Reverse Engineering - Would you be interested in Safedisc 1.X RE technical papers?

Poll: Would you be interested in Safedisc 1.X RE technical papers?

  • Yes, and I understand that these are technical papers (not piracy tutorials): 8 votes (88.9%)
  • No thanks, I'm not interested: 1 vote (11.1%)

  Total voters: 9

Luca91 (OP)
Ok, long story short: recently I started reverse engineering some old-school DRMs from the late 90s.
Safedisc 1.x is an interesting one, as it isn't just regular CD checks: it includes IAT call redirection, encryption, anti-debugging and so on.
I'd like to know if you people would like to read some technical papers on how Safedisc 1.x works, and how an executable can be dumped from memory and restored.

Please note: this is not "piracy", as you need the original game disc to follow these write-ups! The main executable (in ICD format) is encrypted with a key that is contained only on original discs (or 1:1 copies, or it can be brute-forced in some way, but this is not part of the story here).

Currently I have successfully recovered games protected with Safedisc versions 1.11 to 1.35, and I'm studying 1.40 and 1.41.

Safedisc 1.x will not work on Windows Vista and later due to an exploit in the Safedisc driver, but by following these technical papers you will be able to remove Safedisc and play these games on Windows 11 too (for example: Prince of Persia 3D, once unpacked from Safedisc, works perfectly on Windows 11).


Beware: these are technical papers; you need basic x86 assembly knowledge and you should know the structure of the PE format.

If there is enough interest, I'll consider writing these technical papers.


To mods: again, this is not to be considered piracy, as you need the original protected game disc to follow these technical papers. But if you feel that this content is not welcome here, feel free to let me know and I'll delete this poll.
 

m00k00
Of course @Luca91 ... who wouldn't be interested in such a thing? :D
I can still remember when I used unsafedisc to remove Safedisc from a lot of games ... back in those days ^^
 

Luca91 (OP)
m00k00 said: I can still remember when I used unsafedisc to remove Safedisc from a lot of games ... back in those days ^^

Yeah, unsafedisc is a 1-click tool; instead I plan to describe every single step that has to be done manually to obtain an unprotected executable (bypass the anti-debug checks, patch the decrypted buffer so we can break at the OEP, restore the IAT, dump and fix the PE, etc.).
Still, with this knowledge you could write your own 1-click tools if you like automation :ha:
 
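The unpacking steps listed in the post above and in the opening post (break at the OEP, dump the process, fix the PE, restore the IAT) all end with a memory dump whose section table still describes the on-disk layout. As an added example, not code from this thread, from unsafedisc or from any Safedisc tool, the Python script below performs the "fix the dumped PE" step for a 32-bit image: it rewrites every section header so that PointerToRawData equals VirtualAddress and SizeOfRawData covers the in-memory size, sets FileAlignment to SectionAlignment so those raw offsets are valid, and points AddressOfEntryPoint at the real OEP. The two-section image it operates on is constructed inline for the demonstration; its section names, RVAs and the OEP value are illustrative assumptions, not values from any real game. Rebuilding the import table after undoing the call redirection is a separate step and is not shown here.

```python
"""Fix a PE32 image dumped from process memory so it loads from disk again.

Added example, not from the forum thread. The sample image is constructed
below; nothing here is read from a real game.
"""
import struct

DOS_MAGIC = 0x5A4D            # "MZ"
NT_MAGIC = 0x00004550         # "PE\0\0"
PE32_MAGIC = 0x10B            # IMAGE_NT_OPTIONAL_HDR32_MAGIC
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def _align_up(value, alignment):
    if alignment == 0 or alignment & (alignment - 1):
        raise ValueError("alignment must be a power of two")
    return (value + alignment - 1) & ~(alignment - 1)


def _headers(img):
    """Return (optional header offset, section count, section table offset)."""
    if struct.unpack_from("<H", img, 0)[0] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if struct.unpack_from("<I", img, e_lfanew)[0] != NT_MAGIC:
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", img, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", img, file_hdr + 16)[0]
    opt = file_hdr + 20
    if struct.unpack_from("<H", img, opt)[0] != PE32_MAGIC:
        raise ValueError("only 32-bit (PE32) images are handled")
    return opt, num_sections, opt + opt_size


def sections(img):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    _, n, tbl = _headers(img)
    out = []
    for i in range(n):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, img, tbl + i * SECTION_SIZE)
        out.append((name.rstrip(b"\0").decode(), vsize, va, raw_size, raw_ptr))
    return out


def entry_point(img):
    opt, _, _ = _headers(img)
    return struct.unpack_from("<I", img, opt + 16)[0]   # AddressOfEntryPoint


def file_alignment(img):
    opt, _, _ = _headers(img)
    return struct.unpack_from("<I", img, opt + 36)[0]   # FileAlignment


def fix_dump(dump, oep_rva):
    """Return a copy of the dump with raw offsets == RVAs and the OEP as entry."""
    img = bytearray(dump)
    opt, n, tbl = _headers(img)
    sec_align = struct.unpack_from("<I", img, opt + 32)[0]   # SectionAlignment
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    if len(img) < size_of_image:
        raise ValueError("dump is shorter than SizeOfImage")
    oep_inside_section = False
    for i in range(n):
        off = tbl + i * SECTION_SIZE
        vsize, va, raw_size0 = struct.unpack_from("<III", img, off + 8)
        if va >= size_of_image:
            raise ValueError("section RVA beyond SizeOfImage")
        # Some packers leave VirtualSize 0, so take the larger of the two sizes,
        # round it to the section alignment and never run past the image end.
        raw_size = min(_align_up(max(vsize, raw_size0), sec_align),
                       size_of_image - va)
        struct.pack_into("<II", img, off + 16, raw_size, va)  # SizeOfRawData, PointerToRawData
        oep_inside_section |= va <= oep_rva < va + raw_size
    if not oep_inside_section:
        raise ValueError("OEP 0x%x is not inside any section" % oep_rva)
    struct.pack_into("<I", img, opt + 16, oep_rva)      # AddressOfEntryPoint = OEP
    struct.pack_into("<I", img, opt + 36, sec_align)    # FileAlignment = SectionAlignment
    return bytes(img)


def build_dumped_image():
    """Constructed sample: a 2-section PE32 as it looks after a memory dump.

    Headers sit at offset 0, sections at their RVAs, but the section table
    still carries the on-disk raw offsets (0x400/0x600) and the entry point
    still points at the packer stub in .data (0x2000). Real OEP: 0x1000.
    """
    sec_align, file_align, size_of_image = 0x1000, 0x200, 0x3000
    img = bytearray(size_of_image)
    struct.pack_into("<H", img, 0, DOS_MAGIC)
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<I", img, 0x40, NT_MAGIC)
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<HBB", img, opt, PE32_MAGIC, 6, 0)
    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIIIIII", img, opt + 4, 0x200, 0x200, 0, 0x2000,
                     0x1000, 0x2000, 0x400000, sec_align, file_align)
    struct.pack_into("<HHHHHH", img, opt + 40, 4, 0, 0, 0, 4, 0)   # OS/image/subsystem versions
    struct.pack_into("<IIII", img, opt + 52, 0, size_of_image, 0x400, 0)
    struct.pack_into("<HH", img, opt + 68, 2, 0)                    # GUI subsystem
    struct.pack_into("<IIIIII", img, opt + 72, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    tbl = opt + 0xE0
    hdrs = [(b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020),
            (b".data", 0x80, 0x2000, 0x200, 0x600, 0xC0000040)]
    for i, (name, vsize, va, rsize, rptr, chars) in enumerate(hdrs):
        struct.pack_into(SECTION_FMT, img, tbl + i * SECTION_SIZE,
                         name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
        img[va:va + vsize] = bytes([0x90 + i]) * vsize   # placeholder section bytes
    return bytes(img)


if __name__ == "__main__":
    dumped = build_dumped_image()
    fixed = fix_dump(dumped, oep_rva=0x1000)
    print("entry 0x%x -> 0x%x" % (entry_point(dumped), entry_point(fixed)))
    for sec in sections(fixed):
        print(sec)
```

The rewrite leaves the section bytes untouched; it only changes the headers so that a loader reading the file from disk maps each section from the offset where the dump already has it. Run on a real dump, the OEP must be the address you broke at after the decryption stub finished, and the import directory still has to be rebuilt afterwards.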

FAST6191 (Editorial Team)
I doubt they will be the talk of the town or anything like that, but it is well within the scope of the site and things we have done in the past -- if a talk on PC game cheat making/hacking comes up at a conference it would not be strange in the slightest to see it linked and discussed. Down and dirty with specifics of this era is something of a blind spot in my knowledge as well.

Depending upon the timeline we might also be just about meeting it in consoles (the Switch is possibly the first console to have ASLR to handle; not sure I have yet met anything with serious anti-debugging tech on a console, and even basic anti-cheat* is uncommon), or the simpler takes on it provide an in for those needing an intro course to the sorts of things we see today (I do wonder what it must be like to be thrown into the deep end of modern stuff and have to swim, rather than slowly build from it making its way out of the theoretical computer science world and taking baby steps into reality before cat-and-mouse refinement for years).

*mirrored values, having a check bit, having inverted values so one counts up while another counts down from max and has to match after relevant operations, some kind of moving pointer to keep the current value/round robin and so forth. Examples go back as far as you like (don't know if I have a C64 one but would not bet against it; see various ones like those on the NES happily enough) but still not common.
 

FAST6191 (Editorial Team)
I did see that Spyro PS1 talk/write-up.
Shorter version for those curious:


Some of the handhelds had some interesting things at points -- some obfuscation to cut through, some subtle effects stuff, many things to unpick, and one particularly amusing instance where the devs timed the save game process (flash carts being faster). Though I do also look across at the PC and see things like

That being a 2010 presentation. Granted, not particularly DRM-busting focused, but close enough that I include it. Also, for others reading: despite C3 probably being the source of most console hacking talks you have ever seen, for PC stuff you might want to go more for DEF CON, Black Hat, DerbyCon and the like*.
Most console stuff (assuming there is any that is not knocked out with the baseline hacks) is comparatively the kiddy pool next to the open-water night swimming during a storm that is the PC.

*also not especially relevant to the down and dirty of PC stuff, but fun and a source of a few terms to get you started
 

Luca91 (OP)
@FAST6191 yeah, Spyro had one of the toughest implementations of LibCrypt. IIRC the tough part wasn't the LibCrypt checks, but the huge number of CRC checks the game used to alter its behaviour. A long time has passed and I'm not sure if I'm recalling it correctly, but its behaviour was also changing based on the BIOS version, which tricked crackers of that time since it was working correctly on some consoles (but not on others).

Anyway, thanks for the video, I'll make sure to watch it later tonight while in bed ahah :D
 

Luca91 (OP)
If some native English speakers can give me a hand to review and fix my English, I'll be more than happy to share my current work (still incomplete) with them. Thanks.
 