Info
----
This is the last fILTER. It contains everything usable from the previous packages
and something more.

File descriptions:
------------------

ADFLT2.COM (from #4)
- demo of the routines below

ADFLT.COM (#2)
- do not run it!
- 1st "protector" with autodebugging
- some CPUs may fail
- it uses INT16/0305 instead of OUT 60,F4 (most keyboards remain locked),
  but try to intelli-trace it, because it contains a nice secr. sect.

fDEMO.COM (#1)
- 1st program  with autodebugging
- some CPUs may fail
- it uses GD


##############################################################################
#			       Routine section				     #
##############################################################################

				RM subsection

##############################################################################
Name:
Real mode - final solution
Description:
Once you've detected that you're running under RM you can do whatever you
want, for example switch to PM. PM code is untraceable (by common tools).
This affects RM code interpreters (TR/LiuTaoTao) and pretenders (CUP386 /7
/Sage). Interrupts must be disabled and the PM code kept as short as possible.
##############################################################################

.MODEL TINY
.586P

PE  EQU 1       ; CR0 / MSW bit 0: Protection Enable

.CODE
.STARTUP
	;--------------------------------------------------------------
	; Real-mode check: flip CR0.PE, execute ONE instruction in
	; protected mode (STR), flip PE back.  CX is preset to -1; if the
	; PM section really executed, STR overwrites CX and INC CX is
	; non-zero ("Passed!").  If CX is still -1 afterwards, the PM
	; section was not executed ("Skipped!") - the case the prose
	; above attributes to RM code interpreters / pretenders.
	; No GDT/IDT is loaded, so any interrupt in PM would be fatal:
	; hence CLI and a one-instruction PM section (note CLI does not
	; mask NMI).
	;--------------------------------------------------------------
	SMSW  AX
	TEST  AL,PE                     ; PE already set: not real mode
	LEA   DX,NoReal                 ; LEA keeps the flags from TEST
	JNE   Write

	MOV   CX,-1                     ; sentinel; STR below must change it
	MOV   EAX,CR0
	XOR   AL,PE                     ; PE is clear here, so this sets it

	CLI
	MOV   CR0,EAX
	;You are in protected mode
	;JMP  $+2  if problems

	STR   CX ;or other PM-only instruction; stores the TR selector into CX

	XOR   AL,PE                     ; clear PE again
	MOV   CR0,EAX
	;Don't use LMSW on 386+!!!
	;Back in real mode
	;JMP  $+2  if problems
	STI

	INC   CX                        ; CX unchanged (-1) -> 0 -> ZF -> "Skipped!"
	LEA   DX,NotPassed
	JE    Write

	LEA   DX,AllRight

      Write:
	MOV   AH,9                      ; DOS: print '$'-terminated string at DS:DX
	INT   21H
	.EXIT

AllRight  DB  13,10,"Passed!",36
NoReal	  DB  13,10,"Real mode required!",36
NotPassed DB  13,10,"Skipped!",36

END
##############################################################################

			       EMM subsection

##############################################################################
Name:
VCPI Examination
Description:
You are in V86 mode and you didn't detect Windows. Then try the EMS or VCPI services.
When they aren't available, something strange (not an EMM) controls the system:
DG/CrazyMaX, TD386, CUP386/3, GTR/Hendrix, and you can suspend running.
V86 without Windows, EMS or VCPI is always suspicious.

Normal EMMs should support VCPI. With VCPI services 8 and 9 you can get and set
the debug registers (legally). Try the code below under DOS Soft-ICE/NuMega.

Under EMM386 also compare CR0 (direct MOV from CR0 vs. VCPI/0DE07H).
##############################################################################

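.MODEL TINY
.586P

PE  EQU 1       ; CR0 / MSW bit 0: Protection Enable

.CODE
.STARTUP
	;--------------------------------------------------------------
	; VCPI debug-register check, run in V86 mode without Windows.
	; 1. hook INT 1 to New01,
	; 2. arm DR1 as an execution breakpoint on 'Watch' via VCPI
	;    0DE09H (set DRX),
	; 3. fall into 'Watch' - the trap runs New01, which reads the
	;    DRs back via 0DE08H (get DRX) into the same array,
	; 4. restore INT 1, clear DR7 via VCPI, and require DR6 to show
	;    exactly the B1 hit.
	; Fix: the "no VCPI" path used to exit with INT 1 still pointing
	; at New01 inside the terminated program; it now goes through
	; Unhook, which restores the vector first.
	; Assumes FS stays 0 across the INT 67H calls (as the original
	; code already did).  300H + 3 SHL 2 and 0E00FH are DR7/DR6 bit
	; masks; minfo.equ (not on this page) names them.
	;--------------------------------------------------------------

	SMSW   AX
	TEST   AL,PE                    ; PE clear: plain real mode, not V86
	LEA    DX,NoV86                 ; LEA keeps the flags from TEST
	JE     Write

	MOV    AX,1600H                 ; INT 2FH/1600H: Windows enhanced-mode check
	INT    2FH
	CMP    AL,3                     ; AL >= 3: Windows present
	LEA    DX,WinPres
	JGE    Write

	SUB    ECX,ECX                  ; ECX = 0; reused for FS and DR6 below
	MOV    FS,CX                    ; FS:0 = real-mode IVT

	;GETINTVEC1
	PUSH   DWORD PTR FS:1*4
	POP    Old01

	;SETINTVEC1
	PUSH   CS  OFFSET New01         ; two pushes: segment, then offset
	POP    DWORD PTR FS:1*4

	;EDX=linear address of Watch (CS*16 + offset)
	MOV    EDX,CS
	SHL    EDX,4
	ADD    EDX,LARGE OFFSET Watch


	MOV   _DR1,EDX                  ; breakpoint address

	;always zero to DR6
	MOV   _DR6,ECX

	MOV    CX,300H + 3 SHL 2  ;see minfo.equ for constants for DR6 and DR7
	MOV   _DR7,ECX                  ; high half of ECX is still 0

	MOV    AX,0DE09H ;set DRX
	LEA    DI,SetDRX ;ES:DI array of values for DRX
	INT    67H
	OR     AH,AH                    ; AH != 0: call failed / no VCPI
	LEA    DX,NoVCPI
	JNE    Unhook                   ; restore INT 1 before reporting

       Watch:                           ; DR1 should fire on this instruction
	JMP    Next

       New01:                           ; INT 1 handler; runs only if the trap fired
	ADD    SP,6                     ; drop the IP/CS/FLAGS frame, no IRET
	STI
	MOV    AX,0DE08H                ; get DRX into ES:DI (same array as SetDRX)
	LEA    DI,GetDRX
	INT    67H

       Next:
	;RESETINTVEC1
	PUSH   Old01
	POP    DWORD PTR FS:1*4

	;always zero to DR7 before end
	SUB    CX,CX                    ; high half already 0, so ECX = 0
	MOV   _DR7,ECX
	MOV    AX,0DE09H
	LEA    DI,SetDRX
	INT    67H

	MOV    EAX,_DR6                 ; value read back by New01 (0 if the trap never fired)
	AND    AX,0E00FH ;see minfo.equ for constants for DR6 and DR7
	CMP    AX,00002H                ; only B1 set
	LEA    DX,BadDRX
	JNE    Write

	LEA    DX,AllRight

       Unhook:
	;RESETINTVEC1 - required on the "no VCPI" path, which never reaches
	;Next; a harmless repeat on the success path.  Leaves DX untouched.
	PUSH   Old01
	POP    DWORD PTR FS:1*4

      Write:
	MOV    AH,9                     ; DOS: print '$'-terminated string at DS:DX
	INT    21H
	.EXIT

AllRight DB 13,10,"Passed!",36
NoV86	 DB 13,10,"V86 mode required!",36
WinPres  DB 13,10,"Can't run under Windows!",36
NoVCPI	 DB 13,10,"VCPI required!",36
BadDRX	 DB 13,10,"Bad DRX system!",36

Old01	 DD ?                           ; saved INT 1 vector

GetDRX	LABEL                           ; one array for both get (0DE08H) and set (0DE09H)
SetDRX	LABEL
_DR0	 DD ?
_DR1	 DD ?
_DR2	 DD ?
_DR3	 DD ?
_DR4	 DD ?
_DR5	 DD ?
_DR6	 DD ?
_DR7	 DD ?

END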
##############################################################################

			      Windows subsection

##############################################################################
Name:
WinICE detection
Description:
In DOS use INT41 detection. If NuMega stops using INT41 in future versions,
use the code below. This is the best detection of a low-level debugger for NE/PE.
Principle:
Examine the descriptor for exception 1 and/or compare the offsets of exceptions 3, 4, 5.
It also shows how to go to protected mode under Windows and how to leave DPMI
without terminating the program. For how to go to ring 0 see minfo.bat.
##############################################################################

.MODEL TINY
.586P

Yes		     EQU 1
NoNo		     EQU 0

PE		     EQU 1      ; CR0 / MSW bit 0: Protection Enable

;options:
KillNonWindowsSystem EQU NoNo ;(Yes/NoNo) NoNo: refuse to run when Windows is absent
DestroyInts	     EQU NoNo ;(Yes/NoNo) Yes: also write back the INT 1 / INT 3 gate access bytes


.CODE
.STARTUP
	;--------------------------------------------------------------
	; Flow: V86 check -> Windows check -> DPMI mode switch -> set up
	; a 4 GB data selector (BigDesc) -> read the IDT through it ->
	; two checks on the gates of exceptions 1,3,4,5 -> leave DPMI by
	; hooking real-mode INT 21H so that the client's AH=4CH exit
	; lands in IsExit (stack reloaded from MyStack) -> report.
	; Register roles in PM: BX = LDT selector, ESI = IDT linear
	; base, DS = BX (flat view), ES = the original data selector.
	;--------------------------------------------------------------

	SMSW   AX
	TEST   AL,PE                    ; PE clear: real mode, not V86
	LEA    DX,NoV86                 ; LEA keeps the flags from TEST
	JE     Write

     IF KillNonWindowsSystem EQ NoNo   ;no warning
	MOV    AX,1600H                 ; INT 2FH/1600H: Windows enhanced-mode check
	INT    2FH
	CMP    AL,3                     ; AL < 3: no Windows
	LEA    DX,NoWin
	JL     Write
     ENDIF

	;Every instruction can be only 15 bytes long (including prefixes)
	Truth  EQU  DB	3EH,2EH,0F2H,66H,67H,0F3H ;for example
	;(DS:, CS:, REPNE, operand-size, address-size, REP prefixes)

	MOV    EBX,"BOMB" ;or whatever abnormal
	MOV    EAX,EBX
	Truth		  ;some emulators still can't emulate
	MOV    EAX,DR7                  ; privileged: faults to the V86 monitor; the test
	CMP    EAX,EBX                  ; only passes if EAX still equals EBX afterwards
	LEA    DX,NoWin
	JNE    Write

	;if needed push registers here

	MOV    _SS,SS                   ; saved for the LSS at IsExit
	MOV    _SP,SP

	MOV    AX,1687H                 ; INT 2FH/1687H: DPMI installation check
	INT    2FH
	OR     AX,AX                    ; AX != 0: no DPMI host
	JNE    IsExit

	PUSH   ES  DI                   ; ES:DI = mode-switch entry point
	POP    GoDPMI

	PUSH   0
	POP    FS                       ; FS:0 = real-mode IVT

	Vec21  EQU DWORD PTR FS:21H*4

	;GETINTVEC21
	PUSH   Vec21
	POP    Old21

	;SETINTVEC21
	PUSH   CS   OFFSET New21
	POP    Vec21

;HERE SHOULD BE BETTER ALLOCATION!!
	MOV   AX,DS:2                   ; PSP:2 = top-of-memory segment of this program
	SUB   AX,SI                     ; SI (from 1687H) = paragraphs of host private data
	MOV   ES,AX                     ; ES = host data area, carved from the top of our block
;----------------------------------

	SUB   AX,AX   ;16 bit            (AX bit 0 = 0: 16-bit client)
	CALL  GoDPMI
	JC    IsExit                    ; switch failed: still in real mode

	;Now in protected mode
	SUB   AX,AX                     ; INT 31H/0000: allocate CX LDT descriptors
	MOV   CX,1
	INT   31H
	JC    BadDPMI
	MOV   BX,AX                     ; BX = the new selector

	LEA   DI,BigDesc
	MOV   AX,0CH                    ; INT 31H/000C: set descriptor BX from ES:DI
	PUSH  DS
	POP   ES                        ; ES = data selector; ES:DbPres / ES:Gut below
	INT   31H
	JC    BadDPMI

	SIDT  IDT                       ; IDT base/limit as seen by this client
	MOV   ESI,IDTBase
	MOV   DS,BX                     ; DS = flat 4 GB data selector

	INT1 =8*01                      ; byte offsets of the 8-byte IDT gates
	INT3 =8*03
	INT4 =8*04
	INT5 =8*05

	DPL3 =3 SHL 5                   ; DPL field of a gate's access byte
	AR   =5                         ; offset of the access byte within a gate

	;1st  method: DPL of the INT 1 gate
	;NOTE(review): reads the IDT through a DPL3 data selector; assumes the
	;host maps those pages readable from ring 3 - not checked here.
	MOV   AL,[ESI+INT1+AR]
	AND   AL,DPL3
	SETNE ES:DbPres                 ; DbPres = 1 if the gate's DPL bits are non-zero

     IF DestroyInts EQ Yes
	MOV   [ESI+INT1+AR],AL          ; stores AL (DPL bits only) over the gate access bytes
	MOV   [ESI+INT3+AR],AL
     ENDIF

	;2nd  method: spacing of the handler offsets of INT 3/4/5
	MOV   EAX,[ESI+INT5+4]          ; gate bytes 4..7: offset 31:16 in the upper word
	MOV   ECX,[ESI+INT4+4]
	MOV   EDX,[ESI+INT3+4]
	MOV    AX,[ESI+INT5]            ; gate bytes 0..1: offset 15:0 -> EAX = full 32-bit offset
	MOV    CX,[ESI+INT4]
	MOV    DX,[ESI+INT3]
	SUB   EAX,ECX                   ; EAX = off5 - off4
	SUB   ECX,EDX                   ; ECX = off4 - off3
	SUB   EAX,ECX                   ; EAX = (off5-off4) - (off4-off3)
	OR    AL,AH                     ; low 16 bits non-zero: handlers not evenly spaced
	OR    ES:DbPres,AL

	MOV   AX,1                      ; INT 31H/0001: free descriptor BX
	INT   31H
	SETNC ES:Gut                    ; Gut = 1 if this succeeded; earlier failures leave NoNo
      BadDPMI:
	.EXIT                           ; INT 21H/4CH from PM; relies on the host reflecting it
					; to the real-mode vector, which now points at New21

      New21:                           ; real-mode INT 21H hook
	PUSHF
	CMP   AH,4CH                    ; terminate request: take our own exit path
	JE    IsExit
	POPF
	DB    0EAH                      ; JMP FAR ...
	Old21 DD  ?                     ; ... to the saved vector (the immediate operand)

      IsExit:
	LSS   SP, CS:MyStack            ; back on the real-mode stack saved above

	PUSH  0
	POP   FS

	PUSH  CS
	POP   DS

	;RESETINTVEC21
	PUSH  Old21
	POP   Vec21
	STI

	;if needed pop registers here


	CMP   Gut,Yes                   ; NoNo: the DPMI part did not complete
	LEA   DX,NoDPMI
	JNE   Write

	CMP   DbPres,NoNo               ; read only after Gut == Yes, so always initialised
	LEA   DX,DebPres
	JNE   Write

	LEA   DX,AllRight

      Write:
	MOV   AH,9                      ; DOS: print '$'-terminated string at DS:DX
	INT   21H
	.EXIT

BigDesc  DQ   008FF2000000FFFFH         ; data descriptor: base 0, limit 0FFFFFH, G=1 (4 GB), P=1, DPL=3, R/W

AllRight DB 13,10,"WinICE not detected!",36
NoV86	 DB 13,10,"V86 mode required!",36
NoWin	 DB 13,10,"Windows required!",36
NoDPMI	 DB 13,10,"Bad DPMI!",36
DebPres  DB 13,10,"WinICE detected!",36

Gut	 DB   NoNo                      ; set by SETNC only on the full-success path
DbPres	 DB   ?                         ; written by SETNE / OR in PM

MyStack  LABEL DWORD                    ; SS:SP snapshot for LSS (SP low word, SS high word)
_SP	 DW   ?
_SS	 DW   ?

GoDPMI	 DD   ?                         ; DPMI mode-switch entry point (offset, segment)

IDT	 LABEL FWORD                    ; 6-byte SIDT operand
 IDTSize DW   ?
 IDTBase DD   ?

END
##############################################################################

			      Dumping subsection

##############################################################################
Name: Passive antidumping (can be seen in AdFlt2.com)
Of course, usable only in protector code against INT21-based dumpers.
##############################################################################

;......

 ;--------------------------------------------------------------
 ; Delete(From2, To3): fill CS:[From2 .. To3) with AL via REP STOSB.
 ; PASCAL convention: arguments pushed left to right, callee cleans up.
 ; AL is NOT set here - the fill byte is whatever the caller left in AL.
 ; NOTE(review): no check that To3 >= From2; a reversed range makes CX
 ; wrap to a large count.  Preserves CX, DI, ES (USES).
 ;--------------------------------------------------------------
 Delete PROC PASCAL From2,To3
  USES CX,DI,ES
  PUSH CS
  POP  ES                       ; ES = CS: the code segment is the target
  MOV  DI,From2
  MOV  CX,To3
  SUB  CX,DI                    ; CX = byte count (To3 - From2)
  CLD
  REP  STOSB
  RET
 ENDP

 ClearAll:                      ; reached from New21B on AH=4CH (program exit)
  CALL Delete PASCAL,OFFSET INFO,8000H   ; wipe CS:[INFO..8000H) with AL (INFO defined elsewhere)
  PUSH CS:Old21B                ; restore the original INT 21H vector (Old21B defined elsewhere)
  POP  DWORD PTR FS:4*21H       ; assumes FS = 0 (set elsewhere, not on this page)
  INT  20H                      ; terminate (requires CS = PSP, true in TINY model)
  ;CALL CS:Old21B

  Yes	EQU 1
  NoNo	EQU 0

  _AX	DW ?                    ; AX saved by New21B for the decrypt pass
  In21	DB NoNo                 ; reentrancy flag: Yes while inside the hooked INT 21H

 ;--------------------------------------------------------------
 ; EnCrypt(From, To2, Consa): XOR CS:[From .. To2) with one key byte.
 ; The key is read from Consa+1, i.e. the high byte of the word the
 ; caller pushed for Consa (callers here pass AX, so the key is AH).
 ; XOR is symmetric: a second call with the same key restores the bytes.
 ; The loop is do-while: the byte at From is processed even if From >= To2.
 ; Preserves AX, BX (USES).
 ;--------------------------------------------------------------
 EnCrypt PROC PASCAL From,To2,Consa:byte
  USES	AX,BX
  MOV	BX,From
  MOV	AL,Consa+1              ; key byte (high byte of the pushed word)
 EE21:
  XOR	CS:[BX],AL
  INC	BX
  CMP	BX,To2
  JB	EE21                    ; unsigned: loop while BX < To2
  RET
 ENDP

 ;--------------------------------------------------------------
 ; New21B: INT 21H hook.  Chains straight to the old handler
 ; (NormalInt) for AX=4B00H, AH=31H and while already inside (In21).
 ; AH=4CH goes to ClearAll.  Otherwise: encrypt RealStart..Owner with
 ; AH as key, call the old handler, decrypt with the same key (kept in
 ; _AX), and return to the caller with the flags DOS produced.
 ; Stack: the PUSHF at entry plus the far CALL build the
 ; FLAGS/CS/IP frame that the old handler's IRET pops; the final
 ; RETF 2 discards the caller's original FLAGS word so DOS's flags
 ; survive.  RealStart / Owner / Old21B are defined elsewhere.
 ;--------------------------------------------------------------
 New21B:
  PUSHF                         ; restored at NormalInt, or consumed by the old handler's IRET
  CMP AX,4B00H                  ; EXEC: pass through
  JE  NormalInt
  CMP AH,31H                    ; TSR: pass through
  JE  NormalInt
  CMP CS:In21,Yes               ; nested call: pass through
  JE  NormalInt
  CMP AH,4CH                    ; exit: wipe and terminate
  JE  ClearAll
  MOV CS:In21,Yes
  MOV CS:_AX,AX                 ; keep the key (AH) for the decrypt pass
  CALL EnCrypt PASCAL,OFFSET RealStart,OFFSET Owner,AX
  STI
  CALL CS:Old21B                ; far call; its IRET also pops the PUSHF'd flags
  PUSHF                         ; preserve DOS's result flags across EnCrypt
  CALL EnCrypt PASCAL,OFFSET RealStart,OFFSET Owner,CS:_AX
  POPF
  MOV  CS:In21,NoNo
  RETF 2                        ; far return, dropping the interrupt frame's FLAGS
 NormalInt:
  POPF
  JMP  CS:Old21B                ; chain to the original handler
;......
##############################################################################

With the above routines and good encryption you are able to write a simple protector.


Briefly
-------
-Make protector Windows compatible
-Don't use ports (and IRQs) in protectors
-Don't check for 286-
-Under Win: SP_in_INT8 is not equal to SP_before_INT8 - 6
-Don't use duplicate or multiplicate bkpts
-When a text file contains many TABs then it was written in DN/RITLabs
-#3 and #4 are available on SatanDischarge (hi david!)

Contact
-------
E-mail for the public is elicz@post.cz. You can try ICQ, #cracking, #EliCZ


pHILO at end
------------
-Compare number of protectors with number of protected files ;)
-The best protected exe is that you can't run!

Bye,
EliCZ, big altruist