╔═══════════════════════════════════════════════╗
║┌─────────────────────────────────────────────┐║
║│  BETA VERSION - PLEASE DO NOT DISTRIBUTE!   │║
║└─────────────────────────────────────────────┘║
╚═══════════════════════════════════════════════╝

Bug Report, 31-Aug-99 (stn) - HS build 222
────────────────────────────────────────────────────────────────────

CODE 1.19

MAJOR
- iceunp 0.3.1, 0.3.2, 0.3.x
- improve cup34
- specific platform tricks (realmode, WindowsDRx, fpu, mmx)
- HackStop crashes under Linux' Dosemu
- ltr 1.01+ / gtr kick by jumping into pmode
- deglucker 0.05
- test P3/K7 processors
- TEU reported to unpack HS 1.19 without trouble (Zenix)

MINOR
- add > 64k reloc handling (rhrg.exe), see Mess source
- build 198-200 protected files sometimes insert random keys into the
  keyboard buffer (rar 07-Dec-98)
- @screw_intruder needs cleanup, int 0-2c loop is very inefficient
- bugfixes for NT 4.00
- win16/win32/overlay files are killed (win32 even with display error)
  (reported by Valery)
- COM body encryption is sometimes very boring (Valentino)
  Analyse: the possible repetition rate differs heavily (5 to 86) and
  seems to be output of Rose's mini-mte, which produces random
  encryption algorithms..
- prnregs test for pmode int handlers. NT will probably not permit
  search algorithms in pmode code, realmode check first

FEATURE
- We have had a discussion in the mailing list maintained by Zenix,
  concluding that there is no clean way to detect EDump-II. Therefore
  we officially state that EDump is able to unpack HackStop - this is
  not a HS bug. However, we continue to study the inner workings of
  EDump. We might someday get a great idea ;)

REC BUGS
- exebody length is filled in wrong sometimes
- UPX'ed aurora.exe cannot decently be REC'ed. Research shows that the
  encrypted exe body is damaged at offset 9BB0 (during 930 bytes =
  length decryptor??) and even still encrypted after offset 123E0.
  Did someone say "REC is buggy" out there?
CODE 1.50
- SHAME ][
- PSP moving trick, only if it's compatible
- EDUMP / GTR (hmm, I bet this note will stay here long :))

DOCS
- 2.3 typically -> typical

REMAINING BUGS

PLATFORM LIST:
    + all builds work on Win95/P2-233 (Stonehead)
    + all builds work on DOS62/Intel 486SL25 (Stonehead)
    + all builds work on DRDOS6/Cyrix 486 (Ralph Roth)
 2  + build 183 86 works under NT 4.0/586
 6  + build 187 86/386 works on i486 (stn)
 9  + build 188 86 works on NT (Rose)
14  + build 190b 86/386 works on Win98 (Pietro Liguori)
18  - build 190? 86/386 doesn't work on NT (Thorsten Weber)
      ^ hs86 fixed in b192, hs386 fixed in b198
22  - build 191 386 doesn't work on NT: NTVDM error (Jauming Tseng)
      ^ fixed in b198
20  + build 192 86 works on NT (Valery Shabaev)
23  + build 192 386 works on Win95a/P-MMX200 (rar)
25  + build 192 86/86d/386d work on NT (Rose)
27  + build 198 works on NT 4.0/P-MMX-166, Win95a/P-MMX-200 (rose)
28  + build 198 works on NT (Valery Shabaev)
31  + build 199 works on the XT (stn)
32  + build 203 works on Valentino's DOS 6.0 + EMM386
33  - build 203 crashes (protected files) on Rose's P2-333, Win95b
34  + build 205 works on my dad's P2-400, Win98 (stn)
35  + build 205 works on the P2-333 (rar)
36  - build 207 crashes (protected files) on Andreas Marx' P2-400
37  - Win98 bug in b206 reported by wanghao and Szaszi fixed in b209
38  + build 209 works on the XT (stn)
    - build 209 crashes DEabcdeIJKLfghiMNOPjk01lmn2BADCHKSUM368904 (Andreas Marx)
39  - build 210 crashes DEabcdeIJKLfghiMNOPjk01lmn2BADCHKSUM (Andreas Marx)
      should be DEabcdeIJKLfghiMNOPjk01lmn2368904
40  - build 211 crashes DEabcdeIJKLfghiMNOPjTk01lmn2BADCHKSUM (Andreas Marx)
41  + build 211 works DEabcdeIJKLfghiMNOPjTk01lmn2368904 (ColdIce/Sascha Bielski/Cel450)
42  + build 212 works DEabcdeIJKLfghiMNOPjTk01lmn23689704 (Anakin)
43  - build 212 crashes DEabcdeIJKLfghiMNOPjTk01lmn2BADCHKSUM (hs386, Andreas)
                        DEabcdeIJK fghiMNOPjk01lmn2BADCHKSUM (hs86, Andreas)
44  - build 213 crashes DEabcdeIJKfghiMNOPjTk01lmn2BADCHKSUM (hs386, Andreas)
                        DEabcdeIJKLfghiMNOPjk01lmn2BADCHKSUM (hs86, Andreas)
45  + build 214 works DEeIJKLfghiMNOPjk01lmn23689704DEefghi8904 (hs386, Andreas)
      should display DEeIJKLfghiMNOPjk01lmn23689704; HS.EXE displays
      DEefghi8904 when protecting.
BUILD HISTORY:
  80  rose 120898 initial build HS 1.19, more comments
 180  stn  200898 code review, new 386 anti-tr trick
 181  stn  240898 relocation handling
 182  stn  020998 better stack handling
 183  rose 080998 secret.inc
 184  stn  280998 exe body encryption
 184a rose 290998 com length bug
 185  stn  121098 cmdline handling: filespec -> filename
                  SS had far too high value at entry
                  relocation encryption
                  exe body encryption constants randomized
 186  rose 151098 revision control
 187  stn  181098 -nb -nr switches added
                  last segment of exe body was corrupted
                  bugfix for exeheaders > 64k
 188  stn  191098 resists tr 2.03 (xt's too)
                  more exeheader brandmarks recognized
 189  stn  241098 hs386 with anti-teu trick (exe only release)
                  secret area overwritten at startup (thx 2 mr-d)
 190  stn  021198 minor fixes
 190b stn  081198 try to fix some bugs under NT
                  this fixes a "hs386 infectme.exe -nr" hang on the cyrix (Rose)
 190c rose 151198 TR200 fix? started hs beta mailing list
 191  stn  161198 try to fix some bugs under NT
 192  stn  191198 running line-bugfix for hs386 on my p2
                  this fixes bugs under Win310 (Valentino Tosatti),
                  P200-MMX/Win95a (Rose) and P2-233 (stn)
 192a rose 191198 cosmetic changes
 193  stn  211198 reset TRON ifdefs, error handling improved, removed dr6
 194  stn  241198 some macros were using ds=0, fixed. @screw_deb??
                  194a: protecting: abcdefghi4
                        protected files: abcdefghijk01lmn234
                  194b: protecting: abcdefghi4
                        protected files: abcdefghijk565601lmn234
 195  stn  261198 more debugging info for this fucking NT bug
                  198/197/195: protecting: DEabcdefghi4
                               protected files: ABCDEabcdefghijk565601lmn234
 196              not existing
 197  rose 281198 major NT fixes: thrown away Dark Stalker's cup386/7 trick
                  added a cli before dr7 stuff on strategic places
 198  stn  291198 cosmetic changes
 199  stn  0x1298 1st try to fix J flag by tbscan hr in protected exes (rar)
                  resists DeGlucker 0.04rc
                  improved pure exe body encryption (Valentino)
                  analysed PGMPAK - HS won't support it, it's buggy
                  added error message for #rels > headersize (Valentino)
                  done the build 192 bugfix for coms (was necessary coz I
                  changed something else and it crashed.. weird)
                  (was necessary to run on xts too)
 200  rar  071298 New option -te, fixed the DeGlucker AD trick
                  fixed heuristics virus detection flags of TbScan & RHBVS
 201  stn  091298 fixed error when COM too large (Valery)
                  analysed com body algorithm, not fixed yet (Valentino)
                  fixed word algo bug in REC
 202  stn  141298 fixed "This file has been protected.." while protecting
                  fixed minimum and maximum .COM file size (rar)
                  tested HS with a nuked int1/3
                  added large debug info in COM decryptor
                  protecting exes: abcdefgabcde
                  protecting coms: abcdefgabcde4567wxz123yOPQOPQwxz123y4567
                  protected coms:  abcdefgabcdehijlmnopqrsOPQtuwxz123yv894567ABICDJKLMNEFGH
 203  stn  161298 fixed CUP386 3.4 being able to unpack HS :)) (Zenix)
                  fixed coprocessor instruction in @fuck_unrec
                  added more debug info for Valentino
                  added debug info around overlay-renaming (3 ones)
                  protecting exes: abcdefgabcdeMNOPMNOP
                  protecting coms: abcdefgabcde4567wxz123yOPQOPQwxz123y4567
                  protected coms:  abcdefgabcdehijlmnopqrsOPQtuwxz123yv894567ABICDJKLMNEFGH
                  protected exes:  IJKLMNOP ..
 204  stn  020299 kicked ltr 1.01 (exe)
 205  stn  xx0299 tested Blast Wave HS119/cup13.exe: recognizes HS118 and
                  reboots at 2nd run
                  Mess130/cup13.exe: successful dump
                  Mess130t/cup13.exe: ununpacked/unsuccessful dump :) ..
 206  rar  110599 Released
 207  stn  130599 added verbosedebug lines from previous builds again
                  protected exes should display DEabcdeIJKLfghiMNOPjk01lmn234
                  (mislabeled as build 206)
 208  stn  190599 protecting exes display: DEabcdefghi8904
                  protected exes display:  DEabcdeIJKLfghiMNOPjk01lmn2368904
 209  stn  270599 b208 with TR-trick being fixed by Rose
 210  stn  080699 reset TR200_2 macro, added two TR macros from Mess 1.30
                  added int21randomer
 211  stn  080699 reset TR200_1 macro
                  protected exes display: DEabcdeIJKLfghiMNOPjTk01lmn2368904
 212  stn  090699 removed all code possibly nuking DS (which is not executed
                  anyway according to the debuginfo provided), checked all
                  differences since the correctly-working build 209
 213  rar  110699 small fixes
 214  stn  130699 removed hsmacro.inc, cleaned up rose.inc, added kill_winice2
                  removed LTR trick at startup (fixes Andreas' crash)
 215  stn  130699 fixed @tr200_4 (bx had to be bp, otherwise not ss but ds
                  reference)
                  re-added all fuckups in @TR200_1 - @TR200_4, @Kill_WinIce2
                  moved @TR200_3 into loop (no checksum yet) to make tr scripts
                  a tiny bit more difficult
                  added push ax/pop ss for hs386 at the end of the decryptor
                  verbose*: ifdef VERBOSE compiles these now.
                  reset int 10 in @screwdeb (rose.inc): ifndef DEBUG around it
                  added section in hsexe.inc that does a xor dr7,dr7 in hs86 (!)
                  if the cpu detected is 386+ (nice for UNHS :))
                  added @iceunp1 macro in rose.inc (not yet in hsexe.inc)
 216  rar  200699 recav protected HS+REC files hangs.... maybe a bug of
                  rec 0.40.05? Rec 0.40.06 screws hs.exe (orig. 30 KB > 90 KB)!
                  this version may kick unHS, who knows :)
 219  rar  140899 added iceUNP detection. Tested HS/recAV etc. under
                  Win 2000 Server Beta 3.
 220  rar  150899 changed HSCRC
 221  rar  270899 changed some macros, thus dumb TR scripts may fail
                  (not tested :)
 222  stn  080999 fixed a bug when inthandler=FFFF:FFFF. Credits: M.Hering
 223  rar  220100 released as version 1.20 for beta testers, (c) 2000 etc. fixes
 224  rar  290100 added iceUNP & eDUMP detection
 225  rar  060200 small fixes
 227  rar  080400 win2000, internal releases, beta release for Hanno's EXE List