Silent-Hill-2-Enhancements icon indicating copy to clipboard operation
Silent-Hill-2-Enhancements copied to clipboard

Published 20 hours ago verified publisher icon elishacloud

Removing CD check in EU version

Open Bigmanjapan opened this issue 6 years ago • 5 comments

@elishacloud

Hello.

Since your d3d8.ini file features a NoCDPatch option I woder if you have knowledge on how to disable a SecuROM protection directly in the default EU (Director's Cut) executable?

I know that there already is a cracked EU executable but there is no knowing if anything else got altered there.

Bigmanjapan avatar Feb 04 '19 13:02 Bigmanjapan

If it helps, here are untouched/unaltered copies of the executables: Untouched Executables.zip

Polymega avatar Feb 07 '19 18:02 Polymega

SH2 PC uses SecuROM 4.83.55 (thanks for confirming version, Bigmanjapan). These tools might be able to assist in any DRM removal in the executable. This is all Greek to me, as usual, from not being a programmer:

SecuROM 4.xx - 4.84.75+ (Main Executables) OEP Finder v1.1 (source)

/*
 SECUROM OEP SCRIPT Version 1.1
 By Nukacola

 This script is using the CreateEventA method to get the OEP of a Securom wrapped file
 it should only work with the main executable. For the other executables maybe protected
 with Securom use my other script.
 You have to run your securom protected file one time in olly before using this script or it
 won't work correctly. If you have the plugin installed, which deleted the udd files from olly directory you
 have to run it each time before you want to use this script.
 I guess it's working with Securom from ??? up to 4.84.75

Exceptions: Check all Exceptions but not "Memory Access Violation" and add
80000004 (SINGLE STEP),
C0000005 (ACCESS VIOLATION
C000008F (FLOAT INEXACT RESULT)
C0000094 (INTEGER DIVIDE BY ZERO). 
*/


gpa "CreateEventA", "kernel32.dll"
bp $RESULT
run // start

run // bp 1

run // bp 2

bc $RESULT

rtr
sti

findop eip,#E9????????#
bp $RESULT
run
sto
findop eip,#E9??????FF#
bp $RESULT
run
sti
sti
sti
sti
cmt eip, "<- SECUROM OEP ->"
Msg "Welcome to the SECUROM OEP >---< Set new origin here make a dump and don't forget to fix the imports"
ret

SecuROM 4.xx - 4.84.75+ (Other Executables) OEP Finder v1.1 (source)

/*
 SECUROM OEP SCRIPT (not main executable Version 1.1)
 By Nukacola

 This script is using the CreateEventA method to get the OEP of a Securom wrapped file
 it should only work with the other executables. For the main executable use my other script.
 You have to run your securom protected file one time in olly before using this script or it
 won't work correctly. If you have the plugin installed, which deleted the udd files from olly directory you
 have to run it each time before you want to use this script.
 I guess it's working with Securom from ??? up to 4.84.75
 
 Exceptions: Check all Exceptions but not "Memory Access Violation" and add
80000004 (SINGLE STEP),
C0000005 (ACCESS VIOLATION
C000008F (FLOAT INEXACT RESULT)
C0000094 (INTEGER DIVIDE BY ZERO).
*/

gpa "CreateEventA", "kernel32.dll"
bp $RESULT
run // start

run // bp 1

run // bp 2

bc $RESULT

rtr
sti

findop eip,#0f84#
bp $RESULT
run
bc $RESULT
sti
sti
sto
sto
sto
sto
sto
sto
sto
sti
cmt eip, "<- SECUROM OEP ->"
Msg "Welcome to the SECUROM OEP >---< Set new origin here make a dump and don't forget to fix the imports"
ret

For the scripts above, it mentions having to run the executable in Olly first before using the aforementioned scripts:

OllyDbg: http://www.ollydbg.de/

Reverse Engineering SecuROM 4.X.X (source): SecuROM 4.xx.pdf

Polymega avatar Feb 09 '19 21:02 Polymega

@Bigmanjapan, I was looking into disabling the SecuROM protection dynamically for all versions of SH2 binaries. I created this branch for the code, but have not had time to finish the work. Actually it is quite complicated and I am not sure how to complete it. Once I have time I will get back to looking at it.

elishacloud avatar Feb 16 '19 23:02 elishacloud

@elishacloud I don't know how feasible it is to reverse engineer such a thing, but I believe the sound patch that converts NA 1.0 to 1.1 (which didn't actually fix the sound looping bug) also removes DRM, I believe.

If it may help any, the download for it can be found here: http://www.igotaletter.com/media/downloads/

Polymega avatar Feb 17 '19 04:02 Polymega

Yes, the v1.1 binary does not have the SecuROM protection. I have a copy of all the different binary files, and have done some analysis. About 20KBs of code is encrypted with the SecuROM protection. I can replace the encrypted code, but the DLLMain entry point is part of the encrypted code. I have not yet figured out how to get the new DLLMain entry point to run properly.

elishacloud avatar Feb 17 '19 06:02 elishacloud

You could also check http://blog.w4kfu.com/post/Diablo_II_part_2 http://ricardonarvaja.info/WEB/CURSO%20NUEVO/TEORIAS%20NUMERADAS/701-800/744-SecuROM%20v4.x.x.x%20-%205.x.x.x%20-%20[SyXe'05].rar.rar

mirh avatar Jan 25 '23 01:01 mirh