Introduction
Interesting characteristic (for me!) of .NET the Framework, is the possibility to simulate situations that they were possible
only using the language assembler x86. I refer, in particular, to the STACK (sequence of data). The Stack can be considered
(reductively) as an area of "temporary memory" in which the data they are visible in inverse order to just the insertion.
Background
To emulate an other programming language in order "to confuse" the code against the decompilers !
Using the code
In .NET, therefore, class STACK is present. The main methods exposed from the .NET class STACK are following:
- PUSH (Inserts the value in the stack. Equal instruction is present in the assembler language x86);
- POP (Extracts the value from the stack. Equal instruction is present in the assembler language x86);
- PEEK (Law a value from the stack);
- COUNT (Counts the elements on the stack).
example vb.net code:
Dim st As New Stack '<<< st.Push(1) 'insert 1 into the stack st.Push(2) 'insert 2... st.Push(3) 'insert 3... '+ Debug.WriteLine(st.Count) 'return: 3 Debug.WriteLine(st.Peek) 'return last value onto the stack: 3 '+ st.Pop() 'extract value 3 '+ Debug.WriteLine(st.Count) 'return: 2 Debug.WriteLine(st.Peek) 'return last value onto the stack: 2 '+ st.Pop() 'extract value 2 st.Pop() 'extract value 1 '+ Debug.WriteLine(st.Count) 'return 0
Understood as the stack works, for insertion/extraction of the data (*always* in inverse order), we are ready to implement
our algorithm of cryptography. We want to realize it (relatively simple), effective, it turns out to you always random source
code and that it comes dynamically executed from the compiler... then we want to construct a creative...vb.net...
Poly-Engine Crypter for the strings (...ehila! Who has said like the poly-engines present in the virus code? *yes* is the
answer!). In this tutorial I introduce to you like *only* implementing dynamic code using the functions of: sum, subtraction,
xor (for the nostalgic programmers of the assembler language x86: add, sub, xor) of byte.
We imagine of wanting to hide (crypt) the string:
Hello Word! (hex value: 48 65 6C 6C 6F 20 57 6F 72 64 21)
Dim _myStr As String = "Hello Word!" Dim rand As New Random 'used for randomize operations on the byte Dim _count As Integer '0=sub/1=xor/2=add/3=xor ...only your creativity :-))) Dim _valCrypt As Integer = 0 'temporary value Dim _value As Integer 'single char value Dim ik As Integer '<<< Debug.WriteLine("Dim st As New Stack(" & CStr(_myStr.Length - 1) & ")") Debug.WriteLine("Dim bCrypt As Integer = 0") 'init value 0 '<<< For ik = _myStr.Length To 1 Step -1 'from last char (stack inverse order) _count = rand.Next(0, 3) 'random value _value = Asc(Mid(_myStr, ik, 1)) '+ generation Debug.WriteLine(PolyEngineWrite(_valCrypt, _count, _value)) Debug.WriteLine("st.Push(bCrypt)") Next ik '...end procedure poly-generationPoly-Engine (core) Crypter:
Private Function PolyEngineWrite(ByRef valCrypt As Integer, _ ByVal count As Integer, _ ByVal value As Integer) As String Dim tempVal As Integer '<<< Select Case count 'SUB Case 0 tempVal = (valCrypt - value) 'XOR Case 1, 3 tempVal = (valCrypt Xor value) 'ADD Case 2 tempVal = (value - valCrypt) End Select tempVal = tempVal And 255 valCrypt = value Return ("bCrypt = StackDecrypt(bCrypt, " & CStr(count) & ", &H" & Hex(tempVal) & ")") End Function
Generated Source Code
...the generated source code is *always* different!
random output (vb.net source code) example:
Dim st As New Stack(10) 'lenght string - 1 Dim bCrypt As Integer = 0 '<<< bCrypt = StackDecrypt(bCrypt, 2, &H21) '01. 00h + 21h = 21h (!) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 1, &H45) '02. 21h Xor 45h = 64h (d) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 0, &HF2) '03. 64h - F2h = 72h (r) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 1, &H1D) '04. 72h Xor 1Dh = 6Fh (o) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 2, &HE8) '05. 6Fh + E8h = 57h (W) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 2, &HC9) '06. 57h + C9h = 20h (space) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 0, &HB1) '07. 20h - B1h = 6Fh (o) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 0, &H3) '08. 6Fh - 03h = 6Ch (l) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 0, &H0) '09. 6Ch - 00h = 6Ch (l) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 0, &H7) '0A. 6Ch - 07h = 65h (e) st.Push(bCrypt) bCrypt = StackDecrypt(bCrypt, 2, &HE3) '0B. 65h + E3h = 48h (H) st.Push(bCrypt)
The bytes comes manipulates from the StackDecrypt procedure and inserted into the stack with PUSH class method (sees
introduction):
Private Function StackDecrypt(ByVal bCrypt As Integer, _ ByVal iOpCode As Integer, _ ByVal iSalt As Integer) As Integer Select Case iOpCode 'SUB Case 0 bCrypt = (bCrypt - iSalt) 'XOR Case 1, 3 bCrypt = bCrypt Xor iSalt 'ADD Case 2 bCrypt = (bCrypt + iSalt) End Select bCrypt = bCrypt And 255 Return bCrypt End Function
**Now it does not remain that "to recompose" the string from the stack. For this last passage we can use (continuation of
the two examples of output):
Dim str As String = "" Dim ij As Integer For ij = 1 To st.Count str &= Chr(st.Pop)'it composes final string Next ij...the final string obtained from the dynamic process of the code decryption is: Hello Word!
Points of Interest
In a future article I will explain as it is possible to generate dynamic code in assembler language x86 and recalling it with
a callback execution!
With these techniques I try to implement secure code against the decompiler. It must be used in combination with a
obfuscator and a crypter. He will be available, to short, my .NET crypter ;-)
For other information please visits my web site (in continuos modernization)
History
July 2004: First Public Release (sorry for my bad english...i'm italian)
About Marcello Cantelmo
| President of the "Cantelmo Software" Company (situated in Lecce-Italy). Development Software and Professional Component for .NET Platform. Click here to view Marcello Cantelmo's online profile |
from: CodeProject.com
4040
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
