Some thoughts on key checking methods that are hard to reverse engineer
by
dph-man
20 January 1998

Hi there...

One of the best serial no. protections I have ever seen was possessed by
a game called Stars! It wasn't hidden. It wasn't hard to find. It wasn't
cunning. It was merely 8k of arithmetical transforms, to drive
anyone trying to crack it insane. It made a keygenerator almost
impossible - I didn't like the game **that** much. I was able to brute
force a serial through the checks, but it was very hard. A patch was
useless, because serial numbers were needed for multiplayer games.



Some thoughts on key checking methods that are hard to reverse engineer:



1. The rcr/rcl trick:

If a rcr/rcl is performed on a value, it becomes much more of a pain to
crack - you can't reverse it by negating its effects without
knowing what the value of the carry flag was before the original
operation. If the carry flag is created as a result of some other pain
in the neck operation, you are probably onto a winner.
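To make the carry-flag point concrete, here is an added example (not code from dph-man's essay): a model of x86 rcr/rcl on a 32-bit register, with a constructed key step in which an add produces CF and an rcr then mixes it in. The constant MAGIC and the transform itself are assumptions for illustration; the model shows that the forward result depends on the incoming CF, and that undoing the step from the 32-bit result alone leaves two candidate serials.

```python
# Added example, not part of the original essay. Models x86 rcr/rcl on a
# 32-bit register: CF:value rotates as a single 33-bit quantity, so one bit
# of state lives in the carry flag.
MASK32 = 0xFFFFFFFF
MAGIC = 0x9E3779B9  # constructed constant for the add that produces CF


def rcr32(value, cf, count=1):
    """rcr reg32, count: rotate CF:value right, one bit per step."""
    for _ in range(count):
        # old low bit becomes the new CF; old CF lands in bit 31
        value, cf = ((cf << 31) | (value >> 1)) & MASK32, value & 1
    return value, cf


def rcl32(value, cf, count=1):
    """rcl reg32, count: the exact inverse of rcr32 for the same count."""
    for _ in range(count):
        value, cf = ((value << 1) & MASK32) | cf, (value >> 31) & 1
    return value, cf


def transform(serial, count=5):
    """Constructed key step: add MAGIC (its carry-out is the CF that feeds
    the rotate), then rcr by `count`. Only the register survives; the CF
    that comes out of the rcr is assumed to be clobbered by later code."""
    total = serial + MAGIC
    cf = total >> 32  # carry out of the 32-bit add
    value, _ = rcr32(total & MASK32, cf, count)
    return value


def invert(value, cf_after, count=5):
    """Undo transform() if the CF that came OUT of the rcr is known."""
    value, _ = rcl32(value, cf_after, count)
    return (value - MAGIC) & MASK32


def candidates(value, count=5):
    """Without that one carry bit, the register alone only narrows the
    original serial down to two possibilities (one per CF value)."""
    return {cf: invert(value, cf, count) for cf in (0, 1)}
```

With rotates chained behind several CF-producing operations, the candidate set doubles at every step whose carry is not recoverable.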



2. Stick conditional jumps in. Everywhere.

Conditional jumps are not fun to reverse engineer. I don't mean a loop,
I mean jumps which conditionally bypass/include portions of your
wonderful key manipulation code. I mean - there is no easy inverse
operation to be performed here.



3. Use portions of the code as magic number tables (preferably critical
sections), so that patching those bytes also changes the constants the
check reads.

You have no idea how annoying this can be, if you're like me and like to
change things around using SoftICE.



4. Play with the cracker's mind.

This one is fun :-) Stick series of nops in, as though you were doing
self-modifying code (oh my god! what the heck! nops? Aha! Self-modifying
code! Idiot spends next three years trying to find the code that should
be there.) Pepper the code with junk instructions. Cut the code up into
little pieces and put them all over the executable, with (preferably
conditional) jumps between them - anything which you would find a pain
in the neck.



5. Detect SoftICE. Early. (Thank you +RCG). Now crash the computer.

You can crash a Pentium or a Pentium with MMX, even without a VxD, with the
opcode sequence F0 0F C7 C8 (an illegal form of the cmpxchg8b instruction
with a lock prefix).
Beyond that, we have to resort to the tried and true methods. Using a
VxD, take the CPU out of protected mode. Windows doesn't like that.
Wonder why?



Just some thoughts :-)

dph-man




You are deep inside fravia's page of reverse engineering, choose your way out:
