
I want to create self-erasing code - a function to erase others. I tried to do it, but sometimes (most of the time) when I run it, it doesn't work as it's supposed to. I want to do something like this:

int func(int a)
{
    return a + 1;
}

int main()
{
    func(5);
    erase(func);   // wipe the code of func(); this is the function I am trying to write
    ...
    // execute other things
    ...
}

I already created a function to do this, but it is kinda buggy - it NOPs everything until it finds a ret opcode. I know that func's begin address is (DWORD)func, but how do I find the end-of-function address? I've seen an example on the web with something like:

void func()
_asm __volatile__ beg
{
    ...
    ...
    ...
    _asm __volatile__ end
}

but this does not work for me - I'm using VS 2013. Here's my code:

#include <windows.h>

// Overwrite dwLen bytes of code starting at pAddress with NOP (0x90).
void destruct(BYTE *pAddress, DWORD dwLen)
{
    DWORD dwOldProtect, dwBkup;
    // Code pages are normally PAGE_EXECUTE_READ; make them writable first,
    // and bail out if the protection change is refused.
    if (!VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect))
        return;
    for (DWORD x = 0; x < dwLen; x++)
        *(pAddress + x) = 0x90;
    // Restore the original protection and flush the instruction cache so
    // the CPU does not keep executing a stale copy of the old bytes.
    VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
    FlushInstructionCache(GetCurrentProcess(), pAddress, dwLen);
}

As dwLen I pass a length calculated in another function - from the beginning to the next ret instruction. By "delete function" I mean fill its body with NOPs or junk - I want to "erase" a function which is used only once, at program startup. I don't need it later; I just don't want anybody to dump my app and reverse it, etc.

mlgpro
  • What would the function return after it's erased? It's not a void... – sashoalm Apr 11 '15 at 19:26
  • @sashoalm I want to erase function after it's used last time in app, don't worry about that, I just want to erase it. – mlgpro Apr 11 '15 at 19:27
  • 1
    What do you mean by "deleting a function" ? – quantdev Apr 11 '15 at 19:29
  • @quantdev look at question, already edited it, so it's more clear. – mlgpro Apr 11 '15 at 19:29
  • I'm not a Windows expert but it seems likely that the literal program code for the functions would be stored in read-only protected memory. I have no idea why you would want this feature. – Galik Apr 11 '15 at 19:31
  • The function would still be in the exe file, unless it was created at run-time. In reality, all you need to know is the size of a function at run-time. – sashoalm Apr 11 '15 at 19:32
  • @Galik maybe it is, I don't know, but my func is working - I just don't know how to find the end of the function, so I can turn it into junk. I want to destruct it so nobody can reverse it. – mlgpro Apr 11 '15 at 19:32
  • Why do you want to erase it? Creating some malware that has something to hide?? "Nobody can reverse it": too late, it's in your exe, and may also be on the disk in the swap area! – Christophe Apr 11 '15 at 19:32
  • @Christophe it's a license verification procedure, I do it at startup and I want to erase it after the license check so nobody can reverse it. – mlgpro Apr 11 '15 at 19:34
  • @sashoalm thank you for the link, I've found a solution there http://stackoverflow.com/a/10071330/4777874 - if you want, add an answer and I will accept it. – mlgpro Apr 11 '15 at 19:36
  • 1
    I suggest decrypting the function into a buffer, executing it, and clearing the entire buffer. (Of course, this creates another problem -- finding the size of the required buffer... but you can safely overallocate -- and more importantly, getting an encrypted version of the function's code) You probably should start by compiling the transient code as a separate compilation unit and NOT linking it into your application. – Ben Voigt Apr 11 '15 at 19:36
  • 1
    @mlgpro That's a very interesting question, but note that erasing the code in memory isn't going to prevent people from reversing it. It'd be trivial to put a breakpoint in the `erase` function and copy all the code right before it can delete anything. – tux3 Apr 11 '15 at 19:36
  • 1
    That won't work. Anybody skilled would execute your code step by step during the verification procedure and not afterwards. If he missed it the first time, he will restart the exe and got it the second time. Not speaking of registry monitoring tools that will log anything your programme does on the registry. – Christophe Apr 11 '15 at 19:37
  • 1
    People will probably just run it in a debugger and halt its execution at the start of `main()`. – Galik Apr 11 '15 at 19:37
  • @mlgpro No point in duplicating an answer, just click on the big blue "Yes, thank you" button so your question is closed as a duplicate. Duplicates are OK for "question A boils down to question B" situations. – sashoalm Apr 11 '15 at 19:40
  • @Galik, tux3: Well, there are various anti-debugging techniques for making that more difficult. – Ben Voigt Apr 11 '15 at 19:40
  • @BenVoigt True. But if I were to go all the way against reverse-engineers, I'd write my code directly in ASM, instead of fighting the compiler and triggering Stroustrup knows how many undefined behaviors. I'm not convinced OP's going in the right direction, here. – tux3 Apr 11 '15 at 19:41
  • @tux3: Well, stick it in a separate compilation unit, compile it using the option to output assembler, modify it some more, etc. – Ben Voigt Apr 11 '15 at 19:42
  • @BenVoigt I suppose, although compiler-generated ASM can be pretty tough to understand. It's certainly cleaner to write it directly. – tux3 Apr 11 '15 at 19:45
  • @tux3 this is a nice idea, I will think about it - and compiler-generated asm can be annotated with the equivalent lines of C++ code, VS has this feature, so it's easier to understand. – mlgpro Apr 11 '15 at 19:52
  • Attempting to write secure code without being an expert is risky. You'll almost certainly write very insecure code. – David Heffernan Apr 11 '15 at 20:13
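An added example, not the poster's code, that shows the erase routine with the checks the posted version is missing. It builds on Windows (VirtualProtect, as in the question) and on Linux/POSIX (mprotect, which only accepts page-aligned ranges, so the range is rounded out to whole pages). `find_len_to_ret`, `erase_code`, `count_nops`, `demo_erase_func` and the 64-byte scan limit are this example's own names and assumptions. It keeps the scan-to-first-`ret` heuristic from the question, which is only trustworthy for tiny functions whose disassembly you have checked; and, as the comments point out, the bytes are still in the exe on disk and a breakpoint placed before the erase recovers them, so this is not a protection against reversing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
#  define NOINLINE __declspec(noinline)
#else
#  include <sys/mman.h>
#  include <unistd.h>
#  define NOINLINE __attribute__((noinline))
#endif

/* Heuristic length finder: bytes from `code` up to and including the first
 * 0xC3 (x86 `ret`). 0xC3 can also appear inside immediates, displacements or
 * addresses, and a function may contain several rets or end in a jmp, so only
 * trust this on tiny functions you have disassembled. Under MSVC incremental
 * linking, &func may point at a 5-byte jmp thunk rather than the body, so
 * measure in a Release build. Returns 0 when no 0xC3 is found in max_len. */
size_t find_len_to_ret(const unsigned char *code, size_t max_len)
{
    for (size_t i = 0; i < max_len; i++)
        if (code[i] == 0xC3)
            return i + 1;
    return 0;
}

/* Count bytes equal to 0x90 (NOP) in [p, p+len): used to check an erase. */
size_t count_nops(const unsigned char *p, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0x90)
            n++;
    return n;
}

/* Overwrite [addr, addr+len) with NOPs: make the pages writable, write,
 * return them to read+execute, and flush the instruction cache so a stale
 * copy is not executed. Returns 0 on success, -1 if the protection change
 * failed (e.g. a W^X policy refuses writable+executable pages). */
int erase_code(void *addr, size_t len)
{
#ifdef _WIN32
    DWORD old_prot, tmp;
    if (!VirtualProtect(addr, len, PAGE_EXECUTE_READWRITE, &old_prot))
        return -1;
    memset(addr, 0x90, len);
    VirtualProtect(addr, len, old_prot, &tmp);
    FlushInstructionCache(GetCurrentProcess(), addr, len);
    return 0;
#else
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    if (mprotect((void *)start, end - start,
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memset(addr, 0x90, len);
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    __builtin___clear_cache((char *)addr, (char *)addr + len);
    return 0;
#endif
}

/* The throwaway function from the question; noinline so it exists as real
 * code with its own address instead of being folded into the caller. */
NOINLINE int func(int a)
{
    return a + 1;
}

/* Call func once, then erase it in place. Returns the number of bytes that
 * read back as NOP afterwards, 0 on a non-x86 build (where the 0xC3 scan is
 * meaningless and nothing is touched), or -1 on error. Never call func()
 * again after this: its body is now a NOP slide into whatever the linker
 * placed next. */
int demo_erase_func(void)
{
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
    unsigned char *code = (unsigned char *)(uintptr_t)&func;
    int r = func(5);                      /* last legitimate use */
    size_t len = find_len_to_ret(code, 64);
    if (r != 6 || len == 0 || erase_code(code, len) != 0)
        return -1;
    return (int)count_nops(code, len);
#else
    return 0;
#endif
}

int main(void)
{
    int n = demo_erase_func();
    printf("erased %d bytes of func()\n", n);
    return n < 0;
}
```

On x86 the program reports how many bytes of `func` now read back as NOP (the whole measured length on success); if `erase_code` returns -1, the platform refused writable+executable pages and the erase did not happen, which is the failure mode the posted `destruct` silently ignores.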

0 Answers