NOTE THIS IS THE MANUAL FOR HS 1.19, build 201 THE MANUAL FOR HS 1.19 build 206 IS "UNDER WRITEING"! Check: http://come.to/rose_swe for current HS versions! USER MANUAL HACKSTOP ΔΝΝ[ 1 HACKSTOP (HS) ]ΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΔ Synopsis: HackStop (HS) protects DOS COM and DOS EXE files against hacking, analysis, reverse engineering and unpacking. HackStop additionally encrypts COM and EXE files! HackStop uses a variety of different anti-debugging tricks to prevent hacking of Hack- Stopped programs. HackStop is distributed as Shareware. A few questions: ― Have you ever written a program, then found out the next day that your program had been cracked or hacked and uploaded to all the "warez" BBB'es and ftp sites across the world? ― Have you ever invest a lot of time and money developing a pro- gram, which you released as Shareware with a registration op- tion? Just to find out that someone made a generic "key" re- gistration program to register your current and future versions of that software? ― Have you ever invest money in purchasing a copy-protection prod- uct like a key-disk or a dongle plug protection to protect your software from being copied by everyone? Then discovering the next day a cracked copy of your program on a BBS - even though it was "protected"? IF YOU ANSWERED YES TO ANY OF THE ABOVE, THEN THIS IS WHAT YOU SHOULD TEST: HACKSTOP We are all sick of those hackers and crackers who steal our soft- ware investments; it's time to do something about it. This program was not written to make money (you can not do this with a share- ware program like HackStop), it was written to help the hard work- ing computer programmers like yourselves :-) The registration costs are very low, for the amount of time it took me to develop HackStop. HS.DOC Documentation for HackStop Page 1 1.1 Table of Contents 1 HackStop (HS)...........................................1 1.1 Table of Contents...................................2 1.2 Why Should I Choose HackStop?.......................3 1.3 How To Use HackStop?................................3 1.4 Files That Can't Be HackStopped.....................4 1.5 Commandline-Parameters..............................4 1.6 Why Should I Use HackStop?..........................5 2 Technical Notes.........................................6 2.1 How Does an Unpacker Work?..........................6 2.2 How Does HackStop Work?.............................6 2.3 Requirements........................................7 2.4 About HackStop......................................7 2.5 On-Line Compressors.................................7 2.6 More Protection?....................................8 2.7 Protection against Viruses?.........................8 2.8 Impact on the scene.................................8 3 Legal Terms and Disclaimer..............................9 3.1 Disclaimer..........................................9 3.2 Documentation.......................................9 3.3 License - Shareware.................................9 3.4 Distribution Restrictions..........................10 4 Closing................................................11 4.1 Registration.......................................11 4.2 Personalised Versions of HS........................11 4.3 Updates............................................11 4.4 How to get the newest version of HackStop..........12 4.5 My Address.........................................12 4.6 Enhancements In Future Versions....................12 4.7 Some technical stuff...............................12 4.7.1 Version Number..............................12 4.7.2 Build.......................................13 4.8 Credits............................................13 4.9 Authors............................................14 HS.DOC Documentation for HackStop Page 2 1.2 Why Should I Choose HackStop? HackStop is designed to encrypt and secure your executable program files by placing a special security envelope around them. To protect a specific file, simply run HackStop on it, and you and your users will never know that it's there unless somebody tries to hack or analyse it. Do not expect to be able to easily trace through HackStop's security envelope with a debugger - advanced debug traps help destroy this option. Furthermore HackStop has different levels of encryption to stop tracing or analysing at- tempts on protected programs. HackStop is the most advanced exe- cutable protection program of its type that you can buy to keep your programs from being altered or reverse engineered! HackStop was written because all the other programs I know have security holes (see below). HackStop is very popular in the under- ground and very often used. To disable any tool that will use a simple 'XOR' technique Hack- Stop has included a simple "mini mutation engine" to ensure that the encryption keys are unique! HackStop uses "memory encryption" - only the current running procedure is unencrypted! After finish- ing that procedure it will be encrypted again with a different key! In the current version HackStop has five (5) layers of en- cryption. HackStop has included code against all popular hacking tools like: ― TRON -p, CUNP, UNP, GTR, CUP386 /7, TEU, UPC, Debug ― AutoHack, SnapShot, Intruder, CUNP, XO, X-Tract Please refer to the file HISTORY.DOC to see all "supported" un- packers. 1.3 How To Use HackStop? The command-line syntax for HackStop is the following: Hs [filename] [-/options] For example to protect your new program in the current directory: Hs megaprg.exe To protect all EXECUTABLE (COM & EXE) files in the current di- rectory type: hsall *.* HackStop will only protect files ending with "COM" and "EXE"! Please note that a file CAN NOT be expanded after being protected with HackStop (you can probably think why). So please preserve a back-up file until you are sure that the protected file runs cor- rectly. Some incompatibilities may possibly arise with certain files, especially with overlaid EXE programs. For this reason, HackStop does create back-up files, see section "Parameters". Your original file is renamed to the extension ".BAK". To make different back-up files invoke HS with the additionally option "-bh". Example: HS.DOC Documentation for HackStop Page 3 Hs myfile.exe -bh This is all that you need to know before you can really start pro- tecting your program files with HackStop. 1.4 Files That Can't Be HackStopped Files smaller than 68 bytes and COM files larger than approxi- mately 61000 bytes, Windows and OS/2 files cannot be protected by HackStop. The reason for this is that a Windows or OS/2 program is basically a small DOS program (also called stub) that says some- thing like "This program requires Windows" with a pointer to the actual Windows program. HackStop will automatically detect if a file has a Windows, OS/2 or a linear executable header and does not waste your time trying to protect it. Also -due to the struc- ture of HackStop- files larger than the 600-KB neighbourhood can- not be HackStopped because the entire file has to be able to fit in the memory once when it loads. Please note that files with overlays cannot be HackStopped because the "Load Window" of DOS could now be too small for this file. Also, HackStop will not pro- tect files with a weird EXE header for your own safety. Also Hack- Stop can not handle files with more than 3.000 relocations - files which never have been seen in real life! In the case you have a file with more than 3.000 relocations you must compress the file first (we recommend UPX). Hint: Try to compress such files before HackStop'ing them! If you can compress and run them, you should be able to protect them with HackStop afterwards! You can technically protect files like COMMAND.COM but in my opi- nion it makes no sense to protect DOS system files. 1.5 Commandline-Parameters HackStop can be invoked with the following additional commandline parameters: Parameter Meaning -? -h Display a short help, how to use HackStop. -ii Show HS internal compiler information. -bh Make a back-up file with the extension ".EHS" for EXE files and ".CHS" for COM files. Warning, old back-up files are overwritten! -i Shows a little intro with greetings and other nice stuff - now with Adlib sound! For the intro you need a 386 CPU! -k Kills the "HSxxMsDos" signature at the end of Hack- Stopped files. You can use this option to fool un- packer tools. This option is only available in the registered version! HS.DOC Documentation for HackStop Page 4 -nb Does not encrypt the body of EXE files -nr Does not encrypt the relocations of EXE files -p Show the release number and the personalised text of HS. -pb Show the build version of HackStop. For more details see chapter below Remark: Options are not case sensitive. You can use "-", "/" and "," to introduce an option! Examples: hs -? hs /^ hs -p hs /pb hs comfile.com ,bh hs realexe.exe -k hs -i 1.6 Why Should I Use HackStop? HackStop's first concern is security. Do you think compressing your files with PKLITE or something similar is protection enough? A hacker can also decompress a program compressed with PKLITE or LZEXE quite easily. Even if a program is compressed with the sup- posedly "invincible" -E option of the professional version of PKLITE or the "pu" option of WWPack. There are a lot of tools that can do this. I have at least about 40 different unpackers who can unpack PKLITE or LZEXE. I have at least three batch files (!) which are able to remove protection from COM files added by most of the popular protection tools! This batch file works with all protection programs I have access to, except with HackStop and RCRYPT! If you are interested in such un- packers, then try to request the archive UNTINY.* at your local ROSE Dist Site (see ROSEBBS.TXT). After decompressing a compressed program, any hacker can change your program (remove copyright screens, disassemble code, etc...), compress it again, and spread it around. Fortunately, hacking is not quite that rampant, but it still is a possibility and a risk, and it is much better to pay a few "DM" up-front to be safe than to be sorry in the future. Thinking NO software protection program is 100% foolproof, I am pretty sure this program is a good choice for protecting your programs. This is the main reason, why I first developed RCRYPT for COM files, ROSETINY for EXE files (which requires TinyProg) and then HackStop. ROSETINY is the predecessor of HS, using only one debug- ger trap and has NO encryption at all! HS.DOC Documentation for HackStop Page 5 ΔΝΝ[ 2 TECHNICAL NOTES ]ΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΔ 2.1 How Does an Unpacker Work? When an unprotection utility (such as X-Tract, TPCX, CUP, XOPEN, UNP or TRON) unprotects a file, it creates a virtual DOS environ- ment for the file to run in until the file finishes decrypting or unpacking itself. When this is done, the unprotects utility "simply" writes what is in memory back to disk. Now you have your unprotected file. The program may use a highly sophisticated decryption every time, but all the unprotecting program has to do, is just trace through the decryptor until it gets to the entry point of the host program. Then all encryption is for naught. One of the tricks for fooling unprotection utilities and debuggers lies in the fact that the unprotector must always have control over the HackStopped program in order to stop it when it is de- crypted in memory. If you remove the unprotector's control and subvert it without harming the operating system, you are one step ahead in protecting your programs. 2.2 How Does HackStop Work? To fool unpackers or generic cracking/disinfection programs you must *ONLY* disable single step tracing, memory dumping and break- points, that's all! HackStop uses a variety of different anti-de- bugging techniques, therefore most unpackers I know will crash when trying to trace through HackStopped programs. This is so ef- fective that even older TRON and UNP versions will crash if they ONLY TRY to determine the type of packer used. For this reason any HackStopped program header looks like ordinary code to confuse all tracing programs like RVK, DECOM, TBCLEAN, TRON or UNP and all virus scanners using heuristic search methods! The second part of the HackStop header is multiple encrypted to disable setting breakpoints or to disassemble the code. In my opinion it is almost impossible to trace HackStopped pro- grams with a real-mode software program! Additionally HackStop uses opcode (the famous "Nebelbombs") and normal encryption, so it could take days to disassemble the code! Sure it's possible to un- pack every program using 386 hardware breakpoints. For this, you just use an protected mode debugger like Soft-Ice or TD/386 (HackStop knows them and disables them). Furthermore HS386 is available - disabling the use of hardware breakpoints - with one drawback: it requires a 386 CPU. There is a second method to unpack programs: If your program is written in a high level language like Pascal, C or Basic the com- piled program uses some interrupt calls which are typically for the used compiler. Tools like UPC, Intruder and TEU simply wait for these interrupts and searches the original entry point of the program (because meanwhile the protector has done it's work). So how does HackStop stop such unpackers? HackStop simply simu- lates the start-up code! Those tools will detect a false start-up code and dump up to 2-MB scratch to disk, claiming that this is the unpacked program. HackStop currently simulates more than 10 different start-up codes! Furthermore multiple generic shields against dumping are included in the HackStop envelope. HS.DOC Documentation for HackStop Page 6 2.3 Requirements The requirements to run HackStop are basically zero: DOS 3.30, an IBM AT with 256 KB, etc... Please note that HS 1.18/32 or better requires at least a 80386/SX CPU to protect files. However pro- tected files only require a 8086 CPU to run. For the HackStop in- tro you need a VGA card and a 80386 CPU or better. Protected files can run on my 8 Mhz XT and I have done much test- ing of HackStop on even this lowest common denominator type of ma- chine, to make sure that HackStop will run on every type of com- puter from 8088 to Pentium Pro and beyond. Start HackStop with the option "hs -^" to see our testbed. 2.4 About HackStop HackStop is written entirely in assembly language (MASM 6.xx + macros + ASM libraries). We have written and tested HackStop on different development platforms (see hs -^). Furthermore we have tested HackStop on more than 50 different machines with different DOS and Windows versions. HackStop's anti-debugging technique (which uses the same anti-debugger macros like ROSETINY, CHKPC or HMS) has been around for over seven years, with many people pitch- ing in ideas to make it more secure. Additionally all programs from ROSE SWE are protected with HackStop - these means about 75.000 users running HackStopped programs! If you have any sug- gestions, questions, comments etc. about HackStop, you can contact us. See address below. HackStop adds something in the neighbourhood of 3500 bytes to the average, depending on the program type (COM or EXE) and released version. If you ever have programmed in assembler you will know that more than 3 kilobyte of anti-debugger code is a lot of stuff to trace through! Note that HackStopped programs require DOS 3.30 or better (is there anybody using DOS 2.x?). HackStop keeps the time and date stamp of the files the same after HackStop'ing as it was be- forehand. 2.5 On-Line Compressors You do not need to have an on-line compressor, but you are STRONGLY recommended to use one because it garbles the program and makes it harder to modify or to patch. Please note that Hack- Stopped files normally are no longer compressible due to the strong encryption! I strongly recommend to compress files before they are HackStopped. This makes it harder to attack them af- terwards. COM files are generally easy to hack, because DOS is an unsecured OS and does not clear the used memory, so the unpacked programs can the found in memory. COM files fit into one segment and have no relocations. HS.DOC Documentation for HackStop Page 7 If you have the choice between COM and EXE file type, choose EXE files, they are safer! For this reason an additional program (COM2EXE) is included in this package to convert COM files to EXE. You can protect COM files with HackStop - convert them with COM2EXE and protect them again with HackStop. This adds a two- level security envelope around your file that makes the hacking a little bit harder. 2.6 More Protection? I suggest first to compress your program with your favourite com- pressor and then protect it with HackStop (see above). All utili- ties to check files for compression will fail because they are en- crypted! I have not encountered a program with is able to re- cognise compression on HackStopped files... BTW, some popular online compressors like WWPack, UPX, Pklite, LZEXE or Diet put a signature into the exe-header. If HackStop finds this signature it will replace it with "HS". I think COM files do not need ANY further protection, because COM files are encrypted too! After HackStop'ing them you can be sure NOBODY is able to debug or hack your programs! 2.7 Protection against Viruses? HackStopped programs are immunised against the standard Jerusalem (1808) virus family (for this reason all HackStopped programs end with the sign "MsDos"). Additionally tracing viruses like Happy_Shiny or DAME:Trigger will hang the system if they are try- ing to infect programs protected with HackStop. If you need addi- tional protection use a file shield like VSS, F-Xlock or FileShield. The basic idea behind this philosophy is that you are able to protect, scramble or compress HackStopped programs fur- thermore after adding HackStop to them. It may be possible for a protected program to set off some anti- viral programs that have heuristic abilities. This has not hap- pened to my knowledge (they cannot seem to trace through the de- cryption algorithm) but some are (AVP, F-Prot, RHBVS, Suspicious and Toolkit) set to alert the user if they detect a decryption algorithm at the beginning of a file's execution. So far, however, none of the heuristic programs I have tested seem to be able to identify the decryption algorithm as being such. TBSCAN did not indicate any heuristic flag! 2.8 Impact on the scene HackStop has managed it to become the most famous DOS protector in the world! Every advanced group has released cracked HackStop ver- sions as well as tried to write an unpacker for HackStop. But you can guess that HackStop will render them in a short time into a useless piece of software. I give credits to all those guys who have managed it to write an unpacker for HackStop. Writing a new HackStop version by-passing this unpacker has made HackStop much more secure! HS.DOC Documentation for HackStop Page 8 HackStop has inspired many programmers to write programs with the same functionality or just rip the HackStop code. Some of the greatest rips are DarkStop and CrackStop. Furthermore the look and feel (even the same options!) or the name of HackStop has been ripped in such protectors and unpackers like KillHS, unpHS, Suck- Stop or LamerStop. ΔΝΝ[ 3 LEGAL TERMS AND DISCLAIMER ]ΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΔ 3.1 Disclaimer HackStop basically has no legal guarantee and warranty because I do not want to get sued over it, and should be used "as is." Here is the official disclaimer: HackStop ("program") DOES ALTER EXECUTABLE FILES and may have or cause compatibility problems with them (that is why YOU should keep a back-up file, in case of incompatibility with a particular file) in certain cir- cumstances. Under no circumstances may ROSE SWE, Ralph Roth ("author") be held liable or accountable for any damage to system files, executable files, data files, or any other system or data damage due to use or misuse of his program. The author also may not be held accountable for loss of profits or for any other damages incurred by the use or misuse of his program. The author has fore- warned any users that damage to files may occur with use or misuse of his program, and in executing the program, the user fully understands these risks and this disclaimer. 3.2 Documentation Information in the documentation is subject to change without no- tice and does not represent a commitment on the part of ROSE SWE. 3.3 License - Shareware The supplied software contains NO public domain program(s). The program and all accompanying documentation are Copyright (c) 1994- 98 by ROSE SWE. All rights reserved. The Copyright laws of Germany protect this software and accompany- ing documentation. Any use of this software in violation of Copy- right law or the terms of this limited licence will be prosecuted to the best of our ability. The conditions under which you may copy this software and documentation are clearly outlined below under 'Distribution Restrictions'. HackStop is distributed as SHAREWARE. You may use HackStop for the purposes of evaluating it (after understanding the disclaimer and the documentation) for 60 days. No files protected by HackStop during this trial period may be distributed to OTHER computers at all, commercially or non-commercially. If you find HackStop to be of use to you, you must register HackStop with the author. HS.DOC Documentation for HackStop Page 9 ROSE SWE hereby guarantees you a limited licence to use this soft- ware for evaluation purposes for a period not to exceed sixty (60) days. If you intend to continue using this software (and/or its documentation) after the sixty (60) day evaluation period, you must make a registration payment to ROSE SWE. Using this software after the sixty (60) day evaluation period without registering the software is a violation of the terms of this limited licence! You shall not use, copy, emulate, clone, rent, lease, sell, mo- dify, decompile, disassemble, otherwise reverse engineer, or transfer the program, or any subset of the program, except as pro- vided for in this agreement. Any such unauthorised use shall re- sult in immediate and automatic termination of this licence. ROSE SWE reserves all rights not expressly granted here. 3.4 Distribution Restrictions As the copyright holder, ROSE SWE authorises distribution by indi- viduals only in accordance with the following restrictions. The package is defined as the entire file either as 'self ex- tracting executable' or an 'archive' as distributed by ROSE SWE. The authenticity of the package can be verified by contacting ROSE SWE or using the program CrCheck. The original archive is packed by RAR, using its AV check. If the package is changed in any way, the distribution is forbidden. Please contact ROSE SWE to obtain a complete package suitable for distribution. You are hereby granted permission by ROSE SWE to copy the package for your own use or for others to evaluate, ONLY when the following conditions are met: ― The package - including all related program files and doc- umentation files - CANNOT be modified in any way and must be distributed as a complete unchanged package, without exception. Small supplements to the package, such as the introductory or installation batch files are acceptable. This should always be done by supplying EXTRA files, never by altering the package (file) as distributed by ROSE SWE. ― No price or other compensation may be charged for the package. A distribution cost may be charged for the cost of the diskette, shipping and handling, as long as the total (per package) does not exceed US$ 10. The package CANNOT be sold as part of some other inclusive package, nor can it be included in any commer- cial or non-commercial software-packaging offer, without a writ- ten agreement from ROSE SWE. ― ROSE SWE prohibits the distribution of outdated versions of the package, without written permission from ROSE SWE. If the ver- sion you have obtained is over twelve (12) months old, please contact ROSE SWE to ensure that you have the most current ver- sion. ― The package, program(s) or documentation cannot be 'rented' or 'leased' to others. If you wish to add any of our packages to a CD-ROM or other collection, please check the release date of the version you have. If the version is over twelve (12) months old then please contact ROSE SWE to ensure that you have the most current version. ― If you would like to distribute the package as a 'Disk-of-the- Month', or as part of a subscription or monthly service, then you must contact ROSE SWE in advance to ensure that you have the HS.DOC Documentation for HackStop Page 10 most current version of the software. Only current versions may be shipped as 'Disk-of-the-Month' disks. ― You may not list any of my products in advertisements, ca- talogues, or other literature that describes this product as 'FREE SOFTWARE'. This is 'Try-Before-You-Buy' software, it is not free! ΔΝΝ[ 4 CLOSING ]ΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΝΔ There is no doubt that HackStop can save you time, effort, energy and money. There are NO "run-time fees", "royalties" or anything of the type attached to the cost of HackStop. You can protect and distribute as many files as you want with HackStop ONCE YOU REGIS- TER. The cost is DM 30,-- per copy of HackStop. Please use the file REGISTER.DOC to order a registered version of HackStop! Please send the register form to my address, even if you have transferred the money to my bank account, because our address will often be unreadable on checks! 4.1 Registration There is almost no difference between the registered and unreg- istered version of HackStop except for the "beg remark" and the ASCII remark in HackStopped programs, saying that it is an UN- REGISTERED SHAREWARE version. The registered version of HackStop has a different 'data offset', other antidebugging macros and a different protector length, so programs protected with the Share- ware version will always differ from the registered versions! Ad- ditionally the registered version of HackStop supports the switch "-k" to remove the HackStop signature. Along with registering HackStop you will receive the newest currently available version of HackStop! To register your copy of HackStop please print out the file REGISTER.DOC. Additionally with the registered version of HackStop you will re- ceive the newest versions of ROSE COM Crypt/286, ROSE EXE Cryptor (REC) and ROSETINY (Freeware) as well as beta versions of HackStop or other file protection tools, if available! German users will additionally receive some bonus antivirus programs in German writ- ten by ROSE SWE. I always try to put as many programs as possible (packed with RAR) on the disc containing HackStop... 4.2 Personalised Versions of HS You can obtain a so-called "personalised" version of HS. The dif- ference between the normal version and this version is that your copy of HS carries your name and address or an advertising slogan. For this reason personalised HS versions will produce HackStopped programs with a different length and a different offset that means that they are harder to attack than the registered (standard) or Shareware version. COMMERCIAL USE OF HACKSTOP REQUIRES A REGISTRATION! Please note: Some users want to have a "personalised" string like: (C) by SuperSoft etc. Please do not use "(C) by" or "Copyright by" because this is confusing who has developed HackStop. :-) If you want, you can include up to 6-10 lines of text into your person- HS.DOC Documentation for HackStop Page 11 alised version! You can send us your ASCII text logo to be in- cluded in HS.EXE. There is also a version available with no text. This makes the envelope a little bit smaller and harder to detect. 4.3 Updates I am sure that we will make enhancements to HS in further re- leases. You, as a registered user, can order then the newest ver- sion of HS for half price. 4.4 How to get the newest version of HackStop First take a look at the file ROSEBBS.TXT - it contains addresses providing new HackStop version for downloading. Hanno Boeck has established a new HackStop distribution list. Over this mailing list I will send the newest HackStop (and related programs from ROSE SWE). Take a look at the file HS_DIST.TXT en- closed in the HackStop archive! Join your mailing list at subscribe-rose_swe@eGroups.com - see ROSEBBS.TXT for further details! 4.5 My Address ROSE Softwareentwicklung Dipl.-Ing. Ralph Roth RalphRoth@gmx.net Check the file REGISTER.DOC and ROSEBBS.TXT for the com- plete address, PGP key and Email address! 4.6 Enhancements In Future Versions If there is enough interest (registrations!) in HackStop the fol- lowing features could be implemented: ― Enhanced encryption of the HackStop header using a mutation en- gine. This will be done in HS 1.20 using the SHAME mutation en- gine from Stonehead's Mess. ― Virus selfchecking of COM and EXE files (optional). ― Password protection of HackStopped COM and EXE files (optional). ― Optional 80386 checking of HackStopped programs. ― More traps and different debugging macros. ― A version supporting coff2 files (produced by GNU DJGPP com- piler) ― HackStop for Linux (elf file format) ― Handling of Windows 95/Win-NT (PE) EXE programs. A PE (Win95/NT) prototype already exists. Thank you for evaluating HackStop and actually reading the documentation! Happy HackStop'ing! All improvements and sugges- tions will be welcome! HS.DOC Documentation for HackStop Page 12 4.7 Some technical stuff 4.7.1 Version Number With version 1.11, HackStop adds a signature to programs protected with HackStop. You will find at the last 9 bytes at the end of the file the following code: "HS", verhi, verlo, "MsDos" "verhi" and "verlo" are the version numbers of the used HackStop program. If you have used version 1.11 then verhi is 1 and verlo is 11. Some C code: printf("Version used: %i.%02i", verhi, verlo); With HS 1.18 I have added a program called ChkHS that demonstrates the detection of protected files. Please note that you can remove this signature with the "-k" switch in the registered version of HackStop! 4.7.2 Build With version 1.18 HackStop has the option "-pb". This option shows the currently build version and the actual protector length. This option was written for ChkExe, ScanExe and other tools to deter- mine the different HackStop versions. Please note that person- alised registered versions of HackStop have a different build than registered versions or the shareware version! This is an typical output of hs -pb HS-ID = HS.386, Build=61.2867.3078 - pre-release for ... HS-ID = HS, Build=68.3058.3130 - Special X-Mas release! The HS-ID tells you if it is the 8086 (HS) or the 80386 (HS.386) version of HackStop. Build is split in build counter, COM protec- tor length and EXE protector length. Sometimes an internal remark will follow just like "beta version" etc. 4.8 Credits I would like to thank and send "greetings" to the following peo- ples for pitching in ideas, finding bugs and doing beta testing of HS the last years: ― Andreas Marx (author of CGL AV and TScan) ― Ben Castricum (author of UNP) ― Christian Ghisler (author of Win-Commander) ― Grischa Brockhaus (author of SkullCheck) ― Hanno Boeck (author of ChkEXE) ― J.H. Dinges ― Peter Hubinsky (Sysop SAC BBS/SAC ftp) for being the first distributor of HackStop world-wide. ― Rafal Wierzbicki & Piotr Warezak (authors of WWPack & SacView) HS.DOC Documentation for HackStop Page 13 ― Ralph Biedermann (sysop of LionBox/Germany), all the sysops distributing HackStop! ― Rene Rudolf ― Stefan Kurtzhals (author of SSC) ― Stonehead (author of Mess and HackStop) ― Vrt­kSoft - J. Valky & L. Vrt­k (authors of TraceLook). THX guys for pitching in so many ideas in HackStop. ― Walter Gabor for correcting the docs. ― Willi Marquardt for antidebugging tricks and for being the first person hacking HS. ― Members of X-Adi, UE, UCF, TPiNC, Vandals etc. - look at the comments in the intro :) ― All those I have forgotten to mention: Run HS.EXE with the option "-i" 4.9 Authors ― ROSE SWE - main development of HackStop 0.9x up to HackStop 1.18 ― Stonehead - main development of HackStop 1.19 /* the end */ HS.DOC Documentation for HackStop Page 14