X hits on this document

389 views

0 shares

0 downloads

0 comments

46 / 120

10, we can obscure the test by checking if 1.2α < 1.210 instead. To make string constants

unreadable in a dump of the .rdata section we can employ a simple substitution cipher

whose decryption function would become part of the machine code. A simple

substitution cipher is an encryption algorithm where each character in the original string

is replaced by another using a one-to-one mapping [20]. Substitution ciphers are easily

broken because the algorithm is the secret [21], so while we will use one for ease of

demonstration, stronger encryption algorithms should be used in real-world scenarios.

Table 7.3 contains the definition of a simple substitution cipher that shifts each

character 13 positions to the right in the local 8-bit ASCII or EBCDIC character set.

Ciphertext is generated or read in printable hexadecimal to allow all members of the

character set, including control characters, to be used in the mappings. Note: unlike

ROT13 [22], this cipher is not it's own inverse—meaning that shifting each character an

additional 13 positions to the right will not perform decryption.

Table 7.3. Simple substitution cipher used to protect string constants.

08:

unsigned char encryptTable[256];

09:

unsigned char decryptTable[256];

10:

char hexByte[2];

SubstitutionCipher.h:

11:

};

Full source code: h t t p : / / r e v e r s i n g p r o j e c t . i n f o / r e p o s i t o r y . p h p ? f i l e I D = 7 _ 2 _ 1

01: 02: 03: 04: 05: 06: 07:

class SubstitutionCipher { public:

SubstitutionCipher(); string encryptToHex(string plainText); string decryptFromHex(string cipherText); private:

38

Document info
Document views389
Page views390
Page last viewedSat Dec 10 20:52:44 UTC 2016
Pages120
Paragraphs2913
Words25794

Comments