Thread overview
Protecting PE files
Apr 06, 2012
Erik Weber
Apr 12, 2012
Walter Bright
Apr 12, 2012
Erik Weber
April 06, 2012
Another security question for whomever can help.

As I understand it (please correct me if I am wrong), the digital signature applied with something like signtool.exe incorporates a checksum but otherwise does not alter the file structure (such as the code and data sections). Is it feasible for a cracker to infect an exe with a patch while still causing the checksum to be calculated with the same result (maybe by adding or removing bogus instructions), thus forging the signed exe?

More importantly, what recommendations do any of you have for protecting PE files that you want to sell (from reverse engineering)? It looks like a common way of doing this is to use some sort of "packer" that either compresses, encrypts, or both, the code section of the PE file, which is then uncompressed/decrypted and somehow loaded by the entry point function at runtime. Is it very difficult to write your own program to do something like this, or is there a decent commercial product to start with that is known to work well? When I search for stuff like this I seem to find some whitepapers but otherwise endless dead links . . .

Thanks,
Erik
April 12, 2012
On 4/6/2012 7:33 AM, Erik Weber wrote:
> Another security question for whomever can help.
>
> As I understand it (please correct me if I am wrong), the digital
> signature applied with something like signtool.exe incorporates a
> checksum but otherwise does not alter the file structure (such as
> the code and data sections). Is it feasible for a cracker to
> infect an exe with a patch while still causing the checksum to be
> calculated with the same result (maybe by adding or removing bogus
> instructions), thus forging the signed exe?

Yes.


> More importantly, what recommendations do any of you have for
> protecting PE files that you want to sell (from reverse
> engineering)? It looks like a common way of doing this is to use
> some sort of "packer" that either compresses, encrypts, or both,
> the code section of the PE file, which is then
> uncompressed/decrypted and somehow loaded by the entry point
> function at runtime. Is it very difficult to write your own
> program to do something like this, or is there a decent commercial
> product to start with that is known to work well? When I search
> for stuff like this I seem to find some whitepapers but otherwise
> endless dead links . . .

It's a lost cause to try and prevent people from disassembling your PE file.

April 12, 2012
Thanks.
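
Added example (not written by anyone in the thread), relating to the first question above: an Authenticode signature is computed over a cryptographic hash of the file that skips the optional header's CheckSum field, the Certificate Table directory entry, and the signature blob itself. The sketch below is simplified (it assumes the signature sits at the end of the file and uses SHA-256); the function names and the sample buffer are constructed for illustration.

```python
import hashlib
import struct

def authenticode_ranges(pe):
    """Byte ranges (start, end) of a PE image that the signature digest covers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64                  # CheckSum field, excluded from the digest
    data_dirs = opt + (96 if magic == 0x10B else 112)
    cert_entry = data_dirs + 4 * 8           # directory index 4: Certificate Table
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_size else len(pe) # the signature blob itself is excluded
    return [(0, checksum_off), (checksum_off + 4, cert_entry), (cert_entry + 8, end)]

def authenticode_digest(pe):
    """SHA-256 over the covered ranges (simplified: signature assumed at end of file)."""
    h = hashlib.sha256()
    for start, end in authenticode_ranges(pe):
        h.update(pe[start:end])
    return h.hexdigest()

def build_sample():
    """Constructed PE32-shaped buffer, just enough header for the parser above."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)    # PE32 magic
    buf[0x200:0x204] = b"\x90\x90\x90\xc3"           # stand-in section bytes
    return buf

def compare():
    """Return (checksum_edit_changes_digest, body_edit_changes_digest)."""
    base = build_sample()
    ref = authenticode_digest(base)
    chk = bytearray(base)
    struct.pack_into("<I", chk, 0x80 + 24 + 64, 0xDEADBEEF)  # rewrite CheckSum only
    body = bytearray(base)
    body[0x200] ^= 0xFF                                       # alter one section byte
    return authenticode_digest(chk) != ref, authenticode_digest(body) != ref

if __name__ == "__main__":
    print(compare())
```

The CheckSum field is outside the digest, so rewriting it leaves the digest unchanged, while a one-byte change to section contents produces a different digest that no longer matches the signed value.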