  #1  
24-04-2006, 12:01
Muji-FightR
Recent copy protections

Well, I started RE a few months ago and now I'm interested in reversing real games, as this was my higher target when starting all this.
I've been searching for tutorials covering topics such as Securom 7 or SafeDisc 4, etc.
First I thought about learning older things like SD 1,2,3... or SR 5 but games with these rather old protections are very rare and I would have to buy them :P
So I prefer starting with the newer and most likely harder stuff, but at least I do own some of these games...
The only thing I found were 2 tutorials on how to crack FEAR and Empire Earth 2, both of 'em written in ugly Russian language I wouldn't understand properly lol

So, I'm asking (not begging) you for any recommendable tutorials about these topics, in case you do not want to spread them in public, because of legality or to hide them from anybody, I'd be very glad to have some URLs sent to me via PM...

However, thanks in advance for any further hints or even links...

Cheers, Muji
  #2  
24-04-2006, 12:19
TippeX
the best advice is to start re'ing it yourself, make notes, compare your dumps/cracks against working cracks, see the differences, investigate them etc etc... do NOT rely on tuts because they are only meant as guidelines
__________________
bleh
DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
  #3  
24-04-2006, 12:52
caki
Gotta agree with Tippex on that one. When I was a noob at RE, I tried to crack safedisc right away, and I didn't even know what a JNZ meant :P. Ahh, well I went and got a safedisc tutorial. Well, I read that tut so many times that in the end I learned a big chunk from it. That's actually pretty much the only tut I have relied on. I read tuts constantly, to get a feel for new ideas, but the only one I ever followed right down to the letter was that safedisc tutorial. Some people may find this bad, but since that tut wasn't written for noobs, I had to figure out a lot of stuff for myself, and in the end, I learned a shitload.

However, now that I have more experience (I'm still noob, but I do have SOME experience), I find MUCH more pleasure in doing things myself, and I only consult tuts when I am out of ideas (which is pretty much never).

So pretty much: If you have no idea what to do, read a tut and understand it, but don't go around following every tut you can get your hands on down to the letter, because then you won't be able to think independently.

PS

Why would anyone write a tut for FEAR? If your antidebug is nice, and you can use a tracer, it's a 2 min. job (Get to OEP, dump, dump other sc memory, append it...). I don't see how anyone could learn anything from that tut, and if you can't learn anything, why would you need it? ... But oh well, I don't like criticising tut writers...
__________________
Sanity is for the weak.

Last edited by caki; 24-04-2006 at 12:57.
  #4  
24-04-2006, 19:03
cdkiller
Quote:
I tried to crack safedisc right away
i did this too after i "cracked" the first cd-check in an old game.
just thought i need to change some jmps etc.... this time i hadn't any knowledge about commercial protections and about how much effort is needed to remove them. that's the reason i'm mad about ppl asking "how to crack securom/safedisc etc." which didn't even know what a debugger is, lol.

back to topic...
perhaps this securom 7 thread gets updated from time to time... but i doubt it.
http://community.reverse-engineering...pic.php?t=5077

i've found a tutorial covering maxpayne 2 (sd 2.30) and nfsu2 (sd 3.20), both written in german.
so i wanted to look at an older safedisc version as a starting point... grabbed the Hitman Codename 47 cd, installed, dumped the exe (with cd), fixed the ff15 calls, rebuilt pe. when done i compared my unwrapped exe with the flt one to see if it was rebuilt the proper way

i prefer to use ollydbg (yeah i know ring3...) which can handle safedisc till v2 afaik. later versions will use stolen bytes which will be replaced with the correct ones by the safedisc debugger. you can dump at the oep with olly by noping the call which executes the sd debugger. but this way you won't be able to restore the stolen bytes. olly can't do it cos it conflicts with the sd debugger (both ring3).

newer targets don't use the int3's anymore they use SDAPI. olly can handle them. but it's a lot harder than the stolen bytes.
__________________
http://pid.gamecopyworld.com

home of Protection ID the ultimate Protection Scanner.

Last edited by cdkiller; 24-04-2006 at 19:07.
  #5  
24-04-2006, 20:32
caki
I like SDAPI. Allows me to use Olly on safedisc for the first time. I don't understand why everyone else hates it. As long as I can use olly... *very happy*
  #6  
25-04-2006, 05:48
princcce
I found a tutorial !!!

Quote:
i've found a tutorial covering maxpayne 2 (sd 2.30) and nfsu2 (sd 3.20), both written in german.
Can I have 'em ?

Last edited by princcce; 25-04-2006 at 07:40.
  #7  
25-04-2006, 09:04
caki
Quote:
Originally Posted by ThePrince
Can I have 'em ?
google
  #8  
25-04-2006, 10:39
princcce
Link !!

Can u please send me the link. Can't find it by myself.
  #9  
25-04-2006, 12:35
caki
Tis on google matey. Almost everything is on google

try this combo:

"max payne safedisc 2 manual unpacking tutorial"

I just found it with the above combo, so don't try saying it doesn't work, cuz it does :P
  #10  
26-04-2006, 08:31
Muji-FightR

Hey, thanks for that great reply...
Well, first of all, I know what a debugger is (do I ?), I know cracking games isn't changing jumps LOL, and I'm familiar with basic unpacking/dumping/fixing IAT...

My problem is just, cracking games is rather difficult, and w/o any direction it is hard to walk, isn't it...
That's why I was asking, how should I be able to reverse a SD3/4 game without knowing how to solve special problems (didn't even know that Olly can't handle SD3 lol)...
Only with looking at an engine, it's possible to guess its function and disassemble it, but with the knowledge of a teacher who already knows almost anything, it's WAY easier than without...
Sure, curiosity is important, no doubt, but you can also go too far with it :P

Thanks again, great help and gorgeous SR7 tutorial
  #11  
26-04-2006, 09:12
princcce
Read more Tuts !!!

@ Mujifighter read more tutorials maybe it helps.


@caki Thank you very, very much for the hint.


@ everybody else keep on writing in this forum.
  #12  
27-04-2006, 05:40
cdkiller
@ muJi.fiGHt3r
start with an old safedisc v1/v2 game. since v2 the OEP is hardcoded which means you can set a hwbp at it. insert your original cd, bypass antidebug, reach breakpoint, dump. if you use ollydbg ignore all exceptions.

anti debug of sd v2:
- the usual softice checks (no need to bypass when u use olly)
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- ZwQueryInformationProcess

ImpRec isn't able to repair the IAT, you have to do this on your own or code a plugin. just step into the ff15 calls and you'll see the api.

safedisc 2 oep snippet:
----------------------
...
je
mov eax, 00h
jmp
mov eax, dword...
push eax
call <Safedisc Anti-Debug, cd-check, Unpacking>
add esp, 14h
cmp eax, 00h // eax = 0 means no debugger and no unpacking probs
je... // no nasty stuff found, jump over call eax (jmp -> jmp leads to OEP)
mov eax, dword ptr Kernel32.ExitProcessA
call eax
...
  #13  
11-05-2006, 10:24
ByteMare
Really nice thread, keep it up
__________________
The gateway is open and you're all coming with me.....
  #14  
11-05-2006, 13:50
caki
Well I'm willing to help around safedisc so long as people have questions
All times are GMT -7.
FileForums @ https://fileforums.com