
View Full Version : SD2 - Why God ?


blackos
May 16th, 2002, 22:39
Hi all...
I know great people are all around this forum, so, I ask my question.
Why is there so little information about Safedisc2 all around the web ???
especially concerning version 2.51.xx or, better, 2.60.xx ???

I'm actually dealing with version 2.60.xx and I got stuck...

I'll hugely appreciate any kind of information about this !!!

thanx to all of you.



blak.

KeopS
May 20th, 2002, 11:27
> I'll hugely appreciate any kind of information about this !!!

hmm ... be more specific please

Pyrae
May 23rd, 2002, 10:46
I think, a kinda little list about the Anti-*.* stuff and crypto routines currently used would come in handy for people not deprotecting games very often. The ways to bypass them should then be obvious most of the time, I guess (surely no need for a 'then-press-F12-65535-times' type of text here).

So, if someone lately dealt with an up to date SD2 version, I'd appreciate some rough info, too...



Pyrae

ThrawN
May 23rd, 2002, 12:53
What sort of information are you looking for? Additional anti-debug changes?

blackos
May 24th, 2002, 09:06
Hi all, and thank you for your time


So, I need to be more precise, of course, so I will :

I'm actually dealing with version 2.60.52 of SD2.
You have to know that I'm neither a system guru nor a little newbie lost in Softice's world.
I first tried to use a classical approach to reverse SD2, that is exe dumping... then I tried to rebuild IT by myself.
By the way, I succeeded easily in bypassing the anti-SI trick which quits when a BPM x is set. So, it's not a big deal for me to break when I want now....
But bad news for me, because one vector in the table can lead to many different APIs. Ooops... it appears that the offset of the 'caller' is important for SD2. That means that after compilation, the code of the main program has been modified to create this strange Import Table stuff. Am I wrong ? Please, tell me....

Well, it's tricky for me. Could there be a simpler solution than coding a sort of 'scanner' which will rebuild every call in the code ??? Have you got any idea ?

That's not all... apparently, some internal calls of the SD protected application are made in one of the 2 new sections which are SD2 sections.... so some procedures are replaced by SD ones, am I wrong ?

Now, I think I used a bad approach to reverse SD2... I'm actually trying to understand how all this stuff is made and how to code a 'generic' dumper or loader or unprotector.

It's really interesting, but I feel it's a bit hard for me, so any kind of help will be wonderful ! (information, source code, or advice for a GOOD and WORKING approach).
I would like to succeed in dumping a working EXE first, then *try* to make a generic tool afterwards.

Thank you all guys.

blak.

[yAtEs]
May 24th, 2002, 15:02
> But bad news for me because one vector in the table can lead to many different APIs.

indeed, if you're taking the classical approach then you'll need to
build an array of the calls and catch the api then create a new thunk and place the values here and patch the code to use this.


> Ooops... it appears that the offset of the 'caller' is important for SD2.

however, if you want to take the reverser approach then here is a good start. you've identified that the offset of the caller is important, so try BPM RW on this and spend a while following it (:


> That means that after compilation, the code of the main program has been modified to create this strange Import Table stuff. Am I wrong ? Please, tell me....
you're not wrong, a new strange import table is indeed in place (:
hmm so where's the real one? looks like you need to take the above approach to find out more.


> Well, it's tricky for me. There could be a simpler solution than coding a sort of 'scanner' which will rebuild every call in the code ??? Have you got any Idea ?
it can be done, but there are many different ways of calling
apis, and it can be a big task. and even at the end there are
other things that need repairing.



> It's not all... apparently, some internal calls of SD protected application are made in one of 2 new sections which are SD2 sections.... so some procedures are replaced by SD ones, Am I wrong ?
ah, what was i just saying about other things that need repairing, ..oh yes now i remember (; yup code is replaced with code from the
2 stxt sections, you can investigate it quite easily.


> Now, I think I used a bad approach to reverse SD2... I'm actually trying to understand how all this stuff is made and how to code a 'generic' dumper or loader or unprotector.
to understand how everything works is never a bad approach to reversing q:


> It's really interresting, but I feel it a bit hard for me, so any kind of help will be wonderful !
jah, interesting init (:

> I would like to succeed in dumping a working EXE in a first time, then *try* to make a generic tool in a second time.
good idea.


hope this helps,

yates.

disavowed
May 24th, 2002, 15:48
as for your generic sd2 unwrapper, it looks like it's already been done:

http://www30.brinkster.com/cirkutz/sd/

i haven't tried the program yet, but found this with google. hope it helps.

blackos
May 24th, 2002, 17:25
Hi all... this answer is for you,

First, a big thank you to you [yAtEs], your funny answer gives me a little piece of hope on how to reverse this tasty protection scheme. I'm just going to "help myself" to go further into this nice stuff. But if I get stuck another time, may I hope you'll help me a little bit more ?


Well.... thank you "disavowed" for your URL, but my goal is not really to unprotect the software with someone else's tool...
I prefer trying to understand what is behind SD2 and trying to reverse it by myself. It's so MUCH fun.

By the way, your URL is for SD2 v2.51.xx and I'm actually dealing with SD2 v2.60.xx, so.... sorry, but it will not work. Yeah, the 'C*Dilla - Safe*disc' guys are working a lot and do pretty good things for us !!!.....

Nevertheless, thanks a lot !

By the way... how could you explain why there is so little information about this stuff all around the web ???


seeya.

blak.

[yAtEs]
May 24th, 2002, 18:21
> First, a big thank to you [yAtEs], your funny answer give me a little piece of hope on how to reverse this tasty protection scheme.

(; inspiration was the idea, i'll gladly help you more if need be if you have more questions, i was just giving you basic information. once you've got your focus set we can discuss particular bits of code.
q:

ThrawN
May 25th, 2002, 02:52
Could you give me a few game titles using this *new* Safedisc2?
I'll go buy one and check it out


ThrawN

blackos
May 25th, 2002, 10:51
Hi all !

for [yAtEs] :
Well .... I'm a bit further into SD2 and I've found the routine which unciphers the program's bytes in a 4096-byte buffer. It's pretty complicated (obfuscating stuff is not the problem) and long, so I'll try to understand something... I feel like I'm losing my time with these routines, but in fact I know that it's important to understand. Maybe I need a bigger brain ?


for ThrawN :
My target is actually 'Dra*gon' : a Chinese title available to download on Aaron's forum (exe-tools, see link below...) (a few executables + a .iso image to burn (around 20 Mbytes)). He said he can provide personal access to his FTP if someone can crack that.
Of course, this title is not complete, but enough to try to reverse it...
I'm not a Chinese guy and this title doesn't interest me by itself (who can read that stuff ?), but the protection scheme is pretty cool !!!!
I was also (and I still am) *not* interested in special access to Aaron's FTP, but I thought that if he asked others to 'crack' this title for him, it was because nothing can actually do it automatically, so it appeared to be interesting to me, you know.
Well, in fact it's a new version of SD2 and I find it hard to reverse.
Maybe you could have great fun with it ? For me, it's actually a kind of headache.... woww....

Have fun !
bye !...

blak.

[yAtEs]
May 25th, 2002, 15:20
> I feel like I'm loosing my time with these routines, but in fact I know that's important to understand. Maybe I need a bigger brain ?

ok here's some help then

************************************
morph_proc proc

var_10 = dword ptr -10h
new_byte = byte ptr -0Ch
size_of_block2 = dword ptr -8
size_of_block1 = dword ptr -4
data_block1 = byte ptr 8
data_block2 = byte ptr 10h


mov ecx, [ebp+size_of_block1]
push ecx
lea ecx, [ebp+data_block1]
call read_byte

mov [ebp+new_byte], al
mov edx, [ebp+size_of_block2]
push edx
lea ecx, [ebp+data_block2]
call read_byte

mov cl, [ebp+new_byte]
xor cl, al ;*
mov [ebp+new_byte],cl

mov dl, [ebp+new_byte]
push edx ; new_byte
mov eax, [ebp+size_of_block2]
push eax ; counter
lea ecx, [ebp+data_block2]
call write_byte
************************************

so you can see 4kb of data being written into,
things to do are,.. find

what the 4kb data block is
where does it come from
what does it end up as
what is its final outcome used for? (BPM IT, do it now! (; heh


thrawn:

SuperPower
Myth 3
StrongHold update
SOAF
Kohan

yates.

blackos
May 25th, 2002, 15:37
Thanks Yates ... I'm looking into this (IDA has already helped me to understand a little bit....).

))

By the way, I think 'KOHAN' is protected by SD2 v2.51.xx instead of 2.60.xx (I've checked the original CD (provided with my new computer)).

thanx.

blak.

[yAtEs]
May 25th, 2002, 15:45
> By the way, I think 'KOHAN' is protected by SD2 v2.51.xx instead of 2.60.xx

ah, kohan 1.34 patch then

blackos
May 26th, 2002, 00:57
Hi Yates !

A tiny little victory for me this time .... better than nothing....
I've finally succeeded in getting a good I.T. thanks to SD2 itself (good guy !)... but it's still not working at all, because of the replacements in the source code's CALLs...
I've got tears in my eyes because I've traced and traced this code for hours... I put so many BPMs between original ciphered data leading to temporary buffers .... it was horrible... but so good in fact.


Well, I still can't understand when and how the source code is modified so that different CALLs use only one I.T. vector.... was it before ciphering or is it done 'on the fly' by SD2 ??? Please, help !, I'm dying !...

you can see below my little victory to get a good (but not working) I.T.

017F:1009545C 8B45EC MOV EAX,[EBP-14]
017F:1009545F 8D8C10FF020000 LEA ECX,[EDX+EAX+000002FF]
017F:10095466 8B55E8 MOV EDX,[EBP-18]
017F:10095469 8B4518 MOV EAX,[EBP+18]
017F:1009546C 890C90 MOV [EDX*4+EAX],ECX <<< HERE ... I.T. vectors are created in temp buffer
017F:1009546F 7809 JS 1009547A
017F:10095471 90 NOP
017F:10095472 87FF XCHG EDI,EDI
017F:10095474 7F09 JG 1009547F
017F:10095476 87F6 XCHG ESI,ESI
017F:10095478 7E05 JLE 1009547F
017F:1009547A 7400 JZ 1009547C
017F:1009547C 78F3 JS 10095471
017F:1009547E 038B4DE88B55 ADD ECX,[EBX+558BE84D]
017F:10095484 248D AND AL,8D
017F:10095486 048A ADD AL,8A
017F:10095488 8B4DE8 MOV ECX,[EBP-18]
017F:1009548B 69C94B030000 IMUL ECX,ECX,0000034B
017F:10095491 8B55EC MOV EDX,[EBP-14]
017F:10095494 89840A32030000 MOV [ECX+EDX+00000332],EAX
017F:1009549B E91FFFFFFF JMP 100953BF
017F:100954A0 8B4D14 MOV ECX,[EBP+14]
017F:100954A3 C1E102 SHL ECX,02
017F:100954A6 33C0 XOR EAX,EAX
017F:100954A8 8B7DD4 MOV EDI,[EBP-2C]
017F:100954AB 8BD1 MOV EDX,ECX
017F:100954AD C1E902 SHR ECX,02
017F:100954B0 F3AB REPZ STOSD
017F:100954B2 8BCA MOV ECX,EDX
017F:100954B4 83E103 AND ECX,03
017F:100954B7 F3AA REPZ STOSB
017F:100954B9 8B45D4 MOV EAX,[EBP-2C]
017F:100954BC 50 PUSH EAX
017F:100954BD 6A00 PUSH 00
017F:100954BF 8B0D84850B10 MOV ECX,[100B8584]
017F:100954C5 51 PUSH ECX
017F:100954C6 FF1590700910 CALL [KERNEL32!HeapFree]
017F:100954CC C745F400000000 MOV DWORD PTR [EBP-0C],00000000
017F:100954D3 EB09 JMP 100954DE
017F:100954D5 8B55F4 MOV EDX,[EBP-0C]
017F:100954D8 83C201 ADD EDX,01
017F:100954DB 8955F4 MOV [EBP-0C],EDX
017F:100954DE 8B45F4 MOV EAX,[EBP-0C]
017F:100954E1 3B4514 CMP EAX,[EBP+14]
017F:100954E4 735A JAE 10095540
017F:100954E6 8B4DF4 MOV ECX,[EBP-0C]
017F:100954E9 C1E903 SHR ECX,03
017F:100954EC 8B55F8 MOV EDX,[EBP-08]
017F:100954EF A110460C10 MOV EAX,[100C4610]
017F:100954F4 8B1490 MOV EDX,[EDX*4+EAX]
017F:100954F7 33C0 XOR EAX,EAX
017F:100954F9 8A040A MOV AL,[ECX+EDX]
017F:100954FC 8B4DF4 MOV ECX,[EBP-0C]
017F:100954FF 83E107 AND ECX,07
017F:10095502 BA01000000 MOV EDX,00000001
017F:10095507 D3E2 SHL EDX,CL
017F:10095509 23C2 AND EAX,EDX
017F:1009550B 85C0 TEST EAX,EAX
017F:1009550D 752F JNZ 1009553E << NOP this call, you get original I.T.
017F:1009550F 8B45F8 MOV EAX,[EBP-08]
017F:10095512 69C08D000000 IMUL EAX,EAX,0000008D
017F:10095518 8B0D14460C10 MOV ECX,[100C4614]
017F:1009551E 8B54014C MOV EDX,[EAX+ECX+4C]
017F:10095522 8B45F4 MOV EAX,[EBP-0C]
017F:10095525 8B0C82 MOV ECX,[EAX*4+EDX]
017F:10095528 51 PUSH ECX
017F:10095529 8B55F8 MOV EDX,[EBP-08]
017F:1009552C 52 PUSH EDX
017F:1009552D E8FE000000 CALL 10095630
017F:10095532 83C408 ADD ESP,08
017F:10095535 8B4DF4 MOV ECX,[EBP-0C]
017F:10095538 8B5518 MOV EDX,[EBP+18]
017F:1009553B 89048A MOV [ECX*4+EDX],EAX <<< here, SD2 overwrite datas in temp buffer by original ones.
==> 1009553E EB95 JMP 100954D5
017F:10095540 EB07 JMP 10095549

thanx.
))

blak.

[yAtEs]
May 27th, 2002, 10:54
>A tiny little victory for me this time .... better than nothing....
>I've finally succeded in getting a good I.T. thanks to SD2 itself (good guy !)...

super (:

>I put so much BPM between original ciphered data
BPMTASTIC! (;

> Well, I still can't understand when and how the sourcecode is modified so that different CALLs use only one I.T. vector.... was it before ciphering or is it done 'on the fly' by SD2 ??? Please, help !, I'm dying !...

hmm ahh (:, have you looked at that proc below any more?
look at some of the dword data refs, maybe there's a kinda
funky lookup table q:

> you can see below my litlle victory to get a good (but not working) I.T.

yup yup, that's it!


yates.

ThrawN
May 27th, 2002, 12:30
Is anything interesting changed from 2.5 to 2.6?
I've only got 2.5 as the newest and that's only on loan

I work on 2.5 in olly in 2k mostly and that's very exciting but actually surprisingly satisfying and rather easy to reverse.
Unciphering isn't the hard bit. For me IT fixing is a pain
TEA isn't very complicated or long for that matter.

ThrawN

[yAtEs]
May 27th, 2002, 12:43
>Is anything interesting changed from 2.5 to 2.6?
>iv only got 2.5 as the newest and thats only on loan

yup, in 2.6 there's a range (3 or 4) of new types of code protecting
using, at first glance, a complex rva hashing system.
you wouldn't notice it until you fixed all the I.T though (:

yates.

blackos
May 28th, 2002, 11:57
Hi [yATEs] !....

This time, I'm so close to giving up...


I've read all your advice and tried to understand ... but in vain...
No results anymore, I'm pretty scared...
I know that SD2 manipulates the target's compiled code before creating its new I.T., so it replaces some calls by its own vectors. But I can't find WHERE .... I put of course many BPM RW all around ... of course on interesting offsets and it led me nowhere. There are so many complicated manipulations.
I suppose (I said *SUPPOSE*, I'm not sure) that SD2 creates a third buffer containing data that will be XORed with "sensible" specific data in the 4096 temporary buffer, so that for specific offsets, 'on the fly' modifying will be done during unciphering time (I've noticed that 'sensible' offsets are accessed only *1 time* in the 4096 bytes temp. buffer, so replacements are probably made in '1 time' instead of '1 time + later modifications').
BUT .... there's such a huge amount of data to try to understand that I think I'll need an "E.T. maxi-ultra-special brain" and amphetamines to understand.
You surely know that "E.T. maxi-ultra-special brains" are pretty hard to find nowadays and very expensive. So, will you be kind enough to give me help one more time ? (I don't have enough money to buy this new terrible brain....)


Yeah, hope to seeya soon !...

thanx
blak.

[yAtEs]
May 29th, 2002, 22:20
don't panic, u don't need a maxi-ultra-special brain, just have a rethink.

Quote:

I know that SD2 manipulates target's compilated code before creating its new I.T., so, it replaces some calls by its own vectors. But I can't find WHERE

hmm well that doesn't sound right, searching for where it changes the calls? that's done when the sdk is applied, all you need do is
decrypt the whole I.T and change the calls to point to the correct functions, and as you know the calling address affects what api is called, so with a few ripped functions, a decrypted i.t and a list of va's you can fix it all up. (:

yates.

blackos
May 30th, 2002, 00:19
Hello yATEs !....
yep, yep ... no need of an overboosted E.T. brain ? What a pity, it could be pretty fun to walk down the streets with a huge green head on our shoulders


So ... I searched for a non-existing routine... bad move....
But, in fact, with the good IT and the offset of the caller, one could probably rebuild working stuff.
*BUT*
To do so, one absolutely needs to hook the SD2 routine which calculates the real API call. That is not a big deal, but the program MUST RUN entirely in order to 'rebuild' our self-made hooked routines by using APIs.

Am I right ?
What about this : my application can't execute properly because of missing files. These files are important to run. The only thing my target does is show a messagebox with 'xxxxx file cannot be found, so I'm gonna quit'. This isn't enough to fix every call because these calls will never be executed.
Am I absolutely stuck ?

But even if I succeed in forcing the program to run (in fact, it will not work without any sound or graphic files...), I suppose you'll agree with me if I say there are a bunch of different ways to call a function.

For example,

CALL [offset]

or

MOV EDX, dword ptr [offset]
CALL EDX

will not result in the same compiled code, of course. Then, fixing back these calls with the good value of 'offset' could be a bit tricky, couldn't it ?

Well, I'm gonna code this little stuff and I'll see. But the whole thing isn't done yet, because there is still one funny part to reverse (redirected functions to the last 2 sections).... let's get a closer look ...

: ))

By the way, thanks once again [yAtEs], you're the only guy to have taken a few minutes to help me on this funny subject.

seeya.

blaK.
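As an added illustration of the point blackos makes above (the same API call can be compiled as CALL [offset] or as MOV EDX,[offset]; CALL EDX, so any tool that fixes calls back up has to recognise each encoding separately), here is a small byte-pattern scanner for 32-bit x86 that spots those two forms and maps the slot address they read to a name. This is example code written for this page, not code from any poster or from SafeDisc; the code bytes and the slot table are constructed. The 0x10097090 slot is taken from the CALL [KERNEL32!HeapFree] line in the SoftIce dump earlier in the thread; the 0x10097094 entry, the BASE value and the function names are assumptions.

```python
import struct

# Constructed slot map: address of an import-table slot -> API it points at.
# 0x10097090 is the HeapFree slot visible in the SoftIce dump in this thread;
# 0x10097094 is an assumed value added for the example.
IAT_SLOTS = {
    0x10097090: "KERNEL32!HeapFree",
    0x10097094: "KERNEL32!GetProcAddress",  # assumed, not from the thread
}

# Constructed code bytes (hypothetical virtual address BASE) containing:
#   push ebp; mov ebp,esp; push 0
#   call [10097090h]                    -> FF 15 <addr32>
#   mov edx,[10097094h]; call edx       -> 8B 15 <addr32> FF D2
#   call [0]                            -> slot not in the table
#   ret
BASE = 0x00401000
CODE = bytes([
    0x55, 0x8B, 0xEC,
    0x6A, 0x00,
    0xFF, 0x15, 0x90, 0x70, 0x09, 0x10,
    0x8B, 0x15, 0x94, 0x70, 0x09, 0x10,
    0xFF, 0xD2,
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,
    0xC3,
])


def find_indirect_calls(code, base):
    """Linear scan for two indirect-call encodings that read an absolute 32-bit slot.

    FF 15 <addr32>          CALL [addr]
    8B 15 <addr32> FF D2    MOV EDX,[addr] ; CALL EDX   (ModRM 15h = edx, disp32)

    Returns a list of (instruction VA, encoding name, slot address).
    A byte scan like this cannot tell code from data, so it can misfire on
    bytes that merely look like an opcode; a real tool would disassemble.
    """
    found = []
    i, n = 0, len(code)
    while i < n:
        if i + 6 <= n and code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            found.append((base + i, "call [mem]", slot))
            i += 6
            continue
        if (i + 8 <= n and code[i] == 0x8B and code[i + 1] == 0x15
                and code[i + 6] == 0xFF and code[i + 7] == 0xD2):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            found.append((base + i, "mov edx,[mem]; call edx", slot))
            i += 8
            continue
        i += 1
    return found


def resolve_calls(found, slots):
    """Attach a name to each hit; unknown slots are reported, not guessed."""
    return [(va, form, slots.get(slot, f"unknown slot {slot:#010x}"))
            for va, form, slot in found]


if __name__ == "__main__":
    for va, form, name in resolve_calls(find_indirect_calls(CODE, BASE), IAT_SLOTS):
        print(f"{va:#010x}  {form:<26} {name}")
```

The scanner only knows the two shapes quoted in the post; a register other than EDX changes the ModRM byte, and a call through a register loaded several instructions earlier is not caught at all, which is the practical reason yAtEs calls a full call-fixing scanner "a big task". The unknown-slot branch matters for the same reason: a slot the table does not explain should be flagged for manual inspection rather than silently skipped.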

[yAtEs]
May 30th, 2002, 01:42
>So ... I searched for a non-existing routine... bad move....
hah, /me chuckles (:

> But, in fact, with the good IT and the offset of the caller, one could probably rebuild a working stuff.
yup yup

> To do so, one absolutely need to hook the SD2 routine which calculates the real API call.
> Am I right ?

yup if u wanna do it the hard way i guess so, no need to make
things so complex, perhaps it's a small routine you can rip from ida, perhaps you could rewrite it yourself if you really knew how it all worked (; heh im such a tease eh?

> What about this : my application can't execute properly because of missing files. These files are important to run. The only thing my target do is a messagebox with 'xxxxx file cannot be found, so I'm gonna quit'. This isn't enough to fix every call because these calls will never be executed.

if you can run up to the entrypoint, then just R EIP <type of call offset> and debug from there

>Am I absolutely stuck ?

nope

> I suppose you'll agree with me if I say there's a bunch of different ways to call a function.

indeed, this is just one slice of the big tasty safedisc pie, heh.
don't eat it all at once!

> will not result in the same compiled code, of course. Then, to fix back these calls with the good value of 'offset' could be a bit tricky ? isn't it ?

nah, concentrate on one thing at a time and it'll come easy [:

> By the way, thanks once again [yAtEs], you'll the only guy to have taken few minutes to help me on this funny subject.

ur welcome.

yates.

blackos
May 31st, 2002, 22:20
Eh eh ... Yates, stay tuned, I'm working on it, but I actually have less time to try to defeat it ... some news in a few days.

)

blak.