#1
Securom 7 Antidumps
Hello,
I have been trying to deal with SecuROM 7.34 for a while now. Now I have encountered problems with the antidumps. The ones inside the "antidump call table" are already fixed, but there are some other ones left I can't find. Normally, my fixed dump crashes after the splash screen, but when I patch kernel32.dll in memory so it returns the PID from dumping time, it always crashes after the intro. Conclusion: at least one PID check and more antidumps are unfixed. I searched and patched all PIDs, no success; the ones in the memory I dumped I have also fixed, but they are not executed during startup either. The bad thing is that many antidumps are also there as "normal" functions, e.g. RtlGetLastWin32Error as a check whether the cfgs are already there. Does someone have experience with SecuROM antidumps here? (I know Complete Owning already.) My target is V1.1 and uncracked; V1.0 was done by Fairlight. SecuROM only uses a disc check, no PA.
#2
you've only done about 1/2 the job.. the VM has more checks than just the PID.. try looking a bit deeper.. there's a lot more involved than just a dump and patching kernel32 to return the right PID (which is a bad idea to begin with btw)
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if I don't know you...
#3
I know: OpenEvent, CloseHandle, maybe mutex, user and system name, TlsGetValue, RtlGetLastWin32Error, ResetEvent, CPUID, CRC of some system DLLs...
There is a call table with many calls to antidumps; all of those are already fixed. My problem is finding the other ones. Some of them I find, but patching them doesn't help, and they are also untouched in the crack for V1.0 => they belong to the game and not to SecuROM. I patched every PID and it crashes after the splash screen, but with the kernel mod after the intro. How can I find the unresolved PID check and the other antidumps? Can I name the target here?
#4
some aren't API stuff.. and yeah you can name the target.. considering it's a 7.34 it doesn't really matter anyway as 7.40 is the current version, so you've got a lot of work ahead of you..
put simply the method you are using is the flaw... if you put some time in and figured out how the VM worked, then you could remove SecuROM entirely.. as, with your method, if the VM is doing something you won't see it (because you blindly dumped it), so if the code has checks in it they will fail and you're doomed..
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if I don't know you...
#5
It is Stranglehold V1.1.
One antidump e.g. returns its own address; that one is fixed. This method is described in Complete Owning and there are lots of cracks (also for higher SR versions) that were made with exactly the same method.
#6
yeah I know the Complete Owning document, and it's far from complete owning, they missed a lot of things, some of the anti-dump functions do different things when called with different parameters, I think it's the VM that's causing your crash.. so you really should investigate that.. it will take some time, but it's definitely worth it as then you can convert the VM code back to x86 code and then you might see some of the checks you've missed which were 'embedded' in the VM 'script'...
in all honesty, the method you're using was the 'typical' method used by some of the crackers at the time, but it's out of date now and isn't exactly 'clean' (by this I mean the cracked executable should be about the size of the protected one or slightly smaller.. I've seen some of the cracks using this method being 50MB+ bigger than the protected exe, and that's bad in my book)..
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if I don't know you...
#7
If the document was called "Chocolate Sauce and Bananas" I may consider reading it :P
But "Complete Owning" is a bit elitist and no doubt is full of flaws.
#8
Complete Owning is wrong, but there are antidumps mentioned there (the ones that are not in the call table) that are unfixed in my dump, simply because I don't find them.
And normal PID - runs to splash; forced PID while dumping - runs till loading the main menu after the intro. That means at least one PID check is unfixed. I know many people don't like that sort of crack, but I think it is a good start.
#9
honestly, it isn't a good start.. take it from me, I've had years of experience in this, I'm retired now, but most people know my work.. I spent time reversing VMs (of one particular protection mainly) along with some friends, once done we were able to reverse the VM code back to x86.. once you have that it's easier to see the 'true picture' of what the protection does..
imagine it like this, what you have done is essentially dumped the VM tables and handlers, fixed them up, but you have no understanding of what the VM scripts are doing.. so let's say the developers marked a particular bit of code to be VM'ed when the exe was wrapped, and that code did some 'nice checks' (which is evident in some of the newer titles).. if you can't understand the VM code, then your dump will execute that VM script which will then fail, and do unexpected things, which you have to find, and fix.. and well, with it being in the VM script, which is not x86 based, it is essentially an entirely new language to learn to crack... that, put simply, is why the method you're taking is crap.. it's a short-cut at best to achieve the desired end result, but it's far from perfect, and you'd understand very little of how the protection works in detail.. and that is a flaw, because as/when (and it's happening now) a new version comes along with new tricks etc.. you're right back at square one...
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if I don't know you...
#10
I understand all, tippex.
I just want to have a moment of success with a working Stranglehold 1.1 crack after the 2 months I have already been trying to handle it. What you have written above is my plan for the next years: learn how the SR VM works and rebuild the code then. Which VMs did you reverse in the past?
#11
I have read the 2nd part of Complete Owning now and rebuilding the VM (manually) is out of my league.
If someone wants to finish my work, just tell me. I'll upload the dump then and tell you the values when I get the address where to find the antidump. Btw: in Germany, an unprotected budget version with patch 1.1 included is available, but:
- exe works only with the German version (maybe with the international one when replacing an extra file, too?)
- no blood
- no ragdoll
- censored cutscenes
- missing special moves
That erases all the fun.
#12
hmm VMs in the past.. pretty much all the major copy protections
most involve finding the handler (or handlers if there is more than one VM), of all, the SafeDisc one was probably the easiest, SecuROM's one is tricky due to it varying a lot, the StarForce one is a bit harder due to it being ring 0 and ring 3 when I did it, and debugging it in ring 0 was annoying to say the least due to anti-SoftICE, which then led to me making my own driver to debug it.. as for things being out of your league.. often it happens in reversing that people run before they can walk, like starting on hard protections without doing the easier ones first, which is a huge mistake, investing the time, seeing how the easier ones work then taking the ideas / methods you learned and using them on the hard ones definitely has its benefits.. it all depends on your will and time, all I can recommend is plenty of note taking, making little tools etc.. and research (plenty of it).. often if you're lucky some games are released with different protections depending on the country of release, if you can obtain a copy of both, then crack them and compare them it can help immensely, or if you're luckier.. obtaining an unprotected exe.. you could also pick an older target, get the crack for it, attempt to make your own crack and reverse what the cracker did, and understand it.. many people learn that way
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if I don't know you...
#13
I did things like UPX, ASPack, PECompact, ASProtect, RLPack, etc. in the past.
What should be the next level? I think Themida e.g. is also too hard. The SecuROM VM has about 256 VM handlers, I have read. I just know the uncut Stranglehold with SecuROM and the German censored budget version without protection. It helped by confirming that I have the right OEP and that the IAT is ok. Also, SecuROM is the best choice when you try to learn a game protection. SafeDisc is dead, StarForce is only used in Russia nowadays, and like SolidShield 2 it is also much too hard. About SF and SS2 nothing is public (except Reloaded's SF3 insights). Taking an already cracked SecuROM exe as help concerning antidumps doesn't help much; I know how to fix them, but I don't find them. Their location is different on every machine; it also depends on how (if you do it at all) you influence SecuROM's memory allocations. The 40000h block with tons of CPUIDs (that I found) gets a (slightly) different address every time I start the game. FLT fitted the VM into 15MB in a row, mine is spread through 180 MB, but UPXing the file results in just 11MB. You will never be able to rebuild the virgin file; revirging is the impossible dream of every reverser. Btw: does an unprotected and patched budget version exist outside Germany? Can you buy the game on Steam?
#14
if that's all you've done then you need to do more work and research, commercial game protections are hugely different from the 'casual' protections you have mentioned, I also wouldn't call UPX a protection, it's a primitive packer, and unpacking it is incredibly basic
I also wouldn't work from any cracks FLT did, they're shit and have been since April 2004.. I have on many occasions made a virgin file.. it is NOT impossible, it takes time and effort, don't try to equate your limitations to mine.. the SecuROM VM checking isn't just CPUID based, that's just binding, you still need to decrypt the script data stream and reverse that back to x86 code.. try learning old SecuROM first.. v5 or so, and SafeDisc 2, 3, 4, then move on.. you seem to think that you're 'at the level' to do these protections, and really you're not.. you need to research more, debug more, find out how things work in the protections yourself.. not reading some tuts out there (which btw the ones you mentioned are crap).. sometimes you need to actually do your own methods, figure out how things work, experiment, crash, pick yourself up, experiment again, then you might actually see light at the end of the tunnel, instead of chasing your tail and thinking you're learning something when you are really not
__________________
bleh DO NOT PM me with questions, leave that in the forums...ESPECIALLY if I don't know you...
#15
Sorry for insulting you.
With revirging I meant getting back the original file with exactly the same size, sections and code. Can I see such a file from you where you rebuilt the code? I know that rebuilding is too hard for me, but I thought that dumping the VM and fixing the antidumps would work. OpenEvent and CloseHandle I haven't found yet, same for TlsGetValue and RtlGetLastWin32Error. I have a script for fixing jump bridges; I modified it for my target. At 2 jmp bridges it fails with an access violation when reading from address 000000, and a bp on these bridges is never hit... I will check my games for SecuROM 5 protected ones now. Can you recommend me some "easy" targets? Hitman 2 e.g. has just SR 4, but ugly custom triggers inside.