How to protect better.


1. Why must we do this?

	We must learn a lot of new ways to crack and to protect
(protection = cracking + programming, so it is the more complete job),
because once Micro$oft "kills" all the bigger software companies,
they will begin to "sell" their software.

	Or do you really think they will keep giving their software
away for free forever?
	Do you really think Money 97 has a toy protection because
they don't know how to protect it better?
	This is a "legal" way to defeat all the other software
developers (the 90-day trial demo).
	What is more ILLEGAL: to sell something below the price it
costs, or to teach cracking? And what if that sale price is zero?

	When the Internet really becomes a "highway" and you can
download a multi-megabyte file in a few seconds, the trial formula
will disappear and you will pay for every use of the Micro$oft word
processor, the Micro$oft spreadsheet, ... just because in 1997 they
"legally" sold their software for nothing (and defeated all the other
software companies).

	So we must be prepared for this (or something worse). I personally
think that in a few years the whole world will be using Windows NT.
	This OS is better protected; just think of how many undocumented
functions can be hidden in it.
	The MS-DOS entry will definitely be erased and we will be forced
to use the functions Micro$oft wants us to use. We will be at their feet.

	But..... here we are (little Frodos); with the advice of our
master the "Red" Wizard we will be able to win the battle against the
black shadows (and perhaps help to make this world a little better).

	Remember there are millions of 'zombies' in the world; it's time
to wake them up. Statistics say that in my country people watch TV for
over 3 hours a day.... OH!!! MAMMA MIA!!! and I think in the States
things are worse.



2. OK, OK, you have convinced me, but how can I begin?

	Simply download the first three examples and learn all you
can from them; then try on your own, use your mind and don't be a
zombie anymore: spend your 3 TV hours developing your own protection
schemes (at the same time you will be preventing the premature cerebral
deterioration known as Alzheimer's disease, which all TV devourers have
a higher probability of suffering), and then send them to us and we
will publish the best new schemes you create; thus more and more
people will be prepared to fight against our enemy.
	Read the following guidelines first. I know these first three
examples are not the 'panacea' in programming nor in protections, but
I think they are a good and easy framework for NewBytes.

	Tips:
		Example 1: A simple register code scheme.
		Example 2: Like 1 plus a NagScreen
				(find the trapdoor inside it)
		Example 3: Just like 2 but a little WinIce
			    hostile :-( (You are able to recover the
			    system: use the stack to find the real
			    return address and restore the stack).

	REMEMBER:

	Don't send us exe files, because we will never execute them; we
will delete them immediately.
	We only want the sources; we will study them and then compile
them. This is the only way to guarantee our +HCUers total absence of
viruses or whatever strange things.

	Of course, if you are a little sceptical about this, you can wait
2 weeks and download only the source with the solution; this will
guarantee you 100% against any problem and will have more or less the
same productivity.
	



3. What are the usual approach methods little crackers use?

	Basically, at least until our master +ORC teaches us others,
we use two: Dead Listing and Debugger Tracing.



4. How can these methods be avoided?

	4.1. Debugger tracing is, a priori, the easiest to avoid: just use
a few little tricks to know whether SoftIce (or another debugger) is in
memory. Read the splendid doc WinIce Galore by Civetta.


	Just look at this:


	.
	.
	.
	lea	esi,GetDlgItemTextA	;Address of the import thunk (jmp dword ptr [IAT slot])
	call	CheckIce
	cmp	eax,"ICFI"		;Is SIce fired?
	je	Bad_Guy_Crash_system
	call	esi			;Normal path: call the API through the thunk
	.
	.
	.

CheckIce:
	push	esi
	push	ds
	push	cs
	pop	ds			;Now DS=CS (harmless in flat Win32, kept from the original)
	mov	esi,[esi+2]		;Thunk is FF 25 disp32: get the address of the IAT slot
	mov	esi,[esi]		;The IAT slot holds the real address of the DLL function
	mov	eax,[esi]		;Get the first bytes of the DLL function
	and	eax,0FFh		;Use only the first byte
	cmp	eax,0CCh		;bpxed? (INT 3 written there by the debugger)
	mov	eax,"ICFI"		;Does not touch the flags
	je	Ice_Fired
	xor	eax,eax			;Clean: return 0
Ice_Fired:
	pop	ds			;Restore ds
	pop	esi
	ret
 

	We can use this simple routine to know whether the little
cracker has put a bpx on the next "call dll_function", exiting or
crashing the system if SIce is "near". Note that it relies on the
import thunk being the usual FF 25 disp32 "jmp dword ptr [IAT slot]";
if your compiler calls the API directly through the IAT slot there is
no thunk, and [esi+2] reads bytes inside unrelated code.


	Another useful trick is:


	.
	.
	mov	al,0CCh			;The byte we are looking for: INT 3
	mov	ecx,Routine_Length	;Assembler constant, e.g. Routine_End - Routine_To_Check
	Call	Check_CC		;The return address is Routine_To_Check
Routine_To_Check:
	.
	.
	.



Check_CC:
	mov	esi,[esp]		;Ret address = start of the routine to check
	push	ds
	push	cs
	pop	ds			;Now DS=CS (harmless in flat Win32)
Do_More:
	cmp	al,[esi+ecx-1]		;Compare bytes from offset Routine_Length-1 down to 0
	je	Warning_WinIce_Is_Ahead_Crash_system	;A 0CCh byte: somebody bpxed inside
	loop	Do_More
	pop	ds
	ret	;Good Guy: no breakpoint in the routine (esi and ecx are clobbered)

Warning_WinIce_Is_Ahead_Crash_system:

	db	0Fh,0Bh	;UD2: raises an invalid-opcode fault immediately.
			;The original used "pop cs", which only exists on the
			;8086; from the 80186 on, 0Fh is the two-byte opcode
			;escape, so 386 code cannot encode it.

	
	What is this usable for?

	E.g. to check whether the current routine has a "bpx" somewhere,
or to check the entire program searching for a bpx.
	Two caveats: only software breakpoints (the 0CCh byte) are found,
a hardware breakpoint (bpm, set through the debug registers) does not
touch the code bytes at all; and a 0CCh may legitimately belong to an
instruction (an immediate or a displacement, or the padding some
linkers put between functions), so keep such bytes out of the routine
you check, or better, compare a checksum of the routine against a
recorded value.
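	The same check in C, as an added example that is not code from
the original page: find_int3 is the Check_CC loop, and fnv1a32 goes one
step beyond the text, it is the checksum a practitioner would compare
instead, because it also catches a patched byte that is not 0CCh and is
not fooled by a 0CCh that legitimately belongs to an instruction. All
byte strings are constructed x86-32 fragments assembled by hand for the
demonstration, not bytes taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original page.  The byte strings are
 * constructed x86-32 fragments assembled by hand for the demonstration. */

/* Check_CC in C: offset of the first 0CCh byte in code[0..len), or -1. */
long find_int3(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return (long)i;
    return -1;
}

/* FNV-1a (32-bit) over a code region.  Record the value of the clean routine
 * once (at build time, or on first entry before any user input is handled)
 * and compare on every later entry: a software breakpoint, a patched jump
 * and a patched immediate all change it, and a legitimate 0CCh inside an
 * instruction raises no false alarm. */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h;
}

/* 1 if the region no longer matches the recorded checksum, else 0. */
int region_tampered(const uint8_t *code, size_t len, uint32_t expected)
{
    return fnv1a32(code, len) != expected;
}

/* Constructed samples (hand-assembled x86-32):
 *   clean:   push ebp / mov ebp,esp / xor eax,eax / pop ebp / ret
 *   bpx:     same, after "bpx" wrote INT 3 (0CCh) over the first byte
 *   patched: same, with xor eax,eax (33 C0) replaced by mov al,1 (B0 01)
 *   imm_cc:  mov eax,0CCh / ret -- a legitimate 0CCh inside an immediate */
const uint8_t sample_clean[]   = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
const uint8_t sample_bpx[]     = { 0xCC, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
const uint8_t sample_patched[] = { 0x55, 0x8B, 0xEC, 0xB0, 0x01, 0x5D, 0xC3 };
const uint8_t sample_imm_cc[]  = { 0xB8, 0xCC, 0x00, 0x00, 0x00, 0xC3 };

int main(void)
{
    uint32_t reference = fnv1a32(sample_clean, sizeof sample_clean);

    printf("clean:   int3 at %ld, tampered=%d\n",
           find_int3(sample_clean, sizeof sample_clean),
           region_tampered(sample_clean, sizeof sample_clean, reference));
    printf("bpx:     int3 at %ld, tampered=%d\n",
           find_int3(sample_bpx, sizeof sample_bpx),
           region_tampered(sample_bpx, sizeof sample_bpx, reference));
    printf("patched: int3 at %ld, tampered=%d\n",
           find_int3(sample_patched, sizeof sample_patched),
           region_tampered(sample_patched, sizeof sample_patched, reference));
    /* The byte scan flags this one although nothing touched it. */
    printf("imm_cc:  int3 at %ld (false positive)\n",
           find_int3(sample_imm_cc, sizeof sample_imm_cc));
    return 0;
}
```

	The byte scan misses the patched routine and flags the innocent
one; the checksum gets both right, which is why the scan is best kept
for the single entry byte of an imported function, as CheckIce does,
and the checksum used for whole routines.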



	4.2. Once SoftIce is "out of service", dead listing can be
made much harder by using indirect calls like:

		call [Call_Table+4]

This table is in the data segment, so it can be encrypted, or loaded
at any time from a file, or whatever you can imagine: the listing then
shows the call, but not where it goes.
	You can also use a lot of junk code and "play" with the stack;
this will make the dead listing horrible.
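	An added example (not code from the original page) of the
"call [Call_Table+4]" idea: the table is kept in data and stored as
masked offsets in a small image that the program loads at run time, so
the shipped code contains neither a direct call target nor a plain
function pointer. The step functions, the anchor function, the key and
the image layout are all assumptions made for the illustration; the
packing half would run in your build tool, not in the shipped program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original page.  Everything named here
 * (the step functions, anchor, key and image layout) is an assumption made
 * for the illustration. */

typedef int (*step_fn)(int);

/* Hypothetical protection steps, reachable only through the table. */
static int step_checksum(int x) { return x * 31 + 7; }
static int step_verify(int x)   { return x ^ 0x5A; }
static int step_register(int x) { return x + 1000; }

#define N_STEPS 3

/* Offsets in the image are relative to this function, so the image stays
 * valid wherever the loader maps the program. */
static int anchor(int x) { return x; }

/* Build-time side (your build tool, not the shipped exe): write
 * (target - anchor) XOR key for each step as a little-endian 64-bit word.
 * Returns the number of bytes written. */
size_t pack_table(uint8_t *out, const step_fn *steps, size_t n, uint64_t key)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t off = (uint64_t)((uintptr_t)steps[i] - (uintptr_t)anchor) ^ key;
        for (int b = 0; b < 8; b++)
            out[i * 8 + b] = (uint8_t)(off >> (8 * b));
    }
    return n * 8;
}

/* Run-time side: the "Call_Table" of the text lives in writable data and is
 * empty until unpack_table fills it, so a dead listing of the exe shows only
 * "call [call_table+idx*sizeof(ptr)]" and an opaque blob.  The key would come
 * from the user's registration data or be derived at run time, never stored
 * next to the image. */
static uintptr_t call_table[N_STEPS];

int unpack_table(const uint8_t *image, size_t len, uint64_t key)
{
    if (len != (size_t)N_STEPS * 8)
        return 0;                       /* wrong or truncated image */
    for (size_t i = 0; i < N_STEPS; i++) {
        uint64_t off = 0;
        for (int b = 0; b < 8; b++)
            off |= (uint64_t)image[i * 8 + b] << (8 * b);
        call_table[i] = (uintptr_t)anchor + (uintptr_t)(off ^ key);
    }
    return 1;
}

/* The indirect call itself. */
int call_slot(size_t idx, int arg)
{
    step_fn f = (step_fn)call_table[idx];
    return f(arg);
}

/* Round trip used by main: pack, unpack and run the three steps; returns
 * the sum of their results (0 if the image is rejected). */
int table_roundtrip(uint64_t key)
{
    const step_fn steps[N_STEPS] = { step_checksum, step_verify, step_register };
    uint8_t image[N_STEPS * 8];
    size_t len = pack_table(image, steps, N_STEPS, key);

    if (!unpack_table(image, len, key))
        return 0;
    return call_slot(0, 1) + call_slot(1, 0xFF) + call_slot(2, 1);
}

int main(void)
{
    uint64_t key = 0x243F6A8885A308D3ull;   /* constructed key for the demo */
    printf("sum of the three steps through the table: %d\n", table_roundtrip(key));
    printf("slot 0 holds the real address of step_checksum: %s\n",
           call_table[0] == (uintptr_t)step_checksum ? "yes" : "no");
    return 0;
}
```

	Storing offsets from an anchor rather than absolute addresses
is what lets the image come from a file: absolute addresses would break
as soon as the program is relocated. Whatever decrypts the table is of
course the first thing a cracker will look at, so that routine deserves
the checks from point 4.1.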


5. What is the best way to protect a program?

	5.1. Encrypted program (like some viruses): dead listing and
patching of the encrypted body are out of the question. Only the
decryptor stays in clear, so that is where the cracker will start, and
it has to be defended with the tricks from point 4.
	5.2. Self-modifying code, look:

		push	eax
		push	ebx
		Call	Check_User_Entry_Code
		test	eax,eax
		je	Bad_Guy
		nop		;Here we will put the Good_Guy jmp at run time
		nop		;(a near jmp rel32 is 5 bytes, so 6 nops leave room);
		nop		;it depends on many other calls,
		nop		;who knows which?
		nop		;Until the jmp is written, even a good code
		nop		;falls through into Bad_Guy
Bad_Guy:	Call	Crash_System

	Remember that on Win32 the code section is mapped read-only:
the routine that writes the jmp over the nops must first make that page
writable (VirtualProtect with PAGE_EXECUTE_READWRITE, or a writable
section for the routine), or the protection itself will fault on its
first write.

	5.3. Others: simply let your imagination fly!!!!


6. How to implement the point 5 techniques?

	VxD. I know this is a big effort, but I'm sure we will be
able to program them in a few months, so we will take back control
over the system (just like we did in MS-DOS).




+rcg 1997