Quite useless in current state tool

Quite useless in current state tool

Hello, team!

I developed software protection tools for years. This kind of obfuscation is almost useless because it is closed thing-in-itself. For more or less good protection some information should come from outside of protected software itself (network service, key USB device, human entered password or so).

Anyway it is interested when so grand company as Intel tries to "brake the rules". ;-) Ok, ok, I did not expect a lot, this is just obfuscation, not a protection.  So, anyway, I need to check it out.

I downloaded w_tamper_protection_0.2.0.006.exe few days ago. Installed, followed instructions in obfuscation_tutorial.pdf. All worked fine. Obfuscated DLL looks protected but works as expected. So all is fine with it. The customer gets what is promissed.

Then I tried to investigate it. You know, it is part of a protection tool, so why cannot I test it for protection, right? I will not write here found details. Just my opinion. Idea is not bad but as you wrote has some limitation (like indirect jumps and so "no switch operator" - it uses jump according a data+jump offset table, yes). But this is not a big problem and your recomendations how to adjust the source code is Ok.

Now what is not too good. What I found is "use the same trick for milion times". It does not work if you understand the trick. So I have spend one day to understand obfuscation principals and anothe two days to write a de-obfuscation tool. As a proof I attached a ZIP archive. It keeps an Obfuscated.dll buil according your instructions an decoder.exe. The last one is a console Windows application that de-obfuscate code in Obfuscated.dll and output an original executable code to the screen. I limited it to work with this specific DLL obfuscation settings so it will not work correct, if you use a different parameters for iprot.exe. Also it parces only one branch just for demonstration.

Actully what I wanted to say is:
- the obfuscation tool works fine for a low and may be middle level "protection"
- it is goot for tamper protection
- it has some potential to improve it obviously.
- do not use the same algorithm a lot of times, use some of them (perhaps it is already done, I checked only Obfuscated.dll)

Good luck with a software protection!

AttachmentSize
Downloadapplication/zip deobfuscate.zip38.69 KB
2 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Thanks for your feedback. I will forward your feedback to my colleague. Thanks!

Leave a Comment

Please sign in to add a comment. Not a member? Join today