[Translation] Open Source Software Protection System - Part 1
By robot-v1.0
Permalink https://www.kyfws.com/applications/open-source-software-protection-system-part-1-zh/
Copyright notice: unless otherwise stated, all articles on this blog are published under the BY-NC-SA license. Please credit the source when reposting!
- 12 minute read - 5921 words
Original article: https://www.codeproject.com/Articles/4034/Open-Source-Software-protection-system-Part-1
Original author: Kamal Shankar
Translated by this site's robot-v1.0
Preface
Outlines for developing an open source implementation of a new software protection system.
License
You MUST agree to the following to continue reading this document:
- Publication of this article as a whole or in part(s) is prohibited without authorization from Kamal Shankar.
- Commercial exploitation/distribution of the software(s) in conjunction with this article is allowed provided an arrangement exists between Kamal Shankar and the licensee.
- The software(s) packaged with this article come with NO WARRANTIES EXTENDED. Use at your own risk.
Anybody interested in building a PE loader just for the sake of it - thanks, read on.
Background
This is intended to be a free, open software protection system based upon a simple assumption that makes this protection system viable only for small software companies, or actually for a single programmer.
The philosophy of this program is different from almost ALL the currently available (commercial) software protection systems, and it is simple: we will NOT be depending on preventive measures (which can ALWAYS be bypassed by a clever computer student) but rather upon the first and most basic idea behind ALL encryption algorithms - you have the key, you have the data (otherwise try to break down the titanium vault!).
The USP of this protection system will be this: anybody having the software can make infinite copies of it, but they will just crash on an unauthorized machine. They will, however, run transparently on the correct machine as if it was not protected at all!
In this way, it's not really a copy protection system in the true sense, but more of a one machine - one software kind of protection. Those using this protection do NOT need to use protection calls or APIs in their program, nor will the net executable code be changed in any way - no code obfuscation, IAT modification, section merging, entry point hiding or whatever. In short, what you compiled is what is finally loaded into the user's computer (provided it's the correct machine).
As the great +ORC once said - "Anything that runs can be cracked".
What we do is fully leave the user to run our program(s) on his system. The program is encrypted using a machine dependent key, and only the correct key will produce the correct decoded program file(s); otherwise it will be just plain garbage.
The encryption/decryption key will be calculated dynamically at run time by a program, let's call it HardwareID. The user/customer will be required to run HardwareID on his machine. The resultant key (its length depending upon the particular encryption algorithm) will be sent in plaintext to the software publisher, who will encrypt all or the important program files using that key and send the distribution to the customer along with the program loader (let's call the loader Loader32), which will again calculate the key dynamically and just decrypt and run the files from primary memory. We will NOT be decrypting the files to secondary memory (HDD), and this will make our distribution about .1% secure from being cracked. Note what this implies: the value the customer mails is the key itself, so anyone who reads that message, or who runs Loader32 under a debugger on the licensed machine and reads the key it computes, has everything needed to decrypt the distribution.
[Anything which runs can be cracked. And if you have the correct tools, you just need to click.]
Stumbling Block
We can approach the problem in two ways:
- Decrypt data directly to memory, and try to make the Win32 program loader run the image. Now, as far as I am aware, none of the SDK APIs allow us to run an image directly from memory; they ALL want a disk image, i.e. a valid filename. What we could do is to decrypt to memory, and then write our own Win32 loader (never mind that the memory could be dumped). (Please refer to Open Source Software protection system - Part 2 to see the implementation.)
- Write our own Win32 loader to read the encrypted file directly from disk, decrypt it and then load it ;) (Embarrassed grin) Well, the heart of the idea - the PE loader - is probably beyond me :( I just cannot think of rewriting something which will be able to handle relocations, function lookups, ordinal lookups and translation, image handling, CS:EIP management, the stack and ...
The program packaged with this article will extract the encrypted data to HDD and run it from there ;).
For a direct in-memory binary code patching solution, refer to Open Source Software protection system - Part 2.
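One of the loader steps listed above, applying base relocations, as an added Python example; it is not part of the article or its source package. It builds a constructed IMAGE_BASE_RELOCATION block for one page, then rebases a constructed image (assumed already mapped section by section and indexed by RVA, a step this example does not perform) from its preferred base to the address it actually received, the way a Win32 loader must when an image cannot be mapped at its ImageBase. Only IMAGE_REL_BASED_HIGHLOW, the 32-bit case the article limits itself to, is handled; anything else is rejected rather than silently skipped, and every fixup is bounds-checked against the image.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, must be skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the full delta


def build_reloc_block(page_rva, offsets):
    """Constructed IMAGE_BASE_RELOCATION block: VirtualAddress, SizeOfBlock, then WORD
    entries (type in the top 4 bits, 12-bit offset within the 4 KiB page), padded to a DWORD."""
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in offsets]
    if len(entries) % 2:
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    size = 8 + 2 * len(entries)
    return struct.pack("<II", page_rva, size) + struct.pack(f"<{len(entries)}H", *entries)


def apply_relocations(image, reloc, preferred_base, actual_base):
    """Rebase a mapped image (bytearray indexed by RVA) by walking every relocation block.
    Returns the number of fixups applied. The table is attacker-controlled data in a loader,
    so block sizes and target RVAs are checked before anything is written."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    pos, applied = 0, 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block")
        for entry_pos in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from("<H", reloc, entry_pos)
            rel_type, offset = entry >> 12, entry & 0xFFF
            if rel_type == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rel_type != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError(f"unsupported relocation type {rel_type}")
            rva = page_rva + offset
            if rva + 4 > len(image):
                raise ValueError("relocation points outside the image")
            (value,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
            applied += 1
        pos += block_size
    return applied


def demo(preferred_base=0x00400000, actual_base=0x10000000):
    """Constructed image: 8 KiB with three absolute pointers in the page at RVA 0x1000,
    all pointing inside the preferred base. Returns (fixups applied, pointers after rebasing)."""
    image = bytearray(0x2000)
    pointers = {0x1010: preferred_base + 0x1000,
                0x1020: preferred_base + 0x1234,
                0x1030: preferred_base + 0x1FF0}
    for rva, addr in pointers.items():
        struct.pack_into("<I", image, rva, addr)
    # Three entries is an odd count, so the block carries one ABSOLUTE padding entry.
    reloc = build_reloc_block(0x1000, [0x010, 0x020, 0x030])
    applied = apply_relocations(image, reloc, preferred_base, actual_base)
    return applied, [struct.unpack_from("<I", image, rva)[0] for rva in sorted(pointers)]
```

With the preferred base 0x00400000 and an actual base of 0x10000000 the delta is 0x0FC00000, so a pointer stored as 0x00401234 becomes 0x10001234. A real loader repeats this for every block in the .reloc section and, once imports are also resolved, sets the page protections before transferring control to the entry point.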
Anybody with a working idea/implementation of anything able to decrypt an encrypted PE file directly to memory and run it from there - welcome, if you wish! So actually what I am asking for is code for a program packer. Obviously the open UPX comes to mind, but why can we not use it? Because:
- I cannot think of writing CAST or TWOFISH in assembly.
- The external modules used by me will be too much of a pain in the you-know-what to port to be NASM compatible.
- The code for the UPX Win32PE loader is BEYOND my easy comprehension (I do program in assembly, but this?).
Why not use one of the many commercial packers?
First of all, I wanted to do it to LEARN rather than EARN ;)
I am sure that this initiative will be looked upon NOT as my own, but as everyone's. Thank you and happy coding!
And then, the biggest disadvantage of almost all current packers is that they implement preventive measures.
From my experience, preventive measures succeed in keeping out the beginners. Real crackers just need to find the locations where the preventive measures are operating, and can bust them easily!
This system is different - it has no preventive measures for the cracker to crack in the first place!
To Make it Simple - outlines for fabricating such a system
First of all, this system *must satisfy* the following clauses:
- It must not employ any preventive measures (antidebugging, blacklists, dead code...).
- It must be as transparent as possible to the end user.
- It must not require source level modification. Ideally it should work with just binaries.
For the time being, let's limit ourselves to Win32 and PE images, protected mode and 32 bit addressing. Code should be Visual C++, but if ASM does come in, the algorithm should be mentioned and the code well documented. No other language. [If you come across something similar but in another language, it's welcome anyway, but try to make it C++ ;)] [Might I suggest that we try to use existing code which has already been tried and tested? Has anybody got suggestions about this?]
Of course, Win32 APIs (as well as the debugging APIs) are allowed.
Something tells me that perhaps referring to the implementation of the Win32 loader of WINE will help us out, but they have implemented EVERYTHING themselves - actually, many APIs written by them behave VERY differently from the original Microsoft APIs. In fact, their code implements page aligned relocations and addressing rather than the byte alignment used on Microsoft Windows. I will gladly stand corrected on this aspect if I got it wrong.
I might take this opportunity to make you all aware that it's just a beginning; we will soon be having more features once the Stumbling Block (the Loader) is done. I promise ;).
The Source
As you will see, I have uploaded a source package. It contains the HashLibProper files. Include the header file and link to the .lib. Put SysInfo.dll and HashLibProper.dll with the program and you are done.
SysInfo.dll is part of the SysInfo package most generously let out by Paul Wendt [p-wendt@home.com] and available in CodeGuru's 'system' category.
The HashLibProper package is a simple Win32 DLL which uses the SysInfo classes to get the processor name, speed, OS and installed RAM. It uses a singly linked list to hold logical drive information, their labels and serial numbers. It concatenates all this info and returns a C type string. It also returns an MD5 of this string. Keep in mind that every one of these fields feeds the key: relabelling or reformatting a drive (which changes its volume serial number), adding RAM or upgrading the OS changes the MD5, so the legitimate customer is locked out until the publisher re-encrypts for the new fingerprint.
You will find ALL these detailed in the ReadMe.
NOW BEFORE YOU START CRYING OUT LOUD - "Where is the source code for the HashLibProper package?" - I will release the source once the Stumbling Block materializes and we get a concrete solution. [The code for the library is easy and small anyway, and I just want to see a little contribution to this project - if that happens I WILL release the code.]
Current Implementation
- Software packaged with this article.
This is best understood by going through the source package. In short, we put ALL the obtained system info into a C type string and do an MD5 on it. We may use the MD5 digest as the encryption key itself, but later we will do a little more math to increase security - BUT AFTER the Stumbling Block has seen some light. This key will also be produced dynamically on the user's system, and the encrypted files will be decrypted using this key.
Needless to say, the person with the correct system will create the correct MD5, and thus only he gets the program to run (on other systems the decrypted output should be un-executable garbage).
So select a program file, copy it to the directory to which you extracted all our files and rename it to OriginalData.dat; run Encrypt.exe and click 'OK'. The application will encrypt the chosen file to EncryptedData.dat. Then run Encrypt.exe and select 'Cancel'. You will see a file DecryptedData.dat created - it's the program chosen. Rename it to an EXE (or whatever extension it was) - it will run correctly. Now copy these files to a machine of a different configuration and see what happens!
This is a VERY ROUGH implementation of my idea, but without getting the Stumbling Block cleared, I just cannot see an alternative solution!
- A more mature solution.
I wrote a solution which very closely follows the outline laid out in this article. Read it here: Open Source Software protection system - Part 2.
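The HashLibProper fingerprint described under "The Source" and the Encrypt.exe round trip above, as one added Python example; it is not the article's code (which is Visual C++ and unreleased). The system fields are constructed rather than read from the machine, the key is the MD5 of the concatenated string exactly as the article describes, and an HMAC-SHA256 counter-mode keystream stands in for the article's Blowfish routine because the Python standard library has no Blowfish. It also adds two checks the article's Loader32 would want: an HMAC tag over the ciphertext, so a wrong key or a modified file is detected before anything is decrypted, and a DOS/PE header check, so "un-executable garbage" is never handed to the OS loader.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for what HashLibProper reads through SysInfo: processor name and
# speed, OS, installed RAM, and (drive letter, label, volume serial) for each logical drive.
# MACHINE_B differs from MACHINE_A only in the volume serial of C:, e.g. after a reformat.
MACHINE_A = {
    "cpu": "Intel Pentium 4 1700 MHz",
    "os": "Windows XP 5.1.2600",
    "ram_mb": 512,
    "drives": [("C:", "SYSTEM", 0x1A2B3C4D), ("D:", "DATA", 0x5E6F7A8B)],
}
MACHINE_B = dict(MACHINE_A, drives=[("C:", "SYSTEM", 0x11111111), ("D:", "DATA", 0x5E6F7A8B)])


def fingerprint(info):
    """Concatenate every collected field into one string, as HashLibProper does."""
    parts = [info["cpu"], info["os"], str(info["ram_mb"])]
    parts += [f"{letter}{label}{serial:08X}" for letter, label, serial in info["drives"]]
    return "|".join(parts)


def machine_key(info):
    """The article uses the MD5 digest of the fingerprint directly as the cipher key."""
    return hashlib.md5(fingerprint(info).encode()).digest()


def keystream_crypt(key, data):
    """Symmetric counter-mode stream cipher built from HMAC-SHA256.

    Stand-in for the article's Blowfish routine (assumption: standard library only).
    The same call both encrypts and decrypts; the wrong key yields unrelated bytes.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, struct.pack("<Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def looks_like_pe(image):
    """Sanity-check a decrypted blob before anyone runs it: MZ stub, e_lfanew, then 'PE\\0\\0'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    return e_lfanew + 4 <= len(image) and image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_stub_pe():
    """Constructed minimal image: DOS header with e_lfanew = 0x40, the PE signature and the
    start of a COFF header (Machine = IMAGE_FILE_MACHINE_I386), then zero-filled body."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(0x200)


def publisher_encrypt(info, original):
    """Publisher side: encrypt with the customer's key and append an HMAC over the ciphertext,
    so the loader can tell a wrong key or a tampered file apart from a valid one."""
    key = machine_key(info)
    ciphertext = keystream_crypt(key, original)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def loader_decrypt(info, package):
    """Loader32 side: recompute the key on this machine; refuse anything that fails the tag
    check or does not parse as a PE image. Returns the image, or None."""
    key = machine_key(info)
    ciphertext, tag = package[:-32], package[-32:]
    if not hmac.compare_digest(hmac.new(key, ciphertext, hashlib.sha256).digest(), tag):
        return None
    image = keystream_crypt(key, ciphertext)
    return image if looks_like_pe(image) else None
```

Run on MACHINE_A the package decrypts back to the original image; on MACHINE_B the tag check fails before a single byte is decrypted, which is the behaviour the article wants without relying on garbage happening to crash. Note that the tag does not change the trust model the article already concedes: the key is still computed inside the loader on the customer's machine.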
Special Thanks
- Paul Wendt for his great SysInfo class
- R!SC and +ORC (the reversers out there will know why ;)
- Counterpane Labs - for the Blowfish implementation
- Chris Maunder and his dedicated team - thank you all for this GREAT site
- Nir Dremer for his FileEnc code, from which the Blowfish encryption routine has been taken
Anyone who can create a solution to the Stumbling Block (you can see how mad I am about it!) or a good workaround for it?
History
- 14th April 2004: Rewrote some parts
- 10th April 2003: Mailed project to CodeProject and expecting response ;)
- 15th May 2003: Updated article to reflect implementation of Stumbling Block I. Please refer to Part 2 of this article to clear up any confusion ;)
License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).
VC7.0 VC7.1 C++ VC6 WinXP Win2003 Windows Win2K Visual-Studio Dev News Translation