Project idea with safedisc


kade
June 4th, 2003, 08:36
Hi,

I am interested in opening a project idea on safedisc. At the moment I am trying to fully reverse engineer safedisc to sharpen my skills and to learn the tools. I have already progressed a lot and I am looking if there are more people interested in this to work together. The version I am working on is v2.80.11.

PM me if you are interested, and if there are a few people then we can kick off and elongate this thread a bit.

evlncrn8
June 4th, 2003, 09:25
search button.. use it
I would also recommend that you start from 2.70.30 instead of jumping to 2.80.1x, you'll understand more that way

kade
June 4th, 2003, 10:05
Hi,

I have used the search button. I already reverse engineered the appended sections to the main exe, the ~e5d141.tmp and a great deal of the ~def394b.tmp file, especially the anti-debugging tricks inside it. I know almost what every function does in those files. The ones I still have to do are ~efe.tmp (shared data), ~defd6a.tmp, drvmgt.dll, secdrv.sys (here I found some dr checks), and a part of ~def394b.tmp. I have been looking at this for over 2 months now and it seems interesting to learn about anti-debugging tricks, obfuscation code, calling dlls, using threads, hidden application windows to call other processes (~e5d141.tmp does that), encrypted strings which get decrypted on the fly, strange things in PE headers, calling sys drivers and so on. In the end I am interested in unwrapping this version of safedisc, but to get more used to the tools (I use IDA, SoftICE and PE Explorer) and to safedisc I want to know what every function does, and alone it takes a lot of time, I experienced that. But if you think I should remove this project idea, I will do just that and keep on going on my own with a small question on the newbie board once in a while when I am stuck.

Your idea to first look at an older version is interesting, if I can find a target protected with it I will look at it, thanks.

evlncrn8
June 4th, 2003, 10:22
~efe.tmp aka cleanup - only important for invalid opcodes
I didn't say you should remove the project idea, it's just I can't see a lot of people helping you (mainly for the same reason that there are no public safedisc tools for 2.80.xx). I'd suggest you work from risc's existing public tools (think they did up to 2.5x.xx), from that you will probably see the same procs in the dlls that you've spotted in your 2.80.xx target.. good luck, oh, for finding targets, try looking for game patches.. that's what I usually work from..

kade
June 4th, 2003, 10:38
Thank you for your reply. And you are right, there are no public tools available protected by my version. I will do what you suggested and start looking at riscs public tools and learn more from there on.

SiNTAX
June 5th, 2003, 04:07
First thing you should do is write something to deobfuscate the code. This is really easy to do (200 lines IDC script) and will save you heaps of time when working in IDA!

kade
June 5th, 2003, 08:25
At the moment I have met 3 kinds of obfuscation code.

1) nullsub
2) push parameters onto the stack as follows

push arg4
push arg4
push arg0
call function1(arg0,arg4)
push arg0
call function2(arg0,arg4)

this should be:

push arg4
push arg0
call function1(arg0,arg4)
push arg4
push arg0
call function2(arg0,arg4)

3) The third one is probably the one you are referring to:


0056B5F0 loc_56B5F0: ; CODE XREF: 0056B60Bj
0056B5F0 ; 0056B615j ...
0056B5F0 jg short near ptr loc_56B5FE+3
0056B5F2 mov ds:8B000000h, esp
0056B5F8 rol byte ptr [edi+729090F6h], cl
0056B5FE
0056B5FE loc_56B5FE: ; CODE XREF: :0056B5F0j
0056B5FE sbb eax, 197CC987h
0056B603 nop
0056B604 nop
0056B605
0056B605 loc_56B605: ; CODE REF: :0056B5E6j
0056B605 js short near ptr loc_56B61B+1
0056B607 xchg edx, edx
0056B609 mov esi, esi
0056B60B jg short near ptr loc_56B5F0+1
0056B60D mov ebp, ebp
0056B60F xchg eax, eax
0056B611 xchg eax, eax
0056B613 mov edi, edi
0056B615 jnz short near ptr loc_56B5F0+1
0056B617 mov ebx, ebx
0056B619 jle short near ptr loc_56B5F0+1
0056B61B

which translates to this with some editing

0056B5F0 db 7Fh ; 
0056B5F1 ; --------------------------------------------------------------------
0056B5F1
0056B5F1 loc_56B5F1: ; CODE XREF: :0056B60Bj
0056B5F1 ; 0056B615j ...
0056B5F1 jns loc_56B61C
0056B5F7 mov edx, edx
0056B5F9 xchg esi, esi
0056B5FB nop
0056B5FC nop
0056B5FD jb short loc_56B61C
0056B5FF xchg ecx, ecx
0056B601 jl short loc_56B61C
0056B603 nop
0056B604 nop
0056B605
0056B605 loc_56B605: ; CODE XREF: :0056B5E6j
0056B605 js short loc_56B61C
0056B607 xchg edx, edx
0056B609 mov esi, esi
0056B60B jg short loc_56B5F1
0056B60D mov ebp, ebp
0056B60F xchg eax, eax
0056B611 xchg eax, eax
0056B613 mov edi, edi
0056B615 jnz short loc_56B5F1
0056B617 mov ebx, ebx
0056B619 jle short loc_56B5F1
0056B619 ; ---------------------------------------------------------------------------
stxt371:0056B61B db 0DFh ;

There are a lot of junk functions in here which do nothing and jumps which just lead to obfuscation.

Until now I always did it manually, but I am now trying to follow your advice SiNTaX and write an idc script for this. One script for the conversion to the right code (as seen in the snippets) and one for the extraction of the relevant operations, skipping xchg eax,eax and trivial jumps, and so on.

Is this the obfuscation that you were thinking of SiNTaX or are there more methods of obfuscation I overlooked?
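As an added illustration (not code from this thread), the bytes of the block above can be reconstructed by hand from the two listings, and a tiny length decoder for just those opcodes shows why the first listing is wrong: swept from 0056B5F0, the junk 7Fh byte turns the real jns into mov/rol/sbb, and the jumps from 0056B5F0 and 0056B60B/0056B615/0056B619 land inside items (the loc_xxx+1 and +3 operands); swept from 0056B5F1, every jump target is an instruction head. The byte values are an assumption derived from the listing, not taken from a binary.

```python
# Bytes of the block at 0056B5F0, reconstructed by hand from the two listings above
# (an assumption, not taken from a real binary). Note the overlap: the 0Fh that is the
# rel8 of "jg" at 56B5F0 is also the first byte of "jns" at 56B5F1.
BASE = 0x56B5F0
CODE = bytes.fromhex(
    "7F" "0F8925000000" "8BD2" "87F6" "9090" "721D" "87C9" "7C19" "9090" "7815"
    "87D2" "8BF6" "7FE4" "8BED" "87C0" "87C0" "8BFF" "75DA" "8BDB" "7ED6" "DF")
END = BASE + len(CODE) - 1          # 0x56B61B: the "db 0DFh" item, where decoding stops

def decode(ea):
    """Length decoder for only the opcodes in this block: (size, jump target or None)."""
    o = ea - BASE
    op = CODE[o]
    if op == 0x90:                                     # nop
        return 1, None
    if 0x70 <= op <= 0x7F:                             # Jcc rel8
        return 2, ea + 2 + int.from_bytes(CODE[o+1:o+2], "little", signed=True)
    if op == 0x0F and 0x80 <= CODE[o+1] <= 0x8F:       # Jcc rel32
        return 6, ea + 6 + int.from_bytes(CODE[o+2:o+6], "little", signed=True)
    if op == 0x1D:                                     # sbb eax, imm32
        return 5, None
    if op in (0x87, 0x89, 0x8B, 0xD2):                 # xchg / mov / rol with a ModRM byte
        mod, rm = CODE[o+1] >> 6, CODE[o+1] & 7
        if mod == 2 or (mod == 0 and rm == 5):         # disp32 form, e.g. mov ds:8B000000h, esp
            return 6, None
        return (3 if mod == 1 else 2), None            # disp8 or register-to-register form
    raise ValueError("unhandled opcode %02X at %X" % (op, ea))

def sweep(start):
    """Linear sweep from start, as IDA does from a new code head: heads and jump targets."""
    heads, targets, ea = [], [], start
    while ea < END:
        size, target = decode(ea)
        heads.append(ea)
        if target is not None:
            targets.append(target)
        ea += size
    return heads, targets

def mid_item_targets(start):
    """Jump targets inside the block that are not instruction heads (IDA shows loc_xxx+N)."""
    heads, targets = sweep(start)
    return sorted({t for t in targets if BASE <= t < END and t not in heads})

if __name__ == "__main__":
    print([hex(t) for t in mid_item_targets(BASE)])      # junk byte first: ['0x56b5f1', '0x56b601']
    print([hex(t) for t in mid_item_targets(BASE + 1)])  # start one byte later: []
```

The second result is exactly the condition kade's script tests: once the first byte is skipped, no jump operand needs a +N.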

SiNTAX
June 6th, 2003, 03:46
Those are the ones..

The 2nd one you mention, I didn't see in the version I worked on.. so it might be new. The other 2 are easy to deal with.

I would suggest that you mark them as data (MakeArray) instead of replacing them with NOPs (then you don't lose any information if your script f's up).

kade
June 6th, 2003, 09:34
Ok, I have a problem with my IDC script. I want to make it go through the list of problems and then pick out the problems which say ALREADY, those are the ones where the obfuscation occurs. But I cannot find any IDC function that supplies me with a list of problems so I can iterate over it and jump to them. Do you know if there is such a function?

The second approach would be to search the file for occurrences of +1, +2 or +3 so I would detect "js short near ptr loc_56B61B+1" and then it is straightforward to fix it.

SiNTAX
June 10th, 2003, 05:00
Well, why not start off with a manual action, i.e. you position over the start of an obfuscated code piece, start your script and it does the actions that you normally would do.

kade
June 11th, 2003, 05:29
I made a script that should work, but it doesn't.

I have to put the cursor on the instruction "jg short near ptr loc__txt2_10004618+1" and then it should fix the problem. But for some strange reason, the script makes it unknown, but it does not make the code afterwards. And that is strange because I can make the code manually. I checked the address realoperand and that one is ok. Where am I going wrong?


Here is the script :

////////////////////////////////////////

#include <idc.idc>

static main()
{
    auto start, jumpoperand, realoperand;

    // the cursor sits on the jump instruction (e.g. "jg short near ptr loc_xxx+1")
    start = ScreenEA();

    // address of the operand of the jump instruction: Rfirst0() returns the first
    // code xref from 'start' excluding ordinary flow, so for a jump this is its target
    jumpoperand = Rfirst0(start);

    // head of the item that already covers the jump target: the next non-tail
    // address after the target, then one head back
    realoperand = NextNotTail(jumpoperand);
    realoperand = PrevNotTail(realoperand);

    // if these two are not the same, the jump lands inside an existing item: obfuscation
    if(jumpoperand != realoperand)
    {
        // First make the piece of code unknown. Only the item at realoperand is undefined;
        // the second argument is the DOUNK_* flags value (1 = DOUNK_EXPAND), not a byte count
        MakeUnkn(realoperand, 1);
        // Then make code at the real jump target
        MakeCode(jumpoperand);
    }
}

////////////////////////////////////

kade
June 11th, 2003, 08:00
////////////////////////////////////////

#include <idc.idc>

static main()
{
    auto start, jumpoperand, realoperand;

    // the cursor sits on the jump instruction
    start = ScreenEA();

    // address of the operand of the jump instruction (first code xref, ordinary flow excluded)
    jumpoperand = Rfirst0(start);

    // head of the item before the jump target, then the next non-tail address after that head
    realoperand = PrevHead(jumpoperand, 0);
    realoperand = NextNotTail(realoperand);

    // if realoperand exists and these two are not the same we have obfuscation
    if(realoperand)
    {
        if(jumpoperand != realoperand)
        {
            // First make the piece of code unknown (1 = DOUNK_EXPAND flag, not a byte count)
            MakeUnkn(realoperand, 1);
            // Then make code at the jump target (attempted twice)
            MakeCode(jumpoperand);
            MakeCode(jumpoperand);
        }
    }
}

////////////////////////////////////

SiNTAX
June 12th, 2003, 03:46
Well I did something like:

Code:

auto l;
// strt and ea: start and end of the obfuscated snippet, found earlier by the script
for( l = strt; l < ea; l++ ) {
    MakeUnkn(l, 1);             // undefine every byte of the junk range
}
MakeArray(strt, ea-strt);       // collapse the junk into one data array, bytes stay visible
Analysis(1); Wait();            // let the auto-analysis finish before defining code
MakeCode(ea); Wait();           // the real instruction starts right after the junk



My IDC script finds the start and end of the obfuscated code snippet and then marks it all as Unknown, then marks it as an array so it takes up less screen space. The data after the array is set to code.

dELTA
June 12th, 2003, 06:28
What are the Wait() calls for?

SiNTAX
June 15th, 2003, 07:43
They wait till the auto-analysis is done.