decrypt function at run time and use it QT c++


I'm new to Qt and I'm trying to create an encrypted function. Overall, what you do in C/C++ is:

  • Take a pointer to the function
  • Make the function page rwx
  • Encrypt it (for the example I encrypt and decrypt in the same program)
  • Decrypt it and run it

Simple code in C would look roughly like this:

    #include <windows.h>
    #include <stdio.h>

    void TestFunction()
    {
        printf("\nmsgbox test encrypted func\n");
    }
    // use this as an end label
    void FunctionStub() { return; }

    void XorBlock(DWORD dwStartAddress, DWORD dwSize)
    {
        char * addr = (char *)dwStartAddress;
        for (int i = 0; i< dwSize; i++)
        {
            addr[i] ^= 0xff;
        }
    }

    DWORD GetFuncSize(DWORD* Function, DWORD* StubFunction)
    {
        DWORD dwFunctionSize = 0, dwOldProtect;
        DWORD *fnA = NULL, *fnB = NULL;

        fnA = (DWORD *)Function;
        fnB = (DWORD *)StubFunction;
        dwFunctionSize = (fnB - fnA);
        VirtualProtect(fnA, dwFunctionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect); // make function page read write execute permission
        return dwFunctionSize;
    }

    int main()
    {
        DWORD dwFuncSize = GetFuncSize((DWORD*)&TestFunction, (DWORD*)&FunctionStub);
        printf("use func");
        TestFunction();
        XorBlock((DWORD)&TestFunction, dwFuncSize); // XOR encrypt the function
        printf("after enc");
        //TestFunction(); // If you try to run the encrypted function you will get Access Violation Exception.

        XorBlock((DWORD)&TestFunction, dwFuncSize); // XOR decrypt the function
        printf("after\n");
        TestFunction(); // Fine here

        getchar();
    }

When I try to run such an example in Qt I get a runtime error.

Here is the code in Qt:

    #include <windows.h>
    #include <cstdio>
    #include <QMessageBox>

    void TestFunction()
    {
        QMessageBox::information(0, "Test", "msgbox test encrypted func");
    }
    void FunctionStub() { return; }

    void XorBlock(DWORD dwStartAddress, DWORD dwSize)
    {
        char * addr = (char *)dwStartAddress;
        for (int i = 0; i< dwSize; i++)
        {
            addr[i] ^= 0xff;                // here i get seg. fault
        }
    }

    DWORD GetFuncSize(DWORD* Function, DWORD* StubFunction)
    {
        DWORD dwFunctionSize = 0, dwOldProtect;
        DWORD *fnA = NULL, *fnB = NULL;

        fnA = (DWORD *)Function;
        fnB = (DWORD *)StubFunction;
        dwFunctionSize = (fnB - fnA);
        VirtualProtect(fnA, dwFunctionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect); // Need to modify our privileges to the memory

        QMessageBox::information(0, "Test", "change func to read write execute ");
        return dwFunctionSize;
    }

    void check_enc_function()
    {
        DWORD dwFuncSize = GetFuncSize((DWORD*)&TestFunction, (DWORD*)&FunctionStub);
        QMessageBox::information(0, "Test", "use func");
        TestFunction();
        XorBlock((DWORD)&TestFunction, dwFuncSize); // XOR encrypt the function -> @@@ i get seg fault in here @@@
        QMessageBox::information(0, "Test", "after enc");

        TestFunction(); // If you try to run the encrypted function you will get Access Violation Exception.

        XorBlock((DWORD)&TestFunction, dwFuncSize); // XOR decrypt the function
        QMessageBox::information(0, "Test", "after dec");
        TestFunction(); // Fine here

        getchar();
    }

Why would this happen? Qt is supposed to behave exactly like standard C++...

P.S.

On a related matter, what is the most legitimate way to keep an important function encrypted (the reason it is encrypted is DRM)?

By legitimate I mean that anti-viruses will not mistakenly mark me as a virus because I defend myself.

PS2

If I pass an encrypted function over the network (say I build a client-server scheme where the client asks the server for the function it needs to run, and the server sends it if it is approved), how can I arrange the symbols so that the function does not collapse?

PS3

How can I turn off the DEP and ASLR defenses in Qt? (In my opinion, to be able to do PS2 I have to disable them.)

Thanks yoko


Solution

  • The example is undefined behaviour on my system.

    The first and main issue in your code is:

        void TestFunction() { /* ... */ }
        void FunctionStub() { return; }

    You assume that the compiler will put FunctionStub after TestFunction without any padding. I compiled your example and FunctionStub in my case was above TestFunction which resulted in a negative dwFunctionSize.

        dwFunctionSize = (fnB - fnA);

        TestFunction located at @ 0xa11d90
        FunctionStub located at @ 0xa11b50
        dwFunctionSize = -0x240

    Also in XorBlock

        addr[i] ^= 0xff;

    Is doing nothing.

    I assume you want to write in XorBlock to the memory location to XOR the entire TestFunction.

    You could do something like this:

        void XorBlock(DWORD dwStartAddress, DWORD dwSize)
        {
            DWORD dwEndAddress = dwStartAddress + dwSize;
            for(DWORD i = dwStartAddress; i < dwEndAddress; i++) {
                // ...
            }
        }
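
The size problem reported in the answer above, as an added example (not code from the question or the answer): portable C that models the posted `GetFuncSize` arithmetic on the two addresses the answer lists, next to a checked variant. `size_as_posted`, `checked_span` and `MAX_FUNC_BYTES` are hypothetical names, the 4096-byte limit is an assumption, and no Windows API is called.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FUNC_BYTES 4096u /* assumed sanity limit for one small function */

/* Models the posted GetFuncSize: a DWORD* subtraction (a signed count of
 * 4-byte elements) stored in an unsigned 32-bit DWORD. */
uint32_t size_as_posted(uint32_t func_addr, uint32_t stub_addr)
{
    int32_t elems = ((int32_t)stub_addr - (int32_t)func_addr) / 4;
    return (uint32_t)elems; /* a negative count wraps to roughly 4 billion */
}

/* Checked variant (hypothetical): returns 0 and sets *out to the byte count
 * only if the end marker lies after the function and the span is plausible;
 * returns -1 otherwise. */
int checked_span(uintptr_t start, uintptr_t end, size_t *out)
{
    if (out == NULL || end <= start)
        return -1; /* marker emitted before the function, or same address */
    if (end - start > MAX_FUNC_BYTES)
        return -1; /* too large to be one function: refuse to patch */
    *out = (size_t)(end - start);
    return 0;
}

int main(void)
{
    /* Addresses reported in the answer above, used as sample input. */
    const uint32_t test_fn = 0xa11d90u, stub_fn = 0xa11b50u;
    size_t n = 0;

    printf("posted size:  0x%08x\n",
           (unsigned)size_as_posted(test_fn, stub_fn));
    printf("checked size: %s\n",
           checked_span(test_fn, stub_fn, &n) == 0 ? "accepted" : "rejected");

    /* Even in the expected order the posted code counts DWORDs, not bytes. */
    if (checked_span(stub_fn, test_fn, &n) == 0)
        printf("expected order: posted 0x%x, actual 0x%zx bytes\n",
               (unsigned)size_as_posted(stub_fn, test_fn), n);
    return 0;
}
```

In the question's code the wrapped value is passed to `VirtualProtect`, whose return value is never checked, and is then used as the XOR loop bound.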