 |
AutoHotkey Community
Let's help each other out
|
| View previous topic :: View next topic |
| Author |
Message |
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
 Posted: Thu Mar 13, 2008 11:36 pm Post subject: |
 |
|
| Scattered data, dummy instructions, fake system calls, do-nothing functions, complicated algorithms to do simple things, etc. If I give you sufficiently complex code, even if you decompile it, you will have no clue about what it does, or how to partition into self contained routines. The only thing you can do is to run it unchanged, but that you can do without decompiling. |
|
| Back to top |
|
 |
Oberon
Joined: 18 Feb 2008
Posts: 458
|
| Posted: Thu Mar 13, 2008 11:57 pm Post subject: |
|
|
| Obfuscation does not prevent reverse engineering, it can only slightly slow down an attacker. Essentially all you achieve is higher entropy of the same set of instructions, not encryption. Even lower level polymorphing code run under secure VMs are susceptible to physical memory based hacks. Remotely run applications can also be compromised with DoS related exploits. Isn't it ironic how you use ideas that you've already contested yourself. |
|
| Back to top |
|
|
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
| Posted: Fri Mar 14, 2008 12:38 am Post subject: |
|
|
| Oberon wrote: | | Obfuscation does not prevent reverse engineering |
The point was that reverse engineering gets you the code, but not the algorithm, not the functionality.
| Oberon wrote: | | all you achieve is higher entropy of the same instructions |
You don't use the same instructions: there are many ways to achieve the same result. Higher entropy is good enough if you need a million years to decode the program. Here the right paradigm is not encryption, because not even its developer can get back the source code from the binaries. What we need is a one-way function, which preserves the functionality, but hides the algorithm.
| Oberon wrote: | | Even lower level polymorphing code run under secure VMs are susceptible to physical memory based hacks |
If you don't know, what is stored in a memory location, it is of no help.
Those were too simple applications of the ideas, which would work, when properly used.
15 years ago I wanted to reverse engineer the 4dos command interpreter. It took me a week to figure out the logic of loading the compressed code piece-by-piece, decompressing it, executing and then overwriting the memory with the next piece. The code did not have obfuscation, scattered memory, dummy code, nothing which was to hide the algorithm. The interesting part was less than 100 KB highly optimized code, but still it was very hard to understand, what the code did. Now imagine a program 100 times larger, with all kind of obfuscation. If you have cracked one, you tell me, how much time it took. In my experience, it is cheaper to develop the code from scratch. The stories about extracting DRM keys from programs reflect poor designs, lack of protection, sloppy coding work. There are many DVD players and most of them were successful in hiding their secrets. If cracking was that easy, we would not have any DRM. |
|
| Back to top |
|
|
DerRaphael
Joined: 23 Nov 2007
Posts: 456
Location: Heidelberg, Germany
|
| Posted: Fri Mar 14, 2008 1:04 am Post subject: |
|
|
obfuscated ahk code example:
| Code: | VarSetCapacity(b,9,0)
VarSetCapacity(a,17,0)
VarSetCapacity(c,17,0)
NumPut(0x6557206f6c6c6148,a,0,"Int64")
NumPut(4784343847397451085,c,0,"Int64")
NumPut(1330464068,b,0,"UInt")
NumPut(2192492,a,8,"UInt")
NumPut(0x41786f,c,8,"UInt")
DllCall(c,"UInt",0,"UInt",&a,"UInt",&b,"UInt",0)
|
quite easy but difficult for implementing more complex designs.
what do y'all think about such?
grüße
derRaphael
_________________
|
|
| Back to top |
|
|
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
| Posted: Fri Mar 14, 2008 1:11 am Post subject: |
|
|
| It is still too simple, but a more complex version would be useful. It could implement mutual recursive function calls, dynamic fuction calls, where the function names are computed, dynamic variables, where their names are computed by complex functions, hotkeys are replaced by sytem calls, fake system calls are inserted, lots of GoTo's... It would make decoding harder. This obfuscator has to process your script before compiling, otherwise you would never find a bug. |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5887
|
|
| Back to top |
|
|
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
| Posted: Fri Mar 14, 2008 3:20 am Post subject: |
|
|
| I don’t think cryptic variable names help much. The attacker can just rename them to A, B,... Also, if you make a simple function name assignment (jh5438758jcsw=MessageBox), this one level indirection is easy to decode. You should compute the string MessageBox from several pieces, treated as a base64 number, etc., and the instructions should be in different subroutines. Until we don’t have several thousand commands, the obfuscation is not very effective. But then it slows down your script. |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5887
|
| Posted: Fri Mar 14, 2008 12:50 pm Post subject: |
|
|
| Laszlo wrote: | | Now imagine a program 100 times larger, with all kind of obfuscation. If you have cracked one, you tell me, how much time it took. In my experience, it is cheaper to develop the code from scratch. |
I am thinking in similar lines.
| Laszlo wrote: | | if you make a simple function name assignment (jh5438758jcsw=MessageBox), this one level indirection is easy to decode. |
both jh5438758jcsw and MessageBox should be encrypted with tea/rc4 algor and that was why I requested mcode.
I still think I can give the hacker a tough time. I want to write an obfuscator.
Edit: Typos corrected
Last edited by SKAN on Fri Mar 14, 2008 2:08 pm; edited 1 time in total |
|
| Back to top |
|
|
Lexikos
Joined: 17 Oct 2006
Posts: 2558
Location: Australia, Qld
|
| Posted: Fri Mar 14, 2008 1:46 pm Post subject: |
|
|
Since the script must be able to load the variables, how will you prevent a hacker from simply using the script to decrypt it for them? Whatever methods you use to retrieve a key and decrypt the file will be practically in plain sight. Even if it is obfuscated, a hacker may still use it without knowing how it works.
That is, assuming that anyone competent enough to extract a script from a "no decompile" executable will also be competent enough to edit the script...
On the other hand, if you use a custom script loader - i.e. convert the script to byte code, as Adam suggested - even if someone extracts the script, they will not be able to see how it works or edit it unless they understand the byte code format, which is unlikely. It shouldn't be very difficult: load the script as normal, call some function which dumps the code structures, and write and compile a script to load the structures back into memory. Of course, I haven't released the necessary functions yet... (Maybe I should spend less time arguing.  )
| SKAN wrote: | | I still think I can give the hacker a tough time. I want to write an obfuscator. |
By all means, write it. I look forward to seeing just how tough a time I'll have.  |
|
| Back to top |
|
|
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
| Posted: Fri Mar 14, 2008 1:56 pm Post subject: |
|
|
| SKAN wrote: | | both jh5438758jcsw and MessageBox should be encrypted |
Name encryption does not help: it is a one-to-one mapping.
| Lexikos wrote: | | Even if it is obfuscated, a hacker may still use it without knowing how it works. |
This is the maximum you can achieve: use it, but you cannot steal parts of it and you cannot modify it to your liking. This is often enough: if the program requires registration or paswords, it will not run normally without them, and you cannot hack it to run. |
|
| Back to top |
|
|
SKAN
Joined: 26 Dec 2005
Posts: 5887
|
| Posted: Fri Mar 14, 2008 3:37 pm Post subject: |
|
|
| Laszlo wrote: | | Name encryption does not help: it is a one-to-one mapping. |
Not neccessarily.. It will be better if I do not explain it.
BTW, I have never attempted to extract a script.
Can some mail me the techniques used, please ?
my addy is: arian dot suresh at gmail dot com
|
|
| Back to top |
|
|
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
| Posted: Fri Mar 14, 2008 7:02 pm Post subject: |
|
|
| SKAN wrote: | | It will be better if I do not explain it |
Security is often better if you don't keep the algorithms secret. This way good guys could find problems before the bad guys, and you have a chance to fix them, before too much harm. An example is SHA-2, a family of cryptographic hash functions, fully specified, still many secure protocols depend on it. Knowing the algorithm does not mean it is easy to reverse it. Also, secret algorithms tend to leak, and you will never know if it is still secret. |
|
| Back to top |
|
|
Guest
|
| Posted: Wed Mar 19, 2008 11:28 pm Post subject: |
|
|
here's the thing, even if you are a supergenious and can use the code, theres other supergeniouses who are smarter than you who will figure out how to do it anyway.
There are windows APIs to see if debuggers are attached. There are countermeasures the hacker can take to fool the API (eg by detouring it, or by modifying the debuggerpresent flag in memory). There are countercountermeasures that the developer can take (checking to see if the api isnt hooked, verifying the flag in memory). There are countercountercountermeasures the hacker takes to get around that.
If your script is valuable enough to someone, it will get cracked. Look how much money the music industry is throwing at music encryption technology, and pirates still get hacks to remove the protection. |
|
| Back to top |
|
|
Laszlo
Joined: 14 Feb 2005
Posts: 4016
Location: Pittsburgh
|
| Posted: Thu Mar 20, 2008 12:50 am Post subject: |
|
|
| Anonymous wrote: | | even if you are a supergenious and can use the code, theres other supergeniouses who are smarter than you who will figure out how to do it anyway. |
It is not necessarily true. You can quite easily define a one-way function, which is extremely hard to reverse. There are many examples, which have not been cracked for over 30 years, although it would yield millions to the cracker. It is not an arms race, when math is on your side.
| Anonymous wrote: | | Look how much money the music industry is throwing at music encryption technology, and pirates still get hacks to remove the protection. |
It is not that simple. First, protecting music is impossible: when you can listen, you can record it and distribute. Here the solution is legislative, not cryptographic: making it illegal to remove copy protection deters the majority of casual hackers. Professionals are fought by law enforcement.
Second, the music industry is not trying this impossible task really hard. You believe the media hype, which serves other purposes: explains the ridiculously high price of music, forces even harsher laws, etc. It is actually good for the music industry if some of the copy protection schemes get broken. |
|
| Back to top |
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
FAQ
Search
Memberlist
Register
Profile
Log in to check your private messages
Log in
