────────────────────────────────────────────────────────────────
                 ENcryptCOM v3.06 (Academic Version)
────────────────────────────────────────────────────────────────

By Stewart Moss (smoss@icon.co.za)
http://www.smoss.org.za/

Disclaimer
──────────

"The program" is ENcryptCOM v3.06 and any other files included in the original archive as compiled by Stewart Moss ("the author"). I have tested "the program" fully, but due to the nature of anti-debugging code, I cannot guarantee "the program" will work as documented or even work at all. I also cannot guarantee that files encrypted with this package will work, so please make backups. I cannot accept responsibility for any damage caused (directly or indirectly) by "the program" or any encrypted files. By using "the program" you agree to these conditions.

Introduction
────────────

This program will encrypt your .COM files so that they are hack resistant. I have tried to make the file as hard to crack as I could, but I am not saying it is impossible. This program encrypts your .COM file and puts a hack-resistant layer around the decryptor. It also mutates the decryptor. The output file is intended to make unpacking it as difficult as possible.

About the academic version
──────────────────────────

This version, an Academic version, is for study only. Although the greatest care has been taken to ensure all the code works, it might not. If you experience any problems or notice anything, let me know.

I was quite surprised to see an unpacker for ENCOM 3.01 written by Dr.NO, because I didn't know anybody used it enough to care to make an unpacker. If you do program an unpacker for this program, please e-mail me a copy.

This program represents the next stepping stone towards the elusive ENcryptCOM 4.0 (or 5.0), which promises to be very tough to crack and/or unpack, and almost impossible to make an unpacker for.

How to use
──────────

Just type in ENCOM followed by the input file and the output file, e.g.

    ENCOM TEST.COM OUT.COM

The output file will be 435-929 bytes larger than the original.
On average the file will be 631 bytes larger.

I have tested the output files with every available anti-virus scanner. If a virus warning appears on any of these files, please let me know.

There is a file called SCANENC.EXE. This is a generic scan for ENCOM files, even ones created before the ID bytes were tagged on the end (most versions prior to v3.0). Unfortunately it does not detect versions 3.0 and above without the ID bytes.

Technical Information
─────────────────────

I have tried to make the decryption routine as complex as I could. I am not saying this is as complex as I could have made it, but I have tried to make it difficult to write an automatic decryptor for ENCOM.

The file does not use any 386 debug traps yet. This is because ENCOM, as it stands, is written in Turbo Pascal, and TP does not support in-line assembly of 386 instructions.

ENCOM tags an ID string onto the end of the output file. It is "ENc" and then two bytes: the first byte is the major version and the last is the minor version.

The decryption routine is mutated and covered with a mutation envelope. Once again this envelope is not hack proof, but it hides the real decryption routine from heuristic scanners like TBAV and F-PROT. By the way, the encrypted file does not give any heuristic warnings whatsoever.

I have tested this program on a 386DX40 Cyrix and on an Intel Pentium 90. It has been tested under Win 95, Win 3.1 and MS-DOS 6.22. It will not work on a machine less than a 286.

The "checking" phase of the encryption is when ENCOM checks to make sure that there are no INT 21h or INT 26h opcodes in the encrypted section of the file. This is to prevent too many heuristic warnings. It will only repeat this process 75 times, so as not to hang the machine. That is what the "Iterations" status means.

More Notes :-
----------

- It appears that any COM files compressed by PKLITE v1.12 to v1.20 do not work when encrypted by ENCOM.
  So UNP the PKLited files and re-PKLite with a better version of PKLite [v2.0 works well].

Features :-
--------

- Mutating, polymorphic encryption shield
- Resistant to TBAV Heuristic Analysis
- Moderately strong debug protection
- Resistant to the following :-
  UPC 1.06, Intruder, GTR 1.90, CUP386 3.4, TBClean 8.03, IUP 0.67, UNP 4.12B, TEU 1.80, TD386, DumpEXE 2.4, and all automatic generic unpackers
- Not resistant to :-
  Dg 0.4rc, TD386 (if you know what you are doing), modified / protected S-Ice, TR
- Encom signature to tell the version no. and encryptor
- Uses the FOG encryption engine
- Uses INT 8 traps, modifies the INT 3 pointer, jumps back to the entry point to fool automatic dumpers

Plans for Future Versions
-------------------------

- Make the code TR, DG, TD386, S-Ice resistant. I have done more research since I last modified this program.
- DRx and CRx tricks
- More debugger traps inside the polymorphic decryptor
- Make the program decryptor more polymorphic
- EXE file encryption
- Make debug tricks polymorphic, i.e. MOV DR7,EAX could be MOV DR7,reg32
- Much later I will make the whole decryptor polymorphic with my new decryptor / encryptor algorithms

Files
─────

anti-vir.dat - TBAV checksum file
encom.doc    - This file
encom.exe    - The ENCOM executable
file_id.diz
scanenc.exe  - A file to check for the ENCOM signature and also for previous versions of ENCOM (without signature).

Acknowledgments
───────────────

ROSE              : For his very informative FAQ on anti-debugger tricks.
Eclipse           : For his FOG (Funky Opcode Generator), which is used in the encryption envelope. I changed the ID bytes to include my modifications.
Frank Zago        : For IUP.
Christoph Gabler  : For Trap.
Hann0 Boeck       : For a cool mailing list.
Dr. NO            : For writing an unpacker for ENcryptCOM v3.01. (Delirium Tremens Group)
LiuTaoTao         : For TR and TRW. Both excellent debuggers.
PHaX              : For GetTyp.
ST!LLS0N          : For ExeScan.
The ugly duckling : For the best filebase.
The Webmaster of SUDDEN DISCHARGE : For a really cool EXECOMP filebase
All my friends    : Hi Guys!!!
** All the readers of the EXECOMP Mailing List **

History
───────

ENCOM has been developed over a period of years. I originally wrote it to encrypt .COM files for my own use.

1.0 - 1.10
──────────
Encryption with a very basic decryption engine.

2.01 - 2.06
───────────
Basic anti-debugging stuff in the decryptor. Triggered many TBAV flags. Stupid decryptor. The decryptor was the same one used in a virus and caused a virus warning in F-Prot and McAfee. A switch-back routine caused a "Variant of VCL" in F-Prot. This was probably caused by the following opcodes:

            mov  cx,Length
            mov  si,StartPtr
    Looper: xor  word ptr [si],Key
            loop Looper

2.07 - 2.09
───────────
Added stuff to prevent TBAV flags. A bit more complex debugger tricks. Added a rotating key for the encryption and changed the decryption algorithm. Removed the switch-back routine.

2.10
────
The anti-hack tricks contained prefetch instruction queue (PIQ) tricks, which caused the Pentium processor to hang.

2.11
────
Removed PIQ.

3.0
───
Added a mutation engine and encryption envelope, and increased the number and complexity of the anti-hack tricks. Also added an ID string to the end of the encrypted file. The ID string is:-

    db 'ENc',3,0

3.01
────
Optimised the unpack routine. Removed IN AL,DX and IN AX,DX from the mutation engine because they were causing some unpredictable lock-ups.

3.01 to 3.02
------------
Added more debug traps and added a mutating envelope half way through the decryption envelope. Unfortunately this version is a bit buggy.

Version Change 3.02 to 3.03
---------------------------
Removed minor bugs from the decryptor.

Version Change 3.03 to 3.04
---------------------------
Minor optimizations. Major bug fix.

Version Change 3.04 to 3.05
---------------------------
- Found an unpacker for EnCOM 3.01. The unpacker hooks INT 03 and then patches the code accordingly. It also reads the decryption values off directly.
  The decryption envelope about half way through should prevent this from happening again.
- Complete bug fix. I had problems with the delta offset all the way through the code. This has been fixed.

Version Change 3.05 to 3.06
---------------------------
- Removed INT 03 from the decryptor's entry point. This was a S-Ice for DOS trick.
- Changed header to: mov ah,30h; int 21h; jae $+2; retn; (17 bytes smaller)
- Fragmented the code a bit more.
- Removed all IN Acc,Port# and OUT Acc,Port# from both the decryption engine and the polymorphic engine. These opcodes have been causing random bugs to pop up in my code.
- Added some routines to fool auto-dumpers.
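As an added example (not part of the ENCOM package and not the author's SCANENC.EXE), the Python below does two static triage checks taken from the Technical Information section: it reads the trailing "ENc" + major + minor ID string that v3.0 and later append, and it scans a .COM image for the INT 21h / INT 26h byte pairs (CD 21 / CD 26) that ENCOM's "checking" phase keeps out of the encrypted body. The sample bytes are constructed for the example and are not real ENCOM output.

```python
"""Static triage helpers for ENcryptCOM output (constructed example)."""
from typing import List, Optional, Tuple

ENCOM_MAGIC = b"ENc"                        # trailer magic from the ENCOM docs
INT_OPCODES = (b"\xcd\x21", b"\xcd\x26")    # INT 21h and INT 26h encodings


def encom_version(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if the file ends with an ENCOM ID string, else None."""
    if len(data) < len(ENCOM_MAGIC) + 2:
        return None
    trailer = data[-5:]                     # "ENc" + major byte + minor byte
    if not trailer.startswith(ENCOM_MAGIC):
        return None
    return trailer[3], trailer[4]


def find_int_opcodes(data: bytes, start: int = 0) -> List[Tuple[int, int]]:
    """Offsets of CD 21 / CD 26 pairs from `start`, as (offset, int_number).

    This is a byte-pattern scan, not a disassembly: the same pair inside data
    or an immediate is reported too, so treat hits as a triage signal only.
    """
    hits = []
    for off in range(start, len(data) - 1):
        pair = data[off:off + 2]
        if pair in INT_OPCODES:
            hits.append((off, pair[1]))
    return hits


def triage(data: bytes) -> dict:
    """Combine both checks into a short report for one .COM image."""
    ver = encom_version(data)
    body = data[:-5] if ver else data       # exclude the trailer from the scan
    return {"encom_version": ver, "int_hits": find_int_opcodes(body)}


# Constructed sample: the v3.06 header (mov ah,30h; int 21h; jae $+2; retn),
# a fake body with no INT 21h/26h pairs, then an "ENc",3,6 trailer.
SAMPLE = (b"\xb4\x30\xcd\x21\x73\x00\xc3"   # header: one INT 21h at offset 2
          + b"\x01\x02\x03\x04"             # body bytes (constructed)
          + b"ENc\x03\x06")                 # ID string: major 3, minor 6

if __name__ == "__main__":
    print(triage(SAMPLE))
```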