Unpacking Sakura Wars (サクラ大戦) to Remove SafeDisc 4.60 DRM

Broad Overview

Sakura Wars Premium Edition on DVD uses SafeDisc 4.60, which has various features to ensure that a legitimate disc is inserted when the game is run. The problem is that it no longer works, as it requires the secdrv.sys driver, which has been discontinued in modern Windows. Even with secdrv.sys enabled, I was unable to get Sakura Wars 1 to run, even with a legitimate disc. NoCD cracks exist for the games, but these still make use of secdrv.sys. Broadly, what needed to be done was to enable secdrv.sys, patch the games to not check for CDs, and then unpack the executables to not use the SafeDisc code. This wouldn't be possible without the program here, which I am immensely grateful for. As far as I can tell, nobody else has done this for Sakura Wars yet.

SafeDisc 4.60 launches a cleanup application ~e5.0001 with temporary files (stuff like ~de9145.tmp) from the %TEMP% folder. The .tmp files contain DLLs, and the cleanup application debugs the main application (for Sakura 1, this is ADVcore.exe). Since the cleanup application is debugging the main executable, this stops other debuggers from attaching to it. SafeDisc also uses nanomites, where certain instructions in the code have been replaced with INT3 breakpoints, which are then replaced with actual instructions by the cleanup application as it runs. Far better explanations for this technology exist elsewhere, so I won't go into detail.

The following steps document how I extracted the executables. If you're looking to just play the games, go here and follow the instructions. This explanation is mainly for people who are interested in the steps it took.

  1. Install the games.
  2. Download this patcher and run it on the main executables for Sakura Wars 1-4. Alternatively, download the prepatched NoCD executables.
  3. Download unpack.c.
  4. Download MSYS 2.0 if you are on Windows 8.1 or above, otherwise download MinGW and install MSYS 1.0.
  5. If you are using MSYS 2.0, use pacman to install udis86 for the correct version.
  6. If you are using MSYS 1.0, download this repo as a zip and extract it. Using the MSYS console, follow the instructions in INSTALL. You may have to modify lines 553 and 556 in scripts/ud_opcode.py, changing (indent, k, e) to (indent, int(k), e).
  7. Compile unpack.c according to the command listed at the top of the file. If you are using MSYS 1.0, you will need to specify where the library functions are using -LPATH_TO_LIBRARIES. The libraries are located in the .libs folder, which should appear after running the necessary install scripts.
  8. Now, using the MSYS console, run unpack.exe "PATH_TO_EXE" "OUTPUT_EXE", replacing PATH_TO_EXE and OUTPUT_EXE with the appropriate paths.
  9. If you get a NO_MORE_FILES error, then edit unpack.c to ignore any error where NO_MORE_FILES is referenced.
  10. The program should run, producing a lot of output to the console. It should finish with "writing bytes to ...".
  11. If the program crashes after this point, there's nothing to worry about. It seems to just be a problem with freeing a pointer that has already been freed during cleanup. You can comment out all the free() calls if you really want the error to not occur.
  12. Now place OUTPUT_EXE in the program folder and run. Follow the instructions here for more info.
  13. Note that it doesn't work for Sakura Wars 3. It misses a nanomite, and even if you force it to fix the nanomite, crashes after accessing invalid memory. I'm not sure what causes this, but I'm looking into it. If you have any ideas, let me know.
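
As an alternative to commenting out the free() calls in step 11, the sketch below shows a cleanup routine that is safe to run twice, assuming the crash really is the double free suspected there. It is an added example, not code from unpack.c; the struct, its fields and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tool state; these field names are assumptions, not taken from unpack.c. */
struct unpack_ctx {
    unsigned char *image;    /* whole executable image read from disk */
    unsigned char *section;  /* working copy of one section */
    size_t image_len;
    size_t section_len;
};

/* Release one owned buffer and clear the owner, so a later pass sees NULL.
 * free(NULL) is defined to do nothing, which makes repeated cleanup harmless. */
static void release(unsigned char **owner, size_t *len)
{
    free(*owner);
    *owner = NULL;
    *len = 0;
}

/* Allocate both buffers; on partial failure undo what was allocated. Returns 0 on success. */
int ctx_init(struct unpack_ctx *c, size_t image_len, size_t section_len)
{
    *c = (struct unpack_ctx){0};
    c->image = calloc(1, image_len);
    c->section = calloc(1, section_len);
    if (c->image == NULL || c->section == NULL) {
        release(&c->image, &c->image_len);
        release(&c->section, &c->section_len);
        return -1;
    }
    c->image_len = image_len;
    c->section_len = section_len;
    return 0;
}

/* Safe to call from both the normal exit path and a later shutdown path. */
void ctx_cleanup(struct unpack_ctx *c)
{
    release(&c->section, &c->section_len);
    release(&c->image, &c->image_len);
}

int main(void)
{
    struct unpack_ctx c;
    if (ctx_init(&c, 4096, 512) != 0)
        return 1;
    ctx_cleanup(&c);  /* normal path */
    ctx_cleanup(&c);  /* second pass during shutdown: no double free */
    printf("image=%p section=%p\n", (void *)c.image, (void *)c.section);
    return 0;
}
```

Clearing each pointer at the point of release keeps the memory from leaking, which commenting out free() does not, and turns a second cleanup pass into a no-op instead of heap corruption.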