FileForums

FileForums (https://fileforums.com/index.php)
-   CD/DVD Copy Protections & Utilities (https://fileforums.com/forumdisplay.php?f=10)
-   -   Tages.5.5.Generic.Unpacker-iND (https://fileforums.com/showthread.php?t=78971)

munsterbuster 06-11-2006 09:19

Tages.5.5.Generic.Unpacker-iND
 
Has somebody tried this tool, or does anyone know where I can get it?

Joe Forster/STA 06-11-2006 09:53

Hehe, isn't that a hoax? :)

munsterbuster 06-11-2006 10:03

It's sizzling through some p2p and FTP boards. And it's on some pre bots < not nuked until now.

Joe Forster/STA 06-11-2006 12:47

I can't keep pace with modern copy protection but, from what I read from you people here, the greatest advantage of Tagés is that cracking one piece of software protected by it doesn't mean that cracking another piece of software, also protected by it, will be easier. Now then, how come there's a general unpacker for it?!

Muji-FightR 06-11-2006 13:01

Actually, there _must_ be a generic way to unpack one specific version (!) of a protector, as every protector has to protect programs in a particular way, otherwise it wouldn't work, huh?
Afaik you cannot create random protection; well, you can, but it will eventually all be the same, even though you have 10 special API redirections, VM entries, opcode interpreters, whatever ;)

If you know all the 10 'random' ways of protection, it should be possible...

TippeX 06-11-2006 13:27

Agreed, especially if you use a sandbox-style technique; then resolving APIs and creating loggers for their API handlers and so on is pretty damned simple...

caki 06-11-2006 16:08

Maybe it patches the CD check? The new Safedisc API can be a bitch (but still generally resolvable with the sandbox-like technique that TippeX mentioned), but patching the CD check is a much nicer way to deal with Safedisc, because that is mostly generic, no matter what the protection options on Safedisc are...

Joe Forster/STA 06-11-2006 16:58

Excuse me but what is "sandbox-style technique"?

TippeX 06-11-2006 19:15

All APIs from a DLL are rerouted (with care taken for forwarded exports etc.). The new rerouted API has a 'pre' and an 'after' portion; between them is the 'live' portion...

like this

pre code -> output param info, stack, whatever (if it's an API you're interested in and you've coded the handler for it)
real code -> simply pushes the params again (if any) and calls the API
after code -> the API has been called; log info or run the handler etc. (preserving registers), then the code returns (fixing up the stack and cleaning up)

problems -> multi-threading: your handler must handle the multi-threaded case, so use locals on the stack; it also generally needs to be done in asm (so it's clean and tidy... and small)...

after you've got it all working, it's pretty damned nice

every export should have its own unique address, making import table fixing etc. a doddle

once you've then 'targeted' the APIs you're after, you can code record/playback portions, making the call do whatever you like...

simple in theory, hard to get done; once done it's probably the most powerful system you can handle: it requires no anti-debugging and has pretty much complete control of the process (the code won't use debug APIs, for example; in 2k or higher all the handlers and rerouting are local, i.e. not global on the system, so it won't be 'seen' by anti-debug code and so on... provided it's coded well, of course...)

the record/playback does work for some protections...

many methods to get it done...

1. DLL injection (can get very messy)
2. 'fixing' Windows File Protection, patching DLLs and so on, and using events/flags to enable/disable handler code... tons of work but pretty damned safe... generally if you're doing this you've got to be good, and if you want to be safe use VMware :)
3. both of the above

only shit thing is when you have it done, lots of lamers ask you for it..... (and none should get it) :)
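
The pre/live/after rerouting and the record/playback layer TippeX describes, as an added worked example; this is not code from the thread or from any tool mentioned in it. It runs on any platform rather than patching a real Windows DLL: three plain C functions stand in for a module's exports, an array of function pointers plays the import table that gets rerouted, every export gets its own stub (so a rerouted import slot maps back to exactly one export), and each call runs pre -> live (or playback) -> after. The export names, the `sb_*` helpers, the `hide_debugger` handler and the record cache are all this example's own assumptions. The cache is a single shared array, which is precisely the shared state TippeX's multi-threading warning is about.

```c
/* Added example (not code from the thread): a process-local "sandbox" in the
 * shape TippeX describes. Stand-in exports, a fake import table that gets
 * rerouted to per-export stubs, and a pre -> live/playback -> after path.
 * All names here (sb_*, hide_debugger, the fake exports) are this example's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXPORTS  3
#define MAX_RECORDED 16

typedef uint32_t (*api_fn)(uint32_t a, uint32_t b);
typedef uint32_t (*after_fn)(uint32_t ret);

enum sb_mode { SB_LIVE, SB_RECORD, SB_PLAYBACK };

struct export_entry {
    const char *name;
    api_fn      real;                   /* the original export */
    after_fn    handler;                /* optional "after" handler; may rewrite the result */
    uint32_t    recorded[MAX_RECORDED]; /* results captured in SB_RECORD mode */
    int         n_recorded;
    int         play_idx;               /* next slot replayed in SB_PLAYBACK mode */
};

/* Process-wide state. The record cache is shared between threads, which is the
 * multi-threading trap TippeX mentions; a real build keeps it per thread. */
static struct sandbox {
    enum sb_mode        mode;
    struct export_entry exports[MAX_EXPORTS];
    int                 log_lines;      /* pre/after lines emitted so far */
} g_sb;

/* Stand-ins for the target DLL's real exports (constructed for this example). */
static uint32_t real_IsDebuggerPresent(uint32_t a, uint32_t b) { (void)a; (void)b; return 1; }
static uint32_t real_GetTickCount(uint32_t a, uint32_t b) { static uint32_t t = 1000; (void)a; (void)b; return t += 17; }
static uint32_t real_Add(uint32_t a, uint32_t b) { return a + b; }

/* The common path every rerouted export takes. */
static uint32_t sb_dispatch(int idx, uint32_t a, uint32_t b)
{
    struct export_entry *e = &g_sb.exports[idx];
    uint32_t ret;
    /* pre: log what the caller passed in */
    printf("[pre ] %s(0x%08x, 0x%08x)\n", e->name, a, b);
    g_sb.log_lines++;
    /* live: call the real export (recording if asked); playback: replay a captured result */
    if (g_sb.mode == SB_PLAYBACK && e->play_idx < e->n_recorded) {
        ret = e->recorded[e->play_idx++];
    } else {
        ret = e->real(a, b);
        if (g_sb.mode == SB_RECORD && e->n_recorded < MAX_RECORDED)
            e->recorded[e->n_recorded++] = ret;
    }
    /* after: let the handler rewrite the result, then log it */
    if (e->handler)
        ret = e->handler(ret);
    printf("[post] %s -> 0x%08x\n", e->name, ret);
    g_sb.log_lines++;
    return ret;
}

/* One distinct stub per export: the stub address is what goes into the rerouted
 * import table, so any import slot can be mapped back to exactly one export. */
#define SB_STUB(n) static uint32_t sb_stub_##n(uint32_t a, uint32_t b) { return sb_dispatch(n, a, b); }
SB_STUB(0) SB_STUB(1) SB_STUB(2)
static const api_fn sb_stubs[MAX_EXPORTS] = { sb_stub_0, sb_stub_1, sb_stub_2 };

/* "After" handler for IsDebuggerPresent: whatever the real API saw, say no. */
static uint32_t hide_debugger(uint32_t ret) { (void)ret; return 0; }

/* Set up the export table and fill the caller's import table with stubs. */
static void sb_init(enum sb_mode mode, api_fn iat[MAX_EXPORTS])
{
    static const struct { const char *name; api_fn real; after_fn handler; } tbl[MAX_EXPORTS] = {
        { "KERNEL32.IsDebuggerPresent", real_IsDebuggerPresent, hide_debugger },
        { "KERNEL32.GetTickCount",      real_GetTickCount,      NULL },
        { "DEMO.Add",                   real_Add,               NULL },
    };
    memset(&g_sb, 0, sizeof g_sb);
    g_sb.mode = mode;
    for (int i = 0; i < MAX_EXPORTS; i++) {
        g_sb.exports[i].name    = tbl[i].name;
        g_sb.exports[i].real    = tbl[i].real;
        g_sb.exports[i].handler = tbl[i].handler;
        iat[i] = sb_stubs[i];   /* the reroute: import slot -> stub, not the real export */
    }
}

/* Switch mode without dropping recordings; playback restarts from slot 0. */
static void sb_set_mode(enum sb_mode mode)
{
    g_sb.mode = mode;
    for (int i = 0; i < MAX_EXPORTS; i++) g_sb.exports[i].play_idx = 0;
}

/* Stand-in for the protected program: it only ever calls through its import table. */
static uint32_t protected_code(api_fn iat[MAX_EXPORTS])
{
    if (iat[0](0, 0))            /* IsDebuggerPresent: bail out if a debugger is seen */
        return 0xDEAD;
    uint32_t t = iat[1](0, 0);   /* GetTickCount */
    return iat[2](t, 1);         /* Add(t, 1) */
}

/* Run once recording, then once in playback. Returns 1 if the playback run
 * reproduced the recorded run's result; out[0]/out[1] receive both results. */
static int demo_record_then_playback(uint32_t out[2])
{
    api_fn iat[MAX_EXPORTS];
    sb_init(SB_RECORD, iat);
    out[0] = protected_code(iat);
    sb_set_mode(SB_PLAYBACK);
    out[1] = protected_code(iat);
    return out[0] == out[1];
}

int main(void)
{
    uint32_t r[2];
    int same = demo_record_then_playback(r);
    printf("record run -> 0x%x, playback run -> 0x%x, identical: %s\n", r[0], r[1], same ? "yes" : "no");
    return same ? 0 : 1;
}
```

The second run gives the same answer as the first even though the stand-in `GetTickCount` advances on every call, because in playback mode the stub never reaches the real export; and `protected_code` never sees the debugger because the `hide_debugger` handler rewrites the result in the "after" portion, which is the "making the call do whatever you like" part.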

cdkiller 06-11-2006 19:20

Yeah, I've also heard about this tool, but I don't know if it's real...
Why release such a tool? So developers can have an eye on it and check how...?

But a generic Tages 5.5 unwrapper can be done (like Muji-FightR said) because the Tages basic executable wrapper is the same in every version of 5.5.

caki 06-11-2006 19:27

Actually, I was thinking of something a bit different, TippeX... like logging all access between the protection API and the game, and then figuring stuff out from there :)

TippeX 06-11-2006 19:29

Well, release it and it'll be heavily blacklisted... keep it to yourself and you have a tool that will probably last a lot longer...

That, and the effort involved... giving it to someone (who didn't work with you etc.) doesn't seem 'fair'... and it can (and most likely will) be abused...

Oh, and it's real :) (sandboxing, that is, not the Tagés tool... haven't come across it yet...)

TippeX 06-11-2006 19:41

Quote:

Originally Posted by caki (Post 331587)
Actually, I was thinking of something a bit different TippeX... like logging all access in between protection API and game, and then figuring stuff out from there :)

Well, if you have the beginning, the middle and the end all recorded in a nice log file, you can see the instruction 'flow' and what it's actually doing...

example :

[p] Probable. Sf3 Protect.dll as -> c:\Program Files\Breed\Run\PROTECT.DLL
... Analysing ***
[!] Protect.dll Found @ va : .000DA0000h -> Profiling.. please wait
... Export Table : 0014F1200h | Size : 00000008Eh
... IAT : 0014F02D4h | Size : 000000078h
... Import Table : 0014F0000h | Size : 0000002D4h
[i] StarForce Version : 3.03 | Build : 3.03.033.006, 19.02.04

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress
-> Retp .000DA4038h
. . Module : 077E60000h -> IsDebuggerPresent
. VA Returned : .001B868A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent
-> Retp .000DA403Eh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetModuleFileNameA
-> Retp .000DA41A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetSystemDirectoryA
-> Retp .000DA41C5h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CompareStringA
-> Retp .000DA5644h
. . String #1 : (00000001Bh) -> c:\Program Files\Breed\Run\
. . String #2 : (000000014h) -> C:\WINDOWS\System32\
. . Result (01) : String #1 < String #2

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetWindowsDirectoryA
-> Retp .000DA41EEh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CompareStringA
-> Retp .000DA5644h
. . String #1 : (00000001Bh) -> c:\Program Files\Breed\Run\
. . String #2 : (00000000Bh) -> C:\WINDOWS\
. . Result (01) : String #1 < String #2

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA21AEh
. FileName : \\.\PROSYNC1 | Axs : Read/Write
. . File Handle : 0000000A0h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : DeviceIoControl
-> Retp .000DA22B9h
. . File Handle : 0000000A0h | Control Code : 092002400h
In : .000000000h | Size : 000000000h
Out : .00012F9BCh | Size : 000000004h

*** Before DIoC ***

--- DIoC [OUTPUT] DataGram Start ---

.00012F9BCh: 01 00 00 00 | ....

--- DIoC [OUTPUT] DataGram Finish ---

*** After DIoC ***

--- DIoC [OUTPUT] DataGram Start ---

.00012F9BCh: 05 00 00 00 | ....

--- DIoC [OUTPUT] DataGram Finish ---

. DIoC Return Code : 000000001h

APi -> tID : 0000000E0h -> cs:0001Bh -> ADVAPI32.dll : RegOpenKeyA
-> Retp .000DA8022h
. . Key : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTice
.x. Return Error -> Eax : 000000002h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\NTICE0000 | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\NTICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\WINICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA
-> Retp .000DA3F80h
. FileName : \\.\SICE | Axs : Read
. . File Handle : 0FFFFFFFFh

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress
-> Retp .000DA4038h
. . Module : 077E60000h -> IsDebuggerPresent
. VA Returned : .001B868A4h

APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent
-> Retp .000DA403Eh

APi -> tID : 0000000E0h -> cs:0001Bh -> msvcrt.dll : __set_app_type
-> Retp .0004EDC07h

------------------------------------------------------------------------------

*** First Api Hit @ VA : .0004EDC07h -> True Ep Nearby... Profiling

------------------------------------------------------------------------------

[S] Sf3 Hooked Api Scan Report

[s] -> Scanning d3d8thk.dll
[s] -> Scanning d3d9.dll
[s] -> Scanning protect.dll

r .0004EE048h -> Unknown.. Attempting Calculation
... Sf3 Api Reroute . 001D50D4Ah -> .000DA9000h
.001D50D4A 6883FF9DB3 push B39DFF83
.001D50D4F E9AC8205FF jmp 00DA9000
.000DA9000 EB14 jmp short 00DA9016
.000DA9002 EB04 jmp short 00DA9008

r .0004EE04Ch -> Unknown.. Attempting Calculation
... E9 Reroute .001D6043Ah -> 001D603C0h .. Analysing
... Looks like a copier.. -> KERNEL32.dll -> Ord : 00327h -> SetThreadPriority

r .0004EE050h -> Virgin -> KERNEL32.dll -> Ord : 00138h -> GetCurrentThreadId

r .0004EE054h -> Unknown.. Attempting Calculation
... Looks like a copier.. -> ntdll.dll -> Ord : 0023Eh -> RtlFreeHeap
forwarded -> KERNEL32.dll -> Ord : 00202h -> HeapFree

just some examples (from StarForce)...

and so on...
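
A detection pass over the kind of trace shown above, added here as an example; it is not part of the post and not the profiler that produced the log. The sample lines are an excerpt of the trace above (the `-> Retp` lines, the datagram dumps and most handle echoes are left out to keep it short); the probe categories, the SoftICE device-name list and the parser itself are this example's own. It attributes each detail line to the most recent `APi ->` line and flags the classic SoftICE checks (the `\\.\NTICE`, `\\.\NTICE0000`, `\\.\WINICE` and `\\.\SICE` opens and the `Services\NTice` registry key), the direct `IsDebuggerPresent` calls, the `GetProcAddress` resolves of `IsDebuggerPresent` (which a static look at the import table would not show), and any other `\\.\` device the protection opens.

```c
/* Added example (not code from the thread or from the profiler that wrote the
 * log): a detection pass over sandbox trace lines that flags debugger probes.
 * The lines below are an excerpt of the trace posted above; the categories,
 * the SoftICE device list and the parser itself are this example's own. */
#include <stdio.h>
#include <string.h>

enum probe_kind {
    PROBE_NONE,
    PROBE_ISDEBUGGERPRESENT,   /* direct IsDebuggerPresent call */
    PROBE_RESOLVE_IDP,         /* GetProcAddress of IsDebuggerPresent (not in the IAT) */
    PROBE_SOFTICE_DEVICE,      /* CreateFileA on a SoftICE device name */
    PROBE_SOFTICE_REGKEY,      /* RegOpenKeyA on the NTice service key */
    PROBE_DEVICE_OPEN,         /* any other \\.\ device opened */
    PROBE_KINDS
};

static const char *const kind_name[PROBE_KINDS] = {
    "none", "IsDebuggerPresent call", "resolve IsDebuggerPresent",
    "SoftICE device open", "SoftICE service key", "device open",
};

/* Excerpt of the trace above (Retp lines and datagram dumps omitted). */
static const char *const trace[] = {
    "[i] StarForce Version : 3.03 | Build : 3.03.033.006, 19.02.04",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress",
    ". . Module : 077E60000h -> IsDebuggerPresent",
    ". VA Returned : .001B868A4h",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetModuleFileNameA",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA",
    ". FileName : \\\\.\\PROSYNC1 | Axs : Read/Write",
    ". . File Handle : 0000000A0h",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : DeviceIoControl",
    ". . File Handle : 0000000A0h | Control Code : 092002400h",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> ADVAPI32.dll : RegOpenKeyA",
    ". . Key : HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NTice",
    ".x. Return Error -> Eax : 000000002h",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA",
    ". FileName : \\\\.\\NTICE0000 | Axs : Read",
    ". . File Handle : 0FFFFFFFFh",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA",
    ". FileName : \\\\.\\NTICE | Axs : Read",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA",
    ". FileName : \\\\.\\WINICE | Axs : Read",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : CreateFileA",
    ". FileName : \\\\.\\SICE | Axs : Read",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : GetProcAddress",
    ". . Module : 077E60000h -> IsDebuggerPresent",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> KERNEL32.dll : IsDebuggerPresent",
    "APi -> tID : 0000000E0h -> cs:0001Bh -> msvcrt.dll : __set_app_type",
};
static const int trace_len = (int)(sizeof trace / sizeof trace[0]);

/* "APi -> ... -> MODULE.dll : NAME" -> "NAME" */
static const char *api_name(const char *line)
{
    const char *p = strrchr(line, ':');
    return (p && p[1] == ' ') ? p + 2 : "";
}

static int is_softice_device(const char *dev)
{
    static const char *const names[] = { "\\\\.\\NTICE", "\\\\.\\NTICE0000", "\\\\.\\WINICE", "\\\\.\\SICE" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(dev, names[i]) == 0) return 1;
    return 0;
}

/* Walk the trace; detail lines belong to the most recent "APi ->" line.
 * counts[k] receives the number of hits of kind k; returns the total flagged. */
static int scan_trace(const char *const *lines, int n, int counts[PROBE_KINDS])
{
    const char *cur = "";   /* API the following detail lines belong to */
    int total = 0;
    memset(counts, 0, sizeof(int) * PROBE_KINDS);
    for (int i = 0; i < n; i++) {
        const char *line = lines[i];
        enum probe_kind k = PROBE_NONE;
        if (strncmp(line, "APi -> ", 7) == 0) {
            cur = api_name(line);
            if (strcmp(cur, "IsDebuggerPresent") == 0) k = PROBE_ISDEBUGGERPRESENT;
        } else if (strcmp(cur, "GetProcAddress") == 0 && strstr(line, "-> IsDebuggerPresent")) {
            k = PROBE_RESOLVE_IDP;
        } else if (strcmp(cur, "CreateFileA") == 0 && strstr(line, "FileName : ")) {
            char dev[64];
            const char *s = strstr(line, "FileName : ") + 11;   /* strlen("FileName : ") */
            size_t len = strcspn(s, " ");
            if (len >= sizeof dev) len = sizeof dev - 1;
            memcpy(dev, s, len);
            dev[len] = '\0';
            if (is_softice_device(dev)) k = PROBE_SOFTICE_DEVICE;
            else if (strncmp(dev, "\\\\.\\", 4) == 0) k = PROBE_DEVICE_OPEN;
        } else if (strcmp(cur, "RegOpenKeyA") == 0 && strstr(line, "Services\\NTice")) {
            k = PROBE_SOFTICE_REGKEY;
        }
        if (k != PROBE_NONE) {
            counts[k]++; total++;
            printf("line %2d: %-26s | %s\n", i + 1, kind_name[k], line);
        }
    }
    return total;
}

int main(void)
{
    int counts[PROBE_KINDS];
    int total = scan_trace(trace, trace_len, counts);
    printf("%d probes flagged\n", total);
    for (int k = 1; k < PROBE_KINDS; k++) printf("  %-26s %d\n", kind_name[k], counts[k]);
    return 0;
}
```

On the excerpt this flags ten probes: four SoftICE device opens, one SoftICE service-key lookup, two direct `IsDebuggerPresent` calls, two dynamic resolves of it, and the one other device open. Feeding the full trace from the post (or a fresh sandbox log in the same format) through `scan_trace` is just a matter of replacing the constructed `trace` array.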

caki 06-11-2006 19:51

I have no StarForce experience to brag about, but with the Safedisc API, it's actually a developer library integrated into the protected game exe. The devs then encrypt some game values and pass them to the library, which then decrypts them.

Example:

mov eax, 0FBA70441h
mov edx, 059013221h
push eax
push edx
call SDAPI_routine

...goes into safedisc dlls, calculations....

Return values:

EAX = 0173B49Bh <- pointer to some string in .data
ECX & EDX have junk values that are discarded.... but EAX is later used in the game to load the string and stuff like that.

Problems arise when it's called hundreds of times repeatedly :P And when it's badly integrated it can come to a major slowdown in the game, I imagine.

However, it's very easy to crack these days since the devs sometimes forget to remove the original library from the exe... so all you have to do is decrypt some tables, reroute execution to the original library code, and you have a nice little unwrapped exe :)

Other times it's a bitch to crack. /me points to Black & White 2 v1.0

TippeX 07-11-2006 06:23

I wasn't bragging, it was just an example post... and the SD API is just 'magic' crap and tables... nothing 'super interesting'... and rerouting to the library code isn't exactly 'clean'... and could well screw things up later on...

