#The biggest in small world

Do you have question about this tools? You can ask here.


Title Content
Version 0.25

0. CONTENT ***** I. - Short Overview II. - Disclaimer III. - Commandline Parameters IV. - Technical Notes (-api, -ip) V. - Contacting the Author VI. - What is new? VII. - What is planned? VIII. - Commercial Usage IX. - Greetings

I. Short Overview ****~ I am back again. One year since the last public pe-shield release. And this is NOT a NEW version. The new more elite version will come in the next three months, otherwise you can beat me up ;) So why this new release: simple, there was a stupid bug in my makefile that made the peshield.exe incompatible to many versions of windows 98. It was not a problem in the crypter but in the makefile.... -> wrong parameters... In fact with this parameter combination it was a wonder that the peshield.exe file works fine on all the other versions of windows (ALL THE FILES PROTECTED WITH PESHIELD WORK FINE THIS PROBLEM IS ONLY IN THE OLD PESHIELD.EXE). Additionally i changed some layers inside and added a new AD trick. This makes PE-SHiELD a little bit stronger then before. Btw: Until today there is still no unpacker for the one year old peshield. All other public pecrypters can be unpacked with special unpackers or procdump.

PE-SHiELD features:

  • section name renaming +
  • encryption of code and data sections always
  • resource section encryption + (with or without 1. ICON) W/O
  • import section handling & encryption +
  • heuristic virus check +
  • the PE-HEADER can be (or not be) overwritten +
  • import section protection -
  • BPX protection of imported functions - (except MFC??.DLL - those functions always caused crashes)
  • a nice little STUPID RING0 TRACER KICKER ;) always
  • protected files cannot be dumped with PROCDUMP always (GROM, author of PROCDUMP, says that this is not true on his system, although many guys have asked me how I got it working ????)
  • protected files cannot be traced by DEBUG API always
  • protected files do not run with SOFTICE in memory always ;)

And like any other protector this feature: - protected files can be cracked if the cracker is good always

II. Disclaimer ** I, the author, am NOT* responsible for any damage caused by the use of PE-SHiELD. Although the program was tested with a lot of different ver- sions of Windows 9x/NT it may be in some cases incompatible. I absolutely do not know how PE-SHiELD will react in a exotic environment I hope this was enough to warn you :)

III. Commandline Parameters *****~ If you want to use PE-SHiELD simply type:

PESHIELD [options] "filename" [options]

                 :~~  you can write:  VERYLO~1.EXE
                                 or: "Very Long File Name.EXE"

an option may start with either '/', '-' or ','


PESHIELD filename -API -IP


  1. PESHIELD filename -API -IP -H-
  2. PESHIELD filename -H- ... x. PESHIELD filename

PE-SHiELD supports the following options:

Options ~~~~~~-

þ -? -h Shows a short helpscreen

þ -o Original file will not be modified. Output goes into


þ -n- Do not rename sections into PESHIELD

þ -hd- Do not overwrite PE-Header in memory

þ -h- Do not add heuristic virus check to file

þ -api API functions that are executed by the file will be

       protected against BPX during runtime
       Imports from MFC??.DLL will not be protected, because
       this always caused crashes on my system

þ -ip The import section is moved in memory to hinder unpacking

       by simply dumping

þ -r The file will not be crypted, just loaded into memory

       and written back, reducing it to its minimum size without
       any type of compression. Use this after manualy dumping a
       file. It will decrease the size.

þ -rs- The resource section will be left unchanged

þ -icn If the resources section gets encrypted, the icon will

       encrypted, too

IV. Technical Notes *****~ The new version of PE-SHiELD is now fully coded in 32-bit WINDOWS assem- bly. I temporary removed the .DLL support in this version, because I wanted to add some stuff that is not compatible to .DLLs, but in fact I was to lazy to add it yet. Maybe it will come soon.

At the moment PE-SHiELD encrypts all code- and data sections. The relo- cation table gets compressed (DELTA/RLE compression) and encrypted, too. You can choose, if the resource section gets encrypted and if the first ICON stays decrypted. All other sections are left unchanged. PE-SHiELD will not work, if there is a .EXPORT area hidden in one of the sections. (EXAMPLE: OPERA.EXE) I will fix that soon...

-api þ This switch helps again any cracker trying to crack your serial

    or regcode protection, by setting a breakpoint on GetWindowTextA
    or similar function. Those breakpoints will crash the current task
    if set before execution and will disable all BPX set while execution

-ip þ The import section will be moved into another part of the memory.

    This makes it very hard for any generic unpacker to find the used
    import table. But even if the generic unpacker finds the right
    table, it is hard to reconstruct, because it will always be de-

Fake Entrypoint þ Because there is no tracer available yet, that can trace

              through PE-SHiELD, i did not implement Fake Entrypoints

V. Contacting the Author **** You may contact me, if you find any incompatibility or just want to tell me your opinion (or hints). You should also contact me, if you release a program protected with PE-SHiELD and send a copy to me :)

contact address: anakin@rockz.org

VI. What is new? ******* Fixed a few little bugs on request and added some AD stuff.

VII. What is planned? ***** I know i already announced new versions of PESHiELD several times and then nothing happened. At the moment i think of restarting the PESHiELD project in march. There are still some bugs that occur with exotic compilers.

IX. Commercial Usage ******* If you want to use peshield on any type of commercial product, you MUST contact me! This also counts for shareware software. Because then I either want some money for the usage, or a copy of your product. In return those "registered" users can get a personalized version from me.

IX. Greetings ***~ Fashion, Special, Masta, Scamp, Avatar Riddler, Random, Devil, Egis, Iceman, Halvar Grom, Stone, Rose, Hanno, BSE

and the rest of exelist

PS: The documentation was modified in a hurry...

View: 3346
Publish time
5 years ago
2018-10-22 05:33:20
AcTioN [ Abuse / Report ]

Please login/register to Leave a Reply

Digital.Spirit Digital.Spirit