-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
SAFE_DiSC / [yAtEs] / Best viewed with Edit.com / 11-Feb-00
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
                      --==[ WoRMS ARMAGEDDoN ]==--

Ok, Worms Armageddon is the game in which I first discovered SafeDisc :P
Now, a few months later, I'm back to kick its ass :)

This game has what I call SafeDisc type 1; it uses jump tables like
in my first tut.

                  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-===-=
                 -          --==[ CON-10-8's ]==-       -
                  =                                    =
                 -     ...   Obtain Information   ...   -
                  =    ...     Obtain Dumps       ...  =
                 -     ... Obtain Api information ...   -
                  =    ...   Stick it together    ...  =
                 -     ...        Rebuild         ...   -
                  =                                     =
                 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ok, I won't go through everything in super duper detail, as you should refer to
my SafeDisc tut1 for some of the basics.


Obtain Information
=-=-=-=-=-=-=-=-=-

In order to fix the exe we need to dump all sections at the ICD entry point,
so let's get some info from the ICD file using ProcDump.

Entry Point: 4F5E60

Section   Virtual address   Size
.text     401000            105200
.rdata    507000            20C00
.data     528000            34A00
.rsrc     7B4000            315E00

Note: when using ProcDump make sure you exit the information boxes using
Cancel, or you'll get a ProcDump copyright notice in your ICD, which
then shits everything up.


Obtain Dumps
=-=-=-=-=-=-

As you know, we must break on the ICD entry point and then dump the above.
Every SafeDisc game has anti-debugger shit in it and an initial debugger
check, so load up FrogICE and turn off BlueScreenOfDeath; now we must break
on the entry point without fux0ring the CRC check results.

I've had many bad days from getting bad dumps :/, so here's what I do now:
first get to the entry point, then exit and let the game load, then rerun
the game; if it runs fine we know we can poke around a bit using whatever
we used to get to the entry point.

Run Worms; when the splash picture disappears press Ctrl+D until you get
into DxPlayer and then set BPX FREELIBRARY. Now exit; when SoftICE breaks
again type D 4F5E60 and you should see lots of letters, not ??'s. If it's
ok, BC * then BPX 4F5E60 and exit, and you're at the entry point. May
as well dump everything, but first BC *, now:

Pagein D 401000 105200 c:\WAtext
Pagein D 507000 20C00 c:\WArdata
Pagein D 528000 34A00 c:\WAdata
Pagein D 7B4000 315E00 c:\WArsrc

Ok, exit SoftICE and let the game run, now rerun the game: does it run
ok?...! gawd, it still runs, I swear when I tried it it didn't, gah :d
hrmmpf, ok I guess that's a good thing, sure I can adapt :d

Open ProcDump and PE Edit the WA.icd and you'll see the raw offset of
.text is 400; this means our header is 400 bytes long. Exit ProcDump.


Ok, we have our dumps; stick them in a new drawer and create a bat file to
stick them together like so:

@echo off
cls
echo.
echo                   Rebuilder SafeDisc EXE
echo.
echo.
copy /b header + WAtext + WArdata + WAdata + WArsrc Rebuild.exe

Load a hex editor, select the first 400 bytes of wa.icd and save them as header
in our new drawer.

Run the bat file; you should have a new file called Rebuild.exe with
the original WA icon, which means your sections are ok in size etc.


Obtain API Information
=-=-=-=-=-=-=-=-=-=-=-

Ok, now we have our dumps we must fix the import table. Run Worms
again and go to the entry point; you should see:

0167:004F5E60  PUSH      EBP
0167:004F5E61  MOV       EBP,ESP
0167:004F5E63  PUSH      FF
0167:004F5E65  PUSH      005176C0
0167:004F5E6A  PUSH      004F6040
0167:004F5E6F  MOV       EAX,FS:[00000000]
0167:004F5E75  PUSH      EAX
0167:004F5E76  MOV       FS:[00000000],ESP
0167:004F5E7D  ADD       ESP,-68
0167:004F5E80  PUSH      EBX
0167:004F5E81  PUSH      ESI
0167:004F5E82  PUSH      EDI
0167:004F5E83  MOV       [EBP-18],ESP


Ok, usually you should find the first API call in the first call from the
entry point, but not in this case, so we must trace through all the calls
to find the first one, then reboot, come back and dump.

To save you the work, the first API is at 004F5F89; trace to there now
and enter the call, and you will see where the APIs are being called from.

Scroll to the top of this list and you will see:

0167:00F62B6F  00FF                ADD       BH,BH
0167:00F62B71  25B029F600          AND       EAX,KERNEL32!GetPrivateProfileStri
0167:00F62B76  FF25B429F600        JMP       [KERNEL32!GlobalUnlock]
0167:00F62B7C  FF25B829F600        JMP       [KERNEL32!GetPrivateProfileIntA]
0167:00F62B82  FF25BC29F600        JMP       [KERNEL32!GetLocalTime]
0167:00F62B88  FF25C029F600        JMP       [KERNEL32!FindResourceA]
0167:00F62B8E  FF25C429F600        JMP       [KERNEL32!GetComputerNameA]
0167:00F62B94  FF25C829F600        JMP       [KERNEL32!GlobalLock]


First dump the list; your numbers will be different, but for me it's:

Pagein D F62B6F 30000 c:\JMPTAB

Now you see the first API is called from above the jumptable, so we must
dump from there as well.

first api = 0167:00F62B70  FF25 B029F600  -> 00F629B0, which is lower than F62B70

So let's dump from the first API; your values will be different:

Pagein D F629B0 30000 c:\APITAB

So exit SoftICE and load both newly dumped files into Hex Workshop.

In our jumptable we see:

FF25B029F600 FF25B429F600 ...etc ...etc

If we take the first number we can see this jump points to 00F629B0,
which is offset 0x0 in our APITAB file; go there and extract the API:

4478F7BF, there it is.

If we do the second one, FF25B429F600, it points to 00F629B4, so if
0x0 in our APITAB is 00F629B0, then 00F629B4 must be F629B4-F629B0,
which is 4, so at 0x4 in our APITAB file is:

1B6EF7BF <- next api

You see, F629B0 is what I call the API base and is what we subtract.

Now if you were to do some more in your head you will see that it's all
in order, and in fact we have a complete API table sitting in APITAB which
is ready to be copied and pasted over the bad refs in our rdata.

So now select all the APIs in the APITAB; we should have 0xA8 bytes
selected. Now open WArdata and find 0xA8 bytes of bad refs, which have the
simple form "xxxx F600". Did you find the bad refs in the rdata? Well, they
start at 0x420, so select all of these, delete them, paste in the ones from
our APITAB and save as WArdata2.

Now rebuild the exe using this new rdata section:

copy /b header + WAtext + WArdata2 + WAdata + WArsrc Rebuild.exe

You may have noticed that SafeDisc in this game changes the offset of
where the jump tables are on each load.

=====

Ok, with the new exe, run it in the Worms directory; we get a GPF.
Turn faults off, then click Details on the Microsoft "your app fucked up"
box; mine says fault at 0084:00f641b6, which looks like an old bad rdata ref.
This must be the USER calls, so let's fix them.

At this point we would go to the entry point and take a look at this offset
for our USER stuff, but in this game the jump tables seem to move about,
so we will have to search for the USER table and dump it.



Go back to the ICD entry point and enter the call which has the kernel
APIs @ 004F5F89. Now we must search for the USER stuff manually: click
in the code window and use page up/down a few times to find the USER
stuff. I found it below on my first time around, but this time I found it
above, so it can be either. When you've got it you'll see:

0167:00F641DD  0000                ADD       [EAX],AL
0167:00F641DF  00FF                ADD       BH,BH
0167:00F641E1  250041F600          AND       EAX,USER32!wvsprintfA
0167:00F641E6  FF250441F600        JMP       [USER32!SetCursorPos]
0167:00F641EC  FF250841F600        JMP       [USER32!GetForegroundWindow]
0167:00F641F2  FF250C41F600        JMP       [USER32!LoadCursorA]
0167:00F641F8  FF251041F600        JMP       [USER32!GetDesktopWindow]


We do the same as we did before, dump the jump table:

Pagein D 00F641E0 30000 c:\Jtable

Then you can see the API is above the table again:

first api = FF25 0041F600  -> 00F64100, which is less than F641DF

So dump the first USER API:

Pagein D 00F64100 30000 c:\User

Now exit SoftICE and open the two files with Hex Workshop. If we look in
the User file we can see a list of USER APIs; select them all, we have
0xD4 bytes selected. Open WArdata2 and find the USER bad refs; if
you have trouble finding them, remember the value from earlier in the error
message and just search for that, 8041F600. Ok, so the bad USER refs are at
0x934; if you select them all there are exactly 0xD4 bytes :).
Delete them, then paste in our new ones, save as WArdata3 and rebuild the
exe with this:

copy /b header + WAtext + WArdata3 + WAdata + WArsrc Rebuild.exe

Copy this exe to the Worms directory and run; w00p, the game runs :DD
Ok, one more thing, or two even: load ProcDump, select Rebuild PE, then
select our new exe and it's now ready to run on all platforms.

SOOoo now remove the CD and try running it; eEk! You now have to crack
this standard protection, good luck :)

Last note

In this example we had our APIs all in a big list which we could paste
into the rdata; sometimes we aren't this lucky :d and would have
to write a program to extract each value from the jumptable file,
subtract the API base to get an offset, and fetch the entry at that offset
from the API file, blah blah blah, hmmm do I make sense? Anyway, if you get
stuck email me and I'll be happy to help, now there's an offer :)
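The program described in the last note, as an added Python example that is not from the original tutorial: it walks the FF 25 stubs in a jump table dump, subtracts the API base from each target to get an offset into the API dump, and copies the 4-byte entry found there, so it also handles the unlucky case where the stubs are not in address order. The JMPTAB/APITAB bytes and the third entry are constructed sample data, not real dump contents.

```python
import struct

# Constructed sample data (not from the tutorial's dumps): a jump table that
# starts with one stray 00 byte, like the listing above, followed by three
# FF 25 stubs. The second and third stubs are deliberately out of order to
# show that the rebuild follows the pointers instead of assuming the entries
# appear in order.
JMPTAB = bytes.fromhex("00"
                       "FF25B029F600"   # JMP [00F629B0]
                       "FF25B829F600"   # JMP [00F629B8]
                       "FF25B429F600")  # JMP [00F629B4]
API_BASE = 0x00F629B0                   # address the APITAB dump starts at
APITAB = bytes.fromhex("4478F7BF"       # 0x0: first value from the tutorial
                       "1B6EF7BF"       # 0x4: the next one
                       "3C11F7BF")      # 0x8: constructed third entry

JMP_STUB = 6  # FF 25 followed by a 4-byte absolute address

def parse_jump_table(jmptab: bytes):
    """Return the [target] addresses of consecutive FF 25 stubs.
    Scanning starts at the first FF 25, so a leading stray byte is skipped."""
    start = jmptab.find(b"\xff\x25")
    if start < 0:
        return []
    targets = []
    pos = start
    while pos + JMP_STUB <= len(jmptab) and jmptab[pos:pos + 2] == b"\xff\x25":
        targets.append(struct.unpack_from("<I", jmptab, pos + 2)[0])
        pos += JMP_STUB
    return targets

def rebuild_import_table(jmptab: bytes, apitab: bytes, api_base: int) -> bytes:
    """Build the bytes that replace the bad refs in .rdata: for each stub,
    target - api_base is the offset into the API dump, and the 4 bytes at
    that offset are the real API address."""
    out = bytearray()
    for target in parse_jump_table(jmptab):
        off = target - api_base
        if off < 0 or off + 4 > len(apitab):
            raise ValueError(f"stub target {target:#010x} lies outside the API dump")
        out += apitab[off:off + 4]
    return bytes(out)

if __name__ == "__main__":
    table = rebuild_import_table(JMPTAB, APITAB, API_BASE)
    print(f"{len(table):#x} bytes to paste over the bad refs:", table.hex().upper())
```

With real dumps, read JMPTAB and APITAB from the files written by Pagein and set API_BASE to the address the second dump was taken from.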

Cya
   [yAtEs]
Jamesluton@hotmail.com
Cdchecks.cjb.net

