
Safedisc


Fake51
June 2nd, 2001, 12:32
I'm having a problem with Safedisc. The encrypted file I'm working on is Thief 2: The Metal Age. The thing I'm trying to do is unwrap the main executable, seeing that I have the game installed from the original CD.
The problem lies in fixing the imports: they are of course rerouted to Dplayerx.dll. From what I've read about Safedisc, the reroute normally works something like:
- push # of API function to call
- push # of import module, i.e. 0 or 1 (as it only reroutes calls to kernel32 and user32)
- call main DLL routine
- return with address of API function
- jump to function


The version I'm working on does the first three steps, but instead of returning with the address of the API, it jumps from inside the call. This is of course not a problem, but when I looked inside the routine I found that the API chosen by the routine didn't depend solely on the function # passed to the routine. It also depends on where the call to the API came from.
Which leads to the real problem: calls from the main exe can go through the same reroute, but result in different API calls (which they do). Thus, trying to use something like Import Reconstructor on the import table will result in the program crashing (I'm guessing the same would happen with Revirgin, but I haven't been able to try since the darn thing doesn't work on my machine - don't know why).
Anybody tried this version of Safedisc or had a go at Thief 2? Suggestions would be appreciated. Right now I'm figuring that I'll probably have to rip the code out of Dplayerx.dll and then insert it into the main exe, but if there's an easier way I'd love to go there instead.

Cheers
Fake

tsehp
June 3rd, 2001, 09:33
RV should work on Win98, WinME, and 2000.
The last version manages to rebuild Safedisc's imports; they are mangled. One IAT entry can lead to several APIs, but RV takes care of this by reassigning the calls to the right IATs.

Fake51
June 6th, 2001, 09:44
Well, first off, Revirgin doesn't work on my version of Win98. I found that the problem lies in a part of the code that tries to locate some code in a VxD. Searching for the same code that Revirgin does gave me a position in vwin32.vxd, but seeing that I don't have any actual source of Revirgin, I'm not sure that that's what Revirgin is looking for (although my guess would be yes). Revirgin can't locate this code, because it starts searching at 0c0290000h, and the code is located at 0c0283d7ah under my version of Windows. Fixing Revirgin's code searcher made the tracer load, but so far it's just hung on me when I've tried to use it (which is the reason why I'm not sure I found the correct location in memory for Revirgin).

Anywho, guess I'll try and download the latest version of Revirgin and see if it'll fix my Safedisc. I'm almost through unwrapping it, only the hard labour part (ripping data out and inserting it) left.
By the way, how does Revirgin fix the problem of one IAT entry leading to several different APIs? I'm just going with ripping out the code that figures out the right API to choose and then inserting it somewhere. Any other method?

Fake

Fake51
June 7th, 2001, 07:26
Tried the latest Revirgin - doesn't have the same problem of loading the tracer. Seems nice.

Cheers
Fake

madmax
June 7th, 2001, 14:36
I've been working on SoftICE inline patching for Safedisc like r2's essay describes for VBox 4.5... It seems to be the same for Safedisc, but the memory is protected using VirtualProtect... You can easily intercept it and change params to leave read_write... I was considering a more universal option in which an inline patch would call an external general routine and create an imports.txt like RV/ImportREC generate... Thus, it could be imported and modified further for the tricky APIs. This seems more useful and more practical, as crashing is a problem with inline patching =)
Let me know what you guys think of such an idea!

madmax

tsehp
June 7th, 2001, 14:39
tell me if it manages to fix your problem.
I've tested on 5 different SD2 programs, but it still can evolve... who knows ;-)

ThrawN
June 11th, 2001, 22:52
Thank you dude, your information has been more than useful. I wasn't entirely sure about unwrapping SD2, but what you said made things suddenly a lot clearer. Hope I can unwrap this Red Alert 2 now.

Fake51
June 12th, 2001, 04:19
Cheers for the info

Well, at least to some degree you're right, Thief 2 is a mighty fun game. It was interesting unpacking it too, though; I never delved much into unpacking. The version of Safedisc on Thief 2 is basically a laugh, if you ask me. As soon as I ripped the important code out of the general API reroute, it was easy to figure out what was going on, and then just put in some code of my own.
Anywho, thanks for taking the time to give as much info as you did. Have you considered wrapping that info up as an essay and dropping it on tsehp's mirror?

Blue skies
- Fake

ThrawN
June 14th, 2001, 22:16
I'm having problems with Myst 3. I've extracted the loader and the dplayerx.dll, but the loader is apparently not a valid Win32 program. Is there a particular method for extracting these files?

ThrawN
June 16th, 2001, 06:00
Yes, I'm not entirely sure which DLL is which. I've sorted out the loader for sure. But the names are all shown as what appear to be random names?
They're not DLLs either, but tmp files that are DLLs renamed.