How to protect better
(FIRST PHASE of this new section)

by +Rcg, May 1997


Courtesy of Fravia's page of reverse engineering
~

How to protect better.

1. Why we must do this? We must learn a lot of new ways to crack and to protect, (protection=cracking+programming... therefore a more "complete" work)because as soon Micro$oft "kills" all the few remaining big software companies, they will begin to "sell" their software. Or do you really think they will continue all the time giving their software for free? Do you really think Money 97 has a toy protection because they don't know how to protect it better? This 90 day trial demo is just a "legal" way to defeat all the others Software developers. What is more ILEGAL? To sell something at a price lowest than its developing costs or to teach to crack? And what about selling at zero price? When Internet becomes really in a "HighRoad" and you will be able to download multimegabytes files in few seconds, then the trial formula will suddendly disappear, and you will pay for every byte and for every use of the Micro$oft WordProcesor, the Micro$oft SpreadSheet, you name it, just because in the late '90 they legally "sold" their software for nothing (defeating all the others software companies). So we must be prepared for this (or something worse), I personally think that in a few years, the whole world will be using Windows NT and nothing else, indipendently from the advantages and disadvantages of this particular OS. This OS is more protected, just think how many undocumented funtions are hidden inside it. The MS-DOS "little unix" entry will be definitely erased (and or banned) and programmers will be forced to use Micro$oft functions. We will be at their feet. But... here we are (little Frodos)... with the advices of our master, the "Red" Wizard, we will wage the battle against the black shadows (and perhaps help in makuing this world a little better). Remember: there are millions of 'zombies' in the world, it's time to wake some of them up. Statistically, in my country, people watch TV for over 3 hours a day....OH!!! MAMMA MIA!!! and I believe that in the States things are even worse than that. 2. Ok, ok, you have convinced me, but how can I begin? Simple: download the first's three examples, and learn from them all you can, and then, try your own protections, use your mind, donĄt ever be a zombie anymore, spend your useless TV hours developing your own protections schemes... it's fun and at the same time you will be preventing your premature cerebral deterioration (known as Alzheimer's disease) did you know that the TV-drooling zombies have a bigger probability to catch it?), and then send them to us. We will publish the best new schemes created by you, thus, more and more people will have at least some weapons to fight against our common enemy. This is the reason we ask EXSPECIALLY shareware programmers to help in this section... strange isn't it? Crackers and Shareware programmers fighting together... when the crocodile comes, cats and dogs form alliances. Read first the next guidelines. I know these first three examples are not the 'panacea' in programing neither in protections, but I think it's a good, and easy, framework for Newbyes. Tips: Example 1: A simple register code scheme. Example 2: Like 1 plus a NagScreen (find the trapdoor inside it) Example 3: Just like 2 but a little WinIce hostile :-( (You are able to recover the system, use the stack to find the real return and restore the stack). REMEMBER: DonĄt send us exe files, because we will never execute them. We only want the sources, we will study them, and then we will compile them, and then publish them for the HCUkers. Of course, if you are a little sceptic about this, you can as well wait 2 weeks, and download only the source with its solution. Less brain work and less fun, though. 3. What are the usual "approach" metods little crackers use? Basically (at least until master +ORC teach us other methods :-) we use two: "Dead listing" and "Debugger tracing". 4. How can we defeat people following these approaches? 4.1. Debugger tracing, is "a priori" the easiest to avoid, just use the little tricks used in order to know if SoftIce (or any other tsr debugger) dwells in memory. Read the splendid docoument "WinIce Galore" by Civetta. Just look at this: . . lea esi,GetDlgItemTextA call CheckIce cmp eax,"ICFI" ;Is Sice Fired? je Bad_Guy_Crash_system call esi . . CheckIce: push esi push ds push cs pop ds ;Now DS=CS mov esi,[esi+2] ;Get dll function jmp address mov esi,[esi] ;Get dll function real address mov eax,[esi] ;Get first bytes of dll function and eax,0FFh ;Use only first byte cmp eax,0CCh ;bpxed? mov eax,"ICFI" je Ice_Fired xor eax,eax Ice_Fired: pop ds ;Restore ds pop esi ret We can use this simple routine just to know if the little cracker has commanded a bpx at the next "call dll_function", exiting (or crashing the system) if Softice is "near". Another useful anti-debugger trick is: . . mov al,0CCh mov ecx,Routine_Length Call Check_CC Routine_To_Check: . . Check_CC: mov esi,[esp] ;Ret Address push ds push cs pop ds Do_More: cmp al,[esi+ecx] jne Warning_WinIce_Is_Ahead_Crash_system loop Do_More pop ds ret ;Good Guy Warning_WinIce_Is_Ahead_Crash_system: pop cs ;This will crash your system inmediately ret What could we use this for? I.E. to check if actual routine has a "bpx" somewhere or just to check the entire programm searching for a bpx. 4.2 Once SoftIce is "out of service", Dead listing can be made more complicated just using indirect calls, like this: call [Call_Table+4] this table is in Data segment, so it can be encrypted or loaded at any time from a file or from whatever hyding ground you can imagine. You could also use a lot of junk code, and you could "play" with your stack a lot, this will make the "dead listing" way horrible... well yes, that's more easy for a single shareware programmer that may be knows a little assembly than for a big stupid corporation, which HAS to have clear code in order to produce quickly, part work among many poor programmerslaves and try to get a minimum of bugs out... nice sideeffect, isn't it? :-) 5. What is the best way to protect a program? 5.1. Program encrypted (like some viruses) , we avoid totally Dead Listing and patching as long as the cracker does not find the encryption routine/schema. 5.2. Self-Modificable Code, look: push eax push ebx Call Check_User_Entry_Code test eax,eax je Bad_Guy nop ;Here we will put the Good_Guy jmp nop ;it depents of many other calls nop ;Who knows which? nop nop nop Bad_Guy: Call Crash_System 5.3. Others methods, simply let your imagination fly!!!! 6. How to implement the techniques we have seen point 5? VxD. I know this is a big effort, but I'm sure we will be able to program them in a few months, so we will take again the control over the system (just like we did in Ms-Dos). I'm breaking new ground here, therefore I will develop this as soon as possible. +rcg 1997

Here we go, download, experiment and learn:
all examples


You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms mailFraVia
Is reverse engineering illegal?