How to protect better
(FIRST PHASE of this new section)
by +Rcg, May 1997
Courtesy of Fravia's page
of reverse engineering
1. Why must we do this?
We must learn a lot of new ways to crack and to protect
(protection = cracking + programming, therefore a more "complete"
kind of work), because as soon as Micro$oft "kills" all the few remaining
big software companies, they will begin to "sell" their software.
Or do you really think they will go on giving their software away
for free forever?
Do you really think Money 97 has a toy protection because
they don't know how to protect it better?
This 90-day trial demo is just a "legal" way to defeat all
the other software developers.
What is more ILLEGAL? To sell something at a price lower than
its development costs, or to teach cracking? And what about selling
at zero price?
When the Internet really becomes a "HighRoad" and you are able
to download multi-megabyte files in a few seconds, then the trial
formula will suddenly disappear, and you will pay for every byte and
for every use of the Micro$oft WordProcessor, the Micro$oft SpreadSheet,
you name it, just because in the late '90s they legally "sold" their
software for nothing (defeating all the other software companies).
So we must be prepared for this (or something worse). I personally
think that in a few years the whole world will be using Windows NT and
nothing else, independently of the advantages and disadvantages of this.
This OS is more protected: just think how many undocumented
functions are hidden inside it.
The MS-DOS "little unix" entry will definitely be erased (and/or banned)
and programmers will be forced to use Micro$oft functions. We will be at
But... here we are (little Frodos)... with the advice of our
master, the "Red" Wizard, we will wage the battle against the
black shadows (and perhaps help in making this world a little better).
Remember: there are millions of 'zombies' in the world; it's time
to wake some of them up. Statistically, in my country, people watch TV for
over 3 hours a day... OH!!! MAMMA MIA!!! and I believe that in the States
things are even worse than that.
2. Ok, ok, you have convinced me, but how can I begin?
Simple: download the first three examples, learn from
them all you can, and then try your own protections; use your mind,
don't ever be a zombie anymore, spend your useless TV hours developing
your own protection schemes... it's fun, and at the same time you will
be preventing your premature cerebral deterioration (known as Alzheimer's
disease; did you know that TV-drooling zombies have a higher probability
of catching it?), and then send them to us.
We will publish the best new schemes created by you; thus, more and
more people will have at least some weapons to fight against our common
enemy. This is the reason we ask ESPECIALLY shareware programmers to help
in this section... strange, isn't it? Crackers and shareware programmers
fighting together... when the crocodile comes, cats and dogs form alliances.
Read the following guidelines first. I know these first three examples
are not the 'panacea' either in programming or in protections, but I think
they are a good, and easy, framework for newbies.
Example 1: A simple register code scheme.
Example 2: Like 1, plus a NagScreen
           (find the trapdoor inside it).
Example 3: Just like 2, but a little WinIce-hostile :-(
           (You are able to recover the system: use the
           stack to find the real return address and
           restore the stack.)
Don't send us exe files, because we will never execute them. We only
want the sources: we will study them, then compile them, and then
publish them for the HCUkers.
Of course, if you are a little sceptical about this, you can as
well wait 2 weeks and download only the source with its solution.
Less brain work and less fun, though.
3. What are the usual "approach" methods little crackers use?
Basically (at least until master +ORC teaches us other
methods :-) we use two: "Dead listing" and "Debugger tracing".
4. How can we defeat people following these approaches?
4.1. Debugger tracing is "a priori" the easiest to avoid: just
use the little tricks that tell you whether SoftIce (or any other TSR
debugger) dwells in memory. Read the splendid document "WinIce Galore" by
Just look at this fragment:
    cmp  eax,"ICFI"     ; is SoftIce fired up?
    pop  ds             ; now DS = CS
    mov  esi,[esi+2]    ; ESI -> "jmp dword ptr [slot]" (FF 25 slot) of the
                        ; dll function: fetch the address of its import slot
    mov  esi,[esi]      ; read the slot: the real address of the dll function
    mov  eax,[esi]      ; first four bytes of the dll function
    and  eax,0FFh       ; keep only the first byte (its opcode)
    cmp  eax,0CCh       ; 0CCh = INT 3: a bpx has been set on it
    pop  ds             ; restore DS
We can use this simple routine to know whether the little
cracker has set a bpx on the next "call dll_function",
exiting (or crashing the system) if SoftIce is "near".
Another useful anti-debugger trick is:
    mov  esi,[esp]      ; return address
    ret                 ; good guy: return normally, never reach the next byte
    pop  cs             ; assemble as db 0Fh: POP CS exists only on the 8086,
                        ; on a 386 0Fh is the two-byte opcode escape, so this
                        ; will crash your system immediately
What could we use this for?
For example, to check whether the current routine has a "bpx" somewhere,
or to scan the entire program for a bpx.
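The check described in 4.1, carried one step further, as an added example in C (this is not +Rcg's code; the "routine" is a constructed byte buffer that is only read, never executed, so it runs on any platform). It shows the first-byte INT 3 test from the listing, the naive whole-routine scan for 0CCh that the last sentence suggests, and a checksum comparison over the routine's bytes (32-bit FNV-1a, an arbitrary choice for the example). The checksum catches a bpx at any offset, and any other patch, without the false alarms a raw scan for 0CCh raises when that byte sits inside an immediate or a displacement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3_OPCODE 0xCC   /* one-byte INT 3: what a SoftIce bpx writes over the target */

/* Constructed sample routine (x86 machine code, used as data only, never run):
 *   B8 CC 00 00 00   mov eax,0CCh   <- a legitimate 0CCh byte inside an immediate
 *   C3               ret                                                        */
const uint8_t pristine[] = { 0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3 };

/* The page's own check: does the routine start with INT 3? */
int entry_has_bpx(const uint8_t *code)
{
    return code[0] == INT3_OPCODE;
}

/* Naive scan of the whole routine for 0CCh. Caveat: the byte can occur
 * legitimately inside a multi-byte instruction, so this gives false alarms. */
int region_contains_int3(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == INT3_OPCODE)
            return 1;
    return 0;
}

/* Checksum of the routine's bytes (32-bit FNV-1a). Compared with a reference
 * computed over the pristine bytes at build time, it flags a bpx at any offset
 * and any other patch, with no false positives on legitimate 0CCh bytes. */
uint32_t code_checksum(const uint8_t *code, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Tampered if the entry carries INT 3 or the checksum no longer matches. */
int routine_tampered(const uint8_t *code, size_t len, uint32_t reference)
{
    return entry_has_bpx(code) || code_checksum(code, len) != reference;
}

/* Copy the sample routine into dst with one byte replaced: simulates a cracker
 * planting a bpx (0CCh at offset 0) or patching an instruction. Returns the
 * number of bytes copied, 0 if dst is too small or the offset is out of range. */
size_t copy_patched(uint8_t *dst, size_t dstlen, size_t off, uint8_t byte)
{
    size_t n = sizeof pristine;
    if (dstlen < n || off >= n)
        return 0;
    memcpy(dst, pristine, n);
    dst[off] = byte;
    return n;
}

/* Scenario helpers: each returns 1 when the checks behave as intended. */
int demo_pristine_passes(void)
{
    uint32_t ref = code_checksum(pristine, sizeof pristine);
    return !routine_tampered(pristine, sizeof pristine, ref);
}

int demo_naive_scan_false_alarm(void)
{
    /* the pristine routine holds 0CCh in an immediate, yet carries no bpx */
    return region_contains_int3(pristine, sizeof pristine) && !entry_has_bpx(pristine);
}

int demo_entry_bpx_caught(void)
{
    uint8_t buf[sizeof pristine];
    uint32_t ref = code_checksum(pristine, sizeof pristine);
    copy_patched(buf, sizeof buf, 0, INT3_OPCODE);
    return routine_tampered(buf, sizeof buf, ref);
}

int demo_patch_past_entry_caught(void)
{
    /* ret replaced by nop: nothing at the entry, only the checksum sees it */
    uint8_t buf[sizeof pristine];
    uint32_t ref = code_checksum(pristine, sizeof pristine);
    copy_patched(buf, sizeof buf, sizeof pristine - 1, 0x90);
    return !entry_has_bpx(buf) && routine_tampered(buf, sizeof buf, ref);
}

int main(void)
{
    printf("pristine passes:         %d\n", demo_pristine_passes());
    printf("naive scan false alarm:  %d\n", demo_naive_scan_false_alarm());
    printf("entry bpx caught:        %d\n", demo_entry_bpx_caught());
    printf("patch past entry caught: %d\n", demo_patch_past_entry_caught());
    return 0;
}
```

Which check to run where is the real design question: the first-byte test is cheap and catches the usual bpx on a dll entry; the checksum is what you want over your own protection routine, because it also catches a patched conditional jump; a raw scan for 0CCh should only ever be a hint, never a reason to crash the user's machine.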
4.2 Once SoftIce is "out of service", dead listing can be
made more complicated just by using indirect calls through a table of
routine addresses: this table is in the data segment, so it can be
encrypted, or loaded at any time from a file or from whatever hiding
ground you can imagine.
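Such a call table, as an added example in C (not code from the page; the XOR masking, the key value and the three routines are assumptions made for the example): the targets sit in the data segment masked with a key, the call site only does an index lookup and an unmask, and the table is filled at start-up, exactly as it would be after decrypting it or reading it from a file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* The real routines (constructed for the example). Nothing in the image
 * calls them by name: the only reference is the masked table. */
static int check_serial(int x) { return x * 3 + 1; }
static int show_nag(int x)     { return x - 7; }
static int good_guy(int x)     { return x + 1000; }

#define TABLE_SIZE  3
#define DEFAULT_KEY ((uintptr_t)0xA5A5A5A5u)  /* constructed; derive it at run time in a real scheme */

/* Lives in the data segment. Holds pointer bits XORed with table_key, so a
 * dead listing of the data shows no function addresses either. */
static uintptr_t masked_table[TABLE_SIZE];
static uintptr_t table_key;                    /* 0 = table not built yet */

static handler_t real_target(size_t i)
{
    static const handler_t real[TABLE_SIZE] = { check_serial, show_nag, good_guy };
    return real[i];
}

/* Fill the table at run time with the given key. In a real scheme the masked
 * values would be read from a file or decrypted here, and the key derived from
 * something the cracker has to get right (a checksum of the code, the serial). */
void build_table(uintptr_t key)
{
    table_key = key;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        masked_table[i] = (uintptr_t)real_target(i) ^ key;
}

static void ensure_table(void)
{
    if (table_key == 0)
        build_table(DEFAULT_KEY);
}

/* The call site: unmask, then "call [table + idx*ptrsize]". A bounds check
 * keeps a corrupted index from jumping into the void. */
int dispatch(size_t idx, int arg)
{
    ensure_table();
    if (idx >= TABLE_SIZE)
        return -1;
    handler_t fn = (handler_t)(masked_table[idx] ^ table_key);
    return fn(arg);
}

/* 1 if no table entry equals a real routine address (the masking hides every
 * target); 0 if a key of zero left a target in clear. */
int table_hides_targets(void)
{
    ensure_table();
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (masked_table[i] == (uintptr_t)real_target(i))
            return 0;
    return 1;
}

int main(void)
{
    build_table((uintptr_t)0x1234ABCDu);           /* any non-zero key works */
    printf("check_serial(4) via table: %d\n", dispatch(0, 4));    /* 13 */
    printf("show_nag(10) via table:    %d\n", dispatch(1, 10));   /* 3 */
    printf("good_guy(1) via table:     %d\n", dispatch(2, 1));    /* 1001 */
    printf("targets hidden:            %d\n", table_hides_targets());
    return 0;
}
```

The point for the dead lister is that every call site now looks the same ("call [table+idx*4]") and the data segment holds no address he recognises. The point for you is where the key comes from: if it is a constant in the code, it is one more thing to find; if it is computed from a checksum of the protection routine itself, a patched routine produces a wrong key and the first indirect call lands anywhere but where the cracker expected.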
You could also use a lot of junk code, and you could "play"
with your stack a lot; this will make the "dead listing" way
horrible... well yes, that's easier for a single shareware
programmer who maybe knows a little assembly than for a big
stupid corporation, which HAS to have clear code in order to
produce quickly, share the work among many poor programmer-slaves and
try to get a minimum of bugs out... nice side effect, isn't it? :-)
5. What is the best way to protect a program?
5.1. Program encrypted (like some viruses): we avoid dead
listing and patching completely, as long as the cracker does not find the
5.2. Self-modifying code, look:
    nop                 ; here we will put the Good_Guy jmp at run time
    nop                 ; (three bytes: room for a 2-byte short jmp);
    nop                 ; which bytes go here depends on many other calls, who knows which?
Bad_Guy: call Crash_System  ; what a plain fall-through hits until the jmp is written
5.3. Other methods: simply let your imagination fly!!!!
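5.1 and 5.2 together, as an added example in C for x86-64 POSIX systems (this is not +Rcg's code, which targets Win32 assembly; the key, the six-byte routine and the serial check are constructed for the example, and on other architectures the example only reports that it is unsupported). The routine is stored XOR-encrypted and decrypted into a fresh executable page only when it is needed (5.1), and its good-guy result is not present in the image at all: the validating code writes it into the live routine after the serial passes (5.2), just as the jmp above is written over the nops.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) && !defined(_WIN32)
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
# ifdef MAP_ANON
#  define MAP_ANONYMOUS MAP_ANON
# else
#  define MAP_ANONYMOUS 0x20        /* Linux value, hidden by a strict -std=c99 */
# endif
#endif
#define HAVE_X86_64_POSIX 1
#endif

typedef int (*routine_t)(void);

#define BAD_RESULT  0x0BAD          /* constructed result values */
#define GOOD_RESULT 0x600D
#define CODE_PAGE   4096            /* page size on x86-64 Linux and macOS */

/* 5.1: the routine never appears in clear in the image. Plaintext (x86-64):
 *   B8 AD 0B 00 00   mov eax, 0BADh
 *   C3               ret
 * stored XORed with a per-build key (0x5A here, an assumption). */
static const uint8_t code_key = 0x5A;
static const uint8_t encrypted_routine[] = {
    0xB8 ^ 0x5A, 0xAD ^ 0x5A, 0x0B ^ 0x5A, 0x00 ^ 0x5A, 0x00 ^ 0x5A, 0xC3 ^ 0x5A
};

#ifdef HAVE_X86_64_POSIX
/* Decrypt the routine into a fresh page and make it executable. No cache
 * flush is needed: the x86 instruction cache is coherent with stores. */
static routine_t unpack_routine(void **page_out)
{
    void *page = mmap(NULL, CODE_PAGE, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return NULL;
    uint8_t *p = page;
    for (size_t i = 0; i < sizeof encrypted_routine; i++)
        p[i] = encrypted_routine[i] ^ code_key;
    if (mprotect(page, CODE_PAGE, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, CODE_PAGE);
        return NULL;
    }
    *page_out = page;
    return (routine_t)(uintptr_t)page;
}

/* 5.2: the good-guy path is written into the live routine by replacing the
 * imm32 of "mov eax, imm32" (bytes 1..4). Until this runs, no byte of the
 * image or of the page says 600Dh. Returns 0 on success. */
static int patch_good_guy(void *page)
{
    if (mprotect(page, CODE_PAGE, PROT_READ | PROT_WRITE) != 0)
        return -1;
    uint32_t good = GOOD_RESULT;              /* little-endian, as x86 wants it */
    memcpy((uint8_t *)page + 1, &good, sizeof good);
    return mprotect(page, CODE_PAGE, PROT_READ | PROT_EXEC);
}
#endif

/* Stand-in for the registration check (constructed). */
static int serial_is_valid(const char *serial)
{
    return strcmp(serial, "RCG-1997") == 0;
}

/* Unpack, run, patch on a valid serial, run again. Returns the routine's result,
 * -1 on platforms this example does not cover, -2 if mmap/mprotect failed. */
int run_protected(const char *serial)
{
#ifdef HAVE_X86_64_POSIX
    void *page;
    routine_t fn = unpack_routine(&page);
    if (fn == NULL)
        return -2;
    int result = fn();                        /* BAD_RESULT: image never knew better */
    if (serial_is_valid(serial) && patch_good_guy(page) == 0)
        result = fn();                        /* GOOD_RESULT: written at run time */
    munmap(page, CODE_PAGE);
    return result;
#else
    (void)serial;
    (void)serial_is_valid;
    return -1;
#endif
}

int main(void)
{
    printf("wrong serial: 0x%X\n", run_protected("WRONG"));
    printf("right serial: 0x%X\n", run_protected("RCG-1997"));
    return 0;
}
```

On Windows the same sequence uses VirtualAlloc with PAGE_READWRITE, VirtualProtect to PAGE_EXECUTE_READ, and back again for the patch. The weak point is the one 5.1 itself names: the key and the decryption loop are in clear in the image, so the scheme only holds until the cracker finds them, and the run-time patch only holds until he breakpoints the mprotect (or VirtualProtect) call and reads what you write.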
6. How to implement the techniques we have seen in point 5?
VxD. I know this is a big effort, but I'm sure we
will be able to program them in a few months, so we will take
control over the system again (just like we did in MS-DOS).
I'm breaking new ground here, therefore I will develop this
as soon as possible.