Safedisc dump
oBsEC
July 26th, 2006, 18:02
I'm trying to dump an app which is protected by SD 2.70.030.
All debugger checks: OK
[
checks which look like:
call ref
test ax,ax
jnz byebye
]
After this I just remove my breakpoints and press F5, and so I see a picture and BOOM > ExitProcess without any messages.
bpm exitprocess x do "dd esp" didn't help me because I break in ~fe...tmp, which I think is needed to free the SafeDisc memory.
When I reboot without SoftICE the game works, so...
Maybe other checks...?
thx .
JMI
July 26th, 2006, 19:24
Tell US what YOU have done to try to solve YOUR problem. That is required by our Rules, which YOU would know if you actually READ THE FAQ!
Regards,
oBsEC
July 27th, 2006, 03:50
First I use IceExt with !protect on and set the first byte of UnhandledExceptionFilter to something other than CCh (68h).
OK, so I tested these things:
1. bpx CreateFileA and DeviceIoControl to see if the secdrv.sys driver, which contains some debugger checks, is called after the checks mentioned above.
Result: it's called, but when I trace I don't understand why the result, in the SafeDisc-protected app, is ExitProcess.
2. bpm exitprocess x do "dd esp" as suggested in a post on this forum. It breaks on fe[numbers].tmp, which is the module that frees memory and exits; I didn't succeed in finding when this file had been called.
thx .
naides
July 27th, 2006, 07:50
I am not an expert in this field,
but check this tut:
http://omega.intechhosting.com/~access/ARTeam/tutorials/file_info/download1.php?file=Unpacking_Safecast_by_anonymous.rar
part of the ARTeam site, referenced below.
See if you find some inspiration...
oBsEC
July 27th, 2006, 10:40
Nice tut, but I have already followed the same way: bypassing the anti-dbg by setting ax to 0 in the proc where SD checks for a debugger, or setting eax to 10000 before the cmp.
But when I press F5 after that, in the tut there is the screen of the game and then the game starts; for me, after the screen > ExitProcess :'(
naides
July 27th, 2006, 11:03
Well, the snag is that in the tut they have a breakpoint AT THE JUMP to the .text segment and possibly to the OEP of the packed app.
Nowhere in what you have posted do you mention something similar. Once the application takes off, some/each/every API call that is redirected to SCast code may detect the debugger and call it quits inside the ~.tmp module.
In your strategy you only trapped the ExitProcess API call at the SafeCast ~.tmp module: tracing back to your app's original code from this point may be impossible, because SCast can seamlessly erase its tracks by changing the call stack using SEH and other simple tricks.
SO my guess is you need to find a way to stop at the OEP, or at least at the .text module of your app, instead of blindly letting the program run (F5) after the SCast nag screen.
Justasuggestium
rendari
July 29th, 2006, 05:58
Here's an idea:
Instead of screwing around with all those debug checks, why don't you just code a loader to replace the jmp_oep with a jmp_eip? Then, when the application pauses, just attach with SIce and set EIP to the OEP.
Just an idea...
[yAtEs]
August 2nd, 2006, 08:34
After setting eax to 10000, more debug checks are in the CD check;
they are ntqueryinformation, hm, code 0x0B I think, and maybe others.
/y.
evlncrn8
August 3rd, 2006, 05:13
Already covered in other threads: int1->3 displacement, ntquerysysteminformation, DebugPort via PEB and so on... the search button is a good friend :P