Move #05 18 мая 1997

Программирование

XOR'em ALL - Algorithms protection software: ALKATRAZ, SPEEDLOCK.

         XOR'EM ALL (Continued)

(C) Ars MDM 249-9753


    One of the most perverse ways
protection of downloaders are multiksorki.
They appeared quite long ago, when it is widely used in various 
tape tread, such as Alcatraz'a and SpeedLock'a.

Their main purpose was that
to better hide any custom loader, do not allow for
copy of the program by conventional means.
Protecting disk tool also does not cost
without embedded ksorok. So in 1995, was released by SoftLand 
hit of the season - the game "Field of Miracles." Since it was 
written in Basic language and, given the large demand for

such popular products, the toy was
sternly defended - "smeared" throughout the
drive and a slightly Zaksor. This is the "slightly" takes about 
40 (!) Sectors. Another striking example of this coding are all 
(especially Sanalex'om) beloved little thing called 
MultiProtect (author-MastSoft). Protection was put on top 
MicroProtect'a and included start-Basic-block and multiksorku 11

sectors. I should say that DeadLock
(The so-called MultiProtect MastSoft'a),
served its purpose - stealing programs
for many it was stopped at a sufficiently long period of time - 
until the moment when become common disc copiers

type McDonald'a. It is interesting to note that
This protection seems like not only
trader'am Minsk and other cities. For example, in the toy 
SquareHead from OutLand'a used a protection statement.

What is a multiprotekt?
This sequence of primitive ksorok
Type:

         DI

         LD A, par1

         LD R, A

         LD HL, address-1

         LD DE, par2

         LD BC, length
 cycle LD A, R

         XOR (HL)

         XOR D

         XOR E

         LD (HL), A

         INC HL

         DEC BC

         LD A, B

         OR C

         JR NZ, cycle
address ...

Follow ksorki can have exactly the same form (with other 
parameter values) or a little different, for example: used to 
loop command DJNZ, do not use registers DE, etc. Private ksorki 
themselves are elementary, but they are a huge number, measured 
sectors, forces immediately abandon the idea to untwist them 
manually. Especially because at the time of occurrence of such 
protection did not exist STS and catch the change register R 
had its own. Great disadvantage multiprotekta (in contrast to 
the same Alcatraz'a) was that he was very

too primitive in the sense that consisted of
virtually identical ksorok in which
There was nothing original. Ie protection
should have been conceived as the authors simply
speaking, to starve out the hapless hacker. It is easy to be 
predpolzhit that the encryption is performed using the files of 
some, and hence cracking process can easily be automated. It 
was necessary to take into account following circumstances:

1. the first step of the cycle ksorka restores address 
conditional jump (cell address-1);

2. value of the register R, given in ksorke can be used as a 
primary parameter in subsequent ksorkah; 3. Size ksorok 
consistently varies depending on their type; 4. ksorka be 
unmovable. 

    Propose a way to solve this
puzzles:

; DEXORING SYSTEM
; Written by Ars 1995

st_code EQU # 9EC1; top ksorki
len_code EQU # 14E7; length ksorki
zapas EQU # 0500
; Need "just in case" to the latter; Applying ksorka not 
zaportila piece of code dopusk EQU # 0020

; Max possible size ksorki: it is for
, This criterion shall stop, then
, Is the place where it ends and ksorki
; Begins loader, for whom everything
; Do ...
double EQU st_code + len_code + zapas
, A copy of the source code ksorki
START EQU double + len_code
'S address early Stage


        ORG # 9C40

        DI

        LD HL, st_code; Current Address
        LD (curr), HL; top ksorki

        LD BC, len_code; Make a copy of the code

        LD DE, double; all ksorki

        LDIR
NEWXOR LD A, # 77; Search LD (HL), A

        CALL SEAR_B; see Remark 1

        CALL WORK

        CALL COPY

        CALL START; Rasksorivaem 1

        LD (dexor), A; bytes - for JR NZ

        LD A, # 20; JR NZ Search

        CALL SEAR_B

        INC DE

        LD A, (dexor); Write the correct

        LD (DE), A; jump address

        INC DE

        LD (curr), DE; now promoted
        CALL WORK; Vai all ksorku

        CALL COPY

        CALL START

        JR NEWXOR; etc.
SEAR_B LD (byte +1), A

        LD HL, (curr)

        PUSH HL

        CP # 20

        JR Z, metka

        LD DE, # 0006, departed for

        JR plus; to skip
metka LD DE, # 0001; possible komanrlus ADD HL, DE; between LD 
DE, par 

        EX DE, HL; where par can

        POP HL; be code # 77
BNF LD A, (DE)
byte CP 0; Exit if to
        RET Z; manda found

        INC DE

        PUSH HL

        PUSH DE

        EX DE, HL

        XOR A

        SBC HL, DE

        XOR A

        LD BC, dopusk

        SBC HL, BC

        POP DE

        POP HL; cycle, if by
        JR C, BNF; mandates could not be found

        POP HL; Full output

        EI; whether the code is not found

        RET; at length dopusk
WORK XOR A; Copy code

        EX DE, HL; ksorok in buffer

        SBC HL, DE

        PUSH HL

        POP BC

        EX DE, HL

        LD DE, (buffer)

        LDIR

        LD (buffer), DE

        LD A, # C9; Set point

        LD (DE), A; stop

        LD (curr), HL; Keeping current
        RET; schy address
COPY LD HL, double

        LD DE, st_code; Restore

        LD BC, len_code; "original"

        LDIR

        RET

curr DW 0
buffer DW START
dexor DB 0

I can not guarantee that an optimal solution, however, the 
idea, I think, is clear.