  #16  
Old 05-11-2009, 21:56
TippeX
now you're pushing things.. 'can i see such a file'.. what interest is it for you? i made many of them, a lot were safedisc ones, which when the game came out on a budget label with no protection allowed me to see how close it was.. the only thing the crack didn't have was the reloc table which was stripped (and not important for an exe anyway) at protection time... rebuilding to the virgin file is entirely possible if you know your asm, and how compilers work..

the api's you mentioned are not protection based either.. rtlgetlastwin32error is also one from ntdll.dll if i remember right.. so that's wrong

'custom triggers'.. nope that's part of the protection too..

script for jump bridges? that's kinda lame too, why is it that the 'new breed' of crackers think using scripts and olly is the best solution? i made my own tools, i debugged when i needed to, just to see what was going on..
__________________
bleh
DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
  #17  
Old 06-11-2009, 11:57
Cowsheep
I have just a lot of interest in cracks and how they are made.

I have written it in a bad way, rtlgetlastwin32error is imported from ntdll.dll, but securom uses the result in order to check if it is a dump or not ("RtlGetLastWin32Error: here again we need to return 1, in case there are errors we tell there aren't any"), like getcurrentprocessid. (or is complete owning here wrong, too?)

Automating fixing the jmp bridges is a must, there are simply too many for doing it manually.

Respect to you for coding your own tools, i can't do that, must use public tools and plugins.
That's the difference between a script kiddie like me and the oldschool leet you belong to
  #18  
Old 06-11-2009, 13:01
TippeX
Quote:
Originally Posted by Cowsheep
I have written it in a bad way, rtlgetlastwin32error is imported from ntdll.dll, but securom uses the result in order to check if it is a dump or not ("RtlGetLastWin32Error: here again we need to return 1, in case there are errors we tell there aren't any"), like getcurrentprocessid. (or is complete owning here wrong, too?)

it's wrong... and you'd see that if you actually traced it..

ntdll.RtlGetLastWin32Error

Code:
64A118000000                   mov         eax,fs:[000000018]
8B4034                         mov         eax,[eax][034]

kernel32.GetLastError

Code:
64A118000000                   mov         eax,fs:[000000018]
8B4034                         mov         eax,[eax][034]

notice something? yes THEY ARE BOTH THE SAME
securom is calling GetLastError - making it return 1 is

(a) fucking stupid
(b) really fucking stupid
(c) i think i've made the point... yes?

error code 1 translation..

[System Translation] -> Incorrect function.

Quote:
Automating fixing the jmp bridges is a must, there are simply too many for doing it manually.

wrong.. you're using the wrong method.. haven't you realised that?

Quote:
Respect to you for coding your own tools, i can't do that, must use public tools and plugins.
That's the difference between a script kiddie like me and the oldschool leet you belong to

well, i'm not after respect..

honest advice..

ditch the scripts, ditch the 3rd party tools, learn to code, learn asm (pretty much a must), spend some time, make lots of notes, trace, figure out how each module in the protection works, then figure out how to 'fix' it...
otherwise you're really just wasting your own time, and will get nowhere.
Last edited by TippeX; 06-11-2009 at 13:12.
  #19  
Old 07-11-2009, 03:29
Cowsheep
Yeah, i noticed that 1 for getlasterror means error_invalid_handle and 0 is needed for error_success.
Returning 1 is meant as replacement for the whole function where getlasterror is part of it. (Look at page 26 of "incomplete failing" in order to see what i mean)
I can't locate that one in my dump, in Bioshock (same sr version) some antidumps are Xorred, maybe here too?

Tracing takes too much time, crash happens in a function that is executed almost 1000 times successfully before. (Like another one, where crash happened also so late, fixing the one with the ADVAPI32.dll checksum solved that crash.)

The funniest thing of that tut is "Here you have binary copy of the patch you can paste in binary format:" with the fixed antidumps from the call table.
This can never work, since pid, Windows version, etc. are part of it.

About 200 hours i have worked on it already.
Do you know good tuts for coding asm?
The ones here by dabhand are about understanding asm, that i can do already.

Last edited by Cowsheep; 07-11-2009 at 03:56.
  #20  
Old 07-11-2009, 04:48
TippeX's Avatar
TippeX
Quote:
Originally Posted by Cowsheep
Yeah, i noticed that 1 for getlasterror means error_invalid_handle and 0 is needed for error_success.

Returning 1 is meant as replacement for the whole function where getlasterror is part of it. (Look at page 26 of "incomplete failing" in order to see what i mean)
I can't locate that one in my dump, in Bioshock (same sr version) some antidumps are Xorred, maybe here too?

no it doesn't.. invalid handle is a totally different code..
setting the value to 1 is... [System Translation] -> Incorrect function.

put simply the tutorial or whatever it is you're reading is inaccurate... if it's the arteam one, i would bin it and do the research myself.

Quote:
Tracing takes too much time, crash happens in a function that is executed almost 1000 times successfully before. (Like another one, where crash happened also so late, fixing the one with the ADVAPI32.dll checksum solved that crash.)

The funniest thing of that tut is "Here you have binary copy of the patch you can paste in binary format:" with the fixed antidumps from the call table.
This can never work, since pid, Windows version, etc. are part of it.

About 200 hours i have worked on it already.
Do you know good tuts for coding asm?
The ones here by dabhand are about understanding asm, that i can do already.

to learn asm get masm32 (google for masm32), inside it is some sample code, help files etc, and there's also a good link on the main site to the forum where you can ask questions (read the rules of the forum first though..)

again, the method you're using from the tut is the wrong method, bin the tuts, do your own research (which will probably be more accurate than the tuts anyway.. ) and build up a clear picture of what the protection is doing.. i don't know how many times i'll say that before i simply stop replying to this thread.. so please, listen and do it.. you'll thank me later.
All times are GMT -7.
FileForums @ https://fileforums.com