tivit

Stories submitted by tivit

Migrating to Mono.Cecil 0.9.2 : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years ago

Mono.Cecil was developed by JB Evain back in the fall of 2004 and since has had a fairly stable code base that has changed very little. The world has rather changed around Mono.Cecil... until now! Mono.Cecil has now been updated utilising many compiler features introduced with the .NET framework over the years, fixing many bugs, improving performance, and also improving code flow for developers. Since NCloak is still in development, I thought it would be a perfect chance to stay on top of the game and upgrade to the shiny new v0.9.2 of Mono.Cecil. This is a breaking version upgrade therefore, as expected, drove me a little insane ironing out all of the introduced bugs in the code! This article is essentially a summary of "gotchas" outside of the migration document to help anyone else performing a migration.


Overcoming the switch statement in IL : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 2 months ago

In the last article I mentioned how the community had started using the NCloak application and started finding places where it did not work. The main problems occurred with code injection; before injection it worked fine, after injection we had an invalid program. The last article looked at fixing instruction operand overflow whereby a short form branch statement was now referencing a long form instruction. In this article we take a look at an instruction that I had neglected to fix, and why the fix wasn't as simple as I'd hoped...


Handling instruction operand overflow in NCloak : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 2 months ago

NCloak has started to become attractive enough for people to have a fiddle with it on their own applications. This is great news as it means that it is getting exposure to scenarios outside of my "sandbox". As a result of testing, it quickly became apparent that NCloak failed to work when large amounts of code were injected. This article investigates why the program had issues, and how it was fixed.


Tamper Proofing - an implementation (Part 3) : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 2 months ago

In our last article we took a look at implementing an example tamper proofing solution in code. This has now been implemented as an NCloak task; that is, NCloak now automatically packages your assemblies and generates a bootstrapper to execute your program. In this article, we take a look at hair pulling "obvious now that I know the answer" problems I had during this seemingly simple implementation!


Tamper Proofing - an implementation (Part 2) : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 3 months ago

In the last article we took a look at a partial implementation of tamper proofing: encrypting an assembly and placing it in the resource section of an assembly. This article takes a look at writing a bootstrapper for decrypting these embedded assemblies and running them dynamically on the fly (of course avoiding writing them to disk).


Tamper Proofing - an implementation (Part 1) : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 3 months ago

Last week we took a look at various methods of tamper proofing .NET assemblies, breaking it down into three primary methods:
* Hash checking - checking your assembly's hash to ensure unchanged
* Result checking - checking results of calculations throughout your assembly
* Encryption - encrypting your assemblies before deployment
Over the next few weeks I'll discuss an implementation of injecting tamper proof techniques into your assemblies using NCloak. To make things simple, we'll simply be using encryption and hash checking to detect any tampering of assemblies.


Tamper Proofing your Code : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 3 months ago

A largely "untouched" area of intellectual property protection is Tamper Proofing. I can only assume that the reason for this is that while tamper proofing methods are easy to add, it is extremely difficult to stop tamper proofing being removed. It all boils down to the simple fact: if your computer can run the program then a hacker can understand the control flow and change your code for their own purposes. This article takes a look at what tamper proofing is, various methods of tamper proofing, and finally evaluates their real world use.


Hacking Mono.Cecil - allowing invalid opcodes : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 4 months ago

In the last post we took a look at how to manually remove invalid opcodes from an obfuscated assembly. We did this by decompiling the assembly, replacing with the nop opcode and then recompiling. We used this manual method of removing these as Mono.Cecil crashed at the sight of some of the invalid opcodes. In this post we take a look at a tiny "hack" to Mono.Cecil which allows us to do the same thing in an automated manner.


Removing Invalid OpCodes From Obfuscated Assemblies - Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 4 months ago

Last week we took a look at what was required to make the NCloak obfuscator fool Reflector. Following on, this week we'll take a look at reversing all of that hard work, allowing Reflector to decompile our assembly again!


Making NCloak fool Reflector (an implementation) : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 4 months ago

In the last article of the series we took a look at two different methods for stopping Reflector being able to successfully decompile our code: inserting invalid IL, and modifying header information. Today we'll implement the more common approach: inserting invalid IL into each method inside our assembly, making it unreadable in Reflector.


Lightspeed 3 : Testing Enhancements - Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 5 months ago

In this post I'm going for a bit of a diversion from the usual Protecting Your Precious Code series; and for good reason! The long awaited version 3 of the Lightspeed tool was released on Monday. Rather than go into all of the new features that it boasts (which can be found on the Mindscape blog), I'm going to take a look at a particular aspect that excites me: improved testability of entities!


How to make your Obfuscator fool Reflector : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 5 months ago

The primary purpose for Obfuscators is to stop users understanding your application. The idea of this is that if you can stop them making sense of your application, you can stop them bypassing licensing steps and/or stealing code. A popular feature for a lot of commercial obfuscators is to take this a step further and stop popular decompilers from even being able to understand your program. While this may sound quite attractive, it can also be quite scary as you need to break many of the "set rules and guidelines" to make this happen. In this article, we'll discuss two of those methods to stop our code from working in Reflector.


Handling 64-bit assemblies during obfuscation - Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 6 months ago

Continuing on along the lines of the Protecting your precious code series, we'll take a look at pre-empting a bug in our obfuscator! One assumption I had made during writing these articles, which fell through into the implementation of NCloak, was that an address size was 32 bits long. While this will work for MOST people (Any Cpu or 32 bit compilation), when obfuscating a 64 bit assembly, it will start causing a few execution problems.


Stopping ILDASM decompiling your assemblies : Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 6 months ago

The main purpose of obfuscation is to hide telltale program information from being easily read and understood by the human eye. This is quite a difficult task when there are tools such as Reflector and ILDASM sitting around that allow you to easily break apart an assembly and investigate its internals. Many obfuscators these days attempt to thwart this by stopping ILDASM and Reflector decompilation via some simple techniques that we'll go into detail over the next few posts. Some of the techniques are questionable as we'll soon see; however some of them are also quite legitimate but weak. This week we'll take a look at a simple technique to stop ILDASM decompilation, and also how to get around it.


String Encryption as an Obfuscation Tool - Reverse Engineering - Paul (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 6 months ago

In the last post we took a look at how to encrypt strings within an assembly to assist in obfuscating our code from prying eyes. In this post we'll take a look at how easy it is to circumvent this feature, essentially making it... well... not as cool as it sounds. Topics we'll cover:
* A quick recap of what string encryption did to our assembly
* Why is string encryption easy to circumvent?
* A simple method for circumventing this feature
* Implementation of circumvention code (reverse engineering?)


String Encryption as an Obfuscation Tool - Part 2 - Paul Mason (blog.paul-mason.co.nz)

submitted by tivit (364) 2 years, 6 months ago

In the last post we took a look at how we were going to implement String Encryption into NCloak. In this post, we take a look at the implementation of this feature. We'll cover:
* The plan of attack
* Creating the decryption method
* Changing ldstr
* "Gotcha's" to be aware of
