General Security Measures.
Many protection schemes have been developed over the years to protect binaries, but most of them are unfortunately quite vulnerable to attack.
These are some of the most widespread protection measures:
- Obfuscation reorders instructions, inserts garbage instructions that are never executed, renames internal symbols, encrypts strings and so on. It hides a good deal of your intellectual property from casual inspection, but it only raises the cost of analysis; it does not stop a serious cracker from reading the code and making changes.
- Compression of the entire executable (packing) does not prevent cracking. The stub has to decompress the whole image into memory before it can run, so a memory monitor catches the executable in its pristine form as soon as the original entry point is reached. Adding encryption to the compression does not change this: the key and the decryption routine ship inside the same file.
- Compression of a subset of the executable, with delayed decompression of small sections as they are needed, is a slightly bigger challenge for a cracker, because no single memory dump contains everything. However, each section is revealed in its original form the moment it is decompressed, and a cracker who drives the program through all of its code paths collects them all.
- Self-modifying code can be implemented in very clever ways, for example by decrypting a data block at runtime and then executing it as instructions, but it is detectable and can be analyzed. Be aware that this behaviour (and some compression schemes as well) needs memory that is both writable and executable, which is exactly what some malware scanners look for, so the protected program may be identified and reported as a virus.
- Anti-debug measures can be implemented in many different ways. Some exploit weaknesses of known cracker tools or undocumented details of the execution platform; others look for known debugger tools, installed or running. It is very much a game of cat and mouse based on a bag of tricks, with the risk that a single crack reveals the whole bag at once.
- Self-evaluation tests at runtime that the executable has not been compromised or tampered with, typically by checksumming its own code and comparing the result with a stored value. It can be bypassed: both the comparison and the stored value live in the same binary, so a cracker patches either one.
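The last two items above, anti-debug and self-evaluation, as an added example that is not part of the original page: a Linux anti-debug probe that reads TracerPid from /proc/self/status, and a self-check that hashes the live machine code of a function and compares it with a recorded value, together with the one-byte patch such a check is meant to catch. The function names, the FNV-1a hash, the 48-byte window and the licence_ok() function are all assumptions made for this example; a real scheme would embed the checksum at build time instead of recording it at startup, and the probe is Linux-only (it reports "not traced" where /proc is unavailable).

```c
/* Added example: Linux anti-debug probe and a self-checksum of live code.
 * Not from the original page. Assumes Linux (/proc/self/status) and a
 * readable .text mapping, which every mainstream ABI provides. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 64-bit FNV-1a: small and fast, which is why it turns up in self-checks.
 * It is not cryptographic; a cracker who can edit the binary simply
 * recomputes it, which is the point made in the text. */
static uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Anti-debug probe: Linux reports the pid of a ptrace() tracer in
 * /proc/self/status. Returns 1 if traced, 0 if not or if the file cannot
 * be read (non-Linux platform). A cracker NOPs the call, fakes the file
 * through an LD_PRELOAD'ed fopen(), or just breaks after the probe. */
int is_being_traced(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    int traced = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            traced = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return traced;
}

/* The function being protected (hypothetical licence check). Its machine
 * code is what a cracker patches, e.g. by turning the comparison into an
 * unconditional success. */
int licence_ok(int key) {
    return (key ^ 0x5a5a) == 0x1234;
}

/* Code bytes hashed from the start of licence_ok(). Assumption for the
 * example: a fixed window stands in for the symbol size a build tool
 * would know. */
#define PROTECTED_LEN 48

/* View a function's machine code as bytes. Going through uintptr_t is the
 * usual way to silence the function-to-object pointer conversion. */
static const unsigned char *code_of(int (*fn)(int)) {
    return (const unsigned char *)(uintptr_t)fn;
}

/* Stands in for a hash embedded at build time. Being a plain global in the
 * same binary, a cracker can overwrite it as easily as the code it guards. */
static uint64_t golden_hash;

void record_golden_hash(void) {
    golden_hash = fnv1a64(code_of(licence_ok), PROTECTED_LEN);
}

/* Self-evaluation: 1 if the live code still matches the recorded hash. */
int verify_integrity(void) {
    return fnv1a64(code_of(licence_ok), PROTECTED_LEN) == golden_hash;
}

/* What the check catches: flip one byte in a copy of the function, the way
 * a cracker flips a conditional jump. Done on a stack copy so the example
 * needs no mprotect(). Returns 1 if the hash changed. Every FNV-1a step is
 * a bijection on h, so any single-byte change is guaranteed to show. */
int detects_one_byte_patch(void) {
    unsigned char copy[PROTECTED_LEN];
    memcpy(copy, code_of(licence_ok), PROTECTED_LEN);
    copy[PROTECTED_LEN / 2] ^= 0x01;
    return fnv1a64(copy, PROTECTED_LEN) !=
           fnv1a64(code_of(licence_ok), PROTECTED_LEN);
}

int main(void) {
    record_golden_hash();
    printf("traced by a debugger:       %d\n", is_being_traced());
    printf("code integrity intact:      %d\n", verify_integrity());
    printf("one-byte patch detected:    %d\n", detects_one_byte_patch());
    printf("licence_ok(0x486e):         %d\n", licence_ok(0x486e));
    return 0;
}
```

Run it under gdb or strace and is_being_traced() returns 1; run it plain and it returns 0. The bypass needs no understanding of the hash: set a breakpoint after is_being_traced() returns and change the return value, overwrite golden_hash, or invert the comparison in verify_integrity(). Each of those is a one-instruction patch, which is why the text rates these measures as light protection.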
Most of the protection measures mentioned here share the same weakness: at some point the machine code exists in memory in its unprotected, pristine form. That makes analysis possible, so they provide only a light level of protection.
Even the most advanced scheme will not provide long-term protection against memory analysis, given what memory monitors, hosted emulators and other forms of synthetic environments can do. Analysis is always possible; what varies is only how much work it takes to modify the binary afterwards.
For some scenarios these measures may be enough, but you should always consider combining them with stronger protection schemes.