逆向工程的基本原理

當(dāng)一個(gè)程序被創(chuàng)建時(shí)， 編譯器 會(huì)將程序的源代碼 編譯 成多個(gè)含有機(jī)器語(yǔ)言代碼的 對(duì)象檔案 。然后，這些 對(duì)象檔案 會(huì)被銜接在一起而產(chǎn)生最后的 可執(zhí)行 文檔。

圖 1: 編譯你的原代碼

當(dāng) 一個(gè)軟件破解者嘗試破解一個(gè)編譯過(guò)的程序時(shí)，他會(huì)使用反 編譯器 具將機(jī)器語(yǔ)言代碼反 編譯 成另一種更容易讓人明白的代碼（例如 匯編語(yǔ)言 或者一種更高級(jí)的 程序語(yǔ)言 ），然后對(duì)于這反 編譯 成的語(yǔ)言進(jìn)行研究。

圖 2: 對(duì)你的程序作反編譯

當(dāng) 一個(gè)軟件破解者對(duì)于目標(biāo)程序擁有很好的了解時(shí)，他可以更改這個(gè)編譯過(guò)的程序來(lái)改變它的運(yùn)行。例如 , 軟件破解者可以在程序里繞過(guò)一組用來(lái)檢驗(yàn)試用期限的 例程 ，使它可以永久運(yùn)作。更嚴(yán)重的是，軟件破解者可以使程序看來(lái)已經(jīng)經(jīng)過(guò)注冊(cè)那樣地來(lái)運(yùn)作。

代碼虛擬化和逆向工程的比較

代碼虛擬化主要是將一組 二元碼 轉(zhuǎn)化成另一種另一個(gè)機(jī)器才明白的 二元碼 。換句話說(shuō)，一個(gè)特定機(jī)器的指令將被轉(zhuǎn)變成另一個(gè)機(jī)器的指令。下圖展示的是一組 Intel x86 指令轉(zhuǎn)變成另一個(gè)機(jī)器的指令（一個(gè) 32- 位的精簡(jiǎn)指令集計(jì)算機(jī)的指令）

圖 3: Intel x86 指令轉(zhuǎn)變成 精簡(jiǎn)指令集計(jì)算機(jī) 的指令

Code Virtualizer 可以產(chǎn)生多種擁有個(gè)別指令集的虛擬機(jī)器。 換句話說(shuō)，一組特定的 Intel x86 指令可以在個(gè)別的機(jī)器里被轉(zhuǎn)變成各種不同的 指令集，以防 一個(gè)軟件破解者從中辨別任何所產(chǎn)生的虛擬碼。下圖展示了一組 Intel x86 指令如何可以被轉(zhuǎn)變成各種不同種類的虛擬機(jī)器所模擬的虛擬碼。

圖 4: x86 到多種虛擬 CPU 的轉(zhuǎn)化

當(dāng) 一個(gè)軟件破解者嘗試對(duì)一組受到 Code Virtualizer 保護(hù)的代碼進(jìn)行 反編譯時(shí)，他無(wú)法找到任何本來(lái)的 x86 指令，而只會(huì)發(fā)現(xiàn)一個(gè)他或其它特別的 反編譯器 完全陌生的、新的指令集。這將迫使 軟件破解者使用非常多的努力來(lái)研究每一行的代碼的意思以及學(xué)習(xí)每一個(gè)受保護(hù)程序內(nèi)的虛擬機(jī)器的運(yùn)作原理。 Code Virtualizer 完完全全地對(duì)虛擬碼的運(yùn)行以及個(gè)別虛擬機(jī)器的學(xué)習(xí)進(jìn)行了攪亂，以阻止任何人學(xué)習(xí)當(dāng)中的虛擬碼是如何運(yùn)作的。

現(xiàn)實(shí)生活上的代碼虛擬化

Code Virtualizer 可以被輕易地 內(nèi)嵌 進(jìn)你的 Win32 或 Win64 程序以及 驅(qū)動(dòng)程序 里。你只需要在你的源代碼當(dāng)中選擇你要使用 Code Virtualizer 保護(hù)的代碼區(qū)。下面的例子展示你如何可以在 C 程序里保護(hù)一個(gè)特定的代碼區(qū)。

VIRTUALIZER_START/VIRTUALIZER_END 宏 都只是多余的 宏 ，它們不會(huì)對(duì)原來(lái)的程序的運(yùn)行有任何的影響。只有當(dāng)一個(gè)受保護(hù)的程序運(yùn)行進(jìn)入保護(hù)時(shí)段時(shí)， Code Virtualizer 可以辨認(rèn)這些受保護(hù)的程序區(qū)，然后將它們轉(zhuǎn)變成一個(gè)虛擬機(jī)器明白的虛擬代碼。

下圖展示了一個(gè)原來(lái) 編譯過(guò)的程序（在還沒(méi)有受保護(hù)時(shí)）以及當(dāng)它被 Code Virtualizer 保護(hù)時(shí)所經(jīng)過(guò)的 轉(zhuǎn)變。

圖 5: 原來(lái)的程序和受保護(hù)程序的比較

如圖所示， Code Virtualizer 需要將所產(chǎn)生的虛擬機(jī)器 內(nèi)嵌 進(jìn)受保護(hù)程序的末端，以便在程序運(yùn)行的時(shí)候可以對(duì)模擬運(yùn)行這些虛擬代碼。虛擬機(jī)器的 大小 可以相等于 10 Kb 到 30 Kb （大小取決于所選擇的復(fù)雜程度），對(duì)于最后所產(chǎn)生的受保護(hù)程序的大小沒(méi)有太大的影響。

結(jié)論

Code Virtualizer 是一個(gè)可以用來(lái)防止別人窺視你重要且敏感的程序的強(qiáng)大技術(shù) , 例如你用來(lái)檢驗(yàn)所輸入的注冊(cè) 序號(hào) 是否正確的 例程 。此外， Code Virtualizer 稍微改比變受保護(hù)程序里的 PE 標(biāo)頭 ，這意味著你可以在 Code Virtualizer 上置入一個(gè) 壓縮器 或另一個(gè)軟件保護(hù)層。

如果你是一個(gè) 驅(qū)動(dòng)程序 的開(kāi)發(fā)者，而且為了找不到一個(gè)保護(hù) 驅(qū)動(dòng)程序 的解決方案而煩惱， Code Virtualizer 提供你一種相同于保護(hù)你程序和 DLL 的技術(shù)來(lái)保護(hù)你的 驅(qū)動(dòng)程序 （ 32- 位或者 64- 位）。

今天就嘗試 Code Virtualizer ，開(kāi)始為你的 32- 位 /64- 位程序以及 驅(qū)動(dòng)程序 里置入軟件保護(hù)業(yè)里最新的技術(shù)吧！

以下是 Code Virtualizer? 的主要特點(diǎn)：

• 使用多個(gè)虛擬機(jī)器進(jìn)行攪亂

• 對(duì)每個(gè)受保護(hù)程序進(jìn)行獨(dú)特的保護(hù)

• 保護(hù)任何的 x32 和 x64 程序以及 驅(qū)動(dòng)程序

• 先進(jìn)的變異引擎

• 代碼重組來(lái)保護(hù) DLLs 和 驅(qū)動(dòng)程序

• 在獨(dú)特的虛擬機(jī)器里模擬任何 Intel x86 代碼

• 每個(gè)受保護(hù)程序里都有獨(dú)特的虛擬碼

• 完全兼容于任何的 壓縮器 / 軟件保護(hù)層

• 由指令列加載 的保護(hù)

Basics about Reverse Engineering

When an application is being created, the Compiler will compile the application source code into several object files made of machine language code. Afterward, the object files are linked together to create the final executable.

Figure 1: Compilation of your source code

When an attacker tries to crack a compiled application, he will use a decompiler tool which will decompile the machine language code into a more comprehensive code (like assembly code or a higher programming language), doing his research over the decompiled code.

Figure 2: Decompilation of your application

When the attacker has a good knowledge of the target application, he can modify the compiled application to alter its behavior. For example, the attacker could bypass the routine that checks for the trial period in an application and make it run forever, or, even worse, cause the application to behave as if it was registered.

Code Virtualization against Reverse Engineering

Code virtualization consists of the transformation of binary code from a specific machine into a different binary code that is understood by another machine. That is, the instruction set from a specific machine is converted into a new instruction set which is understood by a different machine. The following picture represents the transformation from a block of Intel x86 instructions into a new instruction set for another machine (specifically a RISC 32-bit CPU):

Figure 3: Transformation from x86 to RISC 32-bit CPU

Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.

Figure 4: Transformation from x86 to multiple Imaginary CPUs

When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.

Code Virtualization in RealLife

Code Virtualizer can be embedded inside your Win32 and Win64 applications and device drivers with ease. You just need to select which areas in your source code are going to be protected by Code Virtualizer. The following example shows how you can protect a block of code in a C application.

The VIRTUALIZER_START/VIRTUALIZER_END macros are dummy macros which do not interfere with the execution of the original application. It's only in protection-time when Code Virtualizer will recognize those areas of code and will covert them into unique virtual opcodes, which are then emulated by a virtual machine when the protected application is running.

The following picture represents the image of an original compiled application (before being protected) and how it's transformed when it's protected by Code Virtualizer:

Figure 5: Original Application versus Protected Application

As the image shows, Code Virtualizer needs to embed the generated virtual machine at the end of the protected application in order to emulate the virtual opcodes when they are going to be executed. The size of the virtual machine can vary from 10 Kb to 30 Kb (depending on the complexity level selected), making no impact in the final size of the protected application.

Final Words

Code Virtualizer is a powerful technology that can prevent someone from inspecting your sensitive code, such as your routines that validate an entered serial key for registering your application. Also, Code Virtualizer slightly modifies the PE header of the protected application, meaning you could put a compressor or other software protector on top of Code Virtualizer with no problems.

If you are a device driver developer and felt neglected when there was no solution to protect your device drivers, Code Virtualizer offers you the same technology to do so (for either 32-bit and 64-bit drivers) in the same way as your applications and DLLs.

Try Code Virtualizer today and start inserting the latest software protection into your Win32/Win64 applications and device drivers!
These are the key features of Code Virtualizer?:

• Obfuscation through multiples Virtual Machines
• Unique protection for every protected application
• Protection of any x32 and x64 application and Device Driver
• Advanced mutation engine
• Code relocation to protect DLLs and Device Drivers
• Emulation of any Intel x86 opcode inside unique Virtual Machines
• Unique virtual opcodes for every protected application
• Full compatible with any compressor/protector
• Command line protection