The Summa Discologica

This section will describe conceptually some of the low-level operational details of the first part of the protection mechanism used by CrypKey. The emphasis is on the disk activity that occurs on a system that has been 'infected' with CrypKey. The reader should note that the investigations were carried out on an Intel PIII running Windows 98, and hence most of the information which follows regarding disk usage by CrypKey does not apply in the case of NT-based systems (i.e. NT-based systems use an entirely different mechanism, even if all of the available fixed disk partitions are formatted FAT rather than NTFS, but more on this later.

The first strange thing I noticed was that after installing a CrypKey protected program (in this case CKI & SKW), firing it up for the first time caused a message dialogue to briefly pop up, saying something about checking the eligibility for a trial licence. This dialogue is difficult to read, let alone capture, due to its brief appearance.

copy of the protected program, the later copies all somehow know that a prior copy already exists on the machine. Uninstalling and reinstalling doesn't give you a new trial licence either, even if you take the trouble of preparing a system snapshot (disk files & registry) prior to installation so that you can manually 'restore' the system to what it was when the trial expires. Apparently, the only way to obtain a fresh trial licence is to format the hard disk and reinstall everything from scratch, which definitely isn't a very pretty or practical solution. I haven't tested whether or not ghosting the machine works, but, for reasons that will be clear shortly, this tactic will only work if the ghosting software does a complete sector-by-sector rebuild of the hard disk drive on which the program was originally installed, and/or you happen to be exceptionally lucky.

So how do they do it? Well, they use two tricks, one brash and presumptuous, the other (on FAT systems) subtle and potentially dangerous to the good health of your PC. The slack space only comes into play when a file's proper size changes. CrypKey analyses directory entries in conjunction with the (first) FAT table so as to identify such slack space behind EXE and COM files (for which size changes are unlikely) and performs lots of cloak-and-dagger absolute disk I/O to read and write signatures, most of which you'll only find with a sector-level disk editor. I said earlier that this is potentially dangerous.
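An added example, not taken from the original essay or from CrypKey: a defender-side check that reads directory entries together with the first FAT to locate the slack space behind EXE and COM files and counts any non-zero bytes left there. The disk image, file names and marker bytes are constructed for the demonstration, and the FAT16 layout and root-directory-only scan are assumptions.

```python
import struct

EOC = 0xFFF8  # FAT16 entries at or above this value end a cluster chain

def layout(img):
    """Read the FAT12/16 BIOS Parameter Block; return byte offsets and sizes."""
    bps, spc, rsvd, nfats, nroot = struct.unpack_from("<HBHBH", img, 11)
    (spf,) = struct.unpack_from("<H", img, 22)
    root = (rsvd + nfats * spf) * bps
    data = root + -(-nroot * 32 // bps) * bps  # root dir rounded up to sectors
    return bps * spc, rsvd * bps, root, nroot, data

def slack_report(img, exts=(b"EXE", b"COM")):
    """Map each root-directory file name to (slack_bytes, nonzero_slack_bytes)."""
    csize, fat, root, nroot, data = layout(img)
    out = {}
    for i in range(nroot):
        e = img[root + 32 * i: root + 32 * i + 32]
        if e[0] == 0x00:  # end of directory
            break
        if e[0] == 0xE5 or e[11] & 0x18 or e[8:11] not in exts:
            continue  # deleted entry, label/subdirectory/LFN, or other extension
        clus, size = struct.unpack_from("<HI", e, 26)
        if size == 0 or clus < 2:
            continue
        for _ in range(0xFFF0):  # bounded walk so a looping FAT cannot hang us
            nxt = struct.unpack_from("<H", img, fat + 2 * clus)[0]
            if nxt < 2 or nxt >= EOC:
                break
            clus = nxt
        used = size % csize or csize  # bytes of the last cluster the file owns
        start = data + (clus - 2) * csize
        slack = img[start + used: start + csize]
        name = (e[:8].rstrip() + b"." + e[8:11]).decode("ascii")
        out[name] = (len(slack), sum(b != 0 for b in slack))
    return out

def sample_image():
    """Constructed FAT16-style image: DEMO.EXE has marker bytes in its slack."""
    img = bytearray(3 * 512 + 3 * 2048)
    struct.pack_into("<HBHBH", img, 11, 512, 4, 1, 1, 16)  # BPB geometry
    struct.pack_into("<H", img, 22, 1)  # sectors per FAT
    struct.pack_into("<5H", img, 512, 0xFFF8, 0xFFFF, 3, 0xFFFF, 0xFFFF)
    struct.pack_into("<11s15xHI", img, 1024, b"DEMO    EXE", 2, 3000)
    struct.pack_into("<11s15xHI", img, 1056, b"CLEAN   COM", 4, 100)
    img[3584 + 1500: 3584 + 1508] = b"CONSTRUC"  # constructed slack marker
    return bytes(img)

if __name__ == "__main__":
    print(slack_report(sample_image()))
```

Non-zero slack is not proof of tampering on a real disk, since slack commonly holds remnants of earlier files; the count is a starting point for inspection with a sector-level editor.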