SecuRom 7.30.0012
personmans
October 19th, 2008, 16:27
I was wondering if anyone had tutorials or information relating to SecuRom. I've searched all over and I managed to find ARTeam's Securom 7.3 writeup, but it does not explain anything about the protection, simply how to remove that specific version.
So far I've been able to bypass the initial checks made by the target (i.e. serial key and internet validation) as they were in an external DLL. I also managed to have that DLL unload itself from memory, but the main CD check is still in place after it has been unloaded. I don't quite understand what SecuRom is doing to check for the CD, so I figured unpacking it would be my next logical step.
My unpacking adventure so far consists of getting nowhere. I have tried to manually unpack it, but with such little information about the security I don't fully understand how. I found a couple of scripts written by members of ARTeam and some from our Chinese friends, but they do not seem to help me find the OEP.
Side note: I do not have the original CD (which seems to be an integral part in the other SecuRom tutorials I have found).
evlncrn8
October 20th, 2008, 04:50
no paul.dll -> perform cd/dvd check..
personmans
October 20th, 2008, 08:55
The way I interpreted it was that one of the modifications I made to paul.dll was causing:
CD Check in paul.dll -> unloading of paul.dll (Through unhandled exception?) -> second check/check somewhere else
So are you saying that when paul.dll unloads itself, it still gets called by the main (dat) and doesn't pass the check because the function call fails? If so, I can keep tearing apart paul.dll.
personmans
October 20th, 2008, 16:30
Ok, so small update here, I 'repaired' the paul.dll to get it to stop unloading itself. Put a BPX on everything to see where I end up after the CD not found screen comes up. Then I hit retry to get a break.
I run into a loop that allocates memory (LocalAlloc) then does:
EnterCriticalSection
TlsGetValue
LeaveCriticalSection
It does this three times.
During this time it is allocating space to store tables of values, which I assume are later compared to do the check. I am still getting there.
Also, it would have been so much easier if I knew it was a loop putting tables into values. I'm definitely publishing a breakdown of the SecuRom system when I'm done.
evlncrn8
October 21st, 2008, 00:59
erm, paul.dll doesn't do the cd check.. you're totally wrong...
as for 'definitely publishing a breakdown of the securom system when i'm done'.. might be a good idea to have correct information before you do that...
..
1. paul.dll does not do the cd/dvd check
2. paul.dll does not unload via an exception...
you need to do a bit more work, and pay attention to what's going on instead of guessing...
personmans
October 21st, 2008, 01:11
Quote (originally posted by evlncrn8):
> erm, paul.dll doesn't do the cd check.. you're totally wrong...
> as for 'definitely publishing a breakdown of the securom system when i'm done'.. might be a good idea to have correct information before you do that...
> ..
> 1. paul.dll does not do the cd/dvd check
> 2. paul.dll does not unload via an exception...
> you need to do a bit more work, and pay attention to what's going on instead of guessing...
Well that [1] explains why the tables got me nowhere, but it DOES unload itself via an exception that I created. I can show you if you like.
What is the point of criticizing my observations? I never said they were absolute or correct, I said I have no documentation for a protection and that I am trying to figure out what it is doing. I asked for any material to read, I would gladly read about it and understand what is going on.
For now, I have reversed 2/3 of the protections without any help which is not too bad for me. Though as I thought the 3rd part will likely be the toughest. Also, when I said I will publish a breakdown when I'm done, I mean when I'm actually done.
evlncrn8
October 23rd, 2008, 02:22
unloads via an exception that you created.. well that's a bit different.. i was talking about normal conditions...
as for criticizing your observations i simply mentioned where you were wrong, because other people may read it and believe your theories,
it was not a personal attack, i would mention it in any post where the information was inaccurate...
and the only public information on securom is the ar-team stuff, which isn't complete but it's about the best you can get at this current time.. also bear in mind that things change protection wise with each new version that comes out...
the unloading via an exception you create is a bit strange though...
what would be the reasons for doing that? and sure, i'd like to see
also, what do you mean by 'tables got me nowhere'.. what tables?
personmans
October 23rd, 2008, 09:24
Well in that case, thanks for your input. I was actually going off your first post. I thought you meant that paul.dll being unloaded was causing the CD check to fail later on.
Quote (originally posted by evlncrn8):
> unloads via an exception that you created.. well that's a bit different.. i was talking about normal conditions...
> and the only public information on securom is the ar-team stuff, which isn't complete but it's about the best you can get at this current time.. also bear in mind that things change protection wise with each new version that comes out...
> the unloading via an exception you create is a bit strange though...
> what would be the reasons for doing that? and sure, i'd like to see
> also, what do you mean by 'tables got me nowhere'.. what tables?
The unloading through exception was a strange phenomenon to me, basically I was patching the internet check part of paul.dll and I used RETN to end the function early, it worked, but when I went to close the program the correct way it would crash when unloading the dll.
I left it and went searching for the elusive CD check -> BPX on every intermodular call in paul.dll. A bunch of TLS get and set functions, here is where I (accidentally) made the DLL cause an exception, and it unloads itself from memory without giving an error (but you see the error in the debugger).
As for tables, at the point where paul.dll has the TLSGet and Set functions, it is loading tables into memory. It looks almost like a linked list where it allocates memory, writes info, then writes the address of the next block of memory that is going to be allocated. It does this every time you press "Retry" on the CD check dialogue.