Beijing Paradise BBS Backup

home *** CD-ROM | disk | FTP | other *** search

/ Beijing Paradise BBS Backup / PARADISE.ISO / software / CRACK / CS101.ZIP / CS.DOC < prev next >

Wrap

Text File | 1997-11-16 | 28.7 KB | 593 lines

CrackStop (CS) v1.01 Executable Protection Tool (C) Copyright 1997 Stefan Esser All Rights Reserved July-August, 1997 Program Documentation ────────────────────────────────────────────────────────────────── Table Of Contents ────────────────────────────────────────────────────────────────── 1 CrackStop (CS) ─────────────────────────────────────────────── 1.1 What Is CrackStop? ..................................... 2 1.2 Why Should I Choose CrackStop? ......................... 2 1.3 How To Use CrackStop? .................................. 3 1.4 Commandline-Parameters ................................. 4 1.5 Files That Cannot Be CrackStopped ...................... 4 2 Technical Notes ────────────────────────────────────────────── 2.1 How Does An Unpacker Work? ............................. 5 2.2 How Does CrackStop defeat hacking tools? ............... 6 2.3 Requirements To Use CrackStop .......................... 6 2.4 Compatibility .......................................... 7 2.5 Signatures ............................................. 7 3 Legal Terms And Disclaimer ─────────────────────────────────── 3.1 Disclaimer ............................................. 8 3.2 License - Shareware .................................... 8 3.3 Distribution Restrictions .............................. 9 4 Closing ────────────────────────────────────────────────────── 4.1 Lack of .COM protection ............................... 10 4.2 Registration .......................................... 10 4.3 Updates ............................................... 10 4.4 Enhancements In Future Versions ....................... 11 4.5 How To Contact Me ..................................... 11 4.6 Credits / Greetings ................................... 12 4.7 Finally ............................................... 12 CrackStop Documenation Page 2 ────────────────────────────────────────────────────────────────── ────────────────────────────────────────────────────────────────── Section 1: CrackStop (CS) ────────────────────────────────────────────────────────────────── 1.1 What Is CrackStop? ─────────────────────────────────────────── CrackStop is a tool, that creates a security envelope around your executables, to protect them against crackers. If a cracker wants to "register" shareware, he normaly traces with SoftICE trough the program until it says: "Unregistered Shareware". There he analyses the programcode until he finds the bytes he has to patch, or until he recognized the way the registration number is calculated. And normaly it is not very hard for a cracker to get out, how the registration numbers are calculated,because in most cases programs are written in high-level languages with high-level math routines. And It is not hard for a cracker to recognize, which math routine was called, if he has got the source-code of the libaries. Once some friends of mine thought, that there registration number would be hard to crack and gave it to me for a test. It was really not hard to crack. I used my Turbo Pascal math routine detecter to find out where f.e.: the SQRT is (position in the executable) and voilá they used it several times for their registration numbers. If you really want secure routines, you have to write them on your on in deep assembler (f.e.: one-way math). But if you are not able to write such things you should try Crack- Stop, which encrypts your exefile, so that no scanner can find the routines. The cracker must first unpack it. And because there is no automatic unpacker for CS available he has to do that by hand. On the other hand this encryption hinders him tracing, because he has to remove CrackStop before. 1.2 Why Should I Use CrackStop? ────────────────────────────────── CrackStop is the only protector I know, which cannot be unpacked by all the tools that are spreaded trough the Internet. CrackStop resists even the very best tracer: GTR, which is now a product of the United Cracking Force. Needless to say, that CrackStop cannot be removed by CUP386 or TR by Liu Taotao. If you should find a tool that is able to remove CrackStop, please send it to me and you will get an updated version of CrackStop. If you are the author of such a tool, send it to me, and you will get an *registered* updated version. Using CrackStop will make your programs uncrackable for any begin- ner. Of Course It is possible to remove the envelope by hand, but this takes much time and much experience is a must, because CS has Anti Debugger Code in it, which should even kick some versions of SOFT- and WINICE. CrackStop Documenation Page 3 ────────────────────────────────────────────────────────────────── Another reason is, that the registration - costs of CrackStop are very low and spending 40,- DM will give you a security which is worth more than ten times the registration costs. 1.3 How To Use CrackStop? ──────────────────────────────────────── The command-line syntax for CrackStop is the following: cs filespec [-/options] You can use and mix as many filespecs and options as you want: cs 1.exe -b is just as allowed as: cs 1.exe -o 2.exe -k 3?.* For example to protect all your .EXE files in the current direc- tory without generating backup files type: cs *.exe To protect FORMAT.EXE and generate a .OLD backup file type: cs FORMAT.EXE -o <OR> cs -o FORMAT.EXE CrackStop will automaticly detect if the file is a valid .EXE file and will tell you if its protection was successfull or not. Anyhow you should keep a backup copy of your file, until you know, that your program runs correctly after the process of protection. CrackStop Documenation Page 4 ────────────────────────────────────────────────────────────────── 1.4 Commandline-Parameters ─────────────────────────────────────── CrackStop can handle a number of additional parameters: Parameter Meaning ~~~~~~~~~ ~~~~~~~ -?, -h Displays a short help, how to use CrackStop -^ Shows internal compiler information about the cs.exe file. (f.e.: compilation date) -b Makes a backup file with the extension ".BAK". WARNING: older backup files will be overwritten -o Makes a backup file with the extension ".OLD". WARNING: older backup files will be overwritten! -p Shows the personalised text saved in CrackStop -s "Increase Stack" helps sometimes if the file crashes after protection. DO NOT USE ON ANOTHER LAYER OF CS! -k Do not add the signatures! (only registered version) NOTE: Options are not case sensitive. You can introduce an option with '/', '-' or ','. EXAMPLES: cs /? cs ,p cs -^ cs /o 1.exe 2.exe cs ?.exe -b a*.exe 1.5 Files That Cannot Be CrackStopped ──────────────────────────── CrackStop cannot protect new, linear or portable executables. They are for the Windows(3.1, 95, NT) or for the OS/2 enviroment and do not run under DOS. They only contain a small program(the so called STUB) which tells something like "This program requires Windows". Furthermore, because of the structure of CrackStop, it is not pos- sible to protect files in the 600.000 Bytes neighbourhood. In fact CrackStop can only protect a file if it fits completly into memory during the process of protection. In this version it is also not possible to protect .EXE files with attached overlays, because in many cases these files do not work afterwards. Finally CrackStop also refuses to protect files with an invalid EXE header. Hint: If protecting with CrackStop failes, try to compress the file with a program like WWPACK, PKLITE or LZEXE before. If one of them is able to compress the file you should be able to protect it afterwards. CrackStop Documenation Page 5 ────────────────────────────────────────────────────────────────── ────────────────────────────────────────────────────────────────── Section 2: Technical Notes ────────────────────────────────────────────────────────────────── 2.1 How Does An Unpacker Work? ─────────────────────────────────── There are 4 different kinds of unpackers: Normal Unpackers ~~~~~~~~~~~~~~~~ This kind of unpackers determine if the file is compressed by one of the supported packing tools. Then they either unpack the file with their own code or let the packed program run, until it has unpacked itself. When the unpacking procedure has ended the code is written back to disk. EXAMPLES: unWWPACK Tracing Unpackers ~~~~~~~~~~~~~~~~~ These unpackers are advanced versions of the above unpackers.They additionally trace the file until they get to a known compression routine or an interrupt is called. (IF AN INTERRUPT IS CALLED THE TRACING IS STOPPED WITH AN ERROR MESSAGE) EXAMPLES: UNP, TRON Generic Unpackers ~~~~~~~~~~~~~~~~~ This kind of unpackers hook the Interrupt 21h and wait until the startup code of compilated programs call DOS - API functions. The unpacker then trys to determine, which compiler has compiled the victim and uses compiler- signatures to detect the original file- size. This is done 2 times to reconstruct the relocation table of .EXE files. Those unpackers do not need to know a single compres- sion routine. EXAMPLES: INTRUDER, UPC, TEU, ENTPACK Generic Tracing Unpackers ~~~~~~~~~~~~~~~~~~~~~~~~~ These unpackers do neither know any startup code, nor compression routines. They use advanced tracing methods and anti-anti tracing code to unpack really every file they meet.They often work in the V86-MODUS because some anti-tracing traps can only be defeated in a protected enviroment. They trace until they get to opcodes like JMP FAR, RETF, CALL FAR or IRET . Then they test if the file has been decrypted/decompressed (changes in the first bytes) and dump it back to disk. This is also done with a 2 pass technique to re- construct the relocation table. EXAMPLES: CUP386, GTR CrackStop Documenation Page 6 ────────────────────────────────────────────────────────────────── 2.2 How Does CrackStop defeat hacking tools? ───────────────────── UNPACKERS: ~~~~~~~~~ To prevent unpacking by one of the above described tools CrackStop uses many different methods. I think that the presence of the se- curity envelope by itself is enough to protect your programs again all the 'Normal Unpackers'. They cannot even detect a compression, because there is the envelope around it. To defeat the second type of unpackers ('Tracing Unpackers') CrackStop uses many different anti-tracing tricks. These tricks fool not only all the real mode tracers but also many protected mode tracers and debuggers. CUP386 is the only protected mode tracer I know, who can trace trough all traps (but there are not only anti-tracing traps). During my work I discovered among other thinks, that there is a bug in WIN95 which will be a very big hindrance for all tracers. (THANX GATES!) This is one of the reasons, why it is not possible to trace trough the CrackStop envelope with WINICE-95. To defeat the 'Generic Unpackers', CrackStop uses on the one hand faked startup-code and on the other hand detection of these tools. CrackStop also includes a generic - ' Generic Unpacker ' detection routine which is able to detect Intruder clones like UPC.(NOT TEU) The last type of unpackers ('Generic Tracing Unpackers') can only be screwed up by memory detection and very tricky tracing - traps. The best example is CUP386 v3.3a! This tool can only be stopped by memory detection. SAGE the author of this nearly perfect program has achived very good work. !!! I take off my hat to SAGE !!! DISASSEMBLERS: ~~~~~~~~~~~~~ Disassembling of the CrackStop envelope isn't possible with a tool like Sourcer or IDA, because of multiple layers of encryption and so called smokey - code. You can try to disassemle it by hand, but 3 Kilobytes of assembler code is very much to disassemble... DEBUGGERS: ~~~~~~~~~ The last thing you can try is tracing trough the envelope by hand, but this is only possible, if you are a very experienced person, because of all the anti-debugging traps in CrackStop. For example: CrackStop protected programs do not even run under Soft-ICE, which is known as the best debugger at all. 2.3 Requirements ───────────────────────────────────────────────── CrackStop is written entirely in assembler using the 8086 instruc- tion set. That means, that CrackStop can even run on a XT without problems. Sorry, I cannot test that, because I do not have such an old maschine. Furthermore the security envelope of CrackStop does not use prefetch queue tricks, because they do not work on a iNTEL PENTIUM. It invalidates its prefetch queue if it detects a write to the cached instructions... CrackStop Documenation Page 7 ────────────────────────────────────────────────────────────────── 2.4 Compatibility ──────────────────────────────────────────────── CrackStop was tested on many different systems to ensure compati- bility.In fact the completion of CrackStop was planned to be three weeks ago. But there was an incompatibility with WINDOWS 95. WIN95 contains some 'dirty' parts. Examples: 1. Some instructions do not work during self-tracing sequences. 2. WIN95 does not emulate some port-accesses correctly. But this 'bugs' are eliminated and further testing was successful! Now I cannot find any incompatibilitie,but that does not mean that there are not incompatibilities anymore. If you should find such crap contact me, please. My own system: ~~~~~~~~~~~~~ ASUS -VL- board, INTEL 486 DX/2 66, 256 kb Cache, 8Mb SiMM memory, ca. 1,5GB HD space, 3.5" & 5.25" drives, ET4000 - 1MB, SB AWE 64, Mitsumi 4x CDROM, DOS 6.2, Windows 3.11, Qemm 2.5 Signatures ─────────────────────────────────────────────────── CrackStop adds a 4 byte signature to the end of protected files. The same signature will be placed at offset 1Ch into the exeheader if the program was compressed with WWPACK or LZEXE 0.9? before. Here is the description of the signature: ┌─────────┬────────┬────────┬────────┬────────┐ │ Version │ Byte 1 │ Byte 2 │ Byte 3 │ Byte 4 │ ├─────────┼────────┼────────┼────────┼────────┤ │ 1.01 │ 'C' │ 'S' │ 1 │ 01 │ │ 2.13 │ 'C' │ 'S' │ 2 │ 13 │ └─────────┴────────┴────────┴────────┴────────┘ NOTE!!!: As a registered user, you can order CrackStop to do not add this signature. CrackStop Documenation Page 8 ────────────────────────────────────────────────────────────────── ────────────────────────────────────────────────────────────────── Section 3: Legal Terms And Disclaimer ────────────────────────────────────────────────────────────────── It's a pity we live in a world where the following kind of crap is necessary. Here it goes... 3.1 Disclaimer ─────────────────────────────────────────────────── The only guarantee behind CrackStop v1.01 is that it has the abil- ity to alter EXE files. Due to the enormous number of possible EXE files and variety of computer systems, it is impossible for the author (Stefan Esser) to guarantee CrackStop. CrackStop is pro- vided "as is", and as the user, you have been warned that using CrackStop implies that you understand that compatibility and other problems may arise. You, as the user, are responsible for any dam- age caused by using or misusing CrackStop, and under no circum- stances may the author (Stefan Esser) be held liable for loss of profits or any other damages arising from CrackStop. Also, it is your responsibility to use CrackStop only in a lawful manner. Risk of incompatibility and damages resulting from CrackStop is actually quite small -- I have optimized for maximum compatibility in creating CrackStop. However, if you try to make it mess up, it probably will. Just remember that it is not my fault if you misuse my program. 3.2 License - Shareware ────────────────────────────────────────── CrackStop is neither public domain nor free. The whole package, as it is released by me is copyrighted (C) 1997 by Stefan Esser. All rights reserved. The whole package is protected by the Copyright laws of Germany. Any use of this software, which violates the Copyright law or the terms of this limited license will be prosecuted to the best of my ability. (In my family there are many lawyers!) The conditions under which you may copy this package are clearly outlined below under 'Distribution Restrictions'. CrackStop is distributed as SHAREWARE. You may use CrackStop only for the purposes of evaluation (after understanding the disclaimer and the rest of this documentation) for 50 days. Under no circum- stances you may distribute files, which are protected with the un- registered version of CrackStop. Doing so, violates international laws. If you find CrackStop usefull after your trial period, you must register it. CrackStop Documenation Page 9 ────────────────────────────────────────────────────────────────── I hereby guarantee you a limited licence to use CrackStop for a period of 50 days for evaluation purposes only. If you intend to continue using CrackStop after the 50 day evaluation period, you must make a registration payment to me (Stefan Esser). Using this program after the 50 day evaluation period without registering the software is a violation of the terms of this limited licence and brings automaticly its termination along. I strictly forbid to decompile, disassemble, modify or otherwise reverse engineer this program. ALL RIGHTS NOT EXPRESSLY GRANTED HERE ARE RESERVED BY STEFAN ESSER 3.3 Distribution Restrictions ──────────────────────────────────── As the copyright holder, I authorise distribution by individuals only in accordance with the following restrictions. The package is defined as the entire file either as 'self extract- ing executable' or an 'archive' as distributed by me. Actually the original archive is ZIP packed. In near future I will probably use RAR. It is forbidden to distribute this package, if it was changed in any way. You're allowed to copy the package for your own use or for others to evaluate, ONLY if the following conditions are met. ■ The package - including all related program files and doc- umentation files - must be distributed only in an unmodi- fied way. Small supplements to the package, such as the introductory or installation batch files are acceptable. But ! this should always be done by supplying EXTRA files, never by alering the package as distributed by me. ■ No price or other compensation may be charged for my pack- age!A distribution cost may be charged for the cost of the diskette, shipping and handling, as long as the total (per disk) does not exceed US$ 10. The package MUST NOT be sold as part of some other inclusive package, nor can it be in- cluded in any comercial or noncommercial software package, without a written agreement from me. ■ I prohibit the distribution of an outdated version of this package, without my written permission. If the version is over 12 months old, you must contact me to ensure that you have the newest version available. ■ You may add this package to a Shareware CD-ROM or a 'Disk of-the-Month', but remeber that you have to ensure that it is the most current version. Also a copy of either the CD or the disk would be a nice act. ■ Under *NO* circumstances you may list this package as free or public domain! This is 'Try-Before-You-Buy' software, it is *NOT FREE*! CrackStop Documenation Page 10 ────────────────────────────────────────────────────────────────── ────────────────────────────────────────────────────────────────── Section 4: Closing ────────────────────────────────────────────────────────────────── 4.1 Lack of .COM protection ────────────────────────────────────── There is one major reason, why CrackStop does not include COM file protection: IT IS ABSOLUTELY NOT POSSIBLE TO WRITE A SECURE COM FILE PROTECTION!!! All the tools out, that claim to be secure can be hacked within seconds! Most times it is not even necessary to use a protected - mode unpacker. Many of the so called unbeatable .COM protectors can be unpacked with real mode tools. And advanced protectors may only double the one second unpacking time... If there is any user who nevertheless wish a .COM file protection, I will probably add this useless thing to CrackStop... 4.2 Registration ───────────────────────────────────────────────── Registration costs you 40,- DM per copy. There are NO additionally "run-time fees"! You can protect and distribute as many files as you like with your copy of CrackStop. Please consult REGISTER.FRM for further information. Differences between registered and unregistered version: 1) The registered version contains neither the "beg remark" nor the ASCII - remark in CrackStopped files, saying that it was protected using a UNREGISTERED SHAREWAREVERSION. 2) Files protected with CrackStop will contain your personali- sed text. 3) The order and length of the antidebugging macros is changed, to ensure that future unprotectors for the shareware-version will not work on files protected by a registered version. Furthermore the registered version supports the "/k" switch, which orders CrackStop to do not add the signatures. Additionaly to the registered version of CrackStop you will re- ceive the newest versions of LamerStop, WWPack Mutator as well as beta versions of CrackStop and my other file protection tools, if available! 4.3 Updates ────────────────────────────────────────────────────── I am sure that I will continue the CrackStop development, because I use the security envelope on my own, and I do not want to see my programs cracked at the same day they are released. If you are a registered user, you can order new versions of CrackStop for half price. CrackStop Documenation Page 11 ────────────────────────────────────────────────────────────────── 4.4 Enhancements In Future Versions ────────────────────────────── If there is enough interest (registratrions!) in CrackStop I will probably add the following features: ■ Relocation and compression of your EXE files. ■ A mutation-engine to keep out all wannabes. ■ Password protection of CrackStopped files (optional). ■ Possibility to do not add Anti-Intruder, Entpack, TEU, UPC code, if your program is written in assembly language or you have already a modified start-up code. ■ More traps and different anti-debugging macros. ■ Handling of Windows 95/Win NT (PE) EXE programs. (I now have all the information I need to do PE crypting I already tried it by hand... Maybe it is finished before XMAS'97) 4.5 How To Contact Me ──────────────────────────────────────────── You should contact me: ■ If you want to register CrackStop... ■ If you find a bug... ■ If you are a nice girl... ■ If you want special information... ■ If you hacked the CS.EXE file... ■ If you wrote a CrackStop Remover... ■ If ... Snail Mail: ~~~~~~~~~~ Stefan Esser Ober Buschweg 9a D 50999 Köln-Sürth Germany EMail: ~~~~~ Stefan.Esser@gmx.de (EMail's only during the schoolyear) CrackStop Documenation Page 12 ────────────────────────────────────────────────────────────────── 4.6 Credits / Greetings ────────────────────────────────────────── I want to thank and greet the following people for inspiring me, finding bugs and doing beta testing of CrackStop: ■ Jeremy Lilley (author of Protect EXE/COM) ■ Hanno Böck (author of ChkExe - Thanks for your support) ■ Quarterdeck (authors of QEMM) ■ Bill Gates (for all the bugs in WIN95) ■ SAGE (author of CUP386 - Great WORK!!!) ■ Hendrix (author of GTR - Nearly Perfect WORK!!!) 4.7 Finally ────────────────────────────────────────────────────── Thank you for evaluating CrackStop and actually reading this long documentation! Sorry for all mistakes! I know my english is miser- able. kind regards Stefan Esser ────────────── E N D O F D O C U M E N T A T I O N ─────────────