Cold Zero's new Protection (encryption) ???


cdkiller
16-04-2003, 10:09
I browsed through the ColdZero.exe and found something
interesting. The executable is protected by SecuROM but
it must be packed / encrypted with another tool.
There is a section called "chirpy".
Anybody know which packer / encrypter was used ???

here is the PE-Header:
----------------------

MZ......................
@.......................
.....................!..
L.!This program cannot b
e run in DOS mode....$..
....&..^b...b...b.......
a.......h.......D.......
....b...j.......`.......
l.......f.......c...b...
........a...6...S.......
c...Richb...........PE..
L...A..=..............SR
..............0.. 0.. 2.
..@.....................
......N.................
........................
.....q2.P.... H.........
........................
........................
..................... 2.
........................
.....text....p..........
................ ..
`.rdata..^^............. -> RData
............@..@.data...
<.......................
....@....ntsc.........$. -> ntsc (?)
.................... ..`
.chirpy.......(......... -> chirpy section ???
............@....idata.. -> idata
.3..../.................
....@..@.text1....... 0.-> text
.................... ..`
.data1....... 2..`... .. -> data
............@....pdata.. -> pdata
..... 4.................
....@....rsrc -> Resource section

Please no newbie posts about this,
I need help from people who are skilled...

cdkiller
18-04-2003, 02:42
I know it's SecuROM but the AddD string with the version number isn't there, so it must be encrypted.
(SecuROM 4.8x can be viewed in Win32Dasm, this file not)

TippeX
18-04-2003, 15:00
There's multiple variants, what you're seeing is the cms_* sections renamed, the AddD missing well... look harder.
Search the exe for the AddD string, you'll find it.
The data after it is indeed encrypted, also there's less appended data, the SecuROM DLLs are now stored within the image itself sometimes.. like I said.. variants .. SecuROM 4.84.7x now has 'variations' incl. diff API wrappers

cdkiller
19-04-2003, 02:24
Ok, but bad for my filescanner :(

TippeX
19-04-2003, 03:43
Nope, just some more coding to do isn't it? Mine works fine heheh ;)

cdkiller
19-04-2003, 05:17
Ok, I'll first do a search for AddD + version at the end of the file.
Then I know it's SecuROM.

TippeX
19-04-2003, 08:08
The AddD tag + version ain't at the end of the file now is it? ;p
If you looked at the end of the file and then thought about the number stored there you might get an idea of how to do away with a byte scan for 'AddD', and there's other methods to detect the variations in the SecuROM itself, try section size matching, byte pattern matching, import usage.. it's all there, just start comparing exes
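The scanner the thread keeps circling back to is essentially a PE section-table walk plus a byte search, so here is a worked example of that, written for this thread rather than taken from any poster's tool. It parses the DOS header, PE signature, COFF header and section table, lists section names and raw sizes (the inputs for the "section size matching" TippeX suggests), flags the section names mentioned in the thread (".chirpy" from the posted header dump, the older "cms_" prefix), reports where the "AddD" marker sits, and measures the overlay (data appended past the last section) so the "less appended data" observation can be checked per file. The suspect-name list is an assumption drawn from this thread, not a vetted signature set, and the sample image is constructed in-memory so the script runs offline; point `scan()` at real file bytes to use it for triage.

```python
import struct
from typing import Dict, List, NamedTuple

# Section names associated with protected images in this thread (assumption:
# taken from the posts above, not a curated signature database).
SUSPECT_NAMES = {".chirpy", ".ntsc"}
SUSPECT_PREFIXES = ("cms_",)
MARKER = b"AddD"  # version tag string discussed in the thread


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> e_lfanew -> PE\\0\\0 -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional  # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, reloc/linenumber ptrs and counts, Characteristics
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, fields[1], fields[2], fields[3], fields[4], fields[9]))
    return sections


def scan(image: bytes) -> Dict[str, object]:
    """Collect the indicators the thread discusses for one PE image."""
    sections = parse_sections(image)
    suspects = [s.name for s in sections
                if s.name in SUSPECT_NAMES or s.name.startswith(SUSPECT_PREFIXES)]
    # Overlay = bytes after the end of the last section's raw data.
    end_of_raw = max((s.raw_pointer + s.raw_size for s in sections), default=0)
    return {
        "sections": [(s.name, s.raw_size) for s in sections],
        "suspect_sections": suspects,
        "addd_offset": image.find(MARKER),  # -1 when absent
        "overlay_bytes": max(0, len(image) - end_of_raw),
    }


def build_sample() -> bytes:
    """Constructed minimal PE32 image (not a real binary) with a .chirpy section,
    an AddD marker inside it, and 8 bytes of appended overlay."""
    spec = [
        (b".text", b"\x90" * 0x20),
        (b".chirpy", b"\0" * 0x10 + MARKER + b"\x01\x02\x03\x04" + b"\0" * 0x08),
        (b".rsrc", b"\0" * 0x10),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew right after the DOS header
    optional = bytes(0xE0)                            # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, len(optional), 0x102)
    raw_ptr = 0x40 + 4 + 20 + len(optional) + 40 * len(spec)
    table, body, vaddr = b"", b"", 0x1000
    for name, data in spec:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        vaddr += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + optional + table + body + b"TRAILER!"


if __name__ == "__main__":
    for key, value in scan(build_sample()).items():
        print(f"{key}: {value}")
```

On a real sample the interesting output is the list of (name, raw size) pairs: comparing those across several protected executables is the "section size matching" approach, and the marker offset tells you whether the tag still sits at the end of the file or has moved into the image, which is exactly the difference between the variants discussed above.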