How to protect better
(FIRST PHASE of this new section)
by +Rcg, May 1997
Courtesy of Fravia's page
of reverse engineering
~
How to protect better.
1. Why we must do this?
We must learn a lot of new ways to crack and to protect,
(protection=cracking+programming... therefore a more "complete"
work)because as soon Micro$oft "kills" all the few remaining big
software companies, they will begin to "sell" their software.
Or do you really think they will continue all the time
giving their software for free?
Do you really think Money 97 has a toy protection because
they don't know how to protect it better?
This 90 day trial demo is just a "legal" way to defeat all
the others Software developers.
What is more ILEGAL? To sell something at a price lowest than
its developing costs or to teach to crack? And what about selling
at zero price?
When Internet becomes really in a "HighRoad" and you will be able
to download multimegabytes files in few seconds, then the trial
formula will suddendly disappear, and you will pay for every byte and
for every use of the Micro$oft WordProcesor, the Micro$oft SpreadSheet,
you name it, just because in the late '90 they legally "sold" their
software for nothing (defeating all the others software companies).
So we must be prepared for this (or something worse), I personally
think that in a few years, the whole world will be using Windows NT and
nothing else, indipendently from the advantages and disadvantages of this
particular OS.
This OS is more protected, just think how many undocumented
funtions are hidden inside it.
The MS-DOS "little unix" entry will be definitely erased (and or banned)
and programmers will be forced to use Micro$oft functions. We will be at
their feet.
But... here we are (little Frodos)... with the advices of our
master, the "Red" Wizard, we will wage the battle against the
black shadows (and perhaps help in makuing this world a little better).
Remember: there are millions of 'zombies' in the world, it's time
to wake some of them up. Statistically, in my country, people watch TV for
over 3 hours a day....OH!!! MAMMA MIA!!! and I believe that in the States
things are even worse than that.
2. Ok, ok, you have convinced me, but how can I begin?
Simple: download the first's three examples, and learn from
them all you can, and then, try your own protections, use your mind,
donĄt ever be a zombie anymore, spend your useless TV hours developing
your own protections schemes... it's fun and at the same time you will
be preventing your premature cerebral deterioration (known as Alzheimer's
disease) did you know that the TV-drooling zombies have a bigger probability
to catch it?), and then send them to us.
We will publish the best new schemes created by you, thus, more and
more people will have at least some weapons to fight against our common
enemy. This is the reason we ask EXSPECIALLY shareware programmers to help
in this section... strange isn't it? Crackers and Shareware programmers
fighting together... when the crocodile comes, cats and dogs form alliances.
Read first the next guidelines. I know these first three examples
are not the 'panacea' in programing neither in protections, but I think
it's a good, and easy, framework for Newbyes.
Tips:
Example 1: A simple register code scheme.
Example 2: Like 1 plus a NagScreen
(find the trapdoor inside it)
Example 3: Just like 2 but a little WinIce
hostile :-( (You are able to recover the
system, use the stack to find the real
return and restore the stack).
REMEMBER:
DonĄt send us exe files, because we will never execute them. We only
want the sources, we will study them, and then we will compile them, and
then publish them for the HCUkers.
Of course, if you are a little sceptic about this, you can as
well wait 2 weeks, and download only the source with its solution.
Less brain work and less fun, though.
3. What are the usual "approach" metods little crackers use?
Basically (at least until master +ORC teach us other
methods :-) we use two: "Dead listing" and "Debugger tracing".
4. How can we defeat people following these approaches?
4.1. Debugger tracing, is "a priori" the easiest to avoid, just
use the little tricks used in order to know if SoftIce (or any other tsr
debugger) dwells in memory. Read the splendid docoument "WinIce Galore" by
Civetta.
Just look at this:
.
.
lea esi,GetDlgItemTextA
call CheckIce
cmp eax,"ICFI" ;Is Sice Fired?
je Bad_Guy_Crash_system
call esi
.
.
CheckIce:
push esi
push ds
push cs
pop ds ;Now DS=CS
mov esi,[esi+2] ;Get dll function jmp address
mov esi,[esi] ;Get dll function real address
mov eax,[esi] ;Get first bytes of dll function
and eax,0FFh ;Use only first byte
cmp eax,0CCh ;bpxed?
mov eax,"ICFI"
je Ice_Fired
xor eax,eax
Ice_Fired:
pop ds ;Restore ds
pop esi
ret
We can use this simple routine just to know if the little
cracker has commanded a bpx at the next "call dll_function",
exiting (or crashing the system) if Softice is "near".
Another useful anti-debugger trick is:
.
.
mov al,0CCh
mov ecx,Routine_Length
Call Check_CC
Routine_To_Check:
.
.
Check_CC:
mov esi,[esp] ;Ret Address
push ds
push cs
pop ds
Do_More:
cmp al,[esi+ecx]
jne Warning_WinIce_Is_Ahead_Crash_system
loop Do_More
pop ds
ret ;Good Guy
Warning_WinIce_Is_Ahead_Crash_system:
pop cs ;This will crash your system inmediately
ret
What could we use this for?
I.E. to check if actual routine has a "bpx" somewhere or
just to check the entire programm searching for a bpx.
4.2 Once SoftIce is "out of service", Dead listing can be
made more complicated just using indirect calls, like this:
call [Call_Table+4]
this table is in Data segment, so it can be encrypted or loaded at
any time from a file or from whatever hyding ground you can imagine.
You could also use a lot of junk code, and you could "play"
with your stack a lot, this will make the "dead listing" way
horrible... well yes, that's more easy for a single shareware
programmer that may be knows a little assembly than for a big
stupid corporation, which HAS to have clear code in order to
produce quickly, part work among many poor programmerslaves and
try to get a minimum of bugs out... nice sideeffect, isn't it? :-)
5. What is the best way to protect a program?
5.1. Program encrypted (like some viruses) , we avoid totally
Dead Listing and patching as long as the cracker does not find the
encryption routine/schema.
5.2. Self-Modificable Code, look:
push eax
push ebx
Call Check_User_Entry_Code
test eax,eax
je Bad_Guy
nop ;Here we will put the Good_Guy jmp
nop ;it depents of many other calls
nop ;Who knows which?
nop
nop
nop
Bad_Guy: Call Crash_System
5.3. Others methods, simply let your imagination fly!!!!
6. How to implement the techniques we have seen point 5?
VxD. I know this is a big effort, but I'm sure we
will be able to program them in a few months, so we will take
again the control over the system (just like we did in Ms-Dos).
I'm breaking new ground here, therefore I will develop this
as soon as possible.
+rcg 1997
Here we go, download, experiment and learn:
all examples
You are deep inside fravia's page of reverse engineering,
choose your way out:
homepage
links
anonymity
+ORC
students' essays
tools cocktails
search_forms
mailFraVia
Is reverse engineering illegal?