How to Protect an Exe File from Decompilation

techno · Jul 31, 2011 · Viewed 18.5k times

What are the methods for protecting an exe file from reverse engineering? Many packers are available to pack an exe file. Such an approach is mentioned in http://c-madeeasy.blogspot.com/2011/07/protecting-your-c-programexe-files-from.html

Is this method efficient?

Answer

Ira Baxter · Jul 31, 2011

The only good way to prevent a program from being reverse-engineered ("understood") is to revise its structure to essentially force the opponent into understanding Turing Machines. Essentially what you do is:

  • take some problem which is generally proven to be computationally difficult
  • synthesize a version of that whose outcome you know; this is generally pretty easy compared to solving a version
  • make the correct program execution dependent on the correct answer
  • make the program compute nonsense if the answer is not correct

Now an opponent staring at your code has to figure out what the "correct" computation is, by solving algorithmically hard problems. There are tons of NP-hard problems that nobody has solved efficiently in the literature in 40 years; it's a pretty good bet that if your program depends on one of these, J. Random Reverse-Engineer won't suddenly be able to solve them.

One generally does this by transforming the original program to obscure its control flow, and/or its dataflow. Some techniques scramble the control flow by converting some control flow into essentially data flow ("jump indirect through this pointer array"), and then implementing data flow algorithms that require precise points-to analysis, which is both provably hard and has proven difficult in practice.

Here's a paper that describes a variety of techniques rather shallowly, but it's an easy read: http://www.cs.sjsu.edu/faculty/stamp/students/kundu_deepti.pdf

Here's another that focuses on how to ensure that the obfuscating transformations lead to results that are guaranteed to be computationally hard: http://www.springerlink.com/content/41135jkqxv9l3xme/

Here's one that surveys a wide variety of control flow transformation methods, including those that provide levels of guarantees about security: http://www.springerlink.com/content/g157gxr14m149l13/

This paper obfuscates control flows in binary programs with low overhead: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.167.3773&rank=2

Now, one could go through a lot of trouble to prevent a program from being decompiled. But if the decompiled one was impossible to understand, you simply might not bother; that's the approach I'd take.

If you insist on preventing decompilation, you can attack that by considering what decompilation is intended to accomplish. Decompilation essentially proposes that you can convert each byte of the target program into some piece of code. One way to make that fail is to ensure that the application can apparently use each byte as both computer instructions and as data, even if it does not actually do so, and that the decision to do so is obfuscated by the above kinds of methods. One variation on this is to have lots of conditional branches in the code that are in fact unconditional (using control flow obfuscation methods); the other side of the branch falls into nonsense code that looks valid but branches to crazy places in the existing code. Another variant on this idea is to implement your program as an obfuscated interpreter, and implement the actual functionality as a set of interpreted data. A fun way to make this fail is to generate code at run time and execute it on the fly; most conventional languages such as C have pretty much no way to represent this.

A program built like this would be difficult to decompile, let alone understand after the fact.

Tools that are claimed to do a good job at protecting binary code are listed at: https://security.stackexchange.com/questions/1069/any-comprehensive-solutions-for-binary-code-protection-and-anti-reverse-engineeri
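The two ideas the answer leans on most, an opaque predicate built from a synthesized hard-problem instance and control flow turned into data flow through an indirect dispatch table, as an added example in C. This is not code from the question, the answer, or any of the linked papers; everything in it is constructed for illustration: the subset-sum instance and its weights, the decoy step functions, and the choice of FNV-1a as the "real" computation being hidden. The instance is deliberately tiny (8 weights) so the block runs instantly, and the solution is passed in as a parameter so the two paths can be compared; a real transform would use an instance too large to enumerate and would scatter the solution bits across unrelated constants instead of keeping them in one place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A synthesized hard-problem instance (constructed for this demo).
 * Subset sum: which WEIGHTS add up to TARGET?  The builder picked the
 * subset first (SOLUTION_MASK) and derived TARGET from it, so the builder
 * knows the answer cheaply.  An analyst reading the binary sees only the
 * weights and the target and must solve the instance (or try 2^N masks)
 * to decide which path protected_hash() really takes. */
#define N 8
static const uint32_t WEIGHTS[N] = {
    0x3b7, 0x1a9, 0x5c2, 0x22f, 0x7e1, 0x04d, 0x6b3, 0x19c
};
static const uint32_t TARGET = 0x3b7 + 0x5c2 + 0x7e1 + 0x19c; /* bits 0,2,4,7 */
#define SOLUTION_MASK 0x95u                                   /* 1001 0101 */

static uint32_t subset_sum(uint8_t mask) {
    uint32_t s = 0;
    for (int i = 0; i < N; i++)
        if (mask & (1u << i)) s += WEIGHTS[i];
    return s;
}

/* Control flow turned into data flow: a table of per-byte step functions.
 * Only one entry is the real step (FNV-1a); the rest are plausible decoys.
 * The index is derived from the hard instance, so a points-to analysis
 * cannot resolve the indirect call without solving the instance. */
typedef uint32_t (*step_fn)(uint32_t acc, uint8_t b);

static uint32_t step_real(uint32_t acc, uint8_t b)    { return (acc ^ b) * 16777619u; }
static uint32_t step_decoy_a(uint32_t acc, uint8_t b) { return acc + 31u * b; }
static uint32_t step_decoy_b(uint32_t acc, uint8_t b) { return (acc << 3) ^ b; }
static uint32_t step_decoy_c(uint32_t acc, uint8_t b) { return acc - b; }

static const step_fn DISPATCH[4] = { step_decoy_a, step_real, step_decoy_b, step_decoy_c };

/* Plain reference for what the protected function really computes
 * (32-bit FNV-1a); used only to show that the protected path matches. */
uint32_t fnv1a32(const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) h = (h ^ data[i]) * 16777619u;
    return h;
}

/* The protected function.  `mask` is the candidate answer to the subset-sum
 * instance (in a deployed binary it would be recomputed from scattered
 * constants rather than passed in).  With the right answer it computes
 * FNV-1a; with any other answer it computes nonsense through a branch that
 * looks just as valid as the real one. */
uint32_t protected_hash(const uint8_t *data, size_t len, uint8_t mask) {
    uint32_t sum  = subset_sum(mask);
    uint32_t diff = sum - TARGET;                      /* 0 only for a correct mask */
    uint32_t idx  = (diff + 1u) & 3u;                  /* selects step_real iff diff == 0 */
    uint32_t h    = 2166136261u ^ (diff * 0x9e3779b9u); /* seed also depends on the answer */

    /* Opaque predicate: always true for the correct mask, but proving that
     * statically means solving the instance, so the else branch cannot be
     * discarded as dead code by a decompiler's analysis. */
    if (diff == 0) {
        for (size_t i = 0; i < len; i++) h = DISPATCH[idx](h, data[i]);
    } else {
        /* Nonsense path: rotates through every table entry and folds in the
         * wrong sum, so it looks like real work but yields garbage. */
        for (size_t i = 0; i < len; i++) h = DISPATCH[(idx + i) & 3u](h, data[i]);
        h ^= sum;
    }
    return h;
}

int main(void) {
    const uint8_t msg[] = "hello";           /* constructed sample input */
    size_t len = sizeof(msg) - 1;
    printf("reference  : %08x\n", fnv1a32(msg, len));
    printf("right mask : %08x\n", protected_hash(msg, len, SOLUTION_MASK));
    printf("wrong mask : %08x\n", protected_hash(msg, len, 0x00));
    return 0;
}
```

The thing to notice is where the analyst's effort goes: nothing in `protected_hash` is encrypted or packed, and a decompiler will happily emit C for it, but deciding which of the four `DISPATCH` targets is ever called, and whether the else branch is reachable, requires proving `subset_sum(mask) == TARGET`, which is exactly the problem the builder chose because it is cheap to synthesize and hard to solve.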