Subversion 41


No this is post will not be about SVN (a software versioning).
We will just see a litlle difference in the subversion 41 of safedisc 1.
I invite you to read this post about version 1, before reading this.

Anti debug

It is the same stuff than before, you have to use EBFE tricks too.
This part is exactly the same than the previous post.

Call redirection

Each call to Kernel32 or User32 api, are done through dplayerx.dll as usual :

013E5BD5    68 6712EABF     PUSH BFEA1267
013E5BDA    9C              PUSHFD
013E5BDB    60              PUSHAD
013E5BDC    54              PUSH ESP
013E5BDD    68 1B000000     PUSH 1B
013E5BE2    68 00000000     PUSH 0
013E5BE7    FF15 F75B3E01   CALL DWORD PTR DS:[13E5BF7]                 ; dplayerx.00E75310
013E5BED    83C4 0C         ADD ESP,0C
013E5BF0    6A 00           PUSH 0
013E5BF2    58              POP EAX
013E5BF3    61              POPAD
013E5BF4    9D              POPFD
013E5BF5    C3              RET

But in this revision for each api you will have to push a predefined value (random?) like 0xBFEA1267 in this example.
We can see the number of the api to call, and 0 or 1 for kernel32 or user32.
But ! after the call, we haven't got a jmp dword for jumping to the resolved address api
Because now the routine dplayerx.00E75310, will GetProcAddress() and then ret to this address, code at 0x013E5BED will never be executed.
So we must fix the previous code for fixing the iat :

013E36C5    33DB            XOR EBX,EBX
013E36C7    BA 50F04C00     MOV EDX,OFFSET SC3U.__imp__GetStartupInfoA@4 ; MOV EDX,4CF050 start rdata kernel32 redirection
013E36CC    8B02            MOV EAX,DWORD PTR DS:[EDX]
013E36CE    8B40 01         MOV EAX,DWORD PTR DS:[EAX+1]	; Retrive the (random) value
013E36D1    50              PUSH EAX
013E36D2    9C              PUSHFD
013E36D3    60              PUSHAD
013E36D4    54              PUSH ESP
013E36D5    6A 10           PUSH EBX			; Numero api
013E36D7    6A 00           PUSH 0				; 0 (Kernel32)
013E36D9    FF15 AB363E01   CALL DWORD PTR DS:[13E36AB]     ; dplayerx.00E35310
013E36DF    8B4424 14       MOV EAX,DWORD PTR SS:[ESP+14]	; Addr of api
013E36E3    A3 F0BF4F00     MOV DWORD PTR DS:[4FBFF0],EAX	; Save it
013E36E8    61              POPAD
013E36E9    9D              POPFD
013E36EA    A1 F0BF4F00     MOV EAX,DWORD PTR DS:[4FBFF0]
013E36EF    8902            MOV DWORD PTR DS:[EDX],EAX	; Fix
013E36F1    43              INC EBX	      			; Next api
013E36F2    83FB 50         CMP EBX,50			; No more api ?
013E36F5    74 06           JE SHORT 013E36FD
013E36F7    83C2 04         ADD EDX,4
013E36FA  ^ EB D0           JMP SHORT 013E36CC
013E36FA    CC              INT3

Don't forget to set full access(write) to your rdata section.
And now let's patch in dplayerx.dll :

00E33B13    8B65 0C         MOV ESP,DWORD PTR SS:[EBP+C]
00E33B16    61              POPAD
00E33B17    9D              POPFD
00E33B18    C3              RET

We will nop the popad and popfd instruction and replace ret by a jmp to our code (just after call instruction) :

00E33B13    8B65 0C         MOV ESP,DWORD PTR SS:[EBP+C]
00E33B16    90              NOP
00E33B17    90              NOP
00E33B18  - E9 C2FB5A00     JMP 013E36DF

Now set new origin, run it,then do the same thing with user32 api, change edx start value,push 0 by push 1, and 50 by 29. Now you can dump fix the iat with ImportRec and enjoy your game :]


This post is not very important but just to see a little difference, and how to fix it.
Btw today is Saturday, girlz go shopping for new shoes, guyz buy their alcohol for saturday night party, and me I wrote a list of fun (protection) games and buy some of them :


I just need time for beeing able to publish my research about this new stuff.