S
S
sbh2015-07-20 09:03:11
Programming
sbh, 2015-07-20 09:03:11

How to implement program integrity check?

The question is more theoretical: how do programs implement integrity checks on themselves?
1 point - let's say we calculated the hash of the file, but as soon as we write the constant into the code, the amount of the file will change.
2 point - why can't you just start the procedure for checking the amount in such a program and bypass the check?

Answer the question

In order to leave comments, you need to log in

4 answer(s)
L
Lander, 2015-07-20
@usdglander

1. Usually, the checksum of the code section is considered, and the reference sum is stored in the data section.
2. You can zanopit, so they use any encryption of pieces of code, and at the time of execution they decrypt it.
In fact, there is no 100% protection and cannot be. It's just that the cost of hacking should be greater than the cost of the program. No one will spend a week hacking a program that costs 50 rubles.

V
Vitaly Pukhov, 2015-07-20
@Neuroware

As Nikita Pustovalov already saidThere is no 100% protection, the specific method depends on the programming language, for example, in C # you can do something like this, all the "important" data is taken out into a separate module, the function for calculating the hash is also taken out into it, and ideally it is non-standard or consists of several standard ones ( to make it harder). After loading the module into memory, the "body" is subtracted from it, the body is actually a dll in memory, a hash is calculated from the "body" using the method from the module and compared with the reference one (because the operation is not very expensive, you can do it at least before each call) . In this case, the module must be protected by all possible means, the rest can be scored, because. everything is critical in the module. And yes, if the module can be deobfuscated and recompiled by changing the hash calculation method and the standard, then the protection was bypassed, therefore, in any case, you will have to think about how to protect the module from decompilation. It's just not possible to "snap" here, and deobfuscation with the ability to recompile the module even on .net is not always an easy task.

D
Dmitry, 2015-07-20
@EvilsInterrupt

If everything was so simple, then there would not be so many offers to protect software such as Enigma, Themida, etc. If you want to plunge headlong into this area, then I recommend that you go to the Wasm.ru forum and read until enlightenment.
In general, the solution is "on the knee":
1. Calculate the hash from a piece of code during the imposition of protection and consider this as a reference hash. Calculate at the time of execution and compare with the reference.
2. At runtime, get the context, take the values ​​of the debug registers and xor with the code. If someone put a break, it means that in the debug register there will be a pointer value, thereby not a zero value, then it will spoil the code.
3. Search for windows with names from regmon, ollydbg, etc.
4. Encrypt all significant string constants at the protection stage and decrypt them during operation
5. Zero out section descriptors, i.e. an array of IMAGE_SECTION_HEADER structures located in the PE header
6. Find DataDirectory[DEBUG_DIR_INDEX] in the header and put it on the area in your application, generate garbage in this area
But I repeat, this is "on the knee"

A
abs0lut, 2015-07-20
@abs0lut

1 point - let's say we calculated the hash of the file, but as soon as we write the constant into the code, the amount of the file will change.

The hash can be stored separately.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question