On-the-fly memory en-/decryption --- How does it work?


N8di8
May 20th, 2006, 11:39
I'm not looking for a normal crypter but I'm looking for a routine that decrypts code in memory (when it's needed). The idea is that only the "active" procedure is decrypted and the rest of the program remains encrypted in memory.

I have googled and used the search function ... but did not find anything useful (within a reasonable period of time).

Can someone please give me a hint (or even point me to an example (source code))?

Many thanks + sorry for my ignorance ;-)

tom324
May 20th, 2006, 13:31
Something like this?

http://www.core-dump.com.hr/?q=node/25

Tom

LLXX
May 20th, 2006, 14:21
The basic idea is to decrypt before entering a block, and encrypt on exit. This is accomplished by placing two calls, one to decrypt and another to encrypt, at the start and end of the block respectively.

Note that this can only be done in an uninterrupted block with no jump-outs or jump-ins, otherwise the block will be left decrypted (and become unexecutable as it is decrypted again on the next entrance) or execution of encrypted bytes may occur (as with jumping into the middle of a non-decrypted block).

Writing your own isn't that hard...

Code:
; example encrypted function (16-bit code; assumes CS=DS=ES and a writable
; code segment, e.g. a .COM program, since the block is rewritten in place)
somefunc:
push 256 ; e.g. size of data to decrypt (3 bytes)
call _decrypt ; 3 bytes; the return address is the start of the block
; 256 bytes of encrypted code goes here
mov cx, 256 ; 3 bytes: size of block to re-encrypt
call _encrypt ; 3 bytes; will return from _encrypt routine to save 3 bytes + obfusc. flow

Code:
; decryptor
_decrypt:
pop di ; return address AND start of encrypted block
pop cx ; size
push di ; save return address for later use
mov si, di
cld ; lodsb/stosb must walk forward
_decrypt_loop:
lodsb ; fetch one encrypted byte from DS:SI
xor al, 5Ah ; byte-by-byte decryption; a plain XOR is shown, substitute your own transform
stosb ; write the plaintext byte back in place at ES:DI
loop _decrypt_loop
ret ; return back to caller (which is now decrypted)

Code:
; encryptor (CX = block size, set by the caller)
_encrypt:
pop di ; return address AND end of decrypted block
sub di, cx ; find start of block to encrypt
sub di, 6 ; step back over "mov cx, 256" + "call _encrypt" so they are not encrypted (or can encrypt too...)
mov si, di
cld
_encrypt_loop:
lodsb ; fetch one plaintext byte
xor al, 5Ah ; same key as _decrypt; for a non-involutory cipher use the inverse transform here
stosb ; write the ciphertext byte back in place
loop _encrypt_loop
ret ; return back to caller *of the encrypted function* (its return address is now top of stack)
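
The scheme LLXX describes, as an added example rather than code from the post or any product: decrypt-on-entry / re-encrypt-on-exit driven from C on x86-64 Linux (x86-64 macOS should also work). The four-byte stub, the single-byte XOR key, the page size and the use of mprotect() to toggle between writable and executable are all assumptions of this example, not anything the thread states. It also shows the hazard LLXX warns about: entering a block that was left decrypted would XOR plaintext into garbage, so the state flag refuses a second entry.

```c
/* Added example (not LLXX's code): decrypt a contiguous code block before
 * executing it and re-encrypt it afterwards. Assumes x86-64 Linux/macOS,
 * mmap()/mprotect() available, and that RX mappings are permitted.
 * The stub bytes, key and page size below are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
# ifdef MAP_ANON
#  define MAP_ANONYMOUS MAP_ANON
# else
#  define MAP_ANONYMOUS 0x20   /* Linux value, used only if the header hides it */
# endif
#endif

#if defined(__x86_64__) && (defined(__linux__) || defined(__APPLE__))
#define STUB_EXECUTABLE 1      /* the constructed bytes are x86-64 code */
#else
#define STUB_EXECUTABLE 0      /* elsewhere: exercise the bookkeeping only */
#endif

#define BLOCK_KEY 0x5A
#define PAGE 4096

/* Constructed plaintext block:  lea eax, [rdi+42] ; ret   (returns arg + 42) */
static const uint8_t stub_plain[] = { 0x8D, 0x47, 0x2A, 0xC3 };

struct enc_block {
    uint8_t *code;      /* page-aligned; holds ciphertext while at rest */
    size_t   len;
    int      decrypted; /* a mismatched enter/leave shows up here */
};

static void xor_bytes(uint8_t *p, size_t n) { for (size_t i = 0; i < n; i++) p[i] ^= BLOCK_KEY; }

/* Map one page, store the block encrypted, and leave it non-executable at rest. */
static int block_install(struct enc_block *b, const uint8_t *plain, size_t len)
{
    if (len > PAGE) return -1;
    void *m = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    b->code = m; b->len = len; b->decrypted = 0;
    memcpy(b->code, plain, len);
    xor_bytes(b->code, len);                    /* encrypt in place */
    return mprotect(b->code, PAGE, PROT_READ);  /* never executable while encrypted */
}

/* Counterpart of _decrypt. Must be paired with block_leave(): a second entry
 * would XOR plaintext into garbage, so it is refused instead. */
static int block_enter(struct enc_block *b)
{
    if (b->decrypted) return -1;
    if (mprotect(b->code, PAGE, PROT_READ | PROT_WRITE)) return -1;
    xor_bytes(b->code, b->len);
    b->decrypted = 1;
    return mprotect(b->code, PAGE, PROT_READ | PROT_EXEC); /* write, then execute (W^X) */
}

/* Counterpart of _encrypt. */
static int block_leave(struct enc_block *b)
{
    if (!b->decrypted) return -1;
    if (mprotect(b->code, PAGE, PROT_READ | PROT_WRITE)) return -1;
    xor_bytes(b->code, b->len);
    b->decrypted = 0;
    return mprotect(b->code, PAGE, PROT_READ);
}

typedef int (*stub_fn)(int);

/* The block is plaintext only for the duration of the call. */
static int call_protected(struct enc_block *b, int arg)
{
    if (block_enter(b)) return -1;
    int r = STUB_EXECUTABLE ? ((stub_fn)(uintptr_t)b->code)(arg) : -1;
    if (block_leave(b)) return -1;
    return r;
}

/* Returns arg + 42 from the stub and checks the block is ciphertext again
 * afterwards; -1 on any failure (or on a non-x86-64 host). */
static int demo_run(int arg)
{
    struct enc_block b;
    if (block_install(&b, stub_plain, sizeof stub_plain)) return -1;
    int r = call_protected(&b, arg);
    for (size_t i = 0; i < b.len; i++)                 /* at rest: plaintext XOR key */
        if (b.code[i] != (uint8_t)(stub_plain[i] ^ BLOCK_KEY)) r = -1;
    munmap(b.code, PAGE);
    return r;
}

/* LLXX's "jump-out" hazard: enter without leaving, then enter again. */
static int demo_double_entry(void)
{
    struct enc_block b;
    if (block_install(&b, stub_plain, sizeof stub_plain)) return -1;
    block_enter(&b);
    int second = block_enter(&b);   /* -1: refused rather than corrupting the block */
    munmap(b.code, PAGE);
    return second;
}
```

demo_run(5) returns 47 on an x86-64 host and leaves only ciphertext in the page; demo_double_entry() returns -1. The RW/RX toggling replaces the writable code segment the 16-bit version relies on, which is the first thing that breaks when porting this idea to a modern loader.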

N8di8
May 20th, 2006, 14:48
@LLXX Awesome.


I love this forum. You are all so cool.

Admiral
May 20th, 2006, 14:50
Another thing you may want to consider is Armadillo's CopyMem-II algorithm. This does exactly what you describe without the need to isolate continuous code blocks. The disadvantage is that you need to be debugging your code, at some level (though this can be done successfully using some cleverly implemented exception handling, if you don't want to run two processes).
The basic idea is to encrypt your entire code section and imagine it in 0x1000-byte-aligned blocks/pages. If you can maintain the status whereby a block has guard-page access if and only if it is encrypted, you can easily keep track of which pages are in what state and you will be alerted (by a guard page exception) whenever execution moves between blocks.
There are a few things to look out for (such as loops on block boundaries, which will destroy your execution speed if you leave only one block decrypted at a time) but the idea is simple enough.

Regards
Admiral

N8di8
May 20th, 2006, 15:04
Do you also know how Themida works? Thanks.

nikolatesla20
May 20th, 2006, 22:32
Themida is very advanced, in that it uses hardware and low-level Windows internals against you. Go to http://cracking.accessroot.com (home of ARTeam) to find a new tutorial about how to defeat it. But be warned: this is gritty material and you need to understand Windows internals and how the x86 platform chips work with the IDT registers, etc., to know what is being said.

-nt20

OHPen
May 21st, 2006, 11:35
Lo,

No need to anymore, since the new versions of Themida do not use a single ring0 feature anymore....
This is very sad but it's a fact.
You can play with Themida without understanding any of the Windows internals.

Regards,

OHp