Congratulations! You’ve just cracked Defender! This is quite impressive, considering that Defender is quite a complex protection technology, even compared to top-dollar commercial protection systems. If you don’t fully understand every step of the process you just undertook, fear not. You should probably practice on reversing Defender a little bit and quickly go over this chapter again. You can take comfort in the fact that once you get to the point where you can easily crack Defender, you are a world-class cracker. Again, I urge you to only use this knowledge in good ways, not for stealing. Be a good cracker, not a greedy cracker.
Protection Technologies in Defender
Let’s try and summarize the protection technologies you’ve encountered in
Defender and attempt to evaluate their effectiveness. This can also be seen as
a good “executive summary” of Defender for those who aren’t in the mood for
50 pages of disassembled code.
First of all, it’s important to understand that Defender is a relatively powerful protection compared to many commercial protection technologies, but it could definitely be improved. In fact, I intentionally limited its level of protection to make it practical to crack within the confines of this book. Were it not for these constraints, cracking would have taken a lot longer.
Localized Function-Level Encryption
Like many copy protection and executable packing technologies, Defender stores most of its key code in an encrypted form. This is a good design because it at least prevents crackers from elegantly loading the program in a disassembler such as IDA Pro and easily analyzing the entire program. From a live-debugging perspective encryption is good because it prevents or makes it more difficult to set breakpoints on the code.
Of course, most protection schemes just encrypt the entire program using a
single key that is readily available somewhere in the program. This makes it
exceedingly easy to write an “unpacker” program that automatically decrypts
the entire program and creates a new, decrypted version of the program.
The beauty of Defender’s encryption approach is that it makes it much more
difficult to create automatic unpackers because the decryption key for each
encrypted code block is obtained at runtime.
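As an added illustration (not code from this book or from Defender itself), here is a toy Python model of the two ideas this chapter describes: each function is encrypted with its own key that exists only at run time, and the blocks inside a function are chained CBC-style. The 8-byte block size, the keyed XOR standing in for the block cipher, and the sample functions and keys are all assumptions.

```python
BLOCK = 8  # assumption: 8-byte blocks, like a 64-bit block cipher

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(code: bytes) -> bytes:
    # Pad to a block boundary with NOPs (0x90); harmless at the end of a function.
    return code + b"\x90" * (-len(code) % BLOCK)

def cbc_xor_encrypt(plain: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: XOR each block with the previous ciphertext block, then apply the
    block 'cipher' (assumed here to be a plain XOR with the 8-byte key)."""
    assert len(key) == BLOCK and len(iv) == BLOCK
    prev, out, plain = iv, bytearray(), _pad(plain)
    for i in range(0, len(plain), BLOCK):
        block = _xor(_xor(plain[i:i + BLOCK], prev), key)
        out += block
        prev = block
    return bytes(out)

def cbc_xor_decrypt(cipher: bytes, key: bytes, iv: bytes) -> bytes:
    """Inverse of cbc_xor_encrypt; returns the padded plaintext."""
    assert len(key) == BLOCK and len(iv) == BLOCK
    prev, out = iv, bytearray()
    for i in range(0, len(cipher), BLOCK):
        block = cipher[i:i + BLOCK]
        out += _xor(_xor(block, key), prev)
        prev = block
    return bytes(out)

def protect(functions: dict, keys: dict, iv: bytes) -> dict:
    """Encrypt every function under its own key. Only ciphertext is stored in
    the image; the key for a function is produced by its caller at run time."""
    return {n: cbc_xor_encrypt(code, keys[n], iv) for n, code in functions.items()}

def naive_unpack(image: dict, key: bytes, iv: bytes) -> dict:
    """A one-key unpacker: applies the single key it recovered to every function."""
    return {n: cbc_xor_decrypt(enc, key, iv) for n, enc in image.items()}

# Constructed sample: two 'functions' as raw bytes plus their run-time keys.
IV = b"\x00" * BLOCK
FUNCS = {"check_serial": b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3",
         "show_ui": b"\x6a\x00\xe8\x01\x02\x03\x04\xc3"}
KEYS = {"check_serial": b"\x11\x22\x33\x44\x55\x66\x77\x88",
        "show_ui": b"\xde\xad\xbe\xef\x01\x02\x03\x04"}

def one_key_is_not_enough() -> bool:
    """True when a single recovered key decrypts its own function but no other."""
    img = protect(FUNCS, KEYS, IV)
    got = naive_unpack(img, KEYS["check_serial"], IV)
    return (got["check_serial"] == _pad(FUNCS["check_serial"])
            and got["show_ui"] != _pad(FUNCS["show_ui"]))
```

Because every function's key is different and absent from the stored image, a generic unpacker that applies one key to the whole program recovers only the function whose key it already has.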
Relatively Strong Cipher Block Chaining
Defender uses a fairly solid, yet simple encryption algorithm called Cipher
Block Chaining (CBC) (see Applied Cryptography, Second Edition by Bruce
Schneier [Schneier2]). The idea is to simply XOR each plaintext block with the
Breaking Protections 415