Topic: CodeEncipher quick analysis

Kockatá hlava

CodeEncipher quick analysis
« on: April 29, 2016, 04:32:02 PM »
Yesterday I did a quick analysis of CodeEncipher 2.2.2. Let me know if you are interested in the details. Enjoy.

CodeEncipher protects CLI (aka .NET) files by means of encryption. CodeEncipher supports only Unity games running on Mono and is available in the Asset Store. It targets the Windows and Android platforms.

Principles:

CodeEncipher works like traditional cryptors or packers: it adds its own decryptor that launches when the file is being loaded into memory. The file always stays encrypted on the disk. This forces the attacker to focus on the decryption process.

This kind of protection always suffers from the fact that the attacker just needs to wait until the file is decrypted into memory. The game code (located in the Assembly-CSharp.dll file) always contains Unity-defined hardcoded strings like "UnityEngine", "MonoBehaviour", ".ctor" etc. Once the file is decrypted, the attacker dumps all memory of the game process, searches for the hardcoded strings and locates the start and end offsets of the decrypted file in the dump. Then he replaces the encrypted file with the restored one and disables the decryptor by patching its code.

Details:

CodeEncipher takes advantage of the Mono runtime. The original runtime (mono.dll on Windows and libmono.so on Android) is replaced by a CodeEncipher-specific Mono with an added decryptor. The decryptor is executed as part of loading the memory image of the game code into memory.

The Windows runtime (mono.dll) is additionally protected with the MPress protector. However, the attacker doesn't really need to analyse the decryptor because dumping memory is easier.

The attacker runs the game, waits until it is initialized, attaches a debugger or a dumper and dumps all process memory. This works on both the Windows and Android platforms.
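The exposure the post describes, seen from the evaluator's side: given a process dump, the check below carves PE images that carry .NET metadata and reports their bounds, so you can verify whether a protector leaves the plaintext assembly in memory. This is an added Python example, not code from the post or from CodeEncipher; the dump, the minimal PE layout and the marker strings are constructed (the strings are the ones the post names).

```python
import struct

# Strings the Unity game assembly always contains (named in the post), plus the
# "BSJB" signature of the .NET metadata root that every CLI image carries.
CLI_MARKERS = (b"UnityEngine", b"MonoBehaviour", b".ctor")
METADATA_SIG = b"BSJB"

def find_cli_images(dump: bytes):
    """Return (start, end, markers_found) for each PE image in `dump` that carries
    .NET metadata; 'MZ' hits are validated via e_lfanew and bounded by SizeOfImage."""
    hits, pos = [], 0
    while (i := dump.find(b"MZ", pos)) != -1:
        pos = i + 2
        if i + 0x40 > len(dump):
            break
        pe = i + struct.unpack_from("<I", dump, i + 0x3C)[0]  # e_lfanew
        if pe + 84 > len(dump) or dump[pe:pe + 4] != b"PE\0\0":
            continue  # stray 'MZ' bytes, not a PE header
        opt = pe + 24  # optional header follows the 20-byte COFF header
        if struct.unpack_from("<H", dump, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
            continue
        end = min(i + struct.unpack_from("<I", dump, opt + 56)[0], len(dump))  # SizeOfImage
        region = dump[i:end]
        if METADATA_SIG not in region:
            continue  # native PE, not a CLI assembly
        hits.append((i, end, [m for m in CLI_MARKERS if m in region]))
        pos = end
    return hits

def build_sample_image(size=0x400) -> bytes:
    """Constructed minimal PE32 image carrying CLI markers (not a real Unity DLL)."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)  # optional header: PE32 magic
    struct.pack_into("<I", img, 0x98 + 56, size)  # SizeOfImage
    body = METADATA_SIG + b"\0" * 16 + b"\0".join(CLI_MARKERS)
    img[0x200:0x200 + len(body)] = body
    return bytes(img)

# Constructed "dump": a decoy 'MZ' with no PE header, zero filler, the image, 0xFF filler.
SAMPLE_DUMP = b"MZ" + b"\0" * 0x2FE + build_sample_image() + b"\xFF" * 0x200

if __name__ == "__main__":
    for start, end, markers in find_cli_images(SAMPLE_DUMP):
        print(f"CLI image at 0x{start:X}-0x{end:X}, markers: {markers}")
```

The decoy 'MZ' at offset 0 is rejected because its e_lfanew does not point at a PE signature; only the image at 0x300 is reported.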