  PE-SHiELD v0.22  (C) Copyright 1998 by ANAKiN [DaVinci]

                  D O C U M E N T A T I O N



0. CONTENT
~~~~~~~~~~
I.     -  Short Overview
II.    -  Disclaimer
III.   -  Commandline Parameters
IV.    -  Technical Notes (-api, -ip)
V.     -  Contacting the Author
VI.    -  What is new?
VII.   -  What is planned?
VIII.  -  Greetings


I. Short Overview
~~~~~~~~~~~~~~~~~
Ohh yes, ANAKiN is back! I was really lazy the last months. No new tools,
no new programs, no new versions. I spent nearly all my time swimming,
biking, learning and getting well again. I left school and I am now lazier
than before. <- Ohh yes, I always thought that was impossible, but it is
possible. My English is still bad... I think you have already noticed
that :-( During that time, more and more ideas for PE-SHiELD grew in my
mind and now I have finally created a new version of my lovely crypter, which
has now grown up, like me ;)
I release this beta to the public, because it seems to be very stable and
I was not able to find more bugs on my own.
PE-SHiELD features many of the options you can find in other protectors
like PE-CRYPT32 or BJFNT, but it also has some options still missing in
the other protectors.

PE-SHiELD features:
                                                              Standard
- section name renaming                                       +
- encryption of code and data sections                        always
- resource section encryption                                 +
  (with or without the 1st ICON)                              W/O
- import section handling & encryption                        +
- heuristic virus check                                       +
- the PE-HEADER can be (or not be) overwritten                +
- import section protection                                   -
- BPX protection of imported functions                        -
  (except MFC??.DLL - those functions always caused crashes)
- a nice little STUPID RING0 TRACER KICKER ;)                 always
- protected files cannot be dumped with PROCDUMP              always
  (GROM, author of PROCDUMP, says that this is not true
  on his system, although many guys have asked me how I
  got it working ????)
- protected files cannot be traced by DEBUG API               always
- protected files do not run with SOFTICE in memory           always ;)

And, like any other protector, this feature:
- protected files can be cracked if the cracker is good       always


II. Disclaimer
~~~~~~~~~~~~~~
I, the author, am *NOT* responsible for any damage caused by the use of
PE-SHiELD.  Although the program was tested with Windows 95B and Windows
NT 4.0, it may be incompatible in some cases. I absolutely do not know
how PE-SHiELD will react in a different environment (95A, 98, NT 5.0).
I hope this was enough to warn you :)


III. Commandline Parameters
~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you want to use PE-SHiELD simply type:


  PESHIELD [options] "filename" [options]
                     ^
                     :--  you can write:  VERYLO~1.EXE
                                     or: "Very Long File Name.EXE"

  an option may start with either '/', '-' or ','

YOU GET MAXIMUM PROTECTION WITH:

PESHIELD filename -API -IP

IF YOU WANT TO HAVE TWO OR MORE LAYERS:

1. PESHIELD filename -API -IP -H-
2. PESHIELD filename -H-
...
x. PESHIELD filename


PE-SHiELD supports the following options:

Options
-------

 -? -h    Shows a short help screen

 -o       Original file will not be modified. Output goes into
           OUTPUT.EXE

 -n-      Do not rename sections into PESHIELD

 -hd-     Do not overwrite PE-Header in memory

 -h-      Do not add heuristic virus check to file

 -api     API functions that are executed by the file will be
           protected against BPX during runtime
           Imports from MFC??.DLL will not be protected, because
           this always caused crashes on my system

 -ip      The import section is moved in memory to hinder unpacking
           by simply dumping

 -r       The file will not be crypted, just loaded into memory
           and written back, reducing it to its minimum size without
           any type of compression. Use this after manually dumping a
           file. It will decrease the size.

 -rs-     The resource section will be left unchanged

 -icn     If the resource section gets encrypted, the icon will be
           encrypted, too


IV. Technical Notes
~~~~~~~~~~~~~~~~~~~
The new version of PE-SHiELD is now fully coded in 32-bit Windows assembly.
I temporarily removed the .DLL support in this beta version, because
I wanted to add some stuff that is not compatible with .DLLs, but in fact
I was too lazy to add it yet. Maybe it will come soon.

At the moment PE-SHiELD encrypts all code and data sections. The relocation
table gets compressed (DELTA/RLE compression) and encrypted, too.
You can choose if the resource section gets encrypted and if the
first ICON stays decrypted. All other sections are left unchanged.
PE-SHiELD will not work if there is an .EXPORT area hidden in one of the
sections (EXAMPLE: OPERA.EXE). I will fix that soon...

-api   This switch works against any cracker trying to crack your serial
        or regcode protection by setting a breakpoint on GetWindowTextA
        or a similar function. Such breakpoints will crash the current task
        if set before execution, and all BPX set during execution will be
        disabled.

-ip    The import section will be moved into another part of memory.
        This makes it very hard for any generic unpacker to find the used
        import table. But even if the generic unpacker finds the right
        table, it is hard to reconstruct, because it will always be
        destroyed.

Fake Entrypoint  Because there is no tracer available yet that can trace
                  through PE-SHiELD, I did not implement Fake Entrypoints
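As an added example (not part of PE-SHiELD or this documentation), the following Python reads a PE section table and flags what a defender or analyst would look for given the behaviour described above: sections renamed to PESHIELD, and code/data sections whose contents are encrypted, which shows up as byte entropy close to 8 bits. The PE image it scans is constructed inside the block, and the 7.0 entropy threshold is an assumption, not a value from the page.

```python
import math
import struct

# Added detection helper (not PE-SHiELD's own code). Flags sections that carry
# the "PESHIELD" rename or whose raw bytes look encrypted. Sample PE is constructed.

def shannon_entropy(data):
    """Bits of entropy per byte: 8.0 for byte-uniform data, 0.0 for a constant."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image):
    """Yield (name, raw_bytes) for each section header in a PE file image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size      # section headers follow the optional header
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def peshield_indicators(image, entropy_threshold=7.0):
    """Names of sections renamed to PESHIELD or with encrypted-looking contents."""
    return [name for name, raw in pe_sections(image)
            if name == "PESHIELD" or shannon_entropy(raw) >= entropy_threshold]

def build_sample_image():
    """Constructed, non-runnable PE: one plain code stub, one byte-uniform section."""
    sections = [(b".text", b"\x90\x55\x8b\xec" * 256), (b"PESHIELD", bytes(range(256)) * 4)]
    pe_off, table, raw = 0x40, b"", b""
    raw_base = pe_off + 24 + 40 * len(sections)           # raw data starts after the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for i, (name, data) in enumerate(sections):
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0x1000 * (i + 1),
                                                   len(data), raw_base + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += data
    return dos + coff + table + raw
```

Run against a real file with `peshield_indicators(open(path, "rb").read())`; a legitimate unprotected build normally shows section names like .text/.data and code entropy well below 7.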


V. Contacting the Author
~~~~~~~~~~~~~~~~~~~~~~~~
You may contact me if you find any incompatibility or just want to tell
me your opinion (or hints). You should also contact me if you release
a program protected with PE-SHiELD, and send a copy to me :)

contact address: anakin__@gmx.net


VI.       What is new?
~~~~~~~~~~~~~~~~~~~~~~
This section was moved into HISTORY.TXT


VII.      What is planned?
~~~~~~~~~~~~~~~~~~~~~~~~~~
  DLL support
  Decryption controlled by Unhandled Exception Filters
   (my routine already works perfectly, I only have to add it)
  A (better) mutation engine
  maybe ring0
  more compatibility...
  some other stuff that is still secret!


VIII. Greetings
~~~~~~~~~~~~~~~
Marquis    Sorry! I had to kick off some serious bugs, so I wasn't able
            to send a working beta earlier. Hope you will enjoy this beta.
            I do not know if it is working under NT5 or 98. Maybe you or
            someone else will tell me...
            Hope my BJFNT test helped you ;)
eGIS!      Hi, I hope you will enjoy PE-SHiELD more than CrackStop :)
Zenix      Sorry! Same as for Marquis... When we were chatting suddenly
            my time ran out... So we were disconnected during our talk...
            Maybe we will meet sometime again...
Stonehead  Are you working on MESS4PE? May I become a betatester?
djHD       Germany or Cameron will kick Brazil ;-)
Random     I hope you enjoy the new version... I want to see the new
            version of PE-CRYPT
G-ROM &
Stone      First I want to tell you that PROCDUMP is in my opinion
            a nice unpacker. Maybe it is not (and will never be) able
            to remove the best protectors, but from my point of view
            it is a very handy tool for all the guys who unpack PEs
            on their own. I always use it to unpack PE-CRYPT protected
            files. 3 dumps at the right positions and you have
            everything you need :)
            I hope the new version of PROCDUMP will be encrypted with
            PE-SHiELD ;) instead of PE-CRYPT
            G-ROM: Everything that runs can be defeated...
            So as long as PROCDUMP runs, it can be... :-))))

Additional greetings fly out to:

 KAOT, LUCE, Ugly Duckling, Dark Stalker, Dark-Man
 Valentino T., Jeremy Lilley, Ralph Roth
 all in UCF, Phrozen Crew, PCE, TPiNC
 all on #ucf2000
 all on #cracking
 all in exelist


PS: The documentation was modified in a hurry...
