Protection by Emulation
Hi Guys,
I was thinking about protecting an exe by completely emulating some part of the protected code. I am just curious to know whether any protector does this already. Thanks
ASprotect Virtual Machine
ASProtect can emulate users' functions and run them in its own VM:
Now we're preparing the draft of the documentation for ASProtect 2.0 (short keys version), hope to see the alpha version in two weeks. Sorry for the delay with this product but we've decided to develop an absolutely new product (earlier we'd supposed just to add short keys support to the current version) and it took much more time. Thanks for your help! So now a few words about the new beta version: We've rewritten many parts of the previous 1.3 beta version in order to fix possible problems under Windows 2000 and here are the main features of this version:

1. New EntryPoint Protection
This improved option now uses an advanced technique for changing part of the application and placing it into the envelope's code. The original code content is changed through emulation and polymorphic replacement. Since this version, EntryPoint protection uses a Virtual Machine, which makes the removal or recovery of the original code practically impossible. You can change this option via the Option Tab ("Protect Original Entry Point" option).

2. Emulate Standard system functions
One more good option against manual unpacking: ASProtect just removes some common functions from the protected application and executes them in the envelope code. You can change this option via the Option Tab ("Emulate Standard system functions" option).

3. New ASProtect polymorphic markers (for EXE files only!)
By using these marks you can protect any code inside your application. In order to use the new marks, you need to insert one mark instance at any place in the code inside the function you would like to protect, e.g. place a polymorphic mark at the top of some function's code. The code fragment from this mark to the end of this function will be erased and replaced with a polymorphic analogue. ASProtect will change its content through emulation (like for the EntryPoint Protection), so it will be impossible to restore or even to understand the working principles of the original code, and much more :rolleyes:
well..well..little failure here is the 55min delay between
"nice question" & "powerful answer"..
If I'm not mistaken, Starforce3 uses emulation (an interpreter).. but then.. having never had a Starforce3 exe in my hands, I can't be certain.
WARM3CH - I agree with you. But bytecode languages like VB, Java and C# have very high-level machine code. They are very easy to interpret and understand compared to x86. I am talking about something like BOCHS. How about completely transforming the x86 instruction table into another table? For example EB represents the JMP instruction. Why not change it to 5C in the protected part of the exe and emulate 5C as the JMP instruction in the emulator? It is also possible to use a different instruction table with each protection. I understand this involves a lot of work, but you can do a lot of things inside an emulator.
Does Krypton use emulation? He talks about k-execution, k-emulation etc... Thanks guys for your replies.
I agree that VM bytecodes are very different from real machine code. My point was just to remind everyone of a KNOWN similar thing that has been addressed by the crackers.
About changing the meaning of bytecode or, as you say, changing the instruction table to another one: we are not in fact changing anything but may add one (easy) level of protection to the scheme. But all in all, I agree that using emulation can make cracking much more difficult and personally, being the old guy that I am, I would not be really interested in cracking such a target unless there is a big motivation for that :)
[Does Krypton use emulation? He talks about k-execution, k-emulation etc...]
YES, Yado made a good start with this Krypton. I first saw this 'emulation' (i.e. take the running code out of the exe and put it in the protector code) after analyzing V0.03 a few years ago. Now it appears to be de rigueur for the commercial protectors. Now ACProtect 1.10->1.23 applies the same technique and so will ASProtect 1.31. I am sure that all commercial protectors reverse engineer each other's products :o and 'share' ideas. I believe this is a good way to go for them because, as Alexey Soldovnilov says, and we can see, the lame programmer cannot understand how to really use his investment in software protection to protect FULLY. They don't use encrypted bytes and registered blocks at all, meaning the protector becomes just a packer. So if the protector automatically makes scrambled stolen bytes and code emulation it gives us a little more work to do :rolleyes:
You are right, Star Force 3 does use its own Pcode.
Hi H3Xenoic,
My scarce intelligence tells me that you are an ASProtect developer??? Maybe everybody here knows that but me :) If yes, any public version or keep it only for customers? Thanks.
VM - impossible???
Hello folks,
Please think twice before posting "impossible". Star Force uses its own VM too (I have been playing with it several times) and is cracked each time. What would I do if ASProtect used a VM? Simply, I would spend 3-5 days writing an IDA plugin which would be the PCode emulation of the new ASProtect. I really don't understand why someone believes that using a VM makes it impossible to patch/reverse the application. I would be more than happy if the ASProtect author would set a serious reward for cracking its VM and give me some money for forthcoming vacations :) Again, with all respect to your knowledge, please think twice before posting. Greetings, dyn!o
This is the same "impossibility" level as, say, JAVA, VB or FOXPRO p-codes ... :) . Each of them simply takes some work time to understand the bytecode structure.
Of course, high level languages are much better documented than protectors. One good method: create simple code, compile it to the needed p-code (or, in our case, protect it) and examine the result. After some similar cycles you will see how this VM works and how commands are translated to p-code.
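As an added illustration (not code from the thread, ASProtect, Star Force or any other protector named here), the following Python models two ideas from this discussion on a constructed toy instruction set: the per-build opcode-table substitution proposed earlier (EB becoming 5C for JMP) and the "protect a known fragment and examine the result" method from the reply above. The instruction set, table values and sample bytes are all constructed for the demonstration; it shows why such a table adds only one easy layer once an analyst can feed chosen code through the protector.

```python
import random

# Constructed toy instruction set (NOT real x86 encodings; a few opcode values are
# borrowed only for flavour): opcode byte -> (mnemonic, operand byte count).
TOY_ISA = {0x90: ("nop", 0), 0xEB: ("jmp", 1), 0xB8: ("mov", 4), 0xC3: ("ret", 0)}

def make_table(seed, isa=TOY_ISA):
    """A fresh opcode substitution table per protected build (one of the post's ideas)."""
    rng = random.Random(seed)
    return dict(zip(isa, rng.sample(range(256), len(isa))))

def remap(code, table, isa=TOY_ISA):
    """'Protect' a fragment: swap every opcode byte, leave operands untouched."""
    out, i = bytearray(), 0
    while i < len(code):
        op = code[i]
        if op not in isa:
            raise ValueError(f"unknown opcode {op:#04x} at offset {i}")
        n = isa[op][1]
        out.append(table[op])
        out += code[i + 1:i + 1 + n]
        i += 1 + n
    return bytes(out)

def recover_table(protect, isa=TOY_ISA):
    """The 'compile simple code, protect it, examine the result' method: push one known
    instruction at a time through the black-box protector and read off the new byte.
    Returns protected byte -> original opcode."""
    inverse = {}
    for op, (_, n) in isa.items():
        sample = bytes([op]) + bytes(n)      # known instruction, zeroed operands
        out = protect(sample)
        if len(out) != len(sample) or out[1:] != sample[1:]:
            raise ValueError("protector changed more than the opcode byte")
        inverse[out[0]] = op
    return inverse

def disassemble(code, inverse, isa=TOY_ISA):
    """Decode a protected fragment with the recovered table."""
    listing, i = [], 0
    while i < len(code):
        name, n = isa[inverse[code[i]]]
        operand = int.from_bytes(code[i + 1:i + 1 + n], "little")
        listing.append(name if n == 0 else f"{name} {operand:#x}")
        i += 1 + n
    return listing
```

With the constructed table {0x90: 0x11, 0xEB: 0x5C, 0xB8: 0x22, 0xC3: 0x33}, four single-instruction probes through `remap` are enough for `recover_table` to rebuild the whole mapping and `disassemble` the protected bytes.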
hello dyn!o,
Your reply looks very interesting. I *must* learn IDA plugins because what you can do with them looks very powerful ;) Btw, do you also know how to crack the SF3 VM? I tried a long time ago but without success... I also remember long posts talking about Starforce but with no success in the end :( It would be perfect if you could direct some of us a bit on how to attack that monster :) thanks
SF tracing
Well, there are two known private decompilers but I don't own them. Also I'm not authorized to say who made them :(
Good luck, dyn!o