PDA

View Full Version : Safecast


rimmy
June 18th, 2001, 00:43
Hi everybody !

I'm trying to crack an eval program which is protected with the C-dilla SafeCast v.3.21.040. Besides, the program is protected with the Flexlm. The program consists of several protected executables and dll's. So, if I get to unwrap them and to find the license keys I'll get the full version of it.
Well, when I started working on it I didn't have any experience in Safecast,
I only could find some tutorials on Safedisc cracking. But I succeeded in unwrapping 3 exe's and finding the flex-keys to all of the exe's. While looking for the keys I had to replace the protected lic-files by the real flex-licenses and broke the Safecast licenses. Now I have stuck and can't unwrap the other exe's because the Safecast displays "Your license to use this product has become temporarily broken etc." and it asks me to enter the Response Code to run the application. I tried to reinstall the program but the Safecast remembers all.

Does anyone know how to root out the Safecast "memory" in order to reinstall the program ?
Are there any tutorials or info on Safecast cracking ?
Did anyone succeed in getting "Response Code" in order to run the application under the Safecast protection ?

Best regards.

IcyDee
June 18th, 2001, 17:52
I read a message thread somewhere on this board about how they put information into low numbered sector on the HDD (above sector 32) which can only be removed with a low level format.

Lord Crass
June 18th, 2001, 22:39
You can also use HexWorks to directly edit the disk sectors. I believe it's sector 32 on your root drive that contains the safecast data.

evil-risc
June 19th, 2001, 07:02
sector 32 - 63 can contain license data, see fravia's homepage, tsehp wrote sth about it ..

you have to null the first couple of bytes of license data in whichever sector it lies in, and delete the license off your hd (c:\c_dilla\blah)

rimmy
June 19th, 2001, 18:03
Yeaah, the Safecast writes its data into the hdd space between Cylinder 0 Side 0 Sector 1 and Cylinder 0 Side 1 Sector 1, that is between the MBR and the logical C:\-boot sector. Using HWS it could be found beginning with physical sector 32. Eeach time the Safecast setups it makes a new record in that space increasing the sector number (33,34 and so on). Yes, it's sufficient to zero the first word of the record, delete all the C-dilla regs and bdxxxxxx.dat-files and the Safecast starts from the zero countup.

Thanx !

karakochev
June 22nd, 2001, 21:13
3 mounths ago I put a proggy on my site that automaticly removes C_dilla safecast system
http://karakochev.search.bg

rimmy
June 26th, 2001, 03:05
Well, I did it. I mean unwrapping 13 exe's and 10 associated dll's of the above-mentioned program. Now I have some experience in safecast cracking and can say that the newfangled Icedump and Revirgin turned out to be rather useless for solving the task, moreover, they made me waste lots of time. So, I had to use the classical scheme for unwrapping both the exe's and dll's, that is pep+jmp_eip+F5+external_dumping. Procdump (v1.6.2) coped with dumping the exe's, but failed with the dll's. PEditor (v1.7) nicely dumped the dll's stopped at "pep". The only operation I had to do after dumping was changing the image base of the dumped dll's (with PEditor, of course), and no redirection, no IAT resolving. That's all.

Good luck !

goatass
June 26th, 2001, 22:29
How about you write a tutorial on how you did it so the rest of the scene could benefit from your findings.

goatass

rimmy
June 27th, 2001, 14:13
I don't think I found something of interest to the rest of the scene while cracking the program. I just did some routine work. I recommend to read the tutorials written by Predator, BlackB and Kilby. They can be found at http://tsehp.cjb.net. Those tutorials helped me very much. I think anyone will be able to unwrap anything after reading them.