Jailbreak Defense
Hardening Nimbus against loader unpacking, memory-dump extraction, and runtime tampering through layered anti-analysis techniques.
Threat Model
Attackers target the loader-to-payload handoff window. Common vectors include dumping the decrypted payload from memory after Themida unwraps, patching license checks in-memory, and replaying captured heartbeat responses. Defense requires making each of these paths expensive enough that the economics favor purchasing a license.
Layer 1 — Anti-Dump
- Strip PE headers from the mapped payload image immediately after TLS callbacks complete. Set IMAGE_DOS_HEADER.e_magic to zero and overwrite the NT headers region with random bytes.
- Register a vectored exception handler that triggers on EXCEPTION_ACCESS_VIOLATION. On read access to the stripped header region, terminate the process silently.
- Scatter critical license state across heap allocations protected by guard pages — any sequential dump tool hits PAGE_GUARD and faults.
Layer 2 — Integrity Monitoring
- Compute a rolling HMAC-SHA256 of the .text section every 30 seconds from a dedicated watchdog thread. Compare against the link-time baseline stored in a read-only section.
- Walk the IAT at runtime and verify each resolved function pointer still points within the expected module address range. Flag any redirect to unknown memory.
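The two Layer 2 checks reduce to a MAC comparison over a byte range and a range check over a pointer table. The following is an added illustration of that watchdog logic, not code from the Nimbus loader: the section bytes, the watchdog key, the module map and the IAT snapshot are all constructed here, and `watchdog_tick` stands in for one iteration of the 30-second thread.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed stand-in for the mapped .text section (a real watchdog reads the
# live bytes between the section header's VirtualAddress and VirtualSize).
SECTION_BYTES = bytes(range(256)) * 16
# Constructed key; the page keeps the baseline MAC in a read-only section.
WATCHDOG_KEY = b"link-time-watchdog-key-example"


def section_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Link-time baseline, computed once over the pristine section.
BASELINE = section_mac(WATCHDOG_KEY, SECTION_BYTES)


def text_intact(key: bytes, baseline: bytes, current: bytes) -> bool:
    """True when the live .text bytes still match the link-time baseline."""
    return hmac.compare_digest(baseline, section_mac(key, current))


def patch(data: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Constructed stand-in for an in-memory patch of the code section."""
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]


Module = namedtuple("Module", "name base size")
# Constructed module map; real code enumerates loaded modules from the loader data.
MODULES = [
    Module("kernel32.dll", 0x7FF8_0000_0000, 0xC0000),
    Module("ntdll.dll",    0x7FF8_0010_0000, 0x1F0000),
]
# Constructed IAT snapshot: import name -> resolved pointer.
SAMPLE_IAT = {
    "CreateFileW":               0x7FF8_0000_1234,
    "NtQueryInformationProcess": 0x7FF8_0010_5678,
    "GetTickCount":              0x0000_0200_0000_1000,  # lands outside every module
}
# Module each import is expected to resolve into (recorded at load time).
EXPECTED_OWNER = {
    "CreateFileW": "kernel32.dll",
    "NtQueryInformationProcess": "ntdll.dll",
    "GetTickCount": "kernel32.dll",
}


def module_for(addr: int, modules):
    """Name of the module whose mapped range contains addr, or None."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def iat_redirects(iat, expected_owner, modules):
    """(import, pointer, actual owner) for every entry outside its expected module."""
    flagged = []
    for name, ptr in iat.items():
        owner = module_for(ptr, modules)
        if owner != expected_owner[name]:
            flagged.append((name, ptr, owner))
    return flagged


def watchdog_tick(key, baseline, section, iat, expected_owner, modules):
    """One pass of the watchdog thread; an empty list means nothing was flagged."""
    findings = []
    if not text_intact(key, baseline, section):
        findings.append(".text MAC mismatch")
    for name, ptr, owner in iat_redirects(iat, expected_owner, modules):
        findings.append(f"IAT redirect: {name} -> {ptr:#x} ({owner or 'unmapped'})")
    return findings


if __name__ == "__main__":
    for line in watchdog_tick(WATCHDOG_KEY, BASELINE, SECTION_BYTES,
                              SAMPLE_IAT, EXPECTED_OWNER, MODULES):
        print(line)
    print(text_intact(WATCHDOG_KEY, BASELINE, patch(SECTION_BYTES, 0x40, b"\x90\x90")))
```

The check is only as trustworthy as the thread that runs it: the key and baseline live inside the same image the watchdog protects, so a local MAC catches naive patches and hooked imports but cannot by itself survive a patch to the watchdog. That is the gap Layer 4 closes by moving the comparison to the license server.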
Layer 3 — Anti-Debug
- Aggregate PEB.BeingDebugged, NtGlobalFlag, and ProcessDebugPort via direct syscalls. On any positive signal, corrupt the license cache and exit without an error message.
- Scan for hardware breakpoints (DR0–DR3) by reading the debug registers from a VEH context. Clear them and set a tamper flag.
Layer 4 — Heartbeat Binding
License heartbeats include a server-signed nonce derived from the current .text hash. If the hash changes between heartbeats, the server rejects the session. This binds the license to the exact binary image, making patching infeasible without also breaking the Ed25519 signature chain.
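The heartbeat exchange, with both the loader and the server side, as an added simulation that is not part of the Nimbus loader or its server: the section bytes, session id and server key are constructed, and HMAC-SHA256 is used as a stand-in for the Ed25519 signature so the example runs on the standard library alone (in the real scheme the client holds only the public verification key). The signature covers the session id, the heartbeat counter and the .text hash the client sent as well as the server's nonce, which is what makes a captured response useless against a later heartbeat.

```python
import hashlib
import hmac

# Constructed stand-in for the loader's mapped .text section.
TEXT_SECTION = bytes(range(256)) * 8
# Constructed key, standing in for the server's Ed25519 signing key.
SERVER_KEY = b"heartbeat-server-key-example"


def text_hash(section: bytes) -> bytes:
    """Hash of the code image that the license session is bound to."""
    return hashlib.sha256(section).digest()


def _signed_message(session_id: bytes, counter: int, th: bytes, nonce: bytes) -> bytes:
    # Every field the client sent, plus the server nonce, is under the signature.
    return b"|".join([session_id, counter.to_bytes(4, "big"), th, nonce])


class HeartbeatServer:
    def __init__(self, key: bytes):
        self.key = key
        self.bound = {}  # session_id -> .text hash seen at the first heartbeat

    def heartbeat(self, session_id: bytes, counter: int, th: bytes):
        """Return (nonce, signature), or None to reject the session."""
        first = self.bound.setdefault(session_id, th)
        if not hmac.compare_digest(first, th):
            return None  # image changed since the session was bound
        nonce = hmac.new(self.key, b"nonce" + _signed_message(session_id, counter, th, b""),
                         hashlib.sha256).digest()
        sig = hmac.new(self.key, _signed_message(session_id, counter, th, nonce),
                       hashlib.sha256).digest()
        return nonce, sig


class LoaderClient:
    def __init__(self, verify_key: bytes, section: bytes, session_id: bytes):
        self.key = verify_key
        self.section = section
        self.session_id = session_id
        self.counter = 0

    def accept(self, resp, counter: int, th: bytes) -> bool:
        """Verify a server response against what this heartbeat actually sent."""
        if resp is None:
            return False
        nonce, sig = resp
        expected = hmac.new(self.key, _signed_message(self.session_id, counter, th, nonce),
                            hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)

    def heartbeat(self, server: HeartbeatServer) -> bool:
        self.counter += 1
        th = text_hash(self.section)
        return self.accept(server.heartbeat(self.session_id, self.counter, th), self.counter, th)


def run_demo() -> dict:
    """Three heartbeats: clean, a replayed earlier response, and a patched image."""
    server = HeartbeatServer(SERVER_KEY)
    client = LoaderClient(SERVER_KEY, TEXT_SECTION, b"session-42")
    results = {"clean_heartbeat": client.heartbeat(server)}

    # A response captured for counter 1 is presented again for counter 2.
    th = text_hash(client.section)
    captured = server.heartbeat(client.session_id, client.counter, th)
    client.counter += 1
    results["replayed_response_accepted"] = client.accept(captured, client.counter, th)

    # One byte of the code image is changed after the session was bound.
    client.section = TEXT_SECTION[:100] + b"\x90" + TEXT_SECTION[101:]
    results["patched_heartbeat"] = client.heartbeat(server)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the server remembers the hash it bound at the first heartbeat, a change to the image does not merely produce a different nonce; the session is refused outright, and a new session would bind to the modified image only if the server also accepts that hash as a known-good build, which is the policy decision the signature chain on the page enforces.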
These techniques ship in the Nimbus loader as of build 2026.05. For integration guidance, see the Loader Architecture reference.