Really it is a big problem that any new technique will be stolen by “idapro”. Virtualizer seems to be a good tool to enhance the difficulty of disassembling. Now I have a question:
Do American programmers or other programmers use this tool to protect their drivers? Or do they use some other more powerful tools?
In fact, I want to sell my technique, but I fear that it will be cracked.
On Mon, Mar 9, 2009 at 2:36 PM, wrote:
> Really it is a big problem that any new technique will be stolen by
> “idapro”. Virtualizer seems to be a good tool to enhance the difficulty of
> disassembling. Now I have a question:
> Do American programmers or other programmers use this tool to protect their
> drivers? Or they use some other more powerful tools?
> In fact, I want to sell my technique, but I fear that it will be cracked.
Even if you use Virtualizer or other tools which use packing techniques or
encryption methods to prevent disassembly, once it is loaded and starts
execution in memory, it is there in disassembled form in memory.
One can easily get the disassembled dump from memory.
Regards
Deepak
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
General answer is that you can’t protect your code 100%. If it becomes
really interesting for someone having good skills in disassembling, the
functionality you are trying to hide can be ripped. What you can do is to
make the life of a cracker harder using different tools, but it does not give you
100% protection. C’est la vie.
–
Volodymyr M. Shcherbyna, blog: http://www.shcherbyna.com/
(This posting is provided “AS IS” with no warranties, and confers no
rights)
wrote in message news:xxxxx@ntdev…
> Really it is a big problem that any new technique will be stolen by
> “idapro”. Virtualizer seems to be a good tool to enhance the difficulty of
> disassembling. Now I have a question:
> Do American programmers or other programmers use this tool to protect
> their drivers? Or they use some other more powerful tools?
> In fact, I want to sell my technique, but I fear that it will be cracked.
>
> Really it is a big problem that any new technique will be stolen by "idapro".
Well, guess what IDA Pro itself gets stolen first (IDA Free lacks a lot of the things you need for professional RCE). I know of no legit customer of IDA Pro that would be stealing other people's "intellectual property". If you know of one, I am sure Ilfak would like to know.
In order to become a customer, you have to work for a company that has some justified interest in RCE (e.g. anti-malware vendors, government agencies), or you had to have (apparently they will not sell to individuals anymore, but existing customers remain) someone vouch for you. Too often IDA Pro "leaks" into illegal channels because of people deliberately "sharing" it. This hurts first and foremost us legit customers.
> Do American programmers or other programmers use this tool to protect
> their drivers? Or they use some other more powerful tools?
> In fact, I want to sell my technique, but I fear that it will be
> cracked.
If it is good, the question is not whether it'll be cracked but rather when. There are people out there who see it as a sport to crack software. There is no efficient safeguard against that. You can only make it harder, but a determined reverser will always be able to find what he needs.
And by the way, I personally think that the only way to measure the efficiency of any such protection scheme is to have a decent knowledge of RCE. How else would you gauge the efficiency? By the promises of the vendor selling the solution?
> Once loaded and started execution in memory, it is there in
> disassembled form in memory.
> One can easily get the disassembled dump from memory.
You probably mean decrypted, right?
And btw, a (full) crashdump would be the easiest way to achieve this goal.
// Oliver
PS: RCE == Reverse Code Engineering (aka Reverse Engineering, aka Reversing)
DDKWizard and DDKBUILD: http:
Trunk (potentially unstable) version: http:
As others have said more or less, the only question worth asking here is whether they can crack your
product profitably, where profitable is relative to what it costs you to protect it.
Good luck,
mm
> In fact, I want to sell my technique, but I fear that it will be cracked.
Funny…
If you want to sell your technique you have to patent it in order to be able to claim the IP, which means you have to provide its description anyway. Otherwise, the only thing you can sell is the end product - this is the only thing you can claim your ownership to. However, you cannot claim ownership of any technique that it uses unless you have patented it. When it comes to code obfuscation, normally it is used for hiding the details of validation/encryption mechanisms and protocols…
Anton Bassov
Thank you for so many warm-hearted answers. Thank you! You know, you are helping me very much!!
1. Dears, Virtualizer is a virtual machine protection, so memory dumps will be invalid.
2. And you mean, I can just make it more difficult for crackers to crack, and there is no 100% protection.
3. If I sell my technique, I have to provide its description anyway.
Now let me explain my plans more correctly.
I want to sell my source code to some technology company/team/individual, because I do not have enough energy to write a complete product. Now I fear that when I give the trial/testing product to my potential buyers, they will crack it. Since I have heard that Americans and people in other civilized countries attach great importance to IP, I want to sell my technology to them. So now I think Virtualizer is safe enough for me to interact with the civilized people. And I think if I sell my source code, I need not patent it, am I right?
As for technology, there are too many tools to protect applications in ring3, but I only find 2 tools to protect drivers. Fortunately these 2 tools can distort a driver’s code greatly so it is very hard to read or debug or dump the disassembled code.
And by the way, if I send my technique to several buyers, will I break the law? I just mean “if”.
> I want to sell my source codes to some technology company/team/individual,
I see only two possible ways for selling the code:
- Write it upon the request of some company who wants to integrate it into their product, i.e. to do a typical consultancy work. In such case all rights to the code will belong to the buyer, which will be specified in your consultancy agreement
- Write a production-grade code sample and license it, i.e. do things the way Thomas does
In either case, you have to present convincing evidence of your technical expertise to the potential buyer…
Alternatively, you can develop a product, and sell all rights to it to some technology company. However, it will involve much more than simply sending your binary with the proposal to buy it - at the very minimum you need a limited company, and your product should be at the stage that is pretty close to the final release so that it can be sent to someone who is involved with product review. Furthermore, I would say it will be potential buyer’s decision to contact you, and not the other way around…
Now I fear that when I give the trial/testing product to my potential buyers, they will crack it.
I can assure you that any serious company will simply ignore your “business proposal” - absolutely everything you have said so far strongly suggests an amateur wannabe who wants to become rich in a matter of seconds…
Anton Bassov
> Now I fear that when I give the trial/testing product to my potential
> buyers, they will crack it.
Well, if they did and you could trace it (e.g. water marking), you could sue them. IMO much more effective than scrambling the code.
> And I think if I sell my source codes, I need not to patent it, am I
> right?
Well, as Anton said, you don't have to, but you should. However, as a matter of fact there are many countries where software can't be patented.
> Fortunately these 2 tools can distort a driver's codes greatly so it is
> very hard to read or debug or dump the disassembling codes.
Unfortunately that might also hold for scenarios where you get sent a dump file and your potential customers expect an answer from you. I suppose digging through that scrambled code might backfire for you in such a case.
> And by the way, If I send my technique to several buyers, will I break
> the law? I just mean "if".
I suppose only if you offer all of them an exclusive license to your technology... but for this you should ask a lawyer as well as for the patent stuff. After all someone might have invented and patented what you call your technology at the moment.
// Oliver
DDKWizard and DDKBUILD: http:
Trunk (potentially unstable) version: http:
xxxxx@sina.com wrote:
> Really it is a big problem that any new technique will be stolen by “idapro”. Virtualizer seems to be a good tool to enhance the difficulty of disassembling. Now I have a question:
> Do American programmers or other programmers use this tool to protect their drivers? Or they use some other more powerful tools?
In my experience, none at all. Most drivers exist to enable some piece
of hardware. As long as you have the hardware, there’s no problem in
using the driver.
> In fact, I want to sell my technique, but I fear that it will be cracked.
Most people dramatically overestimate the appeal of their own software.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
> Do American programmers or other programmers use this tool to protect their drivers?
Usually the development/support cycle nuisance due to this overwhelms the danger of being reverse-engineered.
99.9% of software does not use any revolutionary ideas at all; its main value is the bulk effort of more-or-less skilled labor invested into it. Reverse engineering will not save anyone from this effort.
Of course, copy protection encryption of binaries like Themida does is another song.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> any technique that it uses unless you have patented it. When it comes to code obfuscation, normally it
> is used for hiding the details of validation/encryption mechanisms and protocols…
No serious security stuff will rely on this.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> Unfortunately that might also hold for scenarios where you get sent a dump file
> and your potential customers expect an answer from you.
You make a bold assumption that someone would actually want to get involved with it, which, IMHO, is quite naive. Try to look at it from the company’s perspective, and you will immediately realize that that is pretty unwise. Why? Simply because if they accept some demo binary and start testing it, at some point the sender may start claiming that this or that technique or concept that they use in their product was, in actuality, taken from his demo that they had supposedly disassembled.
Therefore, I think the most reasonable approach for them would be simply to ignore the whole thing, especially taking into consideration that they may be getting dozens of proposals like this every day - otherwise, their legal department may get pretty busy…
Anton Bassov
> No serious security stuff will rely on this.
Why not??? Certainly, it will be always used just as an additional supplementary measure that is meant to annoy the potential cracker, but nothing more than that…
Anton Bassov
> Why not??? Certainly, it will be always
Most existing serious protocols are 100% open and do not obfuscate anything.
More so, if the protocol is an open standard, then obfuscation is impossible.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> Most existing serious protocols are 100% open
Even the ones for validating product serial keys???
Anton Bassov
For what it is worth, just to amplify what a few others have already said, the mistake almost
everyone (in my opinion) who goes down this road makes is not evaluating who their adversaries
really are, what their adversaries are willing to spend, and what adding anti-re is going to cost.
In theory, there are other factors (like likelihoods, etc.), but they almost never matter, in my
opinion, because the answer to the first question is almost always ‘nobody’ or ‘we don’t know,’ at
which point, in my opinion, that should be it.
If you’re going to go this route, I would consider evaluation methods that do not require much in
the way of runtime support. For example, if your only concern is anti-re of a driver (a waste of
time and money, in my opinion), in all seriousness, just writing it in C++ (using only the subset
that does not require runtime support) makes re much more expensive, because it makes meaningful
static analysis without a custom tool much slower, since non-static members don’t get called
directly. I would never suggest that anyone do this, but it’s likely to be cheaper to support and
work no better or worse than complicated runtime schemes.
Regarding everything else you asked below, this is not the place to get legal advice, which is
basically what you seek, and why you would rely on whatever you’re told on that subject, I have no idea.
Good luck,
mm
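mm's C++ suggestion above, as an added illustration that is not code from the thread: a runtime-free C++ subset (no exceptions, RTTI, heap or pure virtuals) where the work is dispatched through virtual member functions chosen from run-time data, so the call sites become indirect calls through a vtable slot rather than direct calls to a named routine. Type and function names are hypothetical; the calls only stay indirect in the final binary if the optimizer does not devirtualize them, which in a real module is helped by keeping the implementations in separate translation units.

```cpp
// Illustration of mm's point (not code from the thread): driver-style C++
// with no runtime support, dispatching through virtual member functions.
// At each codec->Encode()/Decode() call site the compiler emits a load of
// the vtable slot and "call [reg+offset]", so static analysis must first
// recover the vtable layout to learn which routine actually runs.
// All names are hypothetical.
#include <cstdint>
#include <cstddef>

// Non-pure virtuals with default bodies: pure virtuals would pull in the
// runtime's pure-call handler, which the runtime-free subset avoids.
struct ICodec {
    virtual std::uint32_t Encode(std::uint32_t v) const { return v; }
    virtual std::uint32_t Decode(std::uint32_t v) const { return v; }
};

struct RotateCodec final : ICodec {
    std::uint32_t Encode(std::uint32_t v) const override { return (v << 5) | (v >> 27); }
    std::uint32_t Decode(std::uint32_t v) const override { return (v >> 5) | (v << 27); }
};

struct XorCodec final : ICodec {
    std::uint32_t Encode(std::uint32_t v) const override { return v ^ 0xA5A5A5A5u; }
    std::uint32_t Decode(std::uint32_t v) const override { return v ^ 0xA5A5A5A5u; }
};

// Objects live in static storage: operator new needs runtime support that
// a kernel-mode module written in this subset does not have.
static RotateCodec g_rotate;
static XorCodec    g_xor;
static ICodec      g_identity;

// The implementation is chosen from data only known at run time (think of a
// tag in an IOCTL buffer), so the dynamic type at the call sites below is
// not a compile-time constant.
static const ICodec* SelectCodec(std::uint8_t tag) {
    switch (tag) {
        case 1:  return &g_rotate;
        case 2:  return &g_xor;
        default: return &g_identity;
    }
}

// Encodes a word buffer in place through the selected codec and returns the
// number of words processed.
std::size_t EncodeBuffer(std::uint8_t tag, std::uint32_t* words, std::size_t count) {
    const ICodec* codec = SelectCodec(tag);
    for (std::size_t i = 0; i < count; ++i)
        words[i] = codec->Encode(words[i]);
    return count;
}

// Sanity check: every codec must round-trip, Decode(Encode(x)) == x.
bool RoundTrips(std::uint8_t tag, std::uint32_t value) {
    const ICodec* codec = SelectCodec(tag);
    return codec->Decode(codec->Encode(value)) == value;
}
```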
Security via obfuscation never works for any serious security objective.
Yes, self destructing hardware is possible but as time progresses ways
around even those methods become possible.
wrote in message news:xxxxx@ntdev…
>> Most existing serious protocols are 100% open
>
> Even the ones for validating product serial keys???
>
> Anton Bassov
>
Of course, most of the time, the investment to “protect” an app is usually far more than the amount of time it might take an interested individual to attack said protection.
- S
-----Original Message-----
From: Volodymyr M. Shcherbyna
Sent: Monday, March 09, 2009 04:16
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] idapro disassembles the driver
> > Unfortunately that might also hold for scenarios where you get sent a dump file
> > and your potential customers expect an answer from you.
> You make a bold assumption that someone would actually want to get involved with it, which, IMHO, is quite naive.
Which reminds me of what Mark from OSR had to say about where the word "assume" comes from
But then, it's called subjunctive in grammatical terms
Thanks for that healthy dose of humor, Anton!
// Oliver
DDKWizard and DDKBUILD: http:
Trunk (potentially unstable) version: http: