C-Dilla Safedisc
Another commercial protection defeated
protecting better / Advanced cracking
18 July 1999
by Black Check
Courtesy of Fravia's page of reverse engineering
slightly edited by fravia+
First of all, I must say that Frog has really left some deep prints behind :-)
Then again look at the following snippet: "Well the game now runs fine with SICE loaded. Let's get to the annoying part... " When I find something like this in an essay I "feel" I will enjoy it.
And you will too, dear readers... enjoy!
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner ( )Intermediate (X)Advanced ( )Expert


"The SAFEDISC technology is comprised of three key features:

(1) an authenticating digital signature
(2) encryption that protects the content and
(3) anti-hacking software.

During premastering, the content is encrypted and carries with it authentication instructions. A unique SAFEDISC digital signature is subsequently added to the title during mastering. When a user plays an original disc, the authentication software reads the digital signature allowing the program to be decrypted and to play normally. SAFEDISC also includes anti-hacking technology that prevents the compromise of its security features. The anti-hacking technology is designed to not only deter casual copying, but also to provide strong resistance to DESTRUCTIVE hackers and commercial pirates."

From the Safedisc homepage (http://www.macrovision.com/scp.html):

Hhmm... let's be DESTRUCTIVE.

C-Dilla Safedisc
Another commercial protection defeated
Written by Black Check

Introduction

As you probably know Safedisc is another commercial protection by C-Dilla. Protected CDs always have the files Clokspl.exe and Dplayerx.dll in the root. Our target is Midtown Madness [German]. There is a generic crack by Pedro [Laxity], but I don't like inserting CDs in my drive just for playing a game :-)

The executables consist of two parts. One is just the loader (Midtown.exe) and then there is always a *.icd file that contains the encrypted original exe. When the game is run the loader decrypts itself and the game exe using a key on the CD. What we have to do is to dump the decrypted exe to disk and fix it.



Tools required

-Microsnot Midtown Madness original CD (a 1:1 copy and the Laxity crack should do it too)
-Softice for W9x
-Procdump 1.4
-Adump
-Frogsice 0.14 -> www.thepentagon.com/frog_s_print
-W32Dasm
-knowledge of the PE format
-some time, nerves and a brain

  


Essay
++++++++++++++++++ C-Dilla 'Safe'disc Essay by -Black Check- ++++++++++++++++++++++

######################################
1. Eliminating the Anti Softice Code #
######################################





SafeDisc uses two well known SICE detection methods. The first one is known as 'MeltIce' and has been released by David Eriksson. It just calls CreateFileA with the SICE driver names

"\\.\SICE"
"\\.\SIWVID"
"\\.\NTICE" (not important in this case)

First I passed this with a Softice macro:

macro NOSICE ="d @(esp+4);e @(esp+4) 0;x;"

then

bpx CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do "nosice"

This works fine, but it's too slow. This crap is called about a hundred times! Another disadvantage is that you can't set breakpoints on CreateFileA anymore. If anyone knows better please mail.

The solution is much simpler. Just open Midtown.exe and search for 'ss' (ASCII); you'll find something like this:

\.ss
\.ss
\.ss



Just change 'ss' to 'xx' or whatever. You have to do this with 'DplayerX.dll', too. The CreateFile checks are now out, but if you run the game with SICE loaded it just crashes. Seems like there is another check. I played around with bpint 2f, 41 etc. but nothing. It uses int 68:

425205:  xor eax, eax
425207:  mov ax, 4300
42520b:  int 68
42520d:  mov [ebp-9c], eax
425213:  cmp eax, 4300
425218:  jz blablabla...



Don't try to patch this. There's a tool around called Frogsice. Once you load it you get a blue screen every time it detects anti-SICE ints. Frogsice has an option to fool the program but this won't work because int 68 returns 0x4300 in eax when SICE is not loaded. Frogsice returns 0x0000, so we'll have to patch Frogsice...

-Open FrogSice.vxd
-search for 60 80 7d 1d 43
-change the first byte to c3 (ret)

Frogsice will now handle all calls to int 68 correctly without popping up all the time :-)

Well the game now runs fine with SICE loaded. Let's get to the annoying part:





########################################
2. Rebuilding the Encrypted Executable #
########################################

The encrypted EXE contains the following objects:

   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 0018D800 Flags: 60000020
   Object02: .rdata   RVA: 0018F000 Offset: 0018DC00 Size: 00014E00 Flags: 40000040
   Object03: .data    RVA: 001A4000 Offset: 001A2A00 Size: 00030000 Flags: C0000040
   Object04: .data1   RVA: 00314000 Offset: 001D2A00 Size: 00000200 Flags: C0000040
   Object05: .rsrc    RVA: 00315000 Offset: 001D2C00 Size: 00000E00 Flags: 40000040

   .text       -> encrypted
   .rdata      -> contains the import data. Invalid since it only points to Safedisc routines
   .data       -> encrypted
   .data1      -> encrypted
   .rsrc       -> not encrypted (very honest...)





2.1 Dumping the .text section
------------------------------

IMPORTANT!
Be sure to replace that damn Microsoft AVI file, you will see it some times... :-)

Run the game. Don't forget to load Frogsice and wait until you get to the main menu. Now minimize it and run ProcDump. Dump the whole process (Midtown.icd) with standard options. Hex-edit your dump and copy the .text section to another file. If you don't know how to do this, stop reading and get some info on the PE file format. You can get the object information by disassembling Midtown.icd since the PE header isn't encrypted. Note that the raw offsets of the sections aren't the same in the dump. They're moved by 0x200 bytes. In our dump of Midtown.icd the .text section begins at 0x600, NOT at 0x400!!!



2.2 Dumping the .data sections
--------------------------------

As you can guess the .data sections are modified when the game runs. So we need them in an 'untouched' state. Set a bpx on the program entry point of midtown.icd (not midtown.exe!). You can get it out of the PE header, or with W32Dasm. You have to be sure that you're in midtown.icd when setting it. Press Ctrl-D while the AVI plays. Make sure that the process string on the bottom right is MIDTOWN. Now set your bpx (566c10). Run the game again and wait until Softice pops up. Now halt the program by assembling 'EB FE' at the current EIP. It should look like this:

566C10: EB FE      jmp 566c10

Now press F5 and dump the whole process with standard options again. Copy the .data and .data1 sections to another file. Remember the 0x200 bytes. You can kill the tasks now with Procdump.

Now make a copy of Midtown.icd and call it whateverulike.exe. Paste your dumped sections. What about the .rdata section, you're asking? Read on and cry...







##########################
3. A bitch called .rdata #
##########################

The .rdata section once contained addresses of the imported DLLs used by Midtown.exe. But when Safedisc messed it up it changed them to point to Safedisc routines that call the DLL functions. These Safedisc routines are in Dplayerx.dll and depend on the correct CD signature. Since this crap isn't loaded in our rebuilt exe it just crashes when it tries to call a DLL.

Run the protected exe again. Enable your breakpoint on the entry point and step into the first API call.

call [58f14c]

Now you're not in GetVersion but in the Safedisc routine:

.
.
pushad
push 00000031               --> the number of the imported function
                            --> if this value is too large the call crashes.
push 00000000               --> number of imported dll
call [9b6146]               --> get the real address of the function
add esp, 8
popad
jmp [09b6140]               --> and jump there
.
.
.

This code pushes the numbers of the function and the DLL and then calls a routine that returns the real address in ECX and the wrong reference in the .rdata section in EAX. Debug a little till you understand. Then come back.









As I figured out only the first two DLLs are handled this way (Kernel & User). The import data for the others is OK. Now you have to find out how many imported functions there are. You can count them in W32Dasm. (Please be smarter :). There are 0x106 Kernel32.dll imports. The number of User32 imports doesn't matter because we can let the program crash afterwards.

Now load Adump. With the 'r' command you get the address where you can start dumping to. For me this is 82abd000. Now start the exe and stop at the Safedisc function. Copy the .rdata section to Adump start address + 1000:

-m 58f000 l 14e00 82abe000







Set your EIP to 82abd000 and Softice-assemble this:

-a 82abd000

@1:   push ebx           ----> manually set EBX to 0 !!!!!!
      push 00000000      ----> dll number - you have to change this later !
      call [9b6146]      ----> get values into EAX and ECX
      mov  edx, 58f000   ----> this is the address of the .rdata section

@2:   cmp dword ptr [edx], eax  ;search for entry
      je @3
      inc edx
      cmp edx, 5a3dfd    -----> |    14e00h       + 58f000h       - 3 |
                                | size of .rdata  + offset rdata  - 3 |
      je  @4
      jmp @2
@3:   sub edx, 58f000    -----> rdata adr.
      add edx, 82abe000  -----> Adump start address + 1000h
      mov [edx], ecx           ;put the real address into our new .rdata
@4:   inc ebx
      cmp ebx, 106       -----> number of Kernel32 imports
      jnz @1
@5:   jmp @5             -----> stop here





Explanation:
-------------

This will call the SafeDisc routine with every function number as a parameter. The correct address is returned in ECX. The wrong index in the .rdata section is in EAX. Now it just searches the .rdata in memory for the incorrect reference and puts the real value from ECX into the .rdata block we copied to Adump memory.

The values mentioned above are correct for my version of Midtown Madness. If you're working on another game you must compute them yourself.

Now let our little proggie run. Wait a little. If you did it right nothing should crash. Go back into Softice. The cursor should be on @5.

Now set EBX back to 0. Set EIP back to @1. And change the PUSH 00000000 to PUSH 00000001. Run again. The program will crash because we pushed a value too large in EBX. That's OK. We have what we wanted >:)

Now go back to Adump and write our .rdata section to disk. Paste it into our rebuilt exe. Start it and kiss your screen! IT WORKS !!!!!!
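To make the loop's logic explicit, here is a Python rendering of the search-and-patch step from section 3 (an added example, not part of the original essay): it takes the original .rdata bytes plus the list of (EAX, ECX) pairs the stub returns per import number and rebuilds the thunks the same way the Softice loop does. The sample buffer and stub addresses are constructed; only the .rdata VA is the one quoted in the essay.

```python
import struct

# VA of .rdata as quoted in the essay for its Midtown Madness build.
# It is only used to report where a thunk was patched.
RDATA_VA = 0x58F000


def fix_import_thunks(rdata, rdata_va, resolved):
    """Python rendering of the @1..@5 Softice loop from section 3.

    rdata    -- bytes of the ORIGINAL (still bogus) .rdata section
    rdata_va -- virtual address the section is mapped at
    resolved -- list of (bogus_ref, real_addr) pairs, i.e. the EAX/ECX
                values the Safedisc stub returns for import numbers 0..n-1

    Returns (patched_copy, list_of_patched_vas). Like the loop it scans
    byte by byte (inc edx), stops at size - 3 so a 4-byte compare never
    runs past the end, and patches only the FIRST hit (je @3 falls
    through to @4) before moving on to the next import number.
    """
    out = bytearray(rdata)        # the copy at Adump start address + 1000h
    last = len(rdata) - 3         # cmp edx, size + base - 3
    patched_vas = []
    for bogus_ref, real_addr in resolved:
        needle = struct.pack("<I", bogus_ref)
        for off in range(last):   # @2: cmp dword ptr [edx], eax
            if rdata[off:off + 4] == needle:
                # @3: same offset in the copy receives the real address (ECX)
                out[off:off + 4] = struct.pack("<I", real_addr)
                patched_vas.append(rdata_va + off)
                break             # fall through to @4: inc ebx
    return out, patched_vas


def thunk_at(buf, off):
    """Read the 32-bit little-endian thunk value at offset off."""
    return struct.unpack_from("<I", buf, off)[0]


def demo():
    # Constructed sample: a 32-byte .rdata holding three thunks that point
    # at made-up stub addresses (not values taken from the real game).
    rdata = bytearray(32)
    struct.pack_into("<I", rdata, 4, 0x009B6200)
    struct.pack_into("<I", rdata, 12, 0x009B6210)
    struct.pack_into("<I", rdata, 20, 0x009B6220)
    resolved = [
        (0x009B6200, 0xBFF8A000),  # import 0: bogus ref -> real address
        (0x009B6210, 0xBFF8A100),  # import 1
        (0x009B6299, 0xBFF8A200),  # import 2: no such thunk, skipped like @4
    ]
    return fix_import_thunks(rdata, RDATA_VA, resolved)


if __name__ == "__main__":
    fixed, vas = demo()
    print("patched thunks at", [hex(v) for v in vas])
```

The patched thunks hold absolute addresses that are only valid on the Windows build they were resolved on, which is exactly why section 4 has ProcDump regenerate a proper import table afterwards.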

 



#######################################
4.  Making it a little more compatible #
#######################################

Well our rebuilt exe runs fine. But it's still not perfect. Just try running it on another Windows 9x version. It will crash. Why? The addresses we put in the import table are only valid for the Windoze version we ran it on. Normally the OS puts these values there when the exe is loaded. Since we put them there by hand other Win9x versions will crash. Let's fix that:

-Start Procdump (I really love it!)
-go to Options
-select:

[v]Recompute Object Size
[v]Optimize PE Structure

[.] Use actual import infos

-click on Rebuild PE
-choose our rebuilt exe

Procdump will now generate a valid import table. Our rebuild is now perfect. Eject the ugly original CD and enjoy how fast the game starts :))!



Ha!

You can safely delete these 'Safe'disc-bullshit files:

00000000407.0016
00000000407.256
Clokspl.exe     - very nice icon...
dplayerx.dll
Old midtown.exe
midtown.icd

2.86 MB less crap on your drive :)

                      -Black Check-

















Final Notes

#################################################################################################

         This crack is dedicated to Sir Gambit (I'm waiting for you, you ass!)

 BIG thanx go to G-RoM, Lorian & Stone for ProcDump, tHeRaiN for Adump, +Frog's Print for FrogsICE, c0v3rt+ for pointing out the bpx problem and Numega.

I won't apologise for my damn English. If you don't like it, don't read it!
#################################################################################################

Mail INTERESTING stuff to black_check@yahoo.de

Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
