Network Security SecProg

Re: Dll Security

Subject: Re: Dll Security
Date: Sat, 07 May 2005 15:13:46 -0400
The real question you should be asking is 'what is the point?' Any decent cracker will be able to look at your decrypted binary in RAM, even make a copy of it for later use. The very best you can do is raise the bar, but to have any real chance of making a difference you need to make your program detect that it is being run in a debugger (not a trivial task and probably one that is fundamentally impossible, as the hardware itself can be emulated) and continue to run, but with some subtle differences that make it unusable (if it just crashes, it tells the cracker just what she needs to know to bypass the check). Obscuring the code generally makes maintenance costs skyrocket; you should do an economic analysis to prove that the extra effort will be repaid. Keep in mind that legitimate users often need to run their code in debuggers as well, so be sure to factor in the ill will created when their attempts to debug their code that uses your DLL cause all sorts of nasty problems for them (not to mention the support calls!).


Keith Oxenrider CISSP

At 04:17 PM 5/6/2005 -0300, VP wrote:
Hi, I have a DLL and I want to encrypt it to hide (obfuscate??) an
important algorithm used here.

Well, today I'm using the following approach:

I'm encrypting the DLL with a program, then when I want to LoadLibrary() it,
I decrypt it to a plain-text file, then I LoadLibrary the plain-text file.
So I have my encrypted DLL and I have a plain-text version as well. To
mitigate this vulnerability, I'm using EFS to protect my plain-text DLL.

I'm wondering if, using the PE format, I can do some kind of "on-the-fly
encrypt and decrypt". Is it possible? Is there any example? Is it a good
solution?

Thanks in advance,

Victor
