#1
Cold Zero's new Protection (encryption) ???
i browsed through the ColdZero.exe and found something interesting. the executable is protected by SecuROM but it must be packed / encrypted with another tool. there is a section called "chirpy". anybody know which packer / encrypter was used ???
here is the PE-Header:
----------------------
MZ...................... @....................... .....................!.. L.!This program cannot b e run in DOS mode....$.. ....&..^b...b...b....... a.......h.......D....... ....b...j.......`....... l.......f.......c...b... ........a...6...S....... c...Richb...........PE.. L...A..=..............SR ..............0.. 0.. 2. ..@..................... ......N................. ........................ .....q2.P.... H......... ........................ ........................ ..................... 2. ........................ .....text....p.......... ................ .. `.rdata..^^............. -> RData ............@[email protected]... <....................... [email protected].........$. -> ntsc (?) .................... ..` .chirpy.......(......... -> chirpy section ??? [email protected].. -> idata .3..../................. ....@[email protected]....... 0.-> text .................... ..` .data1....... 2..`... .. -> data [email protected].. -> pdata ..... 4................. [email protected] -> Resource section
please no newbie posts about this, i need help from people who are skilled...
__________________
http://pid.gamecopyworld.com home of Protection ID the ultimate Protection Scanner.
#2
i know it's securom but the Addd string with the version number isn't there. so it must be encrypted.
(securom 4.8x can be viewed in win32dasm, this file not)
__________________
http://pid.gamecopyworld.com home of Protection ID the ultimate Protection Scanner.
#3
there's multiple variants, what you're seeing is the cms_* sections renamed, the AddD missing well... look harder
search the exe for the AddD string, you'll find it. the data after it is indeed encrypted, also there's less appended data, the securom dlls are now stored within the image itself sometimes.. like i said.. variants .. securom 4.84.7x now has 'variations' incl. diff api wrappers
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
#4
ok, but bad for my filescanner
__________________
http://pid.gamecopyworld.com home of Protection ID the ultimate Protection Scanner.
#5
nope, just some more coding to do isn't it? mine works fine heheh
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
#6
ok i'll first do a search for Addd + version at the end of the file.
then i know it's securom.
__________________
http://pid.gamecopyworld.com home of Protection ID the ultimate Protection Scanner.
#7
the AddD tag +Version ain't at the end of the file now is it? ;p
if you looked at the end of the file and then thought about the number stored there you might get an idea of how to do away with a byte scan for 'AddD', and there's other methods to detect the variations in the securom itself, try section size matching, byte pattern matching, import usage.. it's all there, just start comparing exes
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
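An added example, not code from any poster in this thread or from Protection ID: a Python version of two checks discussed above, reading the PE section table to report names such as "chirpy" that are not on a short list of common ones, and locating each `AddD` hit as either inside the image or in data appended after the last section. The list of common names, the function names and the sample file are all assumptions constructed for illustration.

```python
import struct

MARKER = b"AddD"  # tag named in the thread
# Assumption: names treated as ordinary here; anything else is reported.
COMMON = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".pdata", ".tls"}

def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] read from the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(data):
        raise ValueError("PE header missing or truncated")
    nsec, = struct.unpack_from("<H", data, pe + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    if table + 40 * nsec > len(data):
        raise ValueError("truncated section table")
    sections = []
    for off in range(table, table + 40 * nsec, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_off, raw_size))
    return sections

def scan(data):
    """Report unusual section names and where each marker hit lies."""
    sections = parse_sections(data)
    image_end = max((off + size for _, off, size in sections), default=0)
    hits, pos = [], data.find(MARKER)
    while pos != -1:  # "image" = headers or section data, "appended" = past last section
        hits.append((pos, "appended" if pos >= image_end else "image"))
        pos = data.find(MARKER, pos + 1)
    return {"unusual_sections": [n for n, _, _ in sections if n not in COMMON],
            "appended_bytes": max(len(data) - image_end, 0),
            "marker_hits": hits}

def build_sample(names, appended=b""):
    """Constructed test file: 0x400-byte header area plus 0x200 bytes per section."""
    hdr = bytearray(0x400)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    struct.pack_into("<HH", hdr, 0x84, 0x14C, len(names))  # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)                # SizeOfOptionalHeader
    for i, name in enumerate(names):
        off = 0x80 + 24 + 0xE0 + 40 * i
        hdr[off:off + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<II", hdr, off + 16, 0x200, 0x400 + 0x200 * i)
    return bytes(hdr) + bytes(0x200 * len(names)) + appended
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `scan`; comparing the output across several executables shows which of the reported features actually differ between variants.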