Understanding the risk
When an
application is being created, the Compiler will compile the application
source code into several object files made of machine language code. Then the
object files are linked together to create the final executable.
Figure 1: Compilation of your source code
In the same
manner that the source code of an application is converted into machine code
at compilation time, there are tools that can convert a compiled application
into assembly language or a higher programming language. These tools are
known as dissemblers and de-compilers.
Figure 2: Decompilation of your application
An attacker
can use a dissembler or de-compiler to study how a specific application works
and what a specific routine does. When the attacker has a good knowledge of
the target application, he can modify the compiled application to alter his
behavior. For example, the attacker could bypass the routine that checks for
the trial period in an application and make it run forever or even worse,
cause the application to behave as if it was registered.
Software
Protectors
Software
protectors were created to keep an attacker from directly inspecting or
modifying a compiled application. A software protector is like a shield that
keeps an application encrypted and protected against possible attacks. When a
protected application is going to be run by the operating system, the
software protector will first take control of the CPU and check for possible
cracking tools (dissemblers or de-compilers) that may be running on the
system. If everything is safe the software protector will proceed to
decrypting the protected application and giving it the control of the CPU to
be executed as normal.
The
advantages of using a Software Protector are:
- Protect an application against piracy.
- Prevents attackers from studying how an
application is implemented.
- Will not allow attackers to modify an application
to change its behavior
The
Weakness
Since
software protectors were born, many attackers have centered most of their
efforts on attacking the software protectors themselves instead of the
applications. Many tools have been developed that aid in the attacking of
software protectors. These attacks often result in the attacker obtaining the
original application that is decrypted and has the protection wrapper
removed.
Figure 3: Common software protectors philosophy
The main
problem with software protectors is that they use protection techniques very
well known by crackers, so they can be easily bypassed with traditional
cracking tools. Another important problem in software protectors is that they
have restricted execution by the operating system, that is, they run with
normal application privileges. Because of this attackers can use cracking
tools that run at the same priority level as the operating system allowing
them to fully supervise what a software protector is doing at a certain time
and attack it in specific places.
Revolutionary
Solution
With
Themida¢ç , we have centered in the main weakness that software protectors
have thus providing a complete solution to overcome those problems. Themida¢ç
uses the SecureEngine¢ç protection technology that, when running in the
highest priority level, implements never seen before protection techniques to
protect applications against advanced software cracking.
Figure 4: Themida¢ç protection procedure
SecureEngine¢ç
defeats all current cracking tools that can be used against protected
applications and it will make sure that your protected applications are only
run in safe environments.
Figure 5: SecureEngine¢ç technology adds more strength to the existing protection
Features
- These are the key features of Themida¢ç:
- Anti-debugger techniques that detect/fool any kind of debugger
- Different encryption algorithms and keys in each protected application
- Anti-API scanners techniques that avoids reconstruction of original import table
- Automatic decompilation and scrambling techniques in target application
- Virtual Machine emulation in specific blocks of code
- Advanced Mutator engine
- SDK communication with protection layer
- Anti-disassembly techniques for any static and interactive disassembler
- Multiple polymorphic layers with more than 50.000 permutations
- Advanced API-Wrapping techniques
- Anti-monitors techniques against file and registry monitors
- Random garbage code insertion between real instructions
- Specialized protection threads
- Advanced Threads network communication
- Anti-Memory patching and CRC techniques in target application
- Metamorphic engine to scramble original instructions
- Advanced Entry point protection
- Dynamic encryption in target application
- Anti-tracing code insertion between real instructions
- Advanced Anti-breakpoint manager
- Real time protection in target application
- Compression of target application, resources and protection code
- Anti-¡°debugger hiders¡± techniques
- Full mutation in protection code to avoid pattern recognition
- Real-time simulation in target application
- Intelligent protection code insertion inside target application
- Random internal data relocation
- Possibility to customize dialogs in protected application
- Support of command line
- Many many more...
|