..---------------------------------------..
..    Crypted functions xmplz on x86     ..
.._______________________________________..


   Sometimes, when  you  write any  stealhed  warez (virz,  bdz,  etc) you
   need  to  protect  it from  lotz of  watcherz:  reverserz,   antiviriz,
   disassemblerz  and  etc.  The first  way  is  to  use  any  packerz  or
   protectors.  Packerz crypts your code, so it's hard to analyze disasmz,
   if u  dunno  which  algorithm  used.  Protectorz  uses  more  difficult
   operations. So, to fuckup any packer u just need to dump memory area of
   the prog - its  image  will  be  already  unpacked. But if you had used
   protectorz, dump disasming may  be not easy - this  kind  of warez uses
   many triks to tangle us.

   Another  way  is  to  crypt  prog'z image.  Looks  good,  but  it  just
   discommodes analyzing of dump.

   And what if we'll crypt only some functions, which can be easy detected
   by antivirii or which will used only in some cases?  So, it's fast  and
   eyase. Well, that's what we'll do now =))

   Btw,  all xmplz in this article  are on asm, cuz  this language is best
   for  organize protection. First of all, letz look what da hell we wanna
   do.

   Letz write some functionz, which we wanna protect:

 .code
 ;----------------------------------------------
 Test1 proc
	 	pusha
	 	mov	eax, 1
	 	mov	ebx, 2
	 	xor	eax, ebx
	 	popa

	 	ret
 Test1_endp:
 endp
 ;----------------------------------------------
 Test2 proc
	 	pusha
	 	mov	eax, 2
	 	mov	ebx, 3
	 	xor	eax, ebx
	 	popa

	 	ret
 Test2_endp:
 endp
 ;----------------------------------------------
 Test3 proc
	 	pusha
	 	mov	eax, 3
	 	mov	ebx, 4
	 	xor	eax, ebx
	 	popa

	 	ret
 Test3_endp:
 endp


   Now,  to  find  our  function in memory and decrypt it, we have to know
   it's addr  and  size.  And  there u'll understand why i code this  xmpl
   on asm - function's addr we can get just with offset op. On C it's more
   long way to do it ))

   To  be  available  get addr of any funcion at any time its good idea to
   store them  somewhere. I choose this variant: in begin of .data section
   i locate struct like this:

  offset  Size   Description
  0       2      -count of crypted functions
  2       4      -addr of first func
  6       4      -size of first func
  .....
  n       4      -addr of n-th func
  n+4     4      -size of n-th func

   This struct should be filled before compilation. After it we'll got all
   needed information.

 .data
   	Proc_Entries_Num	dw 3				; count of funcz

    Proc_Entries:
   		Test1_addr	dd offset Test1			; addr of first function...
   		Test1_len	dd Test1_endp - offset Test1	; ...and its size

   		Test2_addr	dd offset Test2			; addr of second function
   		Test2_len	dd Test2_endp - offset Test2	; its size

   		Test3_addr	dd offset Test3			; addr of third function
   		Test3_len	dd Test3_endp - offset Test3	; its size

       	curr_proc		dd ?				;to store addr of current func
        curr_proc_size	dd ?				;to store size of current func
				; we need it to again crypt fucntion after its execution..


   Okay. Now, we got compiled exe-phile with none-crypted funcz  inside. I
   write  tiny  utility which reads funcz  addrz and their  sizes fr0m our
   struct and  crypts them with choosed method. You can see its sourcez in
   ./include/crypt_func. Its easy ))

   A little bit about cryptography: its the  most interesting :) Here  you
   can use  any algorithm  in func CryptProc i.e. BlowFish, MD5, DES. Just
   don't forget update DecryptProc also ) I'm using xor in this xmpl:

 DecryptProc:
 		mov	esi, eax
 		mov	edi, offset Proc_Entries
 		movsx	ecx, word ptr Proc_Entries_Num

 search:
   mov	edx, dword ptr [edi]
 		cmp	edx, esi
 		jz	found
 		add	edi, 8
 		loop	search

	 	ret
 found:
 		mov	ecx, dword ptr [edi+4]   ;ecx  - size of func
 		mov	dword ptr [curr_proc], eax
 		mov	dword ptr [curr_proc_size], ecx


 decrypt:                       ; crypto algorithm..
 		xor	byte ptr [esi], 66h
 		inc	esi
 		loop	decrypt

		ret


EncryptProc:
		mov	esi, dword ptr [curr_proc]		; offset of our function
		mov	ecx, dword ptr [curr_proc_size]	; its size


crypt:								; crypto algorithm
		xor	byte ptr [esi], 066h
		inc	esi
		loop	crypt

		ret


   Flawz of this technique:

   a) you have to manually fill funcz struct.

   b) if you lost structure in memory, it's not easy to restore it.You may
      try any CRC-algorithm on some function or on whole struct.

   c) its sux to use this tech in BIG projects...

   The  crypting of some  functions is not so big problem, so good luck in
   your researching!!

   In include/crypt_func u'll find:

   test.asm   -  example prog
   crypt.asm  -  utility to crypt functions in compiled prog.
