View Full Version : Reversing Safecast - The Solution

November 20th, 2001, 15:07
After posting a question about unpacking Safecast, and seeing that anybody had replied me, I have seen that not a lot of people are able to unpack something packed with safecast.
I have unpacked all the new Autodesk Releases, all of them are protected with safecast.
The first problem I had was that I thougth that it was the main exe the one that was packed, simillar to VBox, but I was wrong.
Lets resume a bit how the protection works.
There is a main executable that calls some functions of a dll (adlmbase.dll) this dll is the one used to display the dialogbox of the evaluation period and the one who calls the cdilla driver that will be used to unpack de things that are crypted.
I haven't studied how to make an expired evaluation to work again but anyway Tsehp & R!sc wrote a nice tutorial about how to do it (Hi Guys!! :P)
So I'll asume you are still in evaluation period. what I did was execute the program,when de dialogbox appears, put a bpx on -CreateFileA, and then click on next, to start evaluating the program. Then saftice will break, F12 and you probably are in CdillaXX.dll code. Now disable the bpx and put a new bpx on getversion. F5 to continue, program should break on some diferent files, those files maybe are crypted take a note of some of them, and when you are bored disable the bpx to let the program finish loading. Now using HexWorkshop open those noted files to see if they are cryped just looking it you will know if they are crypted or not. take note of the crypted files.
I'll give you a day to try those things and maybe you will be able to finish unpacking by yourself, this should be the goal of any cracker, be able to make things by your own, whitout help.
Why I'm doing this instead of writing a tutorial? Cause by this way I make you think a bit and you don't crack anything without knowing what you are doing.
I hope you like this new way of teaching.

P.S. If you think you can continue the Forum Tutorial DO IT, or if you do it in a diferent way, please post it here.

P.S.2: Sorry for my really poor english level.


Limits were make to be broken, PROTECTIONS TOO.

November 21st, 2001, 11:03
New Day, New part of the tutorial. If you have tryed what I explaned you yesterday you probably have fond the crypted files.
This is a good beggining. Not a lot of things remaind to finish with the tutorial.
Lets continue.

The files are Crypted, not packed. What I want to tell you is that no changes will be needed after dumping the files.
Lets continue with the procedure.
We will start again. Execute the program. When the dialogbox appears, put a Bpx on CreateFileA, click on Next Button to start the evaluation. Softice Will break then F12, you should be in Cdilla dll code, F12 2 or 3 times, until you exit from cdilla dll. Now put a bpx on GetVersion. F5 to continue. when softice break, press F12 to see if we are in the right place (taking a look at the green line you will see what file is being traced, as soon as this green line displays the name of the crypted dll stop doing anything. disable the bpx (BC*) and go back with Ctrl+Up Arrow until you see the begining of the routine.
Normally you can identify the begining of a routine by searching a

int 3 // or nop
int 3 // or nop
push EBP
Take not of the RVA that corresponds to that begining of the function.
then put a bpx on that Push EBP. now press F5 Again.
if the Sice break again on that push EBP, now press a, then return. Then write, jmp eip, press return again, F5 to exit. now the program stops loading.
Get Peditor and dump the dll that you want to decrypt. (i'm not going to explane how to do it, i hope you have enough level to know it).
Now the only thing that reminds is to fix those two modified bytes. just open hiew and go to the ofset where you assemble a jmp eip. and correct it with the right values, normally it should be 558B.
You have decrypted the dll. Repeat those steps for every crypted file.
Now the only thing that reminds is to fix the adlmbase to stop displaying the dialogbox and fix all the checks on the license that are done.
I wont comment how to do this but setting a bpx on DialogBoxParamA and doing a bit of trace you will find it.

The functions that i patched (adlmbase.dll) were:
XXXX CheckClientLicenseXXXXXXX
All those functions must return eax=0.

That's all, if you have do it right you should have a full working version of the program.
The only programs that I have crakced are the ones from Autodesk, if you know any other program protected with SafeCast Let me know it.

I hope you have learned how to do it.
Now if you think you can write a nice tutorial would be great for everyone who don't know about this forum.

Any questions will be answered here, don't mail me cause I don't respond any mail.


November 21st, 2001, 12:38
Maybe no one was really interested in your target ?

You assumed because none have answered they can't
unpack it. Maybe they couldn't get their hands on that
target ??
maybe they dont give a flying f**k ??


November 21st, 2001, 14:50
Maybe, anyway after finding the way to do what I was trying to do i thought it would be nice to let the people know how I did it. I know there are people that can unpack SafeCast. r!sc already wrote an unpacker for an older version. If my litle explanation helps at least one person i'll already be happy.
Don't know why are you so rude with me, I don't know if i have said something wrong, if this is the case I'm sorry.

November 21st, 2001, 18:19
I dont think I was too rude. If i was, you have my apology.
This happens sometimes. Ppl post something and nobody
replies. From the first words in your post it was annoying
to see that you *assumed* not many can unpack it.

anyways, enough said. Why don't you make an essay
out of it ?


November 22nd, 2001, 06:20
I was trying to see if anybody have a diferent way to unpack safecast. My way works fine in almost all aplications but for example, for unpacking 3D Studio Max 4 I had a lot of problems to find the OEP cause GetVersion wasn't called at tge begining. In this case what I did was trying to make the program to call one of those decrypted files to se what was the imagebase, then after breaking on Cdilla code I pressed F12 until all the cdilla code was executed and then with Icedump loaded I used the \tracex function using the Imagebase I had found before. So finally I could find a good place to dump the file.
If anybody else have any other way to do it would be very helpful if you post it here, so I can make a better tutorial.
Thank you in Advance