DLL decryption

Started by Wheet, November 01, 2006, 04:16:25 PM


Wheet

I have written a DLL in MASM which does a simple XOR encryption on itself based on information passed across a named pipe. The base address is set to a pretty unique number so that the loader doesn't have to rebase the DLL when it's loaded. Just in case it does require a rebase, I check each address against the reloc section before it is encrypted/decrypted byte by byte and skip encryption of any RVA in it. I use OllyDbg to trace up to the end of the encryption/decryption loop and save all encrypted data to the PE once it's done, so that it will decrypt in the future.

When I attach a debugger to the executable and trace over the call I have created for the decryption of the DLL, it decrypts perfectly fine and operates as it's supposed to. When I do not have a debugger attached, or if I attach the debugger and execute without breakpoints, the decryption fails; not a single byte decrypts. I have been debugging this for a few days now and I cannot figure it out. It's driving me nuts. The PE header for the reloc section says that the section has read characteristics.

I know NT has some certain permissions setup for DLL which will cause certain things to fail. Does anyone have any idea what the problem could be? Or methods I could use instead of going through all the work of wrapping it or using a commercial packer?

Thanks.
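The reloc-aware skipping described in the post, as an added example (not Wheet's code or anything from the thread): a parser for a raw .reloc section that lists every byte the loader rewrites when it has to rebase the image. A HIGHLOW fixup patches 4 bytes starting at the recorded RVA (8 for DIR64), so skipping only the exact RVA is not enough; the .reloc bytes below are constructed sample data, not taken from a real DLL.

```python
import struct

# Fixup types found in IMAGE_BASE_RELOCATION entries (winnt.h).
IMAGE_REL_BASED_ABSOLUTE = 0   # alignment padding, patches nothing
IMAGE_REL_BASED_HIGHLOW = 3    # full 32-bit address, loader rewrites 4 bytes
IMAGE_REL_BASED_DIR64 = 10     # full 64-bit address, loader rewrites 8 bytes
PATCH_WIDTH = {IMAGE_REL_BASED_HIGHLOW: 4, IMAGE_REL_BASED_DIR64: 8}

def parse_reloc_section(data):
    """Yield (rva, width) for every fixup in a raw .reloc section.

    A run of IMAGE_BASE_RELOCATION blocks: DWORD VirtualAddress (page RVA),
    DWORD SizeOfBlock (header included), then WORD entries with the fixup
    type in the top 4 bits and the page offset in the low 12. An all-zero
    header, if present, ends the list."""
    pos = 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, pos)
        if size == 0:
            break
        if size < 8 or pos + size > len(data):
            raise ValueError("bad SizeOfBlock %d at offset %d" % (size, pos))
        for entry_pos in range(pos + 8, pos + size, 2):
            (entry,) = struct.unpack_from("<H", data, entry_pos)
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind not in PATCH_WIDTH:
                raise ValueError("unsupported fixup type %d" % kind)
            yield page_rva + offset, PATCH_WIDTH[kind]
        pos += size

def rebase_patched_rvas(data):
    """Every byte RVA the loader rewrites when it rebases the image."""
    patched = set()
    for rva, width in parse_reloc_section(data):
        patched.update(range(rva, rva + width))
    return patched

def safe_rvas(start_rva, length, patched):
    """RVAs in [start_rva, start_rva + length) that a rebase leaves untouched."""
    return [rva for rva in range(start_rva, start_rva + length) if rva not in patched]

# Constructed sample .reloc data (not from any real binary): two HIGHLOW
# fixups in the 0x1000 page and one DIR64 fixup at the end of the 0x2000 page.
SAMPLE_RELOC = (struct.pack("<II", 0x1000, 16) + struct.pack("<4H", 0x3010, 0x3024, 0, 0)
                + struct.pack("<II", 0x2000, 12) + struct.pack("<2H", 0xAFF8, 0))
```

Run `rebase_patched_rvas` over the real section's bytes before a byte-by-byte transform and consult `safe_rvas` for each range; the DIR64 entry at page offset 0xFF8 shows a fixup can also straddle into the next page.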

PBrennick

Wheet,
In the areas where you were setting the breakpoints, try using invoke Sleep, somevalue instead. Set somevalue to a low value and bump it up until it works.

Paul
The GeneSys Project is available from:
The Repository or My crappy website

Wheet

Thanks Paul, really makes me wish I had posted this before I spent like 30 hours trying to figure it out.

Any explanation on why this solution works?

PBrennick

Wheet,
Sorry for the late reply. I have been quite busy for the past couple of days. The reason I was sure it would work is that it is, in effect, allowing the app to stabilize between operations, so it was easy to see it was a timing issue. Adding latency is an accepted method, but you want to keep the latency as low as possible. That is why you start with a low value and work your way up slowly until your app takes off.

Paul