question + some info. Do you know that academic research has shown that code
combines high cost with very low resilience. Christian Collberg and Chenxi
research matterial. Another thing is that even so general black-box code
(relaxed) obfuscators that are possible (esp. when it concern to the complex
"Nadav" <Nadav@discussions.microsoft.com> wrote in message
news:F9505DDD-437C-485E-AE48-5267BE92E84F@microsoft.com...
> Hi,
>
> I am writing some kind of an encryptor for.NET assemblies, This require
> me:
> A. To encrypt the IL code ( done successfully )
> B. To enable transparent means of decrypting the IL code on run-time in a
> way that the encrypted DLL will stay independent.
>
> Concerning the latter issue, to achieve custom functionality upon EXE
> startup I am trying to inject a DLL to an existing PE image, this is done
> by
> adding an additional DLL import dependency to the existing PE ( e.g.
> editing
> the already existing PE sections ), to achieve what was just described I
> am
> reconstructing the IMPORT, IAT and RELOC tables: adding custom DLL import
> dependency ( in addition to mscoree.dll ). BUT it doesn't seem to work,
> the
> loader produce STATUS_INVALID_IMAGE_FORMAT (0xC000007B) error, when
> reconstructing the tables only with a dependency for 'mscoree.dll'
> everything
> works fine, at the minute I add an additional DLL, the loader fails. doing
> some research I have stumbled upon peverify.exe of the sscli, assuming the
> loader do the same verification done by 'peverifier.exe' I have tried the
> following things:
> I have used peverify.exe on my injected EXE ( with a debugger attached ) I
> got the same results: '[IL]: Error: Unverifiable PE Header/native stub.',
> when breaking with the debugger I get to the following line:
> Peverifier.cpp:
> // There should be only one entry in this table.
> if (IMAGE_IMPORT_DESC_FIELD(pID[1], Characteristics) != 0)
> {
> Log("IMAGE_IMPORT_DESCRIPTOR[1] should be NULL\n");
> return FALSE;
> }
> Peverifier.exe 'verifies' that there is no more then one file dependency,
> SOoo. adding an additional import dependency causes it to report error
> preventing addition of functionality this way. there are some other
> 'strange'
> verifications such as:
> // Check if mscoree.dll is the import dll name.
> static const CHAR s_szDllName[] = "mscoree.dll";
> .
> if (CompareStringAtRVA(VAL32(pID[0].Name),
> (CHAR*)s_szDllName,
> LENGTH_OF_DLL_NAME) == FALSE)
> {
> .
> }
> The imported DLL can be no other then 'mscoree.dll'.
> And there is much more. code segment is mixed with the AIT table: share a
> common address in the PE that is being used for execution as-well as for
> relocation. and there is even more.
>
> Anyhow I am really desperate, I need my encrypted EXE to be independent
> and
> this require me to add some unmanaged functionality to the existing
> managed
> PE. any advice remark or some insight on the process I have described
> would
> be appreciated.
>
> Thanks in advance,
> Nadav,
>
http://www.ddevel.com >
