Hiya guys,
yeah, I bothered to check the version, and I realize that this is fairly old, but hey, you never know. For example, look at Safedisc. A lot of the stuff written about MUPing Safedisc 2.7 by Peex still applies to Safedisc 4.6, since they haven't really bothered to update several of their protection features. Also, I've taken a quick peek at the later versions (7.31+), nothing comprehensive mind you, but I think that the structure of Securom looks more or less the same, just allocates a lot more memory regions and the exit point is a bit different. But like I said, that was just a cursory glance.
Well, since it performs more than one protection function, I'd just like to say that it would seem quite a bit incorrect to call it a VM. However, a VM is one of its many features (single instruction emulation), so I guess that's how the term has come about.
Quote:
that's compiler dependent, some compilers put a FARPROC array of va's at the start of the code section
and FF 25 to them from another block of code.. which allows them to make all api's used by the code
into E8 xx xx xx xx api calls... saving 1 byte per api call.. optimisation sort of...
NOT a securom feature
I'll have to admit that I have no idea what a FARPROC array is, and will look into it, but from what I understand you are referring to JMP DWORD PTRs that point to an API in the IAT? And then there are Calls to those JMP DWORD PTRs, so instead of wasting 6 bytes on a call dword ptr[pointer to api in iat] (FF 15 xx xx xx xx), the compiler will generate a normal call (E8 xx xx xx xx), and thus waste less space in the final program?
I'm sorry to say, I highly doubt this, because all of the dwords that I have listed are pointers to the Securom section of the game. It is true that they might have originally been VAs pointing to the IAT, but now they have been replaced by Securom pointers, and are used for the Securom IAT redirection, thus something must be done about them.
And finally, about the Sunbeam comment, I was reading this forum when you were having that little chat with him, and I would just like to say I have never spoken to the chap, have never been on the same forum as him, etc etc... If you feel this information is useless, I am sorry to have bothered you and will remove my original post, and be out of your hair.
Now, 2 things to learn, FARPROC arrays and how NtQueryInformationProcess is used for debugger detection. I have some reading to do. Please, feel free to continue with the criticism, or tell me to fuck off. I won't be the least bit offended either way.
Oh, and in case you are wondering why I am using this nickname, it is because I think this type of information can get me into a sweet bit of legal trouble if I am ever caught. Also, I couldn't think of any fitting nickname while registering, so I just decided to go along with 'anonymous'.
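
The call encodings discussed in this post (FF 15, FF 25 and E8), as an added example that is not part of the original post: a small static scan over constructed 32-bit x86 bytes that tells a direct `call dword ptr [slot]` apart from an `E8` call routed through a `jmp dword ptr [slot]` thunk. The addresses, the sample bytes and all function names are assumptions made for illustration.

```python
import struct

BASE = 0x401000  # constructed load address of the sample code bytes

def build_sample(base=BASE):
    """Constructed 32-bit x86 bytes: one thunk, two calls through it, one FF 15 call."""
    code = b"\xff\x25" + struct.pack("<I", 0x402000)             # jmp dword ptr [0x402000]
    code += b"\xe8" + struct.pack("<i", base - (base + 6 + 5))   # call thunk (rel32)
    code += b"\xff\x15" + struct.pack("<I", 0x402004)            # call dword ptr [0x402004]
    code += b"\xe8" + struct.pack("<i", base - (base + 17 + 5))  # call thunk (rel32)
    return code + b"\xc3"                                        # ret

def find_thunks(code, base=BASE):
    """Map the VA of each FF 25 thunk to the pointer slot it jumps through."""
    thunks = {}
    for off in range(len(code) - 5):
        if code[off:off + 2] == b"\xff\x25":
            thunks[base + off] = struct.unpack_from("<I", code, off + 2)[0]
    return thunks

def classify_calls(code, base=BASE):
    """Return (call_va, kind, pointer_slot, instruction_length) for each call site.

    This is a byte-pattern scan, not a disassembler, so on real code it can
    match inside operands; the constructed sample has no such overlaps.
    """
    thunks, calls, off = find_thunks(code, base), [], 0
    while off < len(code):
        if code[off:off + 2] == b"\xff\x15" and off + 6 <= len(code):
            slot = struct.unpack_from("<I", code, off + 2)[0]
            calls.append((base + off, "indirect", slot, 6))
            off += 6
        elif code[off] == 0xE8 and off + 5 <= len(code):
            rel = struct.unpack_from("<i", code, off + 1)[0]
            target = (base + off + 5 + rel) & 0xFFFFFFFF  # relative to next instruction
            if target in thunks:
                calls.append((base + off, "via_thunk", thunks[target], 5))
                off += 5
            else:
                off += 1
        else:
            off += 6 if code[off:off + 2] == b"\xff\x25" else 1  # step over thunks
    return calls

def bytes_saved(calls):
    """Bytes saved at call sites by E8 (5 bytes) over FF 15 (6 bytes)."""
    return sum(6 - length for _, kind, _, length in calls if kind == "via_thunk")

if __name__ == "__main__":
    for va, kind, slot, length in classify_calls(build_sample()):
        print(f"{va:#x}: {kind:9} slot={slot:#x} len={length}")
```

The saving counted by `bytes_saved` ignores the 6 bytes the thunk itself costs, so the layout only pays off when the same import is called from several places.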