

  ۻ  ۻ ۻ       ۻ   ۻ ۻ  ۻ
  ۻ ͼ ۺ      ۻ ͼ ۺ ɼ ۻ   ۻ ۻ
  ɼ ۻ   ۺ      ۺ   ۺ ۺ      ɼ  ۻ  ۺ ͼ
  ͼ  ͼ   ۺ      ۺ   ۺ ۺ      ۻ  ۺۻۺ    ۺ
  ۺ      ۻ ۻ ɼ ۻ ۺ  ۻ ۺ ۺ    ۺ
  ͼ      ͼ ͼ  ͼ   ͼ ͼ  ͼ ͼ  ͼ    ͼ :M:
                
                  SECURE WINDOWS NT/9X EXE & DLL PROTECTOR




  
____________________ PELOCKnt v2.04     *For non-commercial use only*

____________________ PELOCK.nt.Console
____________________ Version 2.04  
____________________ Copyright (C) :MARQUIS:DE:SOIRE:
____________________ All rights reserved
____________________ 04/07.98
____________________ Updates: http://www.fortunecity.com/greenfield/tigris/26/



 0. Documentation
   1. Description
   2. Requirements   
   3. Features
   4. Options
   5. Error Values
   6. Development
   7. What's new
   8. Sidenote
   9. Q & A
  10. Revision
  11. Greetings
  12. Registration
  13. Address
  14. Epilog
   


____________________ 1. Description
   PELOCKnt is designed to protect ANY Windows NT4/5 or Windows 95/98 EXE
 and DLL file against reverse engineering and patching. Basically it will
 crypt all objects of a PE (Portable Executable) file leaving it executable.
 Such a crypted file is compatible to all PC's, very fast and strong.
   I added a lot of new features like the dynamic ImportTableLoader,
 full DLL support, 32-bit Virus protection, various debugger protections
 and much more to keep PELOCKed files modern and as secure as possible.
   Other packer often work well with small files too. But do you ever tried
 to pack/crypt large files like excel.exe? While some packer needs forever
 like WWPack32 (you can go drink a coffee in the meantime) or sometimes fail
 with a nice General Protection Fault, PELOCKnt will crypt the file instead
 fast and reliable in a few seconds.
  PELOCKnt was successful tested with nearly every sort of 32 bit files:
 GUI applications like EXCEL.EXE or AGENT.EXE, DLL's like MFC42u.DLL,
 MSVBVM50.DLL and CONSOLE programs like LINK.EXE. It seems to be as
 compatible as possible now.
  PELOCKnt itself is a Windows Console program running in a DOS-Box. If you
 wan't to know what's NEW in v2.04 please read section 7.



____________________ 2. Requirements
  WINDOWS NT4/5 or 95/98 and some EXE- or DLL-files you want to protect.



____________________ 3. Features
 - Protect any Windows 32-bit Portable EXE & DLL file, leaving it executable.
 - Full support for Windows NT4, NT5, W95, W98 and SoftIce. 
 - Crypting EXE & DLL files up to 64 MB in seconds. 
 - 32-bit Virus protection. 
 - Protecting all PE.objects against reverse engineering or patching.
 - Integrated ImportTableLoader support imports by name and ordinal.
 - Integrated RelocationTableLoader supports any imagebase.
 - Up to 50% faster 32-bit crypting compared to the former version.
 - BPX protection.
 - Generic API.Hook protection.
 - Generic File.Tracer protection.
 - Support for EXE files with Export Directory Table.
 - TLS (Thread Local Storage) auto handling.
 - Hiding .object names.
 - DAR DLL.Auto.Recognition 
 - APC Anti.Procdump.Code
 - User.options to protect any crypted file against SICE and NTICE.
 - Generic 32-bit CRC selfprotection against viruses, file manipulations,
   or decrypting errors. If the CRC32 check fails PELOCKnt will display a
   window and than close the protected program to prevent a datalost. A
   General Protection Fault INSIDE PELOCKnt is almost impossible.
   The failure can be caused by:
   a) Virus or FileManipulations  (check with your antivirus program)
   b) Strange TLS values          (try to protect the file with option -Xy)
   c) external packer/protector   (do you used other packers too?)
   d) internal crypting failure   (wait for an update)
 - ...and much more.
   (Technical infos in PERULES.TXT)



____________________ 4. Options
 PELOCKnt.exe File2Crypt.exe [-options]
  Options: -A0      API protection against winice BPX     OFF (default=ON)
            -B0      Create BACKUP file .org               OFF (default=ON)
            -V0      32-bit CRC VIRUS check                OFF (default=ON)
            -N       reNAME/hide objects to PELOCKnt       OFF (default=ON)
            -C       Crypt .CODE section ONLY               ON (default=OFF)
            -K       KILL generic Win9x tracer              ON (default=OFF)
            -W1      NAGSCREEN if winice found (NT/W95/W98) ON (default=OFF)
            -W2      EXIT program if winice found           ON (default=OFF)
            -W3      HANGUP windows if winice found         ON (default=OFF)
            -Xy      eXclude PE.object No.y from protection    (e.g. X3)
            -?       Display only fileinfos, don't crypt it             
            -T"text" Displays a USER-defined TEXT inside a MessageBox   
 
 Example: PELOCKnt.exe excel.exe       (for full protection of excel.exe)
          PELOCKnt.exe myprog.exe -T"Get full version at www.mypage.com!"  

 -A0 Don't terminate the program if any API function of the protected file
     is hooked.
 -A1 DEFAULT, close the program if any API function of the protected program
     is hooked by a debugger. 
     Some words about option A: by default calc.exe would work normal
     as long as you don't hook (bpx) any API which calc.exe uses. Let's
     assume you protected it without any option "pelocknt calc.exe". Inside
     winice you disabled all breakpoints "bd *", than calc.exe would just
     run as normal as before.
     You know one of the API's calc.exe uses is: CheckDlgButton. If you
     hook this API by "bpx CheckDlgButton" and try to execute calc.exe
     again it would just terminate.
     IN GENERAL: "BPX API.program.is.using" IS NOT ALLOWED (DEFAULT).
     But if you apply option -A0 "pelocknt calc.exe -a0" calc.exe would
     even execute normal if you hooked API's like "bpx CheckDlgButton".
     Sidenote: A few API's belonging to PELOCKnt itself can't be hooked
     with BPX or PELOCKnt will terminate.
 -B0 Will prevent PELOCKnt from creating a backup copy of the file you
     want to protect.
 -B1 DEFAULT, create a backup copy of the original program called .ORG.
     If .ORG already exists PELOCKnt will NOT overwrite it, but skip the
     backup process.
 -C  This option is almost never needed, but if a protected file refuse to
     work or crash try to crypt the CODE only "pelocknt program.exe -CA0NB".
 -N  By default PELOCKnt will overwrite any crypted .object name with his
     own name to hinder analysing and unpacking. If you use option -N all
     .object names are preserved.
 -V0 By default the 32-bit CRC selfprotection of PELOCKnt protected files
     is activated with -V1 (Virus check ON). There is NO reason to deactivate
     it with -V0, that's why I might remove this option in furure versions.
     Instead you should use only the option -Xy to find the object, which
     can't be handled correct by PELOCKnt.
 -V1 DEFAULT, 32-bit selfprotection enabled.
 -W0 DEFAULT, no winice checks.
 -W1 "pelocknt calc.exe -w1" would not prevent program execution if you have
     winice loaded but display a Nagscreen "You would never see this without
     a debugger in the background". After you press OK calc.exe works 100%
     normal.
 -W2 Check either for softice95 or softiceNT and exit the program if the
     debugger is present.
 -W3 Hangup windows if softice is present (NT and 9x).    
 -Xy DEFAULT is -X0. This option is like -V0 for experts only and should be
     used almost never (I might remove it soon). The default option -X0
     protects all possible objects.
     Only a number between -X1 and -X9 can be applied.
     A few files have strange entries pointing to a object which should
     NOT be crypted. If PELOCKnt would crypt such a object, the internal
     CRC32 virus check handles this anyway and close the protected file.
     But option -X2 might force PELOCKnt to leave e.g. object No2 untouched,
     protect the rest...and the file will work well.
     Examples to protect strange programs which can't be handled automatic:
              "pelocknt ZOC.EXE -x9"      (don't touch segment No 9)             
              "pelocknt AGENT.EXE -x2"   
              "pelocknt WINWORD.EXE -x4" 
 -?  "PELOCKnt.exe program.exe -?" displays informations about any Portable
     Executable file, but don't crypt or protect it.
 -T"Text" By default PELOCKnt protected files will not display any text.
     But if you want to inform the user inside a MessageBox about something
     special use option -T combined with text included in " " or ' '. Such
     a text can have a maximum of 255 chars.
             Examples: pelocknt myprog.exe /T"Don't try to hack me!"
                   or  pelocknt myprog.exe /T'Contact me at peter@myisp.com'



____________________ 5. Error Values
   Use GetExitCodeProcess to retrieve the Process's uExitCode for PELOCKnt.
  The possible values are:
          0h = Normal ExitCode, anything went well.
  0FFFFFF10h = ErrorExitCode while trying to protect a file.  
  0FFFFFF20h = ErrorExitCode from a PELOCKnt protected file itself caused by:
               a.) a hooked API function        (use "bd *")
               b.) non-available API function   (update your DLL's)
               c.) internal error               (try option -Xy)


   
____________________ 6. Development
  PELOCKnt was careful developed and tested under Windows NT4 and Windows 95.
 Former versions were reliable; this new version includes some needed
 enhancements like DLL crypting and is still as secure as possible. It will
 protect EXE or DLL files by crypting every PE.object and adding a few KB of
 extracode the file.

 Included files are:
 PELOCKnt.EXE  - Console version of the protector itself
 PELOCKnt.TXT  - This file
 PERULES .TXT  - General protector & packer rules
 
 Bugreports are welcome, especially from WinNT5 and Win98 users.
 Such a report should look like:
 OS                             : WinNT5
 Filename which caused the error: mspaint.exe
 How often protected with what? : 4 times PELOCKnt (incl. switch -N and -C"
 Version of PELOCKnt used       : 2.04 
 ...
 
 A bug report including a (protected) file will be ignored and just deleted!
 I email you if I need the file, often I have it already.



____________________ 7. What's new
 NEW in V2.04: 
 - Improved the TLS handling, means option -Xy is more seldom required.
 - Fixed option -C, which wasn't recognized anymore.
 - Altered some minor things.
 
 NEW in V2.03:
 - Option -T"text" to displays a USER-defined TEXT inside a MessageBox.
 - Fixed the Win95/98 PAGEFAULT in PELOCKnt itself. This error was hopefully
   seldom but serious, thanks to Wiesel for reporting it.
 - Changed the internal Interrupt 1 behaviour to a more secure version.
 
 NEW in V2.02b:
 - Fixed the SHARED SECTION problem which could caused a internal CRC32 error,
   thanks to Random for reporting it.
 - Sometimes an error/GPF occured while you close the protected application.
   This is fixed and was a Runtime-Thread-Creation-Bug.
 - Fixed the RESOURCE calculation causing a false Virus alert/CRC32 error.
   The following programs will work now: ACDSEE32.EXE etc. and all already
   crypted programs.
 - Changed some internals and the Win9X Winice detection.
 
 NEW in V2.01:
 - BugFixed the segment check which caused an error under Win98. 
 
 NEW in V2.00:
 - PELOCKnt includes some major changes to .BJFnt, the name reflect this. 
 - Full DLL-PROTECTION support for WinNT4/5 and Win9X.
   Tested successful with a lot of huge DLL's, e.g. MSPAINT.EXE/MCF42u.dll
   (NT4) both crypted and the program works still perfect. MSVBVM50.DLL (W95)
   and many more were tested too without problems.
 - Dynamic ImportTableLoader including several error-checks.
   Of course the IMPORT-TABLE will be crypted now (EXE and DLL). Finally
   I'm erasing the whole IMPORTTABLE expect the IMPORT ADDRESS TABLE itself.
   The DLL-NAME RVA will be ZERO to indicate this.
 - DAR  (DLLAutoRecognition), you can just crypt a renamed DLL.  
 - Generic internal 32-bit Virus check.
 - Option -V0 to disable the new internal 32-bit CRC VIRUS check.
 - Option -Xy. eXclude the given object.number y  from protecting.
 - Full RELOCATION support for any EXE/DLL, even for future versions of Win.
   All former versions just crypted the relocations, but were unable to
   apply them. For the first time PELOCKnt will now handle the whole fixup-
   process itself. Successful tested for instance by crypting the old
   MIRC32.EXE(W95) with a imagebase of 10000h, a rebased CALC.EXE
   (Imagebase=300000h) and other files.
 - Support for all those EXE files which exports functions like a DLL. 
 - Winice BPX checks.
 - Hooked APIs might result in a program termination.
 - AntiProcdump&SimilarProgsCode like:
   AFDC (AntiFileDumpCode) 
   AFTC (AntiFileTraceCode)
   ITDC (ImportTableDestroyCode) 
   RAC  (RelocationApplyCode)
   RDC  (RelocationDeleteCode) 
 - Option -? will only display infos about all fileobjects but don't crypt
   or alter the file itself.
 - Up to 30% faster 32-bit crypting.
 - Warning: the "unpacked" version of PELOCKnt will simply crypt wrong.  
 Changed:
 - Option -B altered in -B0/1. B1 (default) will craete a backup .ORG
   while option B0 will skip the backup process.
 - Option -I removed, because the .idata will be crypted anyway.
 - Option -K. Such a protected file will now kill SoftIce95 and similar
   tools (I changed the detection and killing to a more generic one). The 
   program execution itself and PC's without SoftIce will not be affected.
   NTIce will not be detected/killed by the -K switch.
 - NameHiding (see option -N). Former versions renamed by default ANY object
   to PELOCKnt unless you used the option -N. This version will ONLY rename
   crypted objects to PELOCKnt but leave the name of uncrypted objects as
   they are (Renaming a object don't affect the program execution at all).
 Fixed: 
 - Bug for NT5 and Win98 programs: the calculation of the imagesize was
   wrong, some crypted programs refused to execute.
 - Working imagebase relocation fixups for files like the old MIRC32.EXE.
 - Some minor internal errors (e.g. VirtualFree).



____________________ 8. Sidenote
  A PELOCKnt crypted file will sometimes not display the original icon at
 your desktop (this is no problem at all), unless you use option -C or -Xy.



____________________ 9. Q & A
 Q: Is PELOCKnt for WinNT only?
 A: No, it crypts Windows 95/98 exe or dll files too with no difference.
 Q: How can i be sure my crypted file will work?
 A: I'm sure, there will always a few files which can't be crypted without
    problems. But if you execute your PELOCKnt protected file twice without
    any (windows-initializing) error it's crypted well and will work forever.
    Or you can try option -Xy and -C (crypt .code only), because 1 out of
    10.000 files are compiled by a strange linker which requires this option.
 Q: Can I crypt the exe- AND the dll-file of my project or only one file?
    Of course you can crypt both files. It's even possible to crypt your
    DLL file multiple times, which is more secure against crackers.
 Q: When I execute a PELOCKnt protected file nothing happens or the program
    itself seems to terminate.
 A: Termination means a security flag inside PELOCKnt was touched, maybe by
    a debugger like winice. If you don't have any debugger or similar tool
    installed I urge you to email me at martino@gmx.net describing the
    problem. If you have softice installed, disable all breakpoints "BD *"
    and the program should work well, unless it was protected with the
    option -W2/3.
 Q: I have this program which I can't protect without getting a General
    Protection Fault while executing it. What can I do?
 A: Protect the original program again with the less secure options:
    "pelocknt yourprog.exe -CA0N". Now it should work. If not please email
    me details about your program. Keep in mind: never ever hook PELOCKnt
    internal API's like ExitProcess, MessageBoxA. The program would not work.
 Q: I emailed you several times describing my problem. Why you never answer?
    I feel sorry, I'm not the kind of guy who likes to write emails, but be
    sure I read your email at least and think about it.



____________________ 10. Revision
 v1.0a  - First version ever
 v1.1bd - First public BETA-test version
 v1.2rc - RainbowCode version
 v1.3   - BugFixed ULC version 
 v1.4   - Internal version only
 v1.5   - Internal version only
 v2.00  - Complete new version
 v2.01  - Small bugfix
 v2.02 - BETA only
 v2.03  - Bugfix
 v2.04  - Minor update



____________________ 11. Greetings
   FrMaid, Eddie, Acpizer, Stone, the UCF-crew, Random, Riddler, Jrg A.,
 The Owl, Misha, Lost Soul, G-Rom, Khadgar, Peter K., Phenox, Ritzelmut,
 Huy Hoang, Patricia, Solar Designer, Anakin, Microsoft, Nu-Mega, #cracking
 and the one I forgot.



____________________ 12. Registration
  Not planned.



____________________ 13. Address
                     Marquis de Soire
                     PELOCKnt v2.04
                     Email: martino@gmx.net
                     URL: http://www.fortunecity.com/greenfield/tigris/26/

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.63ui

mQCNAzXHfLgAAAEEAM4U/yvnRcvTOcYgFeG6P7Tgcyzy83ujmTYUMqFEkAF3axf+
5iR6/ryuDkdsrujh6J72euIATCZLUqLhKV37PNr/JfqXKJScfgOS4k3JYl1PO3BU
JqbAOW0tMewR4F2NGMtoTmUBI+WefpjOqOq2qquZkpjz7w+VM4aL5/PhatE5AAUR
tAdtYXJ0aW5v
=jhxj
-----END PGP PUBLIC KEY BLOCK-----



____________________ 14. Epilog
  It's not done till it's done and it sure is no fun.
   
