I’m glad someone preserved these tutorials. I was focused on cracking Safedisc games at the time, and even wrote some Safedisc/Safecast tutorials myself. I never had the skills to crack Securom though, respect to Human and Deroko and the others on the ARTeam forums at the time.

Also iirc after this tutorial deroko wrote another one on breaking the Securom VM obfuscation. It was great work, one of the first public tutorials at the time on breaking such obfuscation. I wonder if it's also been archived.

Finally, it should be noted that Securom is a predecessor to Denuvo. I remember debugging early versions of Denuvo and being struck by how similar they are. I wonder how much of the code and techniques are in common between the two, especially now in 2024.

The old reversing scene has changed. I guess everyone grew up and got families and jobs. But when I see what the kids are up to in the multiplayer cheating forums, I see the spirit is still alive and well. Cheers and happy debugging.
If you are going down a DRM search trip, both Widevine key dumping and DMCA compliant HDMI / HDCP downgrade hardware are quite interesting topics.
> From what I can see the flag at [EAX+4] is somehow switched on when debugged.

I wonder if a look into the leaked Windows kernel source code files (I _think_ the most current dump is still old Win2k?) could help out to decipher what these two RESERVED flags are used for?

PEB_LDR_DATA still has them named as RESERVED1/2 [1].

[1] https://learn.microsoft.com/de-de/windows/win32/api/winternl/ns-winternl-peb_ldr_data
It is a nice hollow shell of a page. Some links are already dead. Mentions of forums lead to nowhere. Tools were discontinued in 2014.
Funny how things move, and some parts become history and myths.
Ah yes, right up my alley. Sort of. I spent many months reverse engineering a SC8 executable for fun, yep purely for fun. 10 years ago now.

I have more experience with SecuROM 8. Did you guys know there is a hidden flag that is parsed on executable running that initializes a separate application which generates a file you can send to the authors of SecuROM that holds the version of SecuROM and quite a lot of other details?

Opaque predicates, VM, simple code integrity checks (int 3), xchg used as control flow obfuscation? It was all there. It took me a while to get the program running under a debugger. Once I did there were a bunch of threads running which would detect tampering or pausing of the threads and kill the process. After suspending those I could do whatever I wanted.

The DRM used a lot of control flow methods, especially hardware breakpoints and the UD2 instruction.

At the time of Unicorn engine's popularity I made a custom plugin to emulate the zlib code embedded inside to search for hidden API calls; unfortunately, due to the way QEMU emitted some instructions for the helpers, some instruction hooks were called a few times more, e.g. those with a rep prefix, severely skewing instruction counting.

Anyway, VM hunting was difficult. The VM had quite a few single-threaded VM contexts so it could run a lot of programs. From then on it was a matter of reverse engineering the opcodes.

At the time I used Olly to trace and log the instruction handlers and opcodes and then using Notepad++ magic I could clean it up from the control flow into a single coherent picture.

Honestly I've forgotten most of it now.

But a few years ago I did write my own control flow graph generator in Java just to find the 20 or 30 thousand code integrity checks and trace them statically, and then was going to use it on the VM.

The most unusual thing is, I often communicated with one of the devs of SecuROM on IRC. Of course I did not ask him anything nor did he reveal anything, that is of course illegal. I remember asking him about the little "Cut my life into pieces" tidbit he left just after VMEnter.

Needless to say it is thanks to SecuROM that I gained an interest in RE. Yes, I was a novice and dived deep down into a commercial DRM. Thanks to it I learned a lot and it is helping me even today, yep as I type this I am working on a SH2 architecture firmware.

But back in the day SecuROM inspired me to write this little ugly thing https://github.com/farmdve/TextVM
There was a strange situation when SecuROM came onto the scene: The first patch for most games had no SecuROM at all and so it was just patching the usual CD checks.
> As you can see exe is 97Mb, biohazard exe without securom is Just 6Mb, that’s how protections hurt customers, not my fault then.

A 93.8% reduction... That's brutal.