SecureEngine® is an innovative and revolutionary technology for protecting Microsoft Windows applications against modern cracking. Its architecture and design are a completely new idea, never seen before in the software security world. Other software protectors run with normal application privileges, supervised and restricted by the operating system kernel. Most modern cracking tools also run at operating system (kernel) level, which makes it very easy for them to study and attack those protection routines, since the routines run at a lower level (application level).
SecureEngine® has been designed with a different approach to avoid this common scenario. Its code runs at the same level as the operating system (kernel) with all privileges enabled. That allows the execution of any kind of protection technique without being restricted by the operating system. At the same time, current cracking tools are unable to detect, study and attack protection routines that have been designed for, and run at, that same level (kernel).
This innovative technology is compatible with all popular Windows versions: 98, ME, 2000, XP and 2003. Both of our products, Themida® and WinLicense®, are enhanced with the SecureEngine® technology.
SecureEngine® implements the following
techniques to keep an application fully protected against
advanced reverse engineering and cracking:

The Windows operating system (OS) architecture is designed to work at two levels of operation: Ring0 runs the Windows kernel and device driver code, while Ring3 runs normal application code. Ring0 code supervises and controls normal Windows applications, which execute at Ring3 level. This means that normal applications are not allowed to run high priority code.
Since SecureEngine® executes some of its code at Ring0 level, it has the ability to run high priority code to implement very powerful techniques against cracking tools. The Ring0 technology is a revolutionary technology never seen before in a widely available commercial software package. This technology allows the development of other SecureEngine® Ring0 features such as MonitorBlockers, MemoryGuard and IntDebugShield.
Most current software protectors only execute their code at Ring3 level and therefore cannot implement effective anti-cracking protection schemes.

SecureEngine® operates at the same priority level as the OS, so it can work in conjunction with the OS and supervise the execution of protected applications. This technique offers one of the strongest ways to protect applications against potential attackers.
Most current software protectors cannot work at the same priority level as the OS and thus cannot implement this kind of protection.
The following pictures show the difference between common software protectors and SecureEngine®. The main difference is that SecureEngine® can supervise the whole system for cracking tools, while the rest of the software protectors are limited by the OS.

All software protectors keep the protected application encrypted before it runs. When a protected application is launched, it must be decrypted in order to be executed by the CPU.
Many attackers have access to tools that allow them to dump a running application from memory to disk. If successful, the attacker will be able to reconstruct the original application with this technique.
SecureEngine® implements never-seen-before techniques to prevent a protected application from being dumped to disk. These techniques work against all kinds of dumping tools, even the most powerful dumpers that run as a device driver.
Most current software protectors use very weak techniques against memory dumpers, such as destroying the executable header at runtime. These techniques can easily be bypassed with newer dumping tools.
The following pictures show an example of an original application dumped from memory before and after being protected with the AntiDumperPro technology.

CodeReplace is a new technology that randomly takes some parts of an application's code and replaces them with garbage code. SecureEngine® encrypts and stores the real code in a secure place, mixed with SecureEngine® itself. The real code is dynamically decrypted and executed only if the protection scheme is valid and present. CodeReplace has specialized techniques to defeat all debuggers while the real code is executed. If an attacker tries to recompose the original program, he will get the garbage code instead of the real code. In the unlikely event that an attacker totally removes the protection scheme, he will also remove the original code that has become part of SecureEngine®.
This technology is not implemented in other software protectors. Only a few software protectors try to use a similar technology, but they are based on removing single instructions, not big blocks of code as SecureEngine® does.

The SecureEngine® VirtualMachine is a powerful technology that allows the execution of code compiled for an imaginary CPU. When this compiled code is executed, a cracker cannot recognize the code that is being executed and cannot understand what a specific algorithm is doing.
Current software protectors do not include this protection technique because of the complexity of implementing it.
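As an added illustration of the idea (not the product's own virtual machine or instruction set, which are not disclosed on this page), the Python below defines a small imaginary CPU, compiles a constructed byte-mixing routine for it, and gives every "protected instance" its own randomised opcode encoding. The mnemonics, the routine and the seeds are assumptions made for this example. The point it shows: two instances of the same algorithm produce different bytecode, the only native code left to disassemble is the interpreter loop, and bytecode fed to an interpreter with a different opcode map decodes as garbage.

```python
"""Toy virtual machine for an imaginary CPU (added illustration).

A small byte-mixing routine is compiled to bytecode; each protected instance
draws its own opcode encoding, so the same algorithm yields different bytes.
"""
import random

# Instruction set of the imaginary CPU. Every instruction is 3 bytes:
# opcode, operand A, operand B (unused operands are zero).
MNEMONICS = ("LOADI", "LOAD", "ADD", "XOR", "ROL8", "LOOP", "RET")


def make_opcode_map(seed):
    """Per-instance mapping mnemonic -> opcode byte, drawn from a seeded RNG."""
    rng = random.Random(seed)
    return dict(zip(MNEMONICS, rng.sample(range(256), len(MNEMONICS))))


# Constructed source program. Registers: R0 accumulator, R1 current input byte.
PROGRAM = [
    ("LOADI", 0, 0x5A),  # R0 = 0x5A
    ("LOAD", 1),         # R1 = next input byte (advances the input cursor)
    ("XOR", 0, 1),       # R0 ^= R1
    ("ROL8", 0, 3),      # R0 = rotate-left-8(R0, 3)
    ("ADD", 0, 1),       # R0 = (R0 + R1) & 0xFF
    ("LOOP", 1),         # if input remains, jump to instruction index 1
    ("RET", 0),          # return R0
]


def assemble(program, opmap):
    """Encode the program with this instance's opcode map."""
    code = bytearray()
    for mnemonic, *ops in program:
        a, b = (ops + [0, 0])[:2]
        code += bytes([opmap[mnemonic], a & 0xFF, b & 0xFF])
    return bytes(code)


def run_vm(code, opmap, data):
    """Interpret bytecode over `data`; this loop is all the native code reveals."""
    if not data:
        raise ValueError("program expects at least one input byte")
    decode = {v: k for k, v in opmap.items()}
    regs, pc, cursor = [0, 0], 0, 0
    while pc + 3 <= len(code):
        op, a, b = code[pc], code[pc + 1], code[pc + 2]
        if op not in decode:
            # Bytecode built for another instance (other opcode map) is garbage here.
            raise ValueError(f"invalid opcode 0x{op:02x} at offset {pc}")
        mnemonic = decode[op]
        pc += 3
        if mnemonic == "LOADI":
            regs[a] = b
        elif mnemonic == "LOAD":
            regs[a] = data[cursor]
            cursor += 1
        elif mnemonic == "ADD":
            regs[a] = (regs[a] + regs[b]) & 0xFF
        elif mnemonic == "XOR":
            regs[a] ^= regs[b]
        elif mnemonic == "ROL8":
            regs[a] = ((regs[a] << b) | (regs[a] >> (8 - b))) & 0xFF
        elif mnemonic == "LOOP":
            if cursor < len(data):
                pc = a * 3
        elif mnemonic == "RET":
            return regs[a]
    raise ValueError("bytecode ran off the end without RET")


def reference_hash(data):
    """The same routine in plain Python, to check the VM against."""
    acc = 0x5A
    for byte in data:
        acc ^= byte
        acc = ((acc << 3) | (acc >> 5)) & 0xFF
        acc = (acc + byte) & 0xFF
    return acc


def protect(seed):
    """Return (bytecode, opcode map) for one protected instance."""
    opmap = make_opcode_map(seed)
    return assemble(PROGRAM, opmap), opmap


if __name__ == "__main__":
    code_a, map_a = protect(seed=1)
    code_b, map_b = protect(seed=2)
    print("instance A bytecode:", code_a.hex())
    print("instance B bytecode:", code_b.hex())
    print("both compute:", run_vm(code_a, map_a, b"abc"), run_vm(code_b, map_b, b"abc"))
```

An analyst who recovers the bytecode of one instance still has to recover that instance's opcode map from the interpreter before the routine becomes readable, and nothing learned carries over to the next instance.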

DebuggerGuard technology introduces revolutionary techniques to detect a debugger in memory. These techniques cannot be bypassed by any known cracking tool and are almost impossible to bypass even if an attacker knows how they work. This technology ensures that a protected application can only run in safe environments, without the presence of debugging tools.
Standard software protectors use very well known tricks to detect the presence of debuggers in memory. These tricks have been described in many documents, online and even in books. Furthermore, due to the Windows NT platform architecture, most of the classic techniques to detect debuggers cannot be applied, which leaves most software protectors relying on weak techniques to detect debuggers.

SecureEngine® adds a large amount of protection code to protect each application. To prevent the protection code from looking the same in each application, SecureEngine® uses SmartMetamorph technology, which mutates the original instructions into different ones with the same functionality. This technology ensures that an attacker will not easily recognize the protection code inserted into each protected application, forcing him to study each protected application independently.
The newest software protectors also use this technology, but it is only applied to some specific routines and not to the main code, allowing an attacker to identify the main functionality of the protection code.
The following pictures show an example of how SmartMetamorph technology is applied to a block of code.

When an application is going to be protected, SecureEngine® removes the application's entry point (the first instructions executed in an application) and overwrites those instructions with garbage code. The original instructions are then scrambled and integrated into the SecureEngine® code.
If an attacker finds the application entry point, he will only get the garbage code.

When an attacker tries to remove the protection scheme, he needs to know which APIs are called by the application. SecureAPIWrapper protects all the Windows APIs called from a protected application, rendering all cracking tools useless. If a protected application is partially dumped to disk, an attacker will not know which APIs are called by the application, because they are scrambled by the SecureAPIWrapper technology.

To combat disassembly of the protection scheme or of a protected application, SecureEngine® uses encryption layers. These encryption layers keep the code totally encrypted, only decrypting the code when it needs to be executed by the CPU.
To strengthen the encryption, SecureEngine® uses polymorphic encryption layers. Each polymorphic layer has a different algorithm and encryption key, making it impossible to recognize where an encryption layer starts and finishes.
The following pictures show two different instances of a protected application with PolymorphicLayers. Every time an application is protected, the polymorphic layers are totally different in functionality and format.

Many attackers use file or registry monitors to see which files or registry keys are accessed by an application. Many applications store their trial period information in files or registry keys. Attackers look for those files or registry keys, which could give them clues about how to cheat the trial period of an application.
SecureEngine® implements very advanced techniques to detect any kind of file or registry monitor running in the system. These techniques are extremely strong and have not been used before in software protectors.
Most current protectors offer file or registry monitor detection techniques, like finding a specific window class name registered in the system or detecting a specific executable running in memory. An attacker can easily bypass these techniques if he has custom file or registry monitors.
The following pictures show how the MonitorBlocker technique affects Regmon, a well-known and powerful tool used by crackers to monitor access to the registry.

SecureEngine® uses AntiCrackTools technology to detect any dangerous cracking tools running in memory and to stop the execution of the protected application, or execute a custom protection routine, when one of those tools is detected.
The AntiCrackTools technology uses sophisticated techniques to detect cracking tools in memory. These new techniques are implemented in kernel mode.

The GarbageCode feature mixes the real code in an algorithm
with garbage code. After doing so, an attacker is forced to
deal with lots of garbage code when trying to study a specific
routine. The GarbageCode technique uses advanced algorithms
to generate garbage code that is quite similar to the real
one, making it almost impossible to recognize which code is
real and which is garbage. For example, if an attacker views
a disassembled application, they will have to study 8,000
instructions instead of the original 1,000 instructions.
Some software protectors use this technique but mix only a restricted set of garbage code with the real code, so an attacker can easily differentiate which code is real and which is not. Often only a few routines are mixed with garbage code.
The following picture shows an example of a block of code
and how that block of code is transformed after applying the
GarbageCode technique.

ClearCode technology offers the ability to remove blocks of code after they have been executed. When an application is running in memory, an attacker may use a dumping tool to dump the contents of the memory to disk. ClearCode knows which code can be removed after being executed and deletes it from memory, thus ensuring that an attacker cannot recompose the dumped code.

The CodeEncrypt technology provides the ability to select blocks of code that remain encrypted the whole time they are not executing. Once executed, the code is encrypted again, to prevent reconstruction of that code if an attacker manages to dump a protected application from memory to disk. SecureEngine® uses strong encryption algorithms to ensure that an attacker cannot reconstruct an encrypted block of code.
The following picture shows an example of a protected application with CodeEncrypt applied to some routines.
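The three encryption-related features described above (PolymorphicLayers, ClearCode and CodeEncrypt) share one lifecycle: a region is stored under a stack of layers that differ in algorithm and key, is decrypted only for the moment it runs, and afterwards is either left encrypted or erased. The Python below is an added illustration of that lifecycle, not the product's code or ciphers: the three byte-wise transforms, the SHA-256 counter-mode keystream, the `ProtectedRegion` class and the `SAMPLE_CODE` string are all constructed for this example. `dump()` stands for what a memory dumper would capture at that instant.

```python
"""Code regions that live encrypted (added illustration, not the product's
algorithms): polymorphic layers, decrypt-run-re-encrypt, erase after use."""
import hashlib
import os


def _keystream(key, length):
    """SHA-256 in counter mode, a stand-in for a real cipher's keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _rol8(value, n):
    return ((value << n) | (value >> (8 - n))) & 0xFF


# Three different byte-wise transforms; a layer is (algorithm, key).
def encrypt_layer(data, algo, key):
    ks = _keystream(key, len(data))
    if algo == "xor":
        return bytes(d ^ k for d, k in zip(data, ks))
    if algo == "add":
        return bytes((d + k) & 0xFF for d, k in zip(data, ks))
    if algo == "rol":
        return bytes(_rol8(d, k % 7 + 1) for d, k in zip(data, ks))
    raise ValueError(f"unknown layer algorithm {algo!r}")


def decrypt_layer(data, algo, key):
    ks = _keystream(key, len(data))
    if algo == "xor":
        return bytes(d ^ k for d, k in zip(data, ks))
    if algo == "add":
        return bytes((d - k) & 0xFF for d, k in zip(data, ks))
    if algo == "rol":
        return bytes(_rol8(d, 8 - (k % 7 + 1)) for d, k in zip(data, ks))
    raise ValueError(f"unknown layer algorithm {algo!r}")


def random_layers(count):
    """A fresh stack of layers: random algorithm and random 128-bit key each."""
    algos = ("xor", "add", "rol")
    return [(algos[os.urandom(1)[0] % 3], os.urandom(16)) for _ in range(count)]


class ProtectedRegion:
    """A block of code kept encrypted; plaintext exists only while it runs."""

    def __init__(self, code, layers):
        if not layers:
            raise ValueError("at least one encryption layer is required")
        self.layers = list(layers)
        self.cleared = False
        image = code
        for algo, key in self.layers:               # innermost layer first
            image = encrypt_layer(image, algo, key)
        self._image = image

    def _decrypt(self):
        data = self._image
        for algo, key in reversed(self.layers):     # peel outermost layer first
            data = decrypt_layer(data, algo, key)
        return data

    def execute(self, run, clear_after=False):
        """Decrypt, hand the plaintext to `run`, then scrub the transient copy.
        With clear_after the stored image is zero-filled as well (ClearCode);
        otherwise the region stays encrypted exactly as before (CodeEncrypt)."""
        if self.cleared:
            raise RuntimeError("region was erased after its last execution")
        plain = bytearray(self._decrypt())
        try:
            return run(bytes(plain))
        finally:
            for i in range(len(plain)):              # wipe the transient copy
                plain[i] = 0
            if clear_after:
                self._image = bytes(len(self._image))
                self.cleared = True

    def dump(self):
        """What a memory dumper captures of this region at this moment."""
        return self._image


# Constructed stand-in for a machine-code routine.
SAMPLE_CODE = b"mov eax, [esp+4]; imul eax, 0x9E3779B1; ret"


def demo(layer_count=3):
    """Dump before, result of one execution, dump after."""
    region = ProtectedRegion(SAMPLE_CODE, random_layers(layer_count))
    before = region.dump()
    seen = region.execute(lambda code: code)  # "run" returns what the CPU would see
    return before, seen, region.dump()
```

Two regions built from the same plaintext with independently drawn layers produce unrelated images, which is the PolymorphicLayers point; a dump taken before or after execution never contains the plaintext, which is the CodeEncrypt point; and a region executed with `clear_after=True` is zero-filled and refuses to run again, which is the ClearCode point.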

The x86 architecture offers debugging capabilities to be used
by software debuggers. Without those debugging capabilities,
software debuggers are unable to operate properly. SecureEngine®
takes full control of the x86 debugging capabilities in order
to ensure that no debuggers are running when a protected application
is run. Traditional software protectors cannot implement this powerful technique because they do not operate in kernel mode, and so the OS limits their operations.

In some situations an attacker will not try to reconstruct
the original code of a protected application. Instead he will
change some of the data or code in memory to change the behavior
of an application. This common scenario is often found in
computer games where an attacker will modify the behavior
of the game to get extra features.
SecureEngine® uses a sophisticated protection technique to prevent an attacker from overwriting the data or code of a protected application while it is running in memory.
Standard software protectors do not offer this kind of technology. There are a few programs that check whether the protected program code has been modified when the protected application is loaded in memory, but an attacker can easily bypass them.

The RealTimeSpy technique uses the power of the ThreadEngine
to continually check that a protected application is running
in a safe environment and no attack has been attempted on
the protected application.
Many software protectors leave the protected application running alone in memory after it has been fully decrypted. This becomes a very weak point for those software protectors, since an attacker can use certain tools to reconstruct the decrypted application in memory.

When SecureEngine® protects an application,
it uses different encryption algorithms and keys, avoiding
the possibility that an attacker will find a generic way to
decrypt all protected applications. These extremely strong
cryptographic algorithms fully protect against reverse engineering.

InteractiveEngine technology allows two-way communication between SecureEngine® and the protected application. The protected application can "talk" at any time with SecureEngine® to verify its presence in memory and check that there have not been any cracking attempts. With InteractiveEngine, SecureEngine® and the protected application work as a single unit.
If the protection scheme is removed by an attacker, the protected application will be notified of this and will finish its execution in memory.

The MutatorEngine technique inspects specific instructions in the application to be protected and replaces them with equivalent ones. This technique prevents a single application from having the same code in each protected instance and obfuscates specific blocks of code to make reverse engineering much harder.
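The SmartMetamorph and MutatorEngine sections describe instruction substitution, and the GarbageCode section describes interleaving real instructions with filler that looks like real code. The Python below is an added illustration of both on a tiny x86-like text listing, not the product's own rewriting engine: the `_equivalents` rules, the `GARBAGE` templates, the simulator and the `SAMPLE` routine are all constructed for this example. The simulator models registers only, not CPU flags, so the rewrites shown are equivalent only for code that does not consume flags; a real engine has to track that. Two protected instances differ in text, and both still compute the same register state as the original.

```python
"""Instruction substitution (SmartMetamorph / MutatorEngine) and neutral
garbage insertion (GarbageCode) on a tiny x86-like listing, checked with a
register-level simulator. Added illustration; flags are not modelled."""
import random

MASK = 0xFFFFFFFF
REGS = ("eax", "ebx", "ecx", "edx")


def _parse(line):
    op, _, rest = line.strip().partition(" ")
    return op, ([o.strip() for o in rest.split(",")] if rest else [])


def _value(token, regs):
    """Register, immediate, or [reg+imm] / [reg-imm] effective address."""
    if token in regs:
        return regs[token]
    if token.startswith("["):
        inner = token[1:-1]
        sep = "+" if "+" in inner else "-"
        base, _, off = inner.partition(sep)
        off = int(off, 0) if off else 0
        return (regs[base] + (off if sep == "+" else -off)) & MASK
    return int(token, 0) & MASK


def execute(listing):
    """Run a listing from zeroed registers; return the final register state."""
    regs = {r: 0 for r in REGS}
    stack = []
    for line in listing:
        op, ops = _parse(line)
        if op == "nop":
            continue
        if op == "push":
            stack.append(_value(ops[0], regs))
            continue
        if op == "pop":
            regs[ops[0]] = stack.pop()
            continue
        dst = ops[0]
        if op in ("inc", "dec"):
            regs[dst] = (regs[dst] + (1 if op == "inc" else -1)) & MASK
            continue
        src = _value(ops[1], regs)
        if op in ("mov", "lea"):
            regs[dst] = src
        elif op == "add":
            regs[dst] = (regs[dst] + src) & MASK
        elif op == "sub":
            regs[dst] = (regs[dst] - src) & MASK
        elif op == "xor":
            regs[dst] ^= src
        elif op == "and":
            regs[dst] &= src
        else:
            raise ValueError(f"unsupported instruction: {line}")
    if stack:
        raise ValueError("unbalanced push/pop")
    return regs


def _equivalents(op, ops):
    """Alternative encodings with the same register effect, or None."""
    if op == "mov" and ops[1] == "0":
        r = ops[0]
        return [f"xor {r}, {r}", f"sub {r}, {r}", f"and {r}, 0"]
    if op in ("xor", "sub") and ops[0] == ops[1]:
        r = ops[0]
        return [f"mov {r}, 0", f"and {r}, 0"]
    if op == "inc":
        r = ops[0]
        return [f"add {r}, 1", f"lea {r}, [{r}+1]", f"sub {r}, -1"]
    if op == "add" and ops[1] not in REGS:
        r, n = ops[0], int(ops[1], 0)
        return [f"lea {r}, [{r}{n:+d}]", f"sub {r}, {-n}"]
    if op == "mov" and ops[1] in REGS:
        d, s = ops
        return [f"push {s}\npop {d}", f"lea {d}, [{s}+0]"]
    return None


def mutate(listing, seed):
    """Rewrite every rewritable instruction into a randomly chosen equivalent."""
    rng = random.Random(seed)
    out = []
    for line in listing:
        alts = _equivalents(*_parse(line))
        out.extend((rng.choice(alts) if alts else line).split("\n"))
    return out


# Register-neutral filler; each template is inserted whole so the stack stays balanced.
GARBAGE = ("nop", "push {r}\npop {r}", "inc {r}\ndec {r}", "add {r}, 0",
           "xor {r}, 0", "lea {r}, [{r}+0]")


def insert_garbage(listing, seed, ratio=3):
    """Interleave about `ratio` neutral instructions before each real one."""
    rng = random.Random(seed)
    out = []
    for line in listing:
        for _ in range(rng.randint(ratio - 1, ratio + 1)):
            out.extend(rng.choice(GARBAGE).format(r=rng.choice(REGS)).split("\n"))
        out.append(line)
    return out


# Constructed sample routine: eax = (0 + 5 + 1) - 7 = 0xFFFFFFFF, edx = 0x10.
SAMPLE = ["mov eax, 0", "mov ebx, 7", "add eax, 5", "inc eax",
          "mov ecx, ebx", "sub eax, ecx", "xor edx, edx", "add edx, 0x10"]
```

Running `insert_garbage(mutate(SAMPLE, seed), seed)` with different seeds gives listings that share no byte pattern with each other yet all reach the same final state, which is what stops a signature written against one protected build from matching the next.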

Normally an attacker will use a debugger to set up breakpoints
in an application. A breakpoint allows an attacker to stop
the execution of an application when a certain event occurs
and study what the application is doing at that point.
SecureEngine® offers advanced techniques
to detect any kind of breakpoints, bypassing them and finishing
the execution of the protected application.
Most current software protectors use weak techniques to detect breakpoints in a protected application. For example, they check the first instructions of an API routine to see if a breakpoint has been inserted. To bypass this technique, an attacker will put a breakpoint in the middle of the API, where it will not be detected. Moreover, most OS breakpoint detection schemes can easily be bypassed using general cracking tools.

Often an attacker will try to study the APIs called by an application in order to see how it works and subsequently bypass the protection. Many commonly available tools allow an attacker to do this. To avoid this kind of attack, SecureEngine® offers AntiAPISpyer technology, which makes the APIs called by a protected application "invisible".

The ThreadEngine is a powerful technique that supervises and protects an application at runtime. The ThreadEngine is composed of a "web" of threads that work cooperatively with the protected application's threads as a single unit. If an attacker threatens a thread, a neighboring thread will report an alert message to the rest of the threads, which then terminate the application in memory or execute a customized routine to stop the attacker.
Only a few software protectors use a similar technique, but they do not use a strong communication protocol between each thread and the protected application's threads. In this scenario each thread runs independently, making it easy for an attacker to attack each thread and bypass this protection technique.

SecureEngine® can add password protection to an application to prevent unauthorized running of the application. This technique uses a highly secure cryptographic algorithm to encrypt and decrypt the protected application with the given password. In the unlikely event that the password checking routine is bypassed by an attacker, the application will be decrypted with an incorrect password, causing invalid instructions and other errors when it is executed.

SecureEngine® uses a highly optimized
algorithm to compress applications and their resources. It
also allows compressing the protection code that is inserted
into an application and uses a very fast decompression algorithm
that does not decrease the application performance when loading
into memory.