

                 
                            
                   
                            
                 

 PE-SHiELD v0.25 (C)Copyright 1998-2000 by ANAKiN [DaVinci]

                  D O C U M E N T A T I O N



0. CONTENT
~~~~~~~~~~
I.     -  Short Overview
II.    -  Disclaimer
III.   -  Commandline Parameters
IV.    -  Technical Notes (-api, -ip)
V.     -  Contacting the Author
VI.    -  What is new?
VII.   -  What is planned?
VIII.  -  Commercial Usage
IX.    -  Greetings



I. Short Overview
~~~~~~~~~~~~~~~~~
I am back again. One year since the last public pe-shield release.
And this is NOT a NEW version. The new more elite version will come
in the next three months, otherwise you can beat me up ;)
So why this new release: simple, there was a stupid bug in my makefile
that made the peshield.exe incompatible with many versions of Windows 98.
It was not a problem in the crypter but in the makefile.... -> wrong
parameters... In fact, with this parameter combination it was a wonder
that the peshield.exe file works fine on all the other versions of
Windows (ALL THE FILES PROTECTED WITH PESHIELD WORK FINE; THIS PROBLEM
IS ONLY IN THE OLD PESHIELD.EXE). Additionally I changed some layers
inside and added a new AD trick. This makes PE-SHiELD a little bit
stronger than before.
Btw: Until today there is still no unpacker for the one year old
peshield. All other public pecrypters can be unpacked with special
unpackers or procdump.

PE-SHiELD features:
                                                              Standard
- section name renaming                                       +
- encryption of code and data sections                        always
- resource section encryption                                 +
  (with or without 1. ICON)                                   W/O
- import section handling & encryption                        +
- heuristic virus check                                       +
- the PE-HEADER can be (or not be) overwritten                +
- import section protection                                   -
- BPX protection of imported functions                        -
  (except MFC??.DLL - those functions always caused crashes)
- a nice little STUPID RING0 TRACER KICKER ;)                 always
- protected files cannot be dumped with PROCDUMP              always
  (GROM, author of PROCDUMP, says that this is not true
  on his system, although many guys have asked me how I
  got it working ????)
- protected files cannot be traced by DEBUG API               always
- protected files do not run with SOFTICE in memory           always ;)

And, like any other protector, it has this feature:
- protected files can be cracked if the cracker is good       always


II. Disclaimer
~~~~~~~~~~~~~~
I, the author, am *NOT* responsible for any damage caused by the use of
PE-SHiELD.  Although the program was tested with a lot of different
versions of Windows 9x/NT, it may be in some cases incompatible. I
absolutely do not know how PE-SHiELD will react in an exotic environment.
I hope this was enough to warn you :)


III. Commandline Parameters
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you want to use PE-SHiELD simply type:


  PESHIELD [options] "filename" [options]
                     ^
                     :--  you can write:  VERYLO~1.EXE
                                     or: "Very Long File Name.EXE"

  an option may start with either '/', '-' or ','

YOU GET MAXIMUM PROTECTION WITH:

PESHIELD filename -API -IP

IF YOU WANT TO HAVE TWO OR MORE LAYERS:

1. PESHIELD filename -API -IP -H-
2. PESHIELD filename -H-
...
x. PESHIELD filename


PE-SHiELD supports the following options:

Options
-------

 -? -h    Shows a short helpscreen

 -o       Original file will not be modified. Output goes into
           OUTPUT.EXE

 -n-      Do not rename sections into PESHIELD

 -hd-     Do not overwrite PE-Header in memory

 -h-      Do not add heuristic virus check to file

 -api     API functions that are executed by the file will be
           protected against BPX during runtime
           Imports from MFC??.DLL will not be protected, because
           this always caused crashes on my system

 -ip      The import section is moved in memory to hinder unpacking
           by simply dumping

 -r       The file will not be crypted, just loaded into memory
           and written back, reducing it to its minimum size without
           any type of compression. Use this after manually dumping a
           file. It will decrease the size.

 -rs-     The resource section will be left unchanged

 -icn     If the resources section gets encrypted, the icon will
           be encrypted, too


IV. Technical Notes
~~~~~~~~~~~~~~~~~~~
The new version of PE-SHiELD is now fully coded in 32-bit WINDOWS
assembly. I temporarily removed the .DLL support in this version, because
I wanted to add some stuff that is not compatible with .DLLs, but in fact
I was too lazy to add it yet. Maybe it will come soon.

At the moment PE-SHiELD encrypts all code and data sections. The
relocation table gets compressed (DELTA/RLE compression) and encrypted,
too. You can choose whether the resource section gets encrypted and
whether the first ICON stays unencrypted. All other sections are left
unchanged.
PE-SHiELD will not work if there is a .EXPORT area hidden in one of the
sections (EXAMPLE: OPERA.EXE). I will fix that soon...
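
For analysts triaging samples: an added example, not part of the original
documentation or of PE-SHiELD itself, that reads a PE section table and
flags the default section renaming described under -n-. It assumes the name
written is the literal 8-byte string "PESHIELD"; the sample images are
constructed header-only stand-ins.

```python
import struct

MARKER = "PESHIELD"  # assumption: literal name implied by the -n- option text

def pe_sections(data: bytes):
    """Return [(name, characteristics)] read from a PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if e_lfanew + 24 > len(data):
        raise ValueError("truncated COFF header")
    # The 20-byte COFF header starts at e_lfanew+4: NumberOfSections is at
    # e_lfanew+6 and SizeOfOptionalHeader at e_lfanew+20.
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = table + i * 40              # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, chars))
    return sections

def triage(data: bytes):
    """Flag an image whose section names match the protector's default."""
    names = [n for n, _ in pe_sections(data)]
    hits = names.count(MARKER)
    return {"sections": len(names), "renamed": hits, "flag": hits > 0}

def build_sample(names):
    """Constructed header-only image for the demo; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 28
                    + struct.pack("<I", 0xE0000020) for n in names)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + secs

if __name__ == "__main__":
    print(triage(build_sample(["PESHIELD", "PESHIELD", ".rsrc"])))
    print(triage(build_sample([".text", ".data", ".rsrc"])))
```

A file protected with -n- keeps its original section names, so a clean
result here proves nothing; treat a hit as a quick positive indicator only.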

-api   This switch helps against any cracker trying to crack your serial
        or regcode protection by setting a breakpoint on GetWindowTextA
        or a similar function. Those breakpoints will crash the current task
        if set before execution, and any BPX set during execution will be
        disabled.

-ip    The import section will be moved into another part of the memory.
        This makes it very hard for any generic unpacker to find the used
        import table. But even if the generic unpacker finds the right
        table, it is hard to reconstruct, because it will always be
        destroyed.

Fake Entrypoint  Because there is no tracer available yet that can trace
                  through PE-SHiELD, I did not implement Fake Entrypoints.


V. Contacting the Author
~~~~~~~~~~~~~~~~~~~~~~~~
You may contact me, if you find any incompatibility or just want to tell
me your opinion (or hints). You should also contact me, if you release
a program protected with PE-SHiELD and send a copy to me :)

contact address: anakin@rockz.org


VI.       What is new?
~~~~~~~~~~~~~~~~~~~~~~
Fixed a few little bugs on request and added some AD stuff.


VII.      What is planned?
~~~~~~~~~~~~~~~~~~~~~~~~~~
I know I already announced new versions of PESHiELD several times
and then nothing happened. At the moment I think of restarting the
PESHiELD project in March. There are still some bugs that occur
with exotic compilers.


VIII. Commercial Usage
~~~~~~~~~~~~~~~~~~~~~~
If you want to use peshield on any type of commercial product,
you MUST contact me! This also counts for shareware software.
Because then I either want some money for the usage, or a copy
of your product. In return those "registered" users can get a
personalized version from me.


IX.   Greetings
~~~~~~~~~~~~~~~
Fashion, Special, Masta, Scamp, Avatar
Riddler, Random, Devil, Egis, Iceman, Halvar
Grom, Stone, Rose, Hanno, BSE

and the rest of exelist

PS: The documentation was modified in a hurry...
