Need info on safedisc v3.20.022, please!
nina77
April 5th, 2006, 18:38
I have searched for 2 weeks for info on safedisc 3.20.022 but found nothing.
All I found was some old tuts for safedisc 2.70 and down, nothing new.
I have done my best to figure out what to do but I'm missing something,
so now I ask for help.
I would like info on safedisc v3.20.022.
btw, I've read all the old tuts.
wtbw
April 5th, 2006, 20:49
Why not tell us what you've found so far, and what's different/not working compared to previous versions?
Will
nina77
April 6th, 2006, 01:34
Okay, you want to test me a little, maybe, no problem.
-it still uses tea algorithm
-no icd file
-game/program code crypted
-kernel32.dll and user32.dll function names mangled
-kernel32.dll and user32.dll import table crypted
-exe file unpacks 1 exe, 2 dlls, 1 .pfd and 1 tmp file
-tea key not found near the magic string, magic string not found
I'm sure I've forgotten something.
I've been searching for the tea key with no luck, and ida can't decompile the function that creates and unpacks the files into the temp dir.
evlncrn8
April 6th, 2006, 11:42
-it still uses tea algorithm << only for a few things
-no icd file << sigh, you didn't research shit, icd file hasn't been used since safedisc 2.x appeared!
-game/program code crypted << obvious
-kernel32.dll and user32.dll function names mangled << and others
-kernel32.dll and user32.dll import table crypted << entire import table is crypted, look harder
-exe file unpacks 1 exe, 2 dlls, 1 .pfd and 1 tmp file << unpacks a lot more, shells another process too
-tea key not found near the magic string, magic string not found << sigh, another tut user.. do some debugging
tested? you failed, miserably. do some debugging, report the info YOU find, then maybe someone will help. 2.x -> 3.x isn't that huge a jump
nina77
April 6th, 2006, 17:16
I'll just skip over the "going to be censured" part.
This is my first one, get it?
"-it still uses tea algorithm << only for a few things": I haven't looked through all the code, because I like to do it step by step.
"-no icd file << sigh, u didnt research shit, icd file hasnt been used since safedisc 2.x appeared!": well, if you read my first post you'll see what I've read.
"-kernel32.dll and user32.dll import table crypted << entire import table is crypted, look harder": those are details and they come later. First find out how it's crypted, second find out what to decrypt. Is it okay to think that way? Or do you have a better way?
"... do some debugging, report the info YOU find...": debugging I've done a lot. The first time it's hard, the second time.... I ask as a last resort because I knew THIS would happen.
"...2.x -> 3.x isnt that huge a jump": I say it again: this is my first time! I can't "jump" from anything, I just started! And I started with v3.22.022 because it's old but not forgotten, and don't even think of saying that I should start with an older one, because I don't have a game/program that uses an older version..
[JMI: unnecessary personal remarks deleted]
This is what I know, without going into details that is.
I've asked a simple question, info on safedisc v3.22.022, and you all do know what I mean. Is it so hard for you to help? I can keep secrets very well; if you want your info to be secret, pm me, e-mail maybe, I will not tell a soul.
nina77
April 6th, 2006, 21:19
You don't need to write a tutorial or something like that, only point me in the right direction.
I do like clues.
Woodmann
April 6th, 2006, 22:06
Howdy,
Safedisc is a great protection. It cannot be broken until you unpack/unencrypt it and start to think outside of a tutorial.
Instead of being all pissed off, think about your target and decide if you have the ability to beat it.
First unpack/unencrypt it and then come back and tell us what you see.
Regards, Woodmann
squidge
April 10th, 2006, 17:29
nina77, you are probably going to hate me for this, but my advice is to ignore all the tutorials on safedisc and look at it from your *own* perspective. Tuts are excellent for describing how certain things can be broken, but there's a lot out there that only say things like "do this, do this, do this, and you're done", and not why they do each thing in detail.
So, since you have not done Safedisc before, start from scratch with a debugger and learn. Only use tuts for hints and clues if you get stuck. You will learn far more this way, and then when a new version comes out, you will be able to handle it far more easily, as you'll know exactly why you did the things you did, and be able to apply them to the new versions.
nina77
April 12th, 2006, 10:55
squidge, no I don't hate you, I actually realised that myself a few weeks ago, but thanks for your advice.
I'm still working on the task (debugging and learning); since my last post I've found and learned a lot of things, e.g. 2 very simple algorithms, if you can call them that... some structs with some useful info.
R3v3nG3
April 14th, 2006, 09:52
Hi nina77,
Have you already seen this tut?
http://cip.prag165.server4you.de/?page=tutorials_show&id=73&cat=Unpacking&order=tutdate&rev=true
nina77
April 16th, 2006, 19:47
R3v3nG3, yes I think so, it looks familiar.
Thanks for helping.
btw, I'm still debugging this thing but I have some problems: (a little off topic)
As you know it unpacks and loads e.g. a dll file; my problem is how do I debug this dll file with ida pro v4.9?
I have disassembled them, and sometimes ida gets it wrong and you need to debug... or maybe I can fix the code another way... I don't know..
Please help.
nina77
April 18th, 2006, 13:30
hi all,
The thing I thought would be the hardest was the decryption, but so far it has been the easiest.
Oh, and I haven't figured out how to debug the dlls yet. Well, I have... but not how I wanted it anyway: one ida for the exe, one ida for the dll...
That way I could save the comments etc. in the dlls too.
Right now I just follow the path right into the dlls, but when the exe exits, the comments in the dlls get lost.
Ok, to the point: I've hit the wall and this time I really mean it. You might think it's simple but I don't. It's the debugger check(s), a nice little msgbox popup:
"A debugger has been detected Unload the debugger and try again".
-I've found one plugin that hides ida; it didn't work.
-I have tried manually (I think you can call it patching) stepping through the debugger check(s); it didn't work. Well, it did, but something got busted along the way,
apparently, that I haven't found. I can not keep an eye on every little memory/stack change.
So now I ask for help again: how do I hide ida from safedisc?
evlncrn8
April 18th, 2006, 19:11
Quote:
[Originally Posted by nina77] hi all,
the thing i thought would be the hardest was the decryption but so far it has been the easiest.
something tells me you've just seen the file decryption.. of the appended crap at the end of the exe.. which contains the dlls and so on..
Quote:
[Originally Posted by nina77]
ok, to the point, i've hit the wall and this time i really mean it, you might think it's simple but i don't, it's the debugger check(s), a nice little msgbox popup
"A debugger has been detected Unload the debugger and try again".
so now i ask for help again, how do i hide ida from safedisc?
heh, definitely you have barely scratched the surface. read the faq and use the search button... hiding softice (and other debuggers) from safedisc (and other protections) has already been covered in various threads... the detection methods still have not changed.. and to be honest you are probably better off using softice and debugging, making notes in ida etc..
nina77
April 19th, 2006, 07:58
1. My computer doesn't like softice; it crashes a lot when it's installed.
2. I use ida because:
a. it's not in a dos window. Yes, I know that softice is a kernel mode debugger and why it's using dos, but still....
b. it's easier to use.
c. it's easier to "get started"
d. ...
aahh, why do I even bother answering this...
btw. isn't the softice project dead?
and soon not going to be updated any more?
So, should I learn how to use it again, when it's dead and not going to be updated?
I love the program and the plugins for it, you can do so much in it, but it's going to be outdated soon.
If it's true that it's dead and not someone's joke...
Oh, and don't take this the wrong way, I know some of you want to.
Is there another program that is as good as softice?
/ nina77
Admiral
April 19th, 2006, 09:55
Well, the general consensus on user mode debuggers is that OllyDbg gives the best balance between power, stability, ease-of-use and support. However, if you're working on SafeDisc, you'll need a kernel mode debugger.
SoftICE is the industry standard, but like you say, it is dying. There is little in the way of a widely used alternative, but you have a couple of options: The first one you should take a look at is WinDbg. A lot of people don't like it for a few reasons I'm sure you'll find out if you use it for any length of time.
Another option is Syser Debugger. I have no experience with this one.
By the way, although there are similarities, SoftICE doesn't run in a DOS window or anything like it. It just has an equally ugly interface.
Regards
Admiral
rendari
April 20th, 2006, 14:32
Since he is working on Safedisc 3, he will need a Kernel-Mode debugger. However, I thought that you guys should know that some newer games don't use stolen bytes, so therefore you can use OllyDBG to crack those games.
At this game here, you may use OllyDBG/IDA to get to the OEP and fix everything aside from the Stolen Bytes, and finally use Softice to fix the stolen bytes, although I would strongly recommend against that method.
nina77
May 1st, 2006, 20:21
hi all,
It sounds really easy when you put it like that, and for you it might be, but thanks for the info, I take all the help I can get.
I'm still stuck.
I have tried OllyDBG with some plugins but it is detected too.
The program was released in 2004, in October I think, I don't remember.
As I've said before, I'm missing something, maybe some brain power.
I haven't installed softice yet, don't know if I want to risk a computer breakdown again... with windows xp pro installed.
Well, I guess no one wants to leave a little more detail in their posts.
I really really want to solve this myself, you know the satisfaction that comes when you solve something, I think you know what I'm talking about.
To get the solution from someone is just depressing...
I've found some programs with the same protection and version that I'm going to take a look at.
I haven't found any that use an older version yet.
...maybe someone can tell me what's missing, a hit in the head?
/ nina77
Admiral
May 2nd, 2006, 07:15
I haven't ventured beyond SafeDisc 2, but it took me the longest time to work out how Olly was being detected (without any intervention from secdrv.sys). In retrospect, it really wasn't anything special, but you should (if you haven't already) look out for any calls to ZwQueryInformationProcess with info parameter 7 (DebugPort). Although the return value is useless to user-mode applications, it seems that its existence is enough to incriminate the would-be attacker.
Regards
Admiral
nina77
May 4th, 2006, 14:26
Hi all,
I've gone through all functions and rechecked, and
as far as I know this function isn't used to detect the debugger.
It is used, but not for debugger detection.
Maybe they don't use it anymore?
--------
The exe file loads this dll file, "~df394b.tmp", unpacked from the exe file, and
calls this function "0x12121212", and in this function is the debugger detection code.
I don't know if I should post the debugger detection functions, or a part of them; it might not be generic enough.
/ nina77
Kayaker
May 4th, 2006, 14:54
Quote:
[Originally Posted by nina77] i don't know if i should post the debugger detection functions or a part of, it might not be generic enough.
It should be OK to post a general debugger detection function here. It has applications on both sides of the fence..
Kayaker
nina77
May 8th, 2006, 16:32
I may post some debugger detection function soon.
I'm going through the functions before the debugger detection code right now,
and I've found something that I didn't think about until now... well, what can I say, whoops, I guess I shouldn't work on this when I'm tired.
So I have a simple question: is all the debugger detection code in the secdrv.sys file?
/ nina77
0xf001
May 8th, 2006, 17:50
howdy,
I saw your notes on softice. It can be configured to run on top of your windows, in an incredibly big text "window", if you mean it breaks into an 80x25 textmode or so.
You may want to try out a windows version in which you have fewer problems, in a vmware, to not have your crashes. On winxp I remember it also took me a little while to get it working; my problem was the video driver.
This way you can work in your own environment, document etc... while having SI and your target independently running in the vm. And a breakpoint does not break your other apps, which I find just cool personally.
I wondered myself that running those 2 (or more) OSs is still that fast btw, so speed should not be a problem. Also you can work from linux this way hehe.
Oh, and then there is also a command to restore the windows screen behind the SI window, which is also nice, but I somehow guess you might know that already.
just in case i wanted to point it out.
my 50 cent,
0xf001
evlncrn8
May 9th, 2006, 01:56
int 1 -> 3 displacement check and drx check is in the secdrv.sys, but there is PLENTY more in the dlls
keep working
SunBeam
May 15th, 2006, 07:50
Wouldn't a breakpoint in CreateToolhelpSnapshot32 be enough to pass over the debugger detection? Just wondering.
Also, could someone please recommend me a good detection tool that would tell me the precise version of the protection used? If you don't mind.
*EDIT* Found PiD (Protection ID) but it's not accurate -> v3.xx
Admiral
May 15th, 2006, 13:37
I'm not sure if they are still doing it, but as of v3.40 you could find out SafeDisc's exact version by examining the end of the (packed) PE header. The details are all over the web, but IIRC you only need look at the last three or four DWORDs in the header.
SunBeam
May 15th, 2006, 19:09
You were kinda right. From what I know about how a software version looks, for example, for SecuROM I found this:
Quote:
MajorLinkerVersion = 7
MinorLinkerVersion = A (10)
Which tells me I'm dealing with a SecuROM v7.10. ProtectionID says 7.xx
Was just an example. Moving on to SafeDisc.
My suggestion to nina77 :
- translate the german tutorial so you get to understand the process involved, apply it to NFS-MW (practice is the mother of all things), then see what changed when applying a same method to your game...
evlncrn8
May 16th, 2006, 06:03
erm, the linker version is something completely different
in the pe header...
that is if you mean..
byte @ PE + 01ah
byte @ PE + 01bh
don't assume things
oh look calc.exe in xp32 is securom 7.00 according to your theory...
SunBeam
May 16th, 2006, 12:01
Umm, I don't judge programs randomly. Judging from the obvious ".securom" section and the specific aspects, yeah, it's SECUROM.
Believe it or not (scan Desperados 2's main .exe). You're funny.
Oh, and you could've pointed out my mistake rather than commenting on the side. What I found out there was the linker's version, which is VC++ 7.0.
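To make the exchange above concrete (evlncrn8's point that the bytes at PE+01ah/01bh are the linker version, and SunBeam's point that the ".securom" section name is the real evidence), here is an added Python example that is not from this thread: it builds a constructed minimal PE image, reads those two bytes and the section names, and reports each for what it is. The ".securom" name is the only protector section the thread mentions, so the lookup table holds just that one.

```python
import struct

def build_sample_pe(major_linker, minor_linker, section_names):
    """Constructed minimal PE32 image (not a real binary): DOS stub, PE signature,
    COFF header, zeroed optional header and one 40-byte header per section."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header at 0x40
    size_opt = 224                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<HBB", opt, 0, 0x10B, major_linker, minor_linker)  # Magic, Major, Minor
    sections = b"".join(n.ljust(8, b"\0")[:8] + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections

def parse_pe(data):
    """Return the linker version bytes (PE+0x1A / PE+0x1B) and the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    major, minor = data[pe + 0x1A], data[pe + 0x1B]   # MajorLinkerVersion, MinorLinkerVersion
    sect_off = pe + 24 + size_opt                      # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[sect_off + 40 * i : sect_off + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"linker": (major, minor), "sections": names}

def classify(info):
    """Separate what the header proves (a protector section) from what it does not
    (the linker version names the compiler that built the file, e.g. 7.x = VC++ 7)."""
    major, minor = info["linker"]
    findings = [f"linker {major}.{minor}: compiler version, not a protection version"]
    protector_sections = {".securom": "SecuROM"}      # only the name discussed in this thread
    for name in info["sections"]:
        if name.lower() in protector_sections:
            findings.append(f"section {name}: {protector_sections[name.lower()]}")
    return findings

if __name__ == "__main__":
    # Two constructed images: a protected game and a plain VC++ 7.0 build with no protector section.
    for label, img in [("game", build_sample_pe(7, 10, [b".text", b".securom"])),
                       ("calc", build_sample_pe(7, 0, [b".text", b".data"]))]:
        print(label, classify(parse_pe(img)))
```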