API on Safedisc 2.60
quake_ger
April 7th, 2004, 13:52
I am just trying to unpack Safedisc 2 (Morrowind, German). I read 3 tutorials about Safedisc 2 (from Peex, quake2, ...). I fixed all APIs except 4, which are not really API functions. Is this the "API stuff", as r!sc called it? How can I fix them?
I would be happy if somebody could help me.

evlncrn8
April 7th, 2004, 14:25
Quote:
[Originally Posted by quake_ger] I am just trying to unpack Safedisc 2 (Morrowind, German). I read 3 tutorials about Safedisc 2 (from Peex, quake2, ...). I fixed all APIs except 4, which are not really API functions. Is this the "API stuff", as r!sc called it? How can I fix them?
I would be happy if somebody could help me.
Not really API functions? So they're Safedisc API, right? aka crypted code chunks. Trace into the call and watch what it does.. quite simple.
quake_ger
April 7th, 2004, 14:51
Do you know the routine by which it gets to the "real" API?
It goes the same way, but the API that comes out is no API from Kernel32.dll, User32.dll, Ole32.dll, Msvcrt.dll, ... and so on. But I downloaded a crack to compare the IAT, and this API must be called from Kernel32.dll.
evlncrn8
April 7th, 2004, 20:48
Quote:
[Originally Posted by quake_ger] Do you know the routine by which it gets to the "real" API?
It goes the same way, but the API that comes out is no API from Kernel32.dll, User32.dll, Ole32.dll, Msvcrt.dll, ... and so on. But I downloaded a crack to compare the IAT, and this API must be called from Kernel32.dll.
Then it's a normal API, not SD2 API (crypted code chunks).. trace into the call using E8s, you'll see where he does the API resolve..
What you're describing is the Safedisc API wrapper, where it goes to a memory area, then into the handler, and eventually (after a while) ends up at the right API VA to do the API call.. trace into it, pay attention to the registers..
quake_ger
April 9th, 2004, 14:29
But it's not a normal API. This API doesn't exist, which is what I sometimes get.
Quote:
...where it goes to a memory area, then into the handler, and eventually (after a while) ends up at the right API RVA to do the API call.. trace into it...
Yeah, I already know this. At the end is a ret, and this ret brings me to the real RVA. But at 6 or 7 calls the RVA doesn't exist! But what exactly is the "API stuff", as r!sc called it?
evlncrn8
April 9th, 2004, 17:23
Quote:
[Originally Posted by quake_ger] But it's not a normal API. This API doesn't exist, which is what I sometimes get.
...where it goes to a memory area, then into the handler, and eventually (after a while) ends up at the right API RVA to do the API call.. trace into it...
Yeah, I already know this. At the end is a ret, and this ret brings me to the real RVA. But at 6 or 7 calls the RVA doesn't exist! But what exactly is the "API stuff", as r!sc called it?
SD2/3 API -> 'Crypted Code Chunks' usually starts with a call, which goes into the SD routine; basically it then decrypts the bytes, sets EIP to the start, executes it, then when it rets it gets crypted back up again.
As for the API not existing, try tracing it again, this time only probe the API you couldn't before when you reach OEP, note down the code flow, then repeat again; you'll see where he's catching you.. also remember there's anti-BPM code, so be careful.
quake_ger
April 13th, 2004, 08:52
Quote:
[Originally Posted by evlncrn8] SD2/3 API -> 'Crypted Code Chunks' usually starts with a call, which goes into the SD routine; basically it then decrypts the bytes, sets EIP to the start, executes it, then when it rets it gets crypted back up again.
I don't really understand it. Which bytes will be decrypted, and when? Peex wrote in his tutorial that he changed the address in ESP and then he got the right address. I tried a different way: I downloaded an API spy tool and tried to find out which address will be called, but I only found HeapAlloc APIs and not what I searched for.

evlncrn8
April 13th, 2004, 12:17
r eip to one, trace into it, watch what happens.
And 'which bytes'.. the ones where the call is.. like I said, ditch the tuts
and do some tracing, make your own notes, it'll all fall into place easier then.
quake_ger
April 15th, 2004, 07:28
It seems that 'Crypted Code Chunks' are only in Safedisc 2.60 and above. (But why doesn't Safedisc2Cleaner unwrap Morrowind?)
evlncrn8
April 15th, 2004, 12:34
Quote:
[Originally Posted by quake_ger] It seems that 'Crypted Code Chunks' are only in Safedisc 2.60 and above. (But why doesn't Safedisc2Cleaner unwrap Morrowind?)
Nope, CCCs existed even in the days of SD1; there are different variations though. If I remember correctly, Morrowind didn't have any. Keep debugging, or rebuild the exe, play the game, and have faults on in SICE; that way you should catch where it crashes, backtrace, see what's going on etc.
quake_ger
April 22nd, 2004, 07:35
Okay, I did it.

After debugging about an hour I found the real calls and so on.