When an application is being created, the Compiler will compile the
application source code into several object files made of machine language
code. Then the object files are linked together to create the final executable.
Figure 1: Compilation of your source code
In the same manner that the source code of an application is converted
into machine code at compilation time, there are tools that can convert a
compiled application into assembly language or a higher programming language.
These tools are known as dissemblers and de-compilers.
Figure 2: Decompilation of your application
An attacker can use a dissembler or de-compiler to study how a
specific application works and what a specific routine does. When the attacker
has a good knowledge of the target application, he can modify the compiled
application to alter his behavior. For example, the attacker could bypass the
routine that checks for the trial period in an application and make it run
forever or even worse, cause the application to behave as if it was registered.
Software protectors where created to keep an attacker from directly
inspecting or modifying a compiled application. A software protector is like a
shield that keeps an application encrypted and protected against possible
attacks. When a protected application is going to be run by the operating
system, the software protector will first take control of the CPU and check for
possible cracking tools (dissemblers or de-compilers) that may be running on
the system. If everything is safe the software protector will proceed to
decrypting the protected application and giving it the control of the CPU to be
executed as normal.
The advantages of using a Software Protector are:
Protect an application against
piracy.
Prevents attackers from
studying how an application is implemented.
Will not allow attackers to
modify an application to change its behavior .
Since software protectors were born, many attackers have centered most
of their efforts on attacking the software protectors themselves instead of the
applications. Many tools have been developed that aid in the attacking of
software protectors. These attacks often result in the attacker obtaining the
original application that is decrypted and has the protection wrapper removed.
Figure 3: Common software protectors philosophy
The main problem with software protectors is that they use protection
techniques very well known by crackers, so they can be easily bypassed with
traditional cracking tools.
Another important problem in software protectors is that they have
restricted execution by the operating system, that is, they run with normal
application privileges. Because of this attackers can use cracking tools that
run at the same priority level as the operating system allowing them to fully
supervise what a software protector is doing at a certain time and attack it in
specific places.
With Themida® , we have centered in the main weakness that software
protectors have thus providing a complete solution to overcome those problems.
Themida® uses the SecureEngine® protection technology that, when running in the
highest priority level, implements never seen before protection techniques to
protect applications against advanced software cracking.
Figure 4: Themida® protection procedure
SecureEngine® defeats all current cracking tools that can be used
against protected applications and it will make sure that your protected
applications are only run in safe environments.
Figure 5: SecureEngine® technology adds more strength to the existing
protection
Software protection programming is not a very well known field for
most programmers. Software protection techniques are not like
"visible" features that can be seen and compared. Because of this
most software protection authors could talk about impressive techniques that
are included deep inside the protection scheme, when many times most of these
techniques hardly exist or they are much simpler than what they seem.
Most software protectors reiterate a lot about using very strong
cryptographic algorithms like RSA, Elliptic curves and AES hoping that the
final user will believe that those protectors and the cryptic algorithms are
unbreakable. This if far from the truth as software protection is very
different from data protection. Even if a software protector encrypts the
protected application with the most robust cryptographic algorithm, sooner or
later the protected application needs to be decrypted in order to be run by the
CPU. It is in this phase when most attackers will start their work by dumping
the decrypted application from memory to disk thus not having to deal with the
cryptographic algorithm and reconstructing of the original application.
In Themida® we want to be realistic about which weakness can be
exploiting by attackers and what we really need to pay attention to protect an
application with the highest security possible against software cracking.
These are the key
features of Themida®:
Anti-debugger techniques that detect/fool
any kind of debugger
Anti-memory dumpers techniques for any
Ring3 and Ring0 dumpers
Different encryption algorithms and
keys in each protected application
Anti-API scanners techniques that
avoids reconstruction of original import table
Automatic decompilation and scrambling
techniques in target application
Virtual Machine emulation in specific
blocks of code
Advanced Mutator engine
SDK communication with protection
layer
Anti-disassember techniques for any
static and interactive disassemblers
Multiple polymorphic layers with more
than 50.000 permutations
Advanced API-Wrapping techniques
Anti-monitors techniques against file
and registry monitors
Random garbage code insertion between
real instructions
Specialized protection threads
Advanced Threads network communication
Anti-Memory patching and CRC
techniques in target application
Metamorphic engine to scramble
original instructions
Advanced Entry point protection
Dynamic encryption in target
application
Anti-tracing code insertion between
real instructions
Advanced Anti-breakpoint manager
Real time protection in target
application
Compression of target application,
resources and protection code
Anti-“debugger hiders” techniques
Full mutation in protection code to
avoid pattern recognition
Real-time simulation in target
application
Intelligent protection code insertion
inside target application
Random internal data relocation
Possibility to customize dialogs in
protected application
Support of command line
Many many more...
Support All Windows.
