Some thoughts on key checking methods that are hard to reverse engineer
20 january 1998
One of the best serial no. protections I have ever seen was possesed by
a game called Stars! It wasn't hidden. It wasn't hard to find. It wasn't
cunning. It was merely 8k long of arithmetical transforms, to drive
anyone trying to crack it insane. It made a keygenerator almost
impossible - I didn't like the game **that** much. I was able to brute
force a serial through the checks, but it was very hard. A patch was
useless, because it serial numbers were needed for multiplayer games.
Some thoughts on key checking methods that are hard to reverse engineer:
1. The rcr/rcl trick:
If a rcr/rcl is performed on a value, it becomes much more of a pain to
crack - you can't reverse it with by negating it's effects without
knowing what the value of the carry flag was before the original
operation. If the carry flag is created as a result of some other pain
in the neck operation, you are probably onto a winner.
2. Stick conditional jumps in. Everywhere.
Conditional jumps are not fun to reverse engineer. I don't mean a loop,
I mean jumps which conditionally bypass/include portions of your
wonderful key manipulation code. I mean - there is no easy inverse
operation to be performed here.
3. Use portions of the code as magic number tables. (preferably critical
You have no idea how annoying this can be, if you're like me and like to
change things around using softice.
4. Play with the cracker's mind.
This one is fun :-) Stick series of nops in, as though you were doing
self-modifying code (oh my god! what the heck! nops? Aha! Self-modifying
code! Idiot spends next three years trying to find the code that should
be there.). Pepper the code with junk instructions. Cut the code up into
little pieces and put them all over the executable, with (preferably
conditional) jumps between them. - Anything which you would find a pain
in the neck.
5. Detect softice. Early. (Thank you +RCG). Now crash the computer.
You can crash a pentium or a pentium with MMX even without a vxd by the
F0 0F C7 C8 (illegal form of cmpxchg8b instruction with lock prefix).
Beyond that, we have to resort to the tried and true methods. Using a
vxd, take the CPU out of protected mode. Windows doesn't like that.
Just some thoughts
You are deep inside reverser's page of reverse engineering,
choose your way out:
Back to the Protectionist's corner
Is reverse engineering legal?