Serious Sam - new safedisc ???


DakienDX
May 21st, 2001, 05:14
Hello everybody !

I recently came across the game "Serious Sam".
There are many bad sectors on the CD and you need it every time you start the game.
It has two sections ".icd1", ".icd2" and a third one ".idata".
I don't know which copy protection was used on it (icd = old/new safedisc ??), but it was quite simple to bypass.

It runs fine under Turbo Debugger 5.0, but you can't set any breakpoints or the program will crash.

It checks only one time for SoftICE via CreateFileA(). You can't use BPX or BPM either, but a BPR on the ".data" section works fine.
Then you are somewhere in a TEA decryption-algo. You can now easily find the password (128-bit) and decrypt the ".code" and ".data" by hand using any TEA(old)-implementation.

The program's idata (not ".idata", it's the copy protection's idata) is readable without any problems from the original program, only the names of the DLLs and functions are encrypted with a simple algo, which you can find via "BPR AddrOfFirstDLLPointer RW". When you have decrypted the idata with this algo, you can insert all the sections in the EXE and delete ".icd1", ".icd2" and ".idata".

The only thing left is to find the correct pointer to the import table, which should be very easy and to find the entrypoint, which is also very easy. Just search for a call to "__set_app_type" and go a few bytes back to the "Push EBP".


I hope I could help someone with this short description of the protection.

I would also like to know the name of the protection.
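The post above says the sections can be decrypted "by hand using any TEA(old)-implementation" and that a 128-bit key plus one 8-byte block of known plaintext/ciphertext is enough to confirm a key. As an added example (not code from the thread or from any poster), here is a reference implementation of the original TEA by Wheeler and Needham: 32 cycles, delta 0x9E3779B9, two 32-bit words per block. The buffer helpers treat the data as little-endian 32-bit words, which is the natural layout for an x86 section in memory; that byte-order choice and the sample key/plaintext are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEA_DELTA  0x9E3779B9u
#define TEA_CYCLES 32u          /* original TEA: 32 cycles = 64 Feistel rounds */

/* Encrypt one 64-bit block v[0..1] in place with the 128-bit key k[0..3]. */
void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Decrypt one block: run the cycles backwards, starting from sum = 32 * delta. */
void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t sum = (uint32_t)(TEA_DELTA * TEA_CYCLES);   /* 0xC6EF3720 mod 2^32 */
    for (unsigned i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Little-endian word access, so the same bytes decrypt identically on any host. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store_le32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)x; p[1] = (uint8_t)(x >> 8);
    p[2] = (uint8_t)(x >> 16); p[3] = (uint8_t)(x >> 24);
}

/* Apply TEA block by block (ECB) to a buffer whose length is a multiple of 8.
 * Returns 0 on success, -1 if the length is not block-aligned. */
static int tea_buffer(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt) {
    if (len % 8 != 0) return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2] = { load_le32(buf + off), load_le32(buf + off + 4) };
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        store_le32(buf + off, v[0]); store_le32(buf + off + 4, v[1]);
    }
    return 0;
}
int tea_encrypt_buffer(uint8_t *buf, size_t len, const uint32_t k[4]) { return tea_buffer(buf, len, k, 0); }
int tea_decrypt_buffer(uint8_t *buf, size_t len, const uint32_t k[4]) { return tea_buffer(buf, len, k, 1); }

/* Confirm a candidate key against one known plaintext/ciphertext block:
 * a single 8-byte pair is enough to rule a 128-bit key in or out. */
int tea_key_matches(const uint32_t k[4], const uint32_t pt[2], const uint32_t ct[2]) {
    uint32_t v[2] = { pt[0], pt[1] };
    tea_encrypt_block(v, k);
    return v[0] == ct[0] && v[1] == ct[1];
}

/* Self-test on constructed data (not a vector from the thread). Returns 1 on success. */
int tea_self_test(void) {
    const uint32_t key[4]   = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };
    const uint32_t wrong[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543211u };
    const uint32_t pt[2]    = { 0x55AA55AAu, 0x12345678u };
    uint32_t ct[2] = { pt[0], pt[1] };
    tea_encrypt_block(ct, key);
    if (ct[0] == pt[0] && ct[1] == pt[1]) return 0;        /* must actually change */
    if (!tea_key_matches(key, pt, ct)) return 0;           /* right key verifies */
    if (tea_key_matches(wrong, pt, ct)) return 0;          /* one-bit-off key fails */
    uint32_t back[2] = { ct[0], ct[1] };
    tea_decrypt_block(back, key);
    if (back[0] != pt[0] || back[1] != pt[1]) return 0;    /* round trip */

    uint8_t buf[16], orig[16];                             /* two blocks of sample "section" bytes */
    for (int i = 0; i < 16; i++) buf[i] = orig[i] = (uint8_t)(0x90 + i);
    if (tea_encrypt_buffer(buf, sizeof buf, key) != 0) return 0;
    if (memcmp(buf, orig, sizeof buf) == 0) return 0;
    if (tea_decrypt_buffer(buf, sizeof buf, key) != 0) return 0;
    if (memcmp(buf, orig, sizeof buf) != 0) return 0;
    if (tea_decrypt_buffer(buf, 12, key) != -1) return 0;  /* unaligned length rejected */
    return 1;
}

int main(void) {
    printf("TEA self-test: %s\n", tea_self_test() ? "ok" : "FAILED");
    return 0;
}
```

Two points the code makes concrete: decryption starts with sum already at 32 times delta and subtracts, so swapping the order of the two half-updates is not optional; and because TEA here is applied in ECB mode with no chaining, any single block can be checked against its known plaintext independently of the rest of the buffer, which is why a key found in a debugger can be confirmed from just 8 bytes.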

risc
May 21st, 2001, 06:41
its copylok / copylock . they probably have a webpage advertising how strong and unbreakable their protection is, dunno the url though (2 minutes at google.com reveals http://www.panlok.com , but, i only see a protection called codelok, heh, maybe they renamed it!)

new copylok is just as weak, with one extra icd section (they rename original program's idata -> icd0, and encrypt with tea). and after decryption of the code section, they scan it for call dword ptr's (ff 15's) & jmp dword ptr's (ff 25's), and then mangle into call wrapped_api, nop. pretty silly to decrypt a 100% virgin code section, and then mangle it

i think he has a little stronger anti debugging on win9x though, constantly morphs some decrypt keys using debug registers (maybe just dr7, i can't find him abusing any other dr's), so any bpm's screw up decryption.

i've never debugged earlier versions so i can't be sure if this is new or not. but from what you say, not being able to bpx or bpm, its probably not new. just annoying . (i had to run the game under win2k so i could bpm safely :-))

Kilby
May 21st, 2001, 06:57
It sounds a bit like copylok.

DakienDX
May 21st, 2001, 11:19
Hello risc !

Thank you. Now the enemy has been named and can be defeated !

I haven't found any more antidebugging code in it.

Just BPM and BPX don't work and CreateFileA checks for SoftICE.

evil-risc
May 21st, 2001, 11:40
i used icedump to find the debug register key morphs . /protect on , broke on access to idt, first time he was setting dr0..7 to 0, all other times he was reading dr7 ..

ThrawN
May 21st, 2001, 20:32
Damn, my serious sam version which i just picked up from EB in aus yesterday has no copylok, only a pathetic CD check

DakienDX
May 22nd, 2001, 04:39
Hello ThrawN !

That's bad luck.

My version is 1.00; the 1.00c Update doesn't alter the SeriousSam.exe, so we've only one encrypted program yet.

I'll check if you can crack the file without an original CD (and without an installation and its DLLs )

madmax
May 22nd, 2001, 17:48
I'm not sure if this is the new safedisc, but I looked at Hitman47 from Eidos recently, and it was pretty straightforward...The antidebugging can be annoying...I modified winice.exe a little (frogsice prone to crashing and another reason) and loaded icedump, cause i noticed IDT access...But still it crashed! I came across a routine that searches high mem (C0000000) for strings like SoftICE, TRW by ..., Frogsice, etc...LAME crap i must say...But it's easy to get around, just find a mov dl,[blah] and change to mov dl,xx where xx is a rare opcode...runs fine now under softice.

madmax

DakienDX
May 26th, 2001, 16:51
Hello madmax !

It is not THE new SafeDisc (v2.05.30/v2.10.30) which I've found in "No One Lives Forever" and "Black & White", but I thought it could be a very old version of SafeDisc or a "low budget" version for people who don't have enough money to buy a "full-featured" version.

This game took me about two hours to find a correct TEA-key and one more to decrypt the imports, SafeDisc 2.10.30 took me two days !

EBFE (restored)
May 26th, 2001, 16:52
all you have to do is to hide softice and bpx on __set_app_type or __getmainargs to get into the standard c pe header. the msvcrt imports are not protected by copylok so a bpx won't fuck up the tea key.
patch an endless loop into the .text cave and reset eip to this loop, exit sice and dump the whole process with procdump. scroll some bytes up and you will find 00425996 to be the original entry point.
the api calls do not pass any further check (like safedisk) so your dump will perfectly work :/

DakienDX
May 26th, 2001, 16:53
Hello EBFE !

I don't want to seem aggressive, but your reply seems to be in the wrong place. I'll shortly explain why.

"all you have to do is to hide softice" - Why ? We use SoftICE only ONE time to get the TEA-key and the copyprotection checks only ONE time for SoftICE. BPX MessageBoxA -> everything OK. (Btw, I think most of the people on this board have patched SoftICE against the most common detection methods)

"bpx on __set_app_type or __getmainargs" - How do you know that the game has a "standard c pe header" ? It would be more likely to look for GetVersionA, since it is used in most high-level programming languages in the startupcode.

"msvcrt imports are not protected by copylok so a bpx wont fuck up the tea key" - If we break finally on a msvcrt import, where should we look for the TEA-key ? How do we know that TEA was used when we simply ran the program until it is unpacked ? Or should we try to bruteforce it ? (We've 8 bytes of encrypted and decrypted data, so why not bruteforce a 128-bit password) ?

"patch an endless loop into the .text cave" - well, remember to change it back in the dump.

"reset eip to this loop, exit sice and dump the whole process with procdump" - If we wanted to dump the process and hope that the imports may work I wouldn't have started this post. I had fully unpacked the protection before I posted anything about it.

This is a reversing board, not a dumping board.

dead-sexy ;)
May 28th, 2001, 06:35
hoho, copylok sux!

he uses the cd for verification only, the key is stored internally in the exe and is morphed using "crcs" of his own protection code..

brute force will take forever, but stealing the raw key, and his morph table, and his code, you can create the final key with ease..

i will demonstrate soon

you can find oep by running the app with no cd, bpm messageboxexa x.. hit f12, click ok

search ebp-400 l -1 for the imagebase (usually 00 40 00 00)

you should find his magic morph table, -18h is the beginning of this ..

:s ebp-400 l -1 00 00 40 00
Pattern found at 013F:0098F5DC (000000E0)
:dd 98f5dc - 18 l 100
013F:0098F5C4 00619117 BFF70000 BFF60000 00AB08B0 ..a.............
013F:0098F5D4 00AB0750 00AB0BF0 00400000 00000000 P.........@.....
013F:0098F5E4 001A0400 00018000 001FF000 00000000 ................
013F:0098F5F4 00191000 00010000 001EF000 00000000 ................
013F:0098F604 001B7C00 00002000 00217000 00000000 .|... ...p!.....
013F:0098F614 001B9A00 00034000 00219000 00000000 .....@....!.....
013F:0098F624 001ECC00 00001000 0024D000 00000000 ..........$.....
013F:0098F634 001ECE00 00001000 0024E000 00000000 ..........$.....
013F:0098F644 001EDE00 00008000 0024F000 00000000 ..........$.....
013F:0098F654 001F0A00 00000C00 00257000 00000000 .........p%.....
013F:0098F664 001F1600 00003000 00258000 00000000 .....0....%.....
013F:0098F674 001F3C00 00001000 0025B000 00000000 .<........%.....
013F:0098F684 001F3E00 00002000 0025C000 00000000 .>... ....%.....
013F:0098F694 00000000 00000000 00000000 00000000 ................
013F:0098F6A4 001F5600 00001654 0025E000 001340CA .V..T.....%..@..
013F:0098F6B4 00AB0C50 00AB0910 006190DB 00AB0970 P.........a.p...

this table + 0ech -> OEP , 98f5c4 + ec -> 98f6b0 -> 001340CA, the entrypoint RVA for tropico ..

you can find the import table info searching the process for this encrypted string 'EZDP' .. string -4 = image import descriptors ..

in icd2 section ..

:dd 65b000 l 10
0030:0065B000 001E4000 50445A45 3D20474C 00692520 .@..EZDPLG = %i.

works with all versions i've tried

r!sc

4 days since my first time debugging copylok, he died :~, heh
