Reversing cdilla's Safecast
Reset the time limit

march 2001
by +Tsehp & r!sc
 
Courtesy of Fravia's page of reverse engineering
slightly edited
+Tsehp
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (x)Intermediate (x)Advanced ( )Expert


Safecast is another packer, but here we're dealing with a lot of interesting features :

1-Packer's code obfuscation
2-Anti softice features
3-License info hidden inside your hard disk
4-Redirected and Mangled IAT's

This essay will only cover the way the license info is stored and how you can reset the time limit. The packer's code obfuscation can be resolved with Imhotep by Arthaxerxes, and all the anti-softice features are handled by frogsice and icedump.




Introduction
First I have to thank r!sc for his great efforts and kindness, without some ideas he had, I would have spent much more 
time just finding a way to locate the license info.


Tools required

Ida 4.15
Softice 4.05
Frogsice
filemon, regmon, diskmon from www.sysinternals.com

hex workshop 3.x

Target's URL/FTP
www.macrovision.com

Program History
Safecast is the web adaptation of the well-known cdilla safedisc.

Essay
In this first essay, I'll only cover how we managed to find where the hidden license info is stored.
You'll first have to play with this target (1.45 MB) to figure it out. Ok, you've launched it and land on a nag that tells you there is just 1 remaining day. Set your clock ahead by 2 days, run the program, then set your clock back again: the time limit has been reached. Usually the license info is stored in the registry and/or inside some files, so you'll use regmon and filemon to locate the related info. Here is what they show:

Registry :
HKLM/software/cdilla
(win nt) HKLM/Software/C07ft5y
(win nt) HKLM/System/(all control sets)/services/cdilla

Files :
(win 9x) %systemroot%/system/cda*****.vxd
(win nt) %systemroot%/system32/drivers/cda*****.sys

Generally, the first move is to delete all this info and reinstall the target to reset its timer. Sorry, but this time it just won't work... You can try to log/fetch everything you want, even sniff your internet connection, you'll find nothing. First I formatted a test hd, then reinstalled the program: still expired. Then I made a low-level format with a low-level format utility, and this time it was successful, the timer was reset. Well, what's the difference between a low-level format and a normal one? A normal format only rewrites the tracks/sectors that belong to the partition, so a lot of places on your hd are not formatted at all. The low-level format rewrites every sector on it, just like your hd was when it came out of the factory; btw it's a good way to wipe sensitive information off it.

Using diskmon, you'll see some strange activity on your hd's sectors 0 and 32, with writes only on sector 32. Sector 0 is the master boot record; sector 32 lies in the unpartitioned gap between the MBR and the first partition (which on a CHS-aligned disk of the time typically starts at sector 63), which is exactly why it survives a normal format but not a low-level one. Let's see what's happening: all those direct disk accesses should be handled by cdilla's vxd (win 9x) or sys (win nt) module. Analysing the win 9x cda*****.vxd we land on this function:

ios_Sendcommand

As explained in the win 9x ddk, esi must point to an IOR structure before calling it. Here is this structure:

typedef struct _IOR { /* */

ULONG IOR_next; /* client link for BCB's */
/* (MBZ for IORF_VERSION_002) */

USHORT IOR_func; /* function to be performed - see */
/* defines below. */

USHORT IOR_status; /* request status - see defines */
/* below. */
ULONG IOR_flags; /* request control flags - see */
/* defines below. */
CMDCPLT IOR_callback; /* address to call request back to if */
/* IORF_SYNC_COMMAND is not set. */

ULONG IOR_start_addr[2]; /* volume relative starting addr */
/* if IORF_LOGICAL_START_SECTOR is set.*/
/* physical if not set. */

ULONG IOR_xfer_count; /* number of sectors to process if */
/* IORF_CHAR_COMMAND is not set, or # */
/* of bytes if it is set. */
/* MUST be set to zero if no data xfer */

ULONG IOR_buffer_ptr; /* BlockDev client buffer pointer. */
/* Contains pointer to data buffer */
/* or to null terminated list of sgd's */
/* depending on IORF_SCATTER_GATHER */
/* Undefined if no data transfer */

ULONG IOR_private_client; /* BlockDev/IOS client reserved */

ULONG IOR_private_IOS; /* reserved space for IOS */

ULONG IOR_private_port; /* private area for port driver */

union urequestor_usage _ureq;
/* requestor usage area, also used for */
/* IOCTL's */

ULONG IOR_req_req_handle; /* requestor provided request */
/* handle. often is a pointer to */
/* to this ior or its containing */
/* iop. pushed on the stack by IOS */
/* before IOR_callback is called */

ULONG IOR_req_vol_handle; /* requestor provided media handle */
/* designating the media to perform */
/* the function on (VRP). */

ULONG IOR_sgd_lin_phys; /* pointer to first physical sgd, as */
/* contrasted with IOR_buffer_ptr, */
/* which points to the logical sgds. */
/* this is either a linear or phys */
/* address, depending on the needs */
/* of the drivers, as indicated */
/* via the DCB demand bits. */

UCHAR IOR_num_sgds; /* number of phys sgd's pointed to by */
/* IOR_sgd_lin_phys */
UCHAR IOR_vol_designtr; /* numeric representation of the */
/* drive letter designating the */
/* volume to perform the function */
/* on (c: = 2). */

USHORT IOR_ios_private_1; /* reserved by IOS to force alignment */

ULONG IOR_reserved_2[2]; /* reserved for internal use */

} IOR, *PIOR;

To summarize the important info:

esi+0x4 = function (IOR_func: 0 = read, 1 = write, etc.)

esi+0x10 and esi+0x14 = starting sector, low and high dword (volume-relative if IORF_LOGICAL_START_SECTOR is set, physical otherwise)

esi+0x18 = number of sectors to process

esi+0x1c = buffer to read into / write from

so before launching the target, we can try into softice the following breakpoint :

bpx ios_sendcommand if esi->4==0 do "d esi->1c"

Then we'll break on the first read; just look at the buffer: it's sector 0 of your hd, the master boot record, that was read.

Then go a little further while tracing the vxd's code, and you'll notice that some bytes of that sector are read from offset 0x1c4, then 0x1d4, 0x1e4 and 0x1f4: 16 bytes apart, one per entry of the partition table, which starts at offset 0x1be of the MBR with a 16-byte entry per primary partition.

cdilla is just locating your hd's partitions from the partition table in the MBR.

Now let's try to be zen: each time the program runs, it will surely need to update its hidden license info, so let's locate the place where it writes to the hd:

bpx ios_sendcommand if esi->4==1 do "d esi->1c"

meaning that the IOS command (IOR_func) is at esi+4, with 1 = write.

Now look at esi+0x10: you'll find 0x20, meaning that sector 0x20 (32) was written, with the data coming from the buffer at esi+0x1c.
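To make the two breakpoint conditions and the partition-table walk concrete, here is an added example in C. It is not code from this essay or from cdilla's driver: it decodes the IOR head at the offsets summarized above, applies the same esi->4 == 1 filter to a constructed request, and reads a constructed MBR partition table to show that sector 32 falls in the gap before the first partition. The IOR bytes, the MBR contents and the buffer address 0xc1230000 are made up for the example; the struct offsets are those of the DDK definition above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Head of the Win9x IOS request (IOR) at the offsets the breakpoints use;
   field names follow the DDK struct above, later fields are left out. */
typedef struct {
    uint32_t IOR_next;          /* 0x00 */
    uint16_t IOR_func;          /* 0x04: 0 = read, 1 = write */
    uint16_t IOR_status;        /* 0x06 */
    uint32_t IOR_flags;         /* 0x08 */
    uint32_t IOR_callback;      /* 0x0c */
    uint32_t IOR_start_addr[2]; /* 0x10: starting sector, low dword first */
    uint32_t IOR_xfer_count;    /* 0x18: number of sectors */
    uint32_t IOR_buffer_ptr;    /* 0x1c: client data buffer */
} ior_head_t;

_Static_assert(offsetof(ior_head_t, IOR_start_addr) == 0x10, "IOR layout");
_Static_assert(offsetof(ior_head_t, IOR_buffer_ptr) == 0x1c, "IOR layout");

#define IOR_READ  0
#define IOR_WRITE 1

/* The filter behind 'bpx ios_sendcommand if esi->4==1': given the bytes at
   esi, return the first sector a write targets, or -1 if it is not a write. */
long ior_write_sector(const uint8_t *ior_bytes)
{
    ior_head_t h;
    memcpy(&h, ior_bytes, sizeof h);
    return h.IOR_func == IOR_WRITE ? (long)h.IOR_start_addr[0] : -1;
}

/* Constructed request (not captured from the driver) for the checks below. */
void build_ior(uint8_t out[32], uint16_t func, uint32_t sector, uint32_t count)
{
    ior_head_t h;
    memset(&h, 0, sizeof h);
    h.IOR_func = func;
    h.IOR_start_addr[0] = sector;
    h.IOR_xfer_count = count;
    h.IOR_buffer_ptr = 0xc1230000u;   /* placeholder buffer address, assumed */
    memcpy(out, &h, sizeof h);
}

/* MBR partition table: four 16-byte entries from 0x1be, type byte at +4 and
   little-endian starting LBA at +8. This is the region cdilla walks. */
#define MBR_TABLE_OFF  0x1be
#define MBR_ENTRY_SIZE 16

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Lowest starting LBA among the used primary partitions; 0 if none/invalid. */
uint32_t mbr_first_partition_lba(const uint8_t mbr[512])
{
    if (mbr[510] != 0x55 || mbr[511] != 0xaa) return 0;
    uint32_t lowest = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_TABLE_OFF + i * MBR_ENTRY_SIZE;
        uint32_t lba = rd32le(e + 8);
        if (e[4] == 0 || lba == 0) continue;
        if (lowest == 0 || lba < lowest) lowest = lba;
    }
    return lowest;
}

/* 1 if `sector` sits between the MBR and the first partition: the gap a
   normal format never rewrites, which is where sector 32 lives. */
int sector_in_unpartitioned_gap(const uint8_t mbr[512], uint32_t sector)
{
    uint32_t first = mbr_first_partition_lba(mbr);
    return first != 0 && sector > 0 && sector < first;
}

/* Constructed MBR with one FAT32 (0x0b) partition at LBA 63, the usual
   first-partition start on a CHS-aligned disk of the time. */
void build_sample_mbr(uint8_t mbr[512])
{
    uint8_t *e = mbr + MBR_TABLE_OFF;
    memset(mbr, 0, 512);
    e[0] = 0x80; e[4] = 0x0b;                      /* bootable, FAT32 */
    e[8] = 63; e[9] = 0; e[10] = 0; e[11] = 0;      /* start LBA 63 */
    e[12] = 0x40; e[13] = 0x42; e[14] = 0x0f;       /* 1,000,000 sectors */
    mbr[510] = 0x55; mbr[511] = 0xaa;
}

/* Wrappers that run the checks on the constructed data. */
long sample_request_sector(uint16_t func)
{
    uint8_t b[32];
    build_ior(b, func, 0x20, 1);
    return ior_write_sector(b);
}
uint32_t sample_first_partition_lba(void)
{
    uint8_t m[512];
    build_sample_mbr(m);
    return mbr_first_partition_lba(m);
}
int sample_sector_in_gap(uint32_t sector)
{
    uint8_t m[512];
    build_sample_mbr(m);
    return sector_in_unpartitioned_gap(m, sector);
}

int main(void)
{
    printf("write -> sector %ld, read -> %ld\n",
           sample_request_sector(IOR_WRITE), sample_request_sector(IOR_READ));
    printf("first partition at LBA %u, sector 32 in gap: %d\n",
           sample_first_partition_lba(), sample_sector_in_gap(32));
    return 0;
}
```

The same decoding can be applied to any IOR you dump from softice: with the bytes at esi in hand, ior_write_sector tells you whether the request is a write and where it lands, and mbr_first_partition_lba on the buffer from the first read tells you which sectors lie outside every partition.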

Let's simply delete all the registry entries and the vxd, then use hex workshop to open your PHYSICAL drive (not a logical volume, since sector 32 lies outside every partition), go to sector 32, save a copy of it first, and zero all 512 bytes. Reinstall the target and run it :

the time limit is reset... crack done.
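The hex-editor step above, as an added example in C that is not part of the essay and not how cdilla or hex workshop does it: it backs up sector 32 of a raw disk image or device to a file, zeroes it, and leaves every other sector alone. Without arguments it runs a self-check on a constructed 64-sector scratch image under /tmp; given an image or raw device path (which needs the usual privileges for direct disk access) and a backup path, it wipes sector 32 of that device. The file names, the sector number 32 and the 64-sector layout are assumptions for the demo.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512
#define LICENSE_SECTOR 32   /* the sector the write breakpoint pointed at */

/* Read one 512-byte sector from a raw image or device. 0 on success. */
int read_sector(const char *path, uint32_t sector, uint8_t buf[SECTOR_SIZE])
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int ok = fseek(f, (long)sector * SECTOR_SIZE, SEEK_SET) == 0 &&
             fread(buf, 1, SECTOR_SIZE, f) == SECTOR_SIZE;
    fclose(f);
    return ok ? 0 : -1;
}

/* Overwrite one sector in place ("r+b" never truncates). 0 on success. */
int write_sector(const char *path, uint32_t sector, const uint8_t buf[SECTOR_SIZE])
{
    FILE *f = fopen(path, "r+b");
    if (!f) return -1;
    int ok = fseek(f, (long)sector * SECTOR_SIZE, SEEK_SET) == 0 &&
             fwrite(buf, 1, SECTOR_SIZE, f) == SECTOR_SIZE;
    fclose(f);
    return ok ? 0 : -1;
}

/* Save the current contents of `sector` to `backup`, then zero it: the
   hex-editor step from the text, but reversible. 0 on success. */
int wipe_sector(const char *path, uint32_t sector, const char *backup)
{
    uint8_t old[SECTOR_SIZE], zero[SECTOR_SIZE];
    if (read_sector(path, sector, old) != 0) return -1;
    FILE *b = fopen(backup, "wb");
    if (!b) return -1;
    int saved = fwrite(old, 1, SECTOR_SIZE, b) == SECTOR_SIZE;
    fclose(b);
    if (!saved) return -1;
    memset(zero, 0, sizeof zero);
    return write_sector(path, sector, zero);
}

/* 1 if every byte of `sector` equals `value`, else 0. */
int sector_filled_with(const char *path, uint32_t sector, uint8_t value)
{
    uint8_t buf[SECTOR_SIZE];
    if (read_sector(path, sector, buf) != 0) return 0;
    for (int i = 0; i < SECTOR_SIZE; i++)
        if (buf[i] != value) return 0;
    return 1;
}

/* Constructed 64-sector stand-in for the physical drive: sector n is filled
   with byte 0x40+n, so sector 32 holds 0x60 and its neighbours differ. */
int make_test_image(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    uint8_t buf[SECTOR_SIZE];
    for (int n = 0; n < 64; n++) {
        memset(buf, 0x40 + n, sizeof buf);
        if (fwrite(buf, 1, SECTOR_SIZE, f) != SECTOR_SIZE) { fclose(f); return -1; }
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* Whole procedure on a fresh image; 1 if sector 32 is now zero while
   sectors 0 and 33 kept their bytes and the backup holds the old sector. */
int demo_reset(const char *image, const char *backup)
{
    if (make_test_image(image) != 0 || wipe_sector(image, LICENSE_SECTOR, backup) != 0)
        return 0;
    return sector_filled_with(image, LICENSE_SECTOR, 0x00) &&
           sector_filled_with(image, 0, 0x40) &&
           sector_filled_with(image, LICENSE_SECTOR + 1, 0x61) &&
           sector_filled_with(backup, 0, 0x60);
}

/* Usage: safecast_reset <image-or-raw-device> <backup-file>
   With no arguments it runs the self-check on a scratch image under /tmp. */
int main(int argc, char **argv)
{
    if (argc == 3)
        return wipe_sector(argv[1], LICENSE_SECTOR, argv[2]) == 0 ? 0 : 1;
    int ok = demo_reset("/tmp/safecast_demo.img", "/tmp/safecast_sector32.bak");
    printf("self-check %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

Keep the backup: if zeroing the sector does not reset the timer on your build of the protection, write_sector with the saved bytes puts the drive back exactly as it was.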

 

+Tsehp

 

Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
