[Cracking Securom....]


XICO2KX
December 19th, 2001, 21:39
Hi guys!
I'm new here...
A guy from the " Cracking France Forum" told me about this forum!
Anyway, I would like to ask your help! =}

This is my problem...
I have a game protected by "Securom *new*" - the protection was detected using "ClonyXL" and I manually checked the existence of the "sintf16.dll", "sintf32.dll" and "sintfnt.dll" files in my C:\WINDOWS\SYSTEM\ directory...

I can run the game with no problems using "Daemon Tools 2.88" (with the bin+cue file) or the "Generic SecuROM crack v6.0" (with the burned CD) or by using "Insektors 1.1"...
But I need to be able to modify the game's main executable to "crack it"(*) and I can only do that by unpacking/unwrapping it first! - I've been collecting some info about this and I already have some basic knowledge about the Securom working scheme!

(*) - Let's just say I need to run the game without the CD, only for "convenience reasons"!

I'm still just a "newbie" in this cracking stuff, although I can already "remove" some simple CD checks!
But these "commercial protections" are way too beyond my actual cracking skills...
So I'm asking for your help!

I found a tutorial on how to *manually* unpack it at http://www.woodmann.net/IDArchive/ID-RIP/database/tornado/notes092000/p09_4.html ... But that's a bit too much for me... (like I said before, I started only some time ago!)
And I was trying to find something that could do that hard/boring unpacking/unwrapping part for me...

I already know about "UnSecurom 1.0", but that doesn't work, because it's only compatible with the first version of "Securom"...

And then I found "ProcDump32 1.6.2" which comes included with a plug-in called "Securom Brahma client unwrapper v1.01", and it claims to be able to dump/unpack "Securom > r2" protected executables (although it's rather old - from March 1999)...

But I followed all the instructions in the readme.txt file and I still can't do it!
I start "ProcDump32", load the "Brahma Server", load the game, load the "securom unwrapper plug-in" (loader.exe), select the protected executable, click OK on the alert box, and then a message "Process 0xFFF????? will be dumped." (of course there is other stuff instead of the question marks!) appears on the "Brahma server" window, but then nothing happens!
The only button available is still "Abort"...
And if I try the "Unpack" command I get an error message like "This process can't be dumped !!" ...
Or if I try the "Dump" (Full/Partial) feature, I get "Process is not 32 bit or can't be loaded or is already finished !" ...
Has anyone of you guys used this tool before?

And that's it...
So, do you guys know how I can pull this off?
How can I unwrap/unpack the executable file?
Is there any other tool that can help me?
Or does ProcDump32 work fine and I'm doing something wrong?
Do you know where I can find more info on doing this "easily"?

I hope someone experienced on cracking the Securom protection can give me a hand with this...

P.S.: And sorry for any kind of mistakes in my message... It's because English is not my natural language... =P

JMI
December 19th, 2001, 22:06
XICO2KX:

I'm not a gamer myself, so I haven't looked at this system other than to follow threads here on the subject. Just wanted to direct your attention to a thread on the "General" forum at the bottom of the main page where several members recently discussed this protection scheme. Maybe you will find some useful information there and welcome aboard. Probably someone else who has some direct information about securom will also be of more direct help.

And some would argue that English is not a "natural" language. Too many ways to spell the same sounds. At least we have some of the worst spelling combinations in the whole world, IMHO, and your post was fine.

Regards.

Aimless
December 20th, 2001, 04:09
Are you talking DIABLO-2 ??

...If so then the solution is already on hand.

...Have Phun

acab
December 20th, 2001, 09:23
If you want to crack the game yourself, there's a R!sc tutorial around.
If you can't find it / don't properly understand it, drop a line to the forum.
If you just need the game cracked, you're in the wrong place: search the net and you'll find what you need.
aCaB

XICO2KX
January 3rd, 2002, 12:29
No, I just wanted to be able to crack it for myself...

And I'm not trying to crack "Diablo 2"!
But what do you mean by "the solution is already on hand"?
Is there a new tutorial about Securom-cracking for Diablo2 that could help me out a bit?

Anyway, I'm actually trying to crack a rare h-game called "Viper M1"!
I couldn't find any "No-CD crack" for it, so I decided to crack it for myself!
But I'm having a lot of fun learning all this Securom cracking stuff!

And I already know about R!SC's tutorial!
It's on the page I mentioned on my first message - it has 4 tutorials there related to Securom!
I've already read it and it helped me understand more about how to crack the protection, but I think it would be easier to rebuild the IT using ReVirgin instead of coding asm to do that...

But I've been reading a few "manual unpacking" tutorials (about procdump32 and revirgin) these last few days and things are starting to make sense to me!
I think I'll be able to make some progress if I dump the file with Procdump or IceDump and then rebuild the import table with ReVirgin!

I'm currently trying to learn how to work with OllyDbg instead of SoftIce...
I didn't know it before reading some of your posts on this forum, but I already tried it and I think it's a great tool!
I'll just have to learn how to use all the commands properly now...
But I still don't know how to dump the memory using only OllyDbg (I can't use IceDump with it anymore!)...

But when I have some more free time I'll resume trying to crack the game again...
And I'll let you know when I run into any more problems!
Which is meant to happen for sure!

Anyway, thanks for the help guys!
See ya soon!

P.S.: By the way...
What does "IMHO" mean anyway?

JMI
January 3rd, 2002, 12:55
XICO2KX:

IMHO is one of the group of abbreviations used in "computer speak". This one is short for In My Humble Opinion. Others you will see here include AFAIK which is short for As Far As I Know, and the rather rude RTFM which means Read The Fu*king Manual.

Happy New Year and keep Reading.

goatass
January 3rd, 2002, 13:53
JMI, just to add to your first post talking about the English language and spelling. What's the deal with silent letters??
If they are silent why have them?

Stupid language

Just wanted to add my own useless two cents.

goatass

JMI
January 3rd, 2002, 14:30
Goatass:

The use of "*" in place of other letters is usually an indication that the writer does not feel the need or, perhaps, feels that it is not appropriate to use common expletives in general conversation. The letters are not "silent," there is just no need to use them because everyone recognizes the word with the missing letters. I have no problem with the words or those who choose to use them, but I grew up at a time when it was not considered polite to use them in general public conversation.

But I assume your comments were intended as ironic and humorous and I only responded more formally for the benefit of those who might not truly understand this "native" tongue. I happen to believe that general civility towards one another is a preferred way to express thought, even if we think that the person to whom we are responding has demonstrated a general lack of good sense or laziness. With this attitude, one can give most questions at least a civil response, even if we add a bit of humor or tease, or prod to "do the right thing" along with it. Certainly one is less likely to be persuasive with a rude remark than a considered reply, and such replies are often just a stroking of the writer's own ego.

But enough of manners 101. Time to get back to work.

Kilby
January 4th, 2002, 06:11
Hi,

Having spent the last few weeks working on securom, the way that the IAT is resolved is different from the likes of asprotect and early versions of Copylok.

All API calls pass through the same routine, and the return address of the API call is used to give the real call address.

There is no redirected table to resolve.

The only real option for securom, is to find and resolve all the calls yourself.

This is not hard, the calls can even be found from a dump using hexworkshop; from there you can produce your own table of addresses to resolve.

This method works with everything released up to Dec 2001, though I haven't worked on the newest version that turned up in mid December.

However watch for certain addresses causing the securom routine to crash, and have a look to see why.

Regards,

Kilby...

XICO2KX
January 4th, 2002, 07:28
Yeah!
You're absolutely right!

As a matter of fact, after I posted my message I started thinking about what I wrote and I figured that that couldn't be right...
There is no IAT table to reconstruct (no need for ReVirgin!) because all calls are made to the same... call... as you correctly said!
I think I was too sleepy when I wrote my message...
And I got a bit lazy to write another one correcting what I wrote...

By the way, Kilby...
Didn't you write a Copylok tutorial (featuring ReVirgin) for Tsehp's page?
I think I remember reading something with your name on it!

Anyway, yesterday I investigated OllyDbg a little bit more and I reached the conclusion that I can't get anywhere with it...
It doesn't even reach the "JMP EAX" command and it keeps stopping at commands like "HLT", "CALL -1" or "IDIV 00000000" (division by zero)...
Possibly some weird anti-debugging tricks (that I didn't have time to investigate properly)...
It's a pity that this great debugger still isn't able to bypass these anti-debugging tricks...
Or maybe I still don't know how to work with/configure it the right way!
And I can't find any way to dump the memory contents with it either...
I guess I'll have to go back to good old SoftIce (and IceDump)!
And I still have a lot to learn!

I reinstalled Windows a couple of weeks ago and I still haven't installed SoftIce yet, and I have to study for some exams at school next week, so I won't install it yet because I don't want to waste too much time with this right now...
But I'll start working on it again when I have some more free time!
And I'll let you know when I have some more problems then...

And thanks for the help again guys!
IMHO, you're the best there are!

Kilby
January 4th, 2002, 13:50
Hi,

Yeah I did a copylok and also a Bi-Tarts tute.

One of the nice things about securom in a way is that it's predictable.

You know where certain bits of code will be, and it's great to play with.

However this also brings a disadvantage to the generic dumpers in that even a very small change in the code will render the dumpers useless.

As far as I can tell the recent code changes in securom (October / November time) were necessary because Creative DVD drives wouldn't work with the protection checks.

Personally I cannot see any (real) difference in the actual protection routines, but all the dumpers stopped working anyway.

My own dumper is now at the 90% stage and uses a slightly different approach, so minor securom code changes should be tolerated.

It will not go on public release.

Keep on working at Securom it's nice to work with.

If you however want to start breaking some new ground, in regard to tutorials have a look at laserlok, it's not too hard and there's no essays on it either.


Kilby...

Soon to be in search of a new target (he hopes).

XICO2KX
January 5th, 2002, 07:29
Humm...
I don't want to spoil all your fun breaking new ground and figuring out how to crack the LaserLok protection ( www.laserlock.com ) all by yourself, but...
As a matter of fact, I already found a tutorial about how to crack Laserlok a couple of days ago!
It's in Spanish though...

You can check it out here:
* http://espejo.hypermart.net/tutes/mesiash.htm [ http://gamescrk.cjb.net/ ]

It teaches how to remove this protection from the game Messiah using two different approaches!

I couldn't find any English tutorial, though...
So, have fun cracking it!
And I hope I've helped you a bit!

Kilby
January 7th, 2002, 13:36
Hehe,

I was suggesting that you may find it interesting to play with laserlock, as it hasn't been done to death in the tute scene.

I have found that the best method of learning how a protection works is to write a tut about it.

I still have a while till I can move on to a new target, as I have a bit of work to do on my first bit of 80x86 asm coding since 95.

Kilby...

froghunter
January 7th, 2002, 14:29
heya

> I don't want to spoil all your fun breaking new ground and figuring out how to crack the LaserLok protection ( www.laserlock.com ) all by yourself, but...
> As a matter of fact, I already found a tutorial about how to crack Laserlok a couple of days ago!
> It's in Spanish though...

> You can check it out here:
> http://espejo.hypermart.net/tutes/mesiash.htm


well, you can use some translator such as :

http://www.freetranslation.com/

this bastard pisses you off if you enter a URL ending with htm
and not html..
so save the page source on your hard disk and edit it with notepad
Patch the function isValidURL like this:


function isValidURL(str, blnRequired) {
    // accept every URL, whatever the extension
    return true;
}


pretty much like cracking eh ? ;-)

now you can translate that tutorial

enjoy!

Frog Hunter.

XICO2KX
January 7th, 2002, 21:02
Thanks froghunter!
I didn't know www.freetranslation.com yet!
I only knew world.altavista.com ...
But I only use it as a last resort because the translation is not perfect and sometimes it even translates words that weren't supposed to be translated!
And I can understand Spanish rather well, so I don't need a translator...
But I forgot to mention it to Kilby!...

And Kilby...
Sorry, I misunderstood you!
I understood that you were saying that you were going to start cracking Laserlock and not suggesting that I do it!...
I have to start reading the messages with more attention!
Anyway, I don't think I have any games protected with Laserlock, but if I ever get one, I'll try to crack it for myself to see if I learn a bit more!
Thanks for the tip!