Move #02
03 February 1997
  Software  

XOR'em ALL - XOR'ki and how to deal with them: IMP PROTECTION SYSTEM'95 & GOLDEN EAGLE PROTECTION SYSTEM.


(C) Ars


   At the moment I could not think of a sillier occupation than
writing about XOR'ki. True, at first I wanted to say something
about, so to speak, programming techniques, such as multicolor or
scrolling in the border, but then I changed my mind. Much better
to load STS yourself and look at whatever interests you. Although,
frankly, today you cannot find a single program that you could dig
into undisturbed. Hackers have been at work everywhere, scattering
XOR'ki and decrunchers all over the place.

   Well, with decrunchers everything is clear, really - a useful
thing: the same as an unpacker, but much cooler and slower. You
cannot always wait for the program to start, and you want to press
Reset (especially when there is no progress indicator, as in the
FastCode demo). On the other hand, the memory savings are immense.
Take, for instance, Lemmings (by PSG), squeezed into 128Kb (!): and
yet it used to occupy a whole disk. Well, okay, in cases like that
you can wait a bit.

   But XOR'ki, on the contrary, litter the memory, both literally
and figuratively. Depending on the degree of perversity they devour
from tens of bytes to tens of sectors. And isn't somebody too lazy
to XOR everything? Clearly, if they are not too lazy, then it is
needed for some reason. In principle, one should understand that a
XOR'ka is one of the ways of protecting information and copyright,
though a very primitive one.

   Only one question remains: from whom is all this being
protected? From users? Well, not everyone associates the word
"monitor" with "STS" or "the NMI button". From hackers? But can
you really protect yourself from hackers? You can only hold up the
cracking process for a few seconds (hours), and they will get to
the target anyway. So, let me say: if you are going to protect
your product, do not count on XOR'ki!

Better to put some perverse check somewhere in the middle of the
code. For example:


       RLC E,(IX+#13)
       RET C
       INC SP
       SRL E
       RET PO

Finding such a little routine in 128 kilobytes of memory and
working out what it needs is always much harder than unwinding
even the most sophisticated XOR'ka. And in general, I think that
if you do put in a XOR'ka, then only one that is as hard as
possible to crack even when you know how it works. But is that
possible?

   To conclude this, I think, truly heavy delirium, I will present
some of the most colorful creations of computer thought and ways
of dealing with them:

   IMP PROTECTION SYSTEM'95. At one time all of Mortal Combat was,
for some reason, protected across the board with this XOR'ka. And
some people, like Andy2 and Warlock, even tried to refine it
somehow (the latter added a "monitor killer"). Immediately after
launch (#5D74) the XOR'ka unpacks itself into the cleared screen
and takes control. Its beginning looks pretty crazy: shuffling
between registers, accesses to the ROM, some calculations on the
calculator ... I think that tracing the XOR'ka and working out why
it does all that makes no sense. In this case it is much more
efficient to look for more or less "normal" code. At #40C6 we find
the following:


#40C3  JP PO,#40CA
#40C6  LD A,R
       XOR (HL)
       LD (HL),A
#40CA  LDI
       RET PO
       DEC SP
       DEC SP
       LD L,L
       RET PE

And this is a standard stack XOR'ka. Setting a breakpoint at this
address, we obtain the following register values:
 HL = #40D3 ; source - the XORed code
 DE = #44CC ; destination - the executable code
 BC = #00FF ; block length
Pay attention to the stack, or more exactly to its contents:
 SP = #402F   (SP) = #44CB   (SP-2) = #40C3
That is: as long as BC is not 0, the exit address #44CB is passed
over on the stack and the RET PE instruction sends control to
address #40C3. As soon as register BC becomes zero after an LDI,
RET PO fires and the loop exits. After running the XOR'ka loop
about three times in the monitor and then setting a breakpoint at
address #44CB, we get to the loader. Cell #40DE holds the load
address of the block, and #40E0 its length. It remains to add that
after the border flashes blue and loading from disk begins,
control is passed through the stack to address #412E.
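
The loop control described above, modelled in Python as an added example (it is not code from the protection or from the original article). The register and stack values are the ones listed above; the function names, the starting value of R and the sample block are constructed, and the model assumes that R counts opcode fetches in its low 7 bits, so that it advances by 12 per pass of this loop.

```python
# Model of the loop at #40C3-#40D0. Register and stack values come from the article.
HL0, DE0, BC0, SP0 = 0x40D3, 0x44CC, 0x00FF, 0x402F
LOOP, EXIT = 0x40C3, 0x44CB
FETCHES_PER_PASS = 12   # opcode fetches per pass; ED-prefixed LD A,R and LDI count twice
R_FIRST = 0x5A          # ASSUMPTION: value of R at the first LD A,R (not given on the page)

def next_r(r, fetches=FETCHES_PER_PASS):
    """R counts opcode fetches in its low 7 bits; bit 7 keeps its value."""
    return (r & 0x80) | ((r + fetches) & 0x7F)

def keystream(r_first, n):
    """Values that LD A,R yields on n consecutive passes of the loop."""
    out, r = [], r_first
    for _ in range(n):
        out.append(r)
        r = next_r(r)
    return out

def pop(mem, sp):
    """Read a little-endian word from the stack, as RET does."""
    return mem[sp] | (mem[sp + 1] << 8), sp + 2

def run_loop(mem, r_first):
    """Run the loop until RET PO is taken; return (pc, sp, passes)."""
    hl, de, bc, sp, r, passes = HL0, DE0, BC0, SP0, r_first, 0
    while True:
        mem[hl] ^= r                     # LD A,R / XOR (HL) / LD (HL),A
        mem[de] = mem[hl]                # LDI copies the decoded byte
        hl, de, bc = hl + 1, de + 1, (bc - 1) & 0xFFFF
        passes += 1
        if bc == 0:                      # LDI cleared P/V, so RET PO is taken
            pc, sp = pop(mem, sp)        # pops the word at SP: the exit address
            return pc, sp, passes
        sp -= 2                          # DEC SP, DEC SP: step back over the #40C3 word
        pc, sp = pop(mem, sp)            # RET PE: P/V is still set from LDI
        assert pc == LOOP                # JP PO at #40C3 then falls through to #40C6
        r = next_r(r)

def build_memory(plain, r_first):
    """Constructed sample: XOR `plain` with the keystream and lay out the stack."""
    mem = bytearray(0x10000)
    for i, (p, k) in enumerate(zip(plain, keystream(r_first, len(plain)))):
        mem[HL0 + i] = p ^ k
    mem[SP0 - 2:SP0 + 2] = LOOP.to_bytes(2, "little") + EXIT.to_bytes(2, "little")
    return mem

if __name__ == "__main__":
    plain = bytes(range(BC0))            # constructed 255-byte block
    mem = build_memory(plain, R_FIRST)
    pc, sp, passes = run_loop(mem, R_FIRST)
    print(hex(pc), hex(sp), passes, bytes(mem[DE0:DE0 + BC0]) == plain)
```

The two stack words are never overwritten, so the same `#40C3` entry is reused on every pass, and the key is nothing more than a counter that steps by 12.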

   GOLDEN EAGLE PROTECTION SYSTEM. This protection was put on the
loaders of Silicon Brains. It is based on the original idea of
using the stack inside the body of the XOR'ka: memory is accessed
only through PUSH and POP. I have seen several variants of the
protection, but they differed by only a few instructions:

#5DC5  DI
       LD SP,#5DFB
       LD BC,#005F
       LD A,#28
       LD R,A
#5DD0  POP DE
       POP HL
       EXX
       POP HL
       POP DE
       LD A,R
       XOR E
       LD E,A
       LD A,R
       XOR D
       LD D,A
       PUSH DE
       LD A,R
       XOR L
       LD L,A
       LD A,R
       XOR H
       LD H,A
       PUSH HL
       EXX
       LD A,R
       XOR L
       LD L,A
       LD A,R
       XOR H
       LD H,A
       PUSH HL
       LD A,R
       XOR E
       LD E,A
       LD A,R
       XOR D
       LD D,A
       PUSH DE
#5DFA  POP DE
#5DFB  POP HL
       POP DE
       POP HL
       DEC BC
       LD A,B
       OR C
       JR NZ,#5DD0
#5E03  ....

Of course, at first nothing resembling a loop can be seen (the
block is shown here already un-XORed), and from address #5DFB
onwards (this is where the stack is set at startup) there is
unintelligible nonsense. The first thing the XOR'ka does is
restore its own last 8 bytes (4 POPs and 4 PUSHes), and on
reaching address #5DFA it takes on its "natural" look. Well, and
then the 4 POPs shift the stack up by 8 bytes, i.e. to address
#5E03, and the circle is closed ...


                (Maybe to be continued ...)




