SafeDisc 4.00.003 -> Macrovision [Overlay]

[crackee]

Does anyone have any ideas on how to unpack this packer "SafeDisc 4.00.003 -> Macrovision [Overlay]". I'm trying to unpack a target which has some sort of Debugger detection that I cannot by pass with well known Olly plugins (Hide Debugger, IsDebug, .etc..) Also, I've tried IsDebuggerPresent, OutputDebugStringA, CreateToolhelp32Snapshot API's but non prevailed.
By the way, I've loaded the target here if anyone interested. Sorry, it's about 10MB, lol.

http://rapidshare.de/files/15683089/AM2006.rar.html

As usual, thanks in advance.

[SKiLLa]

When I try to run the .exe it fails with the message that it needs FILEIO.DLL,
you might wanna upload that one too ?

[crackee]

Sorry mate... I had just re-edited the post and replaced the files with the complete version. Thanks!

[SKiLLa]

Download the 'Advanced Olly beta 15' plugin from http://omega.intechhosting.com/~access/forums/index.php?showtopic=2542&st=40

and check all the anti-anti-debugging except NtGlobalFlag ... Olly won't be detected anymore and you'll get a 'missing CD' message

Good luck !

[crackee]

Thank you Skilla. Would you mine pm the plugin to me 'cause the link is dead... I got this message:

"Sorry, the link that brought you to this page seems to be out of date or broken.''

By the way, do you know what method does it use to detect debugger here?

Thanks,

[SKiLLa]

The link above is working fine for me, were you logged on ?

Anyways, I sent the PM

I'm not sure which tricks are used to detect Olly, it detected my ShadowOlly with lots of plugins from my Virtual Machine without the ant-anti turned on. You can try & see which options are necessary by checking them one by one, I haven't tried yet ...

[crackee]

Yike.... this is a tough one. I was able to by passed the debugger check, however, unpacking this so called "SafeDisc" isn't easy at all. Does anyone out there have any ideas on how to unpacked this baby? Man, I should not pick this target for pracetice- Bad choice! But, I hate to give up...

Thanks in advance!

[thorpe]

safedisc is quite difficult for beginners. As for many things, looking at prior research by others may help you on your quest. I suggest you look at tutorials by Tola, yAtEs, or others which can easily be found on google. Good luck.

[Soul12]

indeed, not very usefull for a first target, also checking out Old tuts wont help you..since they added/changed a few things..thou basics are the same..but id recommend looking allot into the PE structure and Reading up on Loaders and that sort of stuff.... also a good knowledge of ASM and Decompiling would be usefull but try to unpack orther stuff first..then if you start to get a hang of it...dedicate some time for SafeDisk and start mapping it..

[crackee]

Thank you... I'll see if I can sink anymore information into my head. I hope I won't overheat my brain...

[Soul12]

66703017 E8 E6+ call CheckForDebugger ; //if Eax != 10000 then Debugger is present
.txt2:6670301C 3D 00+ cmp eax, 2000h
.txt2:66703021 59 pop ecx
.txt2:66703022 59 pop ecx
.txt2:66703023 74 26 jz short loc_6670304B
.txt2:66703025 3D 00+ cmp eax, 4000h
.txt2:6670302A 74 D9 jz short loc_66703005
.txt2:6670302C 33 C9 xor ecx, ecx
.txt2:6670302E 3D 00+ cmp eax, 10000h


your magic DebugCheck ... can be identified by looking for the unicode string
represitantion of 00010000 which should look like this CMP EAX,10000 ; UNICODE "=::=::\"