("Exploring a weak protection scheme")

by The Undertaker

(24 September 1997, slightly edited by fravia+)

Courtesy of fravia's page of reverse engineering

Well, here is a new essay from our Sri Lankan friend, The Undertaker, who "tackles" here a commercial protector... and, as usual, said protectors make a very meagre figure! You'll learn something about keyboard & timer interrupt masking routines and the usual anti-softice trick (MOV SI,4647) here.
A small criticism: can you please please remember to GIVE THE EXACT LOCATION where we can download your targets? Yes, we all know how to search and find them... but what's the point of keeping to oneself basic information like the BEST (quickest, "bandwidthest") location for downloading our targets?

Exploring a weak protection scheme
The Undertaker -=BANDA=-

Well, I thought that Jeremy was a good software protectionist.
My thoughts were shattered once I saw his protexe! program.
Actually I expected lots of traps, of anti-debugging tricks, of new methods
of protection from a program named "protexe"!
But I ended up with a big sad disappointment.
Here is the story called "Promising a lot and Delivering scant".
I think every reverser will feel like I do about protexe!.

How I proceeded:
First I encrypted a .EXE file using protexe!. 
I called it test.exe
Then I used Soft-Ice 2.80 to analyse the encrypted program. 
Let's go, +friends:
Load the encrypted program using Softice's loader.

ldr test.exe

In the early part of the encrypted file you can see
keyboard & timer interrupt masking routines like:

XXXX:XXXX OUT   21,BA           -->     Keyboard mask.
XXXX:XXXX OUT   21,BB           -->     Keyboard & timer mask.

Lame tricks, aren't they?
Avoid all these (don't trace into them), put a breakpoint & go.


You'll land here...

XXXX:0194 CC            INT     3
XXXX:0195 EBFD          JMP     0194
XXXX:0197 AC            LODSB
XXXX:0198 00F8          ADD     AL,BH
XXXX:019A 4A            DEC     DX
XXXX:019B 7503          JNZ     1A0
XXXX:019D 83E909        SUB     CX,+9         --> ***
XXXX:01A0 76E3          MUL     BL

Now put an execution breakpoint on 19D & go.

BPX   19D

Then trace through the code until you see this:

XXXX:01F7 E421       IN      AL,21
XXXX:     3403       XOR     AL,03   --> Enabling the previously
XXXX:     E621       OUT     21,AL   --> masked keyboard & timer int.

The rest of the code seems to be a CRC checking routine.
Skip all this junk until you find the following snippet:

XXXX:024B E90000        JMP     24E
XXXX:024E E90000        JMP     251
XXXX:0251 8B868802      MOV     BX,[BP+288]

Mmmmm! Two near jumps with no effect.
Suspicious, isn't it?
But these two jumps will take you somewhere else if your .EXE file
was compressed before being run through protexe!.
If the file is compressed, these jumps take you to the decompression
routines of the packer.
But if you didn't use any compression utility before using
protexe!, the above jumps have no effect.
Ok! It does not matter anyway whether those jumps have any effect on your
own test file or not, just skip the rest of the code (don't trace into
nor process it) and scroll your code window until you see the following:

XXXX:0352 E2F3          LOOP    347
XXXX:0354 BE4746        MOV     SI,4647       --> **
XXXX:0357 B81109        MOV     AX,911
XXXX:035A CC            INT     3

Remember the Anti-Debugging tricks used to kick Soft-Ice. 
If you don't know or remember them, then read the relevant articles 
provided on Fravia's. 
The above code looks to me like a very simple lame anti-debugging trick to kick
Let's quickly crack this before we proceed.

Before you execute INT 3 set SI=0.
Otherwise SoftIce gets stoned.
Then execute the INT 3 and process until you see the far jump.
This jump takes you to the original code of the .EXE file.

XXXX:XXXX    JMP  XXXX:XXXX   --> This jump takes you to the
                                  beginning of the unprotected code.
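An added example, not code from the essay or from protexe! itself: a small Python scanner that flags the three idioms walked through above (the port 21h mask writes, the IN/XOR/OUT unmask step, and the MOV SI,4647 / INT 3 SoftICE check) in a raw code image, so an analyst can spot them statically before stepping through with the debugger. It assumes the "OUT 21,BA" lines are encoded as MOV AL,imm8 followed by OUT 21h,AL; the sample bytes are constructed.

```python
import re
from typing import List, Tuple

PIC_TIMER = 0x01     # IRQ0 bit in the 8259 master mask register (port 21h)
PIC_KEYBOARD = 0x02  # IRQ1 bit


def describe_mask(mask: int) -> str:
    """Name the IRQ lines a value written to port 21h masks (bit set = masked)."""
    masked = [name for bit, name in ((PIC_TIMER, "timer"), (PIC_KEYBOARD, "keyboard"))
              if mask & bit]
    return "+".join(masked) or "none"


# Byte signatures for the idioms the essay walks through. Assumption: the
# "OUT 21,BA" lines are encoded as MOV AL,imm8 (B0 ib) then OUT 21h,AL (E6 21).
SIGNATURES = [
    (rb"(?s)\xB0(.)\xE6\x21", "PIC mask write"),
    (rb"\xE4\x21\x34\x03\xE6\x21",
     "IN AL,21h / XOR AL,03 / OUT 21h,AL: toggles the timer+keyboard mask bits (unmask step)"),
    (rb"\xCC\xEB\xFD", "INT 3 followed by JMP back to it: debugger trap loop"),
    (rb"\xBE\x47\x46\xB8\x11\x09\xCC", "MOV SI,4647h / MOV AX,0911h / INT 3: SoftICE presence check"),
]


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for pattern, label in SIGNATURES:
        for m in re.finditer(pattern, code):
            if m.groups():  # the mask-write pattern captures the immediate byte
                mask = m.group(1)[0]
                hits.append((m.start(), f"{label} {mask:02X}h: masks {describe_mask(mask)}"))
            else:
                hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not bytes from protexe!): NOP padding, the two mask writes,
# the INT 3 trap loop, the unmask sequence, and the SoftICE check after a LOOP.
SAMPLE = (
    b"\x90" * 4
    + b"\xB0\xBA\xE6\x21"                      # MOV AL,BAh ; OUT 21h,AL  (keyboard masked)
    + b"\xB0\xBB\xE6\x21"                      # MOV AL,BBh ; OUT 21h,AL  (keyboard+timer masked)
    + b"\xCC\xEB\xFD"                          # INT 3 ; JMP back to the INT 3
    + b"\xE4\x21\x34\x03\xE6\x21"              # IN AL,21h ; XOR AL,03 ; OUT 21h,AL
    + b"\xE2\xF3\xBE\x47\x46\xB8\x11\x09\xCC"  # LOOP ; MOV SI,4647h ; MOV AX,0911h ; INT 3
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"{offset:04X}: {what}")
```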

Do you think such a protexe! can protect your programs?
D'you think you can get at least a 20% improvement in terms of protection?
I think that our Jeremy should re-think twice the coding of his protection
Anyway no protector can protect 100% (should you believe you have found one,
take a little rest and then crack it :-)
But at least a commercial protector should be able to do its job to some
extent. So I was deceived.
But I found a good thing in protexe! Let's give Jeremy some merit: its good 
CRC checking scheme, and its integration, both are good and well written. 
Unfortunately this can be bypassed very easily as well, as you have seen :-)
By the way, let's not have an "eurocentric" vision of the world: most of the 
countries don't have any "software laws" at all! Including my country: Sri 
Because of this, every protectionist's job is and will remain very open and 
So there is no point in annoying the few that try to study seriously all these 
banal and uselessly stupid protection schemes in Europe or in the States... 
should it be necessary, we'll move the whole cracking scene inside a server in
SriLanka or elsewhere... and get much nastier :-)

Greetings go to all HCU+ friends....

The Undertaker -=BANDA=-         //SRI LANKA//
(c) The Undertaker 1997. All rights reversed