The developer chooses which functions of the program to protect, either manually or automatically. Guardant Armor is then applied, which protects these functions from reverse engineering. The output is an application with "cut functions", together with a special container in the form of a DLL, which holds those functions in protected form.
Obfuscation is a set of technologies for complicating the code of a protected application. After it is applied, the program retains its functionality in full, but the program code becomes so complex that it is almost impossible to analyze.
Code mutation is an obfuscation method in which the original control flow graph is supplemented with junk instructions, branches, loops, and even additional logic. As a result, it becomes difficult to determine whether the section of code under analysis belongs to the original program or is a dummy.
Code virtualization is an obfuscation method in which the source machine code of an application is translated into the instructions of a unique virtual machine generated during the application protection process. These instructions are interpreted directly at the time of program execution.
A distinctive feature of this technology is that each time the same application is protected, new instructions with different logic and a different set of commands are generated, and they can be executed only on the virtual machine for which they were generated.
Virtualization ensures the absence of permanent signatures in the program code, countering deployment attempts, integrity control, etc.
An envelope is the packaging and encryption of sections of a protected file. During the launch of the protected application, a special loader decompresses and decrypts the file before control is transferred to the original entry point. The application is encrypted with a symmetric cryptographic algorithm, the key to which is usually stored in an external security component (hardware or software key).
If obfuscation technologies are applied to every section of the code, the application can slow down significantly, and sections that are of absolutely no value to an attacker end up protected as well. Profiling technology is used to maintain execution speed while still protecting the important parts of the code: the protected application undergoes thorough static and dynamic analysis, which determines the optimal list of functions to protect.
Code virtualization makes reverse engineering of a protected application difficult and provides a high level of copy protection.
The selected code sections are converted into the command system (bytecode) of a unique virtual machine, which ensures their execution at the right moment. The resulting bytecode is divided into blocks and securely encrypted. During execution, only the block of bytecode currently needed is held in the computer's memory, which protects the application from being dumped.
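The per-build virtual machine and the block-wise encrypted bytecode described above can be illustrated with a toy model. This is an added example, not Guardant Armor's code. The four-instruction stack machine, the SHA-256 keystream standing in for a real cipher, and all names (`protect`, `run`, `runs_on`) are assumptions made for the illustration.

```python
import hashlib
import random

OPS = ["PUSH", "ADD", "MUL", "HALT"]  # abstract instruction set of the toy VM
BLOCK = 4                             # bytes per encrypted block (two 2-byte instructions)

def _xor_block(key: bytes, index: int, data: bytes) -> bytes:
    # Toy keystream (SHA-256 of key + block index); a stand-in for a real cipher.
    ks = hashlib.sha256(key + index.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def protect(program, seed):
    """Translate (op, operand) pairs into encrypted bytecode for a per-build VM."""
    rng = random.Random(seed)  # seeded only so the demo is repeatable
    encode = dict(zip(OPS, rng.sample(range(256), len(OPS))))  # new opcode numbering
    key = bytes(rng.randrange(256) for _ in range(16))
    raw = bytes(b for op, arg in program for b in (encode[op], arg))
    blocks = [_xor_block(key, i // BLOCK, raw[i:i + BLOCK])
              for i in range(0, len(raw), BLOCK)]
    return {"decode": {v: k for k, v in encode.items()}, "key": key, "blocks": blocks}

def run(vm, blocks):
    """Interpret the blocks on vm, decrypting one block at a time."""
    stack = []
    for index, enc in enumerate(blocks):
        plain = _xor_block(vm["key"], index, enc)  # only this block is in the clear
        for pos in range(0, len(plain), 2):
            op = vm["decode"].get(plain[pos])
            if op == "PUSH":
                stack.append(plain[pos + 1])
            elif op == "ADD":
                stack.append(stack.pop() + stack.pop())
            elif op == "MUL":
                stack.append(stack.pop() * stack.pop())
            elif op == "HALT":
                return stack.pop()
            else:
                raise ValueError("opcode unknown to this VM")
    raise ValueError("program ended without HALT")

def runs_on(vm, blocks):
    try:
        return run(vm, blocks) is not None
    except (ValueError, IndexError):  # foreign bytecode decodes to garbage
        return False

# Constructed sample program: (2 + 3) * 7
PROGRAM = [("PUSH", 2), ("PUSH", 3), ("ADD", 0), ("PUSH", 7), ("MUL", 0), ("HALT", 0)]
build_a = protect(PROGRAM, seed=1)
build_b = protect(PROGRAM, seed=2)
```

Both builds compute the same result from different bytes, so a byte signature taken from one build does not match the other, and bytecode from one build fails on the other build's interpreter.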
The ability to protect multiple executable files simultaneously allows you to further confuse the logic of application execution. All calls are routed to a single dynamic library that stores the bytecode common to all files and the virtual machine. At the same time, each protected file is packaged and encrypted (covered with an envelope).