Program: ARM Protector v0.2
Author: SMoKE
Date: 2004
Code: Pure Win32 ASM (big part of loader coded with opcodes, i dont
need mnemonics anymore ;)
Intro
-----
ARM Protector is a Windows Portable Executable (PE) file protector and cryptor
against reverse engineering (cracking, debugging and other illegal modifications).
It has some nice protection options (i'll keep adding them as much as i can)
Protection Options
------------------
- Anti Ring3 Debugger (Application Level)
- Anti SoftIce and Monitoring Tools
- Exit In Case Of Bad CRC
- Erase API/DLL Name Strings (Destroy IT)
- Anti API Breakpoint
- Anti In-Loader API BPX (Prevent Unpack)
- Anti In-Loader Code BPX
- Anti Hardware Breakpoint
- Password Protect
- Anti Ring3 Debugger (Application Level)
executable will refuse to run if it detects that the process is working under
application level (ring 3) debugger (debuggers that use debug APIs).
- Anti SoftIce and Monitoring Tools
executable will refuse to run if there is active SoftIce/Trw system debuggers
and plus some of well known Monitoring Tools (like RegMon and FileMon).
- Exit In Case Of Bad CRC
executable will refuse to run if it detects that the file is modified, changing
even one byte will make executable un-runable.
- Erase API/DLL Name Strings (Destroy IT)
if the file protected with this option, there wont be any API and DLL names in
the memory after startup. So the import table (IT) will be destroyed.
- Anti API Breakpoint
this option will fight against breakpoints on apis which executable uses (APIs from
import table). So if there will be any breakpoint executable will refuse to run.
- Anti In-Loader API BPX (Prevent Unpack)
and this option checks breakpoints for apis that in-mem loader uses (emulated APIs).
- Anti In-Loader Code BPX
this option will fight against software breakpoints, if there will be any breakpoint
in the loader body program will refuse to run.
- Anti Hardware Breakpoint
and this option will fight against hardware breakpoints, that system (ring0) debuggers
use to break on (hmm.. ring3 debuggers use hardware breakpoints aswell :)
- Password Protect
if you choose this option, protected file will ask for a password at run-time,
entering wrong password will crash program (read more in ABOUT PASSWORD PROTECTION)
Default Options
---------------
and there are some default options. that means they always present in protected executable,
which makes loader code and whole protector more secure.
here the some of them...
+ Every time even the same file is encrypted in different way. So there isn't standart en-decryption
key/mechanism that one can use to attack this protector.
+ Code of in-mem loader is very confusing, thats make debugging and unpacking a bit harder.
+ As you can see there is no import table after protecting, and of course all gets emulated.
+ Even after raw dumping there won't be any protector code parts, loader deletes itself before
passing execution to program, so attacker can't disasm decrypted loader's code and try to attack.
+ Advanced import related stuff random encryption
i think thats enough for those who want to protect file with ARM Protector, more info is dangerous
for security of the protector...
debug it, if you need more infos hehe ;)
To do...
--------
for now i think about this options to add...
icedump detection for Win9x platforms
some anti tracing stuff... (theoretically i know what to do)
softice detecting with interrupt gate and self-tracing... more advanced method to detect sice
all this wont be hard to implement, i need only patience to do this...
History
-------
v0.2 - fixed a lot of bugs, all this gets +100 lines,
now should work correct
v0.1 - now it called ARM Protector (ARMENIAN PROTECTOR)
probably the first :)
packed original exe...
v0.8 - now you can protect your executables with custom password,
changed GUI
v0.7 - added new, very advanced encryption mechanism for
import related stuff (name string, thunk_data, IID etc etc...)
reverser, i made import handling a bit harder ? :)
v0.62 - fixed bug in Anti Ring3 Debugger option. Now protected
exe will work phine in Win98 aswell as in WinXP
v0.61 - fixed bug with ordinal handling
v0.6 - added new great option to fight against hardware
berakpoints in loader code
v0.5 - minor bug fix in Anti In-Loader Code BPX code
v0.4 - finally i implemented Anti In-Loader Code BPX stuff, added
drag/drop support and option to backup file before protection
v0.3 - finally fixed problems with Anti Ring3 debugger option to
work under WinXP, successfully tested with TASM 5.0, MASM32 v8,
FASM v1.5, Borland Delphi 2-7, MS Visual C++ 4, 6, 7,
MS Visual Basic 5, 6, Borland C++ 1999, Borland C++ 6
v0.3b - removed Erase PE Header (was very crappy and buggy) and added
new option instead of SoftIce detection, and changed
Crash Ring3 Debugger option a little...
v0.2b - fixed some bugs and added function to prevent double protecting
v0.1b - first public release
Bugs
----
i guess there are no bugs atm...
but still waitin for your bugreports, to make this project perfect :)
Bug? - i can say only one thing atm, but thats not my fault, thats
M$ fault. The problem is in Win2000.
So... Win2000 loader cant load executable without no import
table, i know thats stupid, coz there is a lot of executables
(and even anyone can code tons of such exes) that doesnt
have import table, so exe without no imports just wont
run in Win2000. So as you can see, any exe protected with
ARM Protector wont have import table anymore, so as you can
guess, wont load in Win2000. I think the only way to solve
this problem, is to have import table, but that will not be
so secure as now :)
SORRY ALL THOSE WHO IS STILL USING THIS M$ WINDOZE 2000 CRAPPPPPP !
Some InfoZ
----------
anyway ARM Protector tested only on Win98SE and WinXP, as you already
know protected exes wont run on Win2000 (and you even know why :))
dunno about Win95, WinNT (4.0...), WinME and Win2003...
but think that should work ok. If there is someone who tested
on this OS, let me know...
ABOUT PASSWORD PROTECTION
-------------------------
why the program crashes when you enter wrong password instead just
saying that ?...ok, i made that way coz of security reasons, so this
way i dont keep *good* password, and program doesnt know about *right*
password, it just decrypts program with password entered, so if it was
wrong one, junk will be generated and program will crash...
you can enter password of length 1 to 100 and i think thats enough.
so now attacker can only do brute-force... hmm which is not very
good method to unpack :)
Thanx & Helloz
--------------
s0nkite - thank you for testing on WinXP and tellin me some errors
FlameGod - thanx for WinXP testings
ScoRpIo - thanx for testing with a lotta compilers under WinXP
_pusher_ - thankyooz for holdin me up :-)
AleksV - thank you for testing on Win2000
zombie - for telling me bug about bad ordinals handling, fixed now :)
YOU - thank YOU for using this stuff... :)
thats it for now... keep checking for the newer versions.
P.S.
for any advice, ideas, bugs and even if you can be good
beta-tester feel free to contact me.
[email]smoke@freenet.am[/email]
[课程]Linux pwn 探索篇!
