custom Run-time packer [Cryptography]

Prev: Why hash function (e.g. MD5) cannot be a MAC
Next: Best practice for password hashing

From: liveline on 7 Jun 2010 17:51

does someone know good encryption sheme to encrypt and compresss PE
executable? (i.e. to make custom Run-time packer)
For encryption I would choose AES-256 with random key, but how to implement
encryption/compression scheme: we need strip out the old PE header and put
in a new stock header that performed the decryption. Also, proper
obfuscation would need to actually interpret and reoptimize the machine code
of the program to be obfuscated.

From: Tom St Denis on 8 Jun 2010 07:01

On Jun 7, 5:51 pm, "liveline" <livel...(a)news.eternal-september.org>
wrote:
> does someone know good encryption sheme to encrypt and compresss PE
> executable? (i.e. to make custom Run-time packer)
> For encryption I would choose AES-256 with random key, but how to implement
> encryption/compression scheme: we need strip out the old PE header and put
> in a new stock header that performed the decryption. Also, proper
> obfuscation would need to actually interpret and reoptimize the machine code
> of the program to be obfuscated.

In the PE format you can just append your encrypted content to the end
of the executable. So just make a loader than expects an encrypted
payload after itself.

Then realize this is pointless since the average 12 yr old will break
it.

From: Dave -Turner on 8 Jun 2010 07:56

The executable could only be executed if the user is prompted for the
password when it starts, are you sure that's what you're after? Because if
not then AES256 is no harder to get past than an XOR - the executable can be
dumped from memory after it's been decrypted and loaded.

From: unruh on 8 Jun 2010 14:42

On 2010-06-08, Dave -Turner <admin(a)127.0.0.1> wrote:
> The executable could only be executed if the user is prompted for the
> password when it starts, are you sure that's what you're after? Because if
> not then AES256 is no harder to get past than an XOR - the executable can be
> dumped from memory after it's been decrypted and loaded.

And then the "ask for password" routine replaced by something that
always says "succeeded"
Unless there is a continual decryption process going on, with continual
requests for passwords to run that next decryption.
>
>

From: Dave -Turner on 9 Jun 2010 01:16

> And then the "ask for password" routine replaced by something that
> always says "succeeded"

Yes, but you'd still need to know the password first though to get to that
stage.

| Next | Last
Pages: 1 2
Prev: Why hash function (e.g. MD5) cannot be a MAC
Next: Best practice for password hashing