|
Securom 7 Rebuild
Hey guys, I was fooling around with securom 7 for the past 2 days, and now I am kind of tired, kind of stumped, and have other Real Life things to attend to, so I thought I might pass this off to someone here and he could continue my work into gaining some insights about this protection.
Keep in mind that I am a self-acknowledged noob. A lot of the stuff I say here may or may not be correct. Please correct me if I am wrong, its always nice to learn something. Before I forget, the target is Grand Theft Auto San Andreas 1.1 Oh, and one last thing before I start: I know that I can dump the heaps at the OEP, and fix the GetProcessId check, but there is no challenge in that, is there? And one last thing. Pirates, fuck off. People who are going to use this to crack the game and distribute it illegally, fuck off. Protection developers, keep reading and pay attention :) Oh and if you want to learn something, keep reading. Needless to say, this is only for educational purposes, for fun, and for a way to pass time, not for any illegal shit. Ok, so, let me get you up to date on what I have so far. First thing is to find the OEP. Pretty simple task with this protection. Grab your favorite debugger (for the purposes of this post, I used Olly), and start reading. Securom 7 uses some pretty innovative AntiDebug, but nothing as vast as the Safedisc antidebug arsenal. First thing it does is get the tick count with GetTickCount, and then it causes a gazillion exceptions. Since your debugger needs to process all these exceptions, it is naturally slowed down. After it causes all those exceptions, it uses GetTickCount to check if the time elapse was large. If it was -> Debugger detected. To bypass this check you can either put a BP on GetTickCount(Securom doesn't check API's for 0xCC) and change EAX to 0 each time it is called, or just assemble a xor eax, eax; ret; at the beginning of the GetTickCount API The second trick comes into play right after the large amount of exceptions. Its a simple call to NtQueryInformationProcess (also known as ZwQueryInformationProcess). To bypass it, I put a bp on ZwQueryInformationProcess, and kept running and looking at the top of the stack. This API gets called a lot by kernel32 and other standard dll's, but you will once see it getting called from a place with a much return lower address: Code:
00212128 00EDFE7A /CALL to ZwQueryInformationProcess from gta_sa.00EDFE77Now, before you run the target, put a Memory Breakpoint on the code section. Now run the target, you will break once or twice, and then finally hit the OEP: Code:
00825330 6A 60 PUSH 60Now, I'll go through all the antidumps that I have found so far. The first one that is so blatantly easy to spot is all the JMP DWORD PTR's lying around. What securom does during the protection process is cut and paste some code from the code section, put it into a securom(or another location in the code) section, obfuscate it and do all kinds of other, nasty but cool things to it. After it redirects the code to a new spot, it puts a JMP DWORD PTR to the central securom routine at the place where the the original code was. The central securom routine then redirects it to the correct place. Pretty simple, kind of like IAT redirection, except without the imports, eh? Lets take a look at one of the JMP DWORD PTR's: Code:
0040104A $- FF25 58B04B01 JMP DWORD PTR DS:[14BB058] Code:
0150DEB0 68 CADE5001 PUSH gta_sa.0150DECACode:
00EFB6D0 60 PUSHADCode:
00EFE92E 9D POPFDCode:
0040104A $ /FF25 58B04B01 JMP DWORD PTR DS:[14BB058] ; gta_sa.005EE7DAAnother thing to note is that all JMP DWORD PTR's point to mini routines akin to these: Code:
01510540 68 5A055101 PUSH gta_sa.0151055ACode:
0150A360 68 6AA35001 PUSH gta_sa.0150A36AI coded something on the fly to fix it, no comments since I wasn't expecting anyone to use it at the time. MASM to assemble etc etc... Code:
start:Code:
00EFE92E 9D POPFDThe second antidump I noticed in passing. Its your pretty damn standard on-the-fly code decryption. Take a look: Code:
004012E9 .- FF25 2CB14B01 JMP DWORD PTR DS:[14BB12C]Code:
014C4459 E8 D2C8A1FF CALL cracked1.00EE0D30Code:
014C4459 55 PUSH EBPCode:
_part_two:Code:
01391D20 58 POP EAX The trick however(there's always a trick) is that it always returns to the above code from this code: Code:
00F00AD5 0FA3FD BT EBP,EDI Code:
_part_three:Now, replace: Code:
00F00AD8 8107 04000000 ADD DWORD PTR DS:[EDI],4Ok, with that done, take a look at the next antidump: Code:
014E72F6 68 2F134000 PUSH fixed_1.0040132FCode:
mov eax, _securomDataCode:
00EFEC7B C703 00000000 MOV DWORD PTR DS:[EBX],0with a jump to _good_return, and you need to replace the exit point's of the other antidumps (JMP DWORD redirection and instruction emulation) with JMPs to _ignore_return: JMP dword exit point: Code:
00EFE92E 9D POPFDCode:
00F00461 9D POPFDNow, this is the point I have halted at. I don't have the time for the next month or so, so lets see if anyone can continue in my stead. There are two other types of redirections I have noticed. The first (easy) is the import redirection: Code:
006029F4 . 9C PUSHFDCode:
014E1ED6 9C PUSHFD005D1A0B . 9C PUSHFD 005D1A0C . 817424 08 6996F12C XOR DWORD PTR SS:[ESP+8],2CF19669 005D1A14 . 9D POPFD 005D1A15 . 58 POP EAX 005D1A16 . 870424 XCHG DWORD PTR SS:[ESP],EAX 005D1A19 . EB FF JMP SHORT cracked1.005D1A1A 005D1A1B D0 DB D0 [/code] As you can see, its got a slightly different byte pattern each time, which theoretically makes scanning harder. So, I have decided to blatantly steal Hoodlum's solution to this problem. You will notice that all the import redirections push a pointer to the beginning of the text section right before they go to the Securom routine. These are pointers to the table of DWORDs at the beginning of the code section(you were probably wondering what they are for, now you know): Code:
00401050 8D604B01 DD cracked1.014B608DNow, I'm not going to give you the code for the above, as I have yet to do it, still, its pretty simple, you shouldn't have any troubles. If that doesn't work then you can always scan for CALL EAX's perceded with PUSHFD's and PUSH xxxxxx's that push pointers to the beginning of .text. Do whatever you feel like doing. The last protection has me kind of stumped, and in my opinion is what makes securom so sexy. It replaces single instructions with PUSH/CALLs to the central routine, where they are emulated. I've already figured out that it only emulates certain instructions, and I have a theoretical way of ID'ing each instruction, but its not anything solid enough to warrant me giving you details about. So, this is pretty much what I'm asking you to figure out. Well, thats it for me. I know a lot of you have better things to do, but this post might help some noobies start on this protection, and the way you guys will criticise me will probably help me improve in some way. I'm pretty sure I'll figure out the single instruction emulation eventually, maybe I'll even update this post when I do. Until then, you all take care :) |
old old old.. did you actually check the version of the gta : sa 1.1 update?
Quote:
Quote:
and FF 25 to them from another block of code.. which allows them to make all api's used by the code into E8 xx xx xx xx api calls... saving 1 byte per api call.. optimisation sort of... NOT a securom feature |
Hmmm, why does the original post smell of 'Sunbeam'!!?? ;)
|
have to admit, i did actually think the same grumpy...
|
Hiya guys,
yeah, I bothered to check the version, and I realize that this is fairly old, but hey, you never know. For example, look at Safedisc. A lot of the stuff written about MUPing safedisc 2.7 by Peex still applies to Safedisc 4.6, since they haven't really bothered to update several of their protection features. Also, I've taken a quick peak at the later versions (7.31+), nothing comprehensive mind you, but I think that the structure of securom looks more or less the same, just allocates a lot more memory regions and the exit point is a bit different. But like I said, that was just a cursory glance. Quote:
Quote:
I'm sorry to say, I highly doubt this, because all of the dword's that I have listed are pointers to the Securom section of the game. It is true that they might have originally been VA's pointing to the IAT, but now they have been replaced by securom pointers, and are used for the securom IAT redirection, thus something must be done about them. And finally, about the Sunbeam comment, I was reading this forum when you were having that little chat with him, and I would just like to say I have never spoken to the chap, have never been on the same forum as him, etc etc... If you feel this information is useless, I am sorry to have bothered you and will remove my original post, and be out of your hair. Now, 2 things to learn, FARPROC arrays and how NtQueryInformationProcess is used for debugger detection. I have some reading to do. Please, feel free to continue with the criticism, or tell me to fuck off. I wont be the least bit offended either way. Oh, and in case you are wondering why I am using this nickname, it is because I think this type of information can get me into a sweet bit of legal trouble if I am ever caught. Also, I couldn't think of any fitting nickname while registering, so I just decided to go along with 'anonymous'. |
Quote:
going to the securom section sure.. maybe to the securom iat? Quote:
why not research it fully, spend your time on it, then make a post.. that way its more useful to people later and less full of bullshit and second guessing.. i have to admit though your approach and style, are very similar to sunbeam.. and its clear im not the only one thinking that... |
Very well, from now on all posts I make I will try to make as factually correct as possible, and not include any bullshit theories. I can for certain say that all the solutions that I have presented for all the protection options so far aside from the Import redirection and emulated instructions work on my machine.
Also, this post is more in the way of you guys helping me, and maybe even others in the process. Your criticism helps. I admit, I got the idea for writing this post after reading your comments to Sunbeam. You were a lot more critical of him than people would be to me if I posted this information on other cracker forums. All I would get is a 'Thank you'. Thats nice, but what information would I get? Nothing. Also, for all those interested about the NtQueryInformationProcess check: http://msdn2.microsoft.com/en-us/library/ms684280.aspx Quote:
Oh, and please don't assume that I know everything about this subject. Like I said in the original post, I don't, but I would be happy to learn :) Oh, and about the Sunbeam comment, how can I prove to you that I am not Sunbeam? |
you proved u werent sunbeam by actually going off and researching...
whats the little red text at the top of the page tho? |
It says in red letters in the MSDN page that this API may not be used in future versions of windows. Thus, it could possibly lead to some compatibility problems in the future.
|
caki,
maybe you are right, maybe not. Code:
00EDFE4A FF15 30494901 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; kernel32.GetProcAddressMaybe the securom devs do a GetVersion to check if the OS supports ZwQueryInformationProcess? |
yeh its an 'undocumented' api, but microsoft are usually backwardly compatible with their setups, and some of their code also uses these api's, so if they aren't really going to break their own programs :)..
look at the peb / teb blocks from 9x->xp, even on x64 platform, they are backwardly compatible, and only have new stuff added with each os build.. its like their documentation, often its quite wrong on some api's / structs / params... microsoft = do as we say... not as we do |
Sorry, I was just curious since I was reading an article the other day in which some Microsoft spokesperson said they were considering to cut it out with the backwards compatibility, since its starting to limit the development of the OS. If that truly does come about, then I think a lot more people aside from the securom folks will have something to worry about.
|
| All times are GMT -7. The time now is 22:49. |
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2026, vBulletin Solutions Inc.
FileForums @ https://fileforums.com