View Full Version : Safedisc 2 questions


SpiderVenom
August 23rd, 2004, 23:23
I've got several questions about safedisc 2.

First, from what I've seen, the simple protections like MeltICE are in the code/dlls that are packed on to the executable?

Second, I noticed that the module DrvMgt.dll is loaded then unloaded, then some protections are called. So I gather DrvMgt is used to load SecDrv.sys?

Finally, I'm guessing at this. Is secdrv used to run code in ring 0 to pull off protections such as privileged instructions?

PS. What's the best way to beat the UnhandledExceptionFilter protection?

And JMI, please don't tell me to search

JMI
August 23rd, 2004, 23:30
Sorry SpiderVenom, it's kind of like my job.

Just because you want information about safedisc2 and particularly about "UnhandledExceptionFilter" doesn't mean that you get to get away with being too darn lazy to search this board for information on the subjects. And if you have already done so, it's your own fault for trying to be a smartass and not saying so.

There is some very useful information, particularly about "UnhandledExceptionFilter", already on the board, and one of your first stops should be to find it and review it.

And bear in mind that being cutesy only goes so far and doesn't earn you any pass on following the rules.

And just because you have more than one question about safedisc2, doesn't mean you should cross post in several Forums.

Regards,

SpiderVenom
August 23rd, 2004, 23:47
Ok, ok, I'm depressed, I get the picture.

Yes, I did search; I didn't really find any clear answers. Thanks for the hints. And I'll stop being a smartass.

doug
August 24th, 2004, 12:06
Just to show you that finding information is not out of your reach:

Searching for 'Safedisc' (since you had a safedisc question) brings 80 results, but on the first page you have the most recent/relevant results:
http://www.woodmann.net/forum/showthread.php?t=4591&highlight=Safedisc
http://www.woodmann.net/forum/showthread.php?t=5022&highlight=Safedisc
http://www.woodmann.net/forum/showthread.php?t=4612&highlight=Safedisc


extra link:
http://www.yates2k.net/cd/safedisc

tips:
- safedisc checks for breakpoints (BPX) by checking if there is a 0xCC at the beginning of each API. If you use BPX <apiname>, it will catch you. There are many ways to work around that.

- If the program terminates without any MsgBox: bpm ExitProcess X DO "dd esp", and do some analysis from there. (hint: You will find a magic value on the stack)
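The breakpoint check doug describes above (the protector reads the first byte of each API and compares it against 0xCC, the x86 INT3 opcode a software breakpoint leaves behind) is an ordinary code-integrity check. The following is an added example, not code from the thread or from Safedisc, showing how such a check is implemented and how it generalises to detecting any modification of a function prologue by comparing it against a hash taken at build time. The sample prologue bytes and the PROLOGUE_LEN/X86_INT3 constants are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the thread): an anti-tamper check of the kind a
 * copy protection runs over its imported APIs. The narrow form tests the
 * first byte for 0xCC (INT3, left by a software breakpoint); the general form
 * hashes the first PROLOGUE_LEN bytes and compares against a reference hash
 * recorded when the binary was built. All buffers here are constructed. */

#define PROLOGUE_LEN 8
#define X86_INT3     0xCC

enum prologue_status {
    PROLOGUE_CLEAN    = 0,  /* bytes match the reference snapshot          */
    PROLOGUE_INT3     = 1,  /* first byte is INT3: a software breakpoint    */
    PROLOGUE_MODIFIED = 2   /* some other change, e.g. a jmp hook           */
};

/* FNV-1a 32-bit over the prologue: small enough to store per API at build time. */
uint32_t prologue_hash(const uint8_t *code, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 16777619u;
    }
    return h;
}

/* Classify a live prologue against its reference hash. The INT3 test comes
 * first so a plain breakpoint is reported distinctly from other patches. */
enum prologue_status check_prologue(const uint8_t *live, uint32_t reference_hash) {
    if (live[0] == X86_INT3)
        return PROLOGUE_INT3;
    if (prologue_hash(live, PROLOGUE_LEN) != reference_hash)
        return PROLOGUE_MODIFIED;
    return PROLOGUE_CLEAN;
}

/* Constructed sample: a typical 32-bit prologue (push ebp; mov ebp,esp; sub esp,10h; push ebx; push esi). */
static const uint8_t clean_prologue[PROLOGUE_LEN] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56
};

int main(void) {
    uint32_t ref = prologue_hash(clean_prologue, PROLOGUE_LEN);
    uint8_t live[PROLOGUE_LEN];

    memcpy(live, clean_prologue, PROLOGUE_LEN);
    printf("untouched: %d\n", check_prologue(live, ref));   /* 0 */

    live[0] = X86_INT3;           /* what a BPX on the API leaves behind */
    printf("bpx set:   %d\n", check_prologue(live, ref));   /* 1 */

    memcpy(live, clean_prologue, PROLOGUE_LEN);
    live[0] = 0xE9;               /* first byte of a 5-byte jmp hook */
    printf("hooked:    %d\n", check_prologue(live, ref));   /* 2 */
    return 0;
}
```

The reference hash would in practice be computed over the API's bytes as they appear in the clean system DLL and stored alongside the import; at run time the protector re-reads the bytes through the resolved function pointer and calls the check. Hardware breakpoints (the `bpm` doug mentions) change no code bytes and are therefore invisible to this kind of check, which is why that tip works.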

SpiderVenom
August 24th, 2004, 14:30
Ah, thanks. I read somewhere else about the bpx thing, thanks for the tip. About that unhandled exception filter post:

Someone talked about grabbing some free kernel space and patching it with a JMP. Why not just patch the first byte of UnhandledExceptionFilter back to the original? Will softice become unstable when this happens?

doug
August 24th, 2004, 16:01
When you do !protect on with IceExt, this is what it does. It patches it back to whatever it was before. However, that will also disable some of SoftICE's functionality (faults on, for instance - I don't know of any other), but it is a perfectly fine solution.

What was suggested as a work-around was to patch Kernel32's export table _after_ softice has initialized. So SoftICE will still have a CC at the start of the UnhandledExceptionFilter, while any application started after the patch will not see the CC because the API was re-routed into a jmp first. By doing that, you keep everyone happy.

SpiderVenom
August 24th, 2004, 17:55
Thanks, that explains it. One small detail... being a nub, I'd like to know, what is the best way to patch out the CC in UnhandledExceptionFilter? I know IceExt does this, but it just spits out an error and says it can't do that on my system, perhaps because I'm running SP2.

Regards

doug
August 24th, 2004, 19:53
Well, anything that can write to memory without triggering a copy-on-write. I'm not sure if it will work if you do it directly in SoftICE (in that case it would be a simple "eb UnhandledExceptionFilter").

I think that for your purposes the easiest way might be to patch SoftICE's driver. Search for "UnhandledExceptionFilter" in ntice.sys and patch it to anything else, e.g. "xxhandledExceptionFilter". Rebuild the checksum & save (though you'll get plenty of warnings in the sice console).

If you search this board (or maybe exetools), you might even find a place where someone explains what to patch in ntice.sys to disable UnhandledExceptionFilter patching by SoftICE. I remember seeing that somewhere.

You can also wait for IceExt to be updated or update it yourself.

Or, go back to SP1, because the problems you are having right now are just the tip of the iceberg. A lot of cracking-tools might stop working with sp2.

dELTA
August 24th, 2004, 20:38
Quote:
A lot of cracking-tools might stop working with sp2.

Well, let's just say that cracking tools aren't the only ones...

http://support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2

The funny thing is that just a week ago or so, this list was several times longer, and even funnier is that it included a big frickin' bunch of high profile MICROSOFT programs... I just wonder how things can be removed from that list, it's not like there still won't be versions of those programs out there that might "experience a loss of functionality", even though they have rushed out patches for them, so it's all very odd I think...

doug
August 24th, 2004, 21:22
Hehe, yea. I remember seeing the MS Office suite in there.

For a lot of programs listed there, it is actually the copy protection mechanism that breaks down with SP2.

Home-made cracking tools are even more subject to problems because they often rely on undocumented OS structures (just like those stupid short-sighted copy protections) and don't care if it breaks at every OS hotfix/service pack.