Is it possible to find if an application is encrypted at runtime

    manoharbalu wrote (#1):

    We have an application exe developed in VC++ under VS2008. We are using an external software named HASP SRM for license protection. When we protect our Application exe using the software, its size is changed. I could understand that the exe is being encrypted. Now I want to find a way in the application at runtime to identify if it is protected or encrypted or not for some logging purpose. Is it possible to write a code inside the application to find it at runtime? Can anyone help me in this regard?


      Jochen Arndt wrote (#2):

      You may open and read the binary file (argv[0]) and check if that contains a signature inserted by the encryption software. Ask the maker of the software if you don't know the signature. They may also already have a documented method to perform such checks.


        manoharbalu wrote (#3):

        Our application is an MFC application. Can you please provide me the C++ source code and detail the steps to do so?


          Jochen Arndt wrote (#4):

          I can't because I don't know what to look for. Therefore, I suggested asking the maker of the encryption software. Alternatively, do a binary file compare of an encrypted and original version of your software to find out where they are different. But only you can do that because I neither have your software nor the encryption software. If you know what to look for (binary pattern, length, and offset):

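          // Needs <stdio.h> and <string.h>; runs inside main(), with offset set to
          // the file offset of the signature.
          const unsigned char pattern[] = { 0x00, 0x01 /* ... */ };
          unsigned char buf[sizeof(pattern)];
          int found = 0;
          FILE *f = fopen(argv[0], "rb");   // argv[0]: path of the running executable
          if (f != NULL)
          {
              // fread(ptr, size, count, stream): the element size must be 1, not 0
              if (0 == fseek(f, offset, SEEK_SET) &&
                  sizeof(pattern) == fread(buf, 1, sizeof(pattern), f))
                  found = (0 == memcmp(pattern, buf, sizeof(pattern)));
              fclose(f);
          }
          if (found)
          {
              // pattern found
          }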


            Lost User wrote (#5):

            Hi,

            manoharbalu wrote:

            Is it possible to write a code inside the application to find it at runtime.

            Maybe.

            manoharbalu wrote:

            Can anyone help me in this regard

            One of the first things that occurs after the executable begins execution... (for brevity I will not describe the NT loader) is that it jumps to the IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint and begins executing some code there. Do the following:

            1.) Protect around a dozen files with the packer/protector.
            2.) Read some bytes at the IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint offset on all these protected files (maybe 16 bytes of instructions).
            3.) Save those bytes into an array.
            4.) If all those bytes are the same... use that for your signature detection.

            All PE packers and protections add the decryption/decompressing functions at the IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint.

            Note that in the old days some vendors used polymorphic instruction generators to avoid detection... but these days most vendors are using static instructions so that anti-virus vendors can detect the unpacker signature.

            Note that you can also iterate through the PE sections... A typical PE file from a Microsoft based compiler will contain:

            .text .bss .rdata .data .idata .reloc ... few others

            I believe the HASP SRM packer/protector generates an additional PE section: .protect

            Keep in mind that you are performing a statistical analysis so...

            if the instructions at IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint are the same as instructions from other binaries packed with HASP SRM
            {
                if there is an additional section named .protect which is consistent with the HASP SRM product
                {
                    Probably protected by HASP SRM
                }
            }

            Best Wishes, -David Delaune
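
An added example (not part of the original thread, and not vendor code) of the check described in the post above: it parses the PE headers to read the 16 bytes at IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint and to look for a `.protect` section, then counts how many leading entry-point bytes a set of protected builds share. The names `pe_inspect` and `common_prefix` are hypothetical, and `.protect` is the section name the post believes HASP SRM adds, not a confirmed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd16(const unsigned char *p) { return p[0] | p[1] << 8; }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | rd16(p + 2) << 16; }
/* Parse a PE file held in memory: copy the 16 bytes at the entry point into ep[]
   and report whether a ".protect" section exists. Returns 0, or -1 if malformed. */
int pe_inspect(const unsigned char *img, size_t len, unsigned char ep[16], int *protect) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t nt = rd32(img + 0x3C);                  /* IMAGE_DOS_HEADER.e_lfanew */
    if (nt > len || len - nt < 44 || memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    uint32_t nsec = rd16(img + nt + 6), optsz = rd16(img + nt + 20);
    uint32_t entry = rd32(img + nt + 24 + 16);     /* AddressOfEntryPoint (an RVA) */
    size_t sec = nt + 24 + optsz;                  /* first IMAGE_SECTION_HEADER */
    if (sec > len || (len - sec) / 40 < nsec) return -1;
    int mapped = 0;
    *protect = 0;
    for (uint32_t i = 0; i < nsec; i++, sec += 40) {
        const unsigned char *s = img + sec;
        uint32_t va = rd32(s + 12), rawsz = rd32(s + 16), raw = rd32(s + 20);
        if (memcmp(s, ".protect", 8) == 0) *protect = 1;   /* name taken from the post */
        if (mapped || entry < va || entry - va >= rawsz) continue;
        size_t off = (size_t)raw + (entry - va);   /* RVA -> file offset */
        if (off > len || len - off < 16) return -1;
        memcpy(ep, img + off, 16);
        mapped = 1;
    }
    return mapped ? 0 : -1;
}

/* Steps 3-4 of the post: number of leading entry-point bytes shared by all n samples. */
size_t common_prefix(unsigned char eps[][16], size_t n) {
    for (size_t k = 0; n > 0 && k < 16; k++)
        for (size_t i = 1; i < n; i++)
            if (eps[i][k] != eps[0][k]) return k;
    return n ? 16 : 0;
}

int main(int argc, char **argv) {   /* usage: prog protected1.exe protected2.exe ... */
    static unsigned char img[1 << 22], eps[32][16];   /* reads at most 4 MiB per file */
    size_t n = 0; int prot, all = 1;
    for (int i = 1; i < argc && n < 32; i++) {
        FILE *f = fopen(argv[i], "rb");
        size_t len = f ? fread(img, 1, sizeof img, f) : 0;
        if (f) fclose(f);
        if (pe_inspect(img, len, eps[n], &prot) == 0) { n++; all &= prot; }
    }
    printf("%zu files, %zu common entry bytes, .protect in all: %d\n", n, common_prefix(eps, n), n && all);
    return 0;
}
```

For the runtime self-check, load the application's own file, call `pe_inspect` on it, and compare the entry bytes against the shared prefix derived from known protected builds.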
