Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


DRM

 
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sat Jul 08, 2017 3:46 pm    Post subject: DRM

wondering, how to identify DRM in assembly code.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sun Jul 09, 2017 12:49 pm

for example denuvo drm.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jul 09, 2017 2:45 pm

There are detection tools available. Sometimes, certain strings or modules are identifiable or you might see patterns and behavior in code that are recognizable if you are familiar. Sometimes, the information is publicly disclosed, etc.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sun Jul 09, 2017 3:22 pm

never heard about detection tools of denuvo or drm in general.

about modules, yes there are certain modules. but honestly idk what modules they communicate with.

strings, this remains the only one and best possible way.
and the best tool i have ever used to look at strings is Cheat Engine!
some disassemblers can't scan protected strings or can't even identify them as strings, while CE can!

also string map generator is awesome.

the problem is here, when strings are compressed or encrypted using an unknown cryptography method (custom).

for compressed strings (of course there are different compression ways) some tools also can identify compressed strings.

++METHOS wrote:
the information is publicly disclosed

let's hope i find something, thanks.

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Jul 09, 2017 4:03 pm

Not sure about Denuvo. Regarding DRM, I suppose that would depend on your definition.

Typically, Denuvo stuff eventually leaks to the public, so a simple google search will work.

I wouldn't use CE for this kind of thing, personally.

You do not usually have to worry about arbitrary strings being encrypted. Generally, you're dealing with some kind of wrapper or packer that renders those things unreadable, if anything, and important data that gets encrypted or is obfuscated/polymorphic code etc., is executed and handled at run-time.

I am no expert, to be honest.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Mon Jul 10, 2017 12:18 am

++METHOS wrote:
I wouldn't use CE for this kind of thing, personally.

why? compared to other tools, ce string map can show up a lot of things.
i wish someone would work on CE strings map more and ref' strings function more.

++METHOS wrote:
if anything, and important data that gets encrypted or is obfuscated/polymorphic code etc., is executed and handled at run-time.


ehm, during runtime. you sure about this?
i do know runtime, but i don't understand it in such a good way (i mean technically). i do try to expand my knowledge about related things and systems.

so does it mean they will use some windows functions to handle the execution of these things and it's going to be on the very top lines of the program?

so if it's true (and if my understanding is true too) it will set up a stack frame as usual and push these strings on the stack.
a key is required to bring back these letters to their original states.

so maybe keeping an eye on the stack and run some useful things to watch the current stack frame and pointer, and what value and functions passed there.

++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Mon Jul 10, 2017 1:07 am

OldCheatEngineUser wrote:
why?
-Because there are better tools available for RE and code analysis.

OldCheatEngineUser wrote:
ehm, during runtime. you sure about this?
-No. But generally speaking, most of the important stuff occurs within temporary memory, not within hard-coded data. Wouldn't you agree?

Regarding the other stuff, it all depends on what is being used and how it's being used. There are no set rules for everything. There are different detection, protection and encryption schemes -- some, better than others.

Anyway, if you want to learn more about it, you'd be better off asking via an RE forum, not a game-hacking forum.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Mon Jul 10, 2017 1:29 am

++METHOS wrote:
-Because there are better tools available for RE and code analysis.

maybe ida

++METHOS wrote:
-No. But generally speaking, most of the important stuff occurs within temporary memory, not within hard-coded data. Wouldn't you agree?

of course, that's true.



and i know i shouldn't ask here, due to the rules and things that happened.
i already tell people if they ask for related things to not post.
but it was only a question that came in my mind.
anyway, thank you.

i do believe it's better to delete this topic dark byte. or any other admin / mod.

STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

Posted: Mon Jul 10, 2017 2:42 am

Protection ID by CDKiLLER & TippeX can detect if it's using denuvo - you can get it from https://pid.gamecopyworld.com/ - It's very up to date and can detect a wide range of stuff.

Methos explained how it's found, through signatures. It's the same way antiviruses function, they have a database of signatures for packers, malware and as soon as they're matched, they scream virus. This is why trainers are treated as malware if you dare pack it with upx.

Denuvo uses VMProtect and its virtualization features, the strength of denuvo is VMProtect. VMP virtualization works by "virtualizing/encrypting" asm instructions to its own instructions that are run in a virtual machine that VMP can understand and execute. So something like mov instruction is converted to blabla and VMP can understand what blabla means :D (funny example but that's how it feels when you look at the instructions, they all look gibberish). Some really smart people have attempted to understand and devirtualize these instructions and devirtualizer tools are made but it's a battle because VMP can push new update and introduce/omit/change it again and reversers have to figure it out again.

This is why denuvo is really hard to deal with and it takes some time to crack these games and why 3dm pussied out (their statement of why was just bullshit to save face). Some of the best people give up when they encounter virtualization. If you remember the recent controversy regarding denuvo using unlicensed vmprotect versions...it was sorted out very quickly because denuvo can't make their own protection or it would be a waste of their time i guess when they can use one of the best ones available of VMP.

What you are looking at when CE looks for strings is AFTER the data is decrypted, you can dump the memory even and then analyze it. Reconstructing it to an exe however is another matter.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Mon Jul 10, 2017 3:16 am

useful info, thank you STN.

also thanks for the tool, it's probably "a good thing" to have and download.

it's a funny example, but i got your point. << and thanks for this, i didn't know about it.

ehm, VMP is really interesting. << i've lost the hope.

i didn't know that denuvo is using vmp, neither using unlicensed version.

maybe it's better for me to learn how vmp works lol.

dammit STN, you made me like ":shock:", what a damn protection.

lol, i should never ask about this thing, i'm laughing at myself.

this topic must be CLOSED

atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Tue Jul 11, 2017 1:43 am

The entire drama/story around Denuvo using an unlicensed copy of VMP was nothing more than someone stirring up drama. VMP was quick to debunk that and issued an official statement that Denuvo was indeed allowed to use VMP and was using a valid licensed copy. The issue people tried to bring up during the story was old news that was completely unrelated to the time and topic. (This was all happening when Rime was being cracked.)

As for how DRMs are detected, it's all done through signature detection or heuristics based on the DRM's characteristics. For example, some less intensive DRMs will use a common codebase that generally injects some method of detection for a legit copy, CD key, CD presence, etc. When this is done, that code that handles this detection is generally the same for most versions of that DRM or at least minor revisions for that specific build release of the DRM. (ie. 2.x.x vs. 3.x.x) With that, you can find functions that are common between titles that the DRM uses to make its checks and create patterns from them. The same way you would pattern scan for a cheat in a game, you can pattern scan for DRM functionality.

For instance, with my Steamless project, I use pattern scanning to detect the version of SteamStub DRM being used on games released on the Steam platform. SteamStub injects a full section into a game, generally named .bind, which contains a number of different things such as a decryptor for the original code section, some Steam validation checks and an extra layer of protection via the SteamDRMP.dll that is embedded, etc. The layout of the injected stub that is set as the new OEP of the binary is common across all games that use the DRM protection so it can be detected via pattern matching.

In v2.x of the DRM, the known signature is:
53 51 52 56 57 55 8B EC 81 EC 00 10 00 00 C7

In v3.x of the DRM, the known signature is:
E8 00 00 00 00 50 53 51 52 56 57 55 8B 44 24 1C 2D 05 00 00 00 8B CC 83 E4 F0 51 51 51 50

For v3.1 of the DRM and newer, the signature is:
55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 68
or
55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 8D 83

and so on. If one of these patterns is found and the .bind section is present, it is generally enough to determine that a game is packed with the SteamStub DRM in this case.

_________________
- Retired.
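
The check described in the post above (a .bind section plus one of the quoted byte patterns), written out as an added example; it is not part of the original post and not code from the Steamless project. Limiting the search to the raw bytes of .bind, the function names, and the constructed `build_sample` input are assumptions made here.

```python
import re
import struct

# Signatures quoted in the post; "??" matches any single byte.
SIGNATURES = {
    "SteamStub v2.x": ["53 51 52 56 57 55 8B EC 81 EC 00 10 00 00 C7"],
    "SteamStub v3.x": ["E8 00 00 00 00 50 53 51 52 56 57 55 8B 44 24 1C 2D "
                       "05 00 00 00 8B CC 83 E4 F0 51 51 51 50"],
    "SteamStub v3.1+": ["55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 68",
                        "55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 8D 83"],
}

def compile_sig(sig):
    """'AA ?? BB' -> bytes regex; DOTALL so a wildcard also matches 0x0A."""
    return re.compile(b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                               for t in sig.split()), re.DOTALL)

def pe_sections(data):
    """Map section name -> (raw offset, raw size) from the PE section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    count, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    table, out = pe + 24 + opt_size, {}
    for off in range(table, table + count * 40, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out[name] = (raw_ptr, raw_size)
    return out

def detect_steamstub(data):
    """Version label if .bind exists AND a known pattern occurs in it, else None."""
    bind = pe_sections(data).get(".bind")
    if bind is None:
        return None
    body = data[bind[0]:bind[0] + bind[1]]
    for label, sigs in SIGNATURES.items():
        if any(compile_sig(s).search(body) for s in sigs):
            return label
    return None

def build_sample(section, stub):
    """Constructed input: minimal PE headers followed by one raw section."""
    hdr = bytearray(0x200)
    struct.pack_into("<2s58xI", hdr, 0, b"MZ", 0x80)  # DOS magic, e_lfanew
    struct.pack_into("<4sHH12xH", hdr, 0x80, b"PE\0\0", 0x14C, 1, 0xE0)  # COFF
    struct.pack_into("<8sIIII", hdr, 0x178, section.encode(), 0, 0, len(stub), 0x200)
    return bytes(hdr) + stub
```

Requiring both the section name and a pattern match keeps a stray byte sequence in ordinary code from being reported as the stub.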
STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

Posted: Tue Jul 11, 2017 4:39 am

heh - damage control
All times are GMT - 6 Hours