niaren
December 8th, 2010, 15:41
Inspired from this thread
http://www.woodmann.com/forum/showthread.php?13913-Watermarking-application&p=88531#post88531
and in particular from the contents of this post
Quote:
...Others can correct me if I am wrong here but I believe what IDA does on top of what others have said is change the linker order of its various object files during the linking stage. For example, if the compile process ended up with the following objects file1.o, file2.o, file3.o, you could change the order they are linked together, giving an individualised watermark. Now imagine doing that with hundreds of object files that IDA is most likely to have; you would have loads of combinations you can use. And personally I don't think it's an easy task to remove since you would need to move the order of the linked in objects to alter the watermark, which means relative addresses within the program would need to be updated.
a mini project is proposed to study how to reverse/defeat/handle this (clever) way of creating a watermark. As is mentioned in the above post it may not be easy to reorder the objects/functions in the executable (.exe/.dll) because addresses then point to wrong locations. It turns out that IDA and its scripting functionality (IDC) may be used to achieve the reordering without having to make a BIG project. This is a mini-project.

With IDA and IDC the reordering can be automated, which is quite convenient because for applications with many object files it may not be safe to just reorder a subset of the object files. It would be safer to create a whole new watermark/permutation of all object files.
This mini-project is just as much a project about getting hands-on experience with IDC and having fun.

In order to get started I have created a toy-application. All the application does is to print two strings.
Code:
main.c
/* The two functions are defined in separate object files (file1.obj, file2.obj). */
extern void func1object1(void);
extern void func1object2(void);
int main(void)
{
    func1object1();
    func1object2();
    return 0;
}
file1.c
#include <stdio.h>
void func1object1(void)
{
    printf("Hello from object 1!\n");
}
file2.c
#include <stdio.h>
void func1object2(void)
{
    printf("Hello from object 2!\n");
}
From these 3 very simple files two applications are built, the only difference being that the linking order of the object files is different. This makefile
Code:
SRCS = main.c file1.c file2.c
# Same three objects, two different link orders: that is the whole watermark.
OBJS1 = main.obj file1.obj file2.obj
OBJS2 = file2.obj file1.obj main.obj
CC = CL
CCFLAGS = /O2 /Oi /D "_MBCS" /FD /EHsc /MD /Gy /W3 /c /Zi /TC
LINK = link
LINKFLAGS1 = "/OUT:watermark1.exe" "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /OPT:REF /OPT:ICF /DYNAMICBASE /NXCOMPAT /MACHINE:X86 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
LINKFLAGS2 = "/OUT:watermark2.exe" "/MANIFESTUAC:level='asInvoker' uiAccess='false'" /OPT:REF /OPT:ICF /DYNAMICBASE /NXCOMPAT /MACHINE:X86 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
EC = echo
RM = del
VCVARS = "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"
default: all
clean:
	@$(RM) /F *.obj
	@$(RM) /F *.idb
	@$(RM) /F *.pdb
	@$(RM) /F *.exe
	@$(RM) /F *manifest*
# Each recipe line runs in its own shell, so vcvars32.bat is chained with &&
# onto the command that needs the environment it sets up.
%.obj : %.c
	@$(EC) ************************************************
	@$(EC) * Compiling $@
	$(VCVARS) && $(CC) $(CCFLAGS) $<
watermark1.exe: $(OBJS1)
	$(VCVARS) && $(LINK) $(LINKFLAGS1) $(OBJS1)
watermark2.exe: $(OBJS2)
	$(VCVARS) && $(LINK) $(LINKFLAGS2) $(OBJS2)
all: watermark1.exe watermark2.exe
creates the two .exe files watermark1.exe and watermark2.exe. Attached is a zip file containing all the files.
Maybe not surprisingly, for this example, the order of the objects in the binary corresponds to the order in which they are listed in the linker command. The idea is to create watermark2.exe from watermark1.exe.
I hope this example is not too simple. Maybe it will be much harder with C++ code, I have no idea. I'm not sure if it is possible to identify the objects themselves, but the functions can be identified (by IDA) and IDC (as far as I understand now) provides functionality for jumping to specified functions or just the next function in the code given some virtual address.
Does this make any sense at all?
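An added example (my own code, not from the post or the quoted thread) of both sides of the link-order scheme: an integer id is encoded as a permutation of the makefile's three object files, and the id is recovered again from an IDA-style function listing, which is the observation above that object order in the binary matches the linker command order. The listing, the symbol-to-object map and the numbering of ids are constructed assumptions; symbols not in the map (CRT code, printf) are simply skipped.

```python
import math

# Object files in the canonical link order, as listed in the post's makefile (OBJS1).
OBJECTS = ["main.obj", "file1.obj", "file2.obj"]
# Assumed mapping from linked symbol to defining object file (derived from the post's sources).
FUNC_TO_OBJ = {"_main": "main.obj", "_func1object1": "file1.obj", "_func1object2": "file2.obj"}
# Constructed IDA-style function listing for a watermark2.exe-like layout (file2, file1, main).
LISTING_WATERMARK2 = """\
00401000 _func1object2
00401010 _func1object1
00401020 _main
00401030 _printf
"""

def link_order_for_id(objs, wm_id):
    """Encode an integer id as a link order (Lehmer code -> permutation)."""
    pool = list(objs)
    if not 0 <= wm_id < math.factorial(len(pool)):
        raise ValueError(f"watermark id out of range for {len(pool)} objects")
    order = []
    for remaining in range(len(pool), 0, -1):
        idx, wm_id = divmod(wm_id, math.factorial(remaining - 1))
        order.append(pool.pop(idx))
    return order

def id_from_link_order(objs, order):
    """Decode a link order back into its integer id (inverse of link_order_for_id)."""
    pool = list(objs)
    wm_id = 0
    for name in order:
        idx = pool.index(name)
        wm_id += idx * math.factorial(len(pool) - 1)
        pool.pop(idx)
    return wm_id

def link_order_from_listing(listing, func_to_obj):
    """Derive the object order from the addresses of known functions in a listing."""
    addressed = []
    for line in listing.strip().splitlines():
        addr, name = line.split()
        if name in func_to_obj:            # unknown symbols (CRT, printf) are ignored
            addressed.append((int(addr, 16), func_to_obj[name]))
    order = []
    for _, obj in sorted(addressed):       # lowest address of each object decides its rank
        if obj not in order:
            order.append(obj)
    return order
```

With three objects there are only 3! = 6 distinct ids, which is why the quote talks about hundreds of object files.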
