seconds to reduce it to pure assembler.

Allow me to posit that anyone capable of reverse engineering an executable with any margin of understanding it at all, is only just shy of understanding the above. I would argue that encrypting your algorithm will only prevent a very slim population from successful deobfuscation.

The act of obfuscating your algorithm will also slow it and bloat it, reducing its competitiveness. Reversers and customers alike will both lose the feeling that you're a collaborative party, which is damaging on multiple levels.

That said, if you still feel the urgent need to obfuscate, I am able to do so in a way that would prevent anyone who uses an emulator, debugger or flat assembler from understanding the algorithm in less than a month. Encryption certainly won't cut it, and it would be expensive.

_________________
dd 0x90909090 ; problem solved.
AlexP, 17 Apr 2008, 13:36
In other words, daniel believes it would be a shameful waste of time.

I, on the other hand, think that if you would like to encrypt your code/data, it's all up to you. Place it on a crackme site, the full code will probably be given back to you within hours.

I'd say go for it. Try it out, learn how it's done, you might even figure out a new way to do it that will make it much better. You cannot know until you try, so make it and then post it here so we can break it!!!!

PS: As I said briefly in my last post, I don't see much full-process encryption. Usually you just see checksums performed (in a discrete way) on the code, to find any 'int 3's. It is useful, and helps against a debugger. It would take a pretty good reverser to crack it then (or they would just nop out the hashing function :( ).
revolution, 17 Apr 2008, 13:44
AlexP wrote:
In other words, daniel believes it would be a shameful waste of time.

I, on the other hand, think that if you would like to encrypt your code/data, it's all up to you. Place it on a crackme site, the full code will probably be given back to you within hours.

I'd say go for it. Try it out, learn how it's done, you might even figure out a new way to do it that will make it much better. You cannot know until you try, so make it and then post it here so we can break it!!!!
Yes, good thoughts there, learning can never be overstated. As long as it is well known in advance that the resulting output won't be very difficult to reverse then go for it and don't be disappointed at how quickly another, properly motivated, person can crack it.

It will probably take you longer to code and debug it than a good hacker will take to reverse it. Just look at the Vista DRM fights, a classic example of wasting time with protection. But, as AlexP noted, there is nothing wrong with wasting time as long as you're learning.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.