SecuROM 7 on F.E.A.R., or we expected more. Author: Ra$cal

Good time of day to everyone reading. I hope everyone is familiar with the game F.E.A.R. If someone is still not in the know: a much-anticipated game, one of the few I would actually want to play. The graphics are good (my Celeron does not allow more :), the atmosphere is gripping (all the same, it is better not to play at night with the lights off and the sound on); to anyone whose machine is more capable I strongly recommend it. Now about the protection used: in the game folder there is a program named "SR7Stop.exe", and one of the strings in it refers to securom, which points us to the presence of protection from Sony: SecuROM, apparently version 7. In my last article, about the game Empire Earth 2, I examined SecuROM version 4. Curious; let's see how this protection has changed. Well, to begin with, let's look at what PEiD tells us, and it says "nothing found". Fine, that is not really what we needed anyway. Now let's try opening fear.exe in Olly. The entry point is unfamiliar. All right, last time we caught it on CreateEvent, so let's try that this time too; we set a breakpoint, let the program run and... very strange, in the status bar we see "access violation when reading XXXXXXXX". We press pause and look around, clear all the exception-related checkboxes in the debugger options, and continue.
The exception occurs here:

007AEB58 66:813E 4D5A CMP WORD PTR DS:[ESI],5A4D
007AEB5D 75 3E JNZ SHORT FEARR.007AEB9D
007AEB5F 8B46 3C MOV EAX,DWORD PTR DS:[ESI+3C]
007AEB62 03C6 ADD EAX,ESI
007AEB64 8138 50450000 CMP DWORD PTR DS:[EAX],4550
007AEB6A 75 31 JNZ SHORT FEARR.007AEB9D
007AEB6C 0FB758 16 MOVZX EBX,WORD PTR DS:[EAX+16]
007AEB70 33C9 XOR ECX,ECX
007AEB72 F7C3 00200000 TEST EBX,2000
007AEB78 74 20 JE SHORT FEARR.007AEB9A
007AEB7A 8378 78 00 CMP DWORD PTR DS:[EAX+78],0
007AEB7E 74 1A JE SHORT FEARR.007AEB9A
007AEB80 8B58 78 MOV EBX,DWORD PTR DS:[EAX+78]
007AEB83 03DE ADD EBX,ESI
007AEB85 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]

(For reference: 5A4D is "MZ", 4550 is "PE" :). Looking in the stack we see:

00210E04 0022FFB0 Pointer to next SEH record
00210E08 007AEBC3 SE handler

Now we go here: 007AEBC3. This is the handler for the exceptions set up here. We put a breakpoint there and press Shift+F9.

007AEBC3 55 PUSH EBP
007AEBC4 8BEC MOV EBP,ESP
007AEBC6 53 PUSH EBX
007AEBC7 8B5D 10 MOV EBX,DWORD PTR SS:[EBP+10]
007AEBCA 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
007AEBCD A1 A024C400 MOV EAX,DWORD PTR DS:[C424A0]
007AEBD2 8983 B8000000 MOV DWORD PTR DS:[EBX+B8],EAX
007AEBD8 33C0 XOR EAX,EAX
007AEBDA 5B POP EBX
007AEBDB 8BE5 MOV ESP,EBP
007AEBDD 5D POP EBP
007AEBDE C3 RETN

It is small; let's pay attention to these lines:

007AEBCD A1 A024C400 MOV EAX,DWORD PTR DS:[C424A0]
007AEBD2 8983 B8000000 MOV DWORD PTR DS:[EBX+B8],EAX

As you can notice, the number at address DWORD PTR DS:[C424A0] lies in the address range of the protector's code (EBX holds the CONTEXT record passed to the handler, and offset B8 in it is Eip, so the handler simply resumes execution at the address stored at C424A0). Let's see where it points: 007AEB9D.

007AEB9D 81E6 0000FFFF AND ESI,FFFF0000
007AEBA3 81C6 00000100 ADD ESI,10000
007AEBA9 81FE 000000C0 CMP ESI,C0000000
007AEBAF ^ 72 A7 JB SHORT FEARR.007AEB58
007AEBB1 64:8F05 00000000 POP DWORD PTR FS:[0]

That is, it zeroes the lower 2 bytes, then adds 10000; if the result is less than C0000000 it goes back to the place where the exception usually occurs, otherwise it restores the SEH chain and exits.
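The header checks from the loop above, reconstructed as an added C example (not the page's own code and not SecuROM's), applied to a constructed in-memory image so you can see what each compare in the scan is looking for; the sample image, its name and the bounds checks are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_FILE_DLL 0x2000u  /* the Characteristics bit behind TEST EBX,2000 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Same checks as the loop body above: "MZ" at +0, "PE" at e_lfanew, IMAGE_FILE_DLL in
 * Characteristics (+0x16), export directory RVA (+0x78), export Name RVA (+0xC in the
 * export directory). Returns 1 and copies the exported module name, else 0.
 * Where the protector relied on SEH to survive unmapped pages, this bounds-checks every read. */
int classify_dll_image(const uint8_t *base, size_t len, char *name, size_t name_len)
{
    if (len < 0x7C || rd16(base) != 0x5A4D) return 0;             /* not "MZ" */
    uint32_t nt = rd32(base + 0x3C);                               /* e_lfanew */
    if (nt > len - 0x7C || rd32(base + nt) != 0x4550) return 0;    /* not "PE\0\0" */
    if (!(rd16(base + nt + 0x16) & IMAGE_FILE_DLL)) return 0;      /* EXE, not a DLL */
    uint32_t exp_rva = rd32(base + nt + 0x78);                     /* export dir RVA */
    if (exp_rva == 0 || exp_rva > len - 0x10) return 0;
    uint32_t name_rva = rd32(base + exp_rva + 0x0C);               /* Name field */
    if (name_rva >= len) return 0;
    const uint8_t *s = base + name_rva, *end = memchr(s, 0, len - name_rva);
    if (!end || (size_t)(end - s) + 1 > name_len) return 0;
    memcpy(name, s, (size_t)(end - s) + 1);
    return 1;
}

/* Constructed sample: a minimal PE32 DLL image laid out by hand, not a real file. */
uint8_t g_image[0x200]; char g_name[64];
const uint8_t *build_sample_dll(void)
{
    memset(g_image, 0, sizeof g_image);
    g_image[0] = 'M'; g_image[1] = 'Z';
    wr32(g_image + 0x3C, 0x40);                  /* e_lfanew */
    g_image[0x40] = 'P'; g_image[0x41] = 'E';    /* "PE\0\0" */
    g_image[0x40 + 0x16] = 0x02; g_image[0x40 + 0x17] = 0x20;  /* Characteristics 0x2002 */
    wr32(g_image + 0x40 + 0x78, 0x100);          /* export directory at RVA 0x100 */
    wr32(g_image + 0x100 + 0x0C, 0x120);         /* its Name points to RVA 0x120 */
    memcpy(g_image + 0x120, "sample.dll", 11);
    return g_image;
}

int main(void)
{
    if (classify_dll_image(build_sample_dll(), sizeof g_image, g_name, sizeof g_name))
        printf("DLL image found, exported name: %s\n", g_name);
    return 0;
}
```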
In this block, for those who have not guessed yet, the protection searches for the loaded libraries and their load addresses (MZ and PE are the check for whether this is an executable image at all, and then whether it is a library). Even without a debugger this takes a lot of time, and in Olly even more so, so if we wait for the end of this function we will be sent packing. One could substitute the required addresses while watching the handler, but we would still be thrown off. There is a better idea: we launch the game separately and, right after launch, attach to it as quickly as possible (to make it easier and faster for myself, I slightly increased the window size in Olly using PE Explorer, so as not to waste time scrolling). Now we set a breakpoint on access for the whole section and press Shift+F9 until we reach this place:

00535EEA 8B3D 78405400 MOV EDI,DWORD PTR DS:[544078] ; kernel32.GetModuleHandleA
00535EF0 FFD7 CALL NEAR EDI
00535EF2 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
00535EF7 75 1F JNZ SHORT FEARR.00535F18
00535EF9 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
00535EFC 03C8 ADD ECX,EAX

Scrolling up a little, we can find the standard beginning of a C++ program:

00535ED8 6A 74 PUSH 74
00535EDA 68 30965500 PUSH FEARR.00559630
00535EDF E8 F0040000 CALL FEARR.005363D4
00535EE4 33DB XOR EBX,EBX
00535EE6 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
00535EE9 53 PUSH EBX
00535EEA 8B3D 78405400 MOV EDI,DWORD PTR DS:[544078] ; kernel32.GetModuleHandleA
00535EF0 FFD7 CALL NEAR EDI
00535EF2 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D

We stopped a few commands later than we should have, so let's not forget to correct the OEP to 135ED8. Now we need to dump our almost unpacked program. If dumping in Olly, don't forget to clear the "Rebuild Import" checkbox; we press Dump and get nothing. One more trick of the protector. We try PETools. Tools says OK, but looking at the size
you would not say so (2 MB; the protector's code certainly takes up space, but not 2.4 MB, and where did the icon go?). Then we try dumping in parts. At address 00561000 we cannot dump. So some pages are blocked (PAGE_GUARD, Tools tells us). Again we open the debugger with our breakpoint and, in the memory map, in the properties of all sections, choose Set access -> Full Access. Now we dump everything without errors. In the dump the import does not need to be reconstructed, since the import section is in place and undamaged. The dump is ready, let's move on... We try to launch our fresh dump and, as expected, get an error; it could not all be that simple, these are all the protector's tricks. Now we try launching the dump under a debugger:

007C89E6 8B12 MOV EDX,DWORD PTR DS:[EDX]
007C89E8 891424 MOV DWORD PTR SS:[ESP],EDX
007C89EB 85D5 TEST EBP,EDX

Exception in the first line. We need to find where it comes from, and what this protection mechanism actually is. One can get there by stepping, or one can look in the stack; stepping is more reliable, but I already know where it was called from, so I will go through the stack:

0012FEE8 018809D8
0012FEEC 00000202
0012FEF0 77E7AD86 kernel32.GetModuleHandleA
0012FEF4 005610A8 ?????_??.005610A8
0012FEF8 0012FFC0
0012FEFC 0012FF10
0012FF00 00000000
0012FF04 7C38B1D8 MSVCR71.7C38B1D8
0012FF08 00562298 ?????_??.00562298
0012FF0C 00537D20 ?????_??.00537D20
0012FF10 00D9608E RETURN to ?????_??.00D9608E from ?????_??.007C86D0
0012FF14 0040A495 ?????_??.0040A495
0012FF18 00537D30 RETURN to ?????_??.00537D30 from ?????_??.0040D940
0012FF1C 7C341CD6 RETURN to MSVCR71.7C341CD6
0012FF20 0012B998
0012FF24 00536007 RETURN to ?????_??.00536007 from

The last line shows that the function _initterm was called. It is usually called right at the start of the program's work.

0012FF18 00537D30 RETURN to ?????_??.00537D30 from

This is the last call from the game's code section.
We go there and arrive at a suspicious call. What we see there is a jump into the protector's section:

0040D940 $- E9 3F879800 JMP ?????_??.00D96084
0040D945 1750D700 DD ?????_??.00D75017
0040D949 9F51D700 DD ?????_??.00D7519F
0040D94D FF52D700 DD ?????_??.00D752FF
0040D951 9F54D700 DD ?????_??.00D7549F
0040D955 F755D700 DD ?????_??.00D755F7
. [skipped] .
0040DA7F . /EB 08 JMP SHORT ?????_??.0040DA89
0040DA81 . |EB 06 JMP SHORT ?????_??.0040DA89
0040DA83 . |EB 04 JMP SHORT ?????_??.0040DA89
0040DA85 |EB DB EB
0040DA86 |00 DB 00
0040DA87 |00 DB 00
0040DA88 |00 DB 00
0040DA89 > \C3 RETN

Now let's look at what is there in the protector's section. Look closely at where the jump from the protector's section leads... to a ret in the game's code, that is, to the end of the procedure. It is very similar to code splicing in Armadillo, only here the procedure is removed entirely and the jump stays within the program rather than going into allocated memory. But the error is somewhere deeper, so we dig further. One can examine the enormous function in the protector's section (where the exception is), or one can look for the cause, which in my opinion is more logical. So, the dump accesses memory that is inaccessible. In my case the access goes to address 018809D8. That means I need the memory region starting at 01880000. The address of the start of the region is not used in the open: a number is put into EDX, another is added to it, and later the EAX register is also used for the access. I am too lazy to follow all the transformations, especially since there is probably a check here, because the not-yet-unpacked FEAR crashed with an unknown error after careful, slow investigation. It would have been necessary to analyze how this function works with the allocated piece of memory, that is, where its addresses come from and how they are processed, and then to attach it to the new last section and redirect the pointers during unpacking.
Since that does not work, we do something even simpler:
1) Dump the memory region at address 01880000.
2) In PE Editor add a section from disk, and increase the virtual size of the .securom section (the one added earlier) so that it ends at address 01880000, that is, VS += 01880000 - (VO+VS).
3) For the new section set Virtual Offset 01880000.
4) I did not take ImageBase into account, so after checking I reduced the Virtual Offset of the new section by 400000, and it became 01480000.
Not hoping that the game would work, after checking that the addition was sound I let it run in search of other errors. What was my surprise when everything worked. True, the output was in 800x600 resolution, and Windows kindly placed all the icons, which I had arranged over several days in search of absolute convenience, within the visible range, mixing everything into mincemeat. Another quirk was noticed: if after several attempts you try to attach to the game and exit via F4, the game did not continue execution after F9; this can be dealt with by starting FearRun.exe, provided you have the same DVD as I do. Expecting new tricks with the import (recall the article about Empire Earth 2) and seeing their absence, I was quite disappointed. But maybe it is for the best: the game works faster without them, and given its requirements and my capabilities that is important. With that, allow me to take my leave. All complaints and everything else, send to e-mail: rascalspb dog mail dot ru