Showing posts with label rce. Show all posts

Friday, November 7, 2014

FIFA15 and the new DRM Denuvo

So at first I speculated it had SecuROM, just like FIFA14, but then we (when I say "we" I do mean the internet) found out it has a new DRM called Denuvo, and this is why there is no crack yet: it's new and it will take time for it to be studied and bypassed, and there is maybe a rather low chance of there being no crack at all.
It took me 30 days just to run SecuROM under a debugger, so it's not unlikely that the same thing will happen with a new DRM.

I've no idea what Denuvo employs, frankly I do not care, but if it gains traction and remains uncracked, things will get "interesting".

To put it simply: there is no crack yet, and any crack you do find by googling will likely turn out to be a virus.

Addendum: The upcoming GTA V game will also use this DRM. Seems like GTA V will not use Denuvo after all: http://www.incgamers.com/2014/11/grand-theft-auto-v-will-not-use-denuvo-drm-says-company-co-owner

Thursday, September 11, 2014

RtlUserThreadStart modification.

And back to SecuROM, folks. Two days ago I stumbled on some stuff by accident. Turns out, SecuROM modifies the IAT of some modules (predetermined, I believe) during runtime, and replaces pointers to various kernel routines such as CreateThread, LoadLibraryExA, LoadLibraryExW and LoadLibraryW with its own obfuscated routines, in several modules.
I wrote my own tool to repatch back to the old routines. It worked fine after I patched back the old pointers, with the exception of RtlUserThreadStart: SecuROM gets the address of this routine via GetProcAddress (it's not in the IAT of any module) and modifies the jump at RtlUserThreadStart+0x8 to point to a trampoline jump in a code cave in ntdll.dll, which then jumps back into SecuROM code. If this code is not executed, SecuROM cannot continue; it just waits.
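As an added example (not the author's repatching tool), here is the check in Python that such a tool, or a forensic script looking for the same kind of tampering, needs before restoring anything: follow the chain of x86 `jmp rel32` instructions from an IAT slot or from a routine address and see whether the code it finally lands in belongs to the module that should own it. A pointer for a kernel32 import that ends up inside the game's own image, or a jump at RtlUserThreadStart+0x8 that leaves ntdll, is flagged. The module map, addresses and bytes are constructed for the example and are not real values from the post.

```python
import struct

# Constructed module map for the example: name -> (base, size). All addresses are made up.
MODULES = {
    "game.exe":     (0x00400000, 0x01E00000),
    "kernel32.dll": (0x76A00000, 0x000F0000),
    "ntdll.dll":    (0x77B00000, 0x00180000),
}

def module_of(addr):
    """Return the name of the module whose mapped image contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def jmp_rel32(site, target):
    """Encode an x86 'jmp rel32' (E9 + 4-byte displacement) placed at site, landing on target."""
    rel = (target - (site + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)

def follow_jmps(memory, addr, max_hops=8):
    """Follow a chain of 'jmp rel32' instructions starting at addr.
    memory maps an address to the bytes readable there (a constructed snapshot).
    Returns (final_address, [hop addresses]); the chain ends at the first non-jmp byte."""
    hops = [addr]
    for _ in range(max_hops):
        code = memory.get(addr, b"")
        if len(code) < 5 or code[0] != 0xE9:
            return addr, hops
        rel = struct.unpack("<i", code[1:5])[0]          # signed displacement
        addr = (addr + 5 + rel) & 0xFFFFFFFF
        hops.append(addr)
    return addr, hops                                     # chain too long: report where we stopped

def audit_pointers(entries, memory):
    """entries: list of (expected_dll, symbol, pointer) taken from an IAT slot or a
    GetProcAddress result. A pointer is suspicious when the code it ultimately reaches
    does not live in the DLL that should implement the symbol."""
    findings = []
    for dll, symbol, ptr in entries:
        final, hops = follow_jmps(memory, ptr)
        owner = module_of(final)
        if owner != dll:
            findings.append({"symbol": symbol, "expected": dll, "lands_in": owner,
                             "chain": [hex(h) for h in hops]})
    return findings

# Constructed snapshot of process memory (only the bytes the checker reads).
K32_CREATETHREAD = 0x76A12340   # genuine kernel32 export
PROTECTOR_CODE   = 0x01620000   # inside game.exe: the protector's own section
NTDLL_RTLUTS     = 0x77B51000   # stand-in for RtlUserThreadStart
NTDLL_CAVE       = 0x77B7F000   # slack space in ntdll used as a trampoline

MEMORY = {
    K32_CREATETHREAD:    b"\x8B\xFF\x55\x8B\xEC",                    # ordinary prologue, no jmp
    NTDLL_RTLUTS + 0x8:  jmp_rel32(NTDLL_RTLUTS + 0x8, NTDLL_CAVE),  # patched jump in the routine
    NTDLL_CAVE:          jmp_rel32(NTDLL_CAVE, PROTECTOR_CODE),      # trampoline out of ntdll
    PROTECTOR_CODE:      b"\x60\x9C\x90\x90\x90",                    # pushad/pushfd: chain ends here
}

ENTRIES = [
    ("kernel32.dll", "CreateThread", K32_CREATETHREAD),           # clean IAT slot
    ("kernel32.dll", "LoadLibraryW", PROTECTOR_CODE),             # IAT slot overwritten
    ("ntdll.dll", "RtlUserThreadStart+0x8", NTDLL_RTLUTS + 0x8),  # jump target redirected
]

def demo():
    """Run the audit over the constructed snapshot; returns the list of findings."""
    return audit_pointers(ENTRIES, MEMORY)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live process the same logic reads the IAT from the loaded module's import directory and the bytes through a debugger or ReadProcessMemory; the interesting output is the chain, which tells you where each hop lives and therefore what to restore.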

Tuesday, September 2, 2014

SecuROM v8.10 might pack more than I thought.

Once you bypass the anti-debug APIs, you realise that bypassing those is the easy part; now I feel a bit ashamed that it took me 30 days just to bypass them. Oh well.

I've identified a few threads that are started before the OEP which are essential. I've only just started to analyse them; they are obfuscated, so reading the assembly will be difficult.

A small side note unrelated to all of this. There is a method on the internet for finding out the version of SecuROM: searching for the string 'AddD' will show a version number next to it. For SecuROM v8 this method no longer works; a version is displayed, but it's not correct.

Saturday, July 5, 2014

Some insight about Process Virtual Machines.

So, I understood more about Process VMs. Last night, out of the blue, I became aware of roughly how they work.

I also found a sample VM implementation, of the kind supposedly used in packers/protectors, albeit probably not as advanced, but still worth the read. Here's the link: http://syprog.blogspot.com/2011/12/simple-virtual-machine.html

Anyway, I guess it's sort of a misconception that a VM executes anything. It does not; the VM instructions are simply "interpreted", i.e. if the instruction is MOV REG_DEST, REG_SRC, you are the one that must handle this operation.

I might write my own VM implementation, just to learn more.
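As an added example (not the author's code or the linked implementation), here is a small register VM in Python of the kind the post describes: a bytecode with a handful of opcodes, a two-pass assembler so a loop can refer to a label, and an interpreter loop in which every instruction, including MOV reg_dst, reg_src, is handled by Python code rather than executed by the CPU. The opcode numbers, encoding and the factorial program are my own choices for the example.

```python
import struct
from enum import IntEnum

class Op(IntEnum):
    MOV_RI = 0x01   # MOV reg, imm32
    MOV_RR = 0x02   # MOV reg_dst, reg_src
    ADD_RR = 0x03   # ADD reg_dst, reg_src
    SUB_RI = 0x04   # SUB reg, imm32
    MUL_RR = 0x05   # MUL reg_dst, reg_src
    JNZ    = 0x06   # JNZ reg, code_offset   (jump if reg != 0)
    HALT   = 0xFF

# Encoded size of each instruction: opcode byte, register bytes, 32-bit immediates.
SIZES = {Op.MOV_RI: 6, Op.MOV_RR: 3, Op.ADD_RR: 3, Op.SUB_RI: 6,
         Op.MUL_RR: 3, Op.JNZ: 6, Op.HALT: 1}
MASK = 0xFFFFFFFF      # registers are 32-bit, arithmetic wraps like on a real machine
NREGS = 4

def assemble(program):
    """program: list of tuples (Op, operands...) or ("label", name). Returns bytecode."""
    labels, offset = {}, 0
    for ins in program:                       # pass 1: resolve label offsets
        if ins[0] == "label":
            labels[ins[1]] = offset
        else:
            offset += SIZES[ins[0]]
    code = bytearray()
    for ins in program:                       # pass 2: emit bytes
        if ins[0] == "label":
            continue
        op, *args = ins
        code.append(op)
        if op in (Op.MOV_RI, Op.SUB_RI):
            code.append(args[0])
            code += struct.pack("<I", args[1] & MASK)
        elif op in (Op.MOV_RR, Op.ADD_RR, Op.MUL_RR):
            code += bytes(args[:2])
        elif op == Op.JNZ:
            code.append(args[0])
            code += struct.pack("<I", labels[args[1]])
    return bytes(code)

def run(code, max_steps=100_000):
    """Interpret the bytecode. Nothing here is executed natively: each opcode is a
    Python branch that updates the VM's register file. Returns the registers at HALT."""
    regs = [0] * NREGS
    pc = 0
    for _ in range(max_steps):
        op = code[pc]
        if op == Op.HALT:
            return regs
        if op == Op.MOV_RI:
            regs[code[pc + 1]] = struct.unpack_from("<I", code, pc + 2)[0]
        elif op == Op.MOV_RR:                 # the MOV REG_DEST, REG_SRC case from the post
            regs[code[pc + 1]] = regs[code[pc + 2]]
        elif op == Op.ADD_RR:
            regs[code[pc + 1]] = (regs[code[pc + 1]] + regs[code[pc + 2]]) & MASK
        elif op == Op.SUB_RI:
            imm = struct.unpack_from("<I", code, pc + 2)[0]
            regs[code[pc + 1]] = (regs[code[pc + 1]] - imm) & MASK
        elif op == Op.MUL_RR:
            regs[code[pc + 1]] = (regs[code[pc + 1]] * regs[code[pc + 2]]) & MASK
        elif op == Op.JNZ:
            if regs[code[pc + 1]] != 0:
                pc = struct.unpack_from("<I", code, pc + 2)[0]
                continue                      # taken branch: do not fall through
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        pc += SIZES[Op(op)]
    raise RuntimeError("step limit exceeded (runaway loop?)")

def factorial_program(n):
    """r0 = n, r1 = accumulator; loop while r0 != 0. Valid for n >= 1."""
    return [
        (Op.MOV_RI, 0, n),
        (Op.MOV_RI, 1, 1),
        ("label", "loop"),
        (Op.MUL_RR, 1, 0),        # acc *= n
        (Op.SUB_RI, 0, 1),        # n -= 1
        (Op.JNZ, 0, "loop"),
        (Op.HALT,),
    ]

def factorial_via_vm(n):
    """Assemble and interpret the factorial program, returning r1."""
    return run(assemble(factorial_program(n)))[1]

if __name__ == "__main__":
    print(assemble(factorial_program(5)).hex())
    print(factorial_via_vm(5))
```

A protector's VM differs mainly in scale and in how hard it makes the opcode table to recover (per-build opcode numbering, handlers that are themselves obfuscated), but the shape is the same: a fetch, a dispatch, and a handler per opcode that manipulates the VM's state.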

Wednesday, July 2, 2014

IDA is too glorified for x86/x64 RE.

I only mentioned x86 and x64 because, while Ollydbg is a better debugger for those (and it's free), it cannot debug other platforms, such as ARM. It also lacks a decompiler.

But anyway, I see people mentioning IDA like it's the go-to tool for RE. It's not. I've had more success in RE-ing SecuROM with Olly than IDA ever has let me.

Simply put, when it comes to x86/x64 it's only good for static analysis of binaries that are not protected. Once we go into packing, anti-debugging and obfuscation, it's useless, or rather, not as good as Olly.

P.S
Ollydbg x64 is in development.

Wednesday, June 25, 2014

Found OEP of Crysis 3.

After a few assumptions, mainly from the code of Crysis 2, I've finally arrived at Crysis 3's OEP, the real one. It's exactly like Crysis 2's.

At this point I guess I have to try to rebuild IAT.

EDIT: For anyone wondering, the address of the OEP is 0x3863F50A (0x01663F50A without the image base); so far it has been static.

Friday, June 6, 2014

SecuROM is a tough beast.

I've been battling the protection of Crysis 3 for 3 days straight, with no progress whatsoever. I have Olly loaded up with many different anti anti-debug plugins and none of them seem to work against SecuROM.

[8/6/2014] A small edit to clarify, if it wasn't clear: I removed the EADRM protection, which was easy as pie, but at the OEP, where I would've expected Crysis 3's code to start, I ended up in SecuROM code.

RELOADED/SKiDROW, if you are reading this (and it's very likely that you aren't): am I to understand that you never managed to beat SecuROM in Crysis 3? Because SecuROM is still there in your cracks and you only exploit the license manager to make the game work.
Sorry, my ego got the best of me.

Regarding EADRM in general.

So while I was writing my Crysis 2 articles, I found out something: the OEP for what I can assume is every game released in the past few years via Origin is stored in the actual .exe, near the end of the file, just after the four characters IREW (all capitals); that is, the 4 bytes after IREW are the OEP. Writing those down and adding to them the image base (and working out any relocation that might happen), you are at the OEP. Put a hardware breakpoint on execution on the OEP, and once you break you can just dump; all that's left is to fix imports.
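As an added example (not the author's code, and note the post's own 2016 update saying Origin has since changed its DRM), here is the arithmetic of that paragraph in Python: find the last IREW marker in the file bytes, read the 32-bit little-endian value after it as an RVA, and turn it into the virtual address to break on, with the preferred image base or, if the loader relocated the image, the base it was actually loaded at. The sample file bytes, the preferred base 0x00400000 and the RVA 0x3F50A are constructed for the example and are not values taken from any game.

```python
import struct

MARKER = b"IREW"
PREFERRED_BASE = 0x00400000     # constructed: the image base from the PE optional header
SAMPLE_RVA = 0x0003F50A         # constructed: the RVA stored after the marker

def find_oep_rva(image_bytes, marker=MARKER):
    """Return the 32-bit little-endian value stored right after the LAST occurrence
    of marker (the post says it sits near the end of the file), or None if absent
    or truncated. Using the last occurrence avoids an accidental earlier match."""
    idx = image_bytes.rfind(marker)
    if idx < 0 or idx + len(marker) + 4 > len(image_bytes):
        return None
    return struct.unpack_from("<I", image_bytes, idx + len(marker))[0]

def rva_to_va(rva, preferred_base, loaded_base=None):
    """An RVA is relative to wherever the image was mapped. If the loader honoured the
    preferred base, VA = preferred_base + rva; if it relocated the image, every address
    moved by the same delta, so the OEP is loaded_base + rva instead."""
    base = preferred_base if loaded_base is None else loaded_base
    return (base + rva) & 0xFFFFFFFF

def locate_oep(image_bytes, preferred_base, loaded_base=None):
    """Convenience wrapper: marker lookup followed by the base arithmetic."""
    rva = find_oep_rva(image_bytes)
    if rva is None:
        return None
    return rva_to_va(rva, preferred_base, loaded_base)

def sample_image():
    """Constructed stand-in for a packed executable: a DOS signature, filler that
    does not contain the marker, then the marker and RVA near the end of the file."""
    filler = bytes(range(256)) * 4
    return b"MZ" + filler + MARKER + struct.pack("<I", SAMPLE_RVA) + b"\x00" * 16

if __name__ == "__main__":
    img = sample_image()
    print(hex(find_oep_rva(img)))                               # the stored RVA
    print(hex(locate_oep(img, PREFERRED_BASE)))                 # VA at the preferred base
    print(hex(locate_oep(img, PREFERRED_BASE, 0x01230000)))     # VA after relocation
```

The relocation case is the one to keep in mind when the breakpoint never fires: an address computed from the preferred base is only right if the module was not moved, so read the actual base from the debugger's module list before adding the RVA.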

That said, Crysis 2 was easy as pie to unpack, but Crysis 3 after unpacking has another layer of protection, this time much more advanced for the average joe (aka me) to unpack. Robert Yates, the guy who cracked SecuROM a while back, told me that Crysis 3 uses an older version of SecuROM, obviously not that old, probably 8.X.
For now, SecuROM is beyond me.

Addendum: Fixed typo, it was IREW and not IWER.

Update 8d/2m/2016. The information above is no longer relevant, Origin have updated their DRM.

Wednesday, June 4, 2014

Reverse Engineering. Unpacking Crysis 2! The actual stuff.

Before I continue, I want to stress that I legally own both Crysis 2, and Crysis 3 on Origin.

Now, I want to first say that my experience with RE is very limited. I don't really know ASM as well as I should, nor do I know anything about the PE (Portable Executable) format, or anti-debugging techniques and how to bypass them.

The tools used by me:

  • Ollydbg 1.10 with the following plugins: HideOD, StrongOD, phant0m, HideDebugger. Can't tell you which combo of options (anti anti-debug options) works; just try them all until the executable does not crash, give exceptions, exit, etc.
  • Ollydbg 2.01 with OllydumpEX for 2.x, no other plugins.
  • Hex Editor


Much of our work will be done using Ollydbg 2.01, since Ollydbg 1.10 doesn't seem to like some patches that will be required. And much of our work will be done on the file called awc.dll, located in the Core folder, it's part of EADRM. It's responsible for unpacking and launching Crysis 2.

A few important abbreviations to remember before we begin:

  • OEP - Original Entry Point.
  • IAT - Import Address Table.
  • EP - Entry Point.
  • EIP - Extended Instruction Pointer.
  • RVA - Relative Virtual Address.
  • VA - Virtual Address.
  • JMP - Jump Instruction.

When it comes to packing/unpacking, OEP refers to the entry point the way it was BEFORE the executable was packed. Most packers, though, also destroy the Import Table, so the executable does not know where to find, say, the function Sleep, or CreateProcess. The unpacker stub basically does a few calls to LoadLibrary and GetProcAddress and rebuilds it; this doesn't mean it's as simple as using Import Reconstructor to fix things. In our case, it might require manual work to fix this.


[Deleted]

[18/9/2014]
The article was "useless"; please read this instead: Regarding EADRM in general.

Reverse Engineering. Unpacking Crysis 2!

It has been a long time since I wrote anything in the blog, thought it might be time to share some experience.

So, what is so special about Crysis 2? Isn't it a really old 2011 game? It's special in my heart. It all started in February of 2011: Crytek had released the multiplayer DEMO of Crysis 2 and, after having tried it for the first time, I fell in love immediately with the multiplayer component. Here came March 21st and March 22nd: the game came out, but I couldn't buy it then, so I patiently waited for a cracked version to appear. Astonishingly, it took 2-3 days for somebody to release a crack; meanwhile there was a non-cracked version available.

So, what did I do? Well, I tried to crack it myself, of course! Did I succeed? Absolutely not! I didn't know a thing about RE (Reverse Engineering) or ASM (Assembly), but I still tried for a while.

I played the Singleplayer, after a cracked version was released, I loved how spooky and eerie the story felt, because it was saying the suit was alive and could think for itself. The story was all about the suit. Graphics were as always, pretty good. But the AI was dumb, really dumb.

After I finished the singleplayer, I kept wondering, how do I play the multiplayer? I couldn't. After a while (a month or two?), something amazing was released, something I didn't believe was even possible. A multiplayer crack! However strange it may seem, it only worked in limited hours, between 16:00 and 21:00 UTC. I never figured out how it worked.

Did I play? Yes, oh my god yes, the multiplayer was really competitive; it took skill to aim. After a while, I found a website that was selling Crysis 2 serial keys for just $16, even as low as $11. Should have noticed the signs. The key was legit; it worked fine up to the moment GameSpy shut down in May 2014. Yes, from the $11 price of a game not even 2 months old, the sign was obvious: it was dying, and sure enough, after about 3 months, Crytek stopped patching it, abruptly, and there was ZERO communication from them TILL the Crysis 3 announcement in the summer of 2012. I must stress the word ZERO.
The game was left unpatched, with various GAMEBREAKING bugs, such as the infamous Scar+Laser bug, which made you strafe faster and was abused a lot. And cheaters, who could bypass the votekick system easily, very easily.
Hint: Same thing happened to Crysis 3.

So, there you have it. Much of 2011 and 2012 was Bitcoin and Crysis 2, mine and play and play and mine. Those were the days!

Actual unpacking bits in next article.