BillyColl

Yoda Protector is built on polymorphic encryption principle. Encryption approach is enough weak, because the encrypted app code becomes decrypted and restored when the program runs. As for ExeCryptor http://www.strongbit.com it is based on a kind of code obfuscation : Code morphing. It makes to run program in obfuscated state without original code restoration. This way it is much harder for crackers.

EXECryptor is a software tool that provide developers with software protection from reverse engineering, analysis and modifications. Its main difference from other protection tools is its code transformation called "Code Morphing". This technology protects the code on the CPU-command level. It is known the x86 processors command system is redundant and allows the execution of the same ‘code’ using various different system commands. It breaks up the protected code into several processor commands or small command snippets and replace them by others, while maintaining the same end result. Thus the protector obfuscates the code not on the source level but on the level of the CPU commands. The Code Morphing is multilevel technology containing hundreds of unique code transformation patterns. In addition this technology includes the special layer that transforms some commands into Virtual Machine commands (like P-Code). Code Morphing turns binary code into an undecipherable mess that is not similar to normal compiled code, and completely hides execution logic of the protected code. There is no concept of code decryption with this system Protected code blocks are always in the executable state, and they are executed as a transformed code. The original code is completely lost and code restoration is an NP-hard problem. The weak point of such scheme is that it significantly increases the size and affects the speed of a program. But protecting an application author usually doesn't need to transform its entire code. It is enough to protect only critical parts of your code, responsible for serial number verification, trial expiration date, and other evaluation restrictions. The rest of application code remains intact and software execution speed remains the same. Below is a code sample generated by Delphi and a partial (the full listing contains over 500 instructions) listing of the transformed code. Source code : writeln('Test OK'); After compilation mov eax, [$ 004092ec] mov edx, $00408db4 call @WriteOLString call @WriteLn call @_IOTest After the code transformation (partial): db 3 add al, $30 xlat call +$000025b2 jmp +$00000eec call +$00000941 or al, $4a scasd call -$304ffbe9 rol eax, $14 mov edi, [ebx] jmp +$00001738 mov ebx, eax shr ebx, $03 push ebx jmp +$0001b5e call -$000001eb jmp +$00003203 jmp +$00005df8 call +$00000910 adc dh, ah fmul st(7) adc [eax], al les eax, [ecx+$0118bfc0] stosb http://www.strongbit.com

However ExeCryptor unlike Armadillo and others remains unckracked 2 years. It uses a sort of obfuscation called 'Code Morphing' that is conceptually different form other packers. The main cores are: A program is obfuscated on machine code level (not on just the source code) The original source of a protected by execryptor program is never restored in its original statement even when an app runs. Really its analysis is NP-hard problem for crackers and remains still open question for them