──────────────────────────────── PR0GRAM iNF0 ────────────────────────────────

  PR0GRAM     : Mess                   CPU         : 386+
  VεRSi0N     : 1.31                   LANGUAGε    : MASM 6.13
  UTiL TYPε   : Scrambler (COM/EXE)    RεLεASεD 0N : 01·09·99
  C0DεR       : Stonehead^TPiNC        RATiNG 1/10 : :)

─────────────────────────────── D0CUMεNTATi0N ────────────────────────────────

This program is a scrambler. Thus it should protect and encrypt
executable files against reverse engineering on 386+ computers.

I hate centering text. This program does the same as HackStop, with the
exception that Mess is freeware for non-commercial use. This documentation
does not include information for starting users. I advise those to read the
HackStop documentation first.

Ok, let's be straight about it - I haven't coded on Mess for ages. In fact
v1.31 is nothing new since v1.30. I decided to release it to get some
feedback about bugs, although I got reports that recent versions worked
under NT. (At least without /T switch.) Since the last release, v1.20,
nearly everyone who mailed me should have received an actual build, except
some losers who didn't pass the *@aol.com procmail filter. It's about time
to make the few changes public.

EDump-II seems to be the ultimate unpacker.
There's nobody going to detect this one in another way than memory
detection, and that's lame. So probably I will stop coding on Mess, even
while I still may have fun with the SHAME engine and some floating-point
shit. I think I'll continue work on HackStop, just for fun.

Working together with Ralph has been great fun. That's the reason this
release is a ROSE-SWE-release. It was quite amazing to find PRNREGS 1.50 on
a "Hacker-Tools CD-ROM" in my local bookstore, accompanied by several other
ROSE-releases, mostly virusscanners. If you are reading this file on the
2001 edition of that CD, you know I was right choosing Ralph's distribution
channel ;)

Actually I think my harddisk *does* give an idea what this scene has been
doing in the last five years. Sources of ALEC, UPC, HS, DeGlucker, TEU,
IceUnp, EDump, SDW plus 30 megs of other exepackers. Weird to see it slowly
go, as my own interests have moved to higher languages. It has become an
addiction to collect compilers.

Did I already publicly credit DarkGrey for his great Mess 1.20 unpacker? If
not, again. I have been searching everywhere for the July99-released PCrypt
3.51 source, too. DTG is one of the very best groups I've seen.

Maybe it's nice to misuse this documentation to dedicate this version to
Dark Stalker too. His nice DS-CRP didn't survive version 1.31 either. :)

Hmm, I guess that's about it. I'm typing this in the now-freeware and
source-released Dos Navigator 1.51 (www.ritlabs.com). Another one of my
favorites is DOSDoom (http://frag.com/dosdoom). Ah, it's still fun to
reboot to DOS. I should connect my XT to the Internet using DosLynx. :)

Cya,
Stonehead (pp@hoeba.org), 01.09.99

P.S. The rest of the documentation is copyright 1997 or so ;)

cp. Resurrection [Chris Perez Band]

Positive things

  1. Register Mess by creating a file MESS.KEY with your name. MESS.COM
     looks for MESS.KEY, WHATEVER.COM for WHATEVER.KEY.
  2. Mess is freeware, but commercial usage is prohibited.
  3. Mess generates a different decryptor each time, using a mutation
     engine called SHAME. The number of decryption layers is random
     between 4 and 11. You can override this using the /L switch. More
     layers make the loader slower.
  4. If the input is a COM, the output is an EXE.
  5. You can recognize Mess (not /m):
       1. On the exeheader (checksum=version, 1C-1F = 'MESS')
       2. On the entrypoint ('MESS')
       3. After execution: at 0040:00f8 ('MESS')
       4. If /b wasn't used, the parameter // prints it on screen :)
  5. Mess 1.26 runs correctly on Rose's Cyrix and takes about 0,1 second
     runtime on a 486/25.
  6. I have seen Mess working under Linux' DosEmu, unlike HackStop.

Negative things

  1. Mess cannot handle PE/NE/LE/LX/W3 executables.
  2. The generic anti-teu trick used in /t mode (v1.27+) DOES NOT RUN WITH
     WINDOZE NT. It is buggy on big files like ndd.exe that play with
     memory, too. I'm still looking for help with it. Note that the default
     Mess decryptor does not kick TEU. Throw something like the newest HS
     over it. Just like I decided to misuse my newest found TR bugs for HS
     instead of ripping the old tricks out of Mess, I'm not going to make
     another HS-clone.
  3. I didn't have the time to code SHAME all over again, so I generalized
     the public trick to fool DarkGrey's unpacker. So far for the positive.
     However, there is a *very* small, theoretic chance that the fake
     encryption takes place at the very offset where the instruction is
     run - thus causing problems with the prefetch queue and all the rest.
     I have a few samples where mess /l50'ed files crashed for some weird
     reason and I guess this is why. It does not depend on the file to be
     protected; if your messed file crashes just restore the backup file
     and protect again. (Even smaller chance that it'll crash twice :))

Undocumented features in v1.20

  1. "mess /teusux!" unpacked itself.
  2. User-defined code in SHAME, found in a MESS.RIC file with less than 50
     bytes of machine code. Credits: Rich856.
  3. Mess on the moon.
     Was automatically invoked if Mess was run in Xmas night. Works on
     comfiles. Fun ratio equal to RSCC. Triggers TBScan # flag, unpackable
     by RVK when compiled with debug flag on.

Internal notes

  8. MASM 6.13 rules. It is the only MS product I don't hate, despite its
     slowness.
  5. By origin, SHAME is based on the disassembly by Darkman/VLAD of Wild
     W0rker's Small Polymorphic Engine. Only the encryption is still the
     same, which is only important for Mess/m and things like DarkGrey's
     unpacker. ;)
  2. I finally removed Bushwoelie's presence, the file handling was really
     too crappy to maintain. :)
  2. Mess/t only uses "fair" tricks. It doesn't check OS-dependent
     addresses, doesn't overwrite code in memory, doesn't lock the
     keyboard, jump to the screen or play with video ports, doesn't use
     prefetch tricks and doesn't use the infamous fake jumps. For the rest,
     it uses everything that isn't possible in Win32. ;]
  7. I dedicate SHAME to Anakin, because of his SimpMut engine. (Rose
     thinks you ripped it ;)) SHAME is better, but that's not important. I
     still think it was a cool reply just to code a MTE. I moved to Linux
     in the meantime; you won't see me coding a PE crypter soon.. if I do
     you'll get it as first.
  3. I removed a lot of "standard" AD. Mess has a new generic anti-TEU/UPC
     trick now, so I could delete about 7 fake HLL startupcodes. That
     stupid softice worm triggered only medieval Softices, it's hell slow
     and actually ripped from the DS-CRP 1.29 source I got dcc'ed from Dark
     Stalker :) You won't find that worm anymore as well. Every time you
     guys see a HBOOT somewhere, I hear you exclaim (Fred Flintstone voice)
     "Yabbadabbadoo! A Magic Tunneling Softice Worm!!"

External notes

  1. Mess is recognized by DαrK-Mα∩'s Scanexe, Hanno Böck's ChkExe and
     Stills0n's ExeScan. PHaX' GetTyp will be updated soon ;)
  2. Mess can sometimes protect files with overlays, using UNP:

       unp l program.exe out.exe -r+
       mess out.exe
       unp o program.exe out.exe

    and i'm here to remind you of the mess you left when you went away
    it's not fair to deny me of the cross i bear that you gave to me

────────────────────────────── RεLεASε HiST0RY ───────────────────────────────

Mess, Copyright (c) Stonehead^TPiNC 1996,1997,1998
only releases mentioned

Scram! ß5, 25·12·96, com decryptor 412 bytes
  ! initial release, coded together with bushwoelie

Mess 7, 26·01·97, com decryptor 582 bytes
                  exe decryptor 736 bytes
  + exe support up to 64 kb like exe2com
  * com: resists random's killhs 1.2
  - keyboard lock, screen black
  ! birthday release

Mess 1.07, 05·05·97, com decryptor 1549 bytes
                     exe decryptor 933 bytes
  * one program for both exe & com
  * unlimited com & exe support
  - keyboard traps
  * resists ka0t's uncom, upc 1.06.3, teu 1.66
    xpack 1.67f, intruder, autohack, snapshot
  ! first serious release ;) version /= 10

Mess 1.14ß, 17·09·97, com decryptor 1917 bytes
  * p90 & 386sx bugfixes
  + mess on the moon
  * resists teu 1.69,1.72,1.73,1.74
  * resists upc 1.10,1.11
  * resists iceunp 0.1.4,0.1.5
  + exe: Stonehead's Adjusted Mutation Engine
  ! beta version spread over the net by Valentino Tosatti

Mess 1.15ß, 22·09·97, com decryptor 2020 bytes
  * resists gtr 1.81,1.82,1.83
  + hardware int 8
  ! beta version spread over the net by sharewarez

Mess 1.20, 18·12·97
  * resists gtr 1.84,1.85,1.90
  * resists teu 1.75,1.76,1.77,1.78,1.79
  * tbscan stack flags ? and K fixed
  + shame: multiple layers, heavily improved
  - com decryptor
  * exe: maximum memory problem fixed
  ! public christmas release

Mess 1.29, 03·11·98
  * recoded to MASM 6.13
  + /M, /Lx switches
  * resists dg 0.04, cup386 3.4 /7/d, tr 2.00,
    iceunp 0.1.5ud, iceunp 0.2.6, teu 1.82,
  ! unreleased

Mess 1.31, xx·12·98   <-- hmm :))
  * fixed major bug with NT4
  * fixed COM stack
  + added fake encryption in SHAME
  + cpuid gimmick

symbols:  ! info   + new   * fixed   - removed

───────────────────────────────── UNPACKiNG ──────────────────────────────────

Unmess 1.07, August 1997, by Falcon, TASM
  + Unpacks Mess 1.07 COM & EXE correctly

MESSR 1.1, October 1997, by Stefan Esser, Turbo Pascal
  + Unpacks Mess 1.07, 1.08, 1.12-1.15 EXE correctly
  ! You are right Stefan, I forgot int 8. Thanks!

MUM, October 1997, by Richie, TASM
  + Unpacks Mess 1.13, 1.14 EXE without relocations

TR 1.98, February 1998, by LiuTaoTao, TASM
  + Traces Mess 1.20 correctly

GTR 1.b0, February 1998, by Hendrix/UCF, TASM
  + Traces Mess correctly

TEU 1.80, February 1998, by JVP, TASM/AsmEdit/CodeNuker
  + Unpacks Mess 1.20 correctly

Unmess 1.20, September 1998, by DarkGrey & MERLiN (Delirium Tremens)
  + Unpacks Mess 1.20 correctly
  ! Decrypts SHAME ungenerically, which has taken some effort. Great work!

you?
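
The two static recognition points from "Positive things" item 5 ('MESS' at bytes 1C-1F of the EXE header and at the entry point, with the checksum field holding the version) can be checked offline by a file identifier. The script below is an added example, not part of Mess or of the original documentation; it assumes that 1C-1F are file offsets, that the entry-point marker is the literal ASCII bytes at the file offset of CS:IP, and it runs on constructed sample files with a made-up checksum value.

```python
import struct

MARKER = b"MESS"

def mess_indicators(data: bytes) -> dict:
    """Check the two static 'MESS' markers the documentation lists."""
    out = {"mz": False, "header_marker": False, "entry_marker": False,
           "checksum_field": None, "entry_offset": None}
    if len(data) < 0x20 or data[:2] not in (b"MZ", b"ZM"):
        return out  # not a DOS EXE, or too short to hold bytes 1C-1F
    out["mz"] = True
    # MZ header: e_cparhdr at 08h, then e_csum, e_ip, e_cs at 12h/14h/16h.
    (hdr_paras,) = struct.unpack_from("<H", data, 0x08)
    csum, ip, cs = struct.unpack_from("<HHH", data, 0x12)
    out["checksum_field"] = csum  # doc: "checksum=version"; encoding not given
    out["header_marker"] = data[0x1C:0x20] == MARKER
    # File offset of the entry point: header size plus CS:IP relative to the
    # load image, wrapped to 20 bits (CS may be "negative", e.g. FFF0h).
    entry = hdr_paras * 16 + (((cs << 4) + ip) & 0xFFFFF)
    out["entry_offset"] = entry
    out["entry_marker"] = data[entry:entry + 4] == MARKER  # assumed literal bytes
    return out

def build_sample(marked: bool) -> bytes:
    """Constructed test file, not a real Mess output."""
    tag = MARKER if marked else b"\x00" * 4
    image = tag + b"\x90" * 12 + b"\xCD\x20"  # marker, filler, int 20h
    total = 0x20 + len(image)
    header = struct.pack(
        "<2s13H", b"MZ",
        total % 512, (total + 511) // 512,  # e_cblp, e_cp
        0, 2,                               # e_crlc, e_cparhdr (2 paragraphs)
        0, 0xFFFF, 0, 0x0100,               # e_minalloc, e_maxalloc, e_ss, e_sp
        0x0131,                             # e_csum: made-up value
        0x0100, 0xFFF0,                     # e_ip, e_cs -> image offset 0
        0x1C, 0)                            # e_lfarlc, e_ovno
    return header + tag + image             # tag fills header bytes 1C-1F

if __name__ == "__main__":
    for name, blob in (("marked", build_sample(True)),
                       ("plain", build_sample(False)),
                       ("text", b"not an exe")):
        print(name, mess_indicators(blob))
```

A negative result does not rule out Mess: the documentation's own "(not /m)" remark excludes files protected with the /M switch from these markers.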