Results 1 to 6 of 6

Thread: Reversing Safecast - The Solution

  1. #1
    TheBlock
    Guest

    Reversing Safecast - The Solution

    After posting a question about unpacking Safecast, and seeing that anybody had replied me, I have seen that not a lot of people are able to unpack something packed with safecast.
    I have unpacked all the new Autodesk Releases, all of them are protected with safecast.
    The first problem I had was that I thougth that it was the main exe the one that was packed, simillar to VBox, but I was wrong.
    Lets resume a bit how the protection works.
    There is a main executable that calls some functions of a dll (adlmbase.dll) this dll is the one used to display the dialogbox of the evaluation period and the one who calls the cdilla driver that will be used to unpack de things that are crypted.
    I haven't studied how to make an expired evaluation to work again but anyway Tsehp & R!sc wrote a nice tutorial about how to do it (Hi Guys!! :P)
    So I'll asume you are still in evaluation period. what I did was execute the program,when de dialogbox appears, put a bpx on -CreateFileA, and then click on next, to start evaluating the program. Then saftice will break, F12 and you probably are in CdillaXX.dll code. Now disable the bpx and put a new bpx on getversion. F5 to continue, program should break on some diferent files, those files maybe are crypted take a note of some of them, and when you are bored disable the bpx to let the program finish loading. Now using HexWorkshop open those noted files to see if they are cryped just looking it you will know if they are crypted or not. take note of the crypted files.
    ....
    ....
    ....
    I'll give you a day to try those things and maybe you will be able to finish unpacking by yourself, this should be the goal of any cracker, be able to make things by your own, whitout help.
    Why I'm doing this instead of writing a tutorial? Cause by this way I make you think a bit and you don't crack anything without knowing what you are doing.
    I hope you like this new way of teaching.

    P.S. If you think you can continue the Forum Tutorial DO IT, or if you do it in a diferent way, please post it here.

    P.S.2: Sorry for my really poor english level.

    TheBlock.

    Limits were make to be broken, PROTECTIONS TOO.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    TheBlock
    Guest

    PART 2 OF THE TUTORIAL

    New Day, New part of the tutorial. If you have tryed what I explaned you yesterday you probably have fond the crypted files.
    This is a good beggining. Not a lot of things remaind to finish with the tutorial.
    Lets continue.

    The files are Crypted, not packed. What I want to tell you is that no changes will be needed after dumping the files.
    Lets continue with the procedure.
    We will start again. Execute the program. When the dialogbox appears, put a Bpx on CreateFileA, click on Next Button to start the evaluation. Softice Will break then F12, you should be in Cdilla dll code, F12 2 or 3 times, until you exit from cdilla dll. Now put a bpx on GetVersion. F5 to continue. when softice break, press F12 to see if we are in the right place (taking a look at the green line you will see what file is being traced, as soon as this green line displays the name of the crypted dll stop doing anything. disable the bpx (BC*) and go back with Ctrl+Up Arrow until you see the begining of the routine.
    Normally you can identify the begining of a routine by searching a


    int 3 // or nop
    int 3 // or nop
    push EBP
    mov EBP,ESP
    ....
    ...
    ...
    Take not of the RVA that corresponds to that begining of the function.
    then put a bpx on that Push EBP. now press F5 Again.
    if the Sice break again on that push EBP, now press a, then return. Then write, jmp eip, press return again, F5 to exit. now the program stops loading.
    Get Peditor and dump the dll that you want to decrypt. (i'm not going to explane how to do it, i hope you have enough level to know it).
    Now the only thing that reminds is to fix those two modified bytes. just open hiew and go to the ofset where you assemble a jmp eip. and correct it with the right values, normally it should be 558B.
    You have decrypted the dll. Repeat those steps for every crypted file.
    Now the only thing that reminds is to fix the adlmbase to stop displaying the dialogbox and fix all the checks on the license that are done.
    I wont comment how to do this but setting a bpx on DialogBoxParamA and doing a bit of trace you will find it.

    The functions that i patched (adlmbase.dll) were:
    XXXX Authorize XXXXXXXX
    XXXXCheckLicenseXXXXXXX
    XXXX CheckClientLicenseXXXXXXX
    All those functions must return eax=0.

    That's all, if you have do it right you should have a full working version of the program.
    The only programs that I have crakced are the ones from Autodesk, if you know any other program protected with SafeCast Let me know it.

    I hope you have learned how to do it.
    Now if you think you can write a nice tutorial would be great for everyone who don't know about this forum.

    Any questions will be answered here, don't mail me cause I don't respond any mail.

    TheBlock
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Lord_Soth
    Guest
    Maybe no one was really interested in your target ?

    You assumed because none have answered they can't
    unpack it. Maybe they couldn't get their hands on that
    target ??
    maybe they dont give a flying f**k ??

    LS
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    TheBlock
    Guest
    Maybe, anyway after finding the way to do what I was trying to do i thought it would be nice to let the people know how I did it. I know there are people that can unpack SafeCast. r!sc already wrote an unpacker for an older version. If my litle explanation helps at least one person i'll already be happy.
    Don't know why are you so rude with me, I don't know if i have said something wrong, if this is the case I'm sorry.
    Sincerely
    TheBlock
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Lord_Soth
    Guest
    I dont think I was too rude. If i was, you have my apology.
    This happens sometimes. Ppl post something and nobody
    replies. From the first words in your post it was annoying
    to see that you *assumed* not many can unpack it.

    anyways, enough said. Why don't you make an essay
    out of it ?

    LS
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    TheBlock
    Guest
    I was trying to see if anybody have a diferent way to unpack safecast. My way works fine in almost all aplications but for example, for unpacking 3D Studio Max 4 I had a lot of problems to find the OEP cause GetVersion wasn't called at tge begining. In this case what I did was trying to make the program to call one of those decrypted files to se what was the imagebase, then after breaking on Cdilla code I pressed F12 until all the cdilla code was executed and then with Icedump loaded I used the \tracex function using the Imagebase I had found before. So finally I could find a good place to dump the file.
    If anybody else have any other way to do it would be very helpful if you post it here, so I can make a better tutorial.
    Thank you in Advance
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. The Xenocode Solution v2.0
    By LibX in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: August 6th, 2007, 02:11
  2. The Xenocode Solution v1.2
    By LibX in forum Tools of Our Trade (TOT) Messageboard
    Replies: 3
    Last Post: April 27th, 2007, 19:22
  3. Safecast is driving me crazy Help needed
    By eclipse2k2 in forum Malware Analysis and Unpacking Forum
    Replies: 15
    Last Post: January 29th, 2004, 03:33
  4. 3D Studio 4.2 and Safecast
    By Silent in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: October 5th, 2001, 06:01
  5. Safecast
    By rimmy in forum Advanced Reversing and Programming
    Replies: 8
    Last Post: June 27th, 2001, 14:13

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •