:M: SECURE WINDOWS NT/9X EXE & DLL PROTECTOR
____________________
PELOCKnt v2.04 *For non-commercial use only*
____________________
PELOCK.nt.Console
____________________
Version 2.04
____________________
Copyright (C) :MARQUIS:DE:SOIRE:
____________________
All rights reserved
____________________
04/07.98
____________________
Updates: http://www.fortunecity.com/greenfield/tigris/26/

 0. Documentation
 1. Description
 2. Requirements
 3. Features
 4. Options
 5. Error Values
 6. Development
 7. What's new
 8. Sidenote
 9. Q & A
10. Revision
11. Greetings
12. Registration
13. Address
14. Epilog

____________________
1. Description

PELOCKnt is designed to protect ANY Windows NT4/5 or Windows 95/98 EXE and
DLL file against reverse engineering and patching. Basically it will crypt
all objects of a PE (Portable Executable) file, leaving it executable. Such
a crypted file is compatible with all PCs, very fast and strong. I added a
lot of new features like the dynamic ImportTableLoader, full DLL support,
32-bit Virus protection, various debugger protections and much more to keep
PELOCKed files modern and as secure as possible.

Other packers often work well with small files too. But did you ever try to
pack/crypt large files like excel.exe? While some packers like WWPack32 need
forever (you can go drink a coffee in the meantime) or sometimes fail with a
nice General Protection Fault, PELOCKnt will instead crypt the file fast and
reliably in a few seconds.

PELOCKnt was successfully tested with nearly every sort of 32-bit file: GUI
applications like EXCEL.EXE or AGENT.EXE, DLLs like MFC42u.DLL and
MSVBVM50.DLL, and CONSOLE programs like LINK.EXE. It seems to be as
compatible as possible now. PELOCKnt itself is a Windows Console program
running in a DOS-Box.

If you want to know what's NEW in v2.04 please read section 7.

____________________
2. Requirements

WINDOWS NT4/5 or 95/98 and some EXE or DLL files you want to protect.

____________________
3. Features

- Protect any Windows 32-bit Portable EXE & DLL file, leaving it executable.
- Full support for Windows NT4, NT5, W95, W98 and SoftIce.
- Crypting EXE & DLL files up to 64 MB in seconds.
- 32-bit Virus protection.
- Protecting all PE.objects against reverse engineering or patching.
- Integrated ImportTableLoader supports imports by name and ordinal.
- Integrated RelocationTableLoader supports any imagebase.
- Up to 50% faster 32-bit crypting compared to the former version.
- BPX protection.
- Generic API.Hook protection.
- Generic File.Tracer protection.
- Support for EXE files with Export Directory Table.
- TLS (Thread Local Storage) auto handling.
- Hiding .object names.
- DAR DLL.Auto.Recognition
- APC Anti.Procdump.Code
- User.options to protect any crypted file against SICE and NTICE.
- Generic 32-bit CRC selfprotection against viruses, file manipulations, or
  decrypting errors. If the CRC32 check fails PELOCKnt will display a window
  and then close the protected program to prevent data loss. A General
  Protection Fault INSIDE PELOCKnt is almost impossible. The failure can be
  caused by:
  a) Virus or FileManipulations (check with your antivirus program)
  b) Strange TLS values (try to protect the file with option -Xy)
  c) external packer/protector (did you use other packers too?)
  d) internal crypting failure (wait for an update)
- ...and much more. (Technical infos in PERULES.TXT)

____________________
4. Options

PELOCKnt.exe File2Crypt.exe [-options]

Options:
  -A0       API protection against winice BPX        OFF (default=ON)
  -B0       Create BACKUP file .org                  OFF (default=ON)
  -V0       32-bit CRC VIRUS check                   OFF (default=ON)
  -N        reNAME/hide objects to PELOCKnt          OFF (default=ON)
  -C        Crypt .CODE section ONLY                 ON  (default=OFF)
  -K        KILL generic Win9x tracer                ON  (default=OFF)
  -W1       NAGSCREEN if winice found (NT/W95/W98)   ON  (default=OFF)
  -W2       EXIT program if winice found             ON  (default=OFF)
  -W3       HANGUP windows if winice found           ON  (default=OFF)
  -Xy       eXclude PE.object No.y from protection (e.g. X3)
  -?        Display only fileinfos, don't crypt it
  -T"text"  Displays a USER-defined TEXT inside a MessageBox

Example:
  PELOCKnt.exe excel.exe    (for full protection of excel.exe)
  PELOCKnt.exe myprog.exe -T"Get full version at www.mypage.com!"

-A0 Don't terminate the program if any API function of the protected file
    is hooked.

-A1 DEFAULT, close the program if any API function of the protected program
    is hooked by a debugger.

    Some words about option A: by default calc.exe would work normally as
    long as you don't hook (bpx) any API which calc.exe uses. Let's assume
    you protected it without any option: "pelocknt calc.exe". If you
    disabled all breakpoints inside winice with "bd *", then calc.exe would
    just run as normally as before. You know one of the APIs calc.exe uses
    is CheckDlgButton. If you hook this API by "bpx CheckDlgButton" and try
    to execute calc.exe again it would just terminate.
    IN GENERAL: "BPX API.program.is.using" IS NOT ALLOWED (DEFAULT).
    But if you apply option -A0 ("pelocknt calc.exe -a0"), calc.exe would
    execute normally even if you hooked APIs like "bpx CheckDlgButton".
    Sidenote: A few APIs belonging to PELOCKnt itself can't be hooked with
    BPX or PELOCKnt will terminate.

-B0 Will prevent PELOCKnt from creating a backup copy of the file you want
    to protect.

-B1 DEFAULT, create a backup copy of the original program called .ORG.
    If .ORG already exists PELOCKnt will NOT overwrite it, but skip the
    backup process.

-C  This option is almost never needed, but if a protected file refuses to
    work or crashes, try to crypt the CODE only: "pelocknt program.exe -CA0NB".

-N  By default PELOCKnt will overwrite any crypted .object name with its own
    name to hinder analysing and unpacking. If you use option -N all .object
    names are preserved.

-V0 By default the 32-bit CRC selfprotection of PELOCKnt protected files is
    activated with -V1 (Virus check ON). There is NO reason to deactivate it
    with -V0, that's why I might remove this option in future versions.
    Instead you should use only the option -Xy to find the object which
    can't be handled correctly by PELOCKnt.

-V1 DEFAULT, 32-bit selfprotection enabled.

-W0 DEFAULT, no winice checks.

-W1 "pelocknt calc.exe -w1" would not prevent program execution if you have
    winice loaded, but displays a Nagscreen "You would never see this
    without a debugger in the background". After you press OK calc.exe works
    100% normal.

-W2 Check for either softice95 or softiceNT and exit the program if the
    debugger is present.

-W3 Hangup windows if softice is present (NT and 9x).

-Xy DEFAULT is -X0. This option is, like -V0, for experts only and should
    almost never be used (I might remove it soon). The default option -X0
    protects all possible objects. Only a number between -X1 and -X9 can be
    applied. A few files have strange entries pointing to an object which
    should NOT be crypted. If PELOCKnt crypted such an object, the internal
    CRC32 virus check would handle this anyway and close the protected file.
    But option -X2 might force PELOCKnt to leave e.g. object No2 untouched
    and protect the rest...and the file will work well.
    Examples to protect strange programs which can't be handled
    automatically:
      "pelocknt ZOC.EXE -x9"      (don't touch segment No 9)
      "pelocknt AGENT.EXE -x2"
      "pelocknt WINWORD.EXE -x4"

-?  "PELOCKnt.exe program.exe -?" displays information about any Portable
    Executable file, but doesn't crypt or protect it.

-T"Text"
    By default PELOCKnt protected files will not display any text.
    But if you want to inform the user inside a MessageBox about something
    special, use option -T combined with text enclosed in " " or ' '. Such a
    text can have a maximum of 255 chars.
    Examples:
      pelocknt myprog.exe /T"Don't try to hack me!"
    or
      pelocknt myprog.exe /T'Contact me at peter@myisp.com'

____________________
5. Error Values

Use GetExitCodeProcess to retrieve the Process's uExitCode for PELOCKnt.
The possible values are:

  0h          = Normal ExitCode, everything went well.
  0FFFFFF10h  = ErrorExitCode while trying to protect a file.
  0FFFFFF20h  = ErrorExitCode from a PELOCKnt protected file itself,
                caused by:
                a.) a hooked API function (use "bd *")
                b.) non-available API function (update your DLLs)
                c.) internal error (try option -Xy)

____________________
6. Development

PELOCKnt was carefully developed and tested under Windows NT4 and Windows
95. Former versions were reliable; this new version includes some needed
enhancements like DLL crypting and is still as secure as possible. It will
protect EXE or DLL files by crypting every PE.object and adding a few KB of
extra code to the file.

Included files are:
  PELOCKnt.EXE - Console version of the protector itself
  PELOCKnt.TXT - This file
  PERULES.TXT  - General protector & packer rules

Bug reports are welcome, especially from WinNT5 and Win98 users. Such a
report should look like:

  OS                              : WinNT5
  Filename which caused the error : mspaint.exe
  How often protected with what?  : 4 times PELOCKnt (incl. switch -N and -C)
  Version of PELOCKnt used        : 2.04
  ...

A bug report including a (protected) file will be ignored and just deleted!
I email you if I need the file, often I have it already.

____________________
7. What's new

NEW in V2.04:
- Improved the TLS handling, which means option -Xy is more seldom required.
- Fixed option -C, which wasn't recognized anymore.
- Altered some minor things.

NEW in V2.03:
- Option -T"text" to display a USER-defined TEXT inside a MessageBox.
- Fixed the Win95/98 PAGEFAULT in PELOCKnt itself.
  This error was hopefully seldom but serious, thanks to Wiesel for
  reporting it.
- Changed the internal Interrupt 1 behaviour to a more secure version.

NEW in V2.02b:
- Fixed the SHARED SECTION problem which could cause an internal CRC32
  error, thanks to Random for reporting it.
- Sometimes an error/GPF occurred while you closed the protected
  application. This is fixed and was a Runtime-Thread-Creation-Bug.
- Fixed the RESOURCE calculation causing a false Virus alert/CRC32 error.
  The following programs will work now: ACDSEE32.EXE etc. and all already
  crypted programs.
- Changed some internals and the Win9X Winice detection.

NEW in V2.01:
- BugFixed the segment check which caused an error under Win98.

NEW in V2.00:
- PELOCKnt includes some major changes to .BJFnt, the name reflects this.
- Full DLL-PROTECTION support for WinNT4/5 and Win9X. Tested successfully
  with a lot of huge DLLs, e.g. MSPAINT.EXE/MFC42u.dll (NT4), both crypted,
  and the program still works perfectly. MSVBVM50.DLL (W95) and many more
  were tested too without problems.
- Dynamic ImportTableLoader including several error-checks. Of course the
  IMPORT-TABLE will be crypted now (EXE and DLL). Finally I'm erasing the
  whole IMPORTTABLE except the IMPORT ADDRESS TABLE itself. The DLL-NAME RVA
  will be ZERO to indicate this.
- DAR (DLLAutoRecognition), you can just crypt a renamed DLL.
- Generic internal 32-bit Virus check.
- Option -V0 to disable the new internal 32-bit CRC VIRUS check.
- Option -Xy. eXclude the given object.number y from protecting.
- Full RELOCATION support for any EXE/DLL, even for future versions of Win.
  All former versions just crypted the relocations, but were unable to
  apply them. For the first time PELOCKnt will now handle the whole
  fixup-process itself. Successfully tested for instance by crypting the
  old MIRC32.EXE (W95) with an imagebase of 10000h, a rebased CALC.EXE
  (Imagebase=300000h) and other files.
- Support for all those EXE files which export functions like a DLL.
- Winice BPX checks.
- Hooked APIs might result in a program termination.
- AntiProcdump&SimilarProgsCode like:
    AFDC (AntiFileDumpCode)
    AFTC (AntiFileTraceCode)
    ITDC (ImportTableDestroyCode)
    RAC  (RelocationApplyCode)
    RDC  (RelocationDeleteCode)
- Option -? will only display infos about all fileobjects but doesn't crypt
  or alter the file itself.
- Up to 30% faster 32-bit crypting.
- Warning: the "unpacked" version of PELOCKnt will simply crypt wrong.

Changed:
- Option -B altered to -B0/1. B1 (default) will create a backup .ORG while
  option B0 will skip the backup process.
- Option -I removed, because the .idata will be crypted anyway.
- Option -K. Such a protected file will now kill SoftIce95 and similar
  tools (I changed the detection and killing to a more generic one). The
  program execution itself and PCs without SoftIce will not be affected.
  NTIce will not be detected/killed by the -K switch.
- NameHiding (see option -N). Former versions renamed by default ANY object
  to PELOCKnt unless you used the option -N. This version will ONLY rename
  crypted objects to PELOCKnt but leave the names of uncrypted objects as
  they are (renaming an object doesn't affect the program execution at all).

Fixed:
- Bug for NT5 and Win98 programs: the calculation of the imagesize was
  wrong, some crypted programs refused to execute.
- Working imagebase relocation fixups for files like the old MIRC32.EXE.
- Some minor internal errors (e.g. VirtualFree).

____________________
8. Sidenote

A PELOCKnt crypted file will sometimes not display the original icon on
your desktop (this is no problem at all), unless you use option -C or -Xy.

____________________
9. Q & A

Q: Is PELOCKnt for WinNT only?
A: No, it crypts Windows 95/98 exe or dll files too with no difference.

Q: How can I be sure my crypted file will work?
A: I'm sure there will always be a few files which can't be crypted without
   problems.
   But if you execute your PELOCKnt protected file twice without any
   (windows-initializing) error it's crypted well and will work forever. Or
   you can try option -Xy and -C (crypt .code only), because 1 out of 10.000
   files is compiled by a strange linker which requires this option.

Q: Can I crypt the exe- AND the dll-file of my project or only one file?
A: Of course you can crypt both files. It's even possible to crypt your DLL
   file multiple times, which is more secure against crackers.

Q: When I execute a PELOCKnt protected file nothing happens or the program
   itself seems to terminate.
A: Termination means a security flag inside PELOCKnt was touched, maybe by a
   debugger like winice. If you don't have any debugger or similar tool
   installed I urge you to email me at martino@gmx.net describing the
   problem. If you have softice installed, disable all breakpoints "BD *"
   and the program should work well, unless it was protected with the option
   -W2/3.

Q: I have this program which I can't protect without getting a General
   Protection Fault while executing it. What can I do?
A: Protect the original program again with the less secure options:
   "pelocknt yourprog.exe -CA0N". Now it should work. If not please email me
   details about your program. Keep in mind: never ever hook PELOCKnt
   internal APIs like ExitProcess, MessageBoxA. The program would not work.

Q: I emailed you several times describing my problem. Why do you never
   answer?
A: I feel sorry, I'm not the kind of guy who likes to write emails, but be
   sure I read your email at least and think about it.

____________________
10. Revision

  v1.0a  - First version ever
  v1.1bd - First public BETA-test version
  v1.2rc - RainbowCode version
  v1.3   - BugFixed ULC version
  v1.4   - Internal version only
  v1.5   - Internal version only
  v2.00  - Complete new version
  v2.01  - Small bugfix
  v2.02  - BETA only
  v2.03  - Bugfix
  v2.04  - Minor update

____________________
11. Greetings

FrMaid, Eddie, Acpizer, Stone, the UCF-crew, Random, Riddler, Jrg A.,
The Owl, Misha, Lost Soul, G-Rom, Khadgar, Peter K., Phenox, Ritzelmut,
Huy Hoang, Patricia, Solar Designer, Anakin, Microsoft, Nu-Mega, #cracking
and the one I forgot.

____________________
12. Registration

Not planned.

____________________
13. Address

Marquis de Soire
PELOCKnt v2.04
Email: martino@gmx.net
URL:   http://www.fortunecity.com/greenfield/tigris/26/

____________________
14. Epilog

It's not done till it's done and it sure is no fun.
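
Added example, not part of the original PELOCKnt documentation or its code: the name hiding described under option -N and in section 7 leaves a static marker, because every crypted object is renamed to PELOCKnt, a name that exactly fills the 8-byte Name field of a PE section header. The Python code below reads the section table and reports which object numbers carry that name; the function names and the sample header bytes are constructed for illustration, and it assumes the name is stored as the eight ASCII bytes "PELOCKnt".

```python
import struct

# Assumption: the name is stored as these 8 ASCII bytes (fills the Name field)
PELOCK_NAME = b"PELOCKnt"

def section_names(image: bytes) -> list:
    """Return the raw 8-byte Name field of every entry in the PE section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(image):
        raise ValueError("PE signature or COFF header missing")
    # COFF header: Machine, NumberOfSections, 3 dwords, SizeOfOptionalHeader, flags
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size                             # first section header
    if table + 40 * count > len(image):
        raise ValueError("section table truncated")
    return [image[table + 40 * i: table + 40 * i + 8] for i in range(count)]

def pelock_report(image: bytes) -> dict:
    """Object numbers are 1-based, matching the -Xy numbering in this document."""
    names = section_names(image)
    renamed = [i + 1 for i, n in enumerate(names) if n == PELOCK_NAME]
    kept = [i + 1 for i, n in enumerate(names) if n != PELOCK_NAME]
    return {"names": [n.rstrip(b"\0").decode("latin-1") for n in names],
            "renamed": renamed, "kept": kept, "suspect": bool(renamed)}

def build_sample(names) -> bytes:
    """Constructed input: DOS header, PE/COFF headers and a section table only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    rows = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + rows

if __name__ == "__main__":
    # Constructed layout: objects 1 and 2 renamed, object 3 keeps its own name
    print(pelock_report(build_sample([PELOCK_NAME, PELOCK_NAME, b".rsrc"])))
    print(pelock_report(build_sample([b".text", b".data"])))
```

A file protected with option -N keeps its original object names, so an empty "renamed" list does not show that a file is unprotected.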