
Analyzing, cracking and protecting software

A software product can be analyzed statically and/or dynamically. In static analysis, the crack for the protection is developed from the output of disassembling or decompiling the program being cracked. Dynamic analysis is most often used against software products whose executable code is encrypted or modified at run time, because static analysis of such programs is difficult.

For dynamic analysis, the program being cracked is run under a debugger, which makes it possible to observe every change that takes place while the application is running. The debugger is used to step through the program's "protection" routines, including the ones that check and generate the correct registration code. Activity monitors are another dynamic-analysis tool: they record how the program accesses files, system services, ports and external devices.

Protectors are the main tool used to defend applications against cracking. The protection offered by most protectors comes down to packing and/or encrypting the original executable file, with particular care taken to protect the unpacking/decryption routine itself.

This approach is precisely why the protection most of them provide is insufficient. If an application is protected only by packing, the cracker can recover the original file by dumping the relevant memory region after the unpacker has finished its work. Moreover, crackers have developed many tools that strip such protection automatically. Encryption is defeated the same way: once in possession of a license key, which may even have been purchased legally, the cracker can decrypt the protected code sections.
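The packing weakness described above, as an added example that is not part of this manual or of any real protector: a toy "packer" that encrypts a constructed program image, an unpacker stub that decrypts it into a memory buffer, and the memory dump that recovers the original once the stub has run. The keystream construction, the stub key, the license-derived key and the image bytes are all assumptions made for the example; relocations, imports and the rest of a real loader's work are ignored.

```python
"""Toy packer: encrypt a program image, run the unpacker, then dump memory."""
import hashlib

# Constructed sample image: fake code bytes around a string a cracker would grep for.
ORIGINAL_IMAGE = b"\x55\x48\x89\xe5" + b"Registered to: %s\x00" + b"\x5d\xc3"

# Assumption: the key is embedded in the unpacking stub, as it must be for the stub to run.
STUB_KEY = b"\x13\x37\xc0\xde"


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into `length` bytes with SHA-256 in counter mode (a stand-in cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def pack(image: bytes, key: bytes) -> bytes:
    """Produce the 'packed file': a u32 length header followed by the encrypted image."""
    return len(image).to_bytes(4, "little") + xor(image, keystream(key, len(image)))


def run_unpacker(packed: bytes, key: bytes) -> bytearray:
    """Stand-in for the unpacking stub: decrypt the image into a writable memory buffer."""
    size = int.from_bytes(packed[:4], "little")
    return bytearray(xor(packed[4:4 + size], keystream(key, size)))


def dump(memory: bytearray) -> bytes:
    """What a memory dumper does once the stub has finished: copy the region out."""
    return bytes(memory)


def derive_key(license_key: bytes) -> bytes:
    """Protectors that encrypt code under a license key derive the cipher key from it."""
    return hashlib.sha256(license_key).digest()


def crack_with_license(packed: bytes, license_key: bytes) -> bytes:
    """A cracker holding any valid license decrypts exactly the way the program does."""
    return dump(run_unpacker(packed, derive_key(license_key)))


def contains_string(blob: bytes, needle: bytes) -> bool:
    """Static signature search: finds nothing in the packed file, everything in the dump."""
    return needle in blob
```

Searching the packed file for "Registered to" finds nothing, which is all the packing buys; the dump taken after `run_unpacker` is byte-for-byte the original image, and `crack_with_license` shows that a license key turns the encrypted variant into the same plaintext.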

Some protectors use various anti-debugging techniques. However, anti-debugging considerably slows down the application. Bear in mind also that anti-debugging techniques are effective only against dynamic analysis and are completely useless against static analysis. Moreover, all anti-debugging techniques used in modern protectors were studied long ago, and crackers have written many tools that neutralize them completely. Anti-debugging techniques built into an application also do nothing to hinder activity monitors.
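To make this concrete, here is an added example (not code from this manual or from the protector it describes) of one common anti-debugging check on Linux, reading the TracerPid field of /proc/self/status, next to the static string search that locates such a check in an image. The sample status text, the constructed image bytes and the "tampering detected" behaviour are assumptions made for the example.

```python
"""A TracerPid anti-debugging check and the static search that finds it."""
import re
from typing import Optional

# Constructed /proc/<pid>/status excerpts: one process under a tracer, one clean.
SAMPLE_TRACED = "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\n"
SAMPLE_CLEAN = "Name:\tapp\nState:\tR (running)\nTracerPid:\t0\n"

# Constructed bytes standing in for a protected image that embeds the check.
CONSTRUCTED_IMAGE = b"\x00\x00/proc/self/status\x00TracerPid:\x00\xeb\x05"


def tracer_pid(status_text: str) -> int:
    """Parse the TracerPid field; 0 means no debugger (or any other tracer) is attached."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else 0


def read_own_status() -> str:
    """Read this process's own status file; on non-Linux systems behave as if untraced."""
    try:
        with open("/proc/self/status", encoding="ascii", errors="replace") as f:
            return f.read()
    except OSError:
        return SAMPLE_CLEAN


def protected_check(key_ok: bool, status_text: Optional[str] = None) -> str:
    """The protected routine as a protector would emit it: one extra conditional branch."""
    text = status_text if status_text is not None else read_own_status()
    if tracer_pid(text) != 0:
        return "tampering detected"
    return "registered" if key_ok else "invalid key"


def find_antidebug_sites(image: bytes) -> list:
    """Static analysis side: every offset where the tell-tale strings occur in the image."""
    return [m.start() for m in re.finditer(rb"/proc/self/status|TracerPid", image)]
```

The whole defence is the single `if` in `protected_check`. A static search such as `find_antidebug_sites` locates it without ever running the program, and once located, the conditional branch is patched away, which is why such checks only hamper dynamic analysis.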

Obfuscation and virtualization, which make the code of the protected application harder to analyze, are more effective protection methods. Their effectiveness ultimately rests on the human factor: the more convoluted the code is and the more resources the application uses, the harder it is for the analyst to understand the logic of its operation and, therefore, to break the protection methods used in it.

In obfuscation, the application code is made harder to read by inserting additional instructions. In virtualization, the original code is compiled into bytecode executed by a special interpreter that emulates a virtual machine with its own instruction set. Virtualization therefore yields a high degree of obfuscation that cannot be undone in the output code, and with a suitable implementation the protected code contains no routine for restoring the original code at all. The main advantage of virtualization is thus that a virtualized fragment is never translated back into machine code while it executes, so, unlike packed code, the cracker cannot recover the original code by dumping memory.

Reverse engineering virtualized fragments comes down to studying the virtual machine's architecture, writing a disassembler for the instruction set of the CPU the virtual machine emulates, and analyzing the disassembled code. With a suitable implementation of the virtual machine, writing such a disassembler becomes very time-consuming. The only disadvantage of virtualization is considerably lower performance, so it should only be applied to parts of the code that are not performance-critical.
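As an added example illustrating both the virtualization mechanism and the re-engineering effort it forces (not code from this manual or from any real protector): a constructed registration check is compiled to bytecode for a small stack machine whose opcode numbering is chosen per build, executed by an interpreter, and listed by the disassembler an analyst has to write once the opcode map has been recovered. The instruction set, the check formula, the build seed and the sample serial are assumptions made for the example.

```python
"""A toy code virtualizer: custom bytecode, a stack-machine interpreter, a disassembler."""
import random
import struct

MNEMONICS = ["PUSH", "ARG", "ADD", "MUL", "XOR", "AND", "EQ", "RET"]
HAS_OPERAND = {"PUSH", "ARG"}   # these take a little-endian u16 immediate
MASK = 0xFFFF                   # 16-bit machine word (assumption for the example)


def build_opcode_map(build_seed: int) -> dict:
    """Each protected build gets its own opcode numbering: a seeded permutation."""
    codes = list(range(0x10, 0x10 + len(MNEMONICS)))
    random.Random(build_seed).shuffle(codes)
    return dict(zip(MNEMONICS, codes))


def assemble(program: list, opmap: dict) -> bytes:
    """Encode (mnemonic, operand) tuples as bytecode under the given opcode map."""
    out = bytearray()
    for mnem, *operand in program:
        out.append(opmap[mnem])
        if mnem in HAS_OPERAND:
            out += struct.pack("<H", operand[0])
    return bytes(out)


def run(bytecode: bytes, opmap: dict, args: list) -> int:
    """The interpreter: the protected logic runs here without ever becoming native code."""
    handlers = {code: mnem for mnem, code in opmap.items()}
    stack, pc = [], 0
    while True:
        mnem = handlers[bytecode[pc]]
        pc += 1
        if mnem in HAS_OPERAND:
            (operand,) = struct.unpack_from("<H", bytecode, pc)
            pc += 2
        if mnem == "PUSH":
            stack.append(operand)
        elif mnem == "ARG":
            stack.append(args[operand] & MASK)
        elif mnem == "RET":
            return stack.pop()
        else:
            b, a = stack.pop(), stack.pop()
            stack.append({"ADD": (a + b) & MASK, "MUL": (a * b) & MASK,
                          "XOR": a ^ b, "AND": a & b, "EQ": int(a == b)}[mnem])


def disassemble(bytecode: bytes, opmap: dict) -> list:
    """What the analyst must write after recovering the opcode map from the interpreter."""
    handlers = {code: mnem for mnem, code in opmap.items()}
    lines, pc = [], 0
    while pc < len(bytecode):
        mnem = handlers[bytecode[pc]]
        if mnem in HAS_OPERAND:
            (operand,) = struct.unpack_from("<H", bytecode, pc + 1)
            lines.append(f"{pc:04x}: {mnem} 0x{operand:04x}")
            pc += 3
        else:
            lines.append(f"{pc:04x}: {mnem}")
            pc += 1
    return lines


def check_native(serial: int, user_id: int) -> bool:
    """The original, un-virtualized check (constructed): ((serial * 7) ^ user_id) == 0xC183."""
    return ((serial * 7) ^ user_id) & MASK == 0xC183


# The same check expressed for the virtual machine.
CHECK_PROGRAM = [
    ("ARG", 0), ("PUSH", 7), ("MUL",),
    ("ARG", 1), ("XOR",),
    ("PUSH", 0xC183), ("EQ",),
    ("RET",),
]


def check_virtualized(serial: int, user_id: int, build_seed: int = 1337) -> bool:
    """Protected build: assemble the check under this build's opcode map and interpret it."""
    opmap = build_opcode_map(build_seed)
    return bool(run(assemble(CHECK_PROGRAM, opmap), opmap, [serial, user_id]))
```

Running `check_virtualized` executes only the interpreter's handlers; the native form of the check never exists in memory, so a dump yields the bytecode and the interpreter rather than the logic. `disassemble` gives a readable listing only with the right `build_opcode_map(build_seed)`, that is, only after the interpreter has been reverse engineered, and a different build seed makes the same bytes mean something else; that recovery, repeated per build, is where the time-consuming part of the work described above lies.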

In the overwhelming majority of modern protectors, obfuscation and virtualization play secondary roles and are not implemented well enough, which allows crackers to break this kind of protection automatically or manually. Another weak point of most modern protectors is their reliance on undocumented Windows features, which limits the use of protected applications on new versions of the operating system or with DEP enabled.