New safecast essay
tsehp
March 25th, 2001, 02:19
check it out at :
http://tsehp.cjb.net/what_new.htm
Squidge
March 25th, 2001, 07:16
Well, that's a neat place to store the license info and expiry date. Are there many other programs that use a similar kind of protection? I've not seen many - most of them seem to rely on random scribblings of text in the registry which are all exposed using something like RegMon.
tsehp
March 25th, 2001, 12:46
No, it's the first time I saw this personally. But don't forget that safecast is provided by the same company that built safedisc, and safedisc relies on a place on cd where the format is different, storing some keys to decrypt the executable. They could eventually manage in future versions to modify some portion of your hd to store this kind of info, but I really don't think that users would appreciate this, especially if they do a normal format and that their os reports some r/w errors.
This place is btw a well chosen place because it's not mapped by a normal logical partition, so even if you format your hard disk, the sector 32 will remain untouched.
regards,
+Tsehp
goatass
March 25th, 2001, 14:06
Hey guys, nice essay +Tsehp and r!sc.
Just a side note, so far I worked on 4 safecast apps and all of them were very easy to break because after all the bullshit cdilla puts you through there are a couple small checks that when reversed the entire application is cracked and working 100%.
That's my experience with it, I didn't really try too hard to understand the underlying protection.
goatass
Squidge
March 25th, 2001, 14:55
Must say I'm pretty much the opposite, if a new protection system comes out, I like to know as much as possible on how it works, rather than just how to crack the app that uses such a protection. I just find it interesting I suppose.
Quote:
goatass (03-25-2001 11:06):
Hey guys, nice essay +Tsehp and r!sc.
Just a side note, so far I worked on 4 safecast apps and all of them were very easy to break because after all the bullshit cdilla puts you through there are a couple small checks that when reversed the entire application is cracked and working 100%.
That's my experience with it, I didn't really try too hard to understand the underlying protection.
goatass |
tsehp
March 25th, 2001, 19:50
Quote:
goatass (03-25-2001 11:06):
Hey guys, nice essay +Tsehp and r!sc.
Just a side note, so far I worked on 4 safecast apps and all of them were very easy to break because after all the bullshit cdilla puts you through there are a couple small checks that when reversed the entire application is cracked and working 100%.
That's my experience with it, I didn't really try too hard to understand the underlying protection.
goatass |
hi goatass,
but did you unpack them or process patch?
Actually I'm not focusing on cracking the app but on retrieving the original program by unpacking it and rebuilding the IAT. Did you rebuild the IAT with a personal program?
later,
+Tsehp
goatass
March 26th, 2001, 00:36
Squidge, I agree with you I'm the same way most of the times, it's just lately I barely have any free time so I just patch
+Tsehp yes I unpacked it, used your revirgin and some other home made tools to create a fully unpacked file.
goatass
SV
March 26th, 2001, 03:35
Hi all, tsehp, goatass
I have rebuilt the reversi proggy (import and code fix)
and need some other SafeCast targets to test the rebuilder
Please could you post some url ?
Thx SV
tsehp
March 26th, 2001, 04:09
I only have the macrovision links, I'll ask r!sc if he knows some more.
Unlike vbox, they don't like to publish info about their customers

LordSoth
March 26th, 2001, 17:30
Impressive heh
One question though. Wouldn't a good AV scanner be able to pick up the changes made by Safecast to the physical drive?
I admit I have no clue what sector 32 is used for, but what if malicious code
were put in it by some virus ?
Isn't there AV scanners that protect against stuff like that ?
LS
Rainor
March 27th, 2001, 10:25
I'm working on a 16-bit SafeCast target (AUTODATA), 15 days trial. The target verifies all license stuff using CDILLA05.dll, no wrapper or IAT stuff here, only a lot of calls to license management functions. Is there some place where I can get some kind of SafeCast SDF (ala FLexLM SDK) or info?
Where can I find a DiskMon clone for Win98? The only version is for NT/2K.
Rain

r
karakochev
March 29th, 2001, 15:03
Quote:
SV (03-26-2001 00:35):
Hi all, tsehp, goatass
I have rebuilt the reversi proggy (import and code fix)
and need some other SafeCast targets to test the rebuilder
Please could you post some url ?
Thx SV |
You can test www.installshield.com,
download demoshield. I have made a loader for the executable but you can try the new +thelp's safecast essay on it.
TOTEU
April 15th, 2001, 18:01
Quote:
Rainor (03-27-2001 07:25):
I'm working on a 16-bit SafeCast target (AUTODATA), 15 days trial. The target verifies all license stuff using CDILLA05.dll, no wrapper or
|
Hi, there.
AUTODATA was my first experience with C-DILLA. Reading the essay just got me remembering exactly this software. Back in ~1999 when I solved it I used DISKEDIT to find/wipe out that sector. Usually after MBR sector 1 there are blank sectors till 63. I think CDILLA uses (nr of sectors+1)/2 to store its data. Mostly sector 32 with all newer HDDs.
Coming from boot virii times (96-99) I managed quite quickly to find that weird data stored in sect 32. It's funny that CDILLA hasn't changed its weird type of modifying HDD from 1999, and that this method still applies.
TOTEU "busy, but still around from time to time". Greets everyone.
tsehp
April 17th, 2001, 03:56
Quote:
karakochev (03-29-2001 12:03):
Quote: SV (03-26-2001 00:35):
Hi all, tsehp, goatass
I have rebuilt the reversi proggy (import and code fix)
and need some other SafeCast targets to test the rebuilder
Please could you post some url ?
Thx SV |
You can test www.installshield.com,
download demoshield. I have made a loader for the executable but you can try the new +thelp's safecast essay on it. |
I'm afraid there are not, but you can still make sice trigger the kernel function I've described in the essay.
tsehp
April 18th, 2001, 02:32
Quote:
LordSoth (03-26-2001 14:30):
Impressive heh 
One question though. Wouldn't a good AV scanner be able to pick up the changes made by Safecast to the physical drive?
I admit I have no clue what sector 32 is used for, but what if malicious code
were put in it by some virus ?
Isn't there AV scanners that protect against stuff like that ?
LS |
+splaj already tried some antivirus on this: no success.
Not only sector 32 is used, but r!sc already saw some higher numbers.
This place is not used by windows and not included in partitions, it's a dead zone, very useful to store some info that you want to remain after a good old format.
Only a low level format can get rid of it, or manually erasing it with a hex editor.
Ziggy
August 31st, 2005, 12:39
Quote:
[Originally Posted by tsehp]
Not only sector 32 is used, but r!sc already saw some higher numbers.
This place is not used by windows and not included in partitions, it's a dead zone, very useful to store some info that you want to remain after a good old format.
Only a low level format can get rid of it, or manually erasing it with a hex editor. |
Any idea how to find (debug, track) those places with license information to erase them with a hex editor?
.. the new 2.66 version of Macrovision SafeCast has the license file placed in
"C:\Documents and Settings\All Users\Application Data\Autodesk\Software Licenses\*.dat"
- cleaning license data in the 0x20 sector and removing the license file gives an error...
so it has additional license data somewhere else...
I will appreciate any help or advice!
evlncrn8
August 31st, 2005, 13:47
nothing like resurrecting a 4 year old thread eh ;p
there's also a hidden c:\cdilla folder if i remember right from the old versions
SiGiNT
August 31st, 2005, 14:17
Yup!,
Even if you defeat the licensing scheme - Cdilla is sneaky, I'm 99.9999% sure that when you start your E-mail client it sends a log to Adesk - as if they have time to review everything they receive, but, keep it in mind.
SiGiNT
R3v3nG3
September 1st, 2005, 02:33
Some time ago I coded a little app to remove SafeCast info (the version was 2.20). The info I removed were:
1 - An HD sector, range 30-40, when the sector started with: 0xF5A041DD, 0x00010001
2 - Delete all the content in: C:\\Documents and Settings\\All Users\\Application Data\\Macrovision\\SafeCast
3 - Remove registry key & subkeys in: SOFTWARE\\Macrovision\\Safecast
Hope this helps.
Ziggy
September 7th, 2005, 02:10
Quote:
[Originally Posted by R3v3nG3]
The info I removed were:
1 - An HD sector, range 30-40, when the sector started with: 0xF5A041DD, 0x00010001
2 - Delete all the content in: C:\\Documents and Settings\\All Users\\Application Data\\Macrovision\\SafeCast
3 - Remove registry key & subkeys in: SOFTWARE\\Macrovision\\Safecast
|
Looks like it hides some license data somewhere else...
I removed:
1 - sector 32 started with 0xF5A041D8,0x00020002
2 - license file "C:\Documents and Settings\All Users\Application Data\Autodesk\Software Licenses\B32E6000.dat"
3 - registry keys [HKEY_LOCAL_MACHINE\SOFTWARE\Autodesk\Licenses\Autodesk Licensing Service]
There is no Macrovision\SafeCast folder. There are no Macrovision\Safecast keys...
After removing all that stuff the software gives a message that the license is unavailable...
Maybe there is some way to spy for sector access? Or somehow to know what module writes license data on a physical drive to make it write "new" license each time?
corus-corvax
September 7th, 2005, 08:36
Looking at a drive with *no* protected app installed, several of the sectors begin with 'FILE*'. How many of these sectors are unused or reserved, and if so, what data *is* being stored there? It can't be safe to just write data into reserved sectors, right?
LLXX
September 8th, 2005, 00:00
Quote:
[Originally Posted by corus-corvax]Looking at a drive with *no* protected app installed, several of the sectors begin with 'FILE*'. How many of these sectors are unused or reserved, and if so, what data *is* being stored there? It can't be safe to just write data into reserved sectors, right? |
Reserved doesn't mean "reserved for use by software protection systems", of course. Indeed, this is a very dangerous practice. Imagine if the FAT or one of the partition superblocks began there.

The "general practice" seems to be starting each partition on cylinder boundaries, although it is perfectly possible not to, and free up a few more sectors for storage. In fact, I found this on a site dealing with partitions:
Quote:
In most versions of FDISK, the first sector of a partition will be aligned such that it is at head 0, sector 1 of a cylinder. This means that there may be unused sectors on the track(s) prior to the first sector of a partition and that there may be unused sectors following a partition table sector.
For example, most new versions of FDISK start the first partition (primary or extended) at cylinder 0, head 1, sector 1. This leaves the sectors at cylinder 0, head 0, sectors 2...n as unused sectors. This same layout may be seen on the first track of an extended partition. See example 2 below.
Also note that software drivers like Ontrack's Disk Manager depend on these unused sectors because these drivers will hide their code there (in cylinder 0, head 0, sectors 2...n). This is also a good place for boot sector virus programs to hang out |
Writing over a vital disk-access driver with licensing info definitely isn't a good idea.
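The layout quoted in the post above (partition table in the MBR, first partition starting one track later, unused sectors in between) can be checked on a raw disk image. Added example, not part of the thread: a read-only Python audit that lists every non-zero sector between the MBR and the first partition. The image, partition values and marker bytes are constructed, and 512-byte sectors are assumed.

```python
import struct

SECTOR = 512  # bytes per sector assumed by the classic MBR layout

def first_partition_lba(mbr: bytes) -> int:
    """Lowest starting LBA among the four primary partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature, not an MBR")
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and n_sectors:      # entry[4] is the partition type
            starts.append(lba_start)
    if not starts:
        raise ValueError("partition table is empty")
    return min(starts)

def audit_gap(image: bytes):
    """List (lba, first 8 bytes as hex) for each non-zero sector in the gap."""
    findings = []
    for lba in range(1, first_partition_lba(image[:SECTOR])):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sector) < SECTOR:
            break                            # image is shorter than the gap
        if any(sector):
            findings.append((lba, sector[:8].hex()))
    return findings

def build_sample_image() -> bytes:
    """Constructed image: MBR, one partition at LBA 63, data planted at LBA 32."""
    img = bytearray(64 * SECTOR)
    # Entry 0: bootable, type 0x0B, start LBA 63, 1000 sectors (CHS fields zero).
    struct.pack_into("<B3sB3sII", img, 446,
                     0x80, b"\0\0\0", 0x0B, b"\0\0\0", 63, 1000)
    img[510:512] = b"\x55\xaa"
    img[32 * SECTOR:32 * SECTOR + 8] = b"SAMPLE\x00\x01"   # constructed marker
    return bytes(img)

if __name__ == "__main__":
    for lba, head in audit_gap(build_sample_image()):
        # On a 63-sector first track, LBA n is CHS sector n+1 (CHS counts from 1),
        # so check which numbering a disk editor uses before comparing results.
        print(f"LBA {lba} (CHS sector {lba + 1}): starts with {head}")
```

A disk with a GPT protective MBR reports no gap here, because its single 0xEE entry starts at LBA 1.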
SiGiNT
September 8th, 2005, 00:44
If I understand you correctly, you are assuming removing all traces of safecast will allow you to run the program without a license - this simply won't work, that's like saying removing the Dongle and the dongle driver will allow a program to run without the dongle - there are routines either in the main executable or associated dll's that look for the safecast info, it's built into the software. However if you don't plan to use the software then it's desirable to remove safecast - a couple of years ago a popular Tax program was distributed using safecast - and the result was a disaster, it caused problems for a lot of people, Cdilla does have some attributes that classify it as spyware.
SiGiNT
Ziggy
September 8th, 2005, 03:42
Quote:
[Originally Posted by sigint33]If I understand you correctly, you are assuming removing all traces of safecast will allow you to run the program without a license - this simply won't work... |
I'm trying to make the software trial (30 days) period much longer by removing all license information saved on the physical drive, files and registry. When the software is installed on a "clear" system, it writes trial license data. So, the main task is simple = make the software write NEW trial license data like with the first installation.
Question: here it was mentioned that tsehp has found some other places on the physical drive where license data is stored... How to find those places? Or who can tell something about it?
Another way is to make the software work with a faked FLEXlm license file. Demon is patched ok, but the client dll is crypted with SafeCast and it makes me crazy unpacking it... Any advice or help?

naides
September 8th, 2005, 05:53
One thing you may explore is the use of virtual machines (VMWARE).
As far as I can tell Scast does not know it is being run in a VM.
If you make a clone of the machine before install and after install, then compare all the changes made in the virtual disks, files, registry etc etc, you may locate all the elements that track the licensing process (as long as they are contained in the machine, and not tracked by web connections)
There are other tools that take snapshots of your system before and after install (look for them in a similar thread I started months ago with the same idea in mind) but I doubt they go all the way down to track direct access to individual sectors in the disk.
A simplistic, yet effective method to keep using the protected software and your testing, is to keep a clone of your VM right before the Scast software gets installed. . .
You can start from scratch with a clean, working version as often as you need.
SiGiNT
September 8th, 2005, 09:29
The key to what you are trying to do probably does not reside in the safe cast licensing info, it often is an un-identifiable registry key, (and occasionally an undeletable one also), or a file in your Documents directory, and sometimes found in the Win or Win32 directory, do a search for a file with the same date and time the soft was installed/ and or the date it expired, in those directories - stay away from anything that looks like a native Win file and re-name the ones you find - better yet get an install monitor/manager and let it log what the app does when installed on a new machine - you may find what you need, but be prepared to wade through a ton of stuff.
SiGiNT
corus-corvax
September 10th, 2005, 07:22
How do you create an 'undeletable' registry key?
corus-corvax
September 10th, 2005, 07:26
Quote:
[Originally Posted by LLXX]Reserved doesn't mean "reserved for use by software protection systems", of course. Indeed, this is a very dangerous practice. Imagine if the FAT or one of the partition superblocks began there. The "general practice" seems to be starting each partition on cylinder boundaries, although it is perfectly possible not to, and free up a few more sectors for storage. In fact, I found this on a site dealing with partitions:
Writing over a vital disk-access driver with licensing info definitely isn't a good idea. |
I was reading on a site about hard drives, and I was wondering if perhaps some of the 'reserved' sectors could be the ones saved to substitute for bad sectors. Or are these totally hidden by the controller?
blabberer
September 10th, 2005, 07:54
Quote:
How do you create an 'undeletable' registry key?
|
if you mean a key that is undeletable by normal apis (advapi exported apis)
then yes it's possible, take a look at sysinternals site, look for reghide, something that shows how to create such a key by embedding an extra null (uses native apis ZwCreateKey etc)
but if you know how to edit hive offline then i don't think a really undeletable registry can be made
SiGiNT
September 10th, 2005, 12:16
Yes, a key can be made to be undeletable, using normal everyday registry tools, Armadillo does this, and yes if you know how to it can be deleted, many, (or maybe all), of the keys in the security section cannot be deleted using normal means.
SiGiNT
laola
September 10th, 2005, 17:08
Quote:
[Originally Posted by corus-corvax]How do you create an 'undeletable' registry key? |
The "normal" APIs (advapi exports) use plain zero-terminated strings, the native APIs use length-indexed strings. That means you can create strings with superfluous zeroes by using the native APIs. These keys cannot be accessed from Tools like RegEdit. You have to use the native APIs to access them.
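The mismatch described in the post above, seen from the detection side. Added example, not part of the thread: it decodes KEY_BASIC_INFORMATION records, the form in which native key enumeration returns counted names, and flags names with an embedded NUL, which a NUL-terminated reader would cut short. The sample records and key names are constructed.

```python
import struct

HEADER = struct.Struct("<qII")   # LastWriteTime, TitleIndex, NameLength (bytes)

def parse_key_basic_information(buf: bytes) -> str:
    """Return the counted UTF-16LE key name from one KEY_BASIC_INFORMATION."""
    _last_write, _title_index, name_len = HEADER.unpack_from(buf, 0)
    raw = buf[HEADER.size:HEADER.size + name_len]
    if len(raw) != name_len or name_len % 2:
        raise ValueError("truncated or odd-length name")
    return raw.decode("utf-16-le")

def win32_view(name: str) -> str:
    """What a consumer of NUL-terminated strings reads from the same name."""
    return name.split("\0", 1)[0]

def find_unreachable(records):
    """Return (counted name, NUL-terminated view) for names holding a NUL."""
    hits = []
    for buf in records:
        name = parse_key_basic_information(buf)
        if "\0" in name:
            hits.append((name, win32_view(name)))
    return hits

def make_record(name: str) -> bytes:
    """Build a constructed sample record (timestamp and title index zeroed)."""
    raw = name.encode("utf-16-le")
    return HEADER.pack(0, 0, len(raw)) + raw

# Constructed enumeration result: two ordinary names, one with a trailing NUL.
SAMPLE = [make_record("Licenses"), make_record("Settings\0"), make_record("Run")]

if __name__ == "__main__":
    for counted, seen in find_unreachable(SAMPLE):
        print(f"counted name {counted!r} is read as {seen!r} by NUL-terminated callers")
```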