JEREMY LILLEY'S PROTEXE! EXE/COM V5.5
("Exploring a weak protection scheme")
by The Undertaker
(24 September 1997, slightly edited by fravia+)
Courtesy of fravia's page
of reverse engineering
Well, here is a new essay from our Srilankan friend, The Undertaker, who "tackles"
commercial protector... and, as usual, said protectors make a very meagre figure! You'll
learn something about Keyboard & timer interrupt masking routines and the usual
anti-softice trick (MOV SI,4647) here.
A small critic: can you please please remember
to GIVE THE EXACT LOCATION where we can download your targets? Yes, we all
know how to search and find them... but what's the point of keeping to oneself a basic
information like the BEST (quickest, "bandwidthest") location for downloading our targets?
JEREMY LILLEY'S PROTEXE! EXE/COM V5.5
Exploring a weak protection scheme
The Undertaker -=BANDA=-
Well, I thought that Jeremy was a good software protectionist.
My thoughts shattered once I saw his protexe! program.
Actually I expected lots of traps, of anti debugging tricks, of new methods
of protection from a program named "protexe"!
But I ended up with a big sad disappointment.
Here is the story called "Promising a lot and Delivering scant".
I think every reverser will feel like I do about protexe!.
How I did proceed:
First I encrypted a .EXE file using protexe!.
I called it test.exe
Then I used Soft-Ice 2.80 to analyse the encrypted program.
Let's go, +friends:
Load the encrypted program using Softice's loader.
In the early part of the encrypted file you can see
Keyboard & timer interrupt masking routines like.
XXXX:XXXX OUT 21,BA --> Keyboard mask.
XXXX:XXXX OUT 21,BB --> Keyboard & timer mask.
Lame tricks isn't it?
Avoid all these (don't trace into them) & put a break point & go.
You'll land here...
XXXX:0194 CC INT 3
XXXX:0195 EBFD JMP 0194
XXXX:0197 AC LOADSB
XXXX:0198 00F8 ADD AL,BH
XXXX:019A 4A DEC DX
XXXX:019B 7503 JNZ 1A0
XXXX:019D 83E909 SUB CX,+9 --> ***
XXXX:01A0 76E3 MUL BL
Now put a execution break point on 19D & go.
Then trace through the code until you see this..
XXXX:01F7 E421 IN AL,21
XXXX: 3403 XOR AL,03 --> Enabling the previously
XXXX: E621 OUT 21,AL --> masked keyboard & timer int.
Rest of the code seems to be CRC checking routine.
Skip all these junk until you find following snippet:
XXXX:024B E90000 JMP 24E
XXXX:024E E90000 JMP 251
XXXX:0251 8B868802 MOV BX,[BP+288]
Mmmmm! two near jumps with no effects.
Suspicious isn't it?
But these two jumps will take you somewhere else once your .EXE file
has been compressed before using the protexe!.
If the file is compressed, these jumps take to the decompression
routines of the packer.
But if you didn't use any compression utility, before using the
protexe!, the above jumps have no effect.
Ok! It does not matetr anyway if those jumps have any effect on your
own test file or not, just skip the rest of the code (don't trace into
nor process it) and scroll your code window until you see following
XXXX:0352 E2F3 LOOP 347
XXXX:0354 BE4746 MOV SI,4647 --> **
XXXX:0357 B81109 MOV AX,911
XXXX:035A CC INT 3
Remember the Anti-Debugging tricks used to kick Soft-Ice.
If you don't know or remember them, then read the relevant articles
provided on Fravia's.
The above code looks to me as a very simple lame Anti-Debugging trick to kick
Let's quickly crack this before we proceed.
Before you execute INT 3 set SI=0.
Otherwise SoftIce get stoned.
Then execute the INT 3 and process until you see the far jump.
This jump take you to the original code of the .EXE file.
XXXX:XXXX JMP XXXX:XXXX --> This jump takes you to the
beginning of the unprotected code.
Do you think such a protexe! can protect your programs?
D'you think you can get at least a 20% improvement in terms of protection?
I think that our Jeremy should re-think twice the coding of his protection
Anyway no protector can protect 100% (should you believe you have found one,
take a little rest and then crack it :-)
But at least a commercial protector should be able to do its job by some
extent. So I was deceived.
But I found a good thing in protexe! Let's give Jeremy some merit: its good
CRC checking scheme, and its integration, both are good and well written.
Unfortunately this can be bypassed very easily as well, as you have seen :-)
By the way, let's not have an "eurocentric" vision of the world: most of the
countries don't have any "software laws" at all! Including my country: Sri
Because of this, every protectionist's job is and will remain very open and
So there is no point in annoying the few that try to study seriously all these
banal and uselessly stupid protection schemes in Europe or in the States...
should it be necessary, we'll move the whole cracking scene inside a server in
SriLanka or elsewhere... and get much more nastier :-)
Greetings goes to all HCU+ friends....
The Undertaker -=BANDA=- //SRI LANKA//
(c) The Undertaker 1997. All rights reversed
You are deep inside fravia's page of reverse engineering,
choose your way out:
Is reverse engineering legal?