
Thread: SD2 - Why God ?

  1. #16
    [yAtEs] (Reversing Since '98 \o/), joined Feb 2002, 97 posts, 2 blog entries
    >A tiny little victory for me this time .... better than nothing....
    >I've finally succeeded in getting a good I.T. thanks to SD2 itself (good guy !)...

    super (:

    >I put so much BPM between original ciphered data
    BPMTASTIC! (;

    >Well, I still can't understand when and how the sourcecode is modified so that different CALLs use only one I.T. vector.... was it before ciphering or is it done 'on the fly' by SD2 ??? Please, help !, I'm dying !...

    hmm ahh (:, have you looked at that proc below any more?
    look at some of the dword data refs, maybe there's a kinda
    funky lookup table q:

    >you can see below my little victory to get a good (but not working) I.T.

    yup yup, that's it!


    yates.

  2. #17
    ThrawN
    Guest
    Is anything interesting changed from 2.5 to 2.6?
    I've only got 2.5 as the newest and that's only on loan

    I work on 2.5 in olly in 2k mostly and that's very exciting but actually surprisingly satisfying and rather easy to reverse.
    Unciphering isn't the hard bit. For me IT fixing is a pain
    TEA isn't very complicated or long for that matter.

    ThrawN

  3. #18
    [yAtEs]
    >Is anything interesting changed from 2.5 to 2.6?
    >I've only got 2.5 as the newest and that's only on loan

    yup, in 2.6 there's a range (3 or 4) of new types of code protecting
    using at the first glance a complex rva hashing system.
    you wouldn't notice it until you fixed all the I.T though (:

    yates.

  4. #19
    blackos
    Guest


    Hi [yATEs] !....

    This time, I'm so close to giving up...


    I've read all your advice and tried to understand ... but in vain...
    No results anymore, I'm pretty scared...
    I know that SD2 manipulates the target's compiled code before creating its new I.T., so it replaces some calls by its own vectors. But I can't find WHERE .... I put of course many BPM RW all around ... of course on interesting offsets, and it led me nowhere. There are so many complicated manipulations.
    I suppose (I said *SUPPOSE*, I'm not sure) that SD2 creates a third buffer containing data that will be XORed with "sensible" specific data in the 4096-byte temporary buffer, so that for specific offsets, 'on the fly' modifying will be done during unciphering time (I've noticed that 'sensible' offsets are accessed only *1 time* in the 4096-byte temp. buffer, so replacements are probably made in '1 time' instead of '1 time + later modifications').
    BUT .... there's such a huge amount of data to try to understand that I think I'll need an "E.T. maxi-ultra-special brain" and amphetamines to understand.
    You surely know that an "E.T. maxi-ultra-special brain" is pretty hard to find nowadays and very expensive. So, will you be kind enough to give me help one more time ? (I don't have enough money to buy this new terrible brain....)


    Yeah, hope to seeya soon !...

    thanx
    blak.

  5. #20
    [yAtEs]

    dont panic

    don't panic, u don't need a maxi-ultra-special brain, just have a rethink.

    >I know that SD2 manipulates target's compilated code before creating its new I.T., so, it replaces some calls by its own vectors. But I can't find WHERE

    hmm well that doesn't sound right, searching for where it changes the calls? that's done when the sdk is applied, all you need do is
    decrypt the whole I.T and change the calls to point to the correct functions, and as you know the calling address affects what api is called, so with a few ripped functions, a decrypted i.t and a list of va's you can fix it all up. (:

    yates.

  6. #21
    blackos
    Guest


    Hello yATEs !....
    yep, yep ... no need for an overboosted E.T. brain ? What a pity, it could be pretty fun to walk down the streets with a huge green head on our shoulders


    So ... I searched for a non-existing routine... bad move....
    But, in fact, with the good IT and the offset of the caller, one could probably rebuild a working thing.
    *BUT*
    To do so, one absolutely needs to hook the SD2 routine which calculates the real API call. That is not a big deal, but the program MUST RUN entirely in order to 'rebuild' our self-made hooked routines by using APIs.

    Am I right ?
    What about this : my application can't execute properly because of missing files. These files are important to run. The only thing my target does is a messagebox with 'xxxxx file cannot be found, so I'm gonna quit'. This isn't enough to fix every call because these calls will never be executed.
    Am I absolutely stuck ?

    But even if I succeed in forcing the program to run (in fact, it will not work without any sound or graphic files...), I suppose you'll agree with me if I say there's a bunch of different ways to call a function.

    For example,

    CALL [offset]

    or

    MOV EDX, dword ptr [offset]
    CALL EDX

    will not result in the same compiled code, of course. Then, fixing back these calls with the good value of 'offset' could be a bit tricky, couldn't it ?

    Well, I'm gonna code this little stuff and I'll see. But the whole thing isn't done yet, because there's still one funny part to reverse (redirected functions to the last 2 sections).... let's get a closer look ...

    : ))

    By the way, thanks once again [yAtEs], you're the only guy to have taken a few minutes to help me on this funny subject.

    seeya.

    blaK.

  7. #22
    [yAtEs]
    >So ... I searched for a non-existing routine... bad move....
    hah, /me chuckles (:

    >But, in fact, with the good IT and the offset of the caller, one could probably rebuild a working thing.
    yup yup

    >To do so, one absolutely needs to hook the SD2 routine which calculates the real API call.
    >Am I right ?

    yup if u wanna do it the hard way i guess so, no need to make
    things so complex, perhaps it's a small routine you can rip from ida, perhaps you could rewrite it yourself if you really knew how it all worked (; heh im such a tease eh?

    >What about this : my application can't execute properly because of missing files. These files are important to run. The only thing my target does is a messagebox with 'xxxxx file cannot be found, so I'm gonna quit'. This isn't enough to fix every call because these calls will never be executed.

    if you can run up to the entrypoint, then just R EIP <type of call offset> and debug from there

    >Am I absolutely stuck ?

    nope

    >I suppose you'll agree with me if I say there's a bunch of different ways to call a function.

    indeed, this is just one slice of the big tasty safedisc pie, heh.
    don't eat it all at once!

    >will not result in the same compiled code, of course. Then, fixing back these calls with the good value of 'offset' could be a bit tricky, couldn't it ?

    nah, concentrate on one thing at a time and it'll come easy [:

    >By the way, thanks once again [yAtEs], you're the only guy to have taken a few minutes to help me on this funny subject.

    ur welcome.

    yates.
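    The import-fixing step the two posts above go back and forth about (the `CALL [offset]` versus `MOV EDX,[offset]; CALL EDX` encodings, and rewriting each call to point at the right I.T. entry) as an added worked example. This is not code from the thread or from any real tool; the code bytes, the redirection map (`VECTOR_TO_SLOT`) and the IAT names are constructed sample values, and the scan is a plain byte-pattern walk, so a real unpacker would drive it from a disassembly instead.

```python
import struct

# Constructed sample, not from the thread: a protector-style redirection map
# (redirected slot the call currently references -> the genuine IAT slot)
# and the names behind the genuine slots.
VECTOR_TO_SLOT = {0x00480010: 0x00405000, 0x00480014: 0x00405004}
IAT_NAMES = {0x00405000: "kernel32!CreateFileA", 0x00405004: "kernel32!ReadFile"}

def find_indirect_calls(code, base):
    """Linear scan for the two call shapes discussed in the thread (x86-32):
       FF 15 imm32          -> call dword ptr [imm32]
       8B 15 imm32 FF D2    -> mov edx, dword ptr [imm32]; call edx
    Returns (va, form, offset_of_disp32, slot). A byte scan can match these
    patterns inside other instructions; a real tool should walk a disassembly."""
    hits, i = [], 0
    while i < len(code):
        if code[i:i + 2] == b"\xff\x15" and i + 6 <= len(code):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((base + i, "call [mem]", i + 2, slot))
            i += 6
        elif code[i:i + 2] == b"\x8b\x15" and code[i + 6:i + 8] == b"\xff\xd2":
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((base + i, "mov edx,[mem]; call edx", i + 2, slot))
            i += 8
        else:
            i += 1
    return hits

def fix_calls(code, base, vector_to_slot, iat_names):
    """Rewrite each redirected displacement to the genuine IAT slot.
    Both encodings carry the slot as a 32-bit displacement, so one 4-byte
    patch at the recorded offset serves either form. Returns (patched, log)."""
    patched, log = bytearray(code), []
    for va, form, off, slot in find_indirect_calls(code, base):
        real = vector_to_slot.get(slot)
        if real is None:                       # leave unknown targets untouched
            log.append((va, form, "unresolved %#010x" % slot))
            continue
        struct.pack_into("<I", patched, off, real)
        log.append((va, form, iat_names.get(real, "unknown")))
    return bytes(patched), log

# Constructed code fragment: both call forms referencing redirected slots.
SAMPLE = bytes.fromhex(
    "55 8B EC"                  # push ebp; mov ebp, esp
    "FF 15 10 00 48 00"         # call dword ptr [0x00480010]       (redirected)
    "8B 15 14 00 48 00 FF D2"   # mov edx, [0x00480014]; call edx   (redirected)
    "5D C3"                     # pop ebp; ret
)
```

    Running `fix_calls(SAMPLE, 0x401000, VECTOR_TO_SLOT, IAT_NAMES)` leaves the prologue and epilogue bytes alone and rewrites only the two displacements, logging which import each call now reaches.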

  8. #23
    blackos
    Guest
    Eh eh ... Yates, stay tuned, I'm working on it, but I actually have less time to try to defeat it ... some news in a few days.

    )

    blak.
