
unpacking secuROM 5.00.3


sHice
April 11th, 2004, 18:55
Hi,
I tried to unpack a game protected with SecuROM 5.00.3. First I dumped the exe at the OEP, then I coded a call fixer which replaces every SecuROM call with the correct API call. When the call fixer had done its job I dumped the .text section with the correct calls and replaced the .text section of my first dump with the fixed .text section. Next I started the game and everything worked just fine, but when I wanted to load a savegame *bang* I was back on my desktop... What I had thought would happen, happened: the game tries to call an API which my call fixer couldn't fix, because I didn't try to load a savegame while my call fixer was active. Solving that problem was easy: I started my call fixer again and this time I loaded a savegame, then dumped the .text section, replaced it, and everything was fine in my new dump. But what can I do if the game wants to call an unresolved API in the middle of the game?? I can't play the whole game with my call fixer. Any solutions for this!?
thx

doug
April 11th, 2004, 22:35
Code something that scans through the code section for every call pattern that leads to SecuROM's handler.

nikita@work
April 11th, 2004, 23:01
Quote:
[Originally Posted by doug] Code something that scans through the code section for every call pattern that leads to SecuROM's handler.


Or spend some hours and reverse the common dispatcher where SecuROM resolves the real addr by the first value on the stack (return address) and a big table... and pay attention to WinAPI calls with special values in registers; SecuROM handles them...

evlncrn8
April 11th, 2004, 23:55
And watch out for those evil timers.
Ooo, and triggers too.

sHice
April 12th, 2004, 18:11
OK, thx.. another question: how can I fix my fixed SecuROM calls so that the program is able to run on every PC? For example call [00800000], and 00800000 holds the address of GetVersion, but this will only work on my PC :/ I read that ProcDump can do this job, but when I try to open the exe ProcDump says "error while accessing the file (READ/WRITE)". Is there another tool that can do this?
thx

evlncrn8
April 12th, 2004, 21:17
Quote:
[Originally Posted by sHice] OK, thx.. another question: how can I fix my fixed SecuROM calls so that the program is able to run on every PC? For example call [00800000], and 00800000 holds the address of GetVersion, but this will only work on my PC :/ I read that ProcDump can do this job, but when I try to open the exe ProcDump says "error while accessing the file (READ/WRITE)". Is there another tool that can do this?
thx


That's called rebuilding the imports. Code a tool to do it, it isn't that hard, or use some import rebuilder. If you're having problems like that at this stage, SecuROM might be slightly out of your league skill-wise.

sHice
April 27th, 2004, 11:04
Quote:
[Originally Posted by nikita@work] Or spend some hours and reverse the common dispatcher where SecuROM resolves the real addr by the first value on the stack (return address) and a big table... and pay attention to WinAPI calls with special values in registers; SecuROM handles them...


OK, I coded a call searcher and I found 178 SecuROM calls. Then I jumped to every call I had found to see which API the call leads to, but it seems that they were the wrong APIs sometimes. So you think that it also depends on the values in the registers at the time the SecuROM call is called? I'm not sure what you mean, because my English is not that good, sry :/

thx!

nikita@work
April 28th, 2004, 11:35
Quote:
[Originally Posted by sHice] So you think that it also depends on the values in the registers at the time the SecuROM call is called? I'm not sure what you mean, because my English is not that good, sry :/
thx!


An application can call WinAPI functions with special values in CPU registers... SecuROM checks whether that function is "hooked" (by the same table from which it gets the original function addr) and then checks (by another table) the values of the registers. Also, the second table contains a value for how to complete this call (e.g. return a constant).

swoop
April 29th, 2004, 03:44
And be aware of API calls which don't start at the beginning of the API function. Most protections "emulate" stack handling and stuff like mov ebp,esp right before they jump into the middle of an API function...

SkUaTeR
May 6th, 2004, 03:13
Quote:
[Originally Posted by sHice] OK, I coded a call searcher and I found 178 SecuROM calls. Then I jumped to every call I had found to see which API the call leads to, but it seems that they were the wrong APIs sometimes. So you think that it also depends on the values in the registers at the time the SecuROM call is called? I'm not sure what you mean, because my English is not that good, sry :/

thx!


OK, they are correct, but SecuROM makes time checks to determine if you are rebuilding the game; if it assumes you are rebuilding the game, it returns random values.

I suppose you hook the return of the wrapper to obtain the correct API. If you hook before the jump to the API you see the pointer to the IAT, and you can use it and don't need to use a PE rebuilder.

And SecuROM v5 has more than one wrapper: it has a big MainWrapper in which it returns the true API, checks for the triggers and executes them.

And the rest of the wrappers only return the true API.


If you patch the wrapper to avoid the CRC checks and the time checks, you should know the MainWrapper is copied to various locations in memory; the game calls into this memory, and the code in memory returns to the MainWrapper in the executable to make a jump to the true API.
You should locate the MainWrapper in advance, before it is copied to memory, apply the patch to avoid the CRC checks and time checks, and then run your rebuilder routine.

If you need more info, ask here.

regards

PnD.

sHice
May 6th, 2004, 07:40
I discovered the IAT in memory and I saw that it has 3 values that are not APIs (00 00 00 00 | 00 00 00 00 | 00 37 10 40). These values were returned to 3 calls when I tried to rebuild the game by running my routine... so the following APIs went wrong too. So I think the game assumed that I was rebuilding it. I took a look at how SecuROM decides which API is the right one for the call, and I think it works like this:
00611D8A call [securom]
and then it generates the address of the API in the IAT from 00611D8A+2=00611D8C, but I couldn't see how it depends on the registers. But I might be wrong, I'll have another look at it...
And where does it make the CRC checks and the time checks? Is it in the same call that causes the API?

thx

SkUaTeR
May 6th, 2004, 09:45
Quote:
[Originally Posted by sHice]
And where does it make the CRC checks and the time checks? Is it in the same call that causes the API?

thx


Yes, the CRC and time checks are done in the same call that returns to the true API.

You have various methods to avoid the fake API return: you can locate a counter of the number of rebuilt APIs in the routine and set it to 0, and at the time you rebuild an API you can call Sleep for a few seconds. I hope with this method you can rebuild all the APIs.

But the best method is to locate the checksums and the time checks.
Please use IDA, disassemble the main wrapper routine and look into it.
You only need to apply 2 or 3 patches to the wrapper and the problem is gone...

regards

Timbo
May 7th, 2004, 10:13
Seems nobody has seen SecuROM 5 (e.g. a game called HIT.. PART3). There are no more timers (haven't seen any so far) like in older versions, or API address finding at runtime!

Now there are only stolen bytes with the API call inside.
The calls were like:

push status register
mov status register, address of stolen whatever
push status register
ret

or

push SR
mov SR,ADDRESS
CALL [SR]
ADDRESS_BYTES:00,00,00,00
...

and so on

Well, pretty funny; the last time I unpacked SecuROM it was the 2nd PART of the game.
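
A scanner of the sort doug suggests earlier in the thread, extended to recognise the push/mov/push/ret and push/mov/call [reg] trampolines Timbo describes. It is an added example, not code from anyone in this thread; the byte sample it scans is constructed for the example rather than taken from any game, and the load address 0x00401000 is an assumption.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # push r32 = 0x50+n, mov r32,imm32 = 0xB8+n

def scan_calls(code: bytes, base: int):
    """Linear byte scan of a 32-bit x86 code section for call-like sequences.
    Forms: FF 15 imm32 (call [slot]); E8 rel32 (call handler); and the stolen-bytes
    trampolines push r / mov r,imm32 / push r / ret and push r / mov r,imm32 / call [r].
    Not a disassembler: data bytes can match too, so confirm every hit in a debugger."""
    hits, i, n = [], 0, len(code)
    while i < n:
        b = code[i]
        if b == 0xFF and i + 6 <= n and code[i + 1] == 0x15:          # call [imm32]
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append({"va": base + i, "kind": "call_indirect", "target": slot})
            i += 6
            continue
        if b == 0xE8 and i + 5 <= n:                                   # call rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]              # relative to next insn
            hits.append({"va": base + i, "kind": "call_rel", "target": (base + i + 5 + rel) & 0xFFFFFFFF})
            i += 5
            continue
        if 0x50 <= b <= 0x57 and i + 8 <= n and code[i + 1] == 0xB8 + (b - 0x50):
            reg = b - 0x50                                             # push r ; mov r, imm32 ...
            imm = struct.unpack_from("<I", code, i + 2)[0]
            nxt, last = code[i + 6], code[i + 7]
            kind = None
            if nxt == 0x50 + reg and last == 0xC3:                     # ... push r ; ret
                kind = "push_ret_trampoline"
            elif nxt == 0xFF and last == 0x10 + reg and reg not in (4, 5):  # ... call [r]
                kind = "call_reg_trampoline"
            if kind:
                hits.append({"va": base + i, "kind": kind, "target": imm, "reg": REGS[reg]})
                i += 8
                continue
        i += 1
    return hits

def group_by_target(hits):
    groups = {}  # target address -> list of call-site VAs (one entry per slot or handler)
    for h in hits:
        groups.setdefault(h["target"], []).append(h["va"])
    return groups

# Constructed sample section (not from any real binary), assumed loaded at 0x00401000.
SAMPLE = bytes.fromhex(
    "ff1500008000" "e805000000" "9090909090"  # 00401000: call [00800000]; call 00401010; 5 x nop
    "50b87856341250c3"                        # 00401010: push eax; mov eax,12345678; push eax; ret
    "51b900104000ff11"                        # 00401018: push ecx; mov ecx,00401000; call [ecx]
    "ff1500008000" "c3")                      # 00401020: call [00800000]; ret
```

The grouped output shows how many call sites share each slot or handler, which is the kind of count sHice reports; the same linear scan is the first step an analyst takes when reconstructing the imports of any dumped executable.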

sHice
May 7th, 2004, 16:40
OK, I'm done. I found the position where SecuROM fucked up the real address of the API in the IAT by doing the following:
sub eax,edx ; eax holds the address of the API in the IAT and edx = 0000000C
so all APIs get shifted... just a 2 byte patch like SkUaTeR said. Thanks for all your help!