Encryption and parsing scheme for microcontroller and its program operation

Publisher: AngelicJourney. Latest update time: 2012-06-05. Source: 21ic

As is well known, some companies and individuals specialize in MCU decryption services. Moreover, however the MCU instructions are encrypted, they can only execute as plain text, and a decryptor can use an MCU development system to single-step the program in ROM. Once the decryptor understands the flow of the instructions, he has also obtained the encrypted program, for example the calculation method of a smart meter. By modifying the program and producing an imitation ROM chip, the decryption is achieved. Therefore MCU encryption must also act while the program is running, that is, dynamic encryption measures for the program.

1 Dynamic decoding of the program

Dynamic decoding means recovering the instructions or data codes of the encrypted program dynamically. While the program is running, a dedicated section of instructions decrypts the instructions or data codes of a certain area, and once the decrypted code has been used it must be re-encrypted, so that the complete program code never exists in memory. This method is very effective against static analysis of the program, because the true shape of the program is hard to see from the listing of the encrypted program. In terms of anti-tracing, dynamic decoding has its own particular strength: in preventing debugging and tracing with breakpoints, since the program appears as ciphertext before execution, it is difficult for the decryptor to determine where to set a breakpoint, and a careless attempt will damage the system through a failed decryption (data in the EPROM is electrically erased). The following is a concrete example of dynamic program decoding:

SUB1:  ADD  A,#94H       ; virtual program segment: code bytes 24H 94H
       XRL  54H,#13H     ; code bytes 63H 54H 13H
       MOV  R0,#20H      ; destination: RAM 20H..24H
       MOV  R1,#5        ; 5 bytes to decode
       MOV  R2,#55H      ; XOR key
       MOV  DPTR,#SUB1   ; source: the code bytes of SUB1 itself
       MOV  A,#00H       ; index into the code bytes
LOOP1: PUSH ACC          ; save index (PUSH takes a direct address, so ACC rather than A)
       MOVC A,@A+DPTR    ; fetch one code byte
       XRL  A,R2         ; XOR operation
       MOV  @R0,A        ; store actual data
       POP  ACC          ; restore index
       INC  A
       INC  R0
       DJNZ R1,LOOP1

This program dynamically transforms the group of 5 data bytes placed from RAM address 20H onward. Because the initial data group is stored in encrypted form, it has to be converted during program operation, and the converted data is then used by other segments of the program. Here the instruction bytes of the SUB1 program segment (code: 24H, 94H, 63H, 54H, 13H) and the constant 55H are used for dynamic decoding; 55H is the encryption data. After XORing each instruction byte with it, the correct data is stored in the units starting at 20H (the result is 71H, C1H, 36H, 01H, 46H). To illustrate the dynamic data decoding process this example is kept simple; in practice, the address of the data unit can itself be generated by some operation on entry to this program segment, to strengthen the program's resistance to analysis.

2 Program segment modification prevention

In an encryption scheme there will be more than one obstacle. To improve the encryption measures, checking the integrity of the program at some key places is an effective anti-decryption method. For some purposes the decryptor must modify a certain section of program instructions, and program segment modification prevention is the technical means directed at that kind of decryption. To verify the integrity of the encrypted program, instruction or data bytes at key points of the program can be taken as operands of some operation, and the result used as the basis for judging whether the program has been altered. The following is a program segment for program modification prevention:

SUB2:  ADD  A,#35H       ; code bytes 24H 35H
       SUBB A,#05H       ; code bytes 94H 05H
       MOV  DPTR,#SUB2   ; source: the code bytes of SUB2
       MOV  R0,#30H      ; RAM 30H accumulates the check value
       MOV  A,#1         ; index: start at the second code byte
       MOV  R1,#3        ; three more bytes to fold in
       MOV  @R0,#24H     ; the first instruction code of the SUB2 segment is 24H
LOOP2: PUSH ACC          ; save index (PUSH takes a direct address, so ACC rather than A)
       MOVC A,@A+DPTR    ; fetch one code byte
       XRL  30H,A        ; XOR operation
       POP  ACC          ; restore index
       INC  A
       DJNZ R1,LOOP2
       MOV  A,30H
       CJNE A,#80H,ERR   ; compare the result with 80H; branch if the segment was altered
       ; check passed: the normal program continues here (body omitted in the original listing)
ERR:   MOV  A,#0         ; error exit

In the SUB2 program segment some data are calculated by instructions, for example the charging algorithm, and a decryptor always has to modify some instructions to achieve his purpose. The protection, however, sits in the following LOOP2 program segment, which performs a calculation (here an XOR) over the instruction bytes of the SUB2 segment (here 4 bytes are used), and the result directly determines whether the following program executes correctly (the correct calculation result is 80H). If the SUB2 program segment has been changed, the program is led astray in the LOOP2 segment and goes off track without the tracker noticing. If the hardware design includes an electrically erasable EEPROM, the data in the program can further be modified (or deleted), so that the tracker causes "damage" to the device and cannot analyze the program again.
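Both schemes above (the XOR dynamic decode of section 1 and the code-byte check of section 2) can be modelled on a host to verify the stated results. The following is an added example, not the article's code: the 8051 code memory is replaced by constructed byte arrays holding exactly the opcode bytes the article lists, and the two loops are written as C functions so the values 71H C1H 36H 01H 46H and 80H can be checked, along with what happens when one byte of SUB2 is patched.

```c
/* Host-side model of the two 8051 schemes on this page (added example, not the
 * article's code). Code memory is a constructed byte array holding the opcode
 * bytes the article lists: SUB1 = 24 94 63 54 13, SUB2 = 24 35 94 05.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed image of the code bytes at SUB1 (ADD A,#94H ; XRL 54H,#13H). */
static const uint8_t SUB1_CODE[5] = {0x24, 0x94, 0x63, 0x54, 0x13};
/* Constructed image of the code bytes at SUB2 (ADD A,#35H ; SUBB A,#05H). */
static const uint8_t SUB2_CODE[4] = {0x24, 0x35, 0x94, 0x05};

/* Models LOOP1: out[i] = code[i] XOR key (MOVC / XRL A,R2 / MOV @R0,A).
 * XOR is its own inverse, so running it again over the output re-encrypts
 * the data once it has been used, as section 1 requires. */
void xor_decode(const uint8_t *code, size_t n, uint8_t key, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = code[i] ^ key;
}

/* Models the check of section 2: RAM 30H starts as the first code byte, then
 * XRL 30H,A folds bytes 1..n-1 in. Returns the final value (80H when intact). */
uint8_t code_xor_checksum(const uint8_t *code, size_t n)
{
    uint8_t acc = code[0];
    for (size_t i = 1; i < n; i++)
        acc ^= code[i];
    return acc;
}

/* Models CJNE A,#80H,ERR: 1 if the segment is unchanged, 0 if it was altered. */
int segment_intact(const uint8_t *code, size_t n, uint8_t expected)
{
    return code_xor_checksum(code, n) == expected;
}

int main(void)
{
    uint8_t data[5], patched[4];
    xor_decode(SUB1_CODE, 5, 0x55, data);            /* 71 C1 36 01 46 */
    for (int i = 0; i < 5; i++) printf("%02X ", data[i]);
    printf("\nSUB2 checksum: %02X\n", code_xor_checksum(SUB2_CODE, 4));
    /* Any single-byte change to SUB2 (here the immediate of SUBB) fails the check. */
    memcpy(patched, SUB2_CODE, 4);
    patched[3] = 0x06;
    printf("intact: %d, patched: %d\n", segment_intact(SUB2_CODE, 4, 0x80),
           segment_intact(patched, 4, 0x80));
    return 0;
}
```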

The MCU encryption methods introduced above are meant to prevent the decryptor from illegally obtaining the program in ROM, or to prevent the program in ROM from running in a copied MCU system. In practical applications there are many ways to judge whether the program is running normally or being traced. For example, the running time of a certain program segment can be measured with the clock timing and different responses made accordingly, because single-step and continuous execution differ greatly in time. In addition, MCU encryption cannot be limited to one of the above methods, and the anti-tracing method cannot be a single one; several methods must be used in combination to achieve good results. For example, software encryption can be combined with hardware encryption, dynamic decoding can be combined with program anti-modification, and new technologies and methods (such as programmable logic devices) can be fully exploited to make the encryption protection of the MCU more effective.
