The Cracking Answer
-------------------

Author : Bug Error
------------------

Target : Might & Magic 7 1.0 US (Safedisc)
-------------------------------------------

Toolz :
-------
- Soft-Ice 3.23
- ProcDump 1.5
- Frog-Sice (to bypass the anti-debugging protection)
- Sicetool (to patch Soft-Ice and modify the pagein command)
- HexWorkshop
- ExeScope

1) About ICD Files
-------------------
- Run ProcDump
- Click on PE Editor and open "mm7.icd"
    Entry Point => 000CF9AE
    Image Base  => 00400000
- Now, you must calculate EIP : Entry Point + Image Base => 004cf9ae
- Click on Sections to get this :

    Section   Virt. Offset   RAW Size   RAW Offset
    .text     00001000       000DA000   00001000
    .rdata    000DB000       00007000   000DB000
    .data     000E2000       00017000   000E2000
    .rsrc     00B99000       00010000   000F9000

- To dump these sections, you'll need the begin address :
    => Begin address : Image Base + Virtual Offset
    .text  => 401000
    .rdata => 4db000
    .data  => 4e2000
    .rsrc  => f99000
- Run ExeScope, and open "mm7.icd"
- Click on Imports
- Choose Kernel, and count how many APIs there are : here, it's 96, and in hexadecimal : 60h
- Now, choose User, and count how many APIs there are : here, it's 33, and in hexadecimal : 33h
- You must convert the decimal numbers to hexadecimal, because Soft-Ice doesn't like decimal :))

2) Dump Sections
-----------------
- Run the game
- Wait for the splash screen, and press CTRL + D
- In Soft-Ice, if you're in DPLAYER.DLL, type BPX FREELIBRARY
- Press F11
- After a few seconds, you're back in Soft-Ice
- Type d 4cf9ae to see if the ICD file is decrypted; if not, press F5, and wait :))
- If the ICD file is decrypted, type BC*
- OK, now you'll dump all sections except .rdata with the pagein command
- In Soft-Ice, type :
    pagein 401000 da000 c:\text.bin
    pagein 4e2000 17000 c:\data.bin
    pagein f99000 10000 c:\rsrc.bin

3) About Safedisc's caller
--------------------------
- Type bpx 4cf9ae and press F5
- What do we get ?
    0177:004cf9ae  push ebp
    0177:004cf9af  mov ebp, esp
    0177:004cf9b1  push ff
    0177:004cf9b3  push 004de160
    0177:004cf9b8  push 004d311c
    0177:004cf9bd  mov eax, fs:[00000000]
    0177:004cf9c3  push eax
    0177:004cf9c4  mov fs:[00000000], esp
    0177:004cf9cb  sub esp, 58
    0177:004cf9ce  push ebx
    0177:004cf9cf  push esi
    0177:004cf9d0  push edi
    0177:004cf9d1  mov [ebp-18], esp
    0177:004cf9d4  call [004db164]        => Press F8 here to trace it
- Now, you must get this :
    0177:012678e7  pushad
    0177:012678e8  push 0000004b
    0177:012678ed  push 00000000
    0177:012678f2  call [01267908]        => Haha, this is our C-Dilla caller; note it, you'll need it :)
    0177:012678f8  add esp, 08
    0177:012678fb  popad
    0177:012678fc  jmp [01267902]

4) Move .RDATA in .DATA
------------------------
- Because the .rdata section is read only, you'll need to move it into another section with the M and L commands
    => M "RAW Size of .rdata + Image Base" L "Raw Size of .rdata" "Virtual Offset of .data + Image Base"
- In Soft-Ice, type :
    M 407000 L 7000 4f0000

5) Fix .rdata section for Kernel's API
--------------------------------------
- In Soft-Ice, type :
    R eip 4cf9ae
    .
    a eip
- Now, write this call fixer :
    4CF9AE  pushad
    4CF9AF  push ebx
    4CF9B0  push 0                => 0 means kernel import
    4CF9B2  call [01267908]       => The address that you've found by tracing
    4CF9B8  add esp, 8
    4CF9BB  mov edx, 4F0000       => Where you've moved .rdata
    4CF9C0  cmp eax, [edx]
    4CF9C2  je 4cf9ce
    4CF9C4  inc edx
    4CF9C5  cmp edx, 4f7000
    4CF9CB  jne 4cf9c0
    4CF9CD  int 03
    4CF9CE  mov [edx], ecx
    4CF9D0  popad
    4CF9D1  inc ebx
    4CF9D2  cmp ebx, 60           => 60 is the kernel API count in hex
    4CF9D5  jne 4cf9ae
    4CF9D7  int 03

6) Fix .rdata section for User's API
-------------------------------------
- In Soft-Ice, type :
    R eip 4cf9ae
    .
    a eip
- Now, write this call fixer :
    4CF9AE  pushad
    4CF9AF  push ebx
    4CF9B0  push 01               => 01 means user import
    4CF9B2  call [01267908]       => The address that you've found by tracing
    4CF9B8  add esp, 8
    4CF9BB  mov edx, 4F0000       => Where you've moved .rdata
    4CF9C0  cmp eax, [edx]
    4CF9C2  je 4cf9ce
    4CF9C4  inc edx
    4CF9C5  cmp edx, 4f7000
    4CF9CB  jne 4cf9c0
    4CF9CD  int 03
    4CF9CE  mov [edx], ecx
    4CF9D0  popad
    4CF9D1  inc ebx
    4CF9D2  cmp ebx, 33           => 33 is the user API count in hex
    4CF9D5  jne 4cf9ae
    4CF9D7  int 03
- Now, you'll be able to dump the .rdata section :
    pagein 4f0000 7000 c:\rdata.bin

7) Rebuild EXE file
--------------------
- Now that you have all the dumped sections, you must rebuild a new "mm7.exe" file
- Copy "mm7.exe" into a temp directory with all the dumped sections
- Rename "mm7.icd" to "mm7.exe"
- Run HexWorkshop, and open "mm7.exe"
- Open "text.bin"
- Focus on "mm7.exe" and press ALT + F5
- Enter the RAW Offset of the .text section : 1000 (select at the beginning)
- Go to Edit, select "Select Block" and type the RAW Size of the .text section : da000
- Focus on "text.bin", go to Edit and click on Select All
- Press CTRL + C
- Focus on "mm7.exe" and press CTRL + V
- Do the same thing for the rdata, data and rsrc sections :))
- Save the new "mm7.exe"

8) Rebuild PE
-------------
- Run ProcDump and choose "Rebuild PE"
- Choose your new "mm7.exe" and click on OK
- OK, your EXE is fixed, and you've cracked Safedisc :))

9) Final words
---------------
- Best Regards to :
    KaB00M ......................... [ LEADER/CRACKER/CODER ]
    Avenger ........................ [ LEADER/CRACKER/CODER ]

    sEVanD02K ...................... [ CO-WEBMASTER ]
    SHi ............................ [ WEBMASTER/CODER ]
    NADA ........................... [ HEADCRACKER/CRACKER ]
    THE WEB ........................ [ HEADCRACKER/CODER ]

    Black Racer .................... [ CRACKER/CODER/GFXER ]
    Bulletproof .................... [ CRACKER ]
    BugError ....................... [ CRACKER ]
    DaBrain ........................ [ CRACKER ]
    fREKAnoiZ ...................... [ CRACKER ]
    gZM ............................ [ CRACKER ]
    kOBoLd ......................... [ CRACKER ]
    JTK '99 ........................ [ CRACKER ]
    LAP ............................ [ CRACKER ]
    LongFing ....................... [ CODER ]
    [-Ghost-] ...................... [ GFXER ]
    NEMESIS ........................ [ CRACKER ]
    TheRage ........................ [ CRACKER ]
    Thezor ......................... [ GFXER/GFXER ]
    WeaxWeasel ..................... [ CRACKER ]

- For questions, contact me at bugerror@hotmail.com

Bug Error from TCA
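Added example, not part of the original tutorial: a small Python parser for the PE32 section table that computes by code the values section 1 derives by hand (entry point VA = Entry Point + Image Base, each section's begin address = Image Base + Virtual Offset, the raw offset/size used when pasting sections in section 7) and reads the section Characteristics flag that explains why .rdata is read only in section 4. The header bytes are constructed inline with the section values the tutorial lists for mm7.icd, so it runs without the game file.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000          # section Characteristics flag (PE/COFF spec)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe_sections(data: bytes) -> dict:
    """Return ImageBase, entry-point VA and each section's VA / raw range from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:   # PE32 magic; PE32+ has a 64-bit ImageBase
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(num_sections):
        name, _vsize, va, raw_size, raw_off, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER_FMT, data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode(),
            "va": image_base + va,            # "begin address" = Image Base + Virtual Offset
            "raw_size": raw_size,             # number of bytes the section occupies on disk
            "raw_offset": raw_off,            # where those bytes sit in the file on disk
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {"image_base": image_base, "entry_va": image_base + entry_rva, "sections": sections}

def build_sample_header() -> bytes:
    """Constructed PE32 header (no code or data) carrying the values the tutorial lists for mm7.icd."""
    secs = [(b".text", 0x1000, 0xDA000, 0x1000, 0x60000020),     # name, VirtualAddress, RawSize, RawOffset, flags
            (b".rdata", 0xDB000, 0x7000, 0xDB000, 0x40000040),   # read-only data: no MEM_WRITE bit
            (b".data", 0xE2000, 0x17000, 0xE2000, 0xC0000040),   # read/write
            (b".rsrc", 0xB99000, 0x10000, 0xF9000, 0x40000040)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x10F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0xCF9AE)                      # AddressOfEntryPoint from the tutorial
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase from the tutorial
    table = b"".join(struct.pack(SECTION_HEADER_FMT, n.ljust(8, b"\0"), sz, va, sz, off, 0, 0, 0, 0, fl)
                     for n, va, sz, off, fl in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

Pointing parse_pe_sections at the bytes of a real PE32 file gives the same table for any 32-bit executable.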