The first thing the cracker needs to do is check whether the EXE is packed by some sort of EXE packer or crypter (like UPX, PE-Crypt and others). If it is, the cracker has to unpack it.
To unpack an EXE file, an unpacker is used. There are many unpackers available today - AntiASPack, DePePack, DePeProt and many others - but these unpackers are designed to unpack only some versions of these packers. There are also so-called generic unpackers, which are able to decompress almost any packed EXE.
But don't be afraid - it is possible to find EXE packers which can't be unpacked by generic unpackers and for which there is no unpacker. You just have to look for them on the internet. If there is no unpacker available, the cracker has to unpack the file manually. This is in some cases a very painful job and often ends with no success (for example, PE-Crypt was a tough protection for a very long time, until the "Bye PE-Crypt" unpacker was made).
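The packed-or-not check described above can be approximated from the PE section table alone. The following is an added example, not part of ACLib or the original page: it flags UPX's default section names, sections that are both writable and executable, and high-entropy section data. The 7.0 bits-per-byte threshold and all function names are assumptions, and the sample image is constructed.

```python
import math
import struct
from collections import Counter

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by stock UPX
ENTROPY_LIMIT = 7.0  # assumed heuristic: bits per byte above this look compressed
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags

def entropy(data):
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image):
    """Yield (name, raw bytes, characteristics) for every section header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    count, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    table = pe + 24 + opt_size  # section table follows the optional header
    for off in range(table, table + 40 * count, 40):
        hdr = image[off:off + 40]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        # SizeOfRawData @16, PointerToRawData @20, Characteristics @36
        raw_size, raw_ptr, flags = struct.unpack_from("<II12xI", hdr, 16)
        yield hdr[:8].rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size], flags

def packer_indicators(image):
    """Return the reasons (possibly none) why the image looks packed."""
    reasons = []
    for name, data, flags in pe_sections(image):
        label = name.decode("ascii", "replace")
        if name in UPX_NAMES:
            reasons.append(f"{label}: UPX section name")
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            reasons.append(f"{label}: writable and executable")
        if len(data) >= 256 and entropy(data) > ENTROPY_LIMIT:
            reasons.append(f"{label}: entropy above {ENTROPY_LIMIT}")
    return reasons

def sample_image(name, body, flags):
    """Constructed one-section PE skeleton, only for exercising the checks."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(body), 0x1000, len(body), 0x80, 0, 0, 0, 0, flags)
    return dos + coff + sect + body
```

An empty result does not prove the file is unpacked: packers other than UPX use different section names, and section names are trivially renamed.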
After unpacking, the EXE can be disassembled and debugged by a disassembler. But the tool most used for debugging is NuMega SoftICE. This is the tool that protection programmers are most afraid of. SoftICE is a kernel-mode debugger - it starts before Windows and allows you to debug everything (including the Windows kernel). The debugger shows you an assembly listing of the EXE file and allows you to set breakpoints, modify processor registers, modify the program in memory and do many other things.
ACLib contains lots of functions for detecting this dangerous tool. Unfortunately, there is a SoftICE-masking program called FrogsICE, which is designed to hide SoftICE from other programs. But FrogsICE contains a bug which helps us to protect our application against this tool. Before you start SoftICE detection, it is important to call the Detect_FrogsICE_Kill procedure to make sure that FrogsICE is not running.