PROTECTiON NOTE
---------------
The Vertigo Sound plugins have unique protection. You need to have valid
license and good undesrtanding of Windows PE to achieve the full plugin
rebuilding like this release.
Let's check VSC-3 VST3 x64 (67MB) plugin.
The plugin checks license at startup, and extract Core DLL (32MB) to the
%TEMP%\VSC-3 directory. Core is VST3 plugin itself but it has some extra
tricks to avoid being directly loaded without main plugin.
Here is the section of Core DLL:
.text (Code)
IPPCODE (IPP Code)
.xcode (Encrypted Code, Writable)
.rdata (Read Only Data)
.data (Read/Write Data)
.pdata (Exception Table)
IPPDATA (IPP Data)
.rsrc (Resource)
.reloc (DLL Relocation)
And its exports:
ExitDll (VST3 UnInit)
GetPluginFactory (VST3 Factory)
InitDll (VST3 Init)
Vertigo (Protection Callback!)
To rebuild Core, you need to rebuild ".xcode" section and kill "Vertigo"
protection. VST3 functions (ExitDll, GetPluginFactory, InitDll) are
placed in ".xcode" section, not ".text" section like normal plugins.
HOW PLUGIN LOADS CORE
---------------------
Extract Core to %TEMP%\VSC-3\*.tmp.
Load Core by LoadLibraryW().
Decrypt ".xcode" section. (Key and IV is acquired from license)
Call Entry Point of Core with magic number.
Get pointer of "Vertigo" function by GetProcAddress().
Call "Vertigo" function to set protection callback pointer.
At the startup of Core, protection callback (set by "Vertigo" func)
is called. Callback returns 1 if license is valid.
Core now works!
ENTRYPOINT TRICKS
-----------------
The Entry Point of Core is not a real one. Here is pseudo code:
BOOL WINAPI CoreEntryPoint(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved
) {
if ((INT_PTR)lpReserved == MAGIC_VALUE) {
return RealEntryPoint(hinstDLL, fdwReason, NULL);
} else {
return TRUE;
}
}
When Windows loads this Core, lpReserved is 0, it just returns TRUE without
initializing DLL. This "fake" is needed, because ".xcode" section is not
decrypted yet. Calling real initialization code will crash.
After plugin decrypts ".xcode" section, plugin call CoreEntryPoint again,
The value of lpReserved is not 0 but MAGIC_VALUE (0x2CE520 in VSC-3 VST3
x64). Now Core calls real EntryPoint and finally initialize the DLL.
When you rebuild the Core without the requirement of wrapper plugin, you
need to set real Entry Point to the DLL, to make DLL be initialized by
Windows like formal DLL.
SO, IS IT STRONG?
-----------------
The protection of Vertigo Sound plugin is not strong when we compare to the
other popular protectors. However, if hacker does not have any Windows
coding experience, he may have hard time. That's all. It does not even take
hours from experienced hackers before they start claiming "our ones work
better then legit version!".
The first thing Vertigo should do is fixing the critical bug in the DLL
unloading, which does not happen in our release :)