
ARM Protector

Title: ARM Protector
Version: v0.1
Author: SMoKE
Description:

[ARM Protector]

Program: ARM Protector v0.1 (EXE Shield v0.8)
Author: SMoKE
Date: 2004
Code: Pure Win32 ASM (big part of the loader is coded with opcodes, I don't need mnemonics anymore ;)

Intro
~~~~~
ARM Protector is a Windows Portable Executable (PE) file protector and cryptor against reverse engineering (cracking, debugging and other illegal modifications). It has some nice protection options (I'll keep adding them as much as I can).

Protection Options
~~~~~~~~~~~~~~~~~~
- Anti Ring3 Debugger (Application Level)
- Anti SoftIce and Monitoring Tools
- Exit In Case Of Bad CRC
- Erase API/DLL Name Strings (Destroy IT)
- Anti API Breakpoint
- Anti In-Loader API BPX (Prevent Unpack)
- Anti In-Loader Code BPX
- Anti Hardware Breakpoint
- Password Protect

  • Anti Ring3 Debugger (Application Level): the executable will refuse to run if it detects that the process is running under an application-level (ring 3) debugger (debuggers that use the debug APIs).

  • Anti SoftIce and Monitoring Tools: the executable will refuse to run if there is an active SoftIce/TRW system debugger, plus some well-known monitoring tools (like RegMon and FileMon).

  • Exit In Case Of Bad CRC: the executable will refuse to run if it detects that the file has been modified; changing even one byte will make the executable unrunnable.

  • Erase API/DLL Name Strings (Destroy IT): if the file is protected with this option, there won't be any API or DLL names in memory after startup, so the import table (IT) is destroyed.

  • Anti API Breakpoint: this option fights against breakpoints on the APIs the executable uses (APIs from the import table). If there is any such breakpoint, the executable will refuse to run.

  • Anti In-Loader API BPX (Prevent Unpack): this option checks for breakpoints on the APIs that the in-memory loader itself uses (emulated APIs).

  • Anti In-Loader Code BPX: this option fights against software breakpoints; if there is any breakpoint in the loader body, the program will refuse to run.

  • Anti Hardware Breakpoint: this option fights against hardware breakpoints, which system (ring 0) debuggers use to break on (hmm.. ring3 debuggers use hardware breakpoints as well :)

  • Password Protect: if you choose this option, the protected file will ask for a password at run-time; entering a wrong password will crash the program (read more in ABOUT PASSWORD PROTECTION).

Default Options
~~~~~~~~~~~~~~~
And there are some default options. That means they are always present in the protected executable, which makes the loader code and the whole protector more secure. Here are some of them...
+ Every time, even the same file is encrypted in a different way. So there isn't a standard en/decryption key or mechanism that one can use to attack this protector.
+ The code of the in-mem loader is very confusing, which makes debugging and unpacking a bit harder.
+ As you can see there is no import table after protecting, and of course all of it gets emulated.
+ Even after raw dumping there won't be any protector code parts; the loader deletes itself before passing execution to the program, so an attacker can't disasm the decrypted loader's code and try to attack it.
+ Advanced random encryption of import-related stuff.

I think that's enough for those who want to protect a file with ARM Protector; more info is dangerous for the security of the protector... debug it if you need more infos hehe ;)

To do...
~~~~~~~~
For now I think about these options to add...
    some anti-tracing stuff... (theoretically I know what to do)
    SoftIce detection with an interrupt gate and self-tracing... a more advanced method to detect SICE

All this won't be hard to implement, I need only patience to do this...

History
~~~~~~~
v0.1  - now it's called ARM Protector (ARMENIAN PROTECTOR), probably the first :) packed original exe...
v0.8  - now you can protect your executables with a custom password, changed GUI
v0.7  - added new, very advanced encryption mechanism for import related stuff (name string, thunk_data, IID etc etc...) reverser, I made import handling a bit harder ? :)
v0.62 - fixed bug in Anti Ring3 Debugger option. Now protected exe will work fine in Win98 as well as in WinXP
v0.61 - fixed bug with ordinal handling
v0.6  - added new great option to fight against hardware breakpoints in loader code
v0.5  - minor bug fix in Anti In-Loader Code BPX code
v0.4  - finally I implemented Anti In-Loader Code BPX stuff, added drag/drop support and option to backup file before protection
v0.3  - finally fixed problems with Anti Ring3 debugger option to work under WinXP, successfully tested with TASM 5.0, MASM32 v8, FASM v1.5, Borland Delphi 2-7, MS Visual C++ 4, 6, 7, MS Visual Basic 5, 6, Borland C++ 1999, Borland C++ 6
v0.3b - removed Erase PE Header (was very crappy and buggy) and added new option instead of SoftIce detection, and changed Crash Ring3 Debugger option a little...
v0.2b - fixed some bugs and added function to prevent double protecting
v0.1b - first public release

Bugs
~~~~
I guess there are no bugs atm... but still waiting for your bug reports, to make this project perfect :)

Bug? - I can say only one thing atm, but that's not my fault, that's M$'s fault. The problem is in Win2000. So... the Win2000 loader can't load an executable without an import table. I know that's stupid, coz there are a lot of executables (and anyone can code tons of such exes) that don't have an import table, so an exe without imports just won't run in Win2000. As you can see, any exe protected with ARM Protector won't have an import table anymore, so as you can guess, it won't load in Win2000. I think the only way to solve this problem is to have an import table, but that will not be as secure as now :)

SORRY ALL THOSE WHO ARE STILL USING THIS M$ WINDOZE 2000 CRAPPPPPP !

Some InfoZ
~~~~~~~~~~
Anyway, ARM Protector is tested only on Win98SE and WinXP; as you already know, protected exes won't run on Win2000 (and you even know why :)). Dunno about Win95, WinNT (4.0...), WinME and Win2003... but I think it should work ok. If there is someone who tested on these OSes, let me know...

ABOUT PASSWORD PROTECTION
~~~~~~~~~~~~~~~~~~~~~~~~~
Why does the program crash when you enter a wrong password instead of just saying so?... OK, I made it that way coz of security reasons: this way I don't keep the good password, and the program doesn't know the right password, it just decrypts the program with the password entered, so if it was the wrong one, junk will be generated and the program will crash... You can enter a password of length 1 to 100 and I think that's enough. So now an attacker can only do brute-force... hmm, which is not a very good method to unpack :)
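As an added illustration (not ARM Protector's code; the PBKDF2 key derivation, the HMAC-based keystream and the tag layout are my own assumptions), a toy model of the scheme described above and in Default Options: a fresh random salt makes every protection run encrypt differently, and with no stored verifier a wrong password just decrypts to junk. A variant with a keyed tag is shown beside it, so the loader can refuse cleanly while still storing nothing about the password itself.

```python
import hashlib
import hmac
import os

# Toy model of password-keyed protection (constructed example, not a real loader).
ITER = 100_000  # PBKDF2 iterations; a 2004 loader would not have used PBKDF2 (assumption)

def _keys(password: bytes, salt: bytes):
    """Derive an encryption key and a separate tag key from the password + salt."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, ITER, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a stream cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "little"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def protect(payload: bytes, password: bytes) -> bytes:
    """Fresh random salt each run, so the same file encrypts differently every time."""
    salt = os.urandom(16)
    enc_key, tag_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, len(payload))))
    tag = hmac.new(tag_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct  # 16-byte salt | 32-byte tag | ciphertext

def unprotect_unchecked(blob: bytes, password: bytes) -> bytes:
    """The page's approach: decrypt with whatever was typed; wrong password -> junk."""
    salt, ct = blob[:16], blob[48:]
    enc_key, _ = _keys(password, salt)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))

def unprotect_checked(blob: bytes, password: bytes):
    """Same scheme plus a keyed tag: still stores no password, but refuses cleanly."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, tag_key = _keys(password, salt)
    expected = hmac.new(tag_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password or tampered file: refuse instead of running junk
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))

if __name__ == "__main__":
    code = b"MZ\x90\x00" + b"\xcc" * 60  # constructed stand-in for a protected program
    blob = protect(code, b"hunter2")
    junk = unprotect_unchecked(blob, b"wrong")  # never refuses, just produces garbage
    print(junk[:2] != b"MZ", unprotect_checked(blob, b"wrong") is None)
```

The tag also covers the salt and ciphertext, so the same check doubles as the "bad CRC" test: any byte change is refused before execution rather than crashing later.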

Thanx & Helloz
~~~~~~~~~~~~~~
s0nkite  - thank you for testing on WinXP and telling me about some errors
FlameGod - thanx for WinXP testing
ScoRpIo  - thanx for testing with a lotta compilers under WinXP
pusher   - thankyooz for holding me up :-)
AleksV   - thank you for testing on Win2000
zombie   - for telling me about the bug with bad ordinal handling, fixed now :)
YOU      - thank YOU for using this stuff... :)

That's it for now... keep checking for newer versions. P.S. For any advice, ideas, bugs, and even if you can be a good beta-tester, feel free to contact me.

smoke@freenet.am

Publish time: 2018-10-30 02:42:51

Publisher: Digital.Spirit