------------------------------------------------------------------ ROSE SWE EXE Cryptor Small/Antivirus $Id: RECSMALL.DOC,v 2.9 2004/08/18 21:35:08 ralproth Exp $ ------------------------------------------------------------------ ____ ____ ___ ___ /\ _`\ /\ _`\ /\_ \ /\_ \ \ \ \L\ \ __ ___\ \,\L\_\ ___ ___ __ \//\ \ \//\ \ \ \ , / /'__`\ /'___\/_\__ \ /' __` __`\ /'__`\ \ \ \ \ \ \ \ \ \\ \ /\ __//\ \__/ /\ \L\ \/\ \/\ \/\ \/\ \L\.\_ \_\ \_ \_\ \_ \ \_\ \_\ \____\ \____\\ `\____\ \_\ \_\ \_\ \__/.\_\/\____\/\____\ \/_/\/ /\/____/\/____/ \/_____/\/_/\/_/\/_/\/__/\/_/\/____/\/____/ --=[ REC/Small - ROSE SWE EXE Cryptor ]=--------------------------------------- The simplest EXE file Cryptor without relocation routines and a little encryption. You must compress your EXE file before adding REC to it because REC/Small will not handle relocations. After all you should protect your EXE files with HS to avoid false positive from virus scanners! :) Currently REC/Small adds nearby 87 bytes to protected files. I release this stuff because: 1.) it's the shortest DOS Cryptor in the world I know 2.) because it's a "beta" test for HackStop 1.3x (maybe :) 3.) Uses simple anti debugging tricks against dumb tracers 4.) .... Usage: RecSmall file_to_protect.exe Generates the encrypted file OUT.EXE Use the included batch files to automatically rename OUT.EXE back to the original file name. Bugs: * Stack is weird -> TbScan & ExeHead (should be fixed with RecSmall 1.04) * Can "only" handle files up to 640 KB length :) * Uses stack of program to be protected (fixed 1.04) * Doesn't handle EXE files with relocations --=[ RecSmall/BiosCrypt ]=-------------------------------------------------- This is an experimental Cryptor using the first 16 bytes of your BIOS for crypting, thus protected executables should only run on your system. This was a 15 minute quick hack for an user request... (Andy Holovac). Copyright: * (c) by ROSE SWE - all rights reserved * Free for personal use only! * NO WARRANTIES! Hints: * The first one who releases an unpacker for REC/Small will get the title "World's greatest unpacker coder! (a.k.a. lamer)" }:-(( * Use Com2Exe from the HackStop package to convert COM's to EXE's for encrypting. * Use ROSE SWE Relocation Packer to pack relocations (WWPack pr fails on files with one relocation entry :) History: Version Protector Date Remarks length 1.09 92 18-Aug-2004 Added check for EXE header, added version string to envelope (e.g. 3.71 as of 18.08.2004) 1.08 86 07-Nov-2003 Small fixes (text, doc etc.) 1.07 87 21-May-2002 Better encryption routine 1.06 84 12-Dec-2001 Small fixes/enhancements 1.05c 83 04-Sep-2001 Tried to make it more compatible with Olaf´s 386 CPU 1.05b 83 26-Feb-2001 Re compiled with URL and Email added 1.05a 83 14-Aug-2000 NT Fixes in the batch files 1.05 83 25-Jun-99 Decryption is done using the stack, so every real mode tracer will fail on this decryption loop (UNP t, cup /1). 1.04 72 21-Jun-99 optimized one byte :) Fixed min/max memory allocation. 1.03 73 15-Jun-99 Added a small anti-debug trick for tracing unpackers. 1.02a 70 04-Apr-98 Re-release, because 1.02 was not widely available. 1 Byte shorter 1.02 71 06-Jan-98 Rearranged the startup code, because TBAV, Suspious Scan and RHBVS triggers a false positive. 1.01 71 26-Nov-97 Prefetch queue bug fixed. Stronger encryption added. Stack is now even. 1.00 66 20-Nov-97 Initial release Mail to ------- (C)opyright 1987-2004 (ALL RIGHTS RESERVED!) __________ ________ ____________________ ___________ _____________ \______ \\_____ \ / _____/\_ _____/ / _____/ \ / \_ _____/ | _/ / | \ \_____ \ | __)_ \_____ \\ \/\/ /| __)_ | | \/ | \/ \ | \ / \\ / | \ |____|_ /\_______ /_______ //_______ / /_______ / \__/\ / /_______ / \/ \/ \/ \/ \/ \/ \/ -------------------------------------=----------------------------------- ROSE SWE See ROSEBBS.TXT for Dipl.-Ing. Ralph Roth full address, FAX and PGP keys. http://come.to/rose_swe rose_swe@hotmail.com All Rights Reserved! -------------------------------------=----------------------------------- Some notes by users :) ------------------------------- Message Contents ------------------------------- Hiya Ralph, here a message from your truly lamest beta tester (if no one was first.. ;)) RecSmall is buggy. I'm not the one to blame you for that, but you forgot the prefetch queue. You change the segment in the JMP FAR SEG:OFS, but you forget to do a jmp $+2 to forbid the prefetch queue to jump to the old value!! I unpacked the thing merely with Decay and CUP386, it's not really a hard job. Remember to use CUP386 /7/d/k when you really can't find the bug ;)