Protect! EXE/COM v5.5
(C) 1993-1995 Jeremy Lilley, All Rights Reserved
March 22, 1995

Program Documentation
=====================

Contents:
---------
What is Protect! EXE/COM v5.5 ? ................ 1
Some Improvements, Briefly ..................... 2
Requirements ................................... 2
How To Use Protect! EXE/COM .................... 2
Which Files Can't Be Protected ................. 4
Legal Terms / Disclaimer ....................... 4
License ........................................ 5
Protect! EXE/COM Vs. Other Utilities ........... 5
Comments on Hacking Protect! ................... 6
Technical Notes ................................ 6
Compression Notes .............................. 7
What's The Mutation Engine? .................... 8
Closing ........................................ 9
Address ........................................ 9

What is Protect! EXE/COM v5.5 ?
-------------------------------
Protect! EXE/COM is a protection, encryption, and compression utility that has protected programs from tampering and reverse-engineering for the last two years (and counting). By attaching a strong security envelope to your DOS EXE and COM files, the resulting files run normally but look like a random series of instructions and garbage bytes.

This version provides compression as well as encryption, so your final files will be smaller. You can still use any other compression program with Protect!, and you may turn off the integrated compression altogether if you want to.

Most importantly, a modification check using a high-speed CRC, which can be customized by registered users, prevents the program from running if it has been tampered with by hackers, viruses, or simply by accident. That way, you can be pretty certain that your program will come up with all the proper screens without crashing or hanging due to unwanted modification.
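The modification check described above can be illustrated with a small self-contained model. This is an added example, not Protect!'s own code or file format: it wraps a program image and its error message in a constructed envelope, stores a CRC-32 over both, and at "load" time refuses to run a changed image, reporting the errorlevel of 250 that the usage section states for modified files. The envelope layout, the MAGIC marker and the function names (protect, load_protected, tamper) are assumptions; the 4k and no-ASCII-0 limits on the message come from the page.

```python
"""Integrity envelope demo (added example, not Protect!'s code or format)."""
import struct
import zlib

MODIFIED_ERRORLEVEL = 250      # the page: modified files return errorlevel 250
MAGIC = b"ENV1"                # constructed marker, not Protect!'s real header
HEADER_LEN = len(MAGIC) + 2    # marker + u16 message length
MIN_ENVELOPE = HEADER_LEN + 4  # ... + trailing u32 CRC-32


def protect(program: bytes, message: bytes) -> bytes:
    """Wrap a program image in an envelope carrying a CRC-32 over it.

    Constructed layout: MAGIC | u16 msg_len | msg | program | u32 crc32.
    The CRC covers everything before it, so the message is protected too.
    """
    if b"\x00" in message:
        raise ValueError("message may not contain ASCII 0")   # page's rule
    if len(message) > 4096:
        raise ValueError("message is limited to 4k")           # page's rule
    body = MAGIC + struct.pack("<H", len(message)) + message + program
    return body + struct.pack("<I", zlib.crc32(body))


def load_protected(envelope: bytes):
    """Behave like a loader stub: return (errorlevel, output).

    (0, program image) when the CRC matches; (250, stored message) when
    the image, the message or the CRC itself has been altered.
    """
    if len(envelope) < MIN_ENVELOPE or envelope[:4] != MAGIC:
        return MODIFIED_ERRORLEVEL, b"File has been modified."
    body, stored = envelope[:-4], struct.unpack("<I", envelope[-4:])[0]
    msg_len = struct.unpack("<H", body[4:HEADER_LEN])[0]
    message = body[HEADER_LEN:HEADER_LEN + msg_len]
    if zlib.crc32(body) != stored:
        # The stored message is shown even if it was the part altered; the
        # CRC covers it, so the mismatch is still caught.
        return MODIFIED_ERRORLEVEL, message
    return 0, body[HEADER_LEN + msg_len:]


def tamper(envelope: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, as a hex-editor change would."""
    buf = bytearray(envelope)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    # Constructed 5-byte "program": mov ax,4C00h / int 21h (exit to DOS).
    program = b"\xb8\x00\x4c\xcd\x21"
    env = protect(program, b"MyProg was modified. Please reinstall it.")
    print(load_protected(env))                        # (0, program image)
    print(load_protected(tamper(env, len(env) - 6)))  # (250, message)
```

Because the check runs over the whole image before control is transferred, a single flipped bit anywhere in the message, the code or the stored checksum produces the same refusal; that is the property the page attributes to the CRC check, and it is what a compressor-only envelope lacks.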
Your program's underlying data will not be left in the open (to any Dick or Jane with a hex editor or disassembler) and your code will be safer from others' eyes.

Some Improvements, Briefly
--------------------------
In preparing this new version, I (again) rewrote just about everything in order to speed execution, to stop hacking programs, and to integrate the compression. Loading overhead from Protect! should be slightly lower, particularly for files that are not compressed. The encryption itself is much more random now due to some new techniques that I learned. I also took out some anti-debugging traps that occasionally presented problems under OS/2 (mostly when loading files in the background). The older version could also cause the user's clock to lose a few seconds whenever a Protected program was run (seconds can add up quickly), but that is taken care of. Most importantly, the few circulating unProtect programs will no longer work with Protect! v5.5.

Requirements
------------
Protected programs will basically run on any system that the normal file would run on. Protect! itself requires DOS 3.x or above and 64k of memory to run in. The files themselves must be below 600k because Protect! cannot accommodate large overlay files in memory (actually, many overlaid files may present a problem for Protect! because the overlaid data would not be able to be encrypted). You may still want to have and use a compression utility such as LZEXE or PKLite (R) in some circumstances, especially if you are using files over 300-350k (the relocation tables in Protect! usually get filled around then, so precompressing those files may be most efficient).

How To Use Protect! EXE/COM
---------------------------
The command-line syntax for Protect!
EXE/COM v5.5 (ProtExCm.EXE) can be summarized here:

    ProtExCm filename[.EXT] [* CRC_Msg.Fil - Registered*] [-N]

The first and only necessary component is the file's name, with or without the extension (if you have MyProg.EXE and MyProg.COM, it will do the EXE file if no extension is named).

The modification error message, which is available only to registered users, is displayed by the file if it has been modified or tampered with. Unregistered users have a message stating that the file has been modified but that it was Protected with an unlicensed copy of Protect! -- a message that you might not like to place in a file for distribution. Registered users can save time by putting a message in a file called CRC.MSG or MODIFIED.MSG (it *must* be in your current directory) and it will be used unless you specify another file. The file can be up to 4k and can basically contain any characters except for ASCII 0.

Finally, the -N switch prevents Protect! from trying to compress the file. You may want to use this if compression is not significantly reducing the file size or if compression is causing a noticeable loading delay. If your file has been compressed previously with LZEXE or PKLite, for example, you would probably want to use this option to save the time it takes to attempt to compress the file unsuccessfully.

Here are some usage examples:

    ProtExCm MyProg.EXE             (To Protect MyProg.EXE)
    ProtExCm MyProg                 (To Protect either MyProg.EXE or MyProg.COM)
    ProtExCm MyProg.EXE -N          (To Protect MyProg.EXE without trying to compress)
    ProtExCm MyProg.EXE MyProg.Msg  (To Protect MyProg.EXE using the contents of MyProg.Msg for the modification error message)

As you can see, adding the security that Protect! provides is not a difficult task. It might also be helpful to know that if a Protected file has been modified, Protect! returns to DOS with an errorlevel of 250. Remember that the security of Protect!
*depends* on the fact that a Protected file CANNOT be expanded by Protect! after being Protected (you can probably see why). The backup file (.OLD) is provided just in case there is a problem with the Protected file. If there is a problem, you might want to try to reProtect the original again or to turn compression on or off.

Which Files Can't Be Protected
------------------------------
Protect! EXE/COM cannot Protect Windows (R) and OS/2 (R) EXE files because the formats for these files are substantially different and more complex than the regular DOS EXE format. For your information, a Windows EXE basically starts out looking (from Protect's perspective) like a small DOS EXE that can only display a message that "This file requires Windows." There is a pointer to a Windows New EXE header, which Windows finds and uses as the Windows file. I have written a freeware program called EXE-Combine that exploits this and allows you to attach a DOS program to a Windows program. Protect! will now automatically detect if a file is for Windows or OS/2 so that you don't waste your time trying to Protect them.

Also, due to the structure of Protect!, files larger than the 600k neighborhood can't be Protected (because the entire file has to fit in memory at once when it loads). This fact, of course, makes Protect! worthless for xBase files, where the basic "Hello World" EXE can be over a meg. Don't try to Protect COMMAND.COM, etc.

Legal Terms / Disclaimer
------------------------
The only guarantee behind Protect! EXE/COM v5.5 ("Protect!") is that it has the ability to alter EXE and COM files. The problem is that Protect! may not always alter every possible file correctly, and as the author (Jeremy Lilley), I cannot be sued for problems due to use and misuse of Protect!. Protect! is provided "as is," and, as the user, you have been warned that using Protect! implies that you understand that compatibility problems may arise.
You, as the user, are responsible for any damage caused by using or misusing Protect!, and under no circumstances may the author be held liable for loss of profits or any other damages arising from Protect!. Also, it is your responsibility to use Protect! only in a lawful manner. No other warranties or guarantees, express or implied, exist with Protect!, especially for this evaluation copy. Risk of damage resulting from Protect!'s use is actually pretty small, as long as you use it correctly. However, if you try to make it mess up, it probably will. Just remember that it isn't my fault if you misuse my program. Also, all trademarks used are the property of their respective owners.

License
-------
You may use Protect! EXE/COM for the purposes of evaluating it (after understanding the disclaimer and the documentation) for 30 days. No files protected by Protect! during this trial period may be distributed to other computers, commercially or non-commercially. If you find Protect! to be of use to you, you must register Protect! with the author ($25). Government, educational, and commercial institutions must register this program with the author prior to use (please contact me for quantity discounts). Sysops, user groups, disk vendors, CD-ROM vendors and other similar organizations may distribute Protect! provided that no files are excluded from the distribution and that no more than $10 (except for CD-ROM) is charged for distribution.

Much of Protect!'s protection and encryption capability comes from its anti-debugging and anti-hacking code. In order to keep loading time to a minimum (yes, 1000-bit, military-grade decryption keys *do* take a while to process), the encryption key length is nothing (some advanced math with 32-bit numbers) compared to the encryption keys regulated for export from the US. In addition, since the decryption mechanism is and needs to be located in the file, the Protected files themselves are not subject to US export restrictions.
However, the ProtExCm.EXE and this Protect! EXE/COM package should be kept away from Iran, Libya, and communist/communist-nostalgic nations that the US has normal trade restrictions with.

Protect! EXE/COM Vs. Other Utilities
------------------------------------
Protect! EXE/COM's first concern is security. No other program emphasizes modification checking using a CRC to the extent that Protect! does. Try PKLITing an EXE file and change a byte or two in the middle of the file (find parts of text that you can still recognize slightly). As long as the program doesn't crash (it may if you've messed too much with the code portions), PKLITE won't notice your changes at all. A hacker can also decompress a program compressed with PKLITE or LZEXE quite easily -- even if a program is compressed with the "invincible" -E option on the professional version of PKLITE. After decompressing, any hacker can change your program (remove copyright screens, disassemble code, etc...), compress it again, and spread it around, possibly damaging your profits, your reputation, and others' computers (I hope you have a good disclaimer...). Fortunately, hacking is not quite that rampant, but it still is a possibility and a risk, and it is much better to pay a few dollars up-front to be safe than to be sorry in the future.

Comments on Hacking Protect!
----------------------------
Some users of Protect! EXE/COM have pointed out files, mostly found on illegal bulletin boards, that have been able to remove the protection from previous versions of Protect!. It is sometimes interesting to read their documentation ("aNArky Rulz, d00Dz") and even more interesting to watch them fail the majority of the time. The programs themselves often spread viruses to the curious user.
After watching some security mechanisms work better than others (it will be fun to see the reactions of some hackers who discover some of the new traps and ideas), I know that no software-only program (or even hardware-based) is fool-proof, but Protect! v5.5 puts together some of the toughest combinations of traps that will work compatibly under the DOS (and Windows/OS/2) environment.

To put the security capability into a better perspective, an apt analogy for Protect! EXE/COM would be to an automotive anti-theft device. The anti-theft device helps deter thieves from breaking in (most thieves just get the next car over) and also makes it difficult once they try to get in to drive the car off. Yet, it is entirely possible for the best of professional thieves to disable the device (yes, I know somebody who had his car stolen even with "the Club"), but 99% find another car and won't go to those lengths. As far as Protect! is concerned, it is just about the best, least-intrusive anti-hacking software solution (just read the documentation files written by some of the hackers of previous versions of Protect! -- many admit that Protect! was quite a challenge to break through). Protect! may not be 100% fool-proof, but it has evolved quite significantly after some "cat-and-mouse" and it stands before you as the best lock to prevent people from breaking in to your programs.

Technical Notes
---------------
First of all, thank you to everyone who contributed anti-debug ideas for this version of Protect!. All these new ideas have helped make Protect! more secure and faster. I have again rewritten the "mutation engine" (now it is much more random-looking).
There are a few techniques such as prefetch queue tricks (trying to write to a memory location stored in a processor's instruction prefetch area, which kills debuggers) and using 386 debugging registers to kill debuggers like SoftIce that I have not used because they are incompatible with some systems (like OS/2 -- which really helped in writing Protect!).

Protect! v5.5 adds about 1k to a file with an average-sized modification error message. The mutation engine can vary the size somewhat, and Protect! will usually be able to take a few hundred bytes from the file header on EXE's. The encryption is no longer anything closely resembling a simple XOR sequence, and having a string of constant bytes does not necessarily mean constant bytes in the result file, with or without compression. The compression is a simple derivative of the Lempel-Ziv algorithm, but it is nothing compared to the complexity of the compression used in PKLite. You may layer multiple copies of Protect! on top of each other, but that will start to cause noticeable delays in loading.

Like v4.0 and unlike versions before that, Protect! is written entirely in assembly language, mostly with the A86 assembler. I write and test Protect! on both my 486 DX/2-66 running OS/2 and my not-yet-buried 4.77/10 MHz switchable "turbo" XT. Protect! has been around for a while, with many people pitching in ideas to make it more secure. If you have any suggestions, questions, comments, etc. about Protect!, you can easily contact me through Compuserve/Internet e-mail (my PGP 2.6 key is available upon request), or if nothing else, postal "snail mail", and I am usually pretty open to your comments.

Compression Notes
-----------------
One of the improvements to this version of Protect! EXE/COM is the integrated compression. By using a derivation of the Lempel-Ziv compression algorithm, both EXE and COM files can occupy less disk space in addition to being encrypted.
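To make the compression notes concrete, here is a minimal Lempel-Ziv (LZ77-style) packer and unpacker together with the decision rule this section describes: honour -N, otherwise compress only when the file shrinks by at least 5%. This is an added example, not Protect!'s compressor; the token format (a tag byte, then either a literal or a 16-bit back-reference distance and an 8-bit length), the 4096-byte window and the names lz_compress, lz_decompress and pack are all assumptions. The decompressor validates back-references so a corrupt stream raises instead of reading outside the output.

```python
"""LZ77-style compression with the page's 5% rule (added example, not
Protect!'s own algorithm or stream format)."""
import struct

WINDOW = 4096          # assumption: how far back a match may reach
MIN_MATCH = 3          # shorter matches cost more than a literal
MAX_MATCH = 255 + MIN_MATCH
MIN_GAIN = 0.05        # page: shrinking by less than 5% -> not used


def lz_compress(data: bytes) -> bytes:
    """Greedy longest-match LZ77; naive window search, easy to check by hand."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        best_len = best_off = 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            # Overlapping matches (j + k >= i) are allowed, as in LZ77.
            while k < MAX_MATCH and i + k < n and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_off = k, i - j
        if best_len >= MIN_MATCH:
            out += b"\x01" + struct.pack("<HB", best_off, best_len - MIN_MATCH)
            i += best_len
        else:
            out += b"\x00" + data[i:i + 1]
            i += 1
    return bytes(out)


def lz_decompress(blob: bytes) -> bytes:
    """Inverse of lz_compress; rejects malformed tokens and bad references."""
    out, i = bytearray(), 0
    while i < len(blob):
        tag = blob[i]
        if tag == 0 and i + 1 < len(blob):
            out.append(blob[i + 1])
            i += 2
        elif tag == 1 and i + 3 < len(blob):
            off, length = struct.unpack("<HB", blob[i + 1:i + 4])
            if off == 0 or off > len(out):
                raise ValueError("corrupt stream: back-reference before start")
            for _ in range(length + MIN_MATCH):
                out.append(out[-off])      # byte-wise copy handles overlap
            i += 4
        else:
            raise ValueError("corrupt stream: bad or truncated token")
    return bytes(out)


def pack(program: bytes, no_compress: bool = False):
    """Apply the page's rule: (compressed?, payload to store in the file)."""
    if no_compress or not program:            # -N, or nothing to gain
        return False, program
    packed = lz_compress(program)
    gain = (len(program) - len(packed)) / len(program)
    if gain < MIN_GAIN:                       # too small or not compressible
        return False, program
    return True, packed


if __name__ == "__main__":
    redundant = b"ABCABCABC" * 50             # constructed, highly repetitive
    flat = bytes(range(256))                  # constructed, no repeats
    for sample in (redundant, flat):
        used, payload = pack(sample)
        print(len(sample), "->", len(payload), "compressed" if used else "stored")
```

Incompressible input actually grows under this scheme (every literal costs two bytes), which is exactly why the page's threshold and the -N switch exist: the loader stub would pay decompression time for nothing.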
One of the biggest reasons for doing this is to make your files more secure -- the images of popular code compressors like LZEXE, PKLITE (R), and TinyProg are all well-known. It is easier for a hacker or hacking program to trace for or into known code (like LZEXE's decompressor) than for it to trace directly into the program or into another layer of Protect!. There is also something to be said for reducing redundant expressions in the code, and the new encryption algorithms in this version also help hide redundancy.

You can opt not to attempt to compress a specific file by putting a "-N" at the end of the command line. You may want to do this if you are using another compressor with Protect! (Protect!'s compression ratios may not be as good as those found in dedicated compressors due to speed considerations). Also, if you have an especially large file that is only compacted by a few percent, you may want to turn the compression off to eliminate some loading time overhead. If a file is too small to benefit from compression or shrinks by less than 5%, compression won't be used. For most files, any compression overhead is unnoticeable, and in general, leaving Protect! to try to compress files is the best idea.

What's The Mutation Engine?
---------------------------
A portion of Protect! EXE/COM that is largely responsible for keeping people from making master unProtect programs is the "mutation engine." It is basically the "front door" that keeps master unProtects out. Many utilities that can attach an envelope to an EXE (such as LZEXE or other file compression utilities) are the same every time. That is why UNLZEXE or generic unprotect-type utilities are pretty easy to make. When an unprotection utility (such as UNP) unprotects a file, it creates a virtual DOS environment for the file to run in until the file finishes decrypting itself.
When it is done decrypting itself, the unprotect utility simply writes what's in memory to disk and you have your unprotected file (not that difficult, right?). The program may use a different key every time and even encrypt itself, but all the unprotect program has to do is just trace through that until it gets to the original entry point, and all of that is for naught.

One of the tricks for foiling unprotection utilities and debuggers lies in the fact that the unprotector must always have control over the Protected program in order to stop it when it is decrypted in memory. If you remove the unprotector's control and subvert it without harming the operating system or other concurrently-running applications, you are one step ahead in protecting your programs. However, an unprotect program author can just instruct his utility to detect the type of file and blank out the bytes that would kill it when it gets to them. This would result in a high-tech cat-and-mouse game.

The reason that it isn't too difficult to make normal unprotects stems from the fact that the protector's security envelope is the *same every time*. I coded a mutation engine for Protect! to make sure that the security envelopes wouldn't be the same every single time a new one is encoded. Instead of being able to "trace in" a definite number of bytes every time and being able to blank out a certain number of bytes every time, these figures will have to vary between each and every different file that is Protected. If you take one original file and Protect it on several different occasions, it will never be the same length or have the same content every time (there are thousands and thousands of different combinations). My mutation engine randomly decides which machine code instructions to use every time: it may use a 3 or 4 byte equivalent of a 2 byte instruction or vice versa in any order that works. Because there are definite rules for this mutation, it will work every time.
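The effect the mutation engine section describes, picking a different but equivalent instruction encoding each time so that byte offsets in the envelope stop being constant, can be shown with a tiny model. This is an added example, not Protect!'s mutation engine: it builds a four-step prologue from a table of equivalent 16-bit x86 encodings (a real 2-byte `xor ax,ax` versus the 3-byte `mov ax,0`, as the text's "3 or 4 byte equivalent of a 2 byte instruction"), then contrasts the two views an analyst might take. A fixed-offset template, which is what a generic "master unprotect" or a byte signature relies on, matches almost none of the variants and cannot predict where the envelope hands over control; a semantic normalisation that maps each encoding back to its effect shows every variant is the same program. The step list, the INT 21h marker standing in for the real entry point, and the names build_stub, survey and normalize are all assumptions.

```python
"""Fixed-offset templates versus semantic comparison of a mutated stub
(added example; the instruction table is real 16-bit x86, everything
else is an assumption, not Protect!'s code)."""
import random

# Semantically equivalent encodings, grouped by effect.
EQUIVALENTS = {
    "zero_ax": [b"\x31\xc0",        # xor ax,ax        (2 bytes)
                b"\x29\xc0",        # sub ax,ax        (2 bytes)
                b"\xb8\x00\x00"],   # mov ax,0         (3 bytes)
    "nop":     [b"",                # emit nothing
                b"\x90",            # nop              (1 byte)
                b"\x50\x58"],       # push ax / pop ax (2 bytes)
}
# Reverse map (longest encodings first so the scan never mis-splits a mov).
CANON = sorted(((enc, eff) for eff, encs in EQUIVALENTS.items()
                for enc in encs if enc), key=lambda kv: -len(kv[0]))
ENTRY_MARKER = b"\xcd\x21"          # int 21h: constructed stand-in for the
                                    # real, non-mutated entry point
STEPS = ["zero_ax", "nop", "zero_ax", "nop"]   # assumed stub semantics


def build_stub(rng: random.Random) -> bytes:
    """One mutated prologue: each step gets a randomly chosen encoding."""
    return b"".join(rng.choice(EQUIVALENTS[s]) for s in STEPS) + ENTRY_MARKER


def template_matches(stub: bytes, template: bytes) -> bool:
    """The fixed-layout assumption: identical bytes at identical offsets."""
    return stub[:len(template)] == template


def entry_offset(stub: bytes) -> int:
    """Where control leaves the prologue; constant only for a fixed envelope."""
    return stub.index(ENTRY_MARKER)


def normalize(stub: bytes) -> list:
    """Semantic view: replace each known encoding by its effect, drop no-ops."""
    effects, i = [], 0
    while i < len(stub):
        for enc, effect in CANON:
            if stub.startswith(enc, i):
                if effect != "nop":
                    effects.append(effect)
                i += len(enc)
                break
        else:                        # unknown byte: keep it verbatim
            effects.append(("raw", stub[i]))
            i += 1
    return effects


def survey(n: int, seed: int = 1) -> dict:
    """Generate n stubs and measure both views against the first one."""
    rng = random.Random(seed)
    stubs = [build_stub(rng) for _ in range(n)]
    template = stubs[0]
    return {
        "distinct_layouts": len(set(stubs)),
        "template_hits": sum(template_matches(s, template) for s in stubs),
        "distinct_entry_offsets": len({entry_offset(s) for s in stubs}),
        "semantically_identical": len({tuple(normalize(s)) for s in stubs}) == 1,
    }


if __name__ == "__main__":
    for key, value in survey(20).items():
        print(f"{key}: {value}")
```

With only two substitutable steps and three choices each, 81 layouts of four to ten bytes are possible, which is why the text can say that re-Protecting the same file never yields the same length twice; a real engine with a longer table and garbage instructions multiplies that quickly. The lesson for a defender is the one the normalize function embodies: compare programs by what instructions do, not by where their bytes sit.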
Since the mutated portion is relatively small (but effective), an extra byte or two in a spot will not adversely affect the performance of your Protected files. Garbage code and other distractions make it even more difficult for a hacker to write a master unProtect. Protect! uses both a mutation engine and a variety of anti-debug tricks interspersed throughout to help attain maximum security for your files.

Closing
-------
There is no doubt that Protect! EXE/COM can save you time, effort, energy, and money in securing your files. There are NO "run-time fees" or royalties for Protect! EXE/COM; you can Protect and distribute any number of files (legally, that is) once you register. The cost is $25 per copy of Protect! EXE/COM per machine. The registered version will allow you to specify your own modification error messages and comes without the "beg screen." Protect! EXE/COM is not "crippleware," so you are basically on your honor to register before you distribute Protected files.

There is a definite threat of hackers and viruses on the loose and it is your responsibility to protect your programs. What other utilities try, Protect! does. With powerful encryption, compression, anti-debugging, and modification-detection abilities, Protect! EXE/COM has the ability to provide your programs solid protection. Thank you for evaluating Protect! EXE/COM!

Address
-------
Jeremy Lilley
Protect! EXE/COM
2711 Oak View Circle
Medford, Oregon 97504
Compuserve: 75060,2074
Internet: 75060.2074@compuserve.com