Dynamic Anti-Tracking Measures in Single-Chip Microcomputer System Encryption

Publisher: TranquilSmile | Latest update: 2012-03-19 | Source: 单片机与嵌入式系统应用
As is well known, there are companies and individuals who specialize in decryption services for single-chip microcomputers. Moreover, no matter how a microcontroller's instructions are encrypted, they can only execute in plain text, so a decryptor can use a microcontroller development system to debug the program in ROM step by step. Once the decryptor understands the flow of the instructions, he has also obtained the encrypted program, for instance the calculation method of an intelligent meter. By modifying the program and producing an imitation ROM chip, the purpose of decryption is achieved. Therefore, the encryption of a single-chip microcomputer must also act while the program is running, that is, it needs dynamic encryption measures for the program.

1 Dynamic decoding of the program

Dynamic decoding means restoring the encrypted instructions or data codes of a program at run time. While the program runs, a dedicated section of instructions decrypts the instructions or data codes of a certain area, and when the decrypted code is no longer needed it must be re-encrypted, so that a complete plain-text copy of the program never exists in memory. This method is very effective against static analysis, because the true shape of the program cannot be seen from a listing of the encrypted code. Dynamic decoding also has its own strengths for anti-tracking. Against debugging and tracing with breakpoints, the program is still ciphertext before it executes, so it is difficult for the decryptor to decide where to set a breakpoint; one careless attempt fails and can cause system damage (electrically erasing data in the EPROM). The following is a specific example of dynamic program decoding:

        ...
SUB1:   ADD  A,#94H        ; virtual program segment (never executed); bytes 24H 94H
        XRL  54H,#13H      ; bytes 63H 54H 13H
        ...
        MOV  R0,#20H       ; R0 -> RAM work area starting at 20H
        MOV  R1,#5         ; 5 bytes to decode
        MOV  R2,#55H       ; XOR key
        MOV  DPTR,#SUB1    ; DPTR -> ciphertext, i.e. the code bytes of SUB1
        MOV  A,#00H        ; offset into SUB1
LOOP1:  PUSH ACC           ; save the offset (standard MCS-51 syntax: PUSH ACC, not PUSH A)
        MOVC A,@A+DPTR     ; fetch one code byte from program memory
        XRL  A,R2          ; XOR operation with the key
        MOV  @R0,A         ; store actual data
        POP  ACC           ; restore the offset
        INC  A             ; next code byte
        INC  R0            ; next RAM unit
        DJNZ R1,LOOP1
        ...

This program dynamically transforms a data group (5 bytes) starting at RAM address 20H. Because the initial data group is in encrypted form, it has to be converted during program execution, and the converted data is then used in other segments of the program. Here the instruction code of the SUB1 program segment (bytes 24H, 94H, 63H, 54H, 13H) serves as the ciphertext and is dynamically decoded with 55H, the encryption value held in R2. After XORing each instruction byte with 55H, the correct data is stored in the units starting at 20H (result: 71H, C1H, 36H, 01H, 46H). To make the dynamic decoding process clear, this example is deliberately simple. In practice, the address of the data unit can itself be generated by some computation when this program segment is entered, which further strengthens the program's resistance to analysis.
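The LOOP1 routine above, modelled in C as an added example (not code from the article): the five SUB1 code bytes and the key 55H are constructed copies of the listing's values, and the re-encryption step carries out the article's requirement that the decoded copy must not remain in RAM after use. The function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the five SUB1 instruction bytes from the listing:
 *   ADD A,#94H   -> 24H 94H
 *   XRL 54H,#13H -> 63H 54H 13H
 * On the real part they sit in program memory and are fetched with MOVC;
 * here they are an ordinary array. */
static const uint8_t SUB1_CODE[5] = { 0x24, 0x94, 0x63, 0x54, 0x13 };

/* The key kept in R2 in the listing. */
#define DECODE_KEY 0x55u

/* Plaintext the article states the loop produces at 20H..24H. */
static const uint8_t EXPECTED_PLAIN[5] = { 0x71, 0xC1, 0x36, 0x01, 0x46 };

/* Model of LOOP1: XOR each ciphertext byte with the key and store the
 * result in the RAM work area (20H.. in the listing). */
void dynamic_decode(const uint8_t *code, size_t n, uint8_t key, uint8_t *ram)
{
    for (size_t i = 0; i < n; i++)
        ram[i] = code[i] ^ key;
}

/* Re-encrypt the work area once the plaintext has been consumed: XORing
 * with the same key restores the ciphertext, so no decoded copy remains
 * in RAM. The volatile pointer keeps an optimizing compiler from dropping
 * the stores as dead writes to a buffer that is about to go out of scope. */
void reencrypt_in_place(uint8_t *ram, size_t n, uint8_t key)
{
    volatile uint8_t *p = ram;
    for (size_t i = 0; i < n; i++)
        p[i] ^= key;
}

/* Returns 1 if decoding the constructed SUB1 bytes yields exactly the
 * values the article gives, 0 otherwise. */
int decode_matches_article(void)
{
    uint8_t ram[5];
    dynamic_decode(SUB1_CODE, sizeof SUB1_CODE, DECODE_KEY, ram);
    return memcmp(ram, EXPECTED_PLAIN, sizeof ram) == 0;
}

/* Returns 1 if, after decode, use and re-encryption, the work area holds
 * the ciphertext again rather than any plaintext byte. */
int reencrypt_restores_ciphertext(void)
{
    uint8_t ram[5];
    dynamic_decode(SUB1_CODE, sizeof SUB1_CODE, DECODE_KEY, ram);
    /* ... the decoded data would be consumed by other segments here ... */
    reencrypt_in_place(ram, sizeof ram, DECODE_KEY);
    return memcmp(ram, SUB1_CODE, sizeof ram) == 0;
}

int main(void)
{
    uint8_t ram[5];
    dynamic_decode(SUB1_CODE, sizeof SUB1_CODE, DECODE_KEY, ram);
    for (size_t i = 0; i < sizeof ram; i++)
        printf("RAM[%02XH] = %02XH\n", 0x20 + (unsigned)i, ram[i]);
    printf("matches article: %d\n", decode_matches_article());
    printf("ciphertext restored after use: %d\n", reencrypt_restores_ciphertext());
    reencrypt_in_place(ram, sizeof ram, DECODE_KEY);
    return 0;
}
```

The volatile store in reencrypt_in_place is the practical detail the assembly does not need but C does: a plain loop or memset over a local buffer that is never read again may be removed by the compiler, leaving the plaintext in RAM after all.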

2 Program segment modification prevention

An encryption program does not set up just one obstacle. To make the encryption measures complete, having later parts of the program depend on earlier parts at key places is an effective anti-decryption method. For some purposes the decryptor must modify a certain section of program instructions; program segment modification prevention is the technical countermeasure to that kind of decryption. To preserve the integrity of the encrypted program, instruction or data codes at key points of the program can be fed into some computation, and the result is used to judge whether the program has been altered. The following program segment prevents modification:

        ...
SUB2:   ADD  A,#35H        ; protected segment; bytes 24H 35H
        SUBB A,#05H        ; bytes 94H 05H
        ...
        MOV  DPTR,#SUB2    ; DPTR -> code bytes of SUB2
        MOV  R0,#30H       ; R0 -> RAM unit 30H that accumulates the result
        MOV  A,#1          ; start at offset 1 (offset 0 is preloaded below)
        MOV  R1,#3         ; 3 more bytes to fold in
        MOV  @R0,#24H      ; the first instruction code of the SUB2 segment is 24H
LOOP2:  PUSH ACC           ; save the offset (standard MCS-51 syntax: PUSH ACC, not PUSH A)
        MOVC A,@A+DPTR     ; fetch one code byte of SUB2
        XRL  30H,A         ; XOR operation into 30H
        POP  ACC           ; restore the offset
        INC  A             ; next code byte
        DJNZ R1,LOOP2
        MOV  A,30H
        ...
        CJNE A,#80H,ERR    ; the result is compared with 80H
        ...
ERR:    MOV  A,#0          ; error exit
        ...

In the SUB2 program segment, some data are computed by the instructions, for example a charging algorithm, and the decryptor will generally need to modify some of these instructions to achieve a particular goal. The countermeasure sits in the following LOOP2 program segment, which takes the instruction bytes of SUB2 (4 bytes here) and runs a computation over them (here an XOR); the result directly determines whether the subsequent program executes correctly (the correct result is 80H). If the SUB2 program segment is changed, the program is led astray in the LOOP2 segment and goes wrong without the tracker noticing. If the hardware design includes an electrically erasable EEPROM, the data in the program can additionally be modified (or deleted), so that the tracker's attempt causes "damage" to the device and the program cannot be analyzed again.
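The LOOP2 integrity check above, modelled in C as an added example (not code from the article): the four SUB2 code bytes are a constructed copy of the listing's values, the expected value 80H is the one the article gives, and a single-byte edit of the protected segment is shown to change the result so that the CJNE decision fails. Function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the four SUB2 instruction bytes from the listing:
 *   ADD  A,#35H -> 24H 35H
 *   SUBB A,#05H -> 94H 05H  */
static const uint8_t SUB2_CODE[4] = { 0x24, 0x35, 0x94, 0x05 };

/* Value the check must produce, fixed when the ROM image was built
 * (80H in the article). */
#define SUB2_EXPECTED 0x80u

/* Model of LOOP2: seed the accumulator unit (30H) with the first code byte
 * (MOV @R0,#24H) and XOR in the remaining bytes fetched through MOVC. */
uint8_t code_xor_signature(const uint8_t *seg, size_t n)
{
    if (n == 0)
        return 0;
    uint8_t acc = seg[0];
    for (size_t i = 1; i < n; i++)
        acc ^= seg[i];
    return acc;
}

/* The CJNE A,#80H,ERR decision: 1 when the segment is unchanged, 0 when
 * execution should be diverted to the error path. */
int segment_intact(const uint8_t *seg, size_t n, uint8_t expected)
{
    return code_xor_signature(seg, n) == expected;
}

/* Replace one byte of a constructed copy of SUB2 and report whether the
 * check notices (1 = detected, 0 = missed). Used only to exercise the
 * detection path; nothing here touches the real segment. */
int single_byte_edit_detected(size_t index, uint8_t new_byte)
{
    uint8_t copy[sizeof SUB2_CODE];
    memcpy(copy, SUB2_CODE, sizeof copy);
    if (index >= sizeof copy)
        return 0;
    copy[index] = new_byte;
    return !segment_intact(copy, sizeof copy, SUB2_EXPECTED);
}

int main(void)
{
    printf("signature of SUB2: %02XH (expected %02XH)\n",
           code_xor_signature(SUB2_CODE, sizeof SUB2_CODE), SUB2_EXPECTED);
    printf("intact: %d\n", segment_intact(SUB2_CODE, sizeof SUB2_CODE, SUB2_EXPECTED));
    /* Constructed edit: change the immediate of ADD A,#35H to 36H. */
    printf("edit of byte 1 detected: %d\n", single_byte_edit_detected(1, 0x36));
    return 0;
}
```

A one-byte XOR fold only notices changes that leave an odd number of flipped bits in some bit position across the segment, which is why the article's closing advice to combine several measures (a second, differently computed check at another key point, timing checks, hardware protection) matters in practice.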

The microcontroller encryption methods introduced above are meant to prevent the decryptor from illegally obtaining the program in the ROM, or to prevent the ROM program from running in a copied microcontroller system. In practical applications there are many ways to judge whether the program is running normally or being tracked. For example, the running time of a certain program segment can be measured with the clock timing and a different response chosen accordingly, because single-step and continuous execution differ greatly in elapsed time. Furthermore, MCU encryption cannot be limited to one of the above methods, and the anti-tracking method cannot be a single one; several methods must be used together to achieve good results. For example, software encryption can be combined with hardware encryption, dynamic decoding with program anti-modification, and new technologies and methods (such as programmable logic devices) can be fully exploited to make the MCU's encryption protection more effective.