MOW v1.5 by Tpinc
1 of 2 files
stonehead
This download is an executable MS-DOS program that will not run on a modern computer.
It needs a DOS emulator such as DOSBox-X or DOSBox Staging,
or a virtualized MS-DOS or FreeDOS system.
Browsers may flag this download as unwanted or malicious. If unsure, scan it with VirusTotal.
Last modified Dec 3, 2017 7:32:40 PM
MD5 checksum e7cece68426a2b847e5ed89592b0bb4f
Mime type Zip archive data
File mow.15-stonehead.zip
Size 14 kB
4 items in the archive
- FILE_ID.DIZ
- MOW.DOC
- MOW.EXE
- MOW.PAS
MOW doxx.. v1.4, April 97.
This program was not inspired by Rose's AHCR (use the newest
UPC to unpack AHCR.EXE) but was started around January 1997,
before I knew of AHCR.
Of course, MOW's _name_ is inspired by Rose :)
I hate those assembler macros like
                         ; machine code
     push bx             ; 53
@@1: mov bx, 04EBh       ; BB EB 04
     pop bx              ; 5B
     jmp @@1+1           ; EB FB
     db 9ah              ; 9A (never executed: fake code)
@@2:
What do these commands do? In fact, it is just a jump to the
@@2 label. At the position @@1+1 are the bytes EB 04.
(Remember that a word is stored reversed in memory.) The code EB 04
means: jump to the byte after the next 04 bytes. That's at @@2.
The code EB FB means: jump back 5 bytes. That is right. Remember
that the "cursor" (IP), after executing a command, points at the
first byte of the next instruction, so the bytes FB, EB, 5B and
04 are skipped and execution resumes at @@1+1, the EB byte inside
the mov.
Now you see that the code was only meant to obscure things.
If I want to hack this, I can just NOP it. Placing NOP
commands over the code means that the patched code does 'No
OPeration': it is skipped by the processor. You'll get this:
; machine code
nop ; 90
@@1: nop ; 90
nop ; 90
nop ; 90
nop ; 90
nop ; 90
nop ; 90
nop ; 90
@@2:
Now everyone can see that the previous instructions in fact
didn't do anything. The "fake jump" has been cleared.
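As an added example (Python, not MOW's Pascal source and not Rose's macro code), here is a minimal version of what MOW does for the one macro listed above: decode the short jumps, trace the real execution path to confirm that everything between the push and @@2 is dead, and overwrite the span with NOPs. The register-agnostic pattern, the sample bytes and the function names are this example's own assumptions; the macro bytes follow the listing, with the jump back to @@1+1 encoded as EB FB (rel8 = -5, counted from the byte after the jmp).

```python
from __future__ import annotations

NOP = 0x90

# Constructed sample input: the macro exactly as listed in the DOC
# (push bx / mov bx,04EBh / pop bx / jmp @@1+1 / db 9Ah) followed by a real
# instruction pair (mov ax,4C00h / int 21h) so the trace has somewhere to land.
MACRO = bytes.fromhex("53 BB EB 04 5B EB FB 9A")
TAIL = bytes.fromhex("B8 00 4C CD 21")
SAMPLE = MACRO + TAIL


def short_jmp_target(code: bytes, at: int) -> int:
    """Offset a `jmp short` (EB rel8) at `at` transfers to. rel8 is signed
    and is added to the offset of the byte AFTER the two-byte jmp."""
    if code[at] != 0xEB:
        raise ValueError(f"no jmp short at offset {at}")
    rel = int.from_bytes(code[at + 1:at + 2], "little", signed=True)
    return at + 2 + rel


def trace(code: bytes, start: int = 0, limit: int = 32) -> tuple[list[int], int]:
    """Follow execution from `start` with a tiny decoder that knows only the
    opcodes the macro uses (push/pop r16, mov r16,imm16, jmp short) and NOP.
    Returns (offsets of executed instructions, offset where decoding stopped)."""
    ip, seen = start, []
    while 0 <= ip < len(code) and len(seen) < limit:
        op = code[ip]
        if 0x50 <= op <= 0x5F or op == NOP:   # push/pop r16, nop: 1 byte
            seen.append(ip)
            ip += 1
        elif 0xB8 <= op <= 0xBF:              # mov r16, imm16: 3 bytes
            seen.append(ip)
            ip += 3
        elif op == 0xEB:                      # jmp short: unconditional
            seen.append(ip)
            ip = short_jmp_target(code, ip)
        else:                                 # unknown opcode: real code starts here
            break
    return seen, ip


def find_fake_jump_macros(code: bytes) -> list[tuple[int, int]]:
    """Locate the listed macro in register-agnostic form (an assumption of
    this example): push rX / mov rY, NNEBh / pop rX / jmp short back to the
    EB inside the mov / filler, where the inner jmp lands past the outer jmp.
    Returns (start, length) spans."""
    spans, i = [], 0
    while i + 6 < len(code):
        push, mov, lo, pop, outer = code[i], code[i + 1], code[i + 2], code[i + 4], code[i + 5]
        if (0x50 <= push <= 0x57 and pop == push + 8          # pop of the same register
                and 0xB8 <= mov <= 0xBF and lo == 0xEB        # mov rY, imm16 with low byte EB
                and outer == 0xEB
                and short_jmp_target(code, i + 5) == i + 2):  # jumps back into the mov
            end = short_jmp_target(code, i + 2)               # where the hidden jmp lands
            if i + 7 <= end <= len(code):                     # past the outer jmp, inside buffer
                spans.append((i, end - i))
                i = end
                continue
        i += 1
    return spans


def nop_macros(code: bytes) -> tuple[bytes, list[tuple[int, int]]]:
    """Overwrite every detected macro with NOPs and return the patched copy
    with the spans patched. Lengths are preserved, so all other offsets in
    the file stay valid, which is what makes a disassembly readable afterwards."""
    patched = bytearray(code)
    spans = find_fake_jump_macros(code)
    for start, length in spans:
        patched[start:start + length] = bytes([NOP]) * length
    return bytes(patched), spans


if __name__ == "__main__":
    path, stop = trace(SAMPLE)
    print("executed offsets:", path, "real code starts at", stop)
    patched, spans = nop_macros(SAMPLE)
    print("patched spans:", spans)
    print("patched bytes :", patched.hex(" "))
```

The decoder knows only the opcodes the macro uses plus NOP, which is enough to show the path: push, mov, pop, the jmp back into the mov, the hidden EB 04, and then @@2. Were the back-jump encoded as EB FC instead, the trace would stop on the 04 byte at @@1+2 rather than reach @@2, which is a quick way to check a macro's displacement before patching it out. MOW itself handles many more macro shapes; this covers only the one from the listing.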
Rose uses these jumps about 29837523 times to "protect" his
program from hackers. When I met him at the TPiNC party, I
tried to persuade him that nobody is stopped by this lame
stuff, but he thinks it is a kind of protection, not against
some lame 1960 debuggers that might crash on it, but to make
the code harder to understand. I agree with him that it is
more annoying to debug, but I think that, no matter the
macros, anyone will get through, so in my opinion they are
just a way to show that the author of the scrambler isn't
creative enough to develop really good anti-debug tricks.
Instead he uses all this fucking stuff and has no time to
code nicer things.
Well, here is a way to get a clean source listing of HackStop.
Unpack HS.EXE (I myself currently use a combination of KiLLHS and
CUP386 /3/D, because KiLLHS 1.2 isn't able to
open REC), run MOW over it to kill the macros, and
disassemble HS.NOP using Sourcer. This will hopefully give
you a more readable source.
If you want to unpack HS/386, first use a good 386 debugger,
for example an anti-backdoored WinICE.
You can also use MOW on, for example, TEU. I used CUP386 to
unpack v1.66d. The lame method works too: just set one
breakpoint on cs:100h and you're ready to dump. TEU's code
contains tons of shit. MOW will get rid of about 900 macros.
Afterwards, just search for EB04 and EB02 and remove by hand the few
macros that were not scanned (MOW supports nearly all of them!).
MOW will never be complete, but I used quite a lot of code to
test it: HackStop, DS-CRP, Fds0ft-CRP, SafeLock, DECOM, RCC,
a Ciphator decryptor, TEU and some weird one-day macros.
I want to greet Bushwoelie^MSH, who coded his own ASM version
of this theme (RoseNop) because an old version of MOW seemed
to have a bug. Kevin Tseng fixed bugs in my search engine.
My previous code has been published on the TPiNC mailing list.
MOW itself is too lame to keep the source private, so here
you have the full source. It is a kind of EXE patcher. Do
with it what you want.
I wanted to code fast, so it's Pascal rather than ASM. The first
part is a real mess, because it was coded in stages. Do
not expect a cleanup in the next version, but I'll try
something to make it readable :)
See you, Stonehead^TPiNC.