FileForums > CD & DVD > CD/DVD Copy Protections & Utilities

#1  Synaesthesia, 07-10-2007, 15:20
Thread: Thrillseeking

Okay, "jus cus ur sheep"...

I've installed Doom 3 and started some analysis on it. This is like the 2nd time I've dealt with SafeDisc (the first was with Halo, on which SD also emulates the main API calls), and from what I learned and analyzed:

- CreateProcessA -> creates and runs a security module that cycles information back and forth with the main app. Uses CreateMutexA and checks the handle to see if it ran properly. One way to defeat its creation is to fake the mutex, or just let it run (assuming you have an original CD/DVD) and reset DebugPort from -1 to 0, either from user mode or from the kernel via a driver. Using SoftICE is easier than attempting to have a go at it with Olly. That's why it seems simple to you. There are like 2 or 3 patches you need to perform to debug SD. Either way, you can then safely attach a regular debugger such as Olly to it...

- SD has the gay habit of placing a JMP to the OEP right at its EP once the code is decrypted correctly (and that's what you need the CD for); other stuff I noticed: it emulates APIs in its own sections; also, you can easily create a continuous memory space for the allocations it makes, starting at the end of the last section; that way, you can make sure that once you dump it, you won't have problems with sparse memory chunks.

Back to Doom 3, I'm using Olly (you can sue me for that; I never managed to get SICE to run on XP, and not because I don't know how to do it, but because of my ATi VGA T_T - no patch ever worked, always leaving me suspended or frozen in its threads...) and so far these are the results:

a) EP: run the game with the CD in; SD decodes memory and places a JMP to the OEP right at its EP T_T

b) since this is an old version of SD, the main API calls weren't virtualized, as you can see in the pic above...

c) looking for all intermodular calls, tons lead to allocated memory

- the one above is GetWindowTextA...

d) the next step would be either manually stepping through the allocations and seeing what they return or where they jump to in the kernel, OR stepping through SD and seeing where it allocates memory and what it allocates, OR making it allocate everything at the end of the last section; after which one can simply dump the app, patch in the allocated section, and that would be it...

Peace out...

P.S.: We should do this more often. Love it when I get pushed over the "hedge"

Last edited by Synaesthesia; 07-10-2007 at 15:27.
#2  caki, 07-10-2007, 16:40
Quote:
OR make it allocate everything at the end of last section; after which one can simply dump the app, patch in the allocated section and that would be it...
Have fun with that. Seems you have a long way to go
__________________
Sanity is for the weak.
#3  Synaesthesia, 07-10-2007, 20:58
Lol. I know what you mean - big-ass motherf` .exe. Took a break and started training Well of Souls. Trainer in a bit...
#4  TippeX, 07-10-2007, 21:25
Quote:
Originally Posted by Synaesthesia View Post
Okay, "jus cus ur sheep"...
- CreateProcessA -> creates and runs a security module that cycles information back and forth with the main app. Uses CreateMutexA and checks the handle to see if it ran properly. One way to defeat its creation is to fake the mutex, or just let it run (assuming you have an original CD/DVD) and reset DebugPort from -1 to 0, either from user mode or from the kernel via a driver. Using SoftICE is easier than attempting to have a go at it with Olly. That's why it seems simple to you. There are like 2 or 3 patches you need to perform to debug SD. Either way, you can then safely attach a regular debugger such as Olly to it...
Sigh, it's the 'cleanup' process; this process handles exceptions like int 3 and so on in the other process, as well as some VM stuff.

Quote:

- SD has the gay habit of placing a JMP to the OEP right at its EP once the code is decrypted correctly (and that's what you need the CD for); other stuff I noticed: it emulates APIs in its own sections; also, you can easily create a continuous memory space for the allocations it makes, starting at the end of the last section; that way, you can make sure that once you dump it, you won't have problems with sparse memory chunks.
Oh, and how are you going to handle the DLLs? And the ccc's that do callbacks to the CD check, as well as other nasties... SafeDisc's memory allocation is generally for key tables and the int 03h opcodes, and other exception handling/checksumming.

Quote:
Back to Doom 3, I'm using Olly (you can sue me for that, I never managed to get SICE to run on XP, and not cuz I dunno how to do it, but cuz of my ATi VGA T_T - no patch ever worked, leaving me always suspended or frozen in its threads...) and so far these are the results:
Try adding in the SoftICE XP SP2 patch?

Quote:

a) EP: run the game with the CD in; SD decodes memory and places a JMP to the OEP right at its EP T_T
SD always had a direct jump to the OEP, about 129 bytes down from the initial entry point in the exe; this is the one you hook... no others...
It's easily spottable: jmp xxxxxxx (where xxxxxxx is outside of the current section).

Yet again you're guessing and bullshitting; you really need to research some, and drop this 'holier than thou' shit rivalry you have with sheep.... learn, research, have concrete facts and information, and try to do your own methods, not some crappy methods you've seen in some tut...

Half of reverse engineering is about coming up with countermeasures, new approaches, to make the task easier... your stuff sounds like you just grabbed some lines from the ARTeam SafeDisc dumper, made some assumptions, thought everything in the doc was gospel, and... well, we see the results...
__________________
bleh
DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
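Added example, not code from TippeX or anyone else in this thread: the two checks the posts above describe, done offline. First, TippeX's "jmp xxxxxxx where xxxxxxx is outside the current section" a hundred-odd bytes below the protector's entry point, found by byte-scanning for E9 rel32 whose target lands in another section of the same image. Second, Synaesthesia's "intermodular calls lead to allocated memory", found by checking whether each IAT slot still points into a loaded module or into memory that belongs to no module at all. The section names, module addresses, stub bytes and IAT contents are all constructed for the demo and are not Doom 3's; on a live process the module list would come from the loader and the second check would be VirtualQuery on each target (MEM_IMAGE versus MEM_PRIVATE).

```python
import struct
from dataclasses import dataclass

IMAGE_BASE = 0x00400000


@dataclass(frozen=True)
class Range:
    """A named virtual-address range (a section or a loaded module)."""
    name: str
    start: int
    size: int

    def __contains__(self, va):
        return self.start <= va < self.start + self.size


# Constructed toy layout (assumption, not Doom 3's real headers): the game's
# code is in .text, the protector stub holding the EP is a trailing section,
# and kernel32 is mapped high.
SECTIONS = [
    Range(".text", IMAGE_BASE + 0x1000, 0x1000),
    Range(".data", IMAGE_BASE + 0x2000, 0x1000),
    Range(".prot", IMAGE_BASE + 0x3000, 0x1000),   # protector stub, holds the EP
]
MODULES = [
    Range("game.exe", IMAGE_BASE, 0x4000),
    Range("kernel32.dll", 0x7C800000, 0xF6000),
]

EP_VA = SECTIONS[2].start            # protector entry point
OEP_VA = SECTIONS[0].start + 0x120   # original entry point, somewhere in .text


def owner(va, ranges):
    """Return the Range containing va, or None."""
    return next((r for r in ranges if va in r), None)


def find_oep_jumps(code, code_va, sections, max_depth=0x200):
    """Scan the first max_depth bytes of `code` (mapped at code_va) for E9 rel32
    jumps whose target lands in a different section of the same image.
    Pure byte-scan heuristic: 0xE9 can also occur inside other instructions, so
    each hit is a candidate to confirm in the debugger, not a verdict."""
    here = owner(code_va, sections)
    hits = []
    for off in range(min(len(code) - 4, max_depth)):
        if code[off] != 0xE9:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (code_va + off + 5 + rel) & 0xFFFFFFFF   # rel32 is from the next insn
        dest = owner(target, sections)
        if dest is not None and dest != here:
            hits.append((off, target, dest.name))
    return hits


def classify_iat(iat, modules):
    """Map each IAT slot (slot_va -> stored pointer) to the module the pointer
    lands in (a genuine import) or to 'allocated' when it lands outside every
    loaded module, i.e. the API was redirected into a private allocation."""
    verdict = {}
    for slot, target in iat.items():
        m = owner(target, modules)
        verdict[slot] = f"module:{m.name}" if m else "allocated"
    return verdict


def build_stub():
    """Constructed protector stub: filler, then at EP+0x81 a jmp rel32 to OEP."""
    stub = bytearray(b"\x90" * 0x81)          # stands in for the decryptor's own code
    rel = OEP_VA - (EP_VA + 0x81 + 5)
    stub += b"\xE9" + struct.pack("<i", rel)
    stub += b"\xCC" * 0x40                    # int3 padding (constructed)
    return bytes(stub)


# Constructed IAT: one slot still resolves into kernel32, one was rewritten to
# point at a private allocation outside every module.
SAMPLE_IAT = {
    IMAGE_BASE + 0x2010: 0x7C80B731,
    IMAGE_BASE + 0x2014: 0x00D40000,
}

if __name__ == "__main__":
    for off, target, sec in find_oep_jumps(build_stub(), EP_VA, SECTIONS):
        print(f"EP+{off:#x}: jmp {target:#010x} -> {sec} (candidate OEP)")
    for slot, what in classify_iat(SAMPLE_IAT, MODULES).items():
        print(f"IAT slot {slot:#010x}: {what}")
```

The section filter is what keeps the E9 scan usable: the stub's own internal jumps stay inside the protector section, so only the hand-off to the real code survives. The IAT check deliberately compares against every loaded module, not just the main image, because a healthy import also points outside the exe (into kernel32); "outside every module" is the signal that a slot was rewritten.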
#5  caki, 07-10-2007, 21:57
Naww man, seeing his post it's obvious that he didn't look at a single SafeDisc dumper or tutorial, and there are plenty out there. How do I know this? He's heading off in a completely wrong direction, and a lot of his stuff is so wrong you won't find it in a single tutorial. Let him bash his head against the wall a bit, see what he comes up with.
#6  caki, 07-10-2007, 21:59
Quote:
Originally Posted by Synaesthesia View Post
Lol. I know what you mean - big-ass motherf` .exe. Took a break and started training Well of Souls. Trainer in a bit...
No, I mean that dumping and appending the memory is just a completely wrong approach when dealing with SafeDisc.
#7  TippeX, 08-10-2007, 01:50
Quote:
Originally Posted by caki View Post
Let him bash his head against the wall a bit, see what he comes up with.
Heh, a bloody head probably.

But yeah, maybe his info isn't from a tut, 'cos if a tut was that wrong/bad, it would probably have been done by new fairlight ;p
#8  caki, 08-10-2007, 06:40
So fucking true :P
#9  Synaesthesia, 08-10-2007, 19:08
Yet another chance for people to show off. Sigh. "I did this and that" - by reading tutorials...
#10  caki, 08-10-2007, 19:57
Ahh, good old SafeDisc. I can't deny that I used a tutorial for SafeDisc, considering SafeDisc was the very first thing I ever unpacked (yes, even before UPX). Hah, such good memories of me sitting there and comparing with a hex editor the differences between the original exe and the Myth cracked ones (C&C Generals Zero Hour). Took me 6 months to finally understand everything in the tutorial (by Peex), but man, once I was done, did I understand. Can't emphasize how much I learned from that one simple tutorial... after SafeDisc everything back then seemed a breeze.

And all the other tutorials seemed stupid... I mean, people fixing ASProtect or ExeCryptor imports by hand? Man, wtf? It's all easily automated: just find a nice hook, inject some code into the process, and fix. Screw OllyScripts and all that other crap.

Yeah, I <3 SafeDisc.

Last edited by caki; 08-10-2007 at 20:00.
#11  Synaesthesia, 08-10-2007, 20:50
Gotta admit these bastards are much more of a thrill ride than ASPR or eC ever were T_T But yeah, I started with UPX LOL <3
#12  sheep (Banned), 08-10-2007, 22:04
Hahah... crazy little man... so not only have you proven EXACTLY what I said in the first place, that your reversing skills are a joke and you use complete bullshit to stutter your way through projects, but you're now backtracking on your ORIGINAL statement that ASPR is some kind of AMAZING protection showing up all the retail protections... and before you say DON'T TWIST MY WORDS, that is exactly what you were trying to say, I mean, WHAT OTHER REASON COULD THEY HAVE FOR BUYING IT??

I was hoping you would do something like this... had trouble stopping laughing. If protections were as easy as your (LITTLE) explanation at the end I'd fucking fire the coders... this is why you're considered such a lamer; why can you not fathom that what you put here would be looked over by people that HAVE!!! reversed the protection...

Personally I've never read anything from a tutorial about commercial protections. My motivation was a race with yatez and another guy in "divine" to see who could deprotect SecuROM and SafeDisc. I won by a bizarre turn of events: seccy of course has an internal check in its decryptor to make sure you're not pushing too much data through, and because my dumper ran chunks of data smaller than the check, it worked fine. Unfortunately yatez didn't realise this (none of us did, we were very new); his dumper ran larger chunks and had its output corrupted. Took him a few days to work out why it was like this, so I had a huge head start on SD2 (the SD2 game was WHO WANTS TO BE A MILLIONAIRE; I'll never forget it, as I'm sure many reversers rarely forget their first big projects). (I was such a noob I forgot to re-add the DX DLLs, and when it ran for the first time, apart from having a little dance around my bedroom, I realised my fucking mouse wasn't working hehe.) This is how it all started for me, about 7 years ago or so. I went on to making trainers (never liked the idea of getting locked up for a hobby), and yatez became one of the most famous crackers around and now works on the right side of the law for Sony (SecuROM).

Last edited by sheep; 08-10-2007 at 22:15.
#13  caki, 08-10-2007, 22:41
Jeezus Christ, 7 years ago... I was in 4th grade playing Age of Empires on my Pentium 1 133 MHz. Good times man, good times.

But you sparked my curiosity in the above post, sheep. What do you mean by "pushing data through the decryptor"? First time I hear of that type of statement... :/
#14  sheep (Banned), 08-10-2007, 23:07
It was the first version of the new SecuROM back then, and as basic as it was, it still presented lots of problems for a new "reverser" looking to prove his worth (I say basic, but it was as good as it got back then; even though seccy had a rep for being fairly easy, it certainly kept the lamers at bay, but of course no such thing as VMs being used back then). It was nothing compared to SD2, but it was a great place to start. One of its main features was (similar to SD) an encrypted IAT, which needed to be decrypted and resolved. The easiest way to do this was to attach a small DLL which basically fed the decryption routine its own IAT and collected the nice neat fixed one out the other end, but as I mentioned above, the decryptor had a check on it to make sure only a certain amount of APIs were being passed. My dumper worked fine because it only passed a few at a time before capture; yatez passed the lot through, and after "3Ch" passes I believe the results are corrupted.

SD worked in much the same way, except it had more exits from its decryptor, so it was a little harder to catch the results. Plus, I'm sure, as anyone who has tackled it knows, the way it formulates its APIs relies on its decryption pipes, as I called them (because visually that's what they were), using a formula which included the address it's situated at, so feeding the IAT section to the decryptor was not an option and a more LIVE approach was needed, by simply patching the decryptor and running the game. Generally this worked for most games. Of course people became wise and would put APIs at the very end of the game which your decryptor couldn't catch because you hadn't been there, but just a good look over what you had was good enough to spot if you had missed any. Then they started adding multiple IAT entries (not sure what else to call them really):
because the formulated APIs were now LIVE and relying on position as well as the IAT address in memory, they started to use the same IAT address with a different location to formulate another API. In the end it wasn't a huge problem. Then they added the BREAK AWAY sections (again, not sure what else to call them; because I don't read tutorials I call things as I see them). This was a section of APIs that were not stored with the MAIN set, so you couldn't just copy an entire section of IAT and hope for the best, but again, as TippeX says, this is what it's all about: you make new countermeasures to get around such things. Hope that explains a little. Sorry if it's a bit sketchy; it was actually closer to 9 years. I looked back at my old code tonight.

Last edited by sheep; 08-10-2007 at 23:14.
#15  TippeX, 09-10-2007, 03:59
SD didn't have more exits from the decryptor.
If you patched the right parts it always exited on the jmp [ebp-4].
Think it was -4, but it was a constant bounce into anti-debug (patch to 33 c0 40 c3) -> decrypt -> another check -> good boy bounced to the jmp [ebp-4] part.

Seems we all get rusty over time...
FileForums @ https://fileforums.com