
Thread: SD2 - Why God ?


  1. #1
    blackos

    SD2 - Why God ?

    Hi all...
    I know great people are all around this forum, so, I ask my question.
    Why is there so little information about SafeDisc2 all around the web ???
    especially concerning version 2.51.xx or better 2.60.xx ???

    I'm actually dealing with version 2.60.xx and I got stuck...

    I'll hugely appreciate any kind of information about this !!!

    thanx to all of you.



    blak.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    KeopS

    > I'll hugely appreciate any kind of information about this !!!

    hmm ... be more specific please

  3. #3
    I think a kinda little list about the Anti-*.* stuff and crypto routines currently used would come in handy for people not deprotecting games very often. The ways to bypass them should then be obvious most of the time, I guess (surely no need for a 'then-press-F12-65535-times' type of text here).

    So, if someone lately dealt with an up to date SD2 version, I'd appreciate some rough info, too...



    Pyrae

  4. #4
    ThrawN
    What sort of information are you looking for? Additional anti-debug changes?

  5. #5
    blackos
    Hi all, and thank you for your time


    So, I need to be more precise, of course, and I'll do so:

    I'm actually dealing with version 2.60.52 of SD2.
    You have to know that I'm neither a system guru nor a little newbie lost in SoftICE's world.
    I first tried to use a classical approach to reverse SD2, that is, exe dumping... then I tried to rebuild the IT by myself.
    By the way, I succeeded easily in bypassing the anti-SI trick which quits when a BPM x is set. So, it's not a big deal for me to break when I want now....
    But bad news for me because one vector in the table can lead to many different APIs. Ooops... it appears that the offset of the 'caller' is important for SD2. That means that after compilation, the code of the main program has been modified to create this strange Import Table stuff. Am I wrong ? Please, tell me....

    Well, it's tricky for me. Could there be a simpler solution than coding a sort of 'scanner' which would rebuild every call in the code ??? Have you got any idea ?

    It's not all... apparently, some internal calls of the SD protected application are made in one of 2 new sections which are SD2 sections.... so some procedures are replaced by SD ones, am I wrong ?

    Now, I think I used a bad approach to reverse SD2... I'm actually trying to understand how all this stuff is made and how to code a 'generic' dumper or loader or unprotector.

    It's really interesting, but I feel it's a bit hard for me, so any kind of help will be wonderful ! (information, sourcecode, or advice for a GOOD and WORKING approach).
    I would like to succeed in dumping a working EXE first, then *try* to make a generic tool afterwards.

    Thank you all guys.

    blak.

  6. #6
    [yAtEs]
    > But bad news for me because one vector in the table can lead to many different APIs.

    indeed, if you're taking the classical approach then you'll need to build an array of the calls and catch the API, then create a new thunk and place the values here and patch the code to use this.


    > Ooops... it appears that the offset of the 'caller' is important for SD2.

    however,..if you want to take the reverser approach then here is a good start. you've identified the offset of the caller is important, so try BPM RW this and spend a while following it (:


    > That means that after compilation, the code of the main program has been modified to create this strange Import Table stuff. Am I wrong ? Please, tell me....
    you're not wrong, a new strange import table is indeed in place (:
    hmm so where's the real one? looks like you need to take the above approach to find out more.


    > Well, it's tricky for me. There could be a simpler solution than coding a sort of 'scanner' which will rebuild every call in the code ??? Have you got any Idea ?
    it can be done, but there are many different ways of calling
    APIs, and it can be a big task. and even at the end there are
    other things that need repairing.



    > It's not all... apparently, some internal calls of SD protected application are made in one of 2 new sections which are SD2 sections.... so some procedures are replaced by SD ones, Am I wrong ?
    ah, what was I just saying about others that need repairing... oh yes, now I remember (; yup, code is replaced with code from the
    2 stxt sections, you can investigate it quite easily.


    > Now, I think I used a bad approach to reverse SD2... I'm actually trying to understand how all this stuff is made and how to code a 'generic' dumper or loader or unprotector.
    to understand how everything works is never a bad approach to reversing q:


    > It's really interesting, but I feel it a bit hard for me, so any kind of help will be wonderful !
    jah, interesting init (:

    > I would like to succeed in dumping a working EXE in a first time, then *try* to make a generic tool in a second time.
    good idea.


    hope this helps,

    yates.

  7. #7
    disavowed
    as for your generic sd2 unwrapper, it looks like it's already been done:

    http://www30.brinkster.com/cirkutz/sd/

    I haven't tried the program yet, but found this with google. hope it helps.

  8. #8
    blackos
    Hi all... this answer is for you,

    First, a big thank you to [yAtEs], your funny answer gives me a little piece of hope on how to reverse this tasty protection scheme. I'm just going to "help myself" to go further into this nice stuff. But if I get stuck another time, maybe I can hope you'll help me a little bit more ?


    Well.... thank you "disavowed" for your URL, but my goal is not really to unprotect the software with someone else's tool...
    I prefer trying to understand what is behind SD2 and trying to reverse it by myself. It's so MUCH fun.

    By the way, your URL is for SD2 v2.51.xx and I'm actually dealing with SD2 v2.60.xx, so.... sorry, but it will not work. Yeah, 'C*Dilla - Safe*disc' guys are working a lot and do pretty good things for us !!!.....

    Nevertheless, thanks a lot !

    By the way... how could you explain there is so little information about this stuff all around the web ???


    seeya.

    blak.

  9. #9
    [yAtEs]
    > First, a big thank to you [yAtEs], your funny answer give me a little piece of hope on how to reverse this tasty protection scheme.

    (; inspiration was the idea, I'll gladly help you more if need be, if you have more questions; I was just giving you basic information. Once you've got your focus set we can discuss particular bits of code.
    q:

  10. #10
    ThrawN
    Could you give me a few game titles using this *new* SafeDisc2?
    I'll go buy one and check it out


    ThrawN

  11. #11
    blackos

    Hi all !

    for [yAtEs] :
    Well .... I'm a bit further into SD2 and I've found the routine which deciphers the program's bytes in a 4096-byte buffer. It's pretty complicated (obfuscating stuff is not the problem) and long, so I'll try to understand something... I feel like I'm losing my time with these routines, but in fact I know that it's important to understand. Maybe I need a bigger brain ?


    for ThrawN :
    My target is actually 'Dra*gon' : a Chinese title available to download on Aaron's forum (exe-tools, see link below...) (a few executables + a .iso image to burn (around 20 Mbytes)). He said he can provide personal access to his FTP if someone can crack that.
    Of course, this title is not complete, but enough to try to reverse it...
    I'm not a Chinese guy and this title doesn't interest me by itself (who can read that stuff ?), but the protection scheme is pretty cool !!!!
    I was also (and I still am) *not* interested in special access to Aaron's FTP, but I thought that if he asked others to 'crack' this title for him, it was because nothing can actually do it automatically, so it appears to be interesting to me, you know.
    Well, in fact it's a new version of SD2 and I find it hard to reverse.
    Maybe you could have great fun with it ? For me, it's actually a kind of headache.... woww....

    Have fun !
    bye !...

    blak.

  12. #12
    [yAtEs]
    > I feel like I'm losing my time with these routines, but in fact I know that's important to understand. Maybe I need a bigger brain ?

    ok, here's some help then

    ************************************
    morph_proc proc

    var_10 = dword ptr -10h
    new_byte = byte ptr -0Ch
    size_of_block2 = dword ptr -8
    size_of_block1 = dword ptr -4
    data_block1 = byte ptr 8
    data_block2 = byte ptr 10h


    mov ecx, [ebp+size_of_block1]
    push ecx
    lea ecx, [ebp+data_block1]
    call read_byte

    mov [ebp+new_byte], al
    mov edx, [ebp+size_of_block2]
    push edx
    lea ecx, [ebp+data_block2]
    call read_byte

    mov cl, [ebp+new_byte]
    xor cl, al ;*
    mov [ebp+new_byte],cl

    mov dl, [ebp+new_byte]
    push edx ; new_byte
    mov eax, [ebp+size_of_block2]
    push eax ; counter
    lea ecx, [ebp+data_block2]
    call write_byte
    ************************************

    so you can see a 4kb data block being written into,
    things to do are... find:

    what the 4kb data block is
    where does it come from
    what does it end up as
    what is its final outcome used for? (BPM IT, do it now! (; heh


    thrawn:

    SuperPower
    Myth 3
    StrongHold update
    SOAF
    Kohan

    yates.

  13. #13
    blackos

    Thanks Yates ... I'm looking into this (IDA has already helped me to understand a little bit....).

    ))

    By the way, I think 'KOHAN' is protected by SD2 v2.51.xx instead of 2.60.xx (I've checked the original CD (provided with my new computer)).

    thanx.

    blak.

  14. #14
    [yAtEs]
    > By the way, I think 'KOHAN' is protected by SD2 v2.51.xx instead of 2.60.xx

    ah, kohan 1.34 patch then

  15. #15
    blackos

    Hi Yates !

    A tiny little victory for me this time .... better than nothing....
    I've finally succeeded in getting a good I.T. thanks to SD2 itself (good guy !)... but it's still not working at all, because of the replacements in the sourcecode's CALLs...
    I've got tears in my eyes because I've traced and traced this code for hours... I put so many BPMs between the original ciphered data leading to temporary buffers .... it was horrible... but so good in fact.


    Well, I still can't understand when and how the sourcecode is modified so that different CALLs use only one I.T. vector.... was it before ciphering or is it done 'on the fly' by SD2 ??? Please, help ! I'm dying !...

    you can see below my little victory to get a good (but not working) I.T.

    017F:1009545C 8B45EC MOV EAX,[EBP-14]
    017F:1009545F 8D8C10FF020000 LEA ECX,[EDX+EAX+000002FF]
    017F:10095466 8B55E8 MOV EDX,[EBP-18]
    017F:10095469 8B4518 MOV EAX,[EBP+18]
    017F:1009546C 890C90 MOV [EDX*4+EAX],ECX <<< HERE ... I.T. vectors are created in temp buffer
    017F:1009546F 7809 JS 1009547A
    017F:10095471 90 NOP
    017F:10095472 87FF XCHG EDI,EDI
    017F:10095474 7F09 JG 1009547F
    017F:10095476 87F6 XCHG ESI,ESI
    017F:10095478 7E05 JLE 1009547F
    017F:1009547A 7400 JZ 1009547C
    017F:1009547C 78F3 JS 10095471
    017F:1009547E 038B4DE88B55 ADD ECX,[EBX+558BE84D]
    017F:10095484 248D AND AL,8D
    017F:10095486 048A ADD AL,8A
    017F:10095488 8B4DE8 MOV ECX,[EBP-18]
    017F:1009548B 69C94B030000 IMUL ECX,ECX,0000034B
    017F:10095491 8B55EC MOV EDX,[EBP-14]
    017F:10095494 89840A32030000 MOV [ECX+EDX+00000332],EAX
    017F:1009549B E91FFFFFFF JMP 100953BF
    017F:100954A0 8B4D14 MOV ECX,[EBP+14]
    017F:100954A3 C1E102 SHL ECX,02
    017F:100954A6 33C0 XOR EAX,EAX
    017F:100954A8 8B7DD4 MOV EDI,[EBP-2C]
    017F:100954AB 8BD1 MOV EDX,ECX
    017F:100954AD C1E902 SHR ECX,02
    017F:100954B0 F3AB REPZ STOSD
    017F:100954B2 8BCA MOV ECX,EDX
    017F:100954B4 83E103 AND ECX,03
    017F:100954B7 F3AA REPZ STOSB
    017F:100954B9 8B45D4 MOV EAX,[EBP-2C]
    017F:100954BC 50 PUSH EAX
    017F:100954BD 6A00 PUSH 00
    017F:100954BF 8B0D84850B10 MOV ECX,[100B8584]
    017F:100954C5 51 PUSH ECX
    017F:100954C6 FF1590700910 CALL [KERNEL32!HeapFree]
    017F:100954CC C745F400000000 MOV DWORD PTR [EBP-0C],00000000
    017F:100954D3 EB09 JMP 100954DE
    017F:100954D5 8B55F4 MOV EDX,[EBP-0C]
    017F:100954D8 83C201 ADD EDX,01
    017F:100954DB 8955F4 MOV [EBP-0C],EDX
    017F:100954DE 8B45F4 MOV EAX,[EBP-0C]
    017F:100954E1 3B4514 CMP EAX,[EBP+14]
    017F:100954E4 735A JAE 10095540
    017F:100954E6 8B4DF4 MOV ECX,[EBP-0C]
    017F:100954E9 C1E903 SHR ECX,03
    017F:100954EC 8B55F8 MOV EDX,[EBP-08]
    017F:100954EF A110460C10 MOV EAX,[100C4610]
    017F:100954F4 8B1490 MOV EDX,[EDX*4+EAX]
    017F:100954F7 33C0 XOR EAX,EAX
    017F:100954F9 8A040A MOV AL,[ECX+EDX]
    017F:100954FC 8B4DF4 MOV ECX,[EBP-0C]
    017F:100954FF 83E107 AND ECX,07
    017F:10095502 BA01000000 MOV EDX,00000001
    017F:10095507 D3E2 SHL EDX,CL
    017F:10095509 23C2 AND EAX,EDX
    017F:1009550B 85C0 TEST EAX,EAX
    017F:1009550D 752F JNZ 1009553E << NOP this call, you get original I.T.
    017F:1009550F 8B45F8 MOV EAX,[EBP-08]
    017F:10095512 69C08D000000 IMUL EAX,EAX,0000008D
    017F:10095518 8B0D14460C10 MOV ECX,[100C4614]
    017F:1009551E 8B54014C MOV EDX,[EAX+ECX+4C]
    017F:10095522 8B45F4 MOV EAX,[EBP-0C]
    017F:10095525 8B0C82 MOV ECX,[EAX*4+EDX]
    017F:10095528 51 PUSH ECX
    017F:10095529 8B55F8 MOV EDX,[EBP-08]
    017F:1009552C 52 PUSH EDX
    017F:1009552D E8FE000000 CALL 10095630
    017F:10095532 83C408 ADD ESP,08
    017F:10095535 8B4DF4 MOV ECX,[EBP-0C]
    017F:10095538 8B5518 MOV EDX,[EBP+18]
    017F:1009553B 89048A MOV [ECX*4+EDX],EAX <<< here, SD2 overwrite datas in temp buffer by original ones.
    ==> 1009553E EB95 JMP 100954D5
    017F:10095540 EB07 JMP 10095549

    thanx.
    ))

    blak.
