safedisc problem
fighter_81
September 27th, 2006, 07:04
Hello boys, I have a little problem with SafeDisc; the version, to be precise, is 2.20.030, but I have the same problem with 2.7.030. It is the following. After having bypassed some anti-debugging checks, namely:
1) dr7 check patched in SICE
2) int1-int3 offset patched via KMD
3) int 1 DPL from 3 to 0 with KMD
4) NtQuerySystemInformation
5) single-use BPM in order to avoid checks on the first byte
6) patched the first byte of UnhandledExceptionFilter from CC to 68
7) int 41 patched in SICE
After all that it no longer tells me to remove the debugger etc. etc., but the program simply exits. Now I have found the routine that closes the program with a beautiful push FEEDFACE / jump ExitProcess. I'm sure it belongs to an anti-SICE check, but I can't find which one. If I don't load SoftICE the program runs, and with Olly I manage to find the OEP, but what interests me is whether someone knows that trick so I can avoid it. If you can help, a thousand thanks; otherwise thanks all the same.
P.S. the aforesaid routine is dimmed
fighter_81
September 27th, 2006, 07:05
sorry for posting two times, my faults
naides
September 27th, 2006, 08:17
Have you read this tut?
http://arteam.accessroot.com/tutorials.html?fid=163
It may give you some leads
fighter_81
September 27th, 2006, 08:37
Yes I did; the fact is that it uses Olly, and with it I am able to unpack SafeDisc. I just want to know which anti-SICE trick is involved when it exits with FEEDFACE pushed on the stack. Thanks anyway, and for your fast reply.
evlncrn8
September 27th, 2006, 16:16
hmm, u sure it isn't SafeCast? I don't remember a 2.20 SafeDisc
fighter_81
September 28th, 2006, 04:06
You are right, but the problem remains with 2.70. Now I am going to write a driver that just hooks int1 and calls the original handler, with SICE unloaded at boot, because I have the suspicion, as another Italian guy told me, that the trick should be an IDT check, done by checking whether another IDT entry is outside ntoskrnl; if so, a kernel debugger is present... I'll let you know...
fighter_81
September 28th, 2006, 06:42
I wrote the driver that only hooks int1 and passes control to the original handler, and that isn't the problem: even if the new int1 entry in the IDT is outside ntoskrnl without SICE loaded (its cpthook.sys and its bootcfg.sys), the program starts without any problem, so this isn't the trick used here.
Shit
fighter_81
September 29th, 2006, 10:54
I've found out that when the program calls that procedure it's too late: it has already detected my debugger and cleaned the main exe... hope to find out the trick too... it's a shame to remove my beloved SICE from loading just to play an original game... for which I pay!!!!
A little question:
When I call NtQueryInformationProcess with INFORMATION_CLASS 7 (DebugPort), do I find just a ring3 debugger, or ring0 too?
Regards, Fighter_81
deroko
September 29th, 2006, 11:20
UnhandledExceptionFilter detection maybe? Or dr7, or int1/int3 distance? Of course, CreateFile on NTIce is there too...
naides
September 29th, 2006, 12:34
Quote: [Originally Posted by fighter_81] ...it's a shame to remove my beloved SICE from loading just to play an original game... for which I pay!!!!
I certainly could not help you in your diving into ring 0 to neutralize all SafeCast anti-debug tricks,
but I have found it safe and practical to install SoftICE and all my RCE tools in a VMware virtual machine, and do all the reversing experiments there. No need to be tweaking around your main OS installation, fewer chances of apps that refuse to run because SICE is around, and less danger of fucking up your system for good while you are messing around with ring 0 modules.
evlncrn8
September 30th, 2006, 16:24
int 1->3 displacement (this happens if SoftICE is loaded, and it has to be detoured in a specific way)...
there's also ALL the debugging detection methods in the other threads on SafeDisc, posted by me and yates.. do a little search...
it also has BPM detection...
patching the UnhandledExceptionFilter back to the original byte will probably screw up SoftICE a little when catching faults, detour it instead... that's how I did it...
basically I did a ring 0 driver, which handles all those criteria... it was the easiest way
OEP hasn't changed since v2... look near the original EP for an E9 jump into the code section (1st section typically).. it's hard coded, EB FE that, then do your work
note the debug detection is also built into some of the CCC calls, and some of the other code (invalid opcode -> missing bytes style) and some of the VM'd code too...
fighter_81
October 4th, 2006, 16:04
First of all thank you evlncrn8 for explaining to me why I mustn't patch the first byte of UnhandledExceptionFilter; indeed your method is more "efficace" (effective) (sorry, but I'm Italian and after stepping through the whole SafeDisc loader I am not so mind-free as to think of the right word in English). After all, I want to thank all of you for your important notes on SafeDisc. Now I have found which function calls the silent ExitProcess and I am able to bypass it; I don't understand how it detects SICE, maybe tomorrow I will trace into that call with more attention than today... and I will know even the trick used, and not only how to bypass it, which is more important for me.
Regards, Fighter_81
OHPen
October 9th, 2006, 07:01
Lo,
You should think about using the newest IceExt version, v0.70, on SourceForge.
It will prepare all the necessary things to hide SoftICE successfully from SafeDisc and other game protections like SecuROM, etc...
Maybe it seems a bit "complicated" to install IceExt, but give it a try
Regards,
OHPen aka PAPiLLiON
fighter_81
October 12th, 2006, 07:40
Just for your information and not to blame you, I just want to tell you that IceExt 0.70 doesn't hide SoftICE in all the possible ways to detect it, like the dr7 check, and the other one that makes SafeDisc 2.70.30 exit silently
Regards, fighter_81
evlncrn8
October 12th, 2006, 09:54
dr7 check is pretty obvious if you look in the SafeDisc DLLs, there's a little routine in there.. checks for 0x400 (if dr7 = 0x400 then SoftICE is active).. you have 2 options.. patch SoftICE so it doesn't report the DRx stuff (yates documented this in a thread if I remember right), or patch the SafeDisc code so it always returns 0 for the DRx checks ... when I was doing SafeDisc I did both (paranoia heh)
fighter_81
October 13th, 2006, 03:17
I only patched my SICE against that trick like yates posted some time ago. By the way, even if I know how to bypass the trick that makes SafeDisc exit silently, and have bypassed it, I just can't imagine (I tried to trace it back but with no luck) how I can patch my SICE against that, or if I have to bypass it manually... why does this:
TEST DWORD PTR [ECX+4],010000000h
JBE silent exit
detect SICE when [ecx+4] contains 00040000?
Well, there are other checks that make the bitch exit silently, one like the above with [ebx+4] (the same 00040000), and the first thing she checks is the content of the stack, which in my case with SICE is DIFFERENT from what SafeDisc checks if there isn't SICE, and the difference is equal to 101001 (seems to be a bitmask? but I could be wrong about what it is). By the way, I am now happy because I am now able to play my game without removing SICE from memory, and that was my goal, but if one of you could explain to me why that instruction can detect SICE I'll be very glad. Otherwise thanks to all of you, I have learned a lot from this essay... like writing drivers to change the export table of kernel32 after SoftICE loaded, hooking int1 (int1-int3 offset check fucked), hooking int41 (DPL modified to 0), and BPM PROTECTION (thank you YATES for the source).
evlncrn8
October 13th, 2006, 16:19
nah, the code's something like a generic proc - 1 param passed = DRx index.. 1,4,5,7 or something
mov eax,dr1
jmp storeit
mov eax,dr3
jmp storeit
etc..
storeit:
mov [somestackthing],eax
cmp eax,0400h
jne badboy
just look for code within the ~df394b DLL for DRx references, the byte pattern isn't that common.. figure out how to fake it (generally eax = 0), patch, continue
MEPHiST0
October 14th, 2006, 14:52
I'm not sure if this will help.. but it's a SafeDisc thread..
I never debugged earlier versions of SafeDisc, only SafeDisc 4,
and I came across this piece of code, that CAN exit out with FEEDFACE as exit code..
Code:
6678E000 55 PUSH EBP
6678E001 8BEC MOV EBP,ESP
6678E003 81EC 10020000 SUB ESP,210
6678E009 E8 2573F7FF CALL ~df394b.66705333 <this call
6678E00E 85C0 TEST EAX,EAX
6678E010 0F84 F1000000 JE ~df394b.6678E107
6678E016 E8 6854F7FF CALL ~df394b.66703483 <this call
6678E01B 66:3D 0100 CMP AX,1
6678E01F 0F84 E2000000 JE ~df394b.6678E107
6678E025 FF15 58007966 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentProcessId
6678E02B 68 04010000 PUSH 104
6678E030 8D8D F4FEFFFF LEA ECX,DWORD PTR SS:[EBP-10C]
6678E036 51 PUSH ECX
6678E037 50 PUSH EAX
6678E038 E8 92010000 CALL ~df394b.6678E1CF
6678E03D 83C4 0C ADD ESP,0C
6678E040 85C0 TEST EAX,EAX
6678E042 75 05 JNZ SHORT ~df394b.6678E049
6678E044 E8 C756F7FF CALL ~df394b.66703710
6678E049 53 PUSH EBX
6678E04A 56 PUSH ESI
6678E04B 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
6678E051 57 PUSH EDI
6678E052 50 PUSH EAX
6678E053 E8 A8BFFFFF CALL ~df394b.6678A000
6678E058 8B35 68007966 MOV ESI,DWORD PTR DS:[<&KERNEL32.CreateE>; kernel32.CreateEventA
6678E05E 59 POP ECX
6678E05F 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
6678E065 50 PUSH EAX
6678E066 6A 00 PUSH 0
6678E068 6A 01 PUSH 1
6678E06A BF 2CAC7A66 MOV EDI,~df394b.667AAC2C
6678E06F 57 PUSH EDI
6678E070 FFD6 CALL ESI
6678E072 8B1D B0017966 MOV EBX,DWORD PTR DS:[<&KERNEL32.GetLast>; ntdll.RtlGetLastWin32Error
6678E078 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
6678E07B FFD3 CALL EBX
6678E07D 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
6678E081 75 05 JNZ SHORT ~df394b.6678E088
6678E083 E8 8856F7FF CALL ~df394b.66703710
6678E088 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
6678E08E 50 PUSH EAX
6678E08F 8D85 F0FDFFFF LEA EAX,DWORD PTR SS:[EBP-210]
6678E095 50 PUSH EAX
6678E096 E8 552CFEFF CALL ~df394b.66770CF0
6678E09B 59 POP ECX
6678E09C 59 POP ECX
6678E09D 8D85 F0FDFFFF LEA EAX,DWORD PTR SS:[EBP-210]
6678E0A3 50 PUSH EAX
6678E0A4 6A 00 PUSH 0
6678E0A6 6A 01 PUSH 1
6678E0A8 57 PUSH EDI
6678E0A9 C685 F0FDFFFF 42 MOV BYTE PTR SS:[EBP-210],42
6678E0B0 FFD6 CALL ESI
6678E0B2 8B35 D0017966 MOV ESI,DWORD PTR DS:[<&KERNEL32.CloseHa>; kernel32.CloseHandle
6678E0B8 8BF8 MOV EDI,EAX
6678E0BA 85FF TEST EDI,EDI
6678E0BC 75 0C JNZ SHORT ~df394b.6678E0CA
6678E0BE FFD3 CALL EBX
6678E0C0 FF75 FC PUSH DWORD PTR SS:[EBP-4]
6678E0C3 FFD6 CALL ESI
6678E0C5 E8 4656F7FF CALL ~df394b.66703710
6678E0CA FF75 FC PUSH DWORD PTR SS:[EBP-4]
6678E0CD FF15 60007966 CALL DWORD PTR DS:[<&KERNEL32.SetEvent>] ; kernel32.SetEvent
6678E0D3 85C0 TEST EAX,EAX
6678E0D5 75 0C JNZ SHORT ~df394b.6678E0E3
6678E0D7 FFD3 CALL EBX
6678E0D9 FF75 FC PUSH DWORD PTR SS:[EBP-4]
6678E0DC FFD6 CALL ESI
6678E0DE E8 2D56F7FF CALL ~df394b.66703710
6678E0E3 6A FF PUSH -1
6678E0E5 57 PUSH EDI
6678E0E6 FF15 90007966 CALL DWORD PTR DS:[<&KERNEL32.WaitForSin>; kernel32.WaitForSingleObject
6678E0EC FF75 FC PUSH DWORD PTR SS:[EBP-4]
6678E0EF 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
6678E0F2 FFD6 CALL ESI
6678E0F4 57 PUSH EDI
6678E0F5 FFD6 CALL ESI
6678E0F7 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
6678E0FB 74 07 JE SHORT ~df394b.6678E104
6678E0FD FFD3 CALL EBX
6678E0FF E8 0C56F7FF CALL ~df394b.66703710
6678E104 5F POP EDI
6678E105 5E POP ESI
6678E106 5B POP EBX
6678E107 C9 LEAVE
6678E108 C3 RETN
those two calls seem to have some effect on letting you debug the exe...
if those long jumps underneath the calls DO jump then it runs without any debugging error...
if a debugger is detected it executes WaitForSingleObject and never returns to the code..
not 100% sure, but the byte signature for this piece of code is:
Code:
55 8B EC 81 EC 10 02 00 00 E8
I've seen it in 2 SafeDisc v4 exes
the sub esp,210 might be different tho; that sub esp,210 is basically the sig I have for right now..
Sab
October 14th, 2006, 17:37
I run SafeCast 2.x with SoftICE and IceExt. IceExt will melt out a lot of the detection methods. But these two I detect fail when debugging.
Protect1:
1000936E 85D2 TEST EDX,EDX
10009370 74 1F JE SHORT ~df394b.10009391
10009372 8B4A 1C MOV ECX,DWORD PTR DS:[EDX+1C]
10009375 8B52 14 MOV EDX,DWORD PTR DS:[EDX+14]
10009378 03C8 ADD ECX,EAX
1000937A 33F6 XOR ESI,ESI
1000937C 85D2 TEST EDX,EDX
1000937E 76 11 JBE SHORT ~df394b.10009391
10009380 53 PUSH EBX
10009381 8B19 MOV EBX,DWORD PTR DS:[ECX]
10009383 803C03 CC CMP BYTE PTR DS:[EBX+EAX],0CC
10009387 75 01 JNZ SHORT ~df394b.1000938A
10009389 46 INC ESI
1000938A 83C1 04 ADD ECX,4
1000938D 4A DEC EDX
1000938E ^75 F1 JNZ SHORT ~df394b.10009381
10009390 5B POP EBX
10009391 33D2 XOR EDX,EDX
10009393 3BD6 CMP EDX,ESI
10009395 5E POP ESI
10009396 1BC0 SBB EAX,EAX
10009398 F7D8 NEG EAX
1000939A 66:85C0 TEST AX,AX
1000939D 75 12 JNZ SHORT ~df394b.faggotjump
1000939F 8B0F MOV ECX,DWORD PTR DS:[EDI]
100093A1 81E1 ED258017 AND ECX,178025ED
100093A7 890F MOV DWORD PTR DS:[EDI],ECX
100093A9 5F POP EDI
100093AA 81C4 94000000 ADD ESP,94
100093B0 C3 RETN
You don't want the inc esi to occur.
Protect2:
10009203 E8 28100100 CALL ~df394b.1001A230
10009208 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
1000920C 83C4 14 ADD ESP,14
1000920F 33C0 XOR EAX,EAX
10009211 81FA 00040000 CMP EDX,400
10009217 0F95C0 SETNE AL
1000921A 66:85C0 TEST AX,AX
1000921D 75 12 JNZ SHORT ~df394b.faggothold
1000921F 8B0E MOV ECX,DWORD PTR DS:[ESI]
10009221 81E1 DEEB7A67 AND ECX,677AEBDE
10009227 890E MOV DWORD PTR DS:[ESI],ECX
10009229 5E POP ESI
1000922A 81C4 98000000 ADD ESP,98
10009230 C3 RETN
Here we want edx == 400, so no jump occurs. If you go to the xref of these, you can see nearly all of the checks in one row like this..
100043D0 53 PUSH EBX
100043D1 8B5C24 0C MOV EBX,DWORD PTR SS:[ESP+C]
100043D5 33C0 XOR EAX,EAX
100043D7 56 PUSH ESI
100043D8 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
100043DC F7C3 00010000 TEST EBX,100
100043E2 76 12 JBE SHORT ~df394b.100043F6
100043E4 56 PUSH ESI
100043E5 E8 26550000 CALL ~df394b.10009910
100043EA 83C4 04 ADD ESP,4
100043ED 66:85C0 TEST AX,AX
100043F0 0F85 1C010000 JNZ ~df394b.suckershit
100043F6 F6C3 04 TEST BL,4
100043F9 76 12 JBE SHORT ~df394b.1000440D
100043FB 56 PUSH ESI
100043FC E8 0F540000 CALL ~df394b.10009810
10004401 83C4 04 ADD ESP,4
10004404 66:85C0 TEST AX,AX
10004407 0F85 05010000 JNZ ~df394b.suckershit
1000440D F6C3 08 TEST BL,8
10004410 76 12 JBE SHORT ~df394b.10004424
10004412 56 PUSH ESI
10004413 E8 28530000 CALL ~df394b.10009740
10004418 83C4 04 ADD ESP,4
1000441B 66:85C0 TEST AX,AX
1000441E 0F85 EE000000 JNZ ~df394b.suckershit
10004424 F7C3 00080000 TEST EBX,800
1000442A 76 12 JBE SHORT ~df394b.1000443E
1000442C 56 PUSH ESI
1000442D E8 2E520000 CALL ~df394b.10009660
10004432 83C4 04 ADD ESP,4
10004435 66:85C0 TEST AX,AX
10004438 0F85 D4000000 JNZ ~df394b.suckershit
1000443E F7C3 00100000 TEST EBX,1000
10004444 76 12 JBE SHORT ~df394b.10004458
10004446 56 PUSH ESI
10004447 E8 54510000 CALL ~df394b.100095A0
1000444C 83C4 04 ADD ESP,4
1000444F 66:85C0 TEST AX,AX
10004452 0F85 BA000000 JNZ ~df394b.suckershit
10004458 F7C3 00200000 TEST EBX,2000
1000445E 76 12 JBE SHORT ~df394b.10004472
10004460 56 PUSH ESI
10004461 E8 8A500000 CALL ~df394b.100094F0
10004466 83C4 04 ADD ESP,4
10004469 66:85C0 TEST AX,AX
1000446C 0F85 A0000000 JNZ ~df394b.suckershit
10004472 F6C3 01 TEST BL,1
10004475 76 12 JBE SHORT ~df394b.10004489
10004477 56 PUSH ESI
10004478 E8 534F0000 CALL ~df394b.100093D0
1000447D 83C4 04 ADD ESP,4
10004480 66:85C0 TEST AX,AX
10004483 0F85 89000000 JNZ ~df394b.suckershit
10004489 F6C3 02 TEST BL,2
1000448C 76 0E JBE SHORT ~df394b.1000449C
1000448E 56 PUSH ESI
1000448F E8 1C4E0000 CALL ~df394b.100092B0
10004494 83C4 04 ADD ESP,4
10004497 66:85C0 TEST AX,AX
1000449A 75 76 JNZ SHORT ~df394b.suckershit
1000449C F6C3 10 TEST BL,10
1000449F 76 0E JBE SHORT ~df394b.100044AF
100044A1 56 PUSH ESI
100044A2 E8 A94D0000 CALL ~df394b.10009250
100044A7 83C4 04 ADD ESP,4
100044AA 66:85C0 TEST AX,AX
100044AD 75 63 JNZ SHORT ~df394b.suckershit
100044AF F6C3 20 TEST BL,20
100044B2 76 0E JBE SHORT ~df394b.100044C2
100044B4 56 PUSH ESI
100044B5 E8 E64C0000 CALL ~df394b.100091A0
100044BA 83C4 04 ADD ESP,4
100044BD 66:85C0 TEST AX,AX
100044C0 75 50 JNZ SHORT ~df394b.suckershit
100044C2 F6C3 40 TEST BL,40
100044C5 76 0E JBE SHORT ~df394b.100044D5
100044C7 56 PUSH ESI
100044C8 E8 A34B0000 CALL ~df394b.10009070
100044CD 83C4 04 ADD ESP,4
100044D0 66:85C0 TEST AX,AX
100044D3 75 3D JNZ SHORT ~df394b.suckershit
100044D5 F7C3 80000000 TEST EBX,80
100044DB 76 0E JBE SHORT ~df394b.100044EB
100044DD 56 PUSH ESI
100044DE E8 7D4A0000 CALL ~df394b.10008F60
100044E3 83C4 04 ADD ESP,4
100044E6 66:85C0 TEST AX,AX
100044E9 75 27 JNZ SHORT ~df394b.suckershit
100044EB F7C3 00400000 TEST EBX,4000
100044F1 76 0E JBE SHORT ~df394b.10004501
100044F3 56 PUSH ESI
100044F4 E8 97490000 CALL ~df394b.10008E90
100044F9 83C4 04 ADD ESP,4
100044FC 66:85C0 TEST AX,AX
100044FF 75 11 JNZ SHORT ~df394b.suckershit
10004501 F7C3 00040000 TEST EBX,400
10004507 76 09 JBE SHORT ~df394b.suckershit
10004509 56 PUSH ESI
1000450A E8 D1480000 CALL ~df394b.10008DE0
1000450F 83C4 04 ADD ESP,4
suckershit 5E POP ESI
10004513 5B POP EBX
10004514 C3 RETN
Above you can see each call is like a separate debug check technique. After the ret at 4514 you're gonna end up at the SafeCast signature of..
10001404 83C4 08 ADD ESP,8
10001407 66:8945 08 MOV WORD PTR SS:[EBP+8],AX
1000140B 58 POP EAX
1000140C 66:8B45 08 MOV AX,WORD PTR SS:[EBP+8]
10001410 66:F7D8 NEG AX
10001413 1BC0 SBB EAX,EAX
10001415 66:25 0040 AND AX,4000
10001419 03C6 ADD EAX,ESI
1000141B 5E POP ESI
1000141C C9 LEAVE
1000141D C3 RETN
and then of course the magic true signature; you want 10000 of course.
10002DBD 59 POP ECX
10002DBE 3D 00200000 CMP EAX,2000
10002DC3 59 POP ECX
10002DC4 74 23 JE SHORT ~df394b.10002DE9
10002DC6 3D 00400000 CMP EAX,4000
10002DCB ^74 D9 JE SHORT ~df394b.10002DA6
10002DCD 33C9 XOR ECX,ECX
10002DCF 3D 00000100 CMP EAX,10000
10002DD4 0F94C1 SETE CL
Try to see if those opcodes match. I will see if those two calls can be patched up in a bit; for now I'm hardcoding it for testing.
Sab
October 15th, 2006, 13:50
Okay, I did not find it, but there may be more than one occurrence of those checks. However, it appears in my case they are called every time it enters ~df but only in the same location it checks. So I just NOP'd the inc esi on the UnhandledExceptionFilter check (the first one), that way it doesn't think a CC is there. And finally, for the next check, dr7, I just placed 0x400 in esp+18 and then moved it to edx to let the call pass. Surely you could patch the actual system driver to return it properly, but in my case, after these two patches and running IceExt with protect mode active, all nanomites and stolen instructions work fine afterwards without any process termination. I believe the version I have is close enough to yours that it may apply fine.
evlncrn8
October 15th, 2006, 17:52
the FEEDFACE stuff (there's also a DEADBEEF one) has been there since v2.. also it scans pretty much all 'system' exports (kernel32, user32) to see if they have 0xCC as the first byte...
and erm, DRx register returning 0x400 I'm pretty sure means SoftICE is active, make it return 0.... and as noted, pretty much all of the anti-debug checks are in ~df394b.dll, also the 'cleanup' exe is the process which handles all the 'stolen instructions'
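Sab's Protect1 listing and evlncrn8's note about scanning system exports describe the same check: walk the module's export directory and count exported functions whose first byte is 0xCC (INT 3). Below is that walk as an added example in Python, not code from the thread or from SafeDisc itself, run over a constructed in-memory image. It reads the two IMAGE_EXPORT_DIRECTORY fields the listing reads (NumberOfFunctions at +0x14, AddressOfFunctions at +0x1C); the image size, the RVAs and the function bodies are made up for the demonstration. It shows why a software breakpoint sitting on the first instruction of an exported API is visible to an integrity check of this kind, and that an empty export table falls straight through to "no hit", matching the JBE taken when EDX is zero.

```python
# Added example (not from the thread or from SafeDisc): a model of the
# Protect1 export scan. The image layout below is constructed for illustration.
import struct

# Field offsets inside IMAGE_EXPORT_DIRECTORY (PE format), the two the listing reads.
NUMBER_OF_FUNCTIONS = 0x14   # [EDX+14] in the listing
ADDRESS_OF_FUNCTIONS = 0x1C  # [EDX+1C] in the listing
EXPORT_DIR_SIZE = 0x28       # sizeof(IMAGE_EXPORT_DIRECTORY)


def build_image(bodies, export_dir_rva=0x100, first_func_rva=0x200, size=0x400):
    """Construct a toy module image: an export directory at export_dir_rva whose
    AddressOfFunctions table points at the given function bodies (bytes)."""
    image = bytearray(size)
    table_rva = export_dir_rva + EXPORT_DIR_SIZE   # RVA table placed right after the directory
    struct.pack_into("<I", image, export_dir_rva + NUMBER_OF_FUNCTIONS, len(bodies))
    struct.pack_into("<I", image, export_dir_rva + ADDRESS_OF_FUNCTIONS, table_rva)
    rva = first_func_rva
    for i, body in enumerate(bodies):
        struct.pack_into("<I", image, table_rva + 4 * i, rva)
        image[rva:rva + len(body)] = body
        rva += 0x10                                 # 16 bytes reserved per toy function
    return image


def count_int3_prologues(image, export_dir_rva):
    """Mirror of Protect1: ECX = base + AddressOfFunctions, EDX = NumberOfFunctions,
    ESI counts exports whose first byte is 0xCC (INT 3).
    An empty table returns 0, like the JBE taken when EDX is zero."""
    count, = struct.unpack_from("<I", image, export_dir_rva + NUMBER_OF_FUNCTIONS)
    table_rva, = struct.unpack_from("<I", image, export_dir_rva + ADDRESS_OF_FUNCTIONS)
    hits = 0
    for i in range(count):
        func_rva, = struct.unpack_from("<I", image, table_rva + 4 * i)
        if image[func_rva] == 0xCC:   # CMP BYTE PTR [EBX+EAX],0CC / INC ESI
            hits += 1
    return hits


def debugger_detected(image, export_dir_rva):
    """The listing's return value: CMP/SBB/NEG turn 'ESI != 0' into 1, else 0."""
    return 1 if count_int3_prologues(image, export_dir_rva) else 0


# Constructed prologues: ordinary ones, and one whose first byte has been
# replaced by a software breakpoint (0xCC).
CLEAN_EXPORTS = [b"\x55\x8b\xec", b"\x8b\xff\x55\x8b\xec", b"\x6a\x00"]
BREAKPOINTED_EXPORTS = [b"\x55\x8b\xec", b"\xcc\xff\x55\x8b\xec", b"\x6a\x00"]

if __name__ == "__main__":
    for label, exports in (("clean", CLEAN_EXPORTS), ("breakpointed", BREAKPOINTED_EXPORTS)):
        img = build_image(exports)
        print(label, "hits:", count_int3_prologues(img, 0x100),
              "detected:", debugger_detected(img, 0x100))
```

The scan only looks at the first byte of each export, which is exactly the byte a software breakpoint replaces; a hardware breakpoint or a detour that keeps the original first byte intact is invisible to it, which is the distinction evlncrn8 draws earlier in the thread.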
Sab
October 15th, 2006, 22:01
well um... edx equal to 0x400 bypassed it and also allowed me to finish unpacking the application with all protections of nanomites/sbytes, redirected, IAT, stolen calls etc. It seems pretty consistent with yates' post which is on Crackz' website,
http://www.woodmann.com/crackz/Tutorials/Protect.htm
and in the implementation I posted, setting edx to 0 will not give you a successful bypassing of the anti-debug. In fact anything but 0x400 will fail, as below..
http://www.woodmann.com/crackz/Tutorials/Protect.htm
secdrv.sys, ANDs dr7 with 500, saves the value and checks it for 500.
.text:00010950 mov eax, dr7
.text:0001095C and eax, 500h
.text:00010961 mov [ecx], eax
Normally without SoftICE, DR7 would have a value of 4xx, for example :
450 AND 500 = 400
412 AND 500 = 400
But SoftICE sets all DR7 values in a 7xx range so :
750 AND 500 = 500
712 AND 500 = 500
So what is SoftICE doing? It's setting LE & GE (Global/Local Exact); these are bits 9 & 8, i.e. 1100000000 (0x300). A quick scan of NTICE and we find:
--------------
and of course the code snippet I posted
10009208 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
1000920C 83C4 14 ADD ESP,14
1000920F 33C0 XOR EAX,EAX
10009211 81FA 00040000 CMP EDX,400
10009217 0F95C0 SETNE AL
1000921A 66:85C0 TEST AX,AX
1000921D 75 12 JNZ SHORT ~df394b.faggothold
With that being said, I think I would set esp+18 == 0x400... where the jnz takes you to bad code. And the 0xCC scan will trigger if you do !protect after executing the SafeCasted/SafeDisced application. If you do it after it's loaded, you must patch the inc esi, so it never recognizes a CC in the table. Again, the results I posted were actual code snippets and bypass methods that work for the version closest to the poster's need.
.text:0003BEAC mov ebx, dr7
.text:0003BEC4 or ebx, 30Ch
.text:0003BECD mov dr7, ebx
...
.text:0003BEDD or ebx, 303h
.text:0003BEE6 mov dr7, ebx
..
.text:0003BEF6 or ebx, 330h
.text:0003BEFF mov dr7, ebx
..
.text:0003BF0F or ebx, 3C0h
.text:0003BF18 mov dr7, ebx
Patch the .sys to remove 300h.
.text:0003BEAC mov ebx, dr7
.text:0003BEC4 or ebx, 0Ch
.text:0003BECD mov dr7, ebx
...
.text:0003BEDD or ebx, 03h
.text:0003BEE6 mov dr7, ebx
..
.text:0003BEF6 or ebx, 30h
.text:0003BEFF mov dr7, ebx
..
.text:0003BF0F or ebx, C0h
.text:0003BF18 mov dr7, ebx
I haven't seen any side effects of doing this. Some older versions have an extra OR at the beginning
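To see why the AND with 500h separates a plain system from one with SoftICE loaded, and why evlncrn8's dr7 routine and Sab's Protect2 both pivot on 0x400, it helps to decode DR7 field by field. The following is an added example, not from the thread, from yates' tutorial or from NTICE, that applies the Intel-documented DR7 layout: bit 10 is reserved and always reads as 1, which is where the 0x400 baseline comes from, and bits 8 and 9 are LE and GE, the 0x300 that the quoted NTICE listing ORs in. The values it runs on (0x450, 0x750, the OR constants from the listing) are taken from the posts above; the field names are the SDM's.

```python
# Added example (not from the thread, the tutorial or NTICE): decode DR7 as the
# Intel SDM defines it and apply the 0x500 mask the thread attributes to secdrv.sys.
# All input values are the ones quoted in the posts above.

# Single-bit fields of DR7 (Intel SDM vol. 3, Debug Control Register).
DR7_BITS = {
    "L0": 0, "G0": 1, "L1": 2, "G1": 3,   # local/global enable for breakpoints 0..3
    "L2": 4, "G2": 5, "L3": 6, "G3": 7,
    "LE": 8, "GE": 9,                     # local/global exact breakpoint enable
    "RES1": 10,                           # reserved, always reads as 1 -> the 0x400 baseline
    "GD": 13,                             # general detect: trap on any MOV to/from DRx
}

SECDRV_MASK = 0x500   # bit 10 (always 1) | bit 8 (LE): what 'and eax, 500h' keeps
EXACT_BITS = 0x300    # LE | GE, the bits the quoted NTICE listing ORs into DR7


def decode_dr7(dr7):
    """Return the named single-bit fields of DR7 plus the R/W and LEN
    condition fields (2 bits each) for each of the four breakpoint slots."""
    fields = {name: (dr7 >> bit) & 1 for name, bit in DR7_BITS.items()}
    for slot in range(4):
        fields[f"RW{slot}"] = (dr7 >> (16 + 4 * slot)) & 0b11
        fields[f"LEN{slot}"] = (dr7 >> (18 + 4 * slot)) & 0b11
    return fields


def secdrv_view(dr7):
    """What survives 'and eax, 500h': 0x400 on a plain system (only the
    always-one bit), 0x500 once LE has been set by a kernel debugger."""
    return dr7 & SECDRV_MASK


def kernel_debugger_suspected(dr7):
    """The decision Protect2 encodes (CMP EDX,400 / SETNE AL):
    anything other than 0x400 is treated as a debugger being present."""
    return secdrv_view(dr7) != 0x400


def explain_enable(or_value):
    """For one 'or ebx, NNNh' from the NTICE listing, report which breakpoint
    slot(s) it enables (local or global) and whether it also sets LE/GE."""
    slots = sorted({bit // 2 for name, bit in DR7_BITS.items()
                    if bit < 8 and (or_value >> bit) & 1})
    return slots, bool(or_value & EXACT_BITS)


if __name__ == "__main__":
    for v in (0x450, 0x412, 0x750, 0x712):
        print(f"dr7={v:#05x} and 500h -> {secdrv_view(v):#05x}",
              "suspect" if kernel_debugger_suspected(v) else "clean")
    for orv in (0x30C, 0x303, 0x330, 0x3C0):
        print(f"or ebx,{orv:X}h enables slot(s) {explain_enable(orv)[0]},",
              "with LE/GE" if explain_enable(orv)[1] else "without LE/GE")
```

Decoding the four OR constants shows they are the four breakpoint slots (L1/G1, L0/G0, L2/G2, L3/G3) each combined with LE|GE, which is why stripping 0x300 from every one of them, as in the patched listing, leaves the breakpoint enables untouched while the masked value drops back to the 0x400 baseline.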
sats
October 30th, 2006, 09:34
Hi man! Who knows where on the HDD SD saves its marker, and how to detect this place?

And I need some help: who can redownload these tools, RebIAT101 ( http://www.exetools.com/forum/attachment.php?attachmentid=4565 ) and Safecast 2.60.30 OEP Finder + Fix IAT + Fix Stolen Call.txt ( http://www.exetools.com/forum/attachment.php?attachmentid=4330 )? I want to try to use these tools.
evlncrn8
October 30th, 2006, 11:00
the save part on the HDD is typically sector 3x (on mine it's 31), pretty easy to find, just hex-edit the sectors, they should all be 00's... make a backup of the sector first before doing anything though...
sats
October 31st, 2006, 00:23
With a hex editor I filled sector 32 with 00's and I found one sector with the SD marker. When I fill this sector with 00's and delete the SD registry entries and drivers, the trial is not reset. Who knows why?
evlncrn8
October 31st, 2006, 14:04
because you need to also delete the hidden c-dilla (think that's the name) typically located in the root of the c:\ drive (or possibly the OS 'boot' drive).. search for it; inside (if I remember) is a .dat file, delete it, the trial should then reset. I'm working from memory though, it's a long time since I played with SafeCast, but c-dilla usually just bolt stuff onto their existing code, so I doubt it's changed much... alternatively, run Filemon and see what files it accesses..
hope that helps
sats
November 1st, 2006, 00:30
I know about this dat file: C:\Documents and Settings\All Users\Application Data\application\23we5.dat. I deleted this file first of all, but fuckin' SafeDisc: I uninstall the application - 0 day license - press OK - messagebox('fucking cracker') - joke - messagebox('(1619) your license to use this product has expired') - and that's all. Maybe these tools would help me, RebIAT101 and Safecast 2.60.30 OEP Finder + Fix IAT + Fix Stolen Call.txt, but I have no access to exetools.
evlncrn8
November 1st, 2006, 11:13
yeah, but there's still the hidden c-dilla or cdilla (or some variation on the name) in the root of the drive.. check for it, as it also contains the license crap.. it's 'global', I think the one in Documents and Settings is 'localised'.. so you probably have to wipe out both