Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-02-2004, 20:34
jonwil jonwil is offline
VIP
 
Join Date: Feb 2004
Posts: 387
Rept. Given: 2
Rept. Rcvd 21 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 65 Times in 34 Posts
jonwil Reputation: 21
Securom protection

Does anyone have any info on the latest Securom protection?
I have a game protected with it (Rollercoaster Tycoon 3).
My interest is not in cracking the CD protection (I already have a no-cd crack for the game) but in reverse engineering the target to figure out stuff (such as the formats of the data files used by the game)

The game (or the no-cd crack version of it anyway) contains the following segments: (in order)
.text (appears to be valid code)
.idata (appears to be a normal import table)
.rdata (appears to be the usual read-only data like class vtables)
.data (appears to be valid data, strings etc)
.rdklft (seems to contain more code, small fragments mainly including a small code fragement which SoftIce tells me is where the CreateFile call that opens the data file I am interested in is located)
.wpdf (contains data including some strings)
.idata (yes, IDA says there is a second segment called idata, doesnt look like an import table to me though)

It may well be that the .rdklft and .wpdf segments contain some kind of "runtime library" (securom related, connected with some other obfusication or just that way for programming convenience or whatever I dont know) which deals with making API calls and is then called by the main game code in the .text, .rdata and .data segments.

If anyone can give me info/provide links to info about Securom or about anything you can identify from the info I give about (e.g. what the .rdklft segment is for), that would be great.

Connected to this wierd protection/exe is references to a mvvcrt.sys and a mvvcrt.vxd inside the exe file.

I dont see those files as existing anywhere so they may be dynamically created at runtime somehow.
Reply With Quote
  #2  
Old 11-03-2004, 08:08
doug
 
Posts: n/a
.rdklft (aka .cms_t) Securom Code
.wpdf (aka .cms_d) Securom Data
.idata Securom's Import Table
everything else is part of the game.

If you are working on something that's already been cracked and you still see code getting executed in .cms_t, then it's either
- api triggers: fade-kind of checks
- code splitter: code blocks from .text that were moved into gaps in .cms_t

either way you don't have to worry about it too much... just find where it leads back in .text.
Reply With Quote
  #3  
Old 11-03-2004, 10:06
jonwil jonwil is offline
VIP
 
Join Date: Feb 2004
Posts: 387
Rept. Given: 2
Rept. Rcvd 21 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 65 Times in 34 Posts
jonwil Reputation: 21
Well what I am seeing is that when I open SoftIce and do bpx CreateFile and wait for the file I care about, I end up somewhere in .rdklft, a function specifically for calling CreateFile with various parameters.
I suspect I just need to keep tracing back into the game code to see what it does with the value in EAX (the file handle) then play from there
Reply With Quote
  #4  
Old 11-03-2004, 12:09
jonwil jonwil is offline
VIP
 
Join Date: Feb 2004
Posts: 387
Rept. Given: 2
Rept. Rcvd 21 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 65 Times in 34 Posts
jonwil Reputation: 21
ok, 2 other things:
1.I can see what appear to be embedded PE files inside the main exe file (packed with PETITE it looks like). Are these connected with the securom protection? (some of them look like device drivers because they call ntoskrnl.exe)

Is there a program out there that can "rip" these PE files from inside the binary so I can see what it looks like?

Also, I have both origonal and cracked exes for one version of this game.
I also have a non-cracked exe for another version of this same game.
Is cracing this new version hard or easy? (i.e. is it worth trying myself or should I just wait for some crack group to do it?)
Reply With Quote
  #5  
Old 11-03-2004, 15:39
tr1stan
 
Posts: n/a
>1.I can see what appear to be embedded PE files inside the main exe >file (packed with PETITE it looks like). Are these connected with the >securom protection? (some of them look like device drivers because >they call ntoskrnl.exe)
Securom uses device drivers for checking the cd. In the early days of
Securom these drivers were patched to crack the protection so they packed them and doing CRC calculation on them...

>Is there a program out there that can "rip" these PE files from inside >the binary so I can see what it looks like?
Haven't seen anything like this...but should be too hard coding it yourself.

>I also have a non-cracked exe for another version of this same game.
>Is cracing this new version hard or easy? (i.e. is it worth trying >myself or should I just wait for some crack group to do it?)
Depends on your skills
I think Securom is the easiest cd game protections out there, but
if the game is protected with triggers you have to spend some time
to find all of them which is only time consuming but not hard...
The rest isn't very hard if you compare it with Safedisc or ProtectCD, so no illegal opcodes or p-code...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SecuROM & StarForce hepL3r General Discussion 11 02-21-2011 00:42
Securom 7.x and CreateProcessA Human General Discussion 2 02-26-2007 21:11
New Securom... info about loman General Discussion 1 02-16-2004 09:49


All times are GMT +8. The time now is 19:56.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2023 )