|
|
|
|
#1
04-06-2005, 22:54
|
|||
|
|||
|
Quote:
Visu 
|
|
#2
04-10-2005, 16:14
|
|||
|
|||
|
To: retroer
But there the point is that there is no final layer of code. At any one point in time there is only a fragment of code available. If I had a psedo-code in the form: select case { case 1: do blah; case 2: do aaa; case 3: do bbb; } At runtime, case 1 will only decode and run when it is selected, and after it finished it will have overwritten itself. I suppose if you knew there are three cases, you can go and capture each case directly, but I don't think image dumpers can grap it automatically and dump the code. I thought most on-the-fly system merely decrypts a slap of code, runs it, and then deletes or encrypts it again (and hence allows capturing). Here, there is no encryption as such as the code runs itself. There is no distinction between real code and encrypted code. I know my example is obvious to crack because it is hand-written, but I can imagine a computer generated version. To visu: I just can't see what is there to dump, there is no point in time when the entire code. If the dumper saves each line that got executed, it will end up with quite a lot of invalid instructions (all the mov CS:IP, xxx ones), that is not conducive to auto dumping. Aur PS Thanks for the reply
|
|
#3
04-11-2005, 09:29
|
||||
|
||||
|
Basically you are decribing armadillo but in your version you don't want to decrypt the entire program just the next part to be executed, and then you want to re-encrypt that part again after it has executed?
so basically: Code:
[Legend] Thread_1: Encrypt Thread_2: Decrypt Thread_3: Program Code [Example Run] Thread_1[Paused] Thread_2[00001000...00002000] Thread_3[Paused] Next... Thread_1[Paused] Thread_2[00002000...00003000] Thread_3[00001000...00002000] Next... Thread_1[00001000...00002000] Thread_2[00004000...00005000] Thread_3[00002000...00003000] Reguards
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
|
|
#4
04-12-2005, 07:46
|
|||
|
|||
|
Hiya,
D-Jester, I don't think his point is really about 'keys' of any sort since his obfuscation doesn't incorporate any such thing (correct me if I'm misunderstanding something though ;-) ). The point here is to obfuscate the code flow and try to fool dumpers in the process since only one path is taken through the code on each run. I just can't see how this will work since if in all cases the code is presumably going to run, why will any dumper care whether its obfuscated or not?, a disassembler would be affected though. So the first time the dumper gets case 1 which decrypts 1 piece of code, the rest of the cases stay encrypted (so any dump doesn't contain the decrypted other cases), on another run it gets case 3 and the others remain encrypted and so on..... The weaknesses of this approach as I see it is 2 fold. i). The manner in which you do the selection of a value for your switch statement; and, ii). Connecting each of the code block cases to actually do something useful and/or different in each case and that isn't very very obvious. So this technique isn't really going to prevent even basic dumpers unless we need to care what happens inside each case. Regards CrackZ. Last edited by CrackZ; 04-12-2005 at 09:02.
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Tiny Basic Downloader Builder (Proof of Concept) | YANiS | Source Code | 2 | 09-20-2021 17:49 |
Hybrid Mode
