Securom 7 Antidumps
Hello,
I am trying to deal with SecuROM 7.34 for a while now. Now I have encountered problems with the antidumps. The ones inside the "antidump call table" are already fixed, but there are some other ones left I can't find. Normally, my fixed dump crashes after the splash screen, but when I patch kernel32.dll in memory so it returns the PID while dumping, it always crashes after the intro. Conclusion: at least one PID check and more antidumps are unfixed. I searched and patched all PIDs, no success; the ones in the memory I dumped I have also fixed, but they are not executed during startup either. The bad thing is that many antidumps are also there as "normal" functions, e.g. RtlGetLastWin32Error as a check if the cfgs are already there. Does someone have experience with SecuROM antidumps here? (I know Complete Owning already.) My target is V1.1 and uncracked, V1.0 was done by Fairlight. SecuROM only uses the disc check, no pa.
you've only done about 1/2 the job.. the vm has more checks than just the pid.. try looking a bit deeper.. there's a lot more involved than just a dump and patching kernel32 to return the right pid (which is a bad idea to begin with btw)
I know: OpenEvent, CloseHandle, maybe mutex, user and system name, TlsGetValue, RtlGetLastWin32Error, ResetEvent, cpuid, CRC of some system DLLs...
There is a call table with many calls to antidumps; all of those are already fixed. My problem is finding the other ones. Some of them I find, but patching them doesn't help and they are also untouched in the crack for V1.0 => they belong to the game and not to SecuROM. I patched every PID and it crashes after the splash screen, but with the kernel mod after the intro. How can I find the unresolved PID check and the other antidumps? Can I name the target here?
some aren't api stuff.. and yeh you can name the target.. considering it's a 7.34 it doesn't really matter anyway as 7.40 is the current version, so you've got a lot of work ahead of you..
put simply the method you are using is the flaw... if you put some time in and figured out how the vm worked, then you could remove securom entirely.. as, with your method, if the vm is doing something you won't see it (because you blindly dumped it), so if the code has checks in it they will fail and you're doomed..
It is Stranglehold V1.1.
One antidump e.g. returns its own address; that one is fixed. This method is described in Complete Owning and there are lots of cracks (also for higher SR versions) that were made with exactly the same method.
yeh i know the complete owning document, and it's far from complete owning, they missed a lot of things, some of the anti dump functions do different things when called with different parameters, i think it's the vm that's causing your crash.. so you really should investigate that.. it will take some time, but it's definitely worth it as then you can convert the vm code back to x86 code and then you might see some of the checks you've missed which were 'embedded' in the vm 'script'...
in all honesty, the method you're using was the 'typical' method used by some of the crackers at the time, but it's out of date now and isn't exactly 'clean' (by this i mean the cracked executable should be about the size of the protected one or slightly smaller.. i've seen some of the cracks using this method being 50mb+ bigger than the protected exe, and that's bad in my book)..
If the document was called "Chocolate Sauce and Bananas" I may consider reading it :P
But "Complete Owning" is a bit elitist and no doubt is full of flaws.
Complete Owning is wrong, but there are antidumps mentioned in it (the ones that are not in the call table) that are unfixed in my dump, simply because I don't find them.
And normal PID - runs to the splash screen; forced PID while dumping - runs till loading the main menu after the intro. That means at least one PID check is unfixed. I know many people don't like that sort of crack, but I think it is a good start.
honestly, it isn't a good start.. take it from me, i've had years of experience in this, i'm retired now, but most people know my work.. i spent time reversing vm's (of one particular protection mainly) along with some friends, once done we were able to reverse the vm code back to x86.. once you have that it's easier to see the 'true picture' of what the protection does..
imagine it like this, what you have done is essentially dumped the vm tables and handlers, fixed them up, but you have no understanding of what the vm scripts are doing.. so let's say the developers marked a particular bit of code to be vm'ed when the exe was wrapped, and that code did some 'nice checks' (which is evident in some of the newer titles).. if you can't understand the vm code, then your dump will execute that vm script which will then fail, and do unexpected things, which you have to find, and fix.. and well, with it being in the vm script, which is not x86 based, it is essentially an entirely new language to learn to crack... that, put simply, is why the method you're taking is crap.. it's a short-cut at best to achieve the desired end result, but it's far from perfect, and you'd understand very little of how the protection works in detail.. and that is a flaw, because as/when (and it's happening now) a new version comes along with new tricks etc.. you're right back at square one...
I understand all, tippex.
I just want to have a moment of success with a working Stranglehold 1.1 crack after the 2 months I have already been trying to handle it. What you have written above is my plan for the next years: learn how the SR VM works and rebuild the code then. Which VMs did you reverse in the past?
I have read the 2nd part of Complete Owning now and rebuilding the VM (manually) is out of my league.
If someone wants to finish my work, just tell me. I'll upload the dump then and tell you the values when I get the address where to find the antidump. Btw: in Germany, an unprotected budget version with patch 1.1 included is available, but:
- Exe works only with the German version (maybe with the international one when replacing an extra file, too?)
- No blood
- No ragdoll
- Censored cutscenes
- Missing special moves
They are erasing all the fun.
hmm vm's in the past.. pretty much all the major copy protections :)
most involve finding the handler (or handlers if there is more than one vm).. of all, the safedisc one was probably the easiest, securom's one is tricky due to it varying a lot, the starforce one is a bit harder due to it being ring 0 and ring 3 when i did it, and debugging it in ring 0 was annoying to say the least due to anti-softice, which then led to me making my own driver to debug it :) as for things being out of your league.. often it happens in reversing that people run before they can walk, like starting on hard protections without doing the easier ones first, which is a huge mistake.. investing the time, seeing how the easier ones work then taking the ideas / methods you learned and using them on the hard ones definitely has its benefits.. it all depends on your will and time, all i can recommend is plenty of note taking, making little tools etc.. and research (plenty of it).. often if you're lucky some games are released with different protections depending on the country of release, if you can obtain a copy of both, then crack them and compare them it can help immensely, or if you're luckier.. obtaining an unprotected exe.. you could also pick an older target, get the crack for it, attempt to make your own crack and reverse what the cracker did, and understand it.. many people learn that way
I did things like UPX, ASPack, PECompact, ASProtect, RLPack, etc. in the past.
What should be the next level? I think Themida e.g. is also too hard. The SecuROM VM has about 256 VM handlers, I have read. I just know the uncut Stranglehold with SecuROM and the German censored budget version without protection. It helped by confirming that I have the right OEP and that the IAT is ok. Also, SecuROM is the best choice when you try to learn a game protection. SafeDisc is dead, StarForce is only used in Russia nowadays, and like SolidShield 2 it is also much too hard. About SF and SS2 nothing is public (except Reloaded's SF3 insights). Taking an already cracked SecuROM exe as help concerning antidumps doesn't help much; I know how to fix them, but I don't find them. Their location is different on every machine; it also depends on how (if you do it at all) you influence SecuROM's memory allocations. The 40000h block with tons of cpuids (that I found) gets a (slightly) different address every time I start the game. FLT fitted the VM into 15MB in a row, mine is spread through 180 MB, but UPXing the file results in just 11MB. You will never be able to rebuild the virgin file; revirging is the impossible dream of every reverser. Btw: is there an unprotected and patched budget version existing outside Germany? Can you buy the game on Steam?
if that's all you've done then you need to do more work and research, commercial game protections are hugely different from the 'casual' protections you have mentioned, i also wouldn't call UPX a protection, it's a primitive packer, and unpacking it is incredibly basic
i also wouldn't work from any cracks FLT did, they're shit and have been since april 2004.. i have on many occasions made a virgin file.. it is NOT impossible, it takes time and effort, don't try to equate your limitations to mine.. the securom vm checking isn't just cpuid based, that's just binding, you still need to decrypt the script data stream and reverse that back to x86 code.. try learning old securom first.. v5 or so, and safedisc 2,3,4 then move on.. you seem to think that you're 'at the level' to do these protections, and really you're not.. you need to research more, debug more, find out how things work in the protections yourself.. not reading some tuts out there (which btw the ones you mentioned are crap).. sometimes you need to actually do your own methods, figure out how things work, experiment, crash, pick yourself up, experiment again, then you might actually see light at the end of the tunnel, instead of chasing your tail and thinking you're learning something when you are really not
Sorry for insulting you.
With revirging I meant getting back the original file with exactly the same size, sections and code. Can I see such a file from you where you rebuilt the code? I know that rebuilding is too hard for me, but I thought that dumping the VM and fixing the antidumps would work :( OpenEvent and CloseHandle I didn't find yet, same for TlsGetValue and RtlGetLastWin32Error. I have a script for fixing jump bridges; I modified it for my target. At 2 jmp bridges it fails with an access violation when reading from address 000000; a bp on these bridges is never hit... I will check my games for SecuROM 5 protected ones now. Can you recommend me some "easy" targets? Hitman 2 e.g. has just SR 4, but ugly custom triggers inside.
now you're pushing things.. 'can i see such a file'.. what interest is it for you? i made many of them, a lot were safedisc ones, which when the game came out on a budget label with no protection allowed me to see how close it was.. the only thing the crack didn't have was the reloc table which was stripped (and not important for an exe anyway) at protection time... rebuilding to the virgin file is entirely possible if you know your asm, and how compilers work..
the apis you mentioned are not protection based either.. rtlgetlastwin32error is also one from ntdll.dll if i remember right.. so that's wrong.. 'custom triggers'.. nope that's part of the protection too.. script for jump bridges? that's kinda lame too, why is it that the 'new breed' of crackers think using scripts and olly is the best solution? i made my own tools, i debugged when i needed to, just to see what was going on..
I just have a lot of interest in cracks and how they are made.
I have written it in a bad way: RtlGetLastWin32Error is imported from ntdll.dll, but SecuROM uses the result in order to check if it is a dump or not ("RtlGetLastWin32Error: here again we need to return 1, in case there are errors we tell there aren't any"), like GetCurrentProcessId. (Or is Complete Owning wrong here, too?) Automating the fixing of the jmp bridges is a must; there are simply too many for doing it manually. Respect to you for coding your own tools, I can't do that, I must use public tools and plugins. That's the difference between a script kiddie like me and the oldschool leet you belong to :)
ntdll.RtlGetLastWin32Error
Code:
64A118000000 mov eax,fs:[000000018]
securom is calling GetLastError - making it return 1 is (a) fucking stupid (b) really fucking stupid (c) i think i've made the point... yes? error code 1 translation.. [System Translation] -> Incorrect function.
honest advice.. ditch the scripts, ditch the 3rd party tools, learn to code, learn asm (pretty much a must), spend some time, make lots of notes, trace, figure out how each module in the protection works, then figure out how to 'fix' it... otherwise you're really just wasting your own time, and will get nowhere.
Yeah, I noticed that 1 for GetLastError means error_invalid_handle and 0 is needed for error_success.
Returning 1 is meant as a replacement for the whole function of which GetLastError is a part. (Look at page 26 of "incomplete failing" :D in order to see what I mean.) I can't locate that one in my dump; in Bioshock (same SR version) some antidumps are XORed, maybe here too? Tracing takes too much time, the crash happens in a function that is executed almost 1000 times successfully before. (Like another one, where the crash also happened so late; fixing the one with the ADVAPI32.dll checksum solved that crash.) The funniest thing of that tut is "Here you have binary copy of the patch you can paste in binary format:" with the fixed antidumps from the call table. This can never work, since PID, Windows version, etc. are part of it. About 200 hours I have worked on it already. Do you know good tuts for coding asm? The ones here by dabhand are about understanding asm, which I can do already.
setting the value to 1 is... [System Translation] -> Incorrect function. put simply the tutorial or whatever it is you're reading is inaccurate... if it's the arteam one, i would bin it and do the research myself.
again, the method you're using from the tut is the wrong method, bin the tuts, do your own research (which will probably be more accurate than the tuts anyway.. ) and build up a clear picture of what the protection is doing.. i don't know how many times i'll say that before i simply stop replying to this thread.. so please, listen and do it.. you'll thank me later.