Morphing Code to Prevent Reverse Engineering? 507
ptolemu writes "Cringely's latest article discusses a new obfuscation technique currently being researched called PSCP (Program State Code Protection). An informative read that concludes with some interesting insight on the software giants that heavily depend on this kind of technology."
Re:Isn't this just self-modifying code? (Score:5, Informative)
Hmm... (Score:5, Informative)
Re:Virtual Machine? (Score:1, Informative)
Self-modifying code is ENTIRELY obsolete. Has been for ten years. Sorry.
Obscurity generation... (Score:3, Informative)
E.g. all states and variables are in an array called n[][] and the program is basically a big loop.
Quite impossible to know whats going on
Re:Wow (Score:1, Informative)
Have you ever seen decompiled java bytecode? It's almost indistinguishable from the original source code. The problem with x86 assembly is that each instruction doesn't map 1:1 with the source. With java bytecode, it *is* close enough to a 1:1 mapping that perfectly legible code can be produced from an regular class file.
Re:easy to do (Score:2, Informative)
Re:virus writers dream (Score:5, Informative)
Of course, virus writers have been using this since the early 1990s. One particular virus called Ontario III [nai.com] (there might be others before it) used this trick. An interesting part from the virus writeup: "The Ontario III virus uses a very complex form of encryption with no more than two bytes remaining constant in replicated samples."
Deobfuscation is in NP (Score:2, Informative)
Read the paper [nec.com] if ya don't believe me.
Such solutions for Java already exist (Score:3, Informative)
Retrologic awarded Java byte code obfucator (Open Source! and free!) [retrologic.com]
not free but you can try before you buy [condensity.com]
ZelixKlassMaster [zelix.com]Yet Another Java Byte Code Obfuscator (YAJBCO)
But I'm not sure they really work - just provide level of security similar to classical machine code. Btw. the MyDoom virus was BurnEye encrypted - so what?
Re:Wow (Score:5, Informative)
The Java Virtual Machine is a stack machine - there are no CPU registers. There's a seperate memory store for local variables. That tends to make it easy to tell exactly what data is being operated on at any given time.
I've seen Java decompilers that return very clear, readable code.
Re:Reverse engineering is not the problem (Score:1, Informative)
Because Quake is old, and when it was released, most players were still on 28.8 modem connections. In other words: a lot of stuff was left on the client for the purpose of saving bandwidth.
The Quake 1 source wasn't released until a couple years later. So there was no reason to obfuscate it, since it wasn't out there* (yeah don't get me going on the history of id Software).
* wasn't _supposed_ to be out there. There was a copy of at least part of the Quake 1 source floating around the warez channels for awhile, courtesy of crack dot com.
Cloakware (Score:4, Informative)
Re:Wow (Score:1, Informative)
Although I'm no expert at Java bytecodes, I didn't have any problems, and the only tools I used came with the Sun JDK.
On the other hand, some other code we got from them was put through a C obfuscator and it was almost impossible to reverse engineer. I gave up. Of course now that they provide unobfuscated code I'm able to make improvements to it for our project.
Re:Wow (Score:2, Informative)
Depends. Some versions of javac vary the position of the test (start or end of the loop) according to the loop construct.
Re:Security by obscurity (Score:5, Informative)
Re:Are folks really using obfuscation for Java? (Score:3, Informative)
Minor nitpick, that is not completly correct.
An object can still have references to it, and still be elegible for gc'ing. That is what Weak- and SoftReferences are used for.
From the API docs [sun.com]:
Re:do what i do (Score:3, Informative)
Why would you need to search for "i" in code set up in this way?
Finally an acronym for an old thing... (Score:2, Informative)
Empirical study shows that such protection mechanisms are very weak.
That's jsut because game designers get lazy... (Score:3, Informative)
Remember that most game hacks involve an exterior program that twiddles the in-game parameters after the session is up and running. If the changes were treated as a proper database update journal then things are easy. As the server and the client "play their journal" out at one another a "checksum" operation can be requested and the two memory maps had better match. The errors don't have to be "corrected" after all, they just need to be punished.
This isn't un-crackable but it is un-crackable in psud-realtime. The theoritical cracker would have to have, essentially, a second game engine running to maintian "the image that ough to be there" along with the engine of the real game. Then there would have to be a reconciler of some sort. At a minimum the machine doing the hack would have to be at least three time (yes, oversimplified math 8-) as powerful as the gamer's gaming experience. (That is, if the hacker wants to watch untextured wireframes "kill eachother" at 4 frames a second... he could probably devise a cheat. 8-)
Even so, as the server-side is applying the remote journal some very simple interger checks (c.f. if ((StartingHP + RepairHP) Turns) then EjectCheater(); if ((Pedometer / Turns) > MaxSpeed) then EjectCheater();
Online game hacks almost invariably exploit the kinds of design errors that come from hiring programmers who have only ever programmed games. Simple distributed data integrity checks (and a suspicous mind, and an understanding of why windows programs are never secure) could pretty much cut them down to nill.
(And before anybody starts narfing, I fully understand that, what with the distributed processing model the above math would need "fudge factors" and some adaptability. These too, are techinques that are well understood by people who work with distributed processing and data collection and synchronization tasks understand. Lossy environment and everything. This also wouldn't involve any real CUP hardship if designed correctly. Compared to the time to compute and render a frame, doing an MD5 over the domain of core data every few seconds isn't that hard to schedule. And it wouldn't necessarily have to be even as strong as an MD5. But gawd people, these games arn't even doing a data domain XOR... They don't get to cry over it when people do an exterior memory image patch hack. It's like leaving your car running with the doors open in Flatbush and then whining when it gets stolen. 8-)
Re:Hmm... (Score:2, Informative)
Christian Collberg [arizona.edu] has done some very interesting work on obfuscating programs at a high-level by densely intertwining their control flow and data accesses with a parallel heap-pointer-intensive computation. Sort of like a separate thread, with the key point that lots of dynamically allocated memory must be used to defeat analysis. This both obfuscates the original program and also helps in tamper-proofing (the original program can be modified by the compiler to rely on the values computed by this alternate thread).
Separating the main program from the inserted "thread" is much harder than checking and skipping some branch instructions in a decompiler or SoftICE. Static pointer analysis is an NP- hard problem for compilers, which makes de-obfuscation of this kind probably not practical.
Y.
Funny? Redundant! (Score:3, Informative)
Give credit where credit is due. Granted, for all I know the one I linked is ripped too, but still...
Time to filter out the new redundant / trolls, relevant or not.