Thanks
Olivier Gilloire
Olivier Gilloire wrote:
> Do you know about a good x86 disassembler, supporting 32 bit and 16 bit code?
>
You want to go to simtel.net and find a program called IDA. It is a very
good interactive disassembler and will fulfill most of your disassembly needs.
This is a freeware version of a commercial package; the commercial
package is even better! There have been hints that this is the year they work
on decompiling C code; guess we'll see how it goes...
David
> Thanks
> Olivier Gilloire
--
---------------------------------------------------------------
David Lindauer mailto:cam...@bluegrass.net ICQ: 8699592
http://www.geocities.com/Area51/Station/5196/index.html (home page)
http://www.geocities.com/Area51/Station/5196/ttc.html (tao te ching)
http://www.geocities.com/Area51/Station/5196/treasure.html (computer page)
some people say he's a dreamer, but he's not the only one.
- John Lennon
On 5 Mar 1998, Olivier Gilloire wrote:
> Do you know about a good x86 disassembler, supporting 32 bit and 16 bit code?
Well, depends. If the source code and an example are enough, then go to
http://www.mpoli.fi/files and do a search for 'ddasm11'. It's table
driven (currently disassembles all[?] instructions of the Pentium II), and a bit
messy. If you find it useful I can make a bit cleaner API for it (the
code is actually "based" on one other disassembler [which was written in
C] and I've just "converted" it into asm - and fixed some bugs).
>
> Thanks
> Olivier Gilloire
>
Sami Kantoluoto <tst...@omega.iwn.fi>
a.k.a. -tstrike/dawn-
Olivier Gilloire wrote:
> Do you know about a good x86 disassembler, supporting 32 bit and 16 bit code?
IDA, NDISASM
Later!
Alex
There are millions of them out there. I made one myself.
Mail me and I'll send it to you (100% 16/32-bit asm source + binary).
Jax
> "Olivier Gilloire" <ogil...@sysenhance.com> wrote:
> >
> > Do you know about a good x86 disassembler, supporting 32 bit and 16 bit code?
> There are millions of them out there. I made one myself.
> Mail me and I'll send it to you (100% 16/32-bit asm source + binary).
May I have a copy of this disassembler?
Thank you for your time,
--
Dave Poirier [ ekst...@sprint.ca ]
Oxygen: a research in exokernel development!
[http://www.geocities.com/ResearchTriangle/Lab/1063/]
>Do you know about a good x86 disassembler, supporting 32 bit and 16 bit code?
>
>Thanks
>Olivier Gilloire
>
Try IDA, the best I have ever seen.
Its homepage is www.datarescue.com.
erhan
... MainLine Consulting (Main...@ciebergate.net)
>It's neat,
>quick, and pretty smart!
If your code is Windows oriented :)
W32Dasm is sure great for Windows disassembly, but the only time I use
it is when I'm cracking software; otherwise I'll simply use WinIce, IDA
and Sourcer.
But it makes a hash-up of DOS programs and binary executables, isn't
multi-processor like IDA, doesn't disassemble Java like IDA [I used this
to crack Simpson's key file system], and the disassembled listing can't
be reassembled like Sourcer's can.
--
UNIX - Saving you from the Gates of Hell.
>But it makes a hash-up of DOS programs, and binary executables, isn't
>multi-processor like IDA, doesn't disassemble Java like IDA [I used this
>to crack Simpson's key file system], and the disassembled listing can't
I'd like to say a word about this. Cracking only hurts small and (eventually)
innovative software developers. Big fish don't care at all. Why? Because
standards or widespread software will most of the time be used in accordance
with the license terms by big corporations.
I'll give a few examples: we sell an anti-virus program that is also
available freely for private users on the internet. Corporations license it
by the tens of thousands (in Belgium) and millions (worldwide) simply
because the license agreement says they should.
We also publish IDA Pro. We know perfectly well that there are several
"cracks" available for our demos, a real crack, some leaked keys, and simply
the full executable sets on warez sites. We could easily break the cracks at
each new release (and we modify the program at least once a month) but the
only ones who'd suffer would be our legitimate users. That's why we have
left it roughly as it was. This becomes problematic when we release a new
evaluation version: at this moment, we are simply swamped by hundreds of
downloads per day on each of our sites. 1 gigabyte a day of bandwidth on
multiple sites is hard to sustain for a small software developer, as some of
you probably know. At that point, bandwidth or the lack of it also becomes
an issue for our registered customers.
The net result of this is that now our evaluation version isn't readily
available anymore and will be even more restricted in the future, if available
at all. We released a freeware version partly because we knew students could
not necessarily afford the full version and also in the hope that it would lure
some of our heavy downloaders away...
Now, a more personal story: a few persons bought IDA Pro and then came
back to us with a detailed account of how they had broken the demo version.
But they had bought the full version! Idiots, you probably think. Well, not at all.
As a matter of fact, some of these people are among the most informed and
helpful posters here. They are the clever people with the clever attitude, and
it is because they have that attitude that they have reached their current
level of competence.
If you want to crack software, well, do it (although a disassembler is best used
to learn, to correct existing problems or to retrieve lost source), but support the
software you use if you don't want to see it disappear. Think twice about
releasing your cracks.
Register WDASM, buy Sourcer, buy Soft-Ice, buy IDA Pro, or if you don't have
money, use the freeware version - it is not limited in any way! I would rather
see people buy Sourcer or register WDASM than be satisfied with a cracked
demo. All these products are good products and deserve your support if you use
them regularly.
Do the same for the other pieces of software you use: gentlemen,
- support their authors
- use freeware alternatives
- or hack your own solution.
Sorry for my ranting; the free version of IDA is located at
http://www.simtel.net/pub/simtelnet/msdos/disasm/ida37fw.zip
---
Pierre Vandevenne, MD - http://www.datarescue.com
IDA Pro 3.74 - now with regexp, arm710a and TMS320C6 support.
WDASM is good, but no one disassembler will do everything for you.
I suggest a combination of using the latest version of Sourcer and the
excellent W32dasm by UR Software Co. IDA is probably the best all
around package out there, and I use a combination of all three to
completely disassemble any asm86 code.
cheers, jimfuller
Have done so already (apart from IDA Pro, which I plan to purchase
soon). I crack to gain knowledge about how the protections work, not to
get free registered programs, which I could get from any warez site. I
crack because I enjoy wandering around in someone's assembly code with
SoftICE :)
Whilst I unilaterally disapprove of distributing .COM cracks that any
scum can pick up and use without knowledge, I have written, and will
continue to write, essays and tutorials on cracking, assembly language
and other similar things, because it's good to know about these things.
Today's crackers are tomorrow's protectionists. A protectionist who has
never cracked a program writes lame protections, encouraging more
cracking.
For examples of this style of cracking (reverse-engineering) visit
http://fravia.org - there are no cracks, and no warez, just essays and
information.
Don't equate cracking with piracy automatically.
Any mindless fool can be a WaReZ d00d.
Cracking >is< piracy when it means .COM cracks intended to rob authors
of their money and other massly-available things. But otherwise, it's
not. Would such a 'lamer' really download SoftICE et al to follow
through a cracking essay, which mainly only highlights a few brief
points?
I think not. Code is under the control of the user; there is nothing you
can do to limit this. You can use legal measures to prevent the
malicious use of someone's reverse-engineering skills, but you should
never ever try to brand all crackers as evil.
BTW: I 'cracked' Simpson to learn how the Java keyfile was implemented.
I'm a protectionist too :)
Better yet, make your employer/clients buy them for you.
> Do the same for the other pieces of software you use : gentlemen
> - support their authors
> - use freeware alternatives
> - or hack your own solution.
Not at all idealistic in this 'dog eat small children' world of
ours......
> Sorry for my ranting, the free version of IDA is located at
You have every right to rant; you sell a lovely bit of code and should
profit from the fruit of your labours.
(Had to reverse the agroengines, please no scenty flamethrowing.)
The only problem is that the chaotic nature of the medium creates a
chaotic marketplace with a heavy dose of ducking and diving going on. I
will honestly tell you it makes me feel good (though I do not do this
anymore, I just make clients pay for it) to use software without paying
for it. Why? Well, I believe it's human nature. It's especially human
nature if a bit of software makes something/a task that would be 10 hours
into 15 minutes, or generally saves your hide at the right moment.
If there is no 'locked doors' analogy that keeps most people from using
software illegally, what will stop them (let's face it, existing systems
need to be better)? What is very fearful is the legal timebomb that is
at this moment ticking with all this illegal software (legal orgs
worldwide are trying to cash in and will figure out a way, which could
be quite detrimental to the economic wellbeing of a few countries).
The one thing I disagree with is that the big boys are on the up and up.
From experience I have systematically witnessed under-reporting of
implemented software, and very loose auditing procedures, if any at all.
cheers, jimfuller
>> Do the same for the other pieces of software you use : gentlemen
>
>> - support their authors
>> - use freeware alternatives
>> - or hack your own solution.
>
>not at all idealistic in this 'dog eat small children' world of
>ours......
Well, I said "Gentlemen..."
>you have every right to rant, you sell a lovely bit of code and should
>profit from the fruit of your labours.
Thanks. Financial reward isn't really a problem. Hundreds of mentally impaired
would-be crackers using hotmail addresses to ask idiotic questions are...
>will honestly tell you it makes me feel good ( though i do not do this
>anymore i just make clients pay for it ) to use software without paying
>for it why ?
>well i believe its human nature. ITs especially human
>nature if a bit of software makes something/task that would be 10 hours
>into 15 minutes; or generally save your hide at the right moment.
I did not see a real answer to "why" here. :)
>if there is no 'locked doors' analogy that keeps most people from using
>software illegally what will stop them ( lets face it existing systems
>need to be better )?
No, they don't. Because good protection schemes are usually an inconvenience
for the users.
>What is very fearful is the legal timebomb that is
>at this moment ticking with all this illegal software ( legal orgs
>worldwide are trying to cash in and will figure out a way; which could
>be quite detrimental to the economic wellbeing of a few countries ).
We don't need copy protection. If you think of it, our program isn't copy
protected. There is just a limited demo available. We don't need to learn
how to make better copy protections because we will not use them. We
don't feel guilty about "a few countries" because we provide an advanced
free version.
>the one thing i disagree with is that the big boys are on the up and up.
>from experience i have systematically witnessed under reporting of
>implemented software, and very loose auditing procedures if any at all.
A good number of them are honest. I can see both sides because we
distribute a "generic" software as well.
But maybe the whole discussion is a bit out of place here...
---
Pierre Vandevenne, MD - http://www.datarescue.com
IDA Pro 3.74 - the same plus ARM710a support, TMS320C6x...
Very very soon : FLIRT for Pascal 6,7 and Delphi 3.
Very soon : DBG support. Soon ...
>Have done so already (apart from IDA Pro, which I plan to purchase
>soon). I crack to gain knowledge about how the protections work, not to
Feel free to do so, although it is not the point I was trying to make.
>continue to write essays and tutorials on cracking, assembly language
>and other similar things, because it's good to know about these things.
I agree that knowledge is a good thing.
>Today's crackers are tomorrow's protectionists. A protectionist who has
>never cracked a program writes lame protections, encouraging more
>cracking.
I disagree here. Copy protection is a _big market_ (see the size of their ads)
where awful stuff is sold through truckloads of marketing. You know as
well as I do, and probably better, that some protections are sold with a
varnish of complexity that doesn't even resist a reversed jump. People
employed there just don't give a damn. Marketing sells bad protections, just as
it sells poor operating systems or bloated word processors.
I once got a call from one of those guys and he asked me _if_ our stuff
could be used against theirs. Does that give you a hint of the competence
level found out there?
>For examples of this style of cracking (reverse-engineering) visit
>http://fravia.org - there are no cracks, and no warez, just essays and
>information.
I've heard of this place, yes... I even had a look at some tutorials <g>
>Don't equate cracking with piracy automatically.
I don't.
>not. Would such a 'lamer' really download SoftICE et al to follow
>through a cracking essay, which mainly only highlights a few brief
>points?
You would be surprised at the questions I get from some of our evaluators.
"Do I need a ZIP Netscape plugin to use your demo ?" is my favourite.
>malicious use of someone's reverse-engineering skills, but you should
>never ever try to brand all crackers as evil.
I don't. I've looked at protections myself. But I buy the software I use.
Heck, I even bought System Commander.
> Today's crackers are tomorrow's protectionists. A protectionist who has
> never cracked a program writes lame protections, encouraging more
> cracking.
> For examples of this style of cracking (reverse-engineering) visit
> http://fravia.org - there are no cracks, and no warez, just essays and
> information.
There seems to be something like a "feud" between different factions
of the crackers. While there are many people looking up to fravia's page,
there are many of the "warez-crackers" who are, when it comes to skill,
on a higher level than many on fravia's (with exceptions, of course).
Many of the .com-crackers don't like fravia's and make fun of it all the time,
and many of them have been cracking for 4-8 years (!). I do not think that
they'll ever take the role of protectionists.
> I think not. Code is under the control of the user; there is nothing you
> can do to limit this. You can use legal measures to prevent the
> malicious use of someone's reverse-engineering skills, but you should
> never ever try to brand all crackers as evil.
Well, cracking for the fun of it is certainly nice and a good thing to do.
I myself discovered that cracking of really old DOS programs
("Abandonware") can provide you with hours and hours of fun & enlightenment ;-)
The spreading of essays on pages like fravia's doesn't really hurt the
industry either (IMO), since many people (me included) BUY programs if
they really need them.
What really hurts are "cracking groups" (I am not talking about UCF now ;-)
which have an incredible competition about who's to release the most
cracks. I have seen groups boasting about releasing 20+ cracks A DAY.
These are people who don't crack to learn (my opinion, not based on facts)
but just to show off, and they are the ones that hurt the industry...
Well, it is not an easy topic. I like IDA for giving me a lot of insight
into foreign code (I am using the freeware version), and I am going to
buy it once I earn enough money (I AM a poor student, but still I will
buy it :-).
Andrew Matson
(Sorry for the uselessness of this posting)
> There seems to be something like a "feud" in between different factions
> of the crackers. While there are many people looking up to fravia's page,
> there are many of the "warez-crackers" who are, when it comes to skill,
> on a higher level than many on fravia's (with exceptions, of course)
>
> Many of the .com-crackers don't like fravias and make fun of it all the time,
> and many of them have been cracking for 4-8 years (!). I do not think that
> they'll ever take the role of protectionists.
Just a few of my opinions...
I believe the skills required of a (good) cracker and those required of a
(good) protectionist are quite different. While the cracker must know how to
follow the exact path of execution of a program, or at least modify the path
of execution, the protectionist must know how to make the job of tracing the
program and intercepting its functions fraught with difficulty.
Maybe someone should come out and write some good anti-reverse-engineering
hacks and issue a challenge to ORC+ to crack them. I'll be watching. :)
> Well, cracking for the fun of it is certainly nice and a good thing to do.
> I for myself discovered that cracking of really old DOS programs
> ("Abandonware") can provide you with hours and hours of fun & enlightment ;-)
>
> The spreading of essay's on pages like fravia's doesn't really hurt the
> industry either (IMO), since many people (me included) BUY programs if
> they really need it.
>
> What really hurts are "cracking groups" (I am not talking about UCF now ;-)
> which have an incredible competition about who's to release the most
> cracks. I have seen groups boasting about releasing 20+ cracks A DAY.
>
> These are people who don't crack to learn (my opinion, not based on facts)
> but just to show off, and they are the ones that hurt the industry...
Well, I suppose that should teach people to brush up their
anti-reverse-engineering skills. :) There is some software whose `defence'
mechanisms are so good that the only way to hack them is to go through a
back door (if they sealed their back door then the hacker will need to get
an In-Circuit Emulator...), but most software contains cracks that are too
easy to break. What a shame.
> Well, it is not an easy topic. I like IDA for giving me a lot of insight
> into foreign code ( I am using the freeware version ), and I am going to
> buy it once I earn enough money (I AM a poor student, but still I will
> buy it :-).
>
> Andrew Matson
> (Sorry for the uselessness of this posting)
Same here. :)
--
Chia Tee-Kiah < mailto:tee...@bigfoot.com >
http://wwp.mirabilis.com/8123598 http://teekiah.home.ml.org/
pgp -kvc: 1024/89d8686d 0f f4 b4 d9 2e 12 c7 b2 1a 85 bc 12 8f 54 77 f1
> >I believe the skills required of a (good) cracker and those required of a
> >(good) protectionist are quite different. While the cracker must know how to
> >follow the exact path of execution of a program, or at least modify the path
> >of execution, the protectionist must know how to make the job of tracing the
> >program and intercepting its functions fraught with difficulty.
>
> The main problem nowadays is that it is hardly possible to create an
> interesting copy protection under Windows. While DOS allowed
> interrupt-vector replacement etc., the only way of confusing a debugger
> under Win would be a VxD, which is a major pain to program.
> I don't think there will be a battle a lot longer. Crackers will crack weak
> protections; programmers will overbloat programs to make them too big to
> distribute.
Well, at least there's hope. :) Since a VxD runs in ring 0 (or so I heard), it
can practically turn the entire system upside down. And that provides an
opportunity for program protection.
Even for DOS, there are problems. The protection schemes I came across are
either pretty lame but work everywhere, or are extremely good but work only
in true real mode (i.e. no V86). It seems that V86 mode somehow messes things
up (e.g. the stack gets messed up whenever there's an interrupt). A possible
workaround would be to use VCPI to switch to true real mode, but this will not
work if the program is running in a (Windows or OS/2) DOS box.
As for overbloating programs, I don't think that's really a good idea,
especially for shareware writers who want their masterpieces to be distributed
as widely as possible.
> >Maybe someone should come out and write some good anti-reverse-engineering
> >hacks and issue a challenge to ORC+ to crack them. I'll be watching. :)
>
> ORC+ has retired years ago :-)
Oops. I didn't know that.
> The people you should be challenging are on the "bad" side of cracking.
> This is one thing that disturbs me most: except for Quine, Natzgul and
> Razzia on fravia's page, there are hardly any GREAT crackers. The great
> crackers are those guys in UCF and a few of the Razor1911 crackers,
> BeoWulf for example.
> UCF are really amazing, they crank out key generators and emulate dongles at a
> speed and quality that makes you dizzy.
>
> It is strange that the quality on fravia's is significantly lower than the
> methods the "bad guys" use.
This makes me wonder... why don't these `bad guys' put up their own web page of
essays and stuff? Maybe it's because there's competition... if they release
their secrets, other hacking groups will have an edge over them...
Actually, I'd like to issue the challenges myself, but I haven't written any
good anti-reverse-engineering stuff yet. I may come up with something once I
manage to set up my home page...
> >Well, I suppose that should teach people to brush up their anti-reverse-
> >-engineering skills. :) There are some software whose `defence'
> >mechanisms are so good that the only way to hack them is to go through a
> >back door (if they sealed their back door then the hacker will need to get
> >an In-Circuit Emulator...), but most software contain cracks that are too
> >easy to break. What a shame.
>
> I don't know, but the problems are in my opinion:
> a) Programmers who don't know Assembler. It is frightening, they will
> never be able to write a decent protection
> b) Baaad commercial products. I have yet to see a truly hard to crack
> commercial protection. Even if it is good, it has an API which makes
> it easy to crack again...
Surprisingly, the best copy protection methods I've seen are commercial.
There's one whose protection is so good that it would be unbreakable (except
perhaps by using an ICE), if the author had not forgotten to clean up the
code segment just before calling the int 0x40 I've hooked...
> The problem is that there are many wanna-be crackers who can't crack
> harder targets and then go on to crack the small shareware, whose Authors
> get hurt badly... I used to crack myself (even "bad" cracking), but have
> retired to writing trainers for DOS-Abandonware...
So it looks like the next logical thing to do would be to write a VxD or
similar for program protection, to help these poor shareware writers.
Unfortunately, I'm not into Windows programming, so this sacred task will
probably have to be handled by someone else...
This is getting exciting... :)
> >Even for DOS, there are problems. The protection schemes I came across are
> >either pretty lame but work everywhere, or are extremely good but work only
> >in true real mode (i.e. no V86). It seems that V86 mode somehow messes things
> >up (e.g. the stack gets messed up whenever there's an interrupt). A possible
> >workaround would be to use VCPI to switch to true real mode, but this will not
> >work if the program is running in a (Windows or OS/2) DOS box.
>
> You could hook ints under DOS, you could detect & purge SoftICE under DOS
> etc...
> There are many possibilities.
>
> >As for overbloating programs, I don't think that's really a good idea,
> >especially for shareware writers who want their masterpieces to be distributed
> >as widely as possible.
> Yep, you're right when it comes to this one. But bandwidth is still the
> only thing that will keep people from pirating... :-/
:)
> >This makes me wonder... why don't these `bad guys' put up their own web
> >page of essays and stuff? Maybe it's because there's competition... if
> >they release their secrets, other hacking groups will have an edge over them...
>
> Many of them spread the knowledge INSIDE their groups and don't want "Lamers"
> to have access to it. So once you're in UCF, they'll answer your
> questions... but you have to get there...
>
> Stone/UCF has a (good) Page at http://www.one.se/~stone
Looks interesting...
> >Actually, I'd like to issue the challenges myself, but I haven't written any
> >good anti-reverse-engineering stuff yet. I may come up with something once I
> >manage to set up my home page...
>
> I would be interested in helping/participating with that... I was going to read
> up on VxDs anyways ...
Well, I was thinking about DOS... As I said, I'm not familiar with Windows
programming, but I can definitely write something for DOS (although I don't know
how many people will be able to crack it).
> >Surprisingly, the best copy protection methods I've seen are commercial.
> >There's one whose protection is so good that it would be unbreakable (except
> >perhaps by using an ICE), if the author had not forgotten to clean up the
> >code segment just before calling the int 0x40 I've hooked...
>
> Which one was that ?
It's called lock89 (although I can't remember where you can find it). Anyway,
the program used quite a lot of really weird tricks. It has several layers of
encryption (a chunk of code that just got decrypted is used to decrypt yet
another chunk), it messes up the _entire_ interrupt vector table (not only
crucial entries like int 0x01, int 0x03, int 0x13, int 0x40, etc.), it wraps
around the 1M boundary to access the interrupt vector table (0xfe2c:something),
it performs all kinds of weird transformations on its data, and it even uses
sp as a scratch register. I tried to emulate each and every instruction by
writing them as C code, but after peeling a few layers of encryption I somehow
made a mistake (the decrypted code looked like garbage), and I gave up there.
> >So it looks like the next logical thing to do would be to write a VxD or
> >similar for program protection, to help these poor shareware writers.
> >Unfortunately, I'm not into Windows programming, so this sacred task will
> >probably have to be handled by someone else...
>
> I guess a tough VxD protection would be good. Throw in some file accessing
> and the usual crap, and make the crackers pay for their crack :-)
> If you challenge that protection, though, it will be cracked within 3 weeks at
> most ... :-)
> Well, I would be interested in writing one. My programming skills are
> unfortunately pure Assembler, with a working knowledge of ANSI C and no
> clue about C++.... so if you're interested in working on a VxD thing
> together, let me know :-)
I may try my hand at VxDs once I get something working under DOS. :)
However, +ORC has also said that both good crackers and good
protectionists are trained in historical code. A good cracker should be
aware of the tricks that are used by protectionists and variations upon
those themes, and a good protectionist should be aware of the tricks
that are used by crackers. The whole idea of protection is not to defeat
the cracker, because if the CPU can run it a cracker can crack it, but
to make life sufficiently hard that 99% of the lame .COM crackers will
clear off to find an easier target. This means knowing the tricks that
these sorts of crackers use, and subverting them.
The reason why everything is so easy to crack these days is twofold.
Firstly, Microsloth, in their infinite wisdom, have forced
protectionists to go VxD to implement Pretty Good Protection(TM) in
Win32 apps. This means that people wanting to implement PGP will need to
get a DDK and write some serious assembler. Painful.
<Sweeping generalisation>
Secondly, protection exists for ONE reason. To make money.
Protectionists are naturally very lazy people; they simply want to stop
piracy. They don't actually care about how they stop it, they just want
to stop it. This leads to weak protection systems, simply to stop the
casual piracy.
</Sweeping generalisation>
>Maybe someone should come out and write some good anti-reverse-engineering
>hacks and issue a challenge to ORC+ to crack them. I'll be watching. :)
^^^^
+ORC - his students are <Student>+ :)
Have you ever seen a HackMe/CrackMe?
Solar Designer's Emulated Solar CPU is extremely tough to crack, because
it both uses a strong encryption algorithm to hide a password, and an
'emulated' x86 CPU to make debugging *extremely* hard.
>
>Well, I suppose that should teach people to brush up their anti-reverse-
>-engineering skills. :)
You can't be anti-something without knowing what that something is. So
get reverse-engineering first, then figure out how to stop yourself :)
> There are some software whose `defence'
>mechanisms are so good that the only way to hack them is to go through a
>back door (if they sealed their back door then the hacker will need to get
>an In-Circuit Emulator...),
'Back door'? Huh?
Practically all software has a 'back door' in some way or another - the
biggest one of these is dynamic linking. This is why cracking Delphi
apps gets so infuriating when using SoftICE - your breakpoints don't
fire, because the EXE is statically linked.
> but most software contain cracks that are too
>easy to break. What a shame.
Can you say 'virtual processor'?
I have felled a couple of 'tough' protection schemes on my DEC Alpha,
using FX!32 and other software to emulate an x86, and capture memory
snapshots, disassemble etc., at various points throughout the software.
To the application, it looks as if nothing is happening, but it is in fact
running in an emulated CPU being highly scrutinised. The HASP dongle
protection system reroutes interrupts, uses SMC and other devices, but
is useless when running in an emulated CPU. The same tactic is also used
to strip EXE and COM files of envelope protection - CUP386, GTR, TEU et
al use this 'emulated CPU' technique. The only problem with such
programs is that they are all buggy and can all be detected in some way:
for example, TEU and UPC leave signatures on the INT 21 vector that can
be scanned for.
As I said before, if the CPU can run it, it can be cracked. If an image
appears in memory, there is ALWAYS a way to extract that image and
reassemble it to make up the original protected application.