flat assembler
Message board for the users of flat assembler.

Most recommended PE protection tool?

OzzY



Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
OzzY
You all ASM experts, tell me what's the best free PE protection tool?
Or are you also thinking "everything is crackable"?
Or should I build my own protection?

Thanks
Post 22 Sep 2007, 15:47
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
"best" is hard... depending what kind of protection you desire. Maybe I could protect something for you with SVKP if you like... Wink
Post 22 Sep 2007, 21:30
Vasilev Vjacheslav



Joined: 11 Aug 2004
Posts: 392
Vasilev Vjacheslav
use upx
Post 30 Sep 2007, 19:03
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
UPX != protection.

And if you use some tool to make it "un-decompressable", you're violating the UPX license and effectively putting your entire program under the GPL (go ahead, read the UPX license) - besides it's not too hard to dump+reconstruct UPX.
Post 30 Sep 2007, 19:07
OzzY



Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
OzzY
Hey fodder!
Do you mean that using UPX + renaming the UPX sections to something different to make it difficult to uncompress will violate the license?
Post 30 Sep 2007, 22:05
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Ozzy: I guess this was the answer:
Quote:
go ahead, read the UPX license


Razz Wink
Post 30 Sep 2007, 22:16
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Here's relevant parts of the UPX license:

http://upx.sourceforge.net/upx-license.html wrote:

1. You must compress your program with a completely unmodified UPX
version; either with our precompiled version, or (at your option)
with a self compiled version of the unmodified UPX sources as
distributed by us.
2. This also implies that the UPX stub must be completely unmodified, i.e.
the stub imbedded in your compressed program must be byte-identical
to the stub that is produced by the official unmodified UPX version.
3. The decompressor and any other code from the stub must exclusively get
used by the unmodified UPX stub for decompressing your program at
program startup. No portion of the stub may get read, copied,
called or otherwise get used or accessed by your program.

...

- You can use a modified UPX version or modified UPX stub only for
programs that are compatible with the GNU General Public License.

- We grant you special permission to freely use and distribute all UPX
compressed programs. But any modification of the UPX stub (such as,
but not limited to, removing our copyright string or making your
program non-decompressible) will immediately revoke your right to
use and distribute a UPX compressed program.

- UPX is not a software protection tool; by requiring that you use
the unmodified UPX version for your proprietary programs we
make sure that any user can decompress your program. This protects
both you and your users as nobody can hide malicious code -
any program that cannot be decompressed is highly suspicious
by definition.
Post 30 Sep 2007, 22:26
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
f0dder

I'm not sure if I understand properly what you wrote. Imagine such a situation:

Assume that we have an executable E and we compress it with UPX, i.e. get the executable E'=UPX(E). Let us have another compressor X and compress E' with it to obtain E''=X(E')=X(UPX(E)).

Question: Does it mean that our executable E'' falls under the GPL license (the UPX header can be modified by the X packer)?
Post 09 Oct 2007, 13:39
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
MHajduk: it might just mean that, yes - I'm pretty sure the UPX authors made the license this way because they always want end-users to be able to unpack executables compressed with UPX, being in the GPL spirit and all.
Post 09 Oct 2007, 14:18
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
wow, compressing compressed executable... that might easily not work.
Post 09 Oct 2007, 14:21
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
vid

It works. Smile I've found such an X which compresses a UPX-ed executable and, what is funny, UPX crashes when you try to decompress E''. Very Happy
Post 09 Oct 2007, 14:25
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Report it to UPX developers. They got a bug there.

Parsing PE headers safely is a very irritating task Smile
Post 09 Oct 2007, 15:23
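
Added example (not part of the thread and not UPX's own code): a minimal Python sketch of the bounds checking that makes PE header parsing tedious, where every offset and count read from the file is validated before it is used. The function names and the header-only sample image are constructed for illustration.

```python
import struct

class PEFormatError(ValueError):
    """Raised when a header field points outside the file."""

def need(data, off, size, what):
    # Every offset read from the file is untrusted: check it before use.
    if off + size > len(data):
        raise PEFormatError(f"{what} at {off:#x}+{size} exceeds file size {len(data)}")

def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] after validating each range."""
    need(data, 0, 0x40, "DOS header")
    if data[:2] != b"MZ":
        raise PEFormatError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    need(data, e_lfanew, 24, "PE signature and COFF header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("no PE signature")
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    need(data, table, count * 40, "section table")
    sections = []
    for i in range(count):
        name, _vsize, _rva, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, table + i * 40)
        need(data, raw_off, raw_size, f"raw data of section {i}")
        sections.append((name.rstrip(b"\0").decode("latin-1"), raw_off, raw_size))
    return sections

def has_upx_names(sections):
    # Heuristic only: section names are free-form labels.
    return any(name.startswith("UPX") for name, _, _ in sections)

def build_sample(names, claimed=None, raw=(0, 0)):
    """Constructed header-only PE image for the demo (not a real program)."""
    count = len(names) if claimed is None else claimed
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, count, 0, 0, 0, 0, 0x102)
    rows = b"".join(struct.pack("<8sIIII", n, 0, 0, raw[1], raw[0]) + b"\0" * 16
                    for n in names)
    return dos + coff + rows

if __name__ == "__main__":
    print(parse_sections(build_sample([b"UPX0", b"UPX1", b".rsrc"])))
```
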
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
This bug should be very interesting for us (especially for those who are interested in application protection). Smile

Very simple example.
  • E = MINIPAD.EXE (from FASM examples) - size 5632 bytes,
  • E' = UPX(MINIPAD.EXE) - size 4096 bytes (72,73% E),
  • E'' = X(UPX(MINIPAD.EXE)) - size 3902 bytes (95% E').
Try to de-UPX E''. Very Happy


[Attachment: upx_crash.png - UPX crash]
[Attachment: x_upx_minipad.zip - E'' = X(UPX(MINIPAD.EXE))]

Post 09 Oct 2007, 16:22
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
so it DIDN'T crash.
Post 09 Oct 2007, 16:30
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
Ok, it isn't a "crash", but UPX failed to decompress it (internally the executable looks like a "normal" UPX-ed one).
Post 09 Oct 2007, 16:32
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Hajduk, just remember that you're most likely violating the UPX license if you're doing this. And you might as well use a real protector instead.
Post 09 Oct 2007, 22:04
rugxulo



Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
rugxulo
I think protection is usually looked upon as irritating, especially by some antivirus vendors because it can be used in bad ways. However, there's no use arguing against it completely (although I do feel it's pretty useless, you're not hiding national security secrets or anything, are you??).

UPX is good, please do use it (faster downloads, at least). But yeah, you can't modify the stub or prevent the .EXE from being unpacked without releasing such changes publicly.
Post 13 Oct 2007, 21:29
OzzY



Joined: 19 Sep 2003
Posts: 1029
Location: Everywhere
OzzY
I guess a good protection would be using a very unknown packer.
So the crackers would not be able to unpack it.

BTW, if I write software in ASM I have no problems adding encryption and junk code by hand.
But when using HLLs it's not possible without an external tool.
Post 13 Oct 2007, 23:14
smoke



Joined: 16 Jan 2006
Posts: 42
smoke
I don't think you're right about this... I think it's just a matter of time and motivation till someone cracks this unknown protector... Wink
Post 14 Oct 2007, 08:32

Copyright © 1999-2020, Tomasz Grysztar.
