C-Dilla Safedisc
Another comercial Protection defeated
protec
protecting better
18 July 1999
by Black Check
advanced
Advanced cracking
Courtesy of Reverser's page of reverse engineering
slightly edited
by reverser+
fra_00xx
980718
Black Check
0010
AD
CD
First of all, I must say that Frog has really left some deep prints behind :-)
Then again look at the following snippet: "Well the game now runs fine with SICE loaded. Let's get to the annoying part... " When I find something like this in an essay I "feel" I will enjoy it.
And you will too, dear readers... enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner ( )Intermediate (X)Advanced ( )Expert

"The SAFEDISC technology is comprised of three key features: 

(1) an authenticating digital signature 
(2) encryption that protects the content and 
(3) anti-hacking software.  

During premastering,  the content is encrypted and carries with it
authentication instructions.  A unique SAFEDISC digital signature
issubsequently added to the title during mastering.  When a user plays an
original disc,  the authentication software reads the digital signature
allowing the program to be decrypted and to play normally. 
SAFEDISC also includes anti-hacking technology that prevents the 
compromise of its security features.  The anti-hacking technology 
is designed to not only deter casual copying,  but also to provide 
strong resistance to DESTRUCTIVE hackers and commercial pirates. "

From the Safedisc homepage (http://www.macrovision.com/scp.html): 

Hhmm... let's be DESTRUCTIVE. 

C-Dilla Safedisc
Another comercial protection defeated
Written by Black Check


Introduction

As you probably know Safedisc is another comercial protection by C-Dilla. Protected 
CDs always have the files Clokspl. exe and Dplayerx. dll in the root. Our target is 
Midtown Madness[German]. There is a Generic Crack by Pedro [Laxity], but i don't like 
inserting CDs in my drive just for playing a game :-)
 
The executables consist of two parts. One is just the loader (Midtown. exe) and then 
there is always a *.icd file that contains the encrypted original exe. When the game 
is run the loader decrypts itself and the game Exe using a key on the CD. What we have 
to do is to dump the decrypted exe to disc and fix it.  


Tools required
-Microsnot Midtown Madness Orginal CD  (a 1:1 Copy and the Laxity Crack should do it too)
-Softice for W9x
-Procdump 1.4 		
-Adump    
-Frogsice 0.14        ->   www. thepentagon. com/frog_s_print
-W32Dasm
-knowledge of the PE format
-some time, nerves and a brain
  


Essay
++++++++++++++++++ C-Dilla 'Safe'disc Essay by -Black Check- ++++++++++++++++++++++



######################################
1. Eliminating the Anti Softice Code #
######################################


SafeDisc uses two well known SICE detection methods. The first one 
is known as 'MeltIce' and has been released by David Eriksson. It
just calls CreateFileA with the SICE Drivers

"\\.\SICE"
"\\.\SIWVID"
"\\.\NTICE" (not important in this case)

First i passed this with a Softice Macro:

macro NOSICE ="d @(esp+4);e @(esp+4) 0;x;"

then

bpx CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do "nosice"

This works fine, but it's too slow. This crap is called 
about a hundred times! Another disadvantage is that you 
can't set Breakpoints on CreateFileA anymore. If anyone knows better
please mail. 

The solution is much more simple. Just open Midtown. exe and 
search for 'ss' (ASCII) you'll find something like that:

\.ss
\.ss
\.ss

Just change 'ss' to 'xx' or whatever. You have to do this with
'DplayerX. dll', too. The CreateFile Checks are now out, but if
you run the game with SICE loaded it just crashes. Seems like
there is another check. I played around with bpint 2f, 41 etc
but nothing. It uses int 68:

425205:  xor eax, eax
425207:  mov ax, 4300
42520b:  int 68
42520d:  mov [ebp-9c], eax
425213:  cmp eax, 4300
425218:  jz blablabla... 

Don't try to patch this. There's a tool around called
Frogsice. Once you load it you get a blue screen everytime 
it detects Anti Sice ints. Frogsice has an option to fool 
the programm but this won't work because int 68 
returns 0x4300 in eax when SICE is not loaded. 
Frogsice returns 0x0000 , so we'll have to 
patch Frogsice... 

-Open FrogSice. vxd
-search for 60 80 7d 1d 43
-change the first byte to c3 (ret)

Frogsice will now handle all calls to int 68 correctly
without popping up all the time :-)

Well the game now runs fine with SICE loaded. Let's get to the
annoying part:


########################################
2. Rebuilding the Encrypted Executable #
########################################
   
The enycrypted EXE contains the following objects:

   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 0018D800 Flags: 60000020
   Object02: .rdata   RVA: 0018F000 Offset: 0018DC00 Size: 00014E00 Flags: 40000040
   Object03: .data    RVA: 001A4000 Offset: 001A2A00 Size: 00030000 Flags: C0000040
   Object04: .data1   RVA: 00314000 Offset: 001D2A00 Size: 00000200 Flags: C0000040
   Object05: .rsrc    RVA: 00315000 Offset: 001D2C00 Size: 00000E00 Flags: 40000040

   .text       -> encrypted
   .rdata      -> contains the Import Data. Invalid since it 
                  only points to Safedisc routines
   .data       -> encrypted
   .data1      -> encrypted
   .rsrc       -> not encrypted (very honest... )  


2.1 Dumping the .text section
------------------------------

IMPORTANT!
Be sure to replace that damn Microsoft Avi file, you will
see it some times...  :-)

Run the game. Don't forget to load Frogsice and 
wait until you get to the main menu. Now minimize it
and run ProcDump. Dump the whole process (Midtown. icd)
with standard options. HexEdit your dump and copy the .text section
to another file. If you don't know how to do this, stop reading and
get some info on the PE File format. You can get the Object Infomation 
by disassembling Midtown. icd since the PE header isn't crypted. 
Note that the Raw Offsets of the sections aren't the same in the dump. 
They're moved by 0x200 bytes. In our dump of Midtown. icd the . code 
section begins at 0x600 NOT at 0x400 !!! 

2.2 Dumping the .data sections
--------------------------------

As you can guess the .data sections are modified when
the game runs. So we need them in an 'untouched' state. 
Set a bpx on the Programm Entrypoint of midtown. icd.  (not midtown. exe!)
You can get it out of the PE Header, or with W32Dasm. 
You have to be sure that you're in midtown. icd when setting it. 
Press Ctrl-D while the avi plays. Make sure that the process string 
on the bottom right is MIDTOWN. Now set your bpx (566c10). Run the game 
again and wait until Softice pops up. Now halt the Programm by assembling 
'EB FE' to current EIP. It should look like this:

566C10: EB FE      jmp 566c10


Now press F5 and dump the whole process with standard options
again. Copy the .data and .data1 sections to another file. Remember
the 0x200 bytes. You can kill the tasks now with Procdump. 

Now make a copy of Midtown. icd and call it whateverulike. exe. 
Paste your dumped sections. What about the .rdata section you're asking?
Read on and cry... 



##########################
3. A bitch called .rdata #
##########################

The .rdata section once contained addresses of the
imported dll's used by Midtown. exe. But when Safedisc
messed it up it changed them to point to Safedisc routines
that call the dll functions. Theese Safedisc routines are in 
Dplayerx. dll and depend on the correct CD Signature. Since this
crap isn't loaded in our rebuilded exe it just crashes when
it tries to call a dll. 

Run the protected exe again. Enable your breakpoint on 
the entry point and step into the first API Call. 

Call[58f14c]
 
Now you're not in GetVersion but in the Safedisc routine:

. 
. 
pushad
push 00000031               --> the number of the imported function
                            --> if this value is too large the call crashes. 

push 00000000               --> number of imported dll  
call [9b6146]               --> get the real address of the function
add esp, 8
popad
jmp[09b6140]                --> and jump there
. 
. 
. 

This code pushes the numbers of the function and the
dll and then calls a routine that returns the real address in
ECX and the wrong reference in the .rdata section in EAX. 
Debug a little till you understand. Then come back. 




As i figured out only the two first dlls are handled
this way(Kernel & User). The import data for the others is ok. 
Now you have to find out how many imported functions there are. 
You can count them in W32Dasm. (Please be smarter:). 
There are 0x106 Kernel32. dll imports. The number of User32
imports doesn't matter because we can let the programm
crash afterwards. 


Now load Adump. With the 'r' command you get the address where
you can start dumping to. For me this is 82abd000. Now start the
exe and stop at the Safedisc function. Copy the .rdata section
to Adump Start Address + 1000:
-m 58f000 l 14e00 82abe000



Set your EIP to 82abd000 and Softice-assemble this:

-a 82abd000

@1:   push ebx           ----> manually set EBX to 0 !!!!!!
      push 00000000      ----> dll number - you have to change this later !
      call [9b6146]      ----> get values into EAX and ECX
      mov  edx, 58f000    ----> this is the address of the .rdata section

@2:   cmp dword ptr[edx], eax   ;search for entry
      je @3
      inc edx
      cmp edx, 5a3dfd     -----> |    14e00h       + 58f00h        - 3 |
                                | size of .rdata  + offset rdata  - 3 |
      je  @4                   
      jmp @2
@3:   sub edx, 58f000    -----> rdata adr. 
      add edx, 82abe000  -----> Adump Start Address +1000h
      mov [edx], ecx           ;put the real Address into our new .rdata     
@4:   inc ebx
      cmp ebx, 106       -----> number of exports from Kernel32 
      jnz @1
@5:   jmp @5            -----> stop here


Explanation:
-------------

This will call the SafeDisc routine with every function number
as a parameter. The correct Address is returned in ECX. The wrong
index in the .rdata section is in EAX. Now it just searches
the .rdata in Memory for the incorrect reference and puts
the real value from ECX to the .rdata block we copied to
Adump Memory. 

The values mentioned above are correct for my version of 
Midtown Madness. If you're working on another game you must 
compute them yourself. 


Now let our little proggie run. Wait a little. If you did 
it right nothing should crash. Go back into Softice. The
cursor should be on @5. 

Now set EBX back to 0. Set EIP back to @1. And change the 
PUSH 00000000 to PUSH 00000001. Run again. The programm will
crash because we pushed a value too large in EBX. That's ok. 
We have what we wanted >:)

Now go back to Adump and write our .rdata section to disc. 
Paste it into our rebuilded exe. Start it and kiss your
screen! IT WORKS !!!!!!
 

#######################################
4.  Making it a little more compatible #
#######################################
 
Well our rebuilded exe runs fine. But it's still
not perfect. Just try running it on another Windows
9x Version. It will crash. Why?
The addresses we put in the import table are only
valid for the Windoze version we ran it on. Normally the
OS puts theese values there when the exe is loaded. Since
we put them there by hand other Win9x will crash. Let's fix
that:


-Start Procdump (i really love it!)
-go to Options
-select:

[v]Recompute Object Size
[v]Optmize PE Structure

[. ] Use actual import infos

-click on Rebuild PE
-choose our rebuilded exe

Procdump will now generate a valid import table. Our rebuild
is now perfect. Eject the ugly original CD and enjoy how
fast the game starts :))!

Ha!

You can safely delete theese 'Safe'disc-bullshit files:

00000000407. 0016
00000000407. 256
Clokspl. exe     - very nice icon... 
dplayerx. dll
Old midtown. exe
midtown. icd

2. 86 MB less crap on your drive :)




                      -Black Check-









Final Notes


#################################################################################################
    

         This crack is dedicated to Sir Gambit (Ich warte auf dich, du Arsch!)


 BIG thanx go to G-RoM,  Lorian & Stone for ProcDump, tHeRaiN for Adump, +Frog's Print
                 for FrogsICE , c0v3rt+ for pointing out the bpx problem and Numega. 

I won't excuse for my damn english. If you don't like it, don't read it!
#################################################################################################

Mail INTERESTING stuff to black_check@yahoo. de


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside reverser's page of reverse engineering, choose your way out:


redhomepageredlinks redsearch_formsred+ORCredhow to protectredacademy database
red reality crackingredhow to searchredjava-script wars
redtoolsredanonymity academy redcocktailsredantismut CGI-scriptsredmail_reverser
redIs reverse engineering legal?