protecti.htm: Fravia's "Our protections", a first software anti-cracking lab

How to protect better, by fravia+

project start: may 1997 ~ last update: October 1998

This section is now partly obsolete
go to the HOW TO PROTECT BETTER section.

How to protect better

13 January 1998
Well, dear shareware programmers, if you feel you are advanced enough, and you understand now enough this whole cracking stuff (that is, if you have duly studied a lot of essays) you may now learn and discuss some nice tricks to block any lamer from cracking your code: +RCG has sent for instance a completely new "vxd-cryptological" approach to protecting windoze! (You'll find it inside the Self32 saga) and there is a new heavy protection -ready for you to crack and to learn from- as well :-)

14 January 1998, the day after
Well, Quine has already cracked +RCG's 'heavy' protection... :-(

18 January 1998
Well, here are +RCG's new protection ideas, among other things how to take softice on a boat ride and eventually how to punish stupid crackers... :-)

Old intro (May 1997)
Well, here we go... This whole section is a (very clever) idea from +Rcg
+Rcg's is not a native English speaker (nor am I), and therefore bear with us some language imperfections, as usual only content matters (read knowledge), form and frills may wait. This section could develop and be VERY IMPORTANT for our work, provided many of you will send contributions...

This "protection schemes" section should be very useful for shareware programmers too, in their fight against "moron-pirates" (against real crackers they have of course no chance). The survival of the shareware programmers, strange as it may seem, is OUR CONCERN, as +Rcg explains in his approach... the only enemy of humanity is Micro$oft!
This is the reason we ask SPECIALLY shareware programmers to help in this section... strange isn't it? Crackers and Shareware programmers fighting together... when the crocodile comes, cats and dogs form alliances.

Need new ideas about future protection schemes? Feel free to check our

programmers' corner page as well!

(Of course the more than 200 students' essays will also offer you mighty unvaluable information in order to protect better your programs :-)

HOW TO PROTECT BETTER
(The long road to defeat lamers)

PHASE 1 ~

First attempt, by +Rcg

PHASE 2 ~

Second attempt, by +Sync

PHASE 3 ~

The "Prefetch Instruction Queue" idea, by Camel Eater, 13 Aug 1997

PHASE 4 ~

+Sync's second attempt solution, by +Sync, 14 Aug 1997

PHASE 5 ~

Prefetch Instruction Queue considerations, by Heres, 16 Sep 1997

PHASE 6 ~

PIQ + Pentium, + some general protection thoughts for the HCU, by g(ar), 21 Nov 1997

PHASE 7 ~ +RCG's Self32 saga and beyond
('course only for advanced crackers and advanced protectors :-)

self32.zip, by +RCG, 29 Nov 1997... download icname.dat AND self32.exe and crack it!

first answer, by Zer0+ (26 December 1997)

Enjoy +RCG's

self32 solution! __NEW__
Here you have some tasty snippets out of it:


- Create a Self-Modificable code on the fly 

- modify VxD without restrictions

- if destination is a code segment then it is forbidden to write into it 

  and an exception is generated (and trapped... giving us the error code)

The "self32 solution" link above is at the same time the road to +RCG's new protection approach and his two splendid essays:

CRYPTOGRAPHY AND MATHEMATICS OF CHAOS! __NEW__
and
A FIRST INTRODUCTION TO VxD! __NEW__
In fact +RCG has opened a COMPLETELY NEW AND ADVANCED path with his two essays and with the accompaning programs and source code. Therefore I have decided to link them in an 'unusual' way, to filter lamers and newbyes a little and awaiting +RCG's updates and new promised goodies. He writes: "Soon more (but you must work on your own)" and he's right, of course. This is a WORK IN PROGRESS new section, that will -for obvious reasons- get along our new 1998 +HCU's project 'Our tool' (API monitoring and vxd magic), which starts in these days on the ristrected maillist. So you better contribute (and I mean contribute with some interesting stuff) if you want to remain on this bandwagon... to cite +RCG's words:

you must know that a VxD can do everything

we want, no more Ring3 restrictions, you can

stop completely the system, read or write any

memory address, hook all interrupts or exceptions,

take control of the IO ports

PHASE 8 ~

Flipper's Visual Basic 5 tough protection, by +flipper, 06 Dec 1997
(as the name says... tough Visual Basic 5 protection!)

You'll find inside this same protection tutorial a couple of solutions as well:
-----------------------------------------------------------------------------------
The first solution, by r0ketman (December 1997)
and an answer by flipper (December 1997)
and another solution, by +Rcg (December 1997)
and another answer by flipper (26 December 1997) __NEW__

Average +HCU "deep" cracking time: three to five days :-)

PHASE 9 ~

Fooling Disassemblers (Protecting Applications Against Disassembly), by Snatch, 07 Dec 1997
(The "non-conditional" conditional jump and other tricks)

PHASE A ~

Advanced protection schemes, by tibit, 13 Dec 1997
(How to defeat us crackers at our own game :-)

PHASE B ~

+RCG's heavy protection, by +RCG, 13 Jan 1998 __NEW__

C'mon, everyone: crack the vxd based protection scheme of this official HCU protector program!

Here is what +RCG himself writes about all this

BTW, this doc will teach you to protect, and I will also

attach "the official HCU protector program" and then we

will wait for someone able to reverse it.

Don't worry: I will explain you how it works (I will attach 

the source as well, yet this won't help you too much from

a cracking point of view).

See above the Self32 saga in order to read +RCG's new CRYPTOGRAPHY AND MATHEMATICS OF CHAOS and A FIRST INTRODUCTION TO VxD essays!

Quine's Quick Qrack And on 15 January 1998 -a day after having released +RCG's heavy protection- I have already received a quick solution by nothing less than Quine. +RCG, my friend, I believe we will have to start to prepare "specific" protections against +HCUkers... the only question is: how?

fravia+,



	In taking a break from putting the finishing touches on my HASP

essay (!), I took a look at +RCG's heavy.exe.  It was quite interesting

because his method has weaknesses that are similar to those I found

with the hasp encryption.  The solution, by the way, is to create a

10h byte long file called key.dat which contains 00h through 0Fh.  The

key, as +RCG tells us is too easy, but even with a completely random

key of 10h bytes it would have taken about 2 minutes to find it.  I'm

not going to explain how I figured out that it was a 10h byte string

xor'd with the code from 4012B9h to 401300h because it's fairly easy

to figure that out.  Here's how to find the key.  Isolate the

encrypted bytes in their own file, load that file in HexWorkshop, and

print it out.  You Should have something that looks like this:



00000000 6A31 6A51 2545 066D 08E1 A30A 0C0D 66F7

00000010 2041 02FC 710D EEFD 0809 0AB5 B51F 4E0F

00000020 8934 5223 4405 B906 1B49 0A20 F284 3343

00000030 2041 02BD 6025 4607 813C 422B 4C0D C90A

00000040 4421 4203 0B05 0607



Isn't it convenient how it's lined up so that the first byte of the

key is xor'd with the first byte in each of the rows, and so on with

the second, third, ....  I will refer to bytes in the grid above by

their row and column using hexadecimal and starting with 0.  So, (0,0)

is the first byte and (4,7) is the last.  Ok, here's the weakness of

+RCG's method:  he left the relocation table untouched and there are 9

relocations within the encrypted code.  A relocation entails a four

byte absolute address, usually into the data section.  IDA, to make

things convenient, tells us where these relocations are after we make

the encrypted code undefined.  We know that these addresses will start

with at least 0040 and most of them with 004020 (since that's where

the data section is).  The addresses are at: (0,0), (0,f), (1,c),

(2,2), (2,7), (2,f), (3,4), (3,a), (4,0).  Even if we assume only that

they all start with 0040, that means that we can deduce all but bytes

0, 3, 8, and b of the key right off the bat.  Working on the 004020

assumption (which is correct in all but one case) we can deduce

everything except for byte 8 (needless to say, I had seen the pattern

way before this, but I wanted to explain how it would work for any

key).  However, since we know everything else at this point it would

be fairly simple work to deduce byte 8.  I address a lot of issues

related to this in the hasp essay (they use a 1000h byte long string

for xor'ing) and suggest a more airtight protection method.



P.S.  A further consequence of +RCG's neglect of relocations is that

the program will crash if it is ever relocated by the operating

system.  This is not bound to happen to an exe, but it is extremely

likely with a dll, in which case the operating system will start

adding values to bytes within the encrypted code and that will lead to

an inevitable crash.



Later,

Quine

18 January 1998
Of course things do NOT finish here... and +RCG has sent some new (and very interesting) protection ideas... I'm sure that you'll find the short essay by +RCG: HOW TO PROTECT SOFTWARE BETTER - Part II very instructive. It deals, among other things, with the following questions: Purpose of the "Our protection" section; The "delayed" protection scheme of the future; The Port 70/71 trick; How to take Softice on a boat ride; Softice breakpoint magic explained and defeated.

25 February 1998
A tough assembly protection: crack_me.htm
by +Aesculapius
A beautiful, great contribution by +Aesculapius, who gathers some ideas from Madmax's letters (see below) and has prepared for you a real "cake": aescul.zip ready? steady? Go!

28 February 1998
jackrev.htm: Reversing +Aesculapius, A complete explanation of a very good assembler protection
by Jack of Shadows
A beautiful, great solution by Jack of Shadows!

01 March 1998
aescures.htm: +Aesculapius' Answer to Jack of Shadows and +Seniors
Lotta important things for protectors and crackers alike!

10 March 1998
zelazny.zip: Jack of Shadows Answer: a modified 'Aesculapius_type' advanced protection
Is getting hot interesting for protectors and crackers alike!

12 November 1998
jn_essay.zip: NiKoDeMoS' The New Chaos Protection
'Welcome to a new era of protection, via the route of chaos'

A letter by Madmax! Not everybody agrees with "higher language" protections... here a letter I have received from Madmax! on 18 Sep 97... (I'm sure that most readers of my site know that Madmax! is NOT 'a nobody' :-)



heya fravia+,



its madmax here...i just wanted to comment on the Protecti project, many

of us crackers are a little discouraged about the format involved

here..To have such protectionists that crackers are to write a scheme in

a high level language is rather unfair i'd think...After briefly viewing

over +sync's test, i was afraid to see call after call of manipulating

code..So, i just think that any test for crackers should be written in

Assembly...To further prove my point, I could simply load up Visual

Basic 5(dont hate me for saying that =) and make a simple routine that

would be near impossible to trace...Think about it please...BTW: I

represent some cracker's from IRC also that have agreed, so consider it

please!



see ya,

madmax!

Well, what do YOU say about this matter? Any questions/advices/propositions?
Madmax! is right, as much as an assembly 'pure' good protection is much more difficult to hyde inside calls after calls of overbloated code. Yet I believe that for instance +RCG's 'heavy' protection proves that you can write a (fairly) good protection scheme in windoze, using an exe and a vxd that together sum to less than 15.000 bytes (OK, OK, I know, 15.000 bytes are quite a lot already). Besides, like it or not, most "programmers" out there would not know how to program in assembly anyway, and are lobotomized by the overbloated programming 'languages' of to-days 'frilly' trends, so they need some protection too, don't they?
Well, what do YOU say about this matter? Any questions/advices/propositions?

Here is sanity_sync's answer (15 January 1998):



I say:



your point is well stated. it makes sense not to program cracker

protections in assembly because that is not the kind of experience 

crackers need at this time (unless they are cracking dos apps).

can i make some recommendations for your protecti.htm page? 

Here's what i would like to see:



   stages of protection- ie; easy, medium, difficult, expert

   we need stages in courses like these, and we need to show

   not only HOW to write good protections, but give good SOLUTIONS,

   so a beginner can see how it was cracked, and so crackers

   can practice at whatever skill level they choose. In other

   words, not only improving the quality of the protection but

   also the quality of the cracker! a step by step will make the

   learning curve MUCH easier. 



sanity_sync__

You are deep inside fravia's page of reverse engineering, choose your way out: