|
We will deal with the theory and practice of working with the program VMProtect in this article and take a simple program written in Delphi as an example. What are protectors? Protectors are programs used to protect software against cracking. Currently, there are a lot of protectors on the market, but nearly all of them have one considerable drawback - they do not modify the source code (software protection just means packing the entire file and it is the unpacker that finally unpacks the file that is "protected"). After the unpacker finishes its work, the program can be easily damped and finally it is possible to get the source (unpacked) files without any difficulties. Hackers have a lot of tools for disabling the most popular protectors. There are a lot of articles about nearly all protectors that tell you how to disable them that is why try to read what people from the underground write about a commercial protector in their articles before purchasing one. A bit of theory VMProtect is a completely new software protection tool. Unlike most available protectors, VMProtect modifies the source code of the program. VMProtect transforms parts of code in the file being protected into a program (bytecode hereinafter) executed on the virtual machine (VM hereinafter). You can also think of VM as a virtual processor with a system of commands really different from that used in Intel 8086 processors. For example, VM has no commands responsible for comparing two operands, there are no conditional and unconditional jumps, etc. As you can see now, hackers will have to develop a completely specific tool for analyzing and decompiling bytecode, which will take a lot of time. Unfortunately, we know that there is no unbreakable protection that is why we should achieve the level of protection when expenses on breaking it will be comparable with (or even excede!!!) expenses on purchasing the protected program by legal means. Anyway, you should keep in mind that VMProtect is only a tool helping you to "hide" the main software protection mechanisms.
Preparing a program for protection
To begin with, create a simple project in Delphi consisting of a form (Form1), a text edit field (Edit1) and a button (Button1):
pic 1. After the user clicks Button1, the program will check if the password is correct and display the corresponding message (correct or incorrect): procedure TForm1.Button1Click(Sender: TObject);
begin
if StrToIntDef(Edit1.Text, 0) mod 17=13 then
MessageDlg('Correct password', mtInformation, [mbOK], 0)
else
MessageDlg('Incorrect password', mtError, [mbOK], 0);
end; |
The algorithm of determining if the password is correct is very simple - the password is converted into a number. Then, this number is divided by 17 and if the remainder is 13, the password is correct. Otherwise the password is incorrect.
Before compiling our project, we will enable generating a MAP file in the options of the project:
pic 2.
We need the MAP file for VMProtect to be able to determine the address of a procedure by its name later. After that we perform "Build Project1" and get a compiled text project and the MAP file. Using markers It makes sense to use markers when you need to protect only part (or some parts) of a procedure. You should use assembler insertions to mark sections: - The start marker of the protected block: asm
db $EB,$10,'VMProtect begin',0
end; |
- The end marker of the protected block: asm
db $EB,$0E,'VMProtect end',0
end; |
When you later work with VMProtect, markers will have their own unique names like "VMProtectMarker" + sequential marker number. Watermarks VMProtect provides you with a unique feature of adding hidden information about the owner of the file to the protected file. A watermark is an array of bytes that must be unique for each of your users. After you embed watermarks into the protected file, you will always be able to determine its owner and take the corresponding measures later (for instance, if the cracked program is distributed illegally). Working with VMProtect Load the project using the "File"-"Open" menu item. Add a procedure responsible for checking if the password is correct to the project:
pic 3.
VMProtect can process the protected code in different ways depending on the selected compilation type. Let us take each compilation type in detail: - Mutation. The executed file is modified on the level of processor commands (existing commands are modified, all kinds of garbage commands are added, etc.). This compilation type poorly protects the code it processes against hacking and analyzing and mainly prevents functions being processed from determining with signature analyzers (PEiD+KANAL, IDA+FLIRT, etc.). As a rule, there is no need to protect library functions against hacking and analyzing and it will be enough just to change their signatures for the hacker to be unable to automatically determine what libraries you use in your applications (the level of protection against hacking and analyzing is low, the code execution rate is high).
- Virtualization. Executable code is converted into bytecode executed by the virtual machine. This compilation type should be used for all critical parts of code where the execution rate is also important together with preventing hacking and analyzing (the level of protection against hacking and analyzing is medium, the code execution rate is medium).
- Ultra (mutation + virtualization). The executable code is modified on the level of processor commands and after that it is converted into bytecode executed by the virtual machine. This compilation type should be used for all parts of code where the execution rate is not important (the level of protection against hacking and analyzing is high, the code execution rate is low).
After you add all necessary procedures to the project, switch to the "Options" tab: - Debug mode (determining external addresses). Applied to find addresses there are referenced to from "external" sections of code.
- Hide constants. If this option is enabled, it will be impossible to find the addresses of variables or called functions in the open form.
- Dynamic creation of online commands. The VM interpreter can execute not all Intel 8086 commands that is why such commands are executed in the form they were present in the code of the protected section. Creating online commands dynamically also makes it more difficult to crack bytecode.
- Check the integrity of VM objects. While executing the program, the VM interpreter will automatically read the checksum of random sections in the interpreter, bytecode and watermarks that is used when commands are being performed. The integrity check of VM objects protects the interpreter, bytecode and watermarks against modifications.
- Watermakrs. Select the watermark you want to embed into the protected file.
- VM section name. You can specify the name of new sections the VM interpreter and bytecode for the interpreter will be written to.
- Remove fixup elements (only for EXE files). Compilers (in particular, Delphi) create a list of fixup elements for EXE files. The operating system does not use these elements while loading EXE files. If you enable this option, VM will use the area occupied by the list of fixup elements for its needs.
After you specify all necessary options, start compiling the project. After the project is compiled, a new file (for example, TEST.VMP.EXE) will be created next to the protected file (for example, TEST.EXE). The specified procedures will run on the virtual machine in this file. |
