26y4u
March 9th, 2009, 13:21
Hi, all
Unfortunately it's very hard to get SecuROM-related info, and the old tutorials
won't help you much because in the end it requires the original CD.
It contains some info needed for a complete unpacking algorithm if the paul.dll is not found.
Two weeks ago I started reversing for the first time,
because it was very unlikely that someone would look into it.
The bad thing: it was SecuROM. Definitely not for beginners.
I tried my best to get as much knowledge as possible.
Actually I have read more tuts about Armadillo than SecuROM.
They look very similar, and ARTeam's "Complete owning" is missing a lot of
stuff.
#warning: the following info isn't verified because I am too inexperienced.
#it comes from trial/error techniques and tuts.
#securom 7.01; winxp-sp3
#olly+hideop
(OutputDebugStringA; CheckRemoteDebuggerPresent; hide NT debug bit, method 1)
-To get the exact SecuROM version->
open a hex editor like Hex Workshop and search for "securom"->
it also copies some files to ..\securom\userData: securom_v7_xx.dat, .bak, .tmp
-Don't set a bp on functions like WriteProcessMemory; even at the retn it
won't break.
It erases some bp settings with rep stos/movs dword ptr, and if you trace, bye.
It's checking the first bytes of functions,
so setting bps on retn should be fine.
-To attach to the nag it's possible to open Olly in Olly:
DbgUiDebugActiveProcess till mov esi,eax->
new origin at mov eax,esi->
F9, but I always end up in sysenter retn since I can't break
on WriteProcessMemory and do an EB FE, although I didn't test a ring0 debugger.
The OllyAdvanced plugin "kill anti-attach" is working too.
Attaching with Olly with the option "break on thread" also works->2 threads->
kill the 1st thread.
After attaching with Olly you can attach with IDA too.
-It's possible to trigger the CD nag in Olly->
go to VirtualAlloc->bp on retn 10->F9->
remove bp, binary search (c20800), bp->F9->remove bp->F9
-You can even get another nag screen of SecuROM
which will enable the online activation->
F9->nag like "welcome..."->
back to Olly->go to lstrcmpA->bp->just click the button on the nag->
from here it's even possible to stop at paul.dll
directly (bp on something like RegOpenKeyExA)
or a function that is called before lstrcmpA.
If you leave your bp on lstrcmpA, of course you break there.
-//reaching securom oep//
start at Sitext oep->
binary search (558bec83ec40)->
you land on the 1st decryption routine->scroll down->
there will be a jb followed by a jmp command->
bp on the jmp, and the decryption of Stext has finished->
now you can search for the next commands->
not necessary: binary search (0f0bff648f05)
conditional bp (dword ptr [esp+0c] == 20)->
binary search (8965e88bf4893e)->
above there should be 2 pushes followed by a call->
set bp on the first push->F9->SecuROM OEP!
Here you can dump it without problems.
Make sure "rebuild import" is unchecked. Test your dump.
Extremely vague:
-Once I saw in Olly that it checks the al value against 1, and strangely enough my al value was the exact number of bps I had set. I removed all bps and did an F9, and exactly what I assumed happened: the SecuROM loader leading the way to sysenter and trying to terminate. But I can't reproduce the situation and set al manually to 1. Maybe it's possible to disable the bp Olly termination. It really sucks, with one mistake, to start all over.
Well, at least I could dump at the SecuROM OEP and make changes.
Now I am messing with the obfuscation, page guard, bp detection, create thread, etc. A lot more to learn.
I will update with more info when I reach the original OEP in the data section,
but for this I first need to get rid of the nag. So any additional info, critics, hints, tips, whatsoever is well appreciated, but please no "thx", "lol", etc. It has no info at all.
Have fun or get drunk.