[HN Gopher] Breaking SecuROM 7 - A Dissection
___________________________________________________________________
Breaking SecuROM 7 - A Dissection
Author : davikr
Score : 100 points
Date : 2024-01-28 15:03 UTC (7 hours ago)
(HTM) web link (lostfilearchives.github.io)
(TXT) w3m dump (lostfilearchives.github.io)
| farmdve wrote:
| Ah yes, right up my alley. Sort of. I spent many months reverse
| engineering a SC8 executable for fun, yep purely for fun. 10
| years ago now.
|
| I have more experience with SecuROM 8. Did you guys know there is
| a hidden flag that is parsed on executable running that
| initializes a separate application which generates a file you can
| send to the authors of SecuROM that holds the version of SecuROM
| and quite a lot of other details?
|
| Opaque predicates, VM, simple code integrity checks (int 3), xchg
| used as control flow obfuscation? It was all there. It took me a
| while to get the program running under a debugger. Once I did
| there were a bunch of threads running which would detect
| tampering or pausing of the threads and kill the process. After
| suspending those I could do whatever I want.
|
| The DRM used a lot of control flow methods, especially hardware
| breakpoints and UD2 instruction.
|
| At the time of Unicorn engine's popularity I made a custom plugin
| to emulate the zlib code embedded inside to search for hidden API
| calls, unfortunately due to the way QEMU emitted some
| instructions for the helpers some instruction hooks were called a
| few times more, e.g. those with a rep prefix, severely skewing
| instruction counting.
|
| Anyway, VM hunting was difficult. The VM had quite a few
| single-threaded VM contexts so it could run a lot of programs. From
| then on it was a matter of reverse engineering the opcodes. At the
| time I used Olly to trace and log the instruction handlers and
| opcodes and then using Notepad++ magic I could clean it up from
| the control flow in a single coherent picture.
|
| Honestly I've forgotten most of it now.
|
| But a few years ago I did write my own Control flow graph
| generator in Java just to find the 20 or 30 thousand code
| integrity checks and trace them statically and then was going to
| use it on the VM.
|
| The most unusual thing is, I often communicated with one of the
| devs of SecuROM on IRC, of course I did not ask him anything nor
| did he reveal anything, that is of course illegal. I remember
| asking him about the little "Cut my life into pieces" tidbit he
| left just after VMEnter.
|
| Needless to say it is thanks to SecuROM that I gained an interest
| in RE. Yes, I was a novice and dived deep down into a commercial
| DRM. Thanks to it I learned a lot, and it is helping me even today;
| yep, as I type this I am working on a SH2 architecture firmware.
|
| But back in the day SecuROM inspired me to write this little ugly
| thing https://github.com/farmdve/TextVM
| markus_zhang wrote:
| Thanks for sharing. I'm not a student of the RE art so just
| curious about what you just said -- by saying VM did you mean
| the whole SC8 is running some core code inside a VM (of course
| within the same executable)? I assume that the intermediate
| code is definitely not public so people like you have to RE all
| that stuff too?
| farmdve wrote:
| It's called an Obfuscation Virtual Machine running custom
| opcodes. These opcodes were decoded in a special way and a
| single x86 instruction like
|
| mov imm, reg
|
| would get translated in 20-30 instructions most of them junk,
| but they were not laid out contiguously, you would execute
| one junk instruction and then return to the dispatcher to get
| to the next one, if I remember correctly. This made the VM
| and tracing dog slow. Additionally it used a small 256- or
| 1024-byte scratch buffer for the virtual registers that held
| data. I've forgotten now how it was exactly.
|
| The entire VM used only jmp instructions, which was how you
| would spot it.
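A constructed toy of the dispatcher-style obfuscation VM farmdve describes, added here as an illustration (it is not SecuROM's code and not from the original thread): virtual registers live in a scratch buffer, opcodes are XOR-decoded with a rolling key, and one native `mov imm, reg` is spread over several micro-handlers and junk steps, each of which returns to the dispatcher before the next one runs. The opcode set, key schedule and buffer layout are all assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Toy dispatcher-based obfuscation VM (constructed illustration, not SecuROM's code):
 * scratch buffer holds virtual registers, opcodes are XOR-decoded with a rolling key. */
enum { NUM_VREGS = 4, TMP_OFF = 128 };
enum { OP_LOAD_TMP, OP_XOR_TMP, OP_STORE_VREG, OP_JUNK, OP_HALT };

typedef struct { uint8_t scratch[256]; const uint8_t *pc; uint8_t key; } vm_ctx;

static uint32_t *slot(vm_ctx *vm, unsigned off) { return (uint32_t *)(vm->scratch + off); }
static uint32_t fetch32(vm_ctx *vm) { uint32_t v; memcpy(&v, vm->pc, 4); vm->pc += 4; return v; }

/* One native "mov imm, reg" is spread over several of these micro-handlers plus junk. */
static void h_load_tmp(vm_ctx *vm)  { *slot(vm, TMP_OFF) = fetch32(vm); }
static void h_xor_tmp(vm_ctx *vm)   { *slot(vm, TMP_OFF) ^= fetch32(vm); }
static void h_store(vm_ctx *vm)     { unsigned r = *vm->pc++ % NUM_VREGS; *slot(vm, 4 * r) = *slot(vm, TMP_OFF); }
static void h_junk(vm_ctx *vm)      { vm->scratch[250] += *vm->pc++; }  /* filler, no semantic effect */

static void (*const handlers[])(vm_ctx *) = { h_load_tmp, h_xor_tmp, h_store, h_junk };
static uint8_t next_key(uint8_t k) { return (uint8_t)(k * 31 + 7); }

/* Dispatcher loop: decode one opcode, run one handler, come back. Returns handler count, -1 on bad opcode. */
static int vm_run(vm_ctx *vm) {
    int steps = 0;
    for (;;) {
        uint8_t op = *vm->pc++ ^ vm->key;
        vm->key = next_key(vm->key);           /* key evolves per opcode, like a rolling decoder */
        if (op == OP_HALT) return steps;
        if (op > OP_JUNK) return -1;
        handlers[op](vm);
        steps++;
    }
}

/* Encoder side: emit an opcode encrypted under the same rolling key schedule. */
static void emit_op(uint8_t **out, uint8_t *key, uint8_t op) { *(*out)++ = op ^ *key; *key = next_key(*key); }
static void emit32(uint8_t **out, uint32_t v) { memcpy(*out, &v, 4); *out += 4; }

/* Lower "mov 0xDEADBEEF, VR1" into a split, junk-padded chain; run it; return VR1's final value. */
uint32_t demo_mov_imm_reg(int *steps_out) {
    uint8_t code[32], *p = code, key = 0x5A;
    emit_op(&p, &key, OP_LOAD_TMP);   emit32(&p, 0x12345678u);                /* load a decoy value */
    emit_op(&p, &key, OP_JUNK);       *p++ = 0x11;
    emit_op(&p, &key, OP_XOR_TMP);    emit32(&p, 0x12345678u ^ 0xDEADBEEFu);  /* fix it up to the real imm */
    emit_op(&p, &key, OP_JUNK);       *p++ = 0x22;
    emit_op(&p, &key, OP_STORE_VREG); *p++ = 1;                               /* commit to VR1 */
    emit_op(&p, &key, OP_HALT);
    vm_ctx vm; memset(&vm, 0, sizeof vm); vm.pc = code; vm.key = 0x5A;
    *steps_out = vm_run(&vm);
    return *slot(&vm, 4 * 1);
}
```

Tracing this in a debugger shows the same pattern the comment describes: five handler entries and five returns to the dispatcher for what is a single native instruction.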
| renegat0x0 wrote:
| It is a nice hollow shell of a page. Some links are already dead.
| Mentions of forums lead to nowhere. Tools were discontinued in
| 2014. Funny how things move, and some parts become history and
| myths.
| userbinator wrote:
| web.archive.org is extremely useful for digging back into
| history.
| nekitamo wrote:
| I'm glad someone preserved these tutorials. I was focused on
| cracking Safedisc games at the time, and even wrote some
| Safedisc/Safecast tutorials myself. I never had the skills to
| crack Securom though, respect to Human and Deroko and the others
| on the ARTeam forums at the time.
|
| Also iirc after this tutorial deroko wrote another one on
| breaking the Securom VM obfuscation. It was great work, one of
| the first public tutorials at the time on breaking such
| obfuscation. I wonder if it's also been archived.
|
| Finally, it should be noted that Securom is a predecessor to
| Denuvo. I remember debugging early versions of Denuvo and being
| struck by how similar they are. I wonder how much of the code and
| techniques are in common between the two, especially now in 2024.
|
| The old reversing scene has changed. I guess everyone grew up and
| got families and jobs. But when I see what the kids are up to in
| the multiplayer cheating forums, I see the spirit is still alive
| and well. Cheers and happy debugging.
| jsheard wrote:
| The cracking scene seems to be split between two extremes
| nowadays. On one end, most new games are just using the basic
| Steam or Epic DRM, which are trivially defeated with open
| source wrappers, so making a pirate release is mostly just
| boring acquisition and packaging work that basically anyone can
| do. The other extreme is Denuvo protected games, which are so
| tedious to crack that there's almost no overlap between people
| with the skills to do it and those with the time and patience
| to do it.
| punkybr3wster wrote:
| And seemingly the few that are willing are somewhat insane. I
| know it takes a special type but wowzers.
| jsheard wrote:
| Shout-out to that one guy who has figured out Denuvo but
| only appears once a year to crack the latest Football
| Manager game, refuses to elaborate, and leaves until the
| next Football Manager game comes out. They know what they
| like, and it's Football Manager, exclusively.
| z8 wrote:
| Unfortunately MKDEV announced their retirement last year.
| FIFA 23 was their last release.
| lpcvoid wrote:
| If you're referring to EMPRESS, I still don't know if they
| are just being edgy or truly insane.
| jsheard wrote:
| Are there any public breakdowns of techniques used by Denuvo?
| That's still proving to be a PITA for cracking groups to deal
| with.
| jasondoty wrote:
| Bulgarian cracker Voksi, also alleged to be the man behind
| Empress, made a video for V4 https://youtu.be/suABtb8_2Zk
| atVelocet wrote:
| There was a strange situation when SecuROM came onto the scene:
| The first patch for most games had no SecuROM at all and so it
| was just patching the usual CD checks.
| cf1241290841 wrote:
| If you are going down a DRM search trip, both Widevine key
| dumping and DMCA compliant HDMI / HDCP downgrade hardware are
| quite interesting topics.
| mschuster91 wrote:
| > From what I can see the flag at [EAX+4] is somehow switched on
| when debugged.
|
| I wonder if a look into the leaked Windows kernel source code
| files (I _think_ the most current dump is still old Win2k?) could
| help out to decipher what these two RESERVED flags are used for?
|
| PEB_LDR_DATA still has them named as RESERVED1/2 [1].
|
| [1] https://learn.microsoft.com/de-de/windows/win32/api/winternl...
___________________________________________________________________
(page generated 2024-01-28 23:00 UTC)