[EXECryptor software protection]

Yoda's Crypter 1.3.

I love it. Used it for 3 years now. It's not uncrackable but has to be manually unpacked and is long and very difficult.

Yoda Protector is built on polymorphic encryption principle. Encryption approach is enough weak, because the encrypted app code becomes decrypted and restored when the program runs.

As for ExeCryptor http://www.strongbit.com it is based on a kind of code obfuscation : Code morphing. It makes to run program in obfuscated state without original code restoration. This way it is much harder for crackers.

[EXECryptor software protection]

Can someone explain to me what this software does and what it protects exactly?

EXECryptor is a software tool that provide developers with software protection from reverse engineering, analysis and modifications. Its main difference from other protection tools is its code transformation called "Code Morphing". This technology protects the code on the CPU-command level. It is known the x86 processors command system is redundant and allows the execution of the same ‘code’ using various different system commands. It breaks up the protected code into several processor commands or small command snippets and replace them by others, while maintaining the same end result. Thus the protector obfuscates the code not on the source level but on the level of the CPU commands.

The Code Morphing is multilevel technology containing hundreds of unique code transformation patterns. In addition this technology includes the special layer that transforms some commands into Virtual Machine commands (like P-Code). Code Morphing turns binary code into an undecipherable mess that is not similar to normal compiled code, and completely hides execution logic of the protected code.

There is no concept of code decryption with this system Protected code blocks are always in the executable state, and they are executed as a transformed code. The original code is completely lost and code restoration is an NP-hard problem.

The weak point of such scheme is that it significantly increases the size and affects the speed of a program. But protecting an application author usually doesn't need to transform its entire code. It is enough to protect only critical parts of your code, responsible for serial number verification, trial expiration date, and other evaluation restrictions. The rest of application code remains intact and software execution speed remains the same.

Below is a code sample generated by Delphi and a partial (the full listing contains over 500 instructions) listing of the transformed code.

Source code :

writeln('Test OK');

After compilation

mov eax, [$ 004092ec]

mov edx, $00408db4

call @WriteOLString

call @WriteLn

call @_IOTest

After the code transformation (partial):

db 3

add al, $30

xlat

call +$000025b2

jmp +$00000eec

call +$00000941

or al, $4a

scasd

call -$304ffbe9

rol eax, $14

mov edi, [ebx]

jmp +$00001738

mov ebx, eax

shr ebx, $03

push ebx

jmp +$0001b5e

call -$000001eb

jmp +$00003203

jmp +$00005df8

call +$00000910

adc dh, ah

fmul st(7)

adc [eax], al

les eax, [ecx+$0118bfc0]

stosb

http://www.strongbit.com

[EXECryptor software protection]

However ExeCryptor unlike Armadillo and others remains unckracked 2 years. It uses a sort of obfuscation called 'Code Morphing' that is conceptually different form other packers.

The main cores are:

A program is obfuscated on machine code level (not on just the source code)

The original source of a protected by execryptor program is never restored in its original statement even when an app runs.

Really its analysis is NP-hard problem for crackers and remains still open question for them