squidge
November 12th, 2002, 19:16
Well, just downloaded this to see what it has over the competition. It claims to be a Cryptor, CRC Protect, Anti Dump, Anti Softice & Anti smartcheck. Well, that's what you get from the program.
In reality, it must be the weakest EXE protector out there. I don't know if things are different under 98, but under XP it takes about 5 seconds to unpack a program "protected" with it.
It adds about 30Kb to the size of any EXE protected. The first thing you notice with the packed and "protected" program is that all the programs protected by it smell of UPX, and that is because they are UPX-packed programs (well, the loader is anyway). However, unpacking them, dumping them from memory/etc is useless as all you'll get is the loader. You'll not get the original program.
Look at the main protector program again and you'll find it also packed with UPX, and once unpacked, find out it's written in Delphi.
Unpacking the loader reveals more interesting information though:
c:\temp27¦_$\
Yup, you guessed it. All protected apps, when run, are unpacked into that directory. They have the hidden bit set, but that's about it. Copy the EXE out of that directory, and you have the unpacked program in its original form - not even slightly modified.
Now what I can't believe is that this "protector" is shareware, and they expect you to pay money for it.
Am I missing something here, or does this program simply take your EXE, encrypt the entire file as if it was just a straight binary file, and then stick its own AntiSoftice, AntiSmartcheck, CRC Protected stub on the start?
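For static triage of the layout described in the post (a UPX-packed loader carrying an encrypted copy of the original), this added example, which is not part of the original post, reads the PE section table and measures any data stored past the last section. The function names and sample bytes are constructed for illustration, and that the payload sits in an overlay after the stub is an assumption based on the poster's guess, not something the post confirms.

```python
import struct

def pe_sections(data: bytes):
    """Return (name, virtual_size, raw_size, raw_offset) per PE section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    out = []
    for i in range(nsect):
        name, vsize, _va, rsize, roff = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, roff))
    return out

def triage(data: bytes):
    """Flag UPX-style section layout and count bytes stored after the image."""
    secs = pe_sections(data)
    end = max((roff + rsize for _, _, rsize, roff in secs if rsize), default=0)
    return {
        "sections": [s[0] for s in secs],
        "upx_names": any(s[0].startswith("UPX") for s in secs),
        # UPX's first section is empty on disk and filled when the stub runs
        "first_section_empty": bool(secs) and secs[0][2] == 0 and secs[0][1] > 0,
        "overlay_bytes": max(0, len(data) - end),
    }

def build_sample(names, first_raw=0, overlay=b""):
    """Constructed input: a minimal 32-bit PE with no optional header."""
    hdr_len = 0x40 + 24 + 40 * len(names)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table, body, off = b"", b"", hdr_len
    for i, n in enumerate(names):
        rsize = first_raw if i == 0 else 0x200
        table += struct.pack("<8sIIII", n.encode(), 0x1000, 0x1000 * (i + 1),
                             rsize, off if rsize else 0) + b"\0" * 16
        body += b"\xCC" * rsize
        off += rsize
    return dos + b"PE\0\0" + coff + table + body + overlay

if __name__ == "__main__":
    packed = build_sample(["UPX0", "UPX1", ".rsrc"], overlay=b"E" * 300)
    print(triage(packed))
```

A large `overlay_bytes` value next to UPX section names is only a hint that something else is being carried in the file; it says nothing about what the data is.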