Okay, "jus cus ur sheep"...
I've installed Doom 3 and started some analysis on it. This is like the 2nd time I deal with SafeDisc (first was with Halo, on which SD also emulates the main API calls) and from what I learned and analyzed:

- CreateProcessA -> creates and runs a security module that cycles information back and forth with the main app. Uses CreateMutexA and checks the handle to see if it ran properly. One way to defeat its creation is to fake the mutex or just let it run (assuming you have an original CD/DVD) and reset DebugPort from -1 to 0, either from user-mode or kernel via drivers. Using SoftICE is easier than attempting to have a go at it with Olly. That's why it seems simple to you. There's like 2 or 3 patches you need to perform to debug SD. Either way, you can safely attach a regular debugger such as Olly to it...
- SD has the gay habit of placing a JMP to OEP right at its EP, once the code is decrypted correctly (and that's what you need the CD for); other stuff I noticed: it emulates APIs to its own sections; also, you can easily create a continuous memory space for the allocations it makes, starting at the end of the last section; that way, you can make sure that once you dump it, you won't have problems with sparse memory chunks.

Back to Doom 3, I'm using Olly (you can sue me for that, I never managed to get SICE to run on XP, and not cuz I dunno how to do it, but cuz of my ATi VGA T_T - no patch ever worked, leaving me always suspended or frozen in its threads...) and so far these are the results:

a) EP, run game with CD in, SD decodes mem and places JMP to OEP right at its EP T_T [screenshot]
b) since this is an old version of SD, main API calls weren't virtualized, as you can see in the pic above...
c) looking for all intermodular calls, tons lead to allocated memory [screenshot] - the one above is GetWindowTextA...
d) next step would be either manually stepping through allocations and seeing what they return or where they jump to in kernel, OR stepping through SD and seeing where it allocates memory and what it allocates, OR making it allocate everything at the end of the last section; after which one can simply dump the app, patch in the allocated section and that would be it...

Peace out...

P.S.: We should do this more often. Love it when I get pushed over the "hedge"
Last edited by Synaesthesia; 07-10-2007 at 15:27.