ROSE SWE EXE Cryptor Small/AntiVirus $Id: RECSMALL.DOC,v 2.2 2001/09/04 17:42:56 ralph Exp $ --=[ REC/Small - ROSE EXE cryptor ]=---------------------------------------- The simplest EXE file cryptor without relocation routines and a little encryption. You must compress your EXE file before adding REC to it because REC/Small will not handle relocations. After all you should protect your EXE files with HS to avoid false positive from virus scanners! :) Currently REC/Small adds nearby 83 bytes to protected files. I release this stuff because: 1.) it's the shortest cryptor in the world I know 2.) because it's a "beta" test for HackStop 1.20 (maybe :) 3.) Uses simple anti debugging tricks against dumb tracers 4.) .... Usage: recsmall file_to_protect.exe Generates the encrypted file OUT.EXE Bugs: * Stack is weired -> TbScan & ExeHead (should be fixed with recsmall 1.04) * Can "only" handle files up to 640 KB length :) * Uses stack of program to be protected (fixed 1.04) * Doesn't handle EXE files with relocations Copyright: * (c) by ROSE SWE - all rights reserved * Free for personel use only! * NO WARRANTIES! Hints: * The first one who releases an unpacker for REC/Small will get the title "World's greatest unpacker coder! (a.k.a. lamer)" }:-(( * Use Com2Exe from the HackStop package to convert COM's to EXE's for encrypting. History: Version Protector Date Remarks length 1.05c 83 04-Sep-2001 Tried to make it more compatible with Olaf´s 386 CPU 1.05b 83 26-Feb-2001 Recompiled with URL and Email added 1.05a 83 14-Aug-2000 NT Fixes in the batch files 1.05 83 25-Jun-99 Decryption is done using the stack, so every realmode tracer will fail on this decryption loop (unp t, cup /1). 1.04 72 21-Jun-99 optimized one byte :) Fixed min/max memory allocation. 1.03 73 15-Jun-99 Added a small anti-debug trick for tracing unpackers. 1.02a 70 04-Apr-98 Re-release, because 1.02 was not widely available. 1 Byte shorter 1.02 71 06-Jan-98 Rearranged the startup code, because TBAV, Suspious Scan and RHBVS triggers a false positive. 1.01 71 26-Nov-97 Prefetch queue bug fixed. Stronger encryption added. Stack is now even. 1.00 66 20-Nov-97 Initial release Mail to ------- (C)opyright 1987-2001 (ALL RIGHTS RESERVED!) ROSE SWE, Dipl.-Ing. Ralph Roth, RalphRoth@gmx.de, http://come.to/rose_swe See ROSEBSS.TXT for full address (PGP key, Email, FAX etc.) Some notes by users :) ------------------------------- Message Contents ------------------------------- Hiya Ralph, here a message from your truly lamest beta tester (if no one was first.. ;)) RECSmall is buggy. I'm not the one to blame you for that, but you forgot the prefetch queue. You change the segment in the JMP FAR SEG:OFS, but you forget to do a jmp $+2 to forbid the prefetch queue to jump to the old value!! I unpacked the thing merely with Decay and CUP386, it's not really a hard job. Remember to use CUP386 /7/d/k when you really really can't find the bug ;)