Software Security - Anti-Patching
Introduction
In this series of articles, we will discuss some of the techniques that will help better protect our software against reverse engineering. This first article aims to cover an anti-patching technique which will allow us to detect if our software has been tampered with or patched.
Note: You must have some knowledge of Assembly language and know how to use debuggers such as Ollydbg.
Tools needed
- The target file (crackme.exe)
- Ollydbg
Target software
A CrackMe that requires a Registration Code was made in Assembly to demonstrate the technique that we will cover in this article.
Scanning -> crackme.exe
[Hash] MD5 (16) -> 285d46d9ac8bc9d87fff1618063a0879
[Hash] SHA1 (20) -> f08838efcb80b05293ef0ae131c57700898007be
[Hash] CRC32 (04) -> ead8bc3c
- Hashing Took : 0.16 Second(s) [000000010h (16) tick(s) (3 function(s)) (16.0 byte(s)/s)]
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 3072 (0C00h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x58600B7D -> Sun 25th Dec 2016 18:10:05 (GMT)
[TimeStamp] 0x58600B7D -> Sun 25th Dec 2016 18:10:05 (GMT) | PE Header | - | Offset: 0x000000E0 | VA: 0x004000E0 | -
[File Heuristics] -> Flag #1 : 00000000000001001100000000000000 (0x0004C000)
[Entrypoint Section Entropy] : 4.93 (section #0) ".text " | Size : 0x132 (306) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0x5000 (20480) byte(s)
[ModuleReport] [IAT] Modules -> user32.dll | kernel32.dll | comctl32.dll
[CdKeySerial] found "Registration Code" @ VA: 0x0000304B / Offset: 0x0000084B
[CdKeySerial] found "Registration Code" @ VA: 0x00003069 / Offset: 0x00000869
[CompilerDetect] -> MASM
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.188 Second(s) [0000000BCh (188) tick(s)] [506 of 580 scan(s) done]
Securing
What interests a reverse engineer the most in a Software is the serial key checks or any of the many authentication procedures, and that is what interests too.
The picture below shows how our serial check routine looks like just a hard coded serial (s0me_r@nDoM_rEg_c0dE) and two message boxes.
Assuming another case where the serial is not hard coded, Patching it is easy, just a NOP at address 0x40107A will trigger the good boy (Registration code is correct). However, after we apply our anti-patching method, this will not happen.
For this method to work properly we need:
- Start address of the part to secure
- End address of the part to secure
- Size of the part to secure (End address – Start address)
- Algorithm (might be hashing or encryption…)
Since we only want to secure the serial check routine (picture above) we have the following:
- Start address : 0x401052
- End address : 0x4010A6
- Size of the part to secure : 0x4010A6 – 0x401052 = 0x54 (84d)
- Algorithm: we will only use XOR for demonstration
Now that we have what is required let's see how our algorithm looks like.
In the above picture we have our XOR algorithm which basically does ADD and XOR through each byte of the serial check routine starting from address at esi (0x401052) till it reaches the end which is ecx (0x54), and the result which is stored in eax is 0x110342F7 this is basically a unique checksum so if something changes in the serial check routine the message at address 0x4010E7 will be triggered and the CrackMe will not start.
However, for this to work there should be a call to that algorithm (0x4010BE) somewhere, the best place is at the beginning of the CrackMe.
Now let's check if this anti-patching method works.
Running the app with no changes in code will have no effects since we did not change anything, the app would start normally.
Now let's see what happens when we patch it.
NOP at address 0x40107A should normally trigger the good boy message.
Running the patched app will show us the following message and the app will not start.
Moreover, that proves that our anti-patching method works perfectly.
Conclusion
This article has shown that it is possible to make things harder for a reverse engineer, but with more efforts. It could be much harder. Moreover, hope you have learned something new and useful.
11 courses, 8+ hours of training
Download links:
- CrackMe: https://www.mediafire.com/?2wwymyj49ih946t
-
Ollydbg: http://www.ollydbg.de
In this Series
- Software Security - Anti-Patching
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security