Protect! EXE/COM v5.5
(C) 1993-1995 Jeremy Lilley,
All Rights Reserved
March 22, 1995
Program Documentation
=====================
Contents:
---------
What is Protect! EXE/COM v5.5 ?
Some Improvements, Briefly
Requirements
How To Use Protect! EXE/COM
Which Files Can't Be Protected
Legal Terms / Disclaimer
License
Protect! EXE/COM Vs. Other Utilities
Comments on Hacking Protect!
Technical Notes
Compression Notes
What's The Mutation Engine?
Closing
Address
What is Protect! EXE/COM v5.5 ?
-------------------------------
Protect! EXE/COM is a protection, encryption, and
compression utility that has protected programs from tampering
and reverse-engineering for the last two years (and counting).
By attaching a strong security envelope to your DOS EXE
and COM files, the resulting files run normally but look like a
random series of instructions and garbage bytes. This version
provides compression as well as encryption, so your final files
will be smaller. You can still use any other compression program
with Protect! and you may turn off the integrated compression
altogether if you want to. Most importantly, a modification check
using a high-speed CRC, which can be customized by registered
users, prevents the program from running if it has been tampered
with by hackers, viruses, or simply by accident. That way, you can
be pretty certain that your program will come up with all the
proper screens without crashing or hanging due to unwanted
modification. Your program's underlying data will not be left in
the open (to any Dick or Jane with a hex editor or disassembler) and
your code will be safer from others' eyes.
Some Improvements, Briefly
--------------------------
In preparing this new version, I (again) rewrote just about
everything in order to speed execution, to stop hacking programs,
and to integrate the compression. Loading overhead from Protect!
should be slightly lower, particularly for files that are not
compressed. The encryption itself is much more random now due to
some new techniques that I learned. I also took out some anti-
debugging traps that occasionally presented problems under OS/2
(mostly when loading files in the background). The older version
could also cause the user's clock to lose a few seconds whenever a
Protected program was run (seconds can add up quickly), but that
has been taken care of. Most importantly, the few circulating unProtect
programs will no longer work with Protect! v5.5.
Requirements
------------
Protected programs will basically run on any system that the
normal file would run on. Protect! itself requires DOS 3.x or above
and 64k of memory to run in. The files themselves must be below 600k
because Protect! cannot accommodate large overlay files in memory
(in fact, many overlaid files may present a problem for Protect!
because the overlaid data could not be encrypted). You may
still want to have and use a compression utility such as LZEXE or
PKLite (R) in some circumstances, especially if you are using files
over 300-350k (the relocation tables in Protect! get filled usually
around then, so precompressing those files may be most efficient).
How To Use Protect! EXE/COM
---------------------------
The command-line syntax for Protect! EXE/COM v5.5
(ProtExCm.EXE) can be summarized here:
ProtExCm filename[.EXT] [* CRC_Msg.Fil - Registered*] [-N]
The first and only necessary component is the file's name,
with or without the extension (if you have MyProg.EXE and
MyProg.COM, it will do the EXE file if no extension is named).
The modification error message, which is available only to
registered users, is displayed by the file if it has been
modified or tampered with. Unregistered users have a message
stating that the file has been modified but that it was Protected
with an unlicensed copy of Protect! -- a message that you might
not like to place in a file for distribution. Registered users can
save time by putting a message in a file called CRC.MSG or
MODIFIED.MSG (it *must* be in your current directory) and it
will be used unless you explicitly specify another file. The
file can be up to 4k and can basically contain any characters
except for the ASCII 0.
Finally, the -N switch prevents Protect! from trying to
compress the file. You may want to use this if compression is not
significantly reducing the file size or if compression is causing
a noticeable loading delay. If your file has been compressed
previously with LZEXE or PKLite, for example, you would probably
want to use this option to save the time it takes to attempt to
compress the file unsuccessfully.
Here are some usage examples:
ProtExCm MyProg.EXE
(To Protect MyProg.EXE)
ProtExCm MyProg
(To Protect either MyProg.EXE or MyProg.COM)
ProtExCm MyProg.EXE -N
(To Protect MyProg.EXE without trying to compress)
ProtExCm MyProg.EXE MyProg.Msg
(To Protect MyProg.EXE using the contents of MyProg.Msg
for the modification error message)
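The rules above (extension resolution, the default message files, the 4k and ASCII 0 limits on the message, and the trailing -N switch) can be written down as a small resolver. The following is an added example for this page, not code from Protect! itself: it models the documented behaviour of the ProtExCm command line, and it takes the "current directory" as a name-to-contents mapping so it can be exercised without touching a disk. The ProtectJob type and the function names are my own.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional

# Limits and defaults taken from the documentation above.
MAX_MSG_BYTES = 4096                               # "The file can be up to 4k"
DEFAULT_MSG_FILES = ("CRC.MSG", "MODIFIED.MSG")    # looked up in the current directory
NO_COMPRESS_SWITCH = "-N"                          # goes at the end of the command line


@dataclass
class ProtectJob:
    target: str                  # file that will be Protected (upper-cased DOS name)
    message: Optional[bytes]     # modification error message, None when none was supplied
    compress: bool               # False when -N was given


def resolve_target(name: str, files: Mapping[str, bytes]) -> str:
    """An explicit extension is used as given; without one, .EXE wins over .COM."""
    upper = name.upper()
    if "." in upper:
        if upper not in files:
            raise FileNotFoundError(upper)
        return upper
    for ext in (".EXE", ".COM"):
        if upper + ext in files:
            return upper + ext
    raise FileNotFoundError(f"{upper}.EXE / {upper}.COM")


def validate_message(data: bytes) -> bytes:
    """Enforce the two documented limits on the message file."""
    if len(data) > MAX_MSG_BYTES:
        raise ValueError(f"message exceeds {MAX_MSG_BYTES} bytes")
    if b"\x00" in data:
        raise ValueError("message may not contain ASCII 0")
    return data


def parse_command(argv: list[str], files: Mapping[str, bytes]) -> ProtectJob:
    """argv is everything after 'ProtExCm'; `files` stands in for the current
    directory (name -> contents) so the example runs without touching disk."""
    args = list(argv)
    compress = True
    if args and args[-1].upper() == NO_COMPRESS_SWITCH:
        compress = False
        args.pop()
    if not args:
        raise ValueError("filename is required")
    target = resolve_target(args[0], files)
    if len(args) > 1:                                     # explicitly named message file
        msg_name: Optional[str] = args[1].upper()
        if msg_name not in files:
            raise FileNotFoundError(msg_name)
    else:                                                 # fall back to CRC.MSG / MODIFIED.MSG
        msg_name = next((m for m in DEFAULT_MSG_FILES if m in files), None)
    message = validate_message(files[msg_name]) if msg_name else None
    return ProtectJob(target, message, compress)
```

Calling parse_command(["MyProg"], files) with both MyProg.EXE and MyProg.COM present picks the EXE, and a CRC.MSG in the mapping is used automatically unless a second argument names another file.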
As you can see, adding the security that Protect! provides
is not a difficult task. It may also be helpful to know that if
the Protected file has been modified, Protect! returns an
errorlevel of 250 to DOS.
Remember that the security of Protect! *depends* on the fact
that a Protected file CANNOT be expanded by Protect! after being
Protected (you can probably see why). The backup file (.OLD) is
provided just in case there is a problem with the Protected file.
If there is a problem, you might want to try to reProtect the
original again or to turn on/off compression.
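The modification check itself is the part of the envelope worth seeing in working form. The block below is an added example written for this page, not Protect!'s own code: a table-driven CRC-32 is computed over the program image and sealed into a 4-byte trailer, then recomputed at load time, and the documented errorlevel 250 is returned when any byte has changed. The trailer layout, the polynomial (the reflected CRC-32 polynomial used by PKZIP, standing in for the "customized" CRC available to registered users) and the function names are my own assumptions; the page does not describe Protect!'s real envelope.

```python
import struct
from functools import lru_cache

MODIFIED_ERRORLEVEL = 250          # documented exit code for a tampered file
IEEE_POLY = 0xEDB88320             # reflected CRC-32 polynomial (PKZIP/zlib); assumed, not Protect!'s


@lru_cache(maxsize=None)
def crc_table(poly: int) -> tuple:
    """Byte-indexed lookup table for a reflected CRC-32 with polynomial `poly`.
    Changing `poly` is how this example models a 'customized' CRC."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return tuple(table)


def crc32(data: bytes, poly: int = IEEE_POLY) -> int:
    """Table-driven CRC: one lookup and one shift per byte."""
    table = crc_table(poly)
    c = 0xFFFFFFFF
    for b in data:
        c = table[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def seal(image: bytes, poly: int = IEEE_POLY) -> bytes:
    """Append the CRC of the image as a little-endian trailer (constructed layout)."""
    return image + struct.pack("<I", crc32(image, poly))


def check(sealed: bytes, poly: int = IEEE_POLY) -> int:
    """Recompute the CRC over everything before the trailer. Returns 0 when the
    image is intact and MODIFIED_ERRORLEVEL (250) when it has been altered."""
    if len(sealed) < 4:
        return MODIFIED_ERRORLEVEL
    image, trailer = sealed[:-4], sealed[-4:]
    expected = struct.unpack("<I", trailer)[0]
    return 0 if crc32(image, poly) == expected else MODIFIED_ERRORLEVEL


def flip_bit(data: bytes, offset: int, bit: int) -> bytes:
    """Simulate a one-bit change such as a hex-editor patch or media damage."""
    b = bytearray(data)
    b[offset] ^= 1 << bit
    return bytes(b)
```

A single flipped bit anywhere in the image turns check() from 0 into 250. The limit of the technique is just as visible: a CRC is not a keyed authentication code, so anyone who knows the polynomial and the trailer layout can patch the image and reseal it. That is why the text pairs the CRC with encryption and anti-debugging rather than relying on the CRC alone, and why a modern equivalent would use a digital signature.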
Which Files Can't Be Protected
------------------------------
Protect! EXE/COM cannot Protect Windows (R) and OS/2 (R) EXE
files because the formats for these files are substantially
different and more complex than the regular DOS EXE format. For
your information, a Windows EXE basically starts out looking
(from Protect's perspective) like a small DOS EXE that can only
display a message that "This file requires Windows." There is a
pointer to a Windows New EXE header, which Windows finds and uses
as the Windows file. I have written a freeware program called
EXE-Combine that exploits this and allows you to attach a DOS
program to a Windows program. Protect! will now automatically
detect if a file is for Windows or OS/2 so that you don't waste
your time trying to Protect them.
Also, due to the structure of Protect!, files larger than
the 600k neighborhood can't be Protected (because the entire file
has to fit in memory all at once when it loads). This
fact, of course, makes Protect! worthless for xBase files where
the basic "Hello World" EXE can be over a meg. Don't try to
Protect COMMAND.COM, etc.
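The automatic detection mentioned above rests on the DOS EXE header layout: a DOS stub for a Windows or OS/2 program has a relocation-table offset (e_lfarlc, at 0x18) of 0x40 or more, which is the documented signal that the dword at 0x3C (e_lfanew) points to a new-format header carrying an NE, LE, LX or PE signature. Here is an added example for this page, not Protect!'s code, that applies that check plus the 600k size limit from the text; the function names and the constructed headers used to exercise it are my own.

```python
from __future__ import annotations

import struct
from typing import Optional

MAX_PROTECT_SIZE = 600 * 1024   # "files larger than the 600k neighborhood can't be Protected"

# Two-byte signatures found at the offset stored in e_lfanew (documented formats).
NEW_EXE_KINDS = {
    b"NE": "Windows 16-bit / OS/2 1.x (NE)",
    b"LE": "Windows VxD / OS/2 2.0 (LE)",
    b"LX": "OS/2 2.x+ (LX)",
    b"PE": "Win32 (PE)",
}
PLAIN_DOS = ("DOS EXE", "DOS COM (no header)")


def classify_executable(data: bytes) -> str:
    """Decide from the header alone what kind of executable this is."""
    if len(data) < 2 or data[:2] not in (b"MZ", b"ZM"):
        return "DOS COM (no header)"          # COM files carry no header at all
    if len(data) >= 0x40:
        e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
        # A relocation-table offset of 0x40 or more is the documented signal
        # that the dword at 0x3C (e_lfanew) points to an extended header.
        if e_lfarlc >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if e_lfanew + 2 <= len(data):
                kind = NEW_EXE_KINDS.get(data[e_lfanew:e_lfanew + 2])
                if kind:
                    return kind
    return "DOS EXE"


def can_protect(data: bytes) -> tuple[bool, str]:
    """Apply the two refusals from the text: new-format EXEs and oversized files."""
    kind = classify_executable(data)
    if kind not in PLAIN_DOS:
        return False, f"{kind}: format differs from the DOS EXE format"
    if len(data) > MAX_PROTECT_SIZE:
        return False, "file must fit in memory all at once (about 600k limit)"
    return True, kind


def make_mz_header(e_lfanew: Optional[int] = None, new_sig: bytes = b"") -> bytes:
    """Constructed MZ header for the demonstration: a plain DOS EXE when
    e_lfanew is None, otherwise a DOS stub pointing at a new-format header."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, 0x40 if e_lfanew is not None else 0x1C)
    if e_lfanew is None:
        return bytes(hdr)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr).ljust(e_lfanew, b"\0") + new_sig + bytes(14)
```

The e_lfarlc test matters: a plain DOS EXE may have any leftover bytes at 0x3C, so reading e_lfanew without it would produce false "Windows" detections on ordinary files.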
Legal Terms / Disclaimer
------------------------
The only guarantee behind Protect! EXE/COM v5.5 ("Protect!")
is that it has the ability to alter EXE and COM files. The
problem is that Protect! may not always alter every possible file
correctly, and as the author (Jeremy Lilley), I cannot be sued
for problems due to use and misuse of Protect. Protect! is
provided "as is," and, as the user, you have been warned that
using Protect! implies that you understand that compatibility
problems may arise. You, as the user, are responsible for any
damage caused by using or misusing Protect!, and under no
circumstances may the author be held liable for loss of profits
or any other damages arising from Protect. Also, it is your
responsibility to use Protect! only in a lawful manner. No other
warranties or guarantees, express or implied, exist with Protect!,
especially for this evaluation copy.
Risk of damage resulting from Protect!'s use is actually
pretty small, as long as you use it correctly. However, if you
try to make it mess up, it probably will. Just remember that it
isn't my fault if you misuse my program.
Also, all trademarks used are the property of their
respective owners.
License
-------
You may use Protect! EXE/COM for the purposes of evaluating
it (after understanding the disclaimer and the documentation) for
30 days. No files protected by Protect! during this trial period
may be distributed to other computers, commercially or non-
commercially. If you find Protect! to be of use to you, you must
register Protect! with the author ($25). Government, educational,
and commercial institutions must register this program with the
author prior to use (please contact me for quantity discounts).
Sysops, user groups, disk vendors, CD-ROM vendors and other
similar organizations may distribute Protect! provided that no
files are excluded from the distribution and that no more than
$10 (except for CD-ROM) is charged for distribution.
Much of Protect!'s protection and encryption capability
comes from its anti-debugging and anti-hacking code. In order to
keep loading time to a minimum (yes, 1000-bit, military-grade
decryption keys *do* take a while to process), the encryption key
length is nothing (some advanced math with 32-bit numbers) compared
to the encryption keys regulated for export from the US. In
addition, since the decryption mechanism is and needs to be located
on the file, the Protected files themselves are not subject to US
export restrictions. However, the ProtExCm.EXE and this Protect!
EXE/COM package should be kept away from Iran, Libya, and communist/
communist-nostalgic nations that the US has normal trade restrictions
with.
Protect! EXE/COM Vs. Other Utilities
------------------------------------
Protect! EXE/COM's first concern is security. No other
program emphasizes the modification checking using a CRC to the
extent that Protect! does. Try PKLITing an EXE file and changing a
byte or two in the middle of the file (find parts of text that
you can still recognize slightly). As long as the program doesn't
crash (it may if you've messed too much with the code portions),
PKLITE won't notice your changes at all. A hacker can also
decompress a program compressed with PKLITE or LZEXE quite easily
-- even if a program is compressed with the "invincible" -E
option on the professional version of PKLITE. After
decompressing, any hacker can change your program (remove
copyright screens, disassemble code, etc...), compress it
again, and spread it around, possibly damaging your profits, your
reputation, and others' computers (I hope you have a good
disclaimer...). Fortunately, hacking is not quite that rampant,
but it still is a possibility and a risk, and it is much better
to pay a few dollars up-front to be safe than to be sorry in the
future.
Comments on Hacking Protect!
----------------------------
Some users of Protect! EXE/COM have pointed out files,
mostly found on illegal bulletin boards, that have been able to
remove the protection from previous versions of Protect. It is
sometimes interesting to read their documentation ("aNArky Rulz,
d00Dz") and even more interesting to watch them fail the majority
of the time. The programs themselves often spread viruses to the
curious user. After watching some security mechanisms work better
than others (it will be fun to see the reactions of some hackers
who discover some of the new traps and ideas), I know that no
software-only program (or even hardware-based) is fool-proof,
but Protect! v5.5 puts together some of the toughest combinations
of traps that will work compatibly under the DOS (and Windows/
OS/2) environment.
To put the security capability into a better perspective, an
apt analogy for Protect! EXE/COM would be to an automotive anti-
theft device. The anti-theft device helps deter thieves from
breaking in (most thieves just get the next car over) and also
makes it difficult once they try to get in to drive the car off.
Yet, it is entirely possible for the best of professional thieves
to disable the device (yes, I know somebody who had his car
stolen even with "the Club"), but 99% find another car and won't
go to those lengths. As far as Protect! is concerned, it is just
about the best, least-intrusive, anti-hacking software solution
(just read the documentation files written by some of the hackers
of previous versions of Protect! -- many admit that Protect! was
quite a challenge to break through). Protect! may not be 100%
fool-proof, but it has evolved quite significantly after some
"cat-and-mouse" and it stands before you as the best lock to
prevent people from breaking in to your programs.
Technical Notes
---------------
First of all, thank you to everyone who contributed anti-
debug ideas for this version of Protect. All these new ideas have
helped make Protect! more secure and faster. I have again
rewritten the "mutation engine" (now it is much more random-
looking). There are a few techniques such as prefetch queue
tricks (trying to write to a memory location stored in a
processor's instruction prefetch area, which kills debuggers) and
using 386 debugging registers to kill debuggers like SoftIce that
I have not used because they are incompatible with some systems
(like OS/2 -- which really helped in writing Protect).
Protect! v5.5 adds about 1k to a file with an average-sized
modification error message. The mutation engine can vary the size
somewhat, and Protect! will usually be able to take a few hundred
bytes from the file header on EXE's. The encryption is no longer
anything closely resembling a simple-XOR sequence, and having a
string of constant bytes does not necessarily mean constant bytes
in the result file, with or without compression. The compression
is a simple derivative of the Lempel-Ziv algorithm, but it is
nothing compared to the complexity of the compression used in
PKLite. You may layer multiple copies of Protect! on top of each
other, but that will start to cause noticeable delays in loading.
Like v.4.0 and unlike versions before that, Protect! is
written entirely in assembly language, mostly with the A86
assembler. I write and test Protect! on both my 486 DX/2-66
running OS/2 and my not-yet-buried 4.77/10 MHz switchable "turbo"
XT. Protect! has been around for a while, with many people
pitching in ideas to make it more secure. If you have any
suggestions, questions, comments, etc. about Protect!, you can
easily contact me through Compuserve/Internet e-mail (my PGP 2.6
key is available upon request), or if nothing else, postal "snail
mail" and I am usually pretty open to your comments.
Compression Notes
-----------------
One of the improvements to this version of Protect! EXE/COM
is the integrated compression. By using a derivation of the
Lempel-Ziv compression algorithm, both EXE and COM files can
occupy less disk space in addition to being encrypted. One of the
biggest reasons for doing this is to make your files more
secure -- the images of popular code compressors like LZEXE,
PKLITE (R), and TinyProg are all well-known. It is easier for a
hacker or hacking program to trace for or into known code (like
LZEXE's decompressor) than for it to trace directly into the
program or into another layer of Protect. There is also something
to be said for reducing redundant expressions in the code, and
the new encryption algorithms in this version also help hide
redundancy.
You can opt not to attempt to compress a specific file by
putting a "-N" at the end of the command line. You may want to do
this if you are using another compressor with Protect!
(Protect!'s compression ratios may not be as good as those found
in dedicated compressors due to speed considerations). Also, if
you have an especially large file that is only compacted by a few
percent, you may want to turn the compression off to eliminate
some loading time overhead. If a file is too small to benefit from
compression or shrinks by less than 5%, it won't be used. For most
files, any compression overhead is unnoticeable, and in general,
leaving Protect! to try to compress files is the best idea.
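To make the compression policy concrete, here is an added example written for this page (not Protect!'s own compressor): a small greedy LZ77 coder and decoder, plus a choose_encoding() routine that applies the rules above, honouring -N, leaving tiny files alone, and keeping the original unless the result shrinks by at least 5%. The token format, the 64-byte "too small" threshold and the function names are my own; the page says only that Protect!'s compressor is a Lempel-Ziv derivative.

```python
MIN_GAIN = 0.05                 # "shrinks by less than 5%, it won't be used"
MIN_INPUT = 64                  # constructed threshold for "too small to benefit"
WINDOW = 4095                   # 12-bit back-reference distance
MIN_MATCH, MAX_MATCH = 3, 18    # 4-bit length field, biased by MIN_MATCH


def lz_compress(data: bytes) -> bytes:
    """Greedy LZ77. Output is groups of one flag byte followed by up to eight
    items; a clear flag bit means a literal byte, a set bit a 2-byte
    (distance << 4 | length - MIN_MATCH) back-reference, big-endian."""
    out = bytearray()
    i = 0
    while i < len(data):
        flags = 0
        items = bytearray()
        for bit in range(8):
            if i >= len(data):
                break
            best_len, best_dist = 0, 0
            for j in range(max(0, i - WINDOW), i):
                length = 0
                while (length < MAX_MATCH and i + length < len(data)
                       and data[j + length] == data[i + length]):
                    length += 1
                if length > best_len:
                    best_len, best_dist = length, i - j
            if best_len >= MIN_MATCH:
                flags |= 1 << bit
                items += ((best_dist << 4) | (best_len - MIN_MATCH)).to_bytes(2, "big")
                i += best_len
            else:
                items.append(data[i])
                i += 1
        out.append(flags)
        out += items
    return bytes(out)


def lz_decompress(comp: bytes) -> bytes:
    """Inverse of lz_compress; overlapping copies are handled byte by byte."""
    out = bytearray()
    pos = 0
    while pos < len(comp):
        flags = comp[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(comp):
                break
            if flags & (1 << bit):
                code = int.from_bytes(comp[pos:pos + 2], "big")
                pos += 2
                dist, length = code >> 4, (code & 0xF) + MIN_MATCH
                if dist == 0 or dist > len(out):
                    raise ValueError("corrupt back-reference")
                for _ in range(length):
                    out.append(out[-dist])
            else:
                out.append(comp[pos])
                pos += 1
    return bytes(out)


def choose_encoding(data: bytes, allow_compression: bool = True) -> tuple:
    """Return (payload, used_compression) under the documented policy:
    honour -N, skip tiny inputs, and keep the original unless it shrinks
    by at least MIN_GAIN."""
    if not allow_compression or len(data) < MIN_INPUT:
        return data, False
    comp = lz_compress(data)
    if len(comp) > len(data) * (1 - MIN_GAIN):
        return data, False
    return comp, True
```

Run on a file that is already packed (or on 256 distinct bytes, which contain no repeated 3-byte run) the coder only adds flag bytes, and choose_encoding() keeps the original, which is the situation the -N switch lets you skip up front.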
What's The Mutation Engine?
---------------------------
A portion of Protect! EXE/COM that is largely responsible
for keeping people from making master unProtect programs is the
"mutation engine." It is basically the "front door" that keeps
master unProtects out.
Many utilities that attach an envelope to an EXE (such
as LZEXE or other file compression utilities) produce the same
envelope every time. That is why UNLZEXE or generic unprotect-type
utilities are pretty easy to make. When an unprotection utility
(such as UNP) unprotects a file, it creates a virtual-DOS
environment for the file to run in until the file finishes
decrypting itself. When it is done decrypting itself, the
unprotect utility simply writes what's in memory to disk and you
have your unprotected file (not that difficult, right?). The
program may use a different key every time and even encrypt
itself, but all the unprotect program has to do is just trace
through that until it gets to the original entry point, and all
of that is for naught.
One of the tricks for foiling unprotection utilities and
debuggers lies in the fact that the unprotector must always have
control over the Protected program in order to stop it when it is
decrypted in memory. If you remove the unprotector's control and
subvert it without harming the operating system or other
concurrently-running applications, you are one step ahead in
protecting your programs. However, an unprotect program author
can just instruct his utility to detect the type of file and
blank out the bytes that would kill it when it gets to them. This
would result in a high-tech cat-and-mouse game.
The reason that it isn't too difficult to make normal
unprotects stems from the fact that the protector's security
envelope is the *same every time*. I coded a mutation engine for
Protect! to make sure that the security envelopes wouldn't be the
same every single time a new one is encoded. Instead of being
able to "trace in" a definite number of bytes every time and
being able to blank out a certain number of bytes every time,
these figures will have to vary between each and every different
file that is Protected. If you take one original file and Protect it
on several different occasions, it will never be the same length
or have the same content every time (there are thousands and
thousands of different combinations). My mutation engine randomly
decides which machine code instructions to use every time: it may
use a 3- or 4-byte equivalent of a 2-byte instruction or vice
versa in any order that works. Because there are definite rules
for this mutation, it will work every time. Since the mutated
portion is relatively small (but effective), an extra byte or two
in a spot will not adversely affect the performance of your
Protected files. Garbage code and other distractions make it even
more difficult for a hacker to write a master unProtect. Protect!
uses both a mutation engine and a variety of anti-debug tricks
interspersed throughout to help attain maximum security for your
files.
Closing
-------
There is no doubt that Protect! EXE/COM can save you time,
effort, energy, and money in securing your files. There are NO
"run-time fees" or royalties for Protect! EXE/COM; you can
Protect and distribute any number of files (legally, that is)
once you register. The cost is $25 per copy of Protect! EXE/COM
per machine. The registered version will allow you to specify
your own modification error messages and comes without the "beg
screen." Protect! EXE/COM is not "crippleware," so you are
basically on your honor to register before you distribute
Protected files.
There is a definite threat of hackers and viruses on the
loose and it is your responsibility to protect your programs.
What other utilities try, Protect! does. With powerful
encryption, compression, anti-debugging, and modification-
detection abilities, Protect! EXE/COM has the ability to provide
your programs solid protection.
Thank you for evaluating Protect! EXE/COM!
Address
-------
Jeremy Lilley
Protect! EXE/COM
2711 Oak View Circle
Medford, Oregon 97504
Compuserve: 75060,2074
Internet: 75060.2074@compuserve.com