SecuRom v7.35.0007 protected game dump

[emeykey]

Greetings,

Few days ago I got into reverse engineering out of boredom (wasn't really new to this to be honest, but still I'm no pro). First interesting thing to do, which came on my mind, was to patch some old game, some Disney Princess game from 2007 to be exact.

I started by downloading the game, so now I've got two images, .mdf and the .mds one. Then I proceeded to download DaemonTools 10 lite and SPTD driver. I emulated .mds image on a physical drive, with SCSI bus type. Hurray, I can run the game, securom doesn't recognize the disc is being emulated. Not good enough, I want it to not require anything like this at all.

So I downloaded the ProtectionID (by the almighty Tippex), today newest v0.6.9.0 and proceed to scan the executable. Tells me it's SecuRom v7.35.0007, well shit I've only got tutorials from ARTeam on 7.30.0014, still the information in them proved valuable to my cause.

Launched x32dbg with the disc emulated in the background, now it should just run no? No. Security module couldn't get activated, fine. Downloaded newest Scylla-hide and configured it as so:


Reloaded the executable, ran trough all the exceptions (lots of them and some UD2 breakpoits), the game started, great! So I bypassed the anti-debbuging of this SecuRom. Now I can find the OEP.

So, I noticed that after running trough some exceptions the securom checks for the disk and changes mouse coursor to a spinning CD icon, then it lands on UD2 breakpoint. I counted on how many more UD2s it lands just before the last run that really runs the game. Third one after that CD icon UD2 encounter. Okay this is as close I can get to the OEP call, now it is decrypted. I placed a memory breakpoint (on access) on .text region of the executable module. Ran and I hit it. From log I see it broke on this address:

I did a hardware on execute breakpoint on it and ran. Now I am (or at least I think ) on the OEP.

Okay so now to the issue, the dumping. I fire up Scylla, did memory PE dump of the executable module. Got it. Now I click on IAT autosearch (I've got Scylla to use the advanced IAT search). It found the other values. So now I clicked on import, few invalid Thunks and some suspects, I cut them all from it. Fix the dump. Okay so I've got my dump, loaded it up into x32dbg, ran it and found out it crashes because of inaccasseble address, from original executable I found out it's from the .securom region.


So I've only managed to get to the dump part of this cracking process. My question is why wasn't the .securom region dumped too? Rights in memory map seems okay. And also the other regions as ars, est, artem, celare. And many other address ranges (without any region name) to which these .securom code splicing procedures call.
I can manually dump these regions in x32dbg memory map and later add them to the dump with CFF Explorer, but that's just too much fuc*ing work.
Does anyone have a answer to this, why don't those regions dump with Scylla like everything else?

Thank you.