
First safedisc 1 cracked with revirgin


tsehp
January 23rd, 2001, 20:54
hi,
just to report about the current state of the revirgin's (iat rebuilder)
beta.
I just did this:
- dumped the icd file with icedump
- generated the iat resolved files with revirgin, pasted them into the
dumped target and it works, spent 5 minutes on this.

Now, I've got to port it to safedisc 2, which seems to use pretty complicated iat-based encryption, just like alexey (asprotect)
did in his latest asprotect version you can find on commview 2.4
(btw thanks alexey for keeping me busy with your upgrades, if you could just put some info about your new versions on this board, I could react much more quickly)

So I need a working target protected with safedisc 2 and don't want
to buy a cd for this, so if someone manages to build a working one,
without the cd, and with iat untouched, that could ease a lot my work
on this case.

Thanks in advance, regards.

+Tsehp

IcyDee
January 24th, 2001, 08:19
It might be helpful if you explained more exactly what you wanted. From what I understand revirgin is able to take the IAT of a working exe file (such as a SafeDisc 1 title running from an original CD) and re-generate it avoiding all the IAT re-direction etc.
When you say you want an exe file that runs without the CD I assume that you mean an exe that has been patched but otherwise has retained all of the IAT re-direction as in the original?
I assume that exe files with modified IAT tables are of no use to you.
I would like to discuss with you sometime how your revirgin works, some work I have been doing sounds like it might use a similar approach.

risc
January 24th, 2001, 10:27
erm it creates a dumped file with idata intact (not dumped, doesn't dump idata from memory, is exactly the same as virgin exe's idata..), not very useful ..

also safedisc v2 (and the recent versions of v1) needed .code modifying to fully rebuild imports, call dword ptr [api_x] calls wrong api on 50% of imports.. safedisc v2 also has jmp _api_wrapper embedded into the .code section of wrapped exe.. more crap to rebuild!

there's this guy with a safedisc v2 'key injector patcher' type thing, which adds code to the exe to inject the key, kill cd check, and allow it to run with no cd.. i'll point him towards these posts!

tsehp
January 24th, 2001, 17:25
Quote:
IcyDee (01-23-2001 21:19):
It might be helpful if you explained more exactly what you wanted. From what I understand revirgin is able to take the IAT of a working exe file (such as a SafeDisc 1 title running from an original CD) and re-generate it avoiding all the IAT re-direction etc.
When you say you want an exe file that runs without the CD I assume that you mean an exe that has been patched but otherwise has retained all of the IAT re-direction as in the original?
I assume that exe files with modified IAT tables are of no use to you.
I would like to discuss with you sometime how your revirgin works, some work I have been doing sounds like it might use a similar approach.


Yes exactly, I just need an exe working in mem but without anything
modified concerning the iat's.

Concerning revirgin's under the hood, just write to my email and I will explain it to you, thanks in advance if you can provide me a working exe.
regards,

+Tsehp

tsehp
January 24th, 2001, 17:30
to answer artha and risc at the same time:

Owl told me that the new safedisc 2 uses the esp to decode correctly
the encrypted iat, so several code locations could call the same iat
and give different addresses

But I'll only have to create some kind of table to locate all the combinations and load my tracer with all the possible esp's, then a one-to-one iat table will be built.
It's easy to say, much harder to code, but if the protection sounds like
this I have to make some tests. Thanks if you have a ready made exe,
this will save me some time (so lazy I am these days)

best regards,

+Tsehp

The Owl
January 25th, 2001, 04:59
Quote:

Owl told me that the new safedisc 2 uses the esp to decode correctly
the encrypted iat, so several code locations could call the same iat
and give different addresses


uhm, i didn't exactly (want to) say that ;-). what i was told is that kernel32/user32 API calls originating from the wrapped exe will/can end up at different APIs even if they seemingly go through the same IAT slot. this obviously means that 1. such APIs go through a wrapper, 2. the wrapper decodes the real intended API address based on the caller's address (which is on the stack). this was happening for quite some time now, maybe not in the first releases of SD1 i looked at 2 years ago, but last year definitely. from what i see on the various forums this scheme hasn't changed that much for SD2, only that perhaps now other DLL APIs are wrapped the same way as well, and perhaps more kinds of API calling methods are detected and handled by the wrapper (i think originally they handled call/jmp [iat slot], maybe now it's more, i can't tell).

tsehp
January 25th, 2001, 19:49
thanks Owl for making it more precise.
a reverser called tippex will send me what I asked for, I'll get on this
pretty soon, I think that the only solution is to look for every iat,
all the references and try to trace them, impersonating the different
esp on the stack, then a one to one (iat/api) could be generated
and the caller's offset corrected into the code itself. Not done in one day I think
(modified 4/2/2001)
tippex/portia wasn't able to send a serious working app to reverse,
I still need a safedisc 2 app/game with iat still mangled just to test
revirgin on it, does someone have a working one ?
TIA,

+Tsehp
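A toy model of the caller-keyed wrapper The Owl describes and of the one-to-one table tsehp sketches in his last post, added here as an example; it is constructed data, not SafeDisc's or revirgin's code, and every address, API name and routing entry is invented. It shows why reading the slot out of memory gives only the stub, while visiting each call site with its own return address recovers which API that site meant and how many distinct slots a rebuilt table needs.

```python
# Toy model of a caller-keyed import wrapper: constructed data, not SafeDisc's
# or revirgin's code. One IAT slot points at a protector stub; the stub picks
# the real API from the caller's return address, so dumping the slot shows only
# the stub while two sites through the same slot reach different APIs.
# Invented API addresses and names in the wrapped process.
APIS = {
    0x77E80000: "kernel32!GetTickCount",
    0x77E80010: "kernel32!CreateFileA",
    0x77D40020: "user32!MessageBoxA",
}
STUB_ADDR = 0x00450000          # protector's wrapper stub inside the image
IAT = {0x00405000: STUB_ADDR}   # one slot; every call site goes through it

# Protector-side routing: return address pushed by each call -> intended API.
# The real stub reads the return address from [esp]; here it is an argument.
ROUTES = {
    0x00401006: 0x77E80000,  # 'call dword ptr [0x405000]' at 0x401000
    0x0040100C: 0x77E80010,  # next site, same slot, different API
    0x00401012: 0x77D40020,
    0x00401018: 0x77E80000,  # a second site that really wants GetTickCount
}
# (call site, return address) pairs; 'call dword ptr [imm32]' is 6 bytes.
SITES = [(0x00401000, 0x00401006), (0x00401006, 0x0040100C),
         (0x0040100C, 0x00401012), (0x00401012, 0x00401018)]

def stub(return_address):
    """The wrapper: decode the intended API from the caller's return address."""
    if return_address not in ROUTES:
        raise RuntimeError("unexpected caller %#x" % return_address)
    return ROUTES[return_address]

def naive_dump(iat):
    """Reading slot contents out of memory gives the stub, never an API."""
    return {slot: APIS.get(addr, "<stub %#x>" % addr) for slot, addr in iat.items()}

def trace_sites(sites):
    """Visit every call site with its own return address and record what the
    stub resolves to: the one-to-one (site -> API) table."""
    return {site: APIS[stub(ret)] for site, ret in sites}

def rebuild_iat(site_table, base=0x00406000):
    """One slot per distinct API; returns (new_iat, site -> slot patches)."""
    new_iat, patches = {}, {}
    for site, api in site_table.items():
        slot = next((s for s, a in new_iat.items() if a == api), None)
        if slot is None:
            slot = base + 4 * len(new_iat)
            new_iat[slot] = api
        patches[site] = slot
    return new_iat, patches
```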