any experiences with "Xtreme protector"
nikolatesla20
March 14th, 2003, 11:23
Hm. Worth a try, or is this an enhanced virii..
http://www.xprotector.com/xprotscr.htm
Especially check out this option:
http://webpages.charter.net/nikolatesla20/antidebug.jpg
Option 4 is appalling.
Um, you know, it "might" be illegal to crack - (if it is, prove it. I can crack anything I want on my own computer, as long as I don't distribute it, so there - the data is on MY hard drive), but I would think crashing the system could be equally accountable. Two wrongs don't make a right, do they?
Wonder if I'll get in "trouble" for "stealing" their graphic
-nt20
squidge
March 14th, 2003, 15:42
I've taken a look at this protector, and all I can say is - who will use it? Hopefully very few. Most software makers want to simply go "protect exe" and be done. It can take about 15 minutes to go through all the questions that XP asks. At one part it mangles your code and interleaves it with its own, and then asks you to test the program to ensure it doesn't crash. Therefore, I doubt many people will use it.
Think about it - prog is developed, protected, and finally sent to beta testers. Testers report faults. Developers can't reproduce the fault as it was because the protector has mangled the code too much.
I think the name does it well however - "Xtreme" is a perfect word, although I think it's too extreme.
No doubt however, that once the relevant signatures have been applied, you can trace the injected code and remove it. Although, to be honest, I'm not really interested in the program after it added 1.2mb of code to my standard "hello world!" masm prog (1536 bytes - used for unpacking packers/protectors).
gorge
March 14th, 2003, 15:51
I also tried it myself, my program in memory went from 4MB to 16MB, 1 thread to 64 threads. Took a while to load when I first executed the proggie with the protection. It adds a ton of stuff and slows down the code
I tried booting the protector under Windows 98 and it crashed.
I don't think too many shareware developers will use this

Kayaker
March 14th, 2003, 19:20
Tend to agree, great in theory but fails in practice. Still, it's interesting to study the techniques even if it won't fly as a viable protector.
Five pages of notes later, ... The 3Mb packer exe file contains a complete dynamically loaded vxd, XPROTVXD, which is decrypted and run if you get by the debugger check. This is unique, the vxd may be 'bound' to the original PE file much as can be done with a dll, such as various PE binders do. Nice way to hide a vxd (can you find its sys counterpart in 2K?). The vxd code simply returns the INT 1 and INT 3 IDT address entries for ultimate hooking, maybe in ring3.
The SMC code of the packer itself is kind of funny because it makes extensive use of the SIDT and RDTSC commands, perhaps to scare the cracker into thinking it's using these to access the IDT or use as a single step timing trap, but they do nothing but add some obfuscation. There's no tricky SEH used in general from what I could see, but there's these little stack jump loops providing partial decryption mixed in with the SIDT/RDTSC twiddlings and everything runs through Call EAX calls.
The SMC is a little different from what I've seen, but you can certainly walk through it if you last long enough. It begins with walking the export directory of kernel32, getting LoadLibraryA and associated calls, accessing start addresses of user32, advapi32, ntdll.dll, doing a \\.\ NT/SICE and SIWVID thing with CreateFileA, then starts getting the rest of the imports. The vxd is loaded later, Icedump /protect seems to be handled. No idea if a packed file behaves the same way, but I always like to look at the packer itself first.
It's ironic, if you don't have API bp's set, after the vxd loads it "announces" itself in the Softice window, 'Copyright the XProtector Team'. Tadaahh... Wait a minute, the End User should never see that!! I'll give it an A for originality
Kayaker
nikolatesla20
March 14th, 2003, 19:57
Well, unfortunately for me, it rebooted my system - guess I didn't have SI hid well enough? oh well.
-nt20
SpeKKeL
March 15th, 2003, 11:24
Ajo,
I also tried xprotector, seems it doesn't allow to set any kind of bpx's or bpm's. Try to trace one instruction and the prog. crashes like hell (anti tracing). I could bypass the debugger check but fails on the crackers toolz detection..........
Wonder how i could bypass that anti-tracing stuff??
SpeKK.
Kayaker
March 15th, 2003, 15:47
You have to be careful as well if you crash messing around with this because the vxd can stay loaded and your INT 1&3 IDT addresses will stay corrupted, requiring a manual fix or a reboot. The hidden driver trick is used in a packed file as well, at least in Win98.
There's only 1 section of code pointed to by the Control proc jump table addresses which does anything other than return immediately. It appears to only pass an address pointer back through the DIOCParams structure to 2 dwords indicating the IDT entries for INT 1&3. There's no indication of *how* it gets those addresses, but some of those earlier SIDT commands may actually do something.
Just for the hell of it, here's the vxd code
Code:
:vxd xprot
VxD Name Address Length Seg ID DDB Control
-------- Dynamically Loaded VxDs -----
XPROTVXD CEC101C0 001820 0001 0000 CEC101C0 CEC11980
:u cec11980
(Vxd Control entry proc)
0028:CEC11980 SUB EAX,1B
0028:CEC11983 CMP EAX,09
0028:CEC11986 JAE CEC1198F
0028:CEC11988 JMP [EAX*4+CEC11991] ; jump table, eax=09h is valid
0028:CEC1198F CLC
0028:CEC11990 RET
...
ESI = pointer to DIOCParams struct
0028:CEC119BB CMP DWORD PTR [ESI+0C],00 ; check dwIoControlCode
0028:CEC119BF JNZ CEC119C5
0028:CEC119C1 XOR EAX,EAX
0028:CEC119C3 JMP CEC119DF
0028:CEC119C5 CMP DWORD PTR [ESI+0C],01
0028:CEC119C9 JNZ CEC119DF
0028:CEC119CB LEA EAX,[CEC10210] ; return INT 1/3 pointer
0028:CEC119D1 MOV EDI,[ESI+18] ; to ring3 via lpvOutBuffer
0028:CEC119D4 MOV [EDI],EAX
0028:CEC119D6 MOV DWORD PTR [ESI+20],00000004 ; lpcbBytesReturned
0028:CEC119DD XOR EAX,EAX
0028:CEC119DF RET
The list of tricks employed in this PE-PROTECTOR enhancement is impressive, and even the help file is worth a look. The bottom line in a practical sense though is - like was said, a 3Kb exe file exploded to 1,123Kb with a minimum of options selected. That kind of says it all..
Kayaker
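Added example, not part of the original post and not XProtector's own code: a C model of the control-procedure dispatch and the DeviceIoControl branch in the listing above, using the offsets named in its comments. The structure follows the Windows 9x DDK's DIOCPARAMETERS layout; the simulated ring-3 memory, the constants' names and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows 9x DIOCPARAMETERS with every member as a 32-bit value, so the
   offsets match the [ESI+xx] operands in the listing on any host. */
typedef struct {
    uint32_t Internal1;          /* +00 */
    uint32_t VMHandle;           /* +04 */
    uint32_t Internal2;          /* +08 */
    uint32_t dwIoControlCode;    /* +0C */
    uint32_t lpvInBuffer;        /* +10 */
    uint32_t cbInBuffer;         /* +14 */
    uint32_t lpvOutBuffer;       /* +18 */
    uint32_t cbOutBuffer;        /* +1C */
    uint32_t lpcbBytesReturned;  /* +20 */
} DIOCParams32;

#define FIRST_TABLE_MSG 0x1Bu        /* SUB EAX,1B */
#define TABLE_ENTRIES   9u           /* CMP EAX,09 / JAE */
#define INT13_DATA_ADDR 0xCEC10210u  /* LEA EAX,[CEC10210] */

/* Constructed stand-in for the caller's ring-3 memory (assumption). */
#define SIM_BASE 0x00400000u
static uint8_t sim_mem[64];

/* 1 when the struct offsets equal the ones annotated in the listing. */
int layout_matches_listing(void)
{
    return offsetof(DIOCParams32, dwIoControlCode) == 0x0C &&
           offsetof(DIOCParams32, lpvOutBuffer) == 0x18 &&
           offsetof(DIOCParams32, lpcbBytesReturned) == 0x20;
}

/* Jump-table index for a control message, or -1 when the control proc
   takes the CLC/RET path. Messages 1Bh..23h map to indices 0..8. */
int control_dispatch_index(uint32_t msg)
{
    uint32_t eax = msg - FIRST_TABLE_MSG;  /* wraps for msg < 1Bh */
    if (eax >= TABLE_ENTRIES)
        return -1;
    return (int)eax;                       /* JMP [EAX*4+CEC11991] */
}

static int sim_in_range(uint32_t addr)
{
    return addr >= SIM_BASE && addr - SIM_BASE <= sizeof sim_mem - 4;
}

uint32_t sim_load32(uint32_t addr)
{
    uint32_t v = 0;
    if (sim_in_range(addr))
        memcpy(&v, &sim_mem[addr - SIM_BASE], 4);
    return v;
}

static void sim_store32(uint32_t addr, uint32_t value)
{
    if (sim_in_range(addr))
        memcpy(&sim_mem[addr - SIM_BASE], &value, 4);
}

/* The branch at CEC119BB. eax_in is whatever EAX held on entry, which
   the listing leaves untouched for control codes other than 0 and 1. */
uint32_t dioc_handler(DIOCParams32 *p, uint32_t eax_in)
{
    if (p->dwIoControlCode == 0)          /* CMP [ESI+0C],00 */
        return 0;                         /* XOR EAX,EAX */
    if (p->dwIoControlCode != 1)          /* CMP [ESI+0C],01 / JNZ */
        return eax_in;
    /* MOV EDI,[ESI+18] / MOV [EDI],EAX: one dword goes to the caller's
       output buffer; the listing shows no read of cbOutBuffer (+1C). */
    sim_store32(p->lpvOutBuffer, INT13_DATA_ADDR);
    /* MOV DWORD PTR [ESI+20],4: as listed, the 4 is stored in the
       field at +20 itself. */
    p->lpcbBytesReturned = 4;
    return 0;                             /* XOR EAX,EAX */
}

int main(void)
{
    DIOCParams32 p;
    uint32_t msg;

    printf("layout matches listing: %d\n", layout_matches_listing());
    for (msg = 0x1A; msg <= 0x24; msg++)
        printf("msg %02Xh -> table index %d\n",
               (unsigned)msg, control_dispatch_index(msg));

    memset(&p, 0, sizeof p);
    p.dwIoControlCode = 1;
    p.lpvOutBuffer = SIM_BASE + 8;
    printf("code 1 -> EAX=%u, out=%08Xh, +20=%u\n",
           (unsigned)dioc_handler(&p, 0x1234u),
           (unsigned)sim_load32(SIM_BASE + 8),
           (unsigned)p.lpcbBytesReturned);
    return 0;
}
```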
dELTA
March 15th, 2003, 18:55
In any case, it seems like the guys who created it had quite a fun time doing it. Damn, they put some serious work into this one.

tE!
March 17th, 2003, 18:08
Seems they had loads of fun inventing their pricing, too. EUR 800 for "Company License". Good Joke

Well, at least the logo is neat

crUsAdEr
March 17th, 2003, 22:37
remind me of PE-Protector

... after i unpacked it, Windows 98 was unusable with most drivers corrupted... such bad coding practise ..

... the thing was tt PE-protector was a collection of anti-debug, anti tracing and anti-dumping found on the web put together plus the multiple thread/process of armadillo... and banally repeated a zillion times... no fun learning new tricks... the specs of XProtect looks almost same as PE protector except that tricks are repeated
TWO zillion times instead :/...
evaluator
March 19th, 2003, 13:46
seems this Rahucha DONT learns here:
Replacing INT1 & INT3 is INCORRECT!!!
Because at least other protectors does test this
handlers...
LEARN or be learned...
Hwoarang
March 19th, 2003, 16:47
ROFL...nice way to make your application unstable and eat loads of memory+ you have to pay for this shit...geee
separator
March 19th, 2003, 18:23
Whole Xtreme Protector is very wrong protected. I don't know who first started use change IDT and other important structures. Every normal person can recognize it isn't right. It isn't right if some applications call Ring0 in wrong way. Then is whole system unstable and random crash and if someone try run two applications protected with different stupid protectors then crash and nobody will help it.
Their idea of SMC code is good, but it isn't new. They lie, they are not first! Who will first use full metamorphism in his protector he will be first. But it isn't easy and we will wait some time for this protector. They stolen many of code from other protectors, some coded alone, but this code is not important. Nothing new? Yes, I never seen before protector which protect 11kb application and after protection files has 1.2MB. It is crazy and if they are think it will be help against debugging they are crazy too. It isn't problem skip all no important parts and debug only important. If they are thinking debugging is not possible, then is possible emulate their code with code emulator and their stupid protector will never find it. I don't need soft-ice or icedump find what protector does.
I don't know if they are tried run protected application at slow computers, but it must take maybe minutes.
I tested some applications and their brand new thread system "little" slow down them. If protection spoil functionality of application then it isn't good protection.
Last stupid thing about this protector is price. I don't know but many better protectors cost less and I don't know if someone will pay many for protector which does these crazy things. But who know? Maybe someone will pay them
I am sorry for long post, but I hate stupidity and Xtreme Protector is pretty stupid application.
Btw: I am sorry for my horrible english

gorge
March 19th, 2003, 20:40
I tried it on my Portable, 133 Mhz with 48MB RAM. I have two other protectors on my portable that perform rather well considering my slow computer.
I took a Delphi app with one form and nothing else, it is 286K after compiled. It took nearly 10 minutes for X-Protector to protect the application LOL.... I nearly fell asleep. The application swelled to over 1 MB eekkkkkk. After protection my computer crashed (win 98) so I rebooted. It took 10 seconds for the protected app to boot. My OS is now unstable for some strange reason aughhhhhhhhhhhhhhh.
X-Protector is on Download.com at $212.00 U.S. Are these guys insane?????
Gaia
March 20th, 2003, 05:42
Evaluator, I think IDT (Int1-3) is restored at OEP, because after XProtector I execute SVKP (that executes Int1 trick on Win2K) and works fine
Gaia
cracking VBOLock...
Gaia
March 20th, 2003, 11:46
New version of xtreme...
Gaia
- =(SoftIce is my best friend)= -
separator
March 20th, 2003, 19:56
to Gaia:
Did you try to run SVKP and X-treme shit in same time? I think it will not work. If yes, then they after their int procedure call real int procedure. But I think, it will not work because they are not that smart
As I wrote in other place in this forum. I had big problem with their driver. It crash sometimes (not sometimes, but always) my Outlook.
I started work on this shit and it is possible debug it with my Sice on Win2k. I will post some information very soon. Maybe I will post log from emulator where will be possible find what protector does.
evaluator
March 21st, 2003, 02:10
DeaR GAIA!
1, While XPROTECTOR1.02 is running on my XP, INT1 & INT3 are set to FFFFFFFFh.
bug??????
2. you mean, in newest version this removed?
Ok, I will see..
evaluator
March 21st, 2003, 02:44
just checked 1.03 version..
all is same. While it is running, INT1 & INT3 are set to FFFFFFFFh.
enjoe!?
I attached XP's partial IDT.
Gaia
March 21st, 2003, 04:32
Is your IDT dumped after OEP? Strange because I try to execute Win32Debug (Iczelion examples) and it works
Gaia
rahucha
March 21st, 2003, 06:33
Hello,
Sergio and I are the programmers of Xtreme-Protector. It's hard to see how old friends of us criticize our hard work and don't want to help us at all. I know that most of the crackers are very strict with their comments towards software protections (well, I was the same when I was younger), that's not a problem and I accept all your comments with respect. What it's really amazing for me is that you are not willing to help us even a bit. Instead of just saying "Xprotector is shit cos my program crashes....." you could send us your program and we'll work hard and fast to make your program compatible with Xprotector. We'd like to have much money and have plenty of computers and many programs to test Xprotector, but that's not our case and we need the support of friends to help us. When you see that Xprotector works with your programs and you think that our protection is weak or crap anyway, then you could post here how bad Xprotector is as a software protector, and criticize Xprotector as an experienced cracker that has studied the protection itself.
This new technology might seem quite incompatible (IDT modification, drivers...) but we have been working almost a year to make this technology fully compatible with all programs and processors. Yes, you could try to run Xprotected programs and other programs that make INT1/3 tricks, all of this will work with no crashes.
Separator, I'm willing to hear from you and solve your problems with your crash and outlook. We have released this because after hundreds of tests we didn't report any bugs. Of course, our tests don't cover all kind of programs and configurations, but with the help of all of you, Xprotector can be fully compatible. We have done the automatic bug report to make even easier for YOU to send the information about your crash....but nobody seems to use that.
Xprotected programs might seem very big, slow, etc....Well, we were not planning to do a protector for Pentium 1 computers because computers are changing and we think that protections should change too.
Please, if you want to help us, send us an email with the program that you see the bug and your Windows platform. If you don't want to help us and want to continue criticizing about how incompatible/bad/crap Xprotector is, that's fine too.
Thanks a lot for testing Xprotector,
Rafael
Kayaker
March 21st, 2003, 10:50
Quote:
Originally posted by rahucha
Please, if you want to help us, send us an email with the program that you see the bug and your Windows platform. If you don't want to help us and want to continue criticizing about how incompatible/bad/crap Xprotector is, that's fine too.
Thanks a lot for testing Xprotector,
Rafael
Seems a reasonable request. Good Luck.
Regards,
Kayaker
nikolatesla20
March 21st, 2003, 11:12
I didn't start this thread to criticize the product itself, I started it because I don't agree with the option to "reboot windows". I think even if the software is being cracked, that is NEVER a polite thing for a commercial product to do. It would be more like something a virii would do. Frankly, if a company had this type of protection which can do such a thing, there would be many that would definitely not buy it. Also, if the product is so uncrackable, then what would such an option be useful for? It only "protects" itself by crashing the system. Once again, that is not protection, it is comparable to a virus in that it could damage the system. Rule one of any protector should still be "do no harm". What if someone installed a debugger on a critical machine and they did not know there was a program that used XProtector on the machine already? What if this was a machine used for medical purposes? It is slippery ground to be playing in this way.
The other argument I put forward is that messing with ring0 is definitely more powerful. However, without intimate knowledge of the operating system, you can never guarantee any type of real stability. Here is the crux: Crackers like to play with ring0 because they can gain more power. But their "adjustments" are local to their machine. A commercial product that plays with system structures should be a little more scrutinized.
Unless of course, you pass your protection driver through Microsoft's Compatibility labs and get it certified.
-nt20
bart
March 21st, 2003, 12:13
well ive got Athlon 1800 XP, 256MB ram and your message box "intro" is started ~10s after i double click on it, should i buy Pentium 5?, another thing, nice compression ratio 1:1000 :P, and finally it doesnt work on my Win98 box without all kinds of debuggers/tools (ive send you example, but i didnt receive fixed version of protected exe to test it), but anyway good luck with it.
gorge
March 21st, 2003, 12:22
I protected a program in Delphi 4 using X-Protector. I left Delphi 4 running in the background. When I executed the protected program Delphi 4 generated an error which I could not shutdown.
I had to turn the power off, this is not good.

could be the debugger in Delphi that triggered X-Protector??
Also, X-Protector does not work in Virtual PC or VMware.
Lots of users use these environments especially companies.
I use them for testing the different platforms for my software.
I would not buy a product that did not run in these environments.
Lots of users still have machines between 300-850 Mhz
and this protector is too slow for these older machines.
rebooting or freezing the system if a Debugger is active is serious stuff.
I would bring the price down to under $100.00 and get customers using your protector until it is stable then increase the price.

rahucha
March 21st, 2003, 13:14
nikolatesla20:
I agree with you about that option and understand why you started this thread. Reboot your system is a very strict way to finish your program in case that a debugger is found. I would never protect my software with that option. We just wanted to give some freedom to the end user and it is his/her responsibility of using that option and the damage that they could cause (If you have a look to the Xprotector help file, you can see that we make a clear advice about this).
bart:
We have tested Xprotector in 450Mhz and 2Ghz processors mainly. Amazingly, there is not much difference between these two processors when running a protected program (at least that you inserted hundreds of decryptors, specially drx decryptors). It surprises me a lot that it's so slow in your 1800Mhz. Have you put a patch in a critical part of your program? We have fixed all the problems with all the EXEs that people have sent us, I'm really sorry but I'm afraid that we didn't get yours. If you could send it again, that would be perfect.
gorge:
Thanks for telling us that bug. We are going to try to reproduce the same bug and fix it.
Xprotector doesn't run on VMware. I tried it long time ago and I realised that every program that modifies the IDT cannot be executed under VMWare. Then, I tested other protectors and most of them didn't work either. I wrote an email to VMware Inc. long time ago telling them this. I didn't get any replies back. Is it our fault that we cannot run under VMware or is it VMware the one that should support this?
About the price...Many shareware authors have told us that the money is OK for a good software protector. If you think that a good software protector could increase your sales (selling ONLY 5 more copies) you could get your money back. Isn't that a good investment?
Thanks again for all your support,
Rafael
nikolatesla20
March 21st, 2003, 13:20
rahucha:
I just wanted to tell you I appreciate your reasonable responses. It would be easy for some developers to get upset and start a flame as a rebuttal. Thanks for keeping this peaceful
-nt20
evaluator
March 22nd, 2003, 01:55
Hello, again.
IDT dump I made after XPROTECTOR.EXE starts & appears its window.
So that is...INT1 & INT3 are killed.
But! Very can be, Rahucha does this only for XPROTECTOR.EXE
& for protected program INTs will restored!?
OR this is BUG for XP?
What is your answer, Rahucha?
PS.
Statistic:
On my PIII600CEL:
1. XPROTECTOR.EXEv1.02 window appears in 4sec
2. XPROTECTOR.EXEv1.03 window appears in 2.5sec
cyberheg
March 22nd, 2003, 10:51
Why are you guys helping him? In my opinion he doesn't deserve that since he just takes advantage of getting free beta testing time. If I wanted to give away bug reports of this kind at a technical level I'd be sure I got paid for my time too. If he really means that he's thankful for this kinda help I think he should go share the incoming money with you or just pay you freelance per hours spent.
But the truth is he cares shit about you as any other protection developer does. That's why I care shit about them too.
After all as a developer of this kind he must see you as the enemy since that's what his product is about. That's why the more talk he can get out of you of what weaknesses and bugs you find the more he is able to improve it to make it harder for you. Is that what you want?
Earlier in this thread most of you guys said this program was kinda useless protectionwise so why are you helping him improving it?
I could go give suggestions how to improve X-Protector too but until someone pays me I'll keep my mouth shut.
// CyberHeg
gorge
March 22nd, 2003, 11:19
Quote:
Originally posted by cyberheg
Why are you guys helping him? In my opinion he doesn't deserve that since he just takes advantage of getting free beta testing time. If I wanted to give away bug reports of this kind at a technical level I'd be sure I got paid for my time too. If he really means that he's thankful for this kinda help I think he should go share the incoming money with you or just pay you freelance per hours spent.
But the truth is he cares shit about you as any other protection developer does. That's why I care shit about them too.
After all as a developer of this kind he must see you as the enemy since that's what his product is about. That's why the more talk he can get out of you of what weaknesses and bugs you find the more he is able to improve it to make it harder for you. Is that what you want?
Earlier in this thread most of you guys said this program was kinda useless protectionwise so why are you helping him improving it?
I could go give suggestions how to improve X-Protector too but until someone pays me I'll keep my mouth shut.
// CyberHeg
I care about you CyberHeg

crUsAdEr
March 23rd, 2003, 08:09
Yeah,
As i recall Ni2... you didnt want to help me at all last time... after i posted my finding abt PE-Protector you simply disappear... so why should we crackers/reversers help u now? You did not want to help others, tell me a good reason why i should do otherwise?
gorge
March 23rd, 2003, 12:09
I got a Blue screen and half my messages in OutLook Express Disappeared when I was testing X-Protector. I removed this crap from my system as it is very unreliable. Testing is over. It is not compatible with a lot of regular software.

rahucha
March 24th, 2003, 07:33
Hello,
evaluator:
The state of the IDT for XPROTECTOR.EXE and protected programs are the same. It's not a bug what you see in your XP (should be the same in all Windows platforms). All your programs should work fine. Even at the same time with packers with INT1-3 tricks.
Thanks for your time stats for Xprotector. We are going to study if we can make it faster in a next version.
cyberheg:
None of you are my enemies but all the way around. In fact, many things that I know I learnt them when I was much younger with the help of people from the scene and I also shared my knowledge with the rest of you. I will never forget the help that many of you gave me.
About the "free" tests...I'm just like one of you and not a company with money. Sergio and I just decided to make something different sacrificing many things during the time that we've been programming xprotector, because we believed in that. We have the same money as a "normal" cracker has and we have done everything by ourselves and with the help of friends (tests, english corrections...). We just can give big thanks to all of them and offer our help whenever they need it. Ask for help is our only way to get out of this. And one thing....Windows XP also makes the automatic bug report when your system crashes....and they don't pay us for that.
Anyway, I didn't enter in this forum to ask for help. I just got impressed about how some people that don't have idea about our protection can say that it's crap because it crashes (a BSOD can be fixed in a few minutes) or we have a shitty protector because if you put SVKP it WOULD crash because the IDT is "destroyed" (when they DON'T even tested that!) and instead of test it, It's faster for them to write a post here and say that we are not so clever to do that, xprot shit....I didn't want you to make tests so we sell more copies or something like that, I wanted that xprotector will work on your computer so you can make REAL comments about the protection itself.
crusader:
I remember that I tried help you in a few bits in Pe-Protector. I didn't enter much here as I only had inet at work (not very nice to enter here from your work) Besides, following the rules of this protection/cracking game....crackers must discover how things work internally without the protection author tell them....at least that was one of the rules long time ago
gorge:
I'm really sorry for your BSOD. We'd like to have many computers so we are the only ones that get those nasty BSOD. Thanks a lot for trying Xprotector and sorry again if you lost some data. I understand that you don't want to test it again.
Best regards,
Rafael
Kilby
March 24th, 2003, 10:20
Grrr I lost the message that I had typed in
Anyway,
All I want to say is that I am too busy to take new things apart these days.
However, I have watched the wrapper wars for years, and protection by boredom simply doesn't work, layer upon layer of the same old crap doesn't cut it.
SMC & the like doesn't work (honestly remember when the 486 was introduced), and bloated/slow apps just annoys everybody and creates a reason for cracking the app, this reason is "TO TRY AND MAKE IT RUN PROPERLY."
Those reversers who don't like any info going to protectors and commercial coders avert your eyes now !
Wrappers don't work for very long !
Shareware authors need to learn to code !
Currently they draw their little boxes in VB & Delphi (some even venture into VC), and type in their couple of hundred lines of code and hit F7, then they call themselves programmers.
The app automagically (sic) appears and they don't know what's going on under the covers.
In Borland & M$ we trust
Asprotected apps are often cracked, why is that ?
Simple they compile their app, run asprotect, upload to their website then watch the cracked version of their app appear across the internet.
I'm sure Alexy gets a lot of complaints, but how much more can he do ?
However (as I remember with my very bad memory) asprotect does allow additional protection, for functions to be decrypted only if a valid serial number is present, but how often that ability used ?
When is the last time you saw an asprotect license generated, a very long time ago is when.
Even games companies have caught onto this and securom provides triggers that games authors (much more knowledgeable than shareware authors usually) can set up triggers that cause problems with unwrapped games.
So how do you protect an app from me ?
Easy create it in VB, and I will simply refuse to install it. I am tired of VB installs screwing up my machine. This is the real future of protection
So what would I do to protect an app ?
I have written a dumper for a certain well known wrapper (very commercial) and wish to give it to some friends, however I do not wish for it to spread (I don't want any (more) real trouble turning up at my door.)
So what can I do well I need something that provides encryption, secure keys, locking to particular machines and date or # of run limitation.
After looking at many packages the only one that seems to provide some reasonable security,reliability & stability is asprotect.
Unfortunately apart from not having any money I don't wish to buy a cryptor for the sake of the 9 or 10 people who I wish to have the unwrapper. I also wish Alexy well as he also bears us no ill will (as people like us generate his income,) so I will not be ripping off asprotect.
Though if he wants to give me a copy I would be very happy.
Regards,
Kilby...
tE!
March 24th, 2003, 14:23
'elo! i agree to kilby by like 100%. it's not so hard to create a good individual protection for a piece of software in a reasonable time. of course this requires a bit more knowledge than many semi- or non-professional developers have. probably this isn't even a formal question of qualification but of interest and commitment. on the other hand i understand some programmers very well. programming a useful and stable software can take much time and many programmers simply don't be inclined to spend many hours of work in the development of a good protection, because the only reasons which make such protections necessary are crackers like us and insincere users.
ni2 and his friend showed us the result of their hard work. no doubt they put a lot of work in that protector, but that's no real reason for their pricing model. sooner or later they will probably spend 10 minutes of hard work into a marketing lesson and correct their pricing
Quote:
rahucha: I didn't want you to make tests so we sell more copies or something like that, I wanted that xprotector will work on your computer so you can make REAL comments about the protection itself.
who believes this ? you released the protector as commercial software, thus you want to earn money with it. people on this board are for sure the best testers for your software you can get for free. they have more knowledge than most of your current/future software developers (at least concerning software protections - i'm sure). but why the hell should they help you ? friendship ? that's a dubious excuse for imposing other peoples kindness (always remembering your commercial interest). i'm sure it would be a different story if you'd have released that protector as freeware.
i can't say anything about the quality of the protection xtreme protector offers, because i didn't even try to have a look at its protection components. my personal opinion (as simple user) is that i don't like it because of the huge size increases and the startup-delay of protected applications. if you won't spend much work on it again to get rid of these disadvantages and the compatibility issues i can read about on this board, i doubt about a promising future of xtreme protector.
anyway, at least you are not only talking but try to invent something new. hats off for that. greets to you and all the other guys hanging around here
tE!
goatass
March 24th, 2003, 17:07
Hey guys I don't think we need to bust on x-protector, it has its advantages and disadvantages just like any other protector out there. I'm glad finally someone came out with a protector that does a little more than mess around with the imports. This x-protector is their first attempt at it, I'm sure it will evolve into something worth while. The reason for their first release is to get reactions just like they are getting now so they can improve. I understand people don't want to help because they are not getting paid to do so and that's fine but busting on the product when it's in its early stages doesn't do anyone any justice.
I think x-protector has some good ideas just have to be implemented differently. The main reason why so many protections out there don't do so much is because the end user will not tolerate the application's behavior. There are sacrifices that developers make like whether you want to satisfy the end user and make money or protect the app to death so no one can steal it but sell very little copies. This is something that x-protector guys need to think about.
I personally think that if x-protector is kept up it could be a great product, just need to see what the market is looking for. Don't secure Fort Knox to a point where you can't get access to your own gold.
goatass
Kilby
March 25th, 2003, 05:50
I'm not coming down against Xtreme protector it's good to see people trying, it's harder to create than destroy.
Xtreme isn't snake oil, but I feel that they are on the wrong track when the app bloats.
Once you suss out what a packer does, it becomes relatively easy to unpack.
Without the author working to the strengths of a packer/cryptor the battle is already lost.
There will always be a way in that the cryptor author hasn't thought of, the easy crack. If not the packer then the algo used for the registration keys.
The future is to provide an API to the apps author and to get him/her to use it. It doesn't matter how good a reverser you are if the code isn't ever decrypted, unless a valid key is present (and then you can fingerprint for the key used).
I wish Ni2 & friend all the success they can get but I do urge a rethink of their methods. If a product gets a reputation for problems (even on initial release) then it will be avoided.
Regards,
Kilby...
cyberheg
March 25th, 2003, 07:10
Quote:
Originally posted by Kilby
Xtreme isn't snake oil, but I feel that they are on the wrong track when the app bloats.
|
You're wrong. This is exactly an example of snake oil in terms of protection. If these guys opened the source code to the public would it have same strength? Doubtfully.
The whole idea about protections like these is that people don't know how it works and/or because of the zillion checks like crusader pointed out it gets too boring to trace through it.
But if you look at the components of this protection it doesn't change in any way from Asprotect, Armadillo etc. etc. You still got the same scenario. First you got a loader which decrypts the real program then you got a jump from this loader to the real program. Whether you like it or not protections of this kind only work until people find a way to emulate the environment so the loader thinks it's not being spied on.
There are technologies here though which make this system stronger than others like automatic patching of the unencrypted programs.
// CyberHeg
nikolatesla20
March 25th, 2003, 08:13
Exactly.
The only true protection a shareware author could make is either a demo, in which the full software code IS NOT PRESENT, or to follow the instructions correctly (for instance, with asprotect), and use encrypted sections of code that don't get decrypted unless you have a code.
However, as Splaj mentioned before, one key can be used in aspr to force it to work as a keygen.
There will always be SOME way around, if a cracker is determined enough.
-nt20
LowF
March 25th, 2003, 10:21
Hmm seems to load fine on my comp, took about same time as asprotect to load!
got 700 P3 , 384 ram and XP Pro!
maybe guys should try to unload some shit , i don't have softice or anti debugger stuff on same time, turned off most background progs, still np....
and i know after this topic i get about 50 crap msg...about how much idiot i am
Kilby
March 25th, 2003, 12:04
Cyberheg,
I disagree with Xtreme falling into the category of Snake Oil, for me this is reserved for special items which don't do anything vaguely like what they claim (bi-tarts products come to mind about this).
Xtreme Protector simply doesn't do things the way that we would choose to do it. If it stops a crack due to boredom then it has done its job (not very classy but technically a success).
nikolatesla
If alexy didn't carry about the blacklisted serials then things would be a bit harder
But either demos with 'missing code' not disabled buttons, or properly encrypted registered functions are the only practical way to go.
LowF
If I wanted application conflicts then I would buy an Apple Mac
However I don't want application conflicts.
We are in a multitasking, multi threading environment and it should be coped with properly.
May god help their customers tech support departments, I'm sorry sir you must remove these apps before our product will run
Example:
I run softice legally in work and at home, and I reserve the right to have whatever programs or hardware I own !
Having softice installed won't crack an app, try finding a key for Secure CRT using softice, it's not a magical path to free apps.
Sometimes the presence of softice is a sign that you are installed on a developers machine and I often work from home so as I can see my kids sometimes.
Therefore if a cryptor is secure it should be able to tolerate the presence of a debugger (I have yet to see an eula which says you are not allowed a debugger on your machine).
Note:
I will run one of my little apps across xtreme protector to see what happens and post it here, provided my ADSL connectivity has returned.
Anyway regards,
Kilby...
crUsAdEr
March 25th, 2003, 23:06
Kilby,
Quote:
I disagree with Xtreme falling into the category of Snake Oil, for me this is reserved for special items which don't do anything vaguely like what they claim (bi-tarts products come to mind about this).
Xtreme Protector simply doesn't do things the way that we would choose to do it. If it stops a crack due to boredom then it has done its job (not very classy but technically a success).
|
I beg to differ... you could say things like that about Bi-tart because you have done much work with it... i have done little work with Bi-Tart, a bit here and there but never a full research though i have done a fairly thorough job with PE-Protect and all i could say is, the task of reversing PE-Protector is like looking at the code, clean junks, then search through code archives on the web for old and known tricks... I still have the comprehensive listing of most of PE-Protector features i found in the packed version of PE-Protector itself and looking at the comparison to XProtector, not much has changed... though i admitted i only had a brief look at the old version of XProtect
I would say PE-Protector was more like a complete collection of anti-stuff found on the web, and if XProtector is the same, it would be stealing/packaging the free knowledge shared by this community and charge an exorbitant amount of money for it... the reason is that i found some code in PE-Protector which was an exact copy of example code someone else posted for free in this community... which is NOT very nice...
though snake oil is a strong word, it is SNAKE OIL compared to other products of that price range... imagine it is more expensive than IDA ... in fact a few times more... what a laugh...
evaluator
March 26th, 2003, 03:07
Hello, Rahucha!
1.
You are RIGHT!
In a tricky way you rehandle INT01 & INT3.
I tested this R3 protectors:
.telock
.pcguard4.06
.pelock1.05
2.
I know way(R3), when your driver can't handle INT01 & does BSOD.
3.
&&&&&&&& ANYWAY!!
Doing this with INT01 & INT3 is incorrect.
Many other protectors (unknown for us, or in future..)
just checks in IDT location of INT01 & INT3 handlers,
if they are in NTOSKRNL range etc. (SVKP1.051 I know).
So I recommend: use INT01 & INT3 handlers, BUT
restore immediately after use.
Kilby
March 26th, 2003, 05:11
Crusader,
I think you hit the nail on the head in the last sentence, snake oil is too strong a term for xtreme protector, but it's not a product that I would wish to rely on, even if it was $10.
The only reason I mentioned crunch2 is that it did NONE of what it claimed (it was the first thing I ever unpacked after 5 hours of study), with my limited ability that is a poor performance on the part of the protector.
I mention this not due to false modesty but due to the fact that a little zen, lateral thinking and a refusal to be beaten are the reasons I beat targets, and not great technical abilities like many here.
I only spent a few minutes with xtreme and don't really feel that I have a right to comment on the technical ability behind it, and the same with svkp which I think may be a similar item with waves of the same old code thrown at the reverser.
BTW I have to congratulate you on your recent essays they are excellent.
Regards,
Kilby...
nikolatesla20
August 26th, 2003, 14:50
Quote:
Originally posted by rahucha
nikolatesla20:
I agree with you about that option and understand why you started this thread. Reboot your system is a very strict way to finish your program in case that a debugger is found. I would never protect my software with that option. We just wanted to give some freedom to the end user and it is his/her responsability of using that option and the damage that they could cause (If you have a look to the Xprotector help file, you can see that we make a clear advise about this)
Thanks again for all your support,
Rafael |
If that's the case then why does Xtreme protector itself reboot my machine which has DS2.7 installed?
-nt20
bart
August 26th, 2003, 15:12
Well maybe it thinks your PC need to rest for some time?
I think real software developers who use all kinds of debuggers etc. to make software fucking luv all those protectors with anti tricks
squidge
August 26th, 2003, 17:46
It starts becoming fun when a developer is told to evaluate a protector on the latest development build of a project, only to find out it blindly resets his machine without warning just because he has developer tools installed, such as Softice.
If I was the developer the above happened to, I certainly wouldn't be recommending the application, that's for sure. There should at least be a warning of this when the program is being installed, so it can be uninstalled again without running it.
Kilby
August 27th, 2003, 09:55
I had forgotten about this thread.
I think we all agree that we wouldn't pay $149 for something that causes instability and bloats apps as much as this currently does.
Snake Oil = matter of opinion.
Anyway just to say regarding the detection of softice in packers.
The game Chaser (by Jo Wood) which I bought is a securom app which then appears to be packed with the SVKP.
Why mention this? Well, it detects NTICE even when the debugger service isn't actually started, to play/install the damn game I have to actually uninstall softice.
Personally I find that very intrusive, it's also very hard to get a refund on a PC game.
As I have a legit sice I really should complain to Jo Wood as I don't think it's their place to say what can be installed on my machine, unless it's directly attacking one of their products.
Regards,
Kilby...
nikolatesla20
August 27th, 2003, 10:42
I agree, exactly. I think it's B.S. when they detect just that you have it installed. Like I've said before, this ISN'T PROTECTION. A true protection can stand up to being debugged, right? I don't consider it a protection when you simply don't allow any debugger to exist.
Also, I agree, they have no right to decide what's installed on my machine.
-nt20
evlncrn8
August 27th, 2003, 11:12
just when you mentioned chaser there, it is one of the most protected games i know, not only svkp, it had securom and armadillo.. jowood are paranoid.. and yet the game was cracked so all their efforts were kind of pointless, which further reinforces the futility of these protection products
Kilby
August 27th, 2003, 15:35
No wonder there's so many complaints about the game crashing, with all those in there
Previously I had thought that Jo Wood were just crap at their quality testing, and now I find it's deliberate
Speaking of such things apparently the coders of starforce 3 have decided that nobody should have both SCSI & IDE cdroms in their PCs.
Yeah like I'm gonna disable any of my hardware or software for some damn game.
Kilby...
squidge
August 27th, 2003, 16:49
I used to a have a SCSI cdrom in my system until it packed up and waved byebye, now I just stick to ide as they are pretty much the same. Only SCSI in here now is harddisks.
Personally though, I hate this "generalization" protectors are starting to use. "Most people will not have scsi cdroms, so we will not work on those that do", "Most people will not have softice, so we'll crash those systems that do", etc, etc. It's all about working on the majority now and stuff the rest of the people. Soon it'll be if you've not got a standard spec major brand PC system, then appX will not work as you're obviously a hacker or pirate of some sort.
nikolatesla20
August 29th, 2003, 14:35
Webpage:
hxxp://www.wiretapped.net/~fyre/sst.html
Quote:
Service Hooking
Intercepting ("hooking") calls to executive services is a matter of locating the information about the service and modifying it to call our own functions, which could then transfer control back to the original handler.
The only thing left to discover is the service ID of the services we want to intercept. Disassembly of the real handler functions shows that each one begins like this:
MOV EAX, service_id
So the data stored at the beginning of each handler function is B8 xx xx xx xx. B8 is the i386 MOV EAX, imm32 opcode, xx xx xx xx is the 32-bit service ID. An expression such as the following is sufficient to get the service ID:
ulService = *(PULONG)((PUCHAR)pbHandler + 1);
Windows XP
In order to discourage people from using these undocumented interfaces, Microsoft attempted to write-protect the service tables in Windows XP. Writing to them causes a blue screen of death, unless the pages are somehow made writeable first.
The simplest method is to disable the WP bit in the i386's CR0 register before modifying the table. For example:
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
; modify table
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
Another method is to modify the PTE's for the pages that the service table resides in so that the supervisor (executive/kernel) may write to them.
Limitations
Because the methods used rely on undocumented kernel interfaces, they are liable to stop working on more recent versions of Windows. Microsoft has shown that they dislike the use of these interfaces by making most existing code using them fail to work correctly on Windows XP, and are likely to do it again.
However, there are no suitable alternatives to these techniques.
|
Once again, unless your driver becomes Microsoft Certified I think you should at least inform users that there are inherent dangers in using it. And what about user's customers?
-nt20
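The defensive counterpart to the quoted hooking notes, and to evaluator's earlier point that protectors check whether the INT01 and INT3 handlers lie in NTOSKRNL's range, as an added example that is not from the thread or the quoted page. It audits a snapshot in user space; every address, the module list and the `example.sys` driver are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR0_WP 0x10000u /* CR0 bit 16: the 10000H mask in the quoted listing */

typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} module_range;

/* Constructed snapshot, not taken from a real system. */
static const module_range MODULES[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x001F0000u },
    { "example.sys",  0xF8A40000u, 0x00008000u }, /* hypothetical driver */
};
#define N_MODULES (sizeof MODULES / sizeof MODULES[0])

static const uint32_t SERVICE_TABLE[] = {
    0x80570A10u, 0x8056F2C4u, 0x80581E00u,
    0xF8A41230u, /* constructed: entry redirected into example.sys */
    0x8057B6AAu, 0x80590114u,
};
#define N_SERVICES (sizeof SERVICE_TABLE / sizeof SERVICE_TABLE[0])

/* Constructed INT 01 and INT 3 handler addresses, as read from an IDT. */
static const uint32_t IDT_HANDLERS[] = { 0xF8A42000u, 0x804DF3F0u };

/* Name of the module whose range contains addr, or NULL if none does. */
const char *owning_module(uint32_t addr, const module_range *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Store (up to cap) the indices of entries that point outside the kernel
 * image and return how many such entries exist in total. */
size_t entries_outside(const uint32_t *table, size_t n,
                       const module_range *kernel, size_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i] >= kernel->base && table[i] - kernel->base < kernel->size)
            continue;
        if (found < cap)
            out[found] = i;
        found++;
    }
    return found;
}

/* Decode "B8 imm32" (MOV EAX, service_id) at the start of a stub.
 * Returns 0 and writes *id, or -1 when the bytes are too short or do not
 * start with B8, which on an expected stub means it was altered. */
int service_id_from_stub(const uint8_t *stub, size_t len, uint32_t *id)
{
    if (stub == NULL || id == NULL || len < 5 || stub[0] != 0xB8)
        return -1;
    *id = (uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
          (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24;
    return 0;
}

/* Non-zero when write protection is on in a captured CR0 value. */
int cr0_wp_set(uint32_t cr0)
{
    return (cr0 & CR0_WP) != 0;
}

static void report(const char *what, const uint32_t *table, size_t n)
{
    size_t idx[16];
    size_t bad = entries_outside(table, n, &MODULES[0], idx, 16);
    printf("%s: %zu of %zu entries outside %s\n", what, bad, n, MODULES[0].name);
    for (size_t i = 0; i < bad && i < 16; i++) {
        const char *owner = owning_module(table[idx[i]], MODULES, N_MODULES);
        printf("  [%zu] 0x%08X -> %s\n", idx[i], (unsigned)table[idx[i]],
               owner ? owner : "(no loaded module)");
    }
}

int main(void)
{
    report("service table", SERVICE_TABLE, N_SERVICES);
    report("IDT 01/03", IDT_HANDLERS, 2);
    return 0;
}
```
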
separator
September 2nd, 2003, 15:29
Hello,
I checked Chaser some time ago. Joowood are really paranoid, because they used more protections in same time.
I am using Soft-Ice and installer detected it too when I disabled it. It wasn't SVKP, but Armadillo! I can't install game because stupid detection of two CD-Roms. It wasn't problem with patch.
Joowood used SVKP to main exe and enveloped with it SecuRom. Main exe worked fine.
Btw: Did someone unpack main XProtector's EXE?
evaluator
September 4th, 2003, 11:40
>>Btw: Did someone unpack main XProtector's EXE?
you mean protector himself? or in that game is..
separator
September 5th, 2003, 15:18
to evaluator: Yes, I am talking about protector himself.
Shoob
September 5th, 2003, 16:28
Simple answer: No - and it will take the reverser some time. Btw I don't think I'll go on with this target, because it can destroy your machine nicely.
evaluator
September 6th, 2003, 13:42
It is pleasant to hear, people still keep common sense,
but whether for a long time?
I have thought that cd-game was protected by it..
as about unpucking,
I little played with xprot without debuger & unpucked it until "last" step;
(e.g. stripped code peaces)
maybe If I somehow shall get second-hand HDD, i will continue this useless playing..
disavowed
September 23rd, 2003, 08:36
Quote:
Originally posted by evaluator
(e.g. stripped code peaces) |
evaluator, i thought you used a translator to post here. how the hell did it give you "peaces" instead of "pieces"?
LaBBa
September 23rd, 2003, 15:23
hi ppl !
it's been a while since i post .. and now i saw this ... i looked a lil and this technique of coding is looking very known to me ..
^D^ man did u done that ??
dELTA
September 23rd, 2003, 16:10
Disavowed, if you thought that eval is using a translator you really can't have been paying much attention to his posts.
The closest thing to a translator that might possibly have been used to generate that is a PRNG.
crusher
October 28th, 2003, 07:26
Just some notes.
First of all, this protector is not a so-much fun.
I participate in a kind of business where lots of software authors are using Xprotector, just as "security by obscurity" principle.
I already managed to dump several executables protected by it, but only partially (yes, missing the well-known IAT)
Sorry saying this, but I have some interests in being able to dump these, so I won't help you Sergio&Rafael out with the method (unless you give the clue restoring IAT for *current* versions)
You might say it is not fair, although this is the point when our interests are the opposite.
(Others are welcome for subject, thou')
After all, I need to express my personal problems with this.
- Yes, you give the freedom to users to choose "RESET WINDOWS" option in general. This would be a fair offer if and only if our world were homogeneous (people with different skills equally filling up the population). BUT since this is NOT the case, and 88% out of software authors are IDIOTS, who still believe this intellectual property shit, but won't even like to ever make a *PERFECT SOLUTION* (yes, we came to the difference between theory and practice, got it?), instead, believing reset for a false alarm is the greatest fun.
I have an application I already dumped, and great for reversing, although I miss some APIs since NO IAT rebuild is done. I tried several (not so much, anyway, for example, let it be 100) times to find it out, although the 243k software (which is now 2.1M) loads on my 3GHz P4 in 8-10 seconds, I try to make an operation, and in less than a sec (let it be 1 s) it reboots my computer, which process lasts say 2 minutes.
That is, in our example:
15 minutes total of program "loading"
1.5 minutes total of experimenting (in 1s fractions, anyway)
3 hours and 20 minutes of computer POST and boot process.
Please, tell me, this had to be the fun??
(any help is welcome)
Yes, if it'd run under VPC or VMWare, I would only have had to restart it, it is not a crisis, but it does not.
- My program utilizes (very nice indeed.......) a Schlumberger Cyberflex E-Gate Smart Card protection, which consumes a bit of CPU time, so when I load the app, and it interacts with the JavaCard, sometimes it shuts down the SB subsystem with a message related to no access to PC/SC interface, if not, I should wait for the end of operation for GDI to redraw its form. All this on my mentioned computer (it has 512M DDR533 BTW).
This is reminding me of my old PM experiments, when I tried to save/restore the TSS of my 1 running task for every single instruction (breakpoint yeah).
Just wondered what my CPU was capable to.
Now I see, thanks
- Among others, sometimes the app itself resets with no obvious reason.
(I think should first disable this reset thingy)
- After all, I can ONLY close my program with Kill Process option, if not, I get an infinite loop in a thread running on PL0 (i hate your "ring" word) with TP_TIME_CRITICAL...
That's all for now. Any ideas, helps on IAT or any other clear mechanism of this stuff is welcome.
evaluator
October 28th, 2003, 09:37
>this protector is not a so-much fun.
it is on last level of incorrectness.
Those, who use xprotected-programs,
are under serious risk to crash own hardware.
Recommended:
Try to search for other users of these programs(in forums, groups)
& together perform simple customer attack:
"Dear sir, we are very interesting in your software.
"But your program in 98% of cases resets our PC.
"As we informed, this happens because of dangerous protector.
"Do not hesitate, and use other correct protector,
"or we shall not buy your software.
"Or! Give us full Warranty for case of hardware crash,
"which will include all commercial loss.
we can support this attack with our opinion.
>where lots of software authors are using Xprotector
Can't believe if lot of authors lost money in xprot!
(maybe, mostly they was "protected for free"!?)
Anyway, point me to this "software area".(here or in PM)
later about IAT.
Pyrae
October 29th, 2003, 08:23
Did anyone actually take a look at XProtector's KMD
(until that one takes over, there seems to be nothing really new)?
I'm always getting caught on some JMP [ESP-0C],
where [ESP-0C] points to current EIP, thus ending in an infinite loop.
Guess this must be some kind of "running line" stuff, but there's no LastBranch record helping me out on my damn P4...
I'd really like to get to the rebooting triggers...
Btw, is it the keyboard controller method or some triple faults?
Guess no serious developer/publisher would really use such a hardware kicking protector for retail soft, but it seems like it might be real fun to reverse it...
regards,
Pyrae
evaluator
October 29th, 2003, 09:22
you must guess that trick,
remember you are in R0, look at stack when trace..
AND this easy trick is incorrectly done!!!
Pyrae
October 29th, 2003, 19:54
Quote:
[Originally Posted by evaluator]you must guess that trick,
remember you are in R0, look at stack when trace..
AND this easy trick is incorrectly done!!! |
Ok, I found out how to quickly bypass it, but must admit, that I still don't really know what makes the difference between single-stepping and letting it run...
What is so R0-specific about this one, eval?
And why do you think this trick is incorrect? Because it uses undefined stack space?
Back to the code woods,
Pyrae
Zwyzum
November 2nd, 2003, 12:09
Quote:
[Originally Posted by separator] Nothing new? Yes, I never seen before protector which protect 11kb application and after protection files has 1.2MB. |
Maybe this is a new trend in protection. I guess it would be difficult to find your 11kb in a 1.2Mb pool.
Zwyzum
crusher
November 27th, 2003, 19:22
nothing new? still stuck with IAT...
Six Black Roses
December 31st, 2003, 02:08
I always wondered why protectors made themselves obvious by jumping to or calling the program (going to the OEP). I thought it'd be more effective to line the protector code right up against the program code, so there's no jump. I thought it'd be more effective to have some sort of periodical CRC check of memory segments. But the only thing I couldn't figure out is how to automate all that, while still remaining stable.
After I skimmed through the whitepaper thing, I must admit I became a little intimidated. Little did I know that in a minute I'd discover it's a small dog that barks and doesn't bite.
I downloaded the trial, and the first thing I tried was to apply this protector to the standard Notepad.exe that comes with Windows XP. I upped all the settings, including the keygen thing. Well, the keygen failed. So I removed that, and tried again. So about 5-7 minutes later, the final exe was ready. I launch it. And about 15-20 seconds later I see a "This software has been protected with the DEMO version of x-protect... blah, blah, blah". And another 10 seconds later I get the standard Windows XP box that comes up when software crashes.
Now, I don't have debuggers installed (except Olly, which wasn't running), and the only thing I had running was the usual Winamp, Internet Explorer, Norton AntiVirus, etc.
And about those times... they seem too slow. I mean, I know I don't have a top of the line system, but I'd think 1.9 Ghz, 512 DDR ram would launch notepad successfully sooner than 30 seconds.
I must say that whoever is thinking of charging 200 dollars for this has bitten down on his penis too hard.
Let's talk practice... The only software packages that'd need this sort of protection are better off handing out dongles with the executables actually inside the dongle, decrypted with a serial number and then a check from the internet servers at least 50 times throughout the application, all while still asking for a CD. But then, the CIA doesn't publicly release any of their computer things.
JMI
December 31st, 2003, 02:27
Most of us aren't limber enough to "bite down hard" on our penis, or maybe we just aren't that well endowed.
Regards,
dELTA
December 31st, 2003, 08:35
Please note that these statements by JMI do in no way necessarily represent all members of the admin/mods team.
JMI
December 31st, 2003, 19:03
And here we have dELTA, shamelessly and wishfully discussing his "member" again.
We may need to adopt a "truth in advertising" policy for the Board.
Regards,
AzynchriX
January 2nd, 2004, 23:56
Your files will need a diet after that...
D-Jester
January 24th, 2004, 02:05
Why couldn't you have said that he bit his tongue...honestly...bite the little general...
I don't even joke about that...
GabryJ
February 12th, 2004, 11:05
X-Protector Unwrapped by Eithel in ExeMp3 2.21
crusher
February 14th, 2004, 14:35
really? who is Eithel??
and which version of Xprotector?
Shoob
February 14th, 2004, 16:24
Quote:
[Originally Posted by crusher]really? who is Eithel??
and which version of Xprotector?  |
EXEMp3 = Asprotect
[EDIT]
EiTheL do pack their cracked asprotect file with their leet XProtector nothing more.
l0rtsu
February 18th, 2004, 06:52
At least one game seems to have been packed with xtreme protector hxxp://www.nforce.nl/nfos/clear_txt.php?id=56710
comunicatel
April 10th, 2004, 11:31
Any news about this unpacker?
Does anyone succeed in unpacking X-prot protected application?
evaluator
April 10th, 2004, 12:42
firstly, does anyone succed to find valuable program protected by it?
once i dld 19 megs, & it was shamelest VB's shamelest program..fif, fif..
Pepone
April 10th, 2004, 14:55
2evaluator: Try Jazl.rR.dio. Hope it's enough "crypted", JMI for sure around.
JMI
April 10th, 2004, 16:02
Nah. He's probably sleeping and won't notice and probably can't break the clever code anyway.
Regards,
comunicatel
April 10th, 2004, 16:58
I see that some people claim to unpack x-prot but I do not see any Ideas here.
I remember the times when people wrote tutorials and shared their ideas.
Pepone
April 10th, 2004, 19:10
2JMI: LOL, 2 persons inside you ? Don't worry inside me too.
JMI
April 10th, 2004, 20:00
I try never to limit myself to just "two" personalities.
Regards,
evaluator
April 11th, 2004, 01:25
heh!
Jasler was that shamelest prog i dumped..
cRk
April 11th, 2004, 14:03
Evaluator i remember i asked you gently to dump Jazler, and not to crack it .. no matter it is VB the main idea was only to dump it. but i also remember that i asked you how you did it.. but i never got a response/answer
and that rar file you supplied me with Jazler included (dumped)
.. you wrote me the pass..... but never worked ... maybe you were just joking?
if you want to practice with a delphi one (XPROCTECTED) look for handycafe and tell us how you do it in case of success. i'll private message you the link to download directly...
Regards
JMI
April 11th, 2004, 15:28
Why would you need to send him the link when any simple search with a search engine would find the download?
Regards,
cRk
April 11th, 2004, 15:32
Quote:
[Originally Posted by JMI]Why would you need to send him the link when any simple search with a search engine would find the download?
Regards, |
sure! i did because maybe he would say hey.. i'm lazy can't find it
LOL
evaluator
April 12th, 2004, 03:34
crk, remember me, what password i said to you? write here.
But i can remember, i wrote, how i dumped it.
comunicatel
April 18th, 2004, 06:45
So any news about unpacking or you want to keep your knowledge for yourself?
After many tries I have no idea how to unpack such a target even without IAT restoring
rendari
February 10th, 2010, 14:02
Just stumbled upon this thread ~6 years later and read it all the way through. Must say it's interesting to see how far Xtreme Protector has evolved from its roots (it's known as "Themida" these days). Many compliments to Rafael and sergio for sticking to it and never giving up on their little project. I imagine it has paid off by now (several million euros over)
Sorry mods for bumping, but it's really interesting to see the contrast. Xtreme protector 6 years from now. Themida today.
evaluator
February 11th, 2010, 07:38
did they removed arrogant methods?
Th3_uN1Qu3
February 11th, 2010, 15:43
Quote:
[Originally Posted by evaluator;85220]did they removed arrogant methods? |
I have Breakaway Broadcast Processor which is protected by WinLicense (Themida+more bells n whistles). BBP also installs itself as an audio driver. It never caused any trouble on any of the computers i installed it on (one Vista 64, two XP 32, not tested on my Win7 laptops yet).
So i'd say they did iron out most bugs. However, it's still getting cracked. It also seems like NOD32 detects all Themida protected apps as viruses since they found there is much more malware packed with Themida vs actual useful programs. Its encryption evades many AV engines, probably this is why it's preferred by malware authors.
rendari
February 11th, 2010, 17:20
Quote:
[Originally Posted by evaluator;85220]did they removed arrogant methods? |
Yep. They removed driver completely. Now it's just Ring 3 shell with good VM
quosego
February 12th, 2010, 04:37
Quote:
Its encryption evades many AV engines |
Which is odd considering it uses standard compression and a 3 line xor,add algo. It's definitely a good protection, as noted by rendari however they greatly depend on their superiority. Which however is no longer there, this makes them sloppy, very sloppy. Though rumor has it they're working on a new protector, let's hope they're focusing their efforts on that.
I never worked on xtreme protector, too young an RCE'er for that but it seems they did do some major improvements coming from there. But as of late it seems no longer..