Quote (Originally Posted by Synaesthesia):
Okay, "jus cus ur sheep"...
- CreateProcessA -> creates and runs a security module that cycles information back and forth with the main app. Uses CreateMutexA and checks the handle to see if it ran properly. One way to defeat its creation is to fake the mutex or just let it run (assuming you have an original CD/DVD) and reset DebugPort from -1 to 0, either from user-mode or kernel via drivers. Using SoftICE is easier than attempting to have a go at it with Olly. That's why it seems simple to you. There's like 2 or 3 patches you need to perform to debug SD. Either way, you can safely attach to it a regular debugger such as Olly...
sigh, it's the 'cleanup' process, this process handles exceptions like int 3 and so on in the other process, as well as some VM stuff
Quote:
- SD has the gay habit of placing a JMP to OEP right at its EP, once code is decrypted correctly (and that's what you need the CD for); other stuff I noticed, it emulates APIs to own sections; also, you can easily create a continuous memory space for the allocations it makes, starting with the end of last section; that way, you can make sure once you dump it, you won't have problems with sparsed memory chunks.
oh and how are you going to handle the DLLs? and the CCCs that do callbacks to the CD check, as well as other nasties... SafeDisc's memory allocation is generally for key tables and the int 03h opcodes, and other exception handling/checksumming
Quote:
Back to Doom 3, I'm using Olly (you can sue me for that, I never managed to get SICE to run on XP, and not cuz I dunno how to do it, but cuz of my ATi VGA T_T - no patch ever worked, leaving me always suspended or frozen in its threads...) and so far these are the results:
try adding the SoftICE XP SP2 patch?
Quote:
a) EP, run game with CD in, SD decodes mem and places JMP to OEP right at its EP T_T
SD always had a direct jump to the OEP, about 129 bytes down from the initial entrypoint in the exe, this is the one you hook... no others...
it's easily spottable: jmp xxxxxxx (where xxxxxxx is outside of the current section)
yet again you're guessing and bullshitting, you really need to research some, and drop this 'holier than thou' shit rivalry you have with sheep.... learn, research, have concrete facts and information, and try and do your own methods, not some crappy methods you've seen in some tut...
half of reverse engineering is about coming up with countermeasures, new approaches, to make the task easier... your stuff sounds like you just grabbed some lines from the arteam safedisc dumper, made some assumptions, thought everything in the doc was gospel, and ... well we see the results...