
7.6.2 Obfuscating the Numeric Representation of the Record Limit

Having obfuscated the string literals in the program image, we'll assume that a reverse engineer will need to select the alternate strategy of pausing the program's execution immediately before specifying the input that causes the trial limitation message to be displayed. Using this strategy, a reverser can either capture a trace of all the machine instructions that are executed when the trial limitation message is displayed, or debug the application—stepping through each machine instruction until a sequence that seems responsible for enforcing the trial limitation is reached. Recall that in the solution to the Wintel machine code reversing exercise, an obvious instruction sequence that tested a memory location for a limit of five password records was found. By using an alternate but equivalent representation of the record limit we can make the record limit test a bit less obvious. The technique we employ here is to use a function of the record limit instead of the actual value; for example, instead of testing for α <= 5, where α is the record limit, we obscure the limit by testing if 2^α <= 2^5. Table 7.7 gives an example of the needed code changes to PasswordVault.cpp.

Table 7.7. Using a function of the record limit to obfuscate the condition.

    176 void PasswordVault::doCreateNewRecord()
    178 #ifdef TRIALVERSION
    180 // Add limit on record count for reversing exercise
    181 if (passwordStore.getRecords().size() >= TRIAL_RECORD_LIMIT)
    ==> 181 if ((pow(2.0, (double)passwordStore.getRecords().size()) >= pow(2.0, 5.0)))
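
The following is an added example, not code from the original text or from PasswordVault: it checks that the substitution in Table 7.7 makes the same decision as the plain test for every record count, and contrasts it with a hypothetical 32-bit shift variant that does not. The constant kTrialRecordLimit, the function names and the shift variant are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for TRIAL_RECORD_LIMIT from Table 7.7.
static const std::size_t kTrialRecordLimit = 5;

// Original, easily recognised test: record count compared with the constant 5.
bool limitReachedPlain(std::size_t count) {
    return count >= kTrialRecordLimit;
}

// Obfuscated test from Table 7.7: compare 2^count with 2^5. pow(2.0, n) is
// strictly increasing and saturates to +inf for large n, so ordering is kept.
bool limitReachedPow(std::size_t count) {
    return std::pow(2.0, (double)count) >= std::pow(2.0, 5.0);
}

// Hypothetical integer variant: 2^count truncated to 32 bits becomes 0 once
// count >= 32 (guarded here because shifting by >= 32 is undefined behaviour),
// so the transformation is not monotonic and the trial check silently fails.
bool limitReachedShift(std::size_t count) {
    uint32_t lhs = (count < 32) ? (uint32_t(1) << count) : 0u;
    return lhs >= (uint32_t(1) << 5);
}

// First count in [0, maxCount] where the candidate disagrees with the plain
// test, or -1 when the two tests are equivalent over the whole range.
long firstMismatch(bool (*candidate)(std::size_t), std::size_t maxCount) {
    for (std::size_t n = 0; n <= maxCount; ++n)
        if (candidate(n) != limitReachedPlain(n)) return (long)n;
    return -1;
}

int main() {
    std::printf("pow variant first mismatch:   %ld\n",
                firstMismatch(limitReachedPow, 5000));
    std::printf("shift variant first mismatch: %ld\n",
                firstMismatch(limitReachedShift, 5000));
    return 0;
}
```
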

The effects of the source code changes in Table 7.7 on the machine code are shown in Fig. 7.2. A function of the record limit is referenced during execution instead of

