iLUCRYPT v4.019  Copyright (c) 1995-99 by Christian Schwarz [iLUVATAR]

-- What is iLUCRYPT ?

iLUCRYPT is a nice DOS executable file protector.

-- Features

 highlights
 - intensive use of code/data hardware breakpoints
 - floating point operations for decryption
 - compressed relocation table (results in smaller EXE files)
 - password protection (block cipher using 128bit key and 64bit data blocks)
 - some new techniques to kick general dumpers/tracers

 usual stuff
 - INT0, INT1, INT3, INT4, INT8
 - running line
 - keyboard lock
 - interrupt table scrambling
 - invalid opcode trick
 - entry point faking
 - exit fake (option /EXIT)
 - anti reload function

-- Requirements and incompatibilities

protected programs won't run without:

 80486+ processor AND coprocessor
 DOS v3.3+

protected programs were successfully tested with:

 processors
 - i486DX, UMC U5SD, Cyrix 486S, i486DX2, Cyrix 6x86, AMD K5, Pentium,
   Pentium MMX, AMD K6, Pentium II
   ? If someone has got an i386 or any other processor not mentioned
   ? above, please let me know if iLUCRYPT works correctly.

 operating systems
 - Microsoft DOS v[6.20,6.22]
 - Caldera OpenDOS v7.01
 - Novell DOS v7.0

 memory managers
 - Microsoft EMM386 v[4.48,4.49,4.95]
 - Quarterdeck QEMM v[7.0,7.02,7.03,7.5,8.0,9.0]
 - Caldera/Novell EMM386 v[3.0,3.06]

NOTE! In no case will protected programs run under Windows 95 or
Windows NT! So far I could not test it, but I think this also applies
to OS/2 and Linux.

protected programs are known to be "incompatible" with the following
programs:

 general dumpers
 - COMDUMP v1.0, DUMPCOM v3.55 PRO, UCOMUX

 COM entrypoint dumpers
 - COMUNP v0.1f, DECAY v0.05

 compiler specific dumpers
 - ENTPACK 16.1.98, TEU v[1.80,1.82d], UPC v[1.04,1.05,1.10,1.11]

 general tracers (single step)
 - DECOM v1.26/RVK v1.26, IUP v0.6.7, TRON v1.30 -u, TD/TD286,
   UNP v[4.11,4.12] -t

 general tracers (CPU emulation)
 - ICEUNP v[0.1.5,0.2.9], LTR 1.0 (caused really some headaches),
   TR for DOS up to v2.52

 general tracers (v86 monitor)
 - CUP386 v[3.0b,3.2,3.3a,3.4], DEGLUGGER v[0.04b3,0.04rc] (crashed
   nearly any system I've tested on), GTR v[1.84,1.90,1.A0,1.B0,1.CI],
   RIPPER/32 v2.01, SoftICE v2.80, TD386, TRON v1.30 -p

Also some resident anti virus blockers (like IBMAV, which is part of
PC-DOS 7.0) may interfere with iLUCRYPTed programs.

Besides, iLUCRYPT uses special code to kick all tracers/debuggers which
store the program's registers anywhere in the 1st meg.

-- Usage

iLUCRYPT Program [/STAMP:h] [/PW:x] [/EXIT] [/MOD:x[,y[,z]]]

/STAMP:h        This option forces the loader of a protected program to
                store a 32 bit hexadecimal number (hhhhhhhh) at PSP:007C.
                So your program can easily check if the protection has
                been removed!

/PW:x           Protects the program with a case sensitive password
                (1-31 characters long).

/EXIT           iLUCRYPT inserts special code (executes the DOS
                termination function 4c00h) to kick some stupid dumpers.

/MOD:x[,y[,z]]  Use this option to add your own anti debugging modules
                to the loader. x, y and z are COM files containing your
                anti debugging code! Take a look at chapter "Module
                Technique" for further information.

-- Module Technique

All modules you want to link with option /MOD must start with the IC4M
header, which has the following structure:

 +00h   1 dword   - badge "IC4M"
 +04h   1 word    - header version (at the moment 0)
 +10h   10 byte   - name of the module
 +10h   20 word   - relocation table
 +38h   ? byte    - code (up to 4KB)

This example should be enough to show you the general structure of a
module.

 code    segment
         assume  cs:code
         org     100h
 start:  db      'IC4M'                ; badge
         dw      0                     ; header version
         db      '_testmodul'          ; name of the module
         dw      offset rel00          ; 1st relocation
         dw      19 dup (0ffffh)       ; ffffh = no entry
         push    cs
         pop     ds
         mov     ah,9
         mov     dx,offset mess0
 rel00   equ     this word-2           ; address of reloc.
         int     21h
         ret                           ; return to loader
 mess0   db      'Hello world !',13,10,'$'
 code    ends
         end     start

Note: Your module should keep some rules in order to run without
problems.
 - restore all interrupt vectors you've changed
 - use a NEAR RET to exit the module

The iLUCRYPT v4.019 ZIP file should also contain two other demo modules
(with sources):

 KICKGTR
 - identifies GTR v[1.84,1.90,1.A0,1.B0,1.CI] using IDT/GDT limits and
   base addresses
 - resets/hangs the machine if in a GTR session

 OUTSB
 - writes value 43h (INC BX) to port 21h (Interrupt Mask Register)
 - overwrites a part of its own code (reset instruction) with the
   harmless actual port 21h value 43h

If you coded your own modules - please let me know!

-- History

 + added
 * modified
 ! bug fix

v4.014 [04-01-98]
 + loader patches the interrupt handlers of COMDUMP v1.0, DUMPCOM v3.53
   and UCOMUX to avoid unpacking
 + added a new procedure which should be able to fuck up all tracers/
   debuggers (CUP386 /1/7, ICEUNP, TR, TRON, UNP, ...) which store the
   program's registers within the 1st meg

v4.015 [04-14-98]
 * rewritten the first part of the loader
 + NOTing the complete interrupt table
 + new algorithm using memory hardware breakpoints to kick ENTPACK, UPC
   and similar shit
 + protected programs now cancel if running under Windows or OS/2
 + new option /STAMP:hhhhhhhh (a hex double word) which forces the
   loader of an iLUCRYPTed program to store hhhhhhhh at PSP:007C
 + invalid opcode trick

v4.016 [05-11-98]
 * loader structure has changed very much - the foundation for the use
   of plugins within one of the next versions
 + password protection added
 ! bug fix: invalid opcode trick hung on some systems (thanx Szaszi)

v4.017 [06-10-98]
 * improved the use of memory hardware breakpoints against ENTPACK,
   UPC, ...
 * some minor enhancements

v4.018 [07-03-98]
 + switch /MOD:x[,y[,z]] to add your own anti debugging modules
 + test if hardware breakpoints are working (hw bp are not available
   under any Win)
 * minor speed up

v4.018b [09-03-98]
 ! serious bug fix: an error in TP6/BP7 CRT-initialization caused a
   runtime error on fast processors (especially Pentium II)
 ! bug fix: fixed a small bug in screen writing
 ! bug fix: in seldom cases the DUMPCOM search routine could crash
 * some minor changes/improvements
 * ILUCRYPT.EXE: changed BP7 startup code to prevent compiler
   detection :)

v4.018c [05-01-99]
 * some minor changes/improvements/bugfixes
 + protected programs are now able to run under all EMM managers which
   support the Windows Init Broadcast function (successfully tested
   with MS EMM386 v[4.48,4.49,4.95], QEMM v[7.0,7.02,7.03,7.5,8.0,9.0],
   Caldera/Novell EMM386 v[3.0,3.06]) - if you have other memory
   managers/v86 monitors like RM386, 386MAX, MICEMM... or older
   versions - please send me an email with file attachment :)
 + ILUCR18C.ZIP should contain two sample modules (link with /MOD
   switch)

v4.019 [05-27-99]
 + added some stuff to kick LTR :)
 * a few minor changes

-- Future versions

 + mutation engine (CSCRYPT-like)
 ! bug fix: ILUCRYPT.EXE hangs (in very rare cases) while doing
   BOUND-encryption

What else do you need?

-- Thanks

 Jibz          for making a bloody good executable packer
 Fauzan Mirza  for his Tiny Encryption Algorithm (iLUCRYPT uses a
               modified version for password encryption)

-- Greetings

 Szaszi        good work - keep on coding
 UnPackStop    PS: why does your invalid opcode trick run properly
               under QEMM?
 Zenix         I must admit: FSE rules over all!
 Hendrix       congratulations! after years GTR now finally reflects hw
               breakpoints to v86 mode
               PS: I need your help! my own enhanced-v86 mode monitor
               still has problems with the virtual PIC. do you know a
               possibility to trigger an IRQ manually? do you know
               anything about PIT2 (8254) which triggers NMI frequently?
 Liu TaoTao    TR and TRW are really messy
 LADO          nearly perfect work - I'm shocked: LTR traces through
               iLUCRYPT
               PS: what about improving the user interface/breakpoint
               system? could I get a regged version?

-- Author

Christian Schwarz
GutsMuthsplatz 18
99610 Sömmerda
Germany

email: eschwarz.sda@t-online.de

-- Christoph Gabler (CRAP) coding lessons :)

Your insider.faq is surely a bad joke - written together with ROSE, I
suppose? Apart from the fact that every contemporary debugger laughs at
those cheap "anti debugging" tricks, this collection of errors,
misunderstandings and half-truths impressively demonstrates your
incompetence. Now pay attention, you pro!

>; Realmode detection by Christoph Gabler.
>mov eax,cr0
>cmp eax,10h   ; Compare CR0 with 10h, if so, we must be in realmode.
>je Real_Mode_Found
>
>; Protected Mode (QEMM, EMM386...) detection by Christoph Gabler.
>mov eax,cr0
>cmp al,1
>je Protected_Mode_Found
>
>; V86 (Windows 3.x and Windows 95) detection by Christoph Gabler.
>mov eax,cr0
>cmp ax,0000   ; CPU is in Virtual 8086 mode if CR0 is 0000.
>je V86_Mode_Found

0. never use cr0 to determine the actual CPU mode, because mov r32,crx /
   mov crx,r32 faults to the v86 monitor (if installed), which then has
   to emulate the instruction (try GTR with the /cr switch). that's why
   you should always use smsw r32, which never faults - so you get the
   true cr0.
1. cr0.bit4 (extension type) can be used to separate between 386dx/sx
   and can only be cleared on a 386dx - but has absolutely nothing to do
   with realmode!
2. if cr0.bit0 is set, it must be v86 mode, because DOS programs NEVER
   run in pure protected mode!
3. your v86 detection is complete nonsense.

 ; simplest CPU mode detection by iLUVATAR (SCMDBi)
         smsw    eax                   ; =CR0
         test    al,1
         jz      realmode
         jmp     v86mode

>Protectedmode debugger use/need the following things :
>
>- INT10
>- Keyboard (INT9,Port 60h and 64h or 21h)
>- Sometimes DRx

too stupid - ever heard something about the interrupt descriptor table
(IDT) and the I/O permission bitmap? do you think a good v86 mode tracer
calls the original INT 9/10h or lets you play around with I/O ports you
shouldn't play with? I don't think so.

> 32 Bit Control- & Debug Register FAQ
> By Christoph Gabler (C)

no comment - to all who want to know the truth about control/debug
registers: take a look at opcodes.lst (part of Ralf Brown's Interrupt
List) or ASMEDIT's help.

I warmly recommend the PC-Hardwarebuch from Addison-Wesley; everything
you don't know is in there.

PS: TRAP sucks just as HackStop/CrackStop

The End--
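Going back to the IC4M header laid out in the "Module Technique" section: the following Python script is an added example (not part of iLUCRYPT or this README) that hand-assembles the README's '_testmodul', parses and validates its header, and applies the relocation table to a different load address the way a loader would have to. The byte string for the module is constructed here from the assembly listing above; the assumption that relocation entries are addresses relative to the module's "org 100h" base (and that the loader interprets them the same way) is the example's own, since the real loader's behaviour is not documented on this page. A tool like this is useful when analysing a protected binary: the "IC4M" badge at offset 0 and the 20-word relocation table make linked modules easy to recognise and check.

```python
import struct

# IC4M header layout from the "Module Technique" section:
#   +00h  dword    badge "IC4M"
#   +04h  word     header version (currently 0)
#   +06h  10 byte  module name
#   +10h  20 word  relocation table, 0FFFFh = no entry
#   +38h  code     up to 4KB
HEADER_FMT = "<4sH10s20H"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x38 = 56 bytes
NO_ENTRY = 0xFFFF
MAX_CODE = 4096
# Assumption: the README's sample module is assembled with "org 100h", so
# relocation entries are taken as addresses relative to that base.
ORG = 0x100


def build_sample_module():
    """Hand-assemble the README's '_testmodul' (constructed bytes, not a file shipped with iLUCRYPT)."""
    msg = b"Hello world !\r\n$"
    code_start = ORG + HEADER_SIZE          # 0x138: first code byte
    mess0 = code_start + 10                 # message follows 10 bytes of code
    rel00 = code_start + 5                  # imm16 operand of 'mov dx,offset mess0'
    code = (bytes([0x0E, 0x1F])             # push cs / pop ds
            + bytes([0xB4, 0x09])           # mov ah,9
            + bytes([0xBA]) + struct.pack("<H", mess0)   # mov dx,offset mess0
            + bytes([0xCD, 0x21])           # int 21h
            + bytes([0xC3])                 # ret (NEAR, back to the loader)
            + msg)
    relocs = [rel00] + [NO_ENTRY] * 19      # one entry used, 19 free
    header = struct.pack(HEADER_FMT, b"IC4M", 0, b"_testmodul".ljust(10, b"\0"), *relocs)
    return header + code


def parse_module(data):
    """Validate an IC4M module and return its name, version, used relocations and code."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for an IC4M header")
    badge, version, name, *relocs = struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    if badge != b"IC4M":
        raise ValueError("bad badge %r" % badge)
    if version != 0:
        raise ValueError("unsupported header version %d" % version)
    code = data[HEADER_SIZE:]
    if len(code) > MAX_CODE:
        raise ValueError("code exceeds 4KB")
    used = [r for r in relocs if r != NO_ENTRY]
    for r in used:
        # every relocation must point at a whole word inside the code area
        if r < ORG + HEADER_SIZE or r + 2 > ORG + len(data):
            raise ValueError("relocation 0x%04X points outside the module code" % r)
    return {"name": name.rstrip(b"\0").decode("ascii"), "version": version,
            "relocs": used, "code": code}


def is_ic4m(data):
    """True if data parses as a well-formed IC4M module."""
    try:
        parse_module(data)
        return True
    except ValueError:
        return False


def word_at(data, addr):
    """Read the little-endian word stored at org-relative address addr."""
    return struct.unpack_from("<H", data, addr - ORG)[0]


def relocate(data, new_org):
    """Return a copy of the module with every relocated word adjusted for loading at new_org."""
    info = parse_module(data)
    delta = new_org - ORG
    out = bytearray(data)
    for r in info["relocs"]:
        pos = r - ORG
        value = struct.unpack_from("<H", out, pos)[0]
        struct.pack_into("<H", out, pos, (value + delta) & 0xFFFF)
    return bytes(out)


if __name__ == "__main__":
    module = build_sample_module()
    info = parse_module(module)
    print("name:", info["name"], "version:", info["version"])
    print("relocations:", ["0x%04X" % r for r in info["relocs"]])
    moved = relocate(module, 0x300)
    for r in info["relocs"]:
        print("0x%04X: 0x%04X -> 0x%04X" % (r, word_at(module, r), word_at(moved, r)))
```

The only relocation in the sample is the immediate of 'mov dx,offset mess0' at 013Dh, which holds 0142h; loading the module at 300h instead of 100h turns it into 0342h. Any module whose badge, version or relocation entries fail these checks is rejected before its code is looked at.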