SPR I (SecuROM Profiler I)
----------------------------------
 1.2 (20.04.2014)

() ELF, 2011-2014
https://exelab.ru/f/index.php?action=vthread&forum=13&topic=19719

					==============   (nfo.txt)==============

~  ~
__________

 SPR I        (VM)  DMR SecuROM 7  SecuROM 8.
    ():
*(RED ONE).   VM(struct) +     .     ,     CPU, .. Original_CPU_EFLAGS(+8)   ( SecuROM 8).
*(YELLOW DELTA).   delta-,  VM    (  ,   SecuROM 7).
*(BLUE P-CODE).  p-code ( )
*(WHITE MULTI-MAIN).      (SecuROM 8).     (RED ONE). VM   (not LOCK)  .
  :
- SecuROM Anti-Attach(A.A.).    A.A.      .
- (snapshot)   (CALL VM)      ,     config.ini

~    ~
____________________________

*SecuROM 8
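// SecuROM 8 per-cell VM context, as reconstructed by the author of this page.
// Trailing comments give byte offsets from the structure base (EBX in the
// listings on this page). They assume a 32-bit build in which DWORD and every
// pointer type are 4 bytes wide; on any other target the offsets do not hold.
struct SecuRom_Main_Supply
{
//////// VM control header: 11 fields, 44 bytes ///////////
	LPDWORD Supl_15; //+0   written from EAX by the VM entry code
	LPDWORD Virutal_ESP; //+4   VM stack pointer ("Virutal" is the tool's own spelling); the handler epilogue adds 8 to it
	DWORD Original_CPU_EFLAGS; //+8   copied from the top of the native stack at VM entry
	DWORD Enter_to_VM; //+12  was VOID, which is not a valid field type; the listings store EDX here and add the DWORD to Virutal_ESP
	DWORD Control_Byte; //+16  only the low byte is touched in the listings: set to 0x95 at entry, then adjusted by each handler
	LPDWORD Enter_Main_Supply; //+20  entry code stores the structure's own base address (EBX) here
	LPDWORD Wrapper_V_EBP; //+24  V-EBP of the VM stack; not written by the entry listing shown on this page
	DWORD Stack_Pointer; //+28  native ESP captured at VM entry
	LPCVOID NEXT_Subprimitive; //+32  entry code stores a constant address here; the tool passes this field to Disasm() as the instruction address
	DWORD lock; //+36  0x66666666 while the cell is claimed, reset to 0 by the exit stub
	LPDWORD RESERVED_2; //+40  entry code stores a constant address here; purpose not established on this page
//////////////// Save area that pads the header out to 0x400 ////////
	DWORD Supply_Save_Area[245]; //(0x400)1024-44=980/4=245
//////////////////
	LPVOID Next_Handle_8; //0x400  NOTE(review): presumably the next-handler pointer used by SecuROM 8 - confirm
//////////// Native CPU registers of the caller (Outside_call_REG) ////////
	DWORD Outside_call_REG_EBP; //0x404
	DWORD Outside_call_REG_ESI; //0x408
	DWORD Outside_call_REG_EDI; //0x40C
	DWORD Outside_call_REG_EDX; //0x410
	DWORD Outside_call_REG_ECX; //0x414
	DWORD Outside_call_UNKNOWN_414; //0x418 (the comment used to repeat 0x414; the field name is left unchanged)
	DWORD Outside_call_REG_EBX; //0x41C  reloaded into EBX by the exit stub
	DWORD Outside_call_REG_EAX; //0x420
	DWORD Outside_call_UNKNOWN_Area[11]; //0x424..0x44F (11 * 4 = 0x2C bytes)
	DWORD Outside_call_REG_ESP; //0x450 
	
};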


*SecuROM 7
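// SecuROM 7 VM context, as reconstructed by the author of this page.
// Trailing comments give byte offsets from the structure base and assume a
// 32-bit build in which DWORD and every pointer type are 4 bytes wide.
// NOTE(review): the field notes below follow the listings on this page, which
// appear to come from a SecuROM 8 target - confirm them against a SecuROM 7 one.
struct SecuRom_Main_Supply
{
//////// VM control header: 11 fields, 44 bytes ///////////
	LPDWORD Supl_15; //+0
	LPDWORD Virutal_ESP; //+4   VM stack pointer ("Virutal" is the tool's own spelling)
	DWORD Original_CPU_EFLAGS; //+8
	DWORD Enter_to_VM; //+12  was VOID, which is not a valid field type; the slot is 4 bytes wide (+12 .. +16)
	DWORD Control_Byte; //+16  declared as DWORD, but the page notes it is really a BYTE
	LPDWORD Enter_Main_Supply; //+20
	LPDWORD Wrapper_V_EBP; //+24
	DWORD Stack_Pointer; //+28
	LPDWORD RESERVED_1; //+32  the SecuROM 8 layout on this page names this slot NEXT_Subprimitive
	DWORD lock; //+36
	LPDWORD RESERVED_2; //+40
//////////////// Save area that pads the header out to 0x400 ////////
	DWORD Supply_Save_Area[245]; //(0x400)1024-44=980/4=245
	
};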

~     VM ~
_____________________________

~~    VM (  )~~

[------------       WHITE MULTI-MAIN ( MT )-------------]
01363DAE  |> >B8 FCFFFFFF   /MOV EAX,-4
01363DB3  |. |B9 64000000   |MOV ECX,64
01363DB8  |> |83C0 04       |/ADD EAX,4
01363DBB  |. |8BB8 E471D302 ||MOV EDI,DWORD PTR DS:[EAX+2D371E4] // 0x2D371E4 -  WHITE MULTI-MAIN.   Profiler.cfg,  
01363DC1  |. |817F 24 66666 ||CMP DWORD PTR DS:[EDI+24],66666666
01363DC8  |. |75 06         ||JNE SHORT 01363DD0
01363DCA  |.^|E2 EC         |\LOOP SHORT 01363DB8
01363DCC  |. |F390          |PAUSE
01363DCE  |.^\EB DE         \JMP SHORT 01363DAE

[------------     -------------]
01363DD3  |.  8D53 24       LEA EDX,[EBX+24]
01363DD6  |.  C702 66666666 MOV DWORD PTR DS:[EDX],66666666

[------------      -------------]
01363DDC  |.  B9 00010000   MOV ECX,100
01363DE1  |.  31C0          XOR EAX,EAX
01363DE3  |>  39D7          /CMP EDI,EDX
01363DE5  |.  75 05         |JNE SHORT 01363DEC
01363DE7  |.  8D7F 04       |LEA EDI,[EDI+4]
01363DEA  |.  EB 01         |JMP SHORT 01363DED
01363DEC  |>  AB            |STOS DWORD PTR ES:[EDI]
01363DED  |>^ E2 F4         \LOOP SHORT 01363DE3


[------------   VM    -------------]
01363E27  |.  8903          MOV DWORD PTR DS:[EBX],EAX
01363E29  |.  58            POP EAX
01363E2A  |.  8943 04       MOV DWORD PTR DS:[EBX+4],EAX
01363E2D  |.  8B0424        MOV EAX,DWORD PTR SS:[ESP]
01363E30  |.  8943 08       MOV DWORD PTR DS:[EBX+8],EAX
01363E33  |.  8953 0C       MOV DWORD PTR DS:[EBX+0C],EDX
01363E36  |.  C643 10 95    MOV BYTE PTR DS:[EBX+10],95
01363E3A  |.  895B 14       MOV DWORD PTR DS:[EBX+14],EBX
01363E3D  |.  8963 1C       MOV DWORD PTR DS:[EBX+1C],ESP
01363E40  |.  B8 8478D302   MOV EAX,OFFSET 02D37884
01363E45  |.  8943 20       MOV DWORD PTR DS:[EBX+20],EAX
01363E48  |.  B8 7C73D302   MOV EAX,OFFSET 02D3737C
01363E4D  |.  8943 28       MOV DWORD PTR DS:[EBX+28],EAX

~~     VM,    (     VM)~~

[   DWORD   ( ) ]
MOV ESI,DWORD PTR DS:[EBX+4] //LPDWORD Virutal_ESP; 
ADD ESI,DWORD PTR DS:[EBX+0C]        //Virutal_ESP+Enter_to_VM
MOV EAX, DWORD PTR DS:[ESI] // p-code,   = 0x32EC63B7

[  Control_Byte    ]
PUSH EAX
MOV CL,BYTE PTR DS:[EBX+10] // DWORD (IRL - BYTE) Control_Byte
SHR EAX, 0 //eax = 0x32EC63B7 --        Control_Byte
SHR EAX, 18 //eax = 0x00000032 --- ...
XOR AL,29 //eax = 0x0000001B ---   XOR.   ADD  SUB
ADD BYTE PTR DS:[EBX+10],AL //   Control_Byte   
POP EAX

PUSH EAX
....  ,    ( . MOV, XOR  )
POP EAX

...       (  0x400  SecuROM 8;   YELLOW DELTA  SecuROM 7)

// ADD V-esp, 8 - DWORD      (4 -  DWORD, 8 - DWORD +       -     -)
ADD DWORD PTR DS:[EBX+4],8

//    ()
JMP EAX

~~   VM ~~

[  SecuROM 8 ]
03C30060    C743 24 0000000 MOV DWORD PTR DS:[EBX+24],0 //     
03C30067    8B9B 1C040000   MOV EBX,DWORD PTR DS:[EBX+41C] //EBX -  EAX     , .. return EBX
03C3006D    68 DBBD8601     PUSH 186BDDB
03C30072    C3              RETN

~~   MT ~~
[  (VM-switcher)   ]
03C3003C    52              PUSH EDX
03C3003D    9C              PUSHFD
03C3003E    64:8B1D 0400000 MOV EBX,DWORD PTR FS:[4]
03C30045    83EB 04         SUB EBX,4
03C30048    832B 04         SUB DWORD PTR DS:[EBX],4
03C3004B    8B1B            MOV EBX,DWORD PTR DS:[EBX]
03C3004D    83C3 04         ADD EBX,4
03C30050    64:8B15 0400000 MOV EDX,DWORD PTR FS:[4]
03C30057    83EA 04         SUB EDX,4
03C3005A    29DA            SUB EDX,EBX
03C3005C    8B1A            MOV EBX,DWORD PTR DS:[EDX]
03C3005E    9D              POPFD
03C3005F    5A              POP EDX


~   ~
_______________
!!!        VM,           .      2  - JMP EAX !!!
!!!      SPR I !!!

1.    .   (),   (dem2.exe )        (combobox).    Profiler.cfg    MT  (WHITE MULTI-MAIN)
   ,         (SPR_I.exe /DEM2.EXE).

2.   MT     ( SecuROM 7)  ,  SPR I    RED ONE.    ""   "".  - 
    ASCII ,     (: <space for rent>  SecuROM 7    VM   ASCII,   2  "cut my life into pieces (:" )

3.   VM        .

4.           "<"  ">"     .

5.   VM     "<"   " VM/  "

~ ,    ~
__________________________________

SPR_I.exe -   (CheckSum = 0x00048CC4, md5=0xd37f34fd338693687f294807b40b47b1)
olly_disasm.dll -  OllyDbg,   SPR I (CheckSum = 0x00020DA5, md5 = 0xedcd204e32b2221243027d76d25007d2)
Profiler.cfg -   DRM SecuROM
Config.cfg -   SPR I
olly_disasm.md5, SPR_I.md5 -   (,  Total Commander)

(!)   ,     .          ,    (!)
(!)      WINAPI ReadProcessMemory  WriteProcessMemory (  SecuROM Anti_attach       1.5) (!)

~    Config.cfg ~
__________________________________

 [SecuROM_MT_Options]	 (  SecuROM 8)
	
		Quantity_of_Cells=100  
>>> : DWORD.  : Hex <<<
	   WHITE MULTI-MAIN.  0x100.     0x19

		LOCK_DWORD=66666666
>>> : DWORD.  : Hex <<<
	 ,   VM   . ,    RED ONE        VM .
	  0x66666666.     lock(+0x24)  ,   . ...

		Cell_blocked_if_not_zero=0
>>> : Bool .  : Dec . : 0-false, 1-True <<<
	   ,  lock(+0x24)   .

 [SecuROM_VStack_Options]		(BLUE P-CODE)

		Short_View_Enable=1
>>> : Bool .  : Dec . : 0-false, 1-True <<<
	    p-,    SPR I  .  ,    ,     VM
	     ,   ( Clist)   .     DWORD 
	   LPDWORD Virutal_ESP (+4)   V-EBP ( [Wrapper_V_EBP] )

		Min_Distance_when_Enable=10
>>> : DWORD.  : Dec .<<<
	   DWORD  V-ESP  V-EBP,     . ,     (Short_View_Enable=1)

		Quantity_of_Cells_after_VSPointer=7
>>> : DWORD.  : Dec .<<<
	- DWORD  ,   V-ESP. ..         VM,    ,   . DWORD.

 [SecuROM_Supply15_Options] 	(YELLOW DELTA)

		Use_my_crypt_byte=0
>>> : Bool .  : Dec . : 0-false, 1-True <<<
	 VM     ,   CPUID .     delta- (YELLOW DELTA).

		Manual_CPUID_Crypt_byte=92
>>> : DWORD(byte).  : Hex <<<
	  Control_Byte (+0xC)

 [SPR_I]		(  SPR I)

	HideWindowsCaption=0
>>> : Bool .  : Dec . : 0-false, 1-True <<<
	 SecuROM        SPR I    .   ,   SPR I  -   window text,   .

	SavePath=C:\SPR_Save_VMCALLS\
>>> : String .  : char .  <<<
	,        VM.

~        ~
_______________________________________________

          Executable,   .   :
C (PUSH OFFSET LP | CALL VM): 					[ ] [   p-] [ DWORD ] [ ]
C* (PUSH REG32 | MOV DWORD SS:[EBP-const] | CALL VM): 		[ ]  [-  MOV DWORD PTR SS] [ CPU  ] [ ] 
C? (PUSH REG32 | CALL VM): 					[ ] [ CPU  ] [ ]
J [] (JMP DWORD PTR DS:[address], [address] = VM): 			[ ] [-   VM] [ ] 

~ olly_disasm ~
____________

// Values for the disasmmode argument of Disasm(). The excerpt defines no
// mode with the value 2. The usage example on this page passes DISASM_CODE.
#define DISASM_SIZE    0               // Determine command size only
#define DISASM_DATA    1               // Determine size and analysis data
#define DISASM_FILE    3               // Disassembly, no symbols
#define DISASM_CODE    4               // Full disassembly

// Size in bytes of each fixed text buffer (dump, result, comment) in t_disasm.
#define TEXTLEN        256 
  // Output record filled in by Disasm() for one decoded command.
  // NOTE(review): the field order, widths and packing must match the build of
  // olly_disasm.dll that fills the structure - confirm before changing any type.
  // NOTE(review): the three text members are fixed TEXTLEN-byte buffers; this
  // excerpt does not show whether they are always NUL-terminated.
  typedef struct t_disasm {              // Results of disassembling
  DWORD          ip;                   // Instruction pointer
  char           dump[TEXTLEN];        // Hexadecimal dump of the command
  char           result[TEXTLEN];      // Disassembled command
  char           comment[TEXTLEN];     // Brief comment
  long            cmdtype;              // One of C_xxx
  long            memtype;              // Type of addressed variable in memory
  long            nprefix;              // Number of prefixes
  long            indexed;              // Address contains register(s)
  DWORD          jmpconst;             // Constant jump address
  DWORD          jmptable;             // Possible address of switch table
  DWORD          adrconst;             // Constant part of address
  DWORD          immconst;             // Immediate constant
  long            zeroconst;            // Whether contains zero constant
  long            fixupoffset;          // Possible offset of 32-bit fixups
  long            fixupsize;            // Possible total size of fixups or 0
  long            error;                // Error while disassembling command
  long            warnings;             // Combination of DAW_xxx
} t_disasm;

	// Disassembler entry point, shown here as a prototype only.
	//   src        - buffer holding the bytes to decode
	//   srcsize    - number of bytes available in src (the usage example on this page passes 16)
	//   srcip      - address the command is treated as located at (the example passes NEXT_Subprimitive)
	//   disasm     - caller-owned t_disasm that receives the result
	//   disasmmode - one of the DISASM_xxx values
	// NOTE(review): the return value is presumably the decoded command length - confirm against the DLL.
	ulong Disasm(char *src,ulong srcsize,ulong srcip, t_disasm *disasm,int disasmmode) 

[!]     SPR I:	 
		{
		// Decode the command located at VM_Struct.NEXT_Subprimitive and show its
		// text in the sub-primitive disassembly control.
		// NOTE(review): Read_Proc_DATA presumably holds bytes read from the profiled
		// process. The length passed below is fixed, so confirm that the read
		// delivered at least 16 valid bytes.
		// NOTE(review): neither the return value nor decoded.error is checked before
		// the text is displayed.
		static t_disasm decoded;
		char *code_bytes = (char*)&Read_Proc_DATA[0];
		Disasm(code_bytes, 16, VM_Struct.NEXT_Subprimitive, &decoded, DISASM_CODE);
		::SetWindowText(m_sub_primitive_dissam.m_hWnd, decoded.result);
		}

~    ,    ~
________________________________________________________
     "EXELAB.RU".       !


~   ~
_________________________
https://youtu.be/U3yZCAnzzVE
https://youtu.be/AcVTF1HfTb8


~ .  diff_trace ~
___________________
diff_trace    SecuROM.  :   -  ,   OllyDbg 2.0
    : 0.74
  !
https://ssl.exelab.ru/f/index.php?action=vthread&forum=3&topic=20942





		
~    ,   VM  ... ~
____________________________________________________
     !     "   ".      ,    /     
!       (CListBox  RED ONE)  7  8 .   ,  SPR   !  SecuROM 8  
      CPU  VM(      )   EFLAGS(+8)-       VM. 
    VM (lock +0x24)    VM-( 8 )           !