Software Protection: How to Crack Programs, and Defend...
© March 26, 2014 Christian Collberg
Software Protection:
How to Crack Programs, and
Defend Against Cracking
Lecture 5: Code Obfuscation II
Moscow State University, Spring 2014
Christian Collberg
University of Arizona
www.cs.arizona.edu/~collberg
Last week’s lecture
What is an opaque predicate?
Give two methods for constructing opaque predicates!
Give two algorithms that make use of opaque predicates!
Today’s lecture
1 Dynamic obfuscation algorithms
Dynamic Obfuscation
Static vs. Dynamic obfuscation
Static obfuscations transform the code prior to execution.
Dynamic algorithms transform the program at runtime.
Static obfuscation counters attacks by static analysis.
Dynamic obfuscation counters attacks by dynamic analysis.
Dynamic Obfuscation: Definitions
A dynamic obfuscator runs in two phases:
1 At compile-time transform the program to an initial configuration and add a runtime code-transformer.
2 At runtime, intersperse the execution of the program with calls to the transformer.
A dynamic obfuscator turns a “normal” program into a self-modifying one.
Modeling dynamic obfuscation — compile-time
[Figure: P → I (Create Initial Configuration) → P′ → T (Embed Runtime Transformer) → P′ with T embedded]
Transformer I creates P’s initial configuration.
T is the runtime obfuscator, embedded in P′.
Modeling dynamic obfuscation — runtime
[Figure: T is applied to P′ again and again, producing a sequence of configurations of P′, each with T embedded]
Transformer T continuously modifies P′ at runtime.
We’d like an infinite, non-repeating series of configurations.
In practice, the configurations repeat.
Algorithm Ideas
Basic algorithm ideas
Build-and-execute: generate code for a routine at runtime, and then jump to it.
Self-modification: modify the executable code.
Encryption: The self-modification is decrypting the encrypted code before executing it.
Move code: Every time the code executes, it is in a different location.
File-Level Encryption: Packers
[Figure: a packed binary containing a decryptor, a key and the encrypted code. Program: decrypt. Attacker: find key, find decryptor.]
Packers are simple tools that encrypt the binary, and include a routine that will decrypt at runtime.
Function-Level Encryption
[Figure: foo() is stored as f = Ek(foo) next to the key and decrypted with foo = Dk(f) before the call. Attacker: find key, find Dk, find f.]
You can also decrypt a function just before it gets called.
Build-And-Execute
[Figure: f = build(foo); at runtime foo = f() constructs foo() before it is called. Attacker: find f.]
You can generalize “encryption” to any embedded function that constructs the “real” code at runtime.
Self-Modifying Code
[Figure: fixup_foo() runs before foo() and fills in the holes in foo. Attacker: find fixup_foo, find foo.]
Leave “holes” in foo, fix them just before foo gets called.
Move Code Around
[Figure: foo(); move(); foo(); move(); with foo at a different location after each move(). Attacker: find foo.]
Continuously move code around to make it harder to find.
Granularity
These operations can be applied at different levels of granularity:
File-level
Function-level
Basic block-level
Instruction-level
Attack Goals
The attacker’s goal can be to:
recover the original code
modify the original code
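```c
/* &&label is the GNU C labels-as-values extension. */
int modexp(int y, int x[], int w, int n, int mode) {
   int R, L, k = 0, s = 1, t;
   /* pink: XOR the block between begin and end with the key 99 (decrypt) */
   char* p = &&begin;
   while (p < (char*)&&end) *p++ ^= 99;
   /* green: mode 1 only performs the initial encryption pass */
   if (mode == 1) return 0;
   while (k < w) {
      begin:   /* blue: the protected code, elided on the slide */
      ...
      ...
      end:
      k++;
   }
   /* yellow: XOR the block again (re-encrypt) */
   p = &&begin; while (p < (char*)&&end) *p++ ^= 99;
   return L;
}
int main() {
   makeCodeWritable(...);
   modexp(0, NULL, 0, 0, 1);   /* green: initial encryption */
   ...
   modexp(..., ..., ..., ..., 0);
}
```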
Code Explanation
The blue code is XORed with a key (99).
When the code is to be executed it gets “decrypted”, executed, and re-encrypted.
The green code would normally execute at obfuscation time.
Every subsequent time the modexp routine gets called the pink code first decrypts the blue code, executes it, and then the yellow code re-encrypts it.
Practical issues
Pages have to be modifiable and executable. (See next slide).
You have to flush the CPU’s data cache before executing new code you have generated. (Why?) X86 does this automatically.
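```c
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Make every page in [first, last] readable, writable and executable. */
void makeCodeWritable(caddr_t first, caddr_t last) {
   /* round both addresses down to a page boundary;
      uintptr_t (not int) keeps all address bits on 64-bit systems */
   caddr_t firstpage = first - ((uintptr_t)first % getpagesize());
   caddr_t lastpage  = last - ((uintptr_t)last % getpagesize());
   int pages = (lastpage - firstpage) / getpagesize() + 1;
   if (mprotect(firstpage, pages * getpagesize(),
                PROT_READ | PROT_EXEC | PROT_WRITE) == -1)
      perror("mprotect");
}
```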
Decrypting by Emulation
“Encrypting” binaries is often re-invented!
Attack: run the program inside an emulator that prints out every executed instruction.
The instruction trace can be analyzed (re-rolling loops, removing decrypt-and-jump artifacts, etc.) and the original code recovered.
Replacing Instructions
Kanzaki’s Algorithm
Motivation: make it hard for the adversary to snapshot the code.
Idea: replace real instructions by bogus ones.
Right before execution, the bogus instruction is replaced by the real one.
Just after execution, the real instruction is replaced by the bogus one!
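```c
int player_main (int argc, char *argv[]) {
   /* save the first byte of the real instruction at target,
      then overwrite it with a bogus byte */
   char orig = (*(caddr_t)&&target);
   (*(caddr_t)&&target) = 0;
   ...
   for(i=0;i<len;i++) {
      (*(caddr_t)&&target) = orig;   /* point A: restore the real instruction */
      ...
      target:                        /* point B: the protected instruction */
      printf("%f\n",decoded);
      (*(caddr_t)&&target) = 0;      /* point C: put the bogus byte back */
   }
}
int main (int argc, char *argv[]) {
   makeCodeWritable(...);
   player_main(argc,argv);
}
```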
Algorithm Details
Find three points A, B, C in the control flow graph.
Every path to B must flow through A and every path from B must flow through C.
At A: insert an instruction which overwrites the target instruction with its original value.
At C: insert an instruction which overwrites the target with the bogus value.
[Figure: control flow graph ENTER → A → B → C → EXIT, with B labelled target:; "move orig,target" is inserted at A and "move bogus,target" at C]
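An added example, not from the lecture: a C check of the placement rule above on a constructed control flow graph shaped like the loop in player_main. The node names, the graph and the third check (no path from C back to B that avoids A, which is how this sketch reads "every path to B" when loops are present) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define MAXN 16
/* Constructed CFG nodes: a loop head with A, B (target) and C in the body. */
enum { ENTER, HEAD, A, B, C, EXIT, NODES };

typedef struct { int n; unsigned char adj[MAXN][MAXN]; } Cfg;  /* adj[u][v]: edge u -> v */

static void edge(Cfg *g, int u, int v) { g->adj[u][v] = 1; }

/* Depth-first search: is `to` reachable from `from` once node `blocked` is removed? */
static int reachable(const Cfg *g, int from, int to, int blocked) {
    int seen[MAXN] = {0}, stack[MAXN], top = 0;
    if (from == blocked || to == blocked) return 0;
    stack[top++] = from;
    seen[from] = 1;
    while (top > 0) {
        int u = stack[--top];
        if (u == to) return 1;
        for (int v = 0; v < g->n; v++)
            if (g->adj[u][v] && !seen[v] && v != blocked) {
                seen[v] = 1;          /* each node is pushed at most once */
                stack[top++] = v;
            }
    }
    return 0;
}

/* Returns 1 if restoring at a and hiding at c is safe for the target b. */
int placement_ok(const Cfg *g, int entry, int exit_, int a, int b, int c) {
    if (a == b || c == b || a == c) return 0;
    if (reachable(g, entry, b, a)) return 0;  /* B can run while still bogus */
    if (reachable(g, b, exit_, c)) return 0;  /* real instruction left in place at exit */
    if (reachable(g, c, b, a)) return 0;      /* loop re-enters B after C without A */
    return 1;
}

/* ENTER -> HEAD -> A -> B -> C -> HEAD ... HEAD -> EXIT */
Cfg loop_cfg(void) {
    Cfg g;
    memset(&g, 0, sizeof g);
    g.n = NODES;
    edge(&g, ENTER, HEAD); edge(&g, HEAD, A); edge(&g, A, B);
    edge(&g, B, C); edge(&g, C, HEAD); edge(&g, HEAD, EXIT);
    return g;
}

int main(void) {
    Cfg g = loop_cfg();
    printf("A and C inside the loop:   %d\n", placement_ok(&g, ENTER, EXIT, A, B, C));
    /* Restoring only once, before the loop, breaks on the second iteration. */
    printf("restore at ENTER instead:  %d\n", placement_ok(&g, ENTER, EXIT, ENTER, B, C));
    Cfg skip = loop_cfg();
    edge(&skip, HEAD, B);             /* a branch that jumps past A */
    printf("with an edge HEAD -> B:    %d\n", placement_ok(&skip, ENTER, EXIT, A, B, C));
    Cfg early = loop_cfg();
    edge(&early, B, EXIT);            /* an early exit that skips C */
    printf("with an edge B -> EXIT:    %d\n", placement_ok(&early, ENTER, EXIT, A, B, C));
    return 0;
}
```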
Attack: set pages unwritable!
The attacker calls mprotect to set the code region to readable and executable, but not writable. (See next slide).
When the program tries to write into the code stream the operating system throws an exception.
Under debugging, see where this happens!
```
(gdb) call (int)mprotect(0x2000,0x3000,5)
(gdb) cont
EXC_BAD_ACCESS, Could not access memory.
KERN_PROTECTION_FAILURE at address: 0x00002934
0x000028c0 in player_main
30 (*(caddr_t)&&target) = orig;
(gdb) x/i $pc
0x28c0 <player_main+220>: stb r0,0(r2)
(gdb) print (char)$r0
$7 = -64
(gdb) print/x (int)$r2
$10 = 0x2934
```
Code Merging
Madou’s Algorithm: Dynamic Code Merging
Motivation: Keep the program in constant flux!
Every time the adversary looks at the code, it’s different!
Idea: Two or more functions share the same location in memory!
Before f is called, patch memory to ensure f is loaded.
Example: Original Code
Obfuscate a program that contains two functions f1 and f2:
f1:
0  10
1  5
2  6
3  20
4  99
f2:
0  10
1  9
2  3
3  20
To the left is the byte index in the function, to the right the code byte at the location.
Note: At index 0, both f1 and f2 have the same code byte (10).
Example: Obfuscation Time
During obfuscation replace f1 and f2 with the template T and two edit scripts e1 and e2:
T:
0  10
1  ?
2  ?
3  20
4  99
e1 = [1→5, 2→6]
e2 = [1→9, 2→3]
Example: Calling f1() at Run Time
Program calls f1(): patch T using e1.
Replace the code-byte at offset 1 with 5 and the code-byte at offset 2 with 6.
Example: Calling f2() at Run Time
If you call f1 again (without intervening calls to f2), no need to patch!!!
Program calls f2(): patch T using e2.
T’s memory region will constantly change, first containing an incomplete function and then alternating between containing the code-bytes for f1 and f2.
Algorithm step 1: Clustering
Decide which functions should be in the same cluster, i.e. reside in the same template at runtime.
Algorithm step 1: Clustering...
Avoid putting f1 and f2 in the same cluster if they are called like this:
```c
while(1) {
   f1();f2();
}
```
Algorithm step 2: Make scripts and patch routine
Create a template Tk containing the intersection of the code-bytes of the functions in ck.
For each function fi in ck create an edit script ei such that applying ei to the code-bytes of Tk creates the code-bytes of fi.
Dynamic Code Merging
Original code:
```c
int val = 0;
void f1(int* v) {*v=99;}
void f2(int* v) {*v=42;}
int main (int argc, char *argv[]) {
   f1(&val);
   f2(&val);
}
```
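```c
/* Obfuscated version: f1 and f2 share one template and each stub patches it
   on demand. The EDIT type and patch() are not shown on the slide. */
EDIT script1[200], script2[200];
char* template;
int template_len, script_len = 0;
typedef void(*FUN)(int*);
int val, state = 0;   /* state: which function the template currently holds */
void f1_stub() {
   if (state != 1) {
      patch(script1,script_len,template); state = 1;}
   ((FUN)template)(&val);
}
void f2_stub() {
   if (state != 2) {
      patch(script2,script_len,template); state = 2;}
   ((FUN)template)(&val);
}
int main (int argc, char *argv[]) {
   f1_stub(); f2_stub();
}
```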
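An added example, not code from the lecture: the template and edit-script construction of step 2 and the stub logic above, modelled on plain byte arrays using the f1/f2 code bytes from the earlier slides. The function names, the filler byte 0 for holes and the call sequences are assumptions of the example; bytes past the end of the shorter function are treated as "don't care", which reproduces the slides' template.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 16
#define HOLE   (-1)     /* template byte that differs between the merged functions */

typedef struct { int offset; unsigned char value; } Edit;
typedef struct { Edit e[MAXLEN]; int n; } Script;
typedef struct { unsigned char mem[MAXLEN]; int len, state, patches; } Region;

/* Code bytes of f1 and f2 from the slides' example; plain data, never executed. */
static const unsigned char F1[] = {10, 5, 6, 20, 99};
static const unsigned char F2[] = {10, 9, 3, 20};
static const unsigned char *FUNCS[] = {F1, F2};
static const int LENS[] = {5, 4};

/* Obfuscation time: keep a byte where every function covering that index agrees. */
int make_template(int tmpl[MAXLEN]) {
    int tlen = LENS[0] > LENS[1] ? LENS[0] : LENS[1];
    for (int pos = 0; pos < tlen; pos++) {
        int val = -1, hole = 0;
        for (int f = 0; f < 2; f++) {
            if (pos >= LENS[f]) continue;          /* past the end of this function */
            if (val < 0) val = FUNCS[f][pos];
            else if (FUNCS[f][pos] != val) hole = 1;
        }
        tmpl[pos] = hole ? HOLE : val;
    }
    return tlen;
}

/* Obfuscation time: the edit script holds the bytes function f needs in the holes. */
void make_script(int f, const int tmpl[], Script *s) {
    s->n = 0;
    for (int pos = 0; pos < LENS[f]; pos++)
        if (tmpl[pos] == HOLE) {
            s->e[s->n].offset = pos;
            s->e[s->n].value = FUNCS[f][pos];
            s->n++;
        }
}

/* Initial configuration: holes hold a filler byte, so the region is an incomplete function. */
void region_init(Region *r, const int tmpl[], int tlen) {
    r->len = tlen; r->state = -1; r->patches = 0;
    for (int i = 0; i < tlen; i++)
        r->mem[i] = tmpl[i] == HOLE ? 0 : (unsigned char)tmpl[i];
}

/* Run time: the stub patches only when the region does not already hold f. */
void call_merged(Region *r, int f, const Script *s) {
    if (r->state != f) {
        for (int i = 0; i < s->n; i++) r->mem[s->e[i].offset] = s->e[i].value;
        r->state = f;
        r->patches++;
    }
    /* a real stub would now jump to r->mem */
}

/* Replays a call sequence (0 = f1, 1 = f2); returns how often the region was patched. */
int count_patches(const int *calls, int n) {
    int tmpl[MAXLEN]; Script sc[2]; Region r;
    int tlen = make_template(tmpl);
    make_script(0, tmpl, &sc[0]);
    make_script(1, tmpl, &sc[1]);
    region_init(&r, tmpl, tlen);
    for (int i = 0; i < n; i++) call_merged(&r, calls[i], &sc[calls[i]]);
    return r.patches;
}

/* Returns 1 if template plus script alone reproduce f's original code bytes. */
int region_holds(int f) {
    int tmpl[MAXLEN]; Script s; Region r;
    int tlen = make_template(tmpl);
    make_script(f, tmpl, &s);
    region_init(&r, tmpl, tlen);
    call_merged(&r, f, &s);
    return memcmp(r.mem, FUNCS[f], LENS[f]) == 0;
}

int main(void) {
    int grouped[]     = {0, 0, 0, 1, 1, 1};   /* calls grouped by function */
    int alternating[] = {0, 1, 0, 1, 0, 1};   /* the while(1){f1();f2();} pattern */
    printf("grouped calls:     %d patches\n", count_patches(grouped, 6));
    printf("alternating calls: %d patches\n", count_patches(alternating, 6));
    printf("template + e1 == f1: %d\n", region_holds(0));
    printf("template + e2 == f2: %d\n", region_holds(1));
    return 0;
}
```

The alternating sequence patches on every call, which is the cost the clustering step tries to avoid. region_holds shows that the template and a script together fully determine the function, so the scheme hides nothing from anyone who can read both.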
Attacks
Note: the patch routine is in the clear!
Note: the scripts are in the clear!
Static attack:
1 Analyze binary, find patch routine and scripts.
2 Run each call to patch(Tk, ei) to recover the code!
Counterattack: Encrypt the scripts.
Counter-counterattack: Intercept the decrypted scripts at runtime.
Self-Modifying State Machine
Aucsmith’s algorithm
[Figure: cells C0 to C5]
A function is split into cells.
The cells are divided into two regions in memory, upper and lower.
One step
[Figure: cells C0 to C5 drawn twice, labelled orig and M0]
XOR!
[Figure: three pairs of cells combined with ⊕]
Why does this work?
A B
⇓ B ← B ⊕ A
⇓ A ← A ⊕ B
⇓ B ← B ⊕ A
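Why the three steps exchange the two cells, written out as an added derivation that is not on the original slides; $A_0$ and $B_0$ are names introduced here for the initial contents of A and B:

$$
\begin{aligned}
B_1 &= B_0 \oplus A_0 \\
A_1 &= A_0 \oplus B_1 = A_0 \oplus B_0 \oplus A_0 = B_0 \\
B_2 &= B_1 \oplus A_1 = B_0 \oplus A_0 \oplus B_0 = A_0
\end{aligned}
$$

Between the first and the last step, B holds only $A_0 \oplus B_0$.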
Runtime Encryption
Code as key material
Encrypt the code to keep as little code as possible in the clear at any point in time during execution.
Extremes:
1 Decrypt the next instruction, execute it, re-encrypt it, ... ⇒ only one instruction is ever in the clear!
2 Decrypt the entire program once, prior to execution, and leave it in cleartext. ⇒ easy for the adversary to capture the code.
Code as key material
The entire program is encrypted — except for main.
Before you jump to a function you decrypt it.
When the function returns you re-encrypt it.
On entry, a function first encrypts its caller.
Before returning, a function decrypts its caller.
⇒ At most two functions are ever in the clear!
Code as key material
What do we use as key? The code itself!
What cipher do we use? Something simple!
Simple case: tree-shaped call-graph:
[Figure: call graph: main → play; play → decode, decrypt; decrypt → getkey]
Before/after procedure call: call guard function to decrypt/re-encrypt the callee.
Entry/exit of the callee: encrypt/decrypt the caller.
Key: Hash of the cleartext of the caller/callee.
```c
#include <stdio.h>

/* The xxxSIZE constants are not defined on these slides;
   guard() is shown after play(). */

int player_main (int argc, char *argv[]) {
   int user_key = 0xca7ca115;
   int digital_media[] = {10,102};
   guard(play,playSIZE,player_main,player_mainSIZE);   /* decrypt callee play */
   play(user_key,digital_media,2);
   guard(play,playSIZE,player_main,player_mainSIZE);   /* re-encrypt play */
   return 0;
}

int getkey(int user_key) {
   guard(decrypt,decryptSIZE,getkey,getkeySIZE);       /* encrypt caller decrypt */
   int player_key = 0xbabeca75;
   int v = user_key ^ player_key;
   guard(decrypt,decryptSIZE,getkey,getkeySIZE);       /* decrypt caller decrypt */
   return v;
}

int decrypt(int user_key, int media) {
   guard(play,playSIZE,decrypt,decryptSIZE);           /* encrypt caller play */
   guard(getkey,getkeySIZE,decrypt,decryptSIZE);       /* decrypt callee getkey */
   int key = getkey(user_key);
   guard(getkey,getkeySIZE,decrypt,decryptSIZE);       /* re-encrypt getkey */
   int v = media ^ key;
   guard(play,playSIZE,decrypt,decryptSIZE);           /* decrypt caller play */
   return v;
}

float decode (int digital) {
   guard(play,playSIZE,decode,decodeSIZE);             /* encrypt caller play */
   float v = (float)digital;
   guard(play,playSIZE,decode,decodeSIZE);             /* decrypt caller play */
   return v;
}

void play(int user_key, int digital_media[], int len) {
   int i;
   guard(player_main,player_mainSIZE,play,playSIZE);   /* encrypt caller player_main */
   for(i=0;i<len;i++) {
      guard(decrypt,decryptSIZE,play,playSIZE);        /* decrypt callee decrypt */
      int digital = decrypt(user_key,digital_media[i]);
      guard(decrypt,decryptSIZE,play,playSIZE);        /* re-encrypt decrypt */
      guard(decode,decodeSIZE,play,playSIZE);          /* decrypt callee decode */
      printf("%f\n",decode(digital));
      guard(decode,decodeSIZE,play,playSIZE);          /* re-encrypt decode */
   }
   guard(player_main,player_mainSIZE,play,playSIZE);   /* decrypt caller player_main */
}
```
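```c
/* XOR is its own inverse, so the same routine encrypts and decrypts.
   As written, the loop runs words-1 times. */
void crypto (waddr_t proc,uint32 key,int words) {
   int i;
   for(i=1; i<words; i++) {
      *proc ^= key;
      proc++;
   }
}

/* XOR proc with a key hashed from the current contents of key_proc.
   waddr_t, uint32 and hash1() are not defined on these slides. */
void guard (waddr_t proc,int proc_words,
            waddr_t key_proc,int key_words) {
   uint32 key = hash1(key_proc,key_words);
   crypto(proc,key,proc_words);
}
```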
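The guard scheme above, simulated on data as an added example (not code from the lecture): constructed word arrays stand in for the five function bodies, and a word-wise FNV-style hash is an assumed stand-in for hash1(). It checks that at most two bodies are ever in the clear, and that a one-word patch to the caller changes the key so the callee no longer decrypts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFUNC 5
#define WORDS 4   /* constructed body size, in 32-bit words */
enum { MAIN, PLAY, DECRYPT, GETKEY, DECODE };
static const int parent[NFUNC] = { -1, MAIN, PLAY, DECRYPT, PLAY }; /* call tree */
static uint32_t clear_ref[NFUNC][WORDS]; /* reference cleartext, for checks only */
static uint32_t image[NFUNC][WORDS];     /* simulated code memory */
static int max_clear;                    /* most bodies seen in the clear at once */

/* Assumption: word-wise FNV-1a-style hash standing in for hash1(). */
static uint32_t hash1(const uint32_t *p, int words) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < words; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* XOR proc with a key hashed from the current contents of key_proc. */
static void guard(uint32_t *proc, int proc_words, const uint32_t *key_proc, int key_words) {
    uint32_t key = hash1(key_proc, key_words);
    for (int i = 0; i < proc_words; i++) proc[i] ^= key;
}

/* One guard call on the live image, then record how many bodies are clear. */
static void step(int target, int key_fn) {
    guard(image[target], WORDS, image[key_fn], WORDS);
    int n = 0;
    for (int f = 0; f < NFUNC; f++) n += !memcmp(image[f], clear_ref[f], sizeof image[f]);
    if (n > max_clear) max_clear = n;
}

/* Shipped image: all but main stored XORed with the hash of the caller's cleartext. */
static void build_image(void) {
    for (int f = 0; f < NFUNC; f++)
        for (int i = 0; i < WORDS; i++)   /* constructed sample "code" words */
            clear_ref[f][i] = image[f][i] = 0x1000u * (uint32_t)(f + 1) + (uint32_t)i;
    for (int f = 1; f < NFUNC; f++)
        guard(image[f], WORDS, clear_ref[parent[f]], WORDS);
    max_clear = 0;
}

/* Simulate f executing and calling each of its callees in turn. */
static void run(int f) {
    for (int c = 1; c < NFUNC; c++) {
        if (parent[c] != f) continue;
        step(c, f);   /* caller decrypts callee: both are in the clear */
        step(f, c);   /* on entry, callee encrypts its caller          */
        run(c);
        step(f, c);   /* before returning, callee decrypts its caller  */
        step(c, f);   /* caller re-encrypts the callee                 */
    }
}

int max_functions_in_clear(void) { build_image(); run(MAIN); return max_clear; }

/* Let main's guard decrypt play, optionally after a one-word patch to main.
   Returns 1 if play comes out as its cleartext. */
int play_decrypts(int patch_main) {
    build_image();
    if (patch_main) image[MAIN][2] ^= 0x90u;   /* constructed one-word patch */
    guard(image[PLAY], WORDS, image[MAIN], WORDS);
    return !memcmp(image[PLAY], clear_ref[PLAY], sizeof image[PLAY]);
}

int main(void) {
    printf("max in clear: %d, play ok untouched: %d, after patch: %d\n",
           max_functions_in_clear(), play_decrypts(0), play_decrypts(1));
    return 0;
}
```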
Discussion
Code Obfuscation — What’s it Good For?
Diversification — make every program unique to prevent malware attacks
Prevent collusion — make every program unique to prevent diffing attacks
Code Privacy — make programs hard to understand to protect algorithms
Data Privacy — make programs hard to understand to protect secret data (keys)
Integrity — make programs hard to understand to make them hard to change
Evaluate Me!
Mid-Course Evaluation!
1 Take a piece of paper that I pass around.
2 Write GOOD on one side of the paper.
3 Write BAD on the other side of the paper.
4 Write undergraduate/master/PhD.
5 Write your year/major.
What should I write?
1 You can write in English or Russian.
2 You can be anonymous, of course!
3 You can be brutally honest!
4 Be as specific and constructive as you can!
What should I comment on?
1 On either side of the paper, please comment on:
Difficulty of the course.
English is easy/hard to follow?
Topics covered in the course.
Style of lectures.
In-class exercises.
Slides.
2 Anything else you would like to say!
How else can I evaluate you?
1 You can also comment on me on ratemyprofessors.com/ShowRatings.jsp?tid=787531
2 Of course, you can always send me email to tell me how you feel about the course!
3 Thank you — this will help me the next time I teach this course!
Next week’s lecture
1 Tamperproofing algorithms
2 Please check the website for important announcements: www.cs.arizona.edu/~collberg/Teaching/mgu/2014