Safedisc 1.06-1.11 Reverse Engineering (Technical Paper)

Finally the first technical paper about reverse engineering Safedisc from v.1.06 up to v1.11 is here :)

You can download it here (English version, thanks to @KiiWii for spelling check!): https://lucadamico.dev/papers/drms/safedisc/MidtownMadness.pdf
or here (Italian version): https://lucadamico.dev/papers/drms/safedisc/MidtownMadness_ITA.pdf

Please note as also stated in the pool thread: you need the original game disc to follow this paper :)
Please let me know if something isn't clear, as this is the first time that I write this kind of content.
Have fun, and please share your binary adventures :P
 

Luca91

POST RESERVED FOR FUTURE USE

I'm working on other technical papers, like Laserlock reverse engineering and other very old DRMs (that are fun to RE).
 

KleinesSinchen

Super interesting, but goes way above my head. Kudos!

Please forgive me my long text here. This hit a nerve!

From the perspective of an interested user, not a developer or reverse engineer:
Did I understand this correctly: You more or less pull the decrypted game from RAM after SafeDisc decided that the inserted CD is legit?

At the beginning you said that the original CD is needed because of the decryption key. After skimming through your paper and retreating from the monitor in awe, I had to think of the generic SafeDisc decryptors for version 1.x and 2.x up to 2.4 (or was it 2.5?). They look even more impressive than before, now that I've seen your paper. Do you know how those perform the decryption automatically (and to my knowledge without the CD)?
It would be indeed very clever if SafeDisc itself didn't have access to the key without the CD (can only assume that the distribution/position of the bad sectors could be used to store a decryption key). Later instances definitely do some additional checks that will not deliver a key (looking for ATIP data revealing CD-R)¹.


If my concentration was a little better I'd like to dive into the topic. My oldest SafeDisc titles are the German versions of You Don't Know Jack 2 and 3. The first one doesn't use a copy protected CD, only a simple CD check. Another interesting part of this is that those games also support Windows 3.1(1) with installed Win32s (geez, I feel so old for typing out "Win32s"). SafeDisc 1 supported 16-Bit Windows.
This is one of the very few instances where I lost data – before having huge HDDs and implementing a robust backup system. The legit CD of YDKJ3 is damaged beyond belief: The data layer literally flew out of the disc at some points – a public library sold it for 10 cents. I was able to back it up when I got it, but I didn't store images back then… and the CD-R is partially unreadable by now. This is why there is a cracked .exe – I could get all files together from the bad original together with the bad copy, and the no-cd cracked version runs.
The Jack games are relatively expensive while most games from that era are sold for a few cents.


I will try harder to at least partially understand your paper and hope you'll continue this. A Laserlock disc is currently on my wishlist – not yet in the collection.

Thanks for uploading your work!





___________________
¹ I know, different topic – I'm a user only and dealt with CD based protections in a way that my goal was having them accept burned CDs. This approach has the advantage that if successful, the game will not do a "Spyro 3" at some point due to anti-crack, checksums, trigger functions… (though a game might load with an insufficient copy and do nonsense then as well – never had that problem myself).
Tearing my hair out since none of my burners was able to write the weak sectors of SafeDisc 3.x correctly in a way that all drives can read them. The burners successfully read them… and fail because of the ATIP check. The read-only drives fail at reading the weak sectors. I cannot get the program to accept a burned disc without the help of an emulation program.
 

Luca91

Hi @KleinesSinchen thank you for your (indeed good) questions :)

From the perspective of an interested user, not a developer or reverse engineer:
Did I understand this correctly: You more or less pull the decrypted game from RAM after SafeDisc decided that the inserted CD is legit?

The executable is dumped from RAM after it was decrypted (done by SafeDisc itself) and the IAT was fixed. Your assumption is correct from a logical point of view, yes. This is the standard technique when unpacking binaries.

They look even more impressive than before, now that I've seen your paper. Do you know how do those perform the decryption automatically (and to my knowledge without the CD)?

Because when you use these tools, the key is bruteforced. SafeDisc used an algorithm called TEA (Tiny Encryption Algorithm), and bruteforcing the keys, in particular in lower versions, was easy. I haven't covered that in the paper as these methods are "just profit", and something I'm not interested in, as you basically learn nothing. You also need the loader.exe and dplayerx.dll when using these tools, as they need to fix the IAT too.

It would be indeed very clever if SafeDisc itself didn't have access to the key without the CD

Yeah, safedisc will not have access to the decryption key if it isn't present on the CD. Using some tools you can make a 1:1 copy of that cd including the key.

SafeDisc 1 supported 16-Bit Windows.

SafeDisc 1.00.026 supports ONLY the Win9x kernel; it will NOT run on NT. I know this because I removed this version of SafeDisc from a game, and I had to do that in a VM with Windows 98 and SoftICE (it was FUN!). From version 1.06 SafeDisc works on the NT kernel.


I will try harder to at least partially understand your paper and hope you'll continue this. A Laserlock disc is currently on my wishlist – not yet in the collection.

Feel free to ask any question :) Laserlock is a bit more complex to patch as it has a lot of CRC checks, so you can't just patch the .text section of the executable in memory, otherwise it will compute bad addresses while resolving APIs. From this point of view, this is similar to SafeDisc 1.40+: they actually check from where the call to the APIs is performed and just compute a bad/random address if that address is suspicious :P

EDIT:

the game will not do a "Spyro 3" at some point

I actually know only 1 old school drm that did this on pc, it is called Tages/Fade.
 

urherenow

Heh... back in the day, I used softice to get a "legit" winzip registration code. That was way before 7zip was a thing though. Put in a random serial number, add a break point on the cmp (found using the text of the error message that tells you your code is wrong, iirc), and see in plain text, more or less, the correct serial that it was comparing it to. Easy day... lol
 

m00k00

The Laserlock writeup is almost completed. Any (native English speaker) volunteer for a spelling/grammar review? Many thanks
I'm not a native speaker, but I guess my English is good enough to help you with the proofreading. Just send me a PM if you want ;)
 