ZX Review #3-4
22 July 1997

Reader to reader - V. Sirotkin. Protecting programs (a look at the problem).

   Editor's note: the article below was written by the author quite some 
time ago and therefore does not reflect the most recent advances in 
installing and removing protections. Nevertheless, as we see it, it will be 
very useful to novice programmers and hackers.


   We will gladly give space in the magazine to a description of the latest 
advances in this area.



         V. Sirotkin.

       PROTECTING PROGRAMS

    (A look at the problem).



   A necessary digression...

   I hasten to warn that the author has always been, and always will be, 
against every kind of protection, software and hardware alike. Any 
"pretty good" protection is sooner or later broken, and the "cooler" it 
is, the stronger the hacker's desire to remove it.

   In general, protecting a large and long program for the Spectrum 
reliably is virtually impossible. You can, of course, pile up mountains 
of protection, but the more complex the protection, the more memory it 
takes away from the parent program. And even then, breaking the 
protection is only a matter of time.

   Yes, programs need to be protected, but not by hardware or software 
means: LEGALLY!


            *


   But since programs are protected, and will long continue to be 
protected, by all sorts of software and hardware techniques, let us see 
how this can be done.

   Essentially, all means of protecting information can be divided into 
3 categories, which are closely interrelated and interact with one 
another.


   Protective measures are divided into:

   1. Organizational (this includes legal, economic and administrative 
measures).

   2. Software (encoding, code that changes itself dynamically, hidden 
jumps, non-standard formatting, etc.).

   3. Hardware (special access boards, secure ULA-type chips, the newest 
circuit designs).

   The first kind of protection is still in its infancy in our country, 
although in the West it is decisive in the programming business.

   The second and third kinds are inextricably linked and currently 
dominate in the protection of Spectrum programs.

   Let us dwell briefly on hardware protection.

   The Spectrum computer itself was originally a "black box" to 
outsiders because of the ULA chip on the motherboard. This protection was 
successful, and for a long time nobody could fully "crack" the 
circuitry hidden inside that chip.

   Now, when more than a dozen versions of the Spectrum are "walking" 
around the country, compatibility with the prototype, and hence with its 
software, is determined simply by how well the hardware circuit built 
from discrete elements replaces the ULA IC.

   The developers of the "ATM-TURBO" computer went the same way: its 
important components are built on chips with custom-programmed logic that 
cannot be read out by conventional methods (so-called FPGA chips).


   Such protection is broken in the end, but it does its job: for some 
time the development remains out of reach of pirates and brings its author 
money and moral profit.

   In this article we will mainly be interested in software protection.

   The mechanism for protecting software can be reduced to the following 
items:
 1. A block protecting against "cracking".
 2. A copy-protection block.
 3. A block responding to "cracking" or illegal copying.

   1. The block protecting against "cracking" comprises a huge number of 
methods and techniques that have been applied, successfully or 
unsuccessfully, in programs for the Spectrum.


   These include custom tape loaders, encryption, the use of undocumented 
processor instructions, self-generating executable code, working in 
interrupt mode 2, controlling the run time of individual pieces, and much 
more.


   The whole point of this protection comes down to not letting the hacker 
quickly get at the main module of the program, to confusing him, and to 
denying him the possibility of using all sorts of monitors, debuggers and 
tracers on it.

   Numerous articles and books have been written on this subject, and we 
will consider only some of the principles of typical protections, 
knowledge of which will be useful for beginning programmers.



            Encryption.


   This is, in general, a topic for a thick book. Basically, software 
encryption is built on the principle of "XORing" (the XOR instruction).

   A piece of the program is taken and XORed either with one and the same 
value, or with the value of register R, or with a value obtained as the 
result of arithmetic and logical operations. In some programs one part is 
XORed with another part.

   But encryption can be done not only with the XOR instruction. You can 
also encode using arithmetic and logical instructions, shifts and 
rotations.


   A typical case of "cool" XORing is the following example, taken from 
one program.

; Disassembly listing of the decoder module.

START   DI              ; disable interrupts
        LD A,0          ; zero A
        LD HL,DECODE+1  ; load the starting address of the
                        ; encrypted module (the DJNZ offset byte)
        LD BC,#64       ; length of the encoded block
                        ; (B, the high byte, is what DJNZ counts)
        LD R,A          ; write the value into register R
        LD A,R          ; and immediately read it back
        IM 2            ; interrupt mode 2

(This is, firstly, misleading; secondly, it takes part in forming 
register R; thirdly, it can hang a debugger's tracing; and fourthly, the 
first instruction of the decoded block can be EI, after which the program 
will immediately go off into the interrupt handler.)

ADRES   XOR #71         ; decode, first pass (loop target of DJNZ)
        XOR (HL)        ; decode, second pass, with the byte at HL
        LD (HL),A       ; and write the result back to memory
        INC HL          ; advance the address within
                        ; the block being decoded
DECODE  DJNZ ADRES      ; loop back while the whole
                        ; block is not yet decoded
                        ; the encrypted block follows here

   At a cursory glance at the listing you cannot see what the "cool" 
catch is. But the point is that the address first loaded into register 
HL points at the offset byte of the DJNZ instruction. Decoding starts 
precisely from this value.

   What does this give?

   It means that the decoding loop is closed on itself and its bounds are 
unknown. Because register R is used to form the primary key of the 
decoder, the decoder's work cannot be traced in single-step mode. A 
breakpoint cannot be set either, since it would alter the decoder or 
knock the value in register R.

   Copying this piece out to work it through completely is not a 
solution either: what the first instruction there is, is unknown! The 
only thing you can do in this situation for "cracking" is...

   Well, to rack your own brains.

   This program can also be used both as a decoder and as an encoder at 
different times.

   And if there are many such modules in the program, and they encrypt 
and decrypt not only the parent module but also each other, then we can 
say with certainty: the hacker will not win by tracing.
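As an added illustration (not code from the article), here is a Python model of the decoder's data path: A starts at whatever LD A,R returned (taken as a parameter, since its value is an assumption here), and each byte is decoded as A = A XOR #71 XOR byte, with the result both stored and carried into the next step. It models only the byte transformation, not the self-modifying DJNZ offset, and shows what a wrong key does to the output.

```python
KEY_CONST = 0x71   # the constant XORed in by "XOR #71"


def decode(block: bytes, key: int) -> bytes:
    """Model of the loop XOR #71 / XOR (HL) / LD (HL),A / INC HL / DJNZ.

    `key` is whatever LD A,R left in A (its value is a parameter here).
    A is never reloaded, so each decoded byte feeds into the next one.
    """
    a, out = key & 0xFF, bytearray()
    for byte in block:
        a = a ^ KEY_CONST ^ byte      # XOR #71 ; XOR (HL)
        out.append(a)                 # LD (HL),A ; A carried into next step
    return bytes(out)


def encode(plain: bytes, key: int) -> bytes:
    """Inverse transform, used here to build a block the loop can decode."""
    prev, out = key & 0xFF, bytearray()
    for p in plain:
        out.append(p ^ prev ^ KEY_CONST)
        prev = p                      # feedback is the *decoded* byte
    return bytes(out)


def key_delta(block: bytes, key: int, wrong_key: int) -> set:
    """XOR differences between a correct-key and a wrong-key decode.

    Only A's start value depends on the key, so a wrong key shifts every
    output byte by the same constant key ^ wrong_key: the key hides the
    bytes, but not their relation to one another.
    """
    good, bad = decode(block, key), decode(block, wrong_key)
    return {g ^ b for g, b in zip(good, bad)}


# Constructed sample: a tiny module whose first instruction is EI (#FB),
# the case the article mentions, followed by LD HL,#4000 / LD A,7 / RET.
SAMPLE_PLAIN = bytes([0xFB, 0x21, 0x00, 0x40, 0x3E, 0x07, 0xC9])
SAMPLE_KEY = 2                         # assumed value obtained from LD A,R

if __name__ == "__main__":
    enc = encode(SAMPLE_PLAIN, SAMPLE_KEY)
    assert decode(enc, SAMPLE_KEY) == SAMPLE_PLAIN
    print("encoded:", enc.hex(), "wrong-key delta:", key_delta(enc, SAMPLE_KEY, 3))
```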


      Armor.


   This method involves JP and CALL instructions to dynamically modified 
addresses and self-generating executable chunks (for example, produced as 
the result of some arithmetic operations). It may also include working 
in interrupt mode 2, constant monitoring of particularly important pieces 
by checksum, and control of the execution time of individual modules 
(via register R).


   Hidden (implicit) jumps.


   Instead of the JP and CALL instructions you can use RET, RETN and 
RETI, having first placed the necessary addresses on the stack, obtained 
in some abstruse way. Or use non-standard entry points in the SOS or 
TR-DOS ROM where the instruction you need lies.


    The "Baba Yaga" technique, or running

        ahead of the locomotive.


   1. The stack is placed directly in the area of executable code, and 
the data stored on the stack is at the same time part of the generated 
code sequence.

   2. Each subroutine is allocated a small stack lying just beyond the 
subroutine itself, at higher addresses.

   The first way is used by a self-generating program which, while 
generating executable code, runs upward through the addresses, while 
behind it runs its stack, overwriting the modules already executed. The 
stack for the running code is generated by the module itself.

   Such a program can be said to be running ahead of the locomotive.

   The second way not only confuses the attacker but also gives good 
protection against the Magic button, because pressing it pushes onto the 
current subroutine's stack and erases code that is already running.


           Dummies.


   Including in the body of the program important-looking but never 
executed pieces that simulate the transfer of control.

   The body of the dummy should contain "important" subroutines of the 
"print", "access the drive", "decode" and similar types to attract the 
hacker's attention. Disassembling such dummies usually takes much time 
and distracts attention from the main module.

   It can be done differently. Include in the body of the dummy several 
critical key instructions with implicit jumps.

 NON-STANDARD compression.


   Typically, compression algorithms for Spectrum programs are based on 
counting identical bytes and writing, instead of the repeated run, the 
sequence "byte value + number of repetitions of this byte". But to 
confuse the hacker, create your own compression algorithm, different from 
the others. This may be packing 2 adjacent bytes into one, compression 
using special tables, etc. This also greatly reduces the speed at which 
the program can be cracked.


        WORKING ON THE SCREEN

        (in display RAM).


   This is the most widespread protection method for the Spectrum, and by 
and large this method is still relevant.

   Here there is wide scope for imagination: you can embed executable 
code in sprites, fonts, drawings.

   And when this image or sprite is displayed on the screen, pass control 
to the program lying there. This greatly complicates tracing the program 
with a debugger, if tracing remains possible at all.


   2. Copy protection.


   All the methods mentioned above are designed to protect the body of 
the program from cracking, but if these measures are combined with copy 
protection, the level of security of the program becomes much higher.

   Protection of tape programs from copying is usually built on changing 
the standard constants of the read or write signal.

   Among the most notable protections one can name: "jerking tone" (a 
floating signal rate), excessive module length, extra bytes after the 
parity byte, global change of the signal structure, turbo loading, 
loading backwards, and others...


   Without dwelling on tape protection (many books and pamphlets have 
been written about it), let us proceed directly to disk protection.

   The first protection works by distorting the information in the disk 
directory: the "file length in sectors" values of BASIC programs are 
distorted, and the data in the 8th sector of track zero is modified (the 
"number of files on the disk" byte, the "double-sided / single-sided 
disk" byte, the "start" bytes and the amount of free space).


   The whole directory is entangled so that a copier cannot correctly 
copy the selected program.

   An example of this is the program CLOSE. This program zeroes the 13th 
byte in BASIC headers, distorts the "start" and "free space" bytes on 
the disk, the disk type and the number of files on the disk. The name of 
the first file on the disk is also changed: a "non-printing" code is 
introduced into it.

   After such protection the program runs from the disk as usual, since 
the altered bytes are not involved in the startup process.


   This is a simple protection, but the TR-DOS "COPY" command or a copier 
of the MOA-SERVICE type can do nothing here. With such a disk you must 
either remove the protection or (what is easier) copy it with TRACK 
copiers.


             *


   The next protection method is the distortion of all the information 
in the directory. All service information in the headers is filled with 
zeros or false data.

   In this case a program named 'boot', which has a "correct" header, 
contains a table of all the "correct" headers on the disk. This program 
must be a loader (naturally, not in BASIC) that is able to load the 
programs' code blocks from the drive using the values in its internal 
table.

   It can be done differently: write a separate loader for each program 
in the form of a file. Remember the disk "coordinates" of these files 
(the length of the block, the number of the first sector and the starting 
track) and then distort / erase these coordinates in the directory.


   To call these loaders a parent program is needed which knows about 
the loaders and performs their reading and launching.

   Naturally, the loader must be encrypted and encoded, otherwise all of 
the above loses all meaning.


   But in this case a track-by-track copy of the entire disk reduces such 
protection to nothing!

   A logical continuation of the above method was placing the loader on 
the service tracks of the disk (cylinders 83-85) and / or in 
non-standard sectors (sector number greater than 16 and / or sector 
length <> 256 bytes).

   In this case the program does custom formatting, and this, as you 
know, works at the lowest level through the TR-DOS ROM.


   Disks with such protection cannot be copied by "normal" track copiers 
and are sufficiently protected for commercial distribution.

   From the hacker's point of view such a disk is copied fairly easily. 
Scan the format structure of all the tracks of the disk (for example, 
with "ADS" or through the VG93 command "READ WHOLE TRACK", #E0) and 
extract all the "wrong" sectors and tracks.

   Next, format a disk with the same format as the protected one, first 
copy the protected disk with a conventional track copier, then copy the 
"wrong" sectors and tracks over with TR-DOS functions (C=#05 reads a 
sector, C=#06 writes a sector).

   The highest software aerobatics in protection is the method of 
globally changing the formatting scheme.

   For example, bytes other than #4E are written in the "gaps". The 
length of the "gap" is changed. The sector type (that is, its length) is 
indicated by a byte greater than 3, which in principle indicates a sector 
size > 1024. The "disk side" and "track number" bytes also point "at the 
ceiling"...

   The loader program on the disk must examine these non-standard values 
and come to a conclusion: "is this disk native or not?"

   To copy such a disk you need to know not only the exact sector 
numbers, their length and their number per track, but the whole structure 
of the format in general.


   There is only one way out here: copy the format of each track bit by 
bit. Writing such a program is not so difficult; you only need to 
remember one thing:


  WHATEVER YOU CHANGE IN THE FORMAT,
   SOME BYTES AND THEIR SEQUENCE
       ARE

       MANDATORY!


   The mandatory bytes (as recorded) and their sequence (in order of 
succession) are:

#A1, #FE - the index address mark, followed by
     the data about the track and sector;
#A1, #FB - the data address mark.


   The conclusion here is simple and obvious ...

   Forgive me, those of you who protect your disks from copying: below I 
present a short algorithm for a universal all-format disk copier.


   1. Read the entire track into RAM with controller command #E0 through 
the TR-DOS subroutine #3FDB <#3FE5> (issue the command 4-5 times for 
reliability).

   2. From the IAM marks determine how many sectors are on the track, 
the length of the sectors and the sector numbers. Store the data obtained 
somewhere.

   3. Analyze and modify the read dump in software:
 a) bytes less than #F4 remain unchanged;
 b) if the byte is #A1, write #F5 in its place, and write the same at 
adrs-1 and adrs-2 of this place if the code at adrs+1 is #FE or #FB;
 c) if the byte is #FE, leave it;
 d) if the byte is #FB, leave it;
 e) in place of the sixth byte (counting from #A1, #FE) put #F7 (this is 
where the 2-byte checksum should be);
 f) after that simply skip the data area; the length of the area depends 
on the sector type, and the first byte after the data field is replaced 
by #F7 (the 2 bytes of checksum);
 g) go to "a)" and repeat until the end of the whole track dump.

    4. Now that our format dump is ready, write it to the proper track of 
another DISK with command #F4 through the TR-DOS routine #3FC0 <#3FCA> 
(repeat 4-5 times for reliable recording).
 - Analyze which sector numbers are indicated in the format, and how 
many.
 - Read the corresponding sectors of the disk being copied (this can 
even be done with a TR-DOS function, but only one sector at a time) into 
an allocated buffer in RAM.
 - Write the corresponding sectors from the RAM buffer to the disk with 
our format.
 - Repeat everything for the remaining tracks.



   It is expedient to set this program up for two disk drives, but it is 
possible with one (if you do not mind your hands aching for 3 minutes 
while changing disks in the drive).
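As an added example (not from the article), here is a Python model of the "native or not native" check and of step 2 of the copier algorithm: it parses a raw track dump of the shape the VG93 "READ WHOLE TRACK" command (#E0) returns, locates the mandatory #A1,#FE and #A1,#FB marks, verifies the two-byte checksums and reports whether the track has the standard TR-DOS layout of 16 sectors of 256 bytes. The track dump is constructed in the code; the checksum is the CRC-16/CCITT the WD1793 computes over the sync bytes and the mark.

```python
IDAM = b"\xA1\xA1\xA1\xFE"   # ID address mark: three sync bytes + #FE
DAM = b"\xA1\xA1\xA1\xFB"    # data address mark: three sync bytes + #FB


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT (poly #1021, MSB first, init #FFFF) as the WD1793 uses it."""
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_track(sector_numbers, size_code=1, track=0, side=0) -> bytes:
    """Construct a sample dump shaped like a READ TRACK (#E0) result."""
    out = bytearray(b"\x4E" * 32)                        # post-index gap
    for n in sector_numbers:
        idf = IDAM + bytes([track, side, n, size_code])
        out += b"\x00" * 12 + idf + crc16_ccitt(idf).to_bytes(2, "big")
        out += b"\x4E" * 22 + b"\x00" * 12               # gap + sync
        data = DAM + bytes((n + k) & 0xFF for k in range(128 << size_code))
        out += data + crc16_ccitt(data).to_bytes(2, "big") + b"\x4E" * 24
    return bytes(out)


def parse_track(dump: bytes) -> list:
    """Return one record per ID field found in the dump (the article's step 2)."""
    sectors, i = [], 0
    while i + 10 <= len(dump):
        if dump[i:i + 4] != IDAM:
            i += 1
            continue
        track, side, sector, size_code = dump[i + 4:i + 8]
        rec = {"track": track, "side": side, "sector": sector,
               "size_code": size_code,
               # size codes 0..3 mean 128..1024 bytes; anything above is
               # the "points at the ceiling" case the article describes
               "length": 128 << size_code if size_code <= 3 else None,
               # running the CRC over field + stored CRC leaves 0 when intact
               "id_crc_ok": crc16_ccitt(dump[i:i + 10]) == 0,
               "data_crc_ok": None}
        i += 10
        # the data field should follow within the gap; skip over it so
        # sector contents are never mistaken for an address mark
        j = dump.find(DAM, i, i + 64)
        if j != -1 and rec["length"]:
            end = j + 4 + rec["length"] + 2
            rec["data_crc_ok"] = crc16_ccitt(dump[j:end]) == 0
            i = end
        sectors.append(rec)
    return sectors


def is_standard_trdos_track(sectors: list) -> bool:
    """Standard TR-DOS layout: 16 sectors of 256 bytes numbered 1..16, CRCs intact."""
    return (len(sectors) == 16
            and all(s["length"] == 256 and s["id_crc_ok"] and s["data_crc_ok"]
                    for s in sectors)
            and sorted(s["sector"] for s in sectors) == list(range(1, 17)))
```

A loader that wants to recognise its own non-standard disk, or a copier deciding which tracks need special handling, would run exactly this kind of scan over every track.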

   A further complication of copy protection measures can go along the 
path of "laser holes" and "floating bytes". You can also go the way of 
writing bytes greater than #F4 in the gap regions (without the VG93 chip, 
otherwise it will not work).

   But for these protections too there are countermeasures. One can only 
admit that the hacker will not be stopped. And the arsenal of means for 
removing protection is much more sophisticated and numerous than the 
arsenal for installing it.


   To conclude this article, a few words about the last block of a 
protection complex: the block "responding" to cracking or illegal 
copying. Here the scope for imagination is much wider: from threatening 
messages and whistles, through attempts to erase / format the disk, to 
attempts to "break" the drive by giving it the command "go to cylinder 
255" or "find track 243".






