Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page starforce 4.7 emulation detection tricks explained
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 03-13-2007, 19:48
niom niom is offline
Friend
  
Join Date: Jul 2004
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
niom Reputation: 0
starforce 4.7 emulation detection tricks explained
sf uses atleast 2 checks to figure out if its real deal or mounted.

check 1 - device stack:

basically, it checks if the topleveldeviceobjects of 2 devices are identically.
are they identically, its a real dvdrom, arent they, its daemontools. why this works
can be easily seen in tools like DeviceTree.

the code goes like this:

Code:
first it queries the toplevel deviceobject for the current drive:
	UNICODE_STRING driveName;
	RtlInitUnicodeString(&driveName, L"\\DosDevices\\d:");
	FILE_OBJECT *driveFO;
	DEVICE_OBJECT *driveDO;
	IoGetDeviceObjectPointer(&driveName, STANDARD_RIGHTS_READ, &driveFO, &driveDO);

then it loops over all attached cdrom devices:
	wchar_t *deviceNames;
	IoGetDeviceInterfaces(&GUID_DEVINTERFACE_CDROM, NULL, 0, &deviceNames);
	for (wchar_t *deviceNamesPos = deviceNames; *deviceNamesPos; deviceNamesPos += wcslen(deviceNamesPos) + 1)
	{

and queries the matching deviceobject for each device:
		UNICODE_STRING deviceName;
		RtlInitUnicodeString(&deviceName, deviceNamesPos);

		OBJECT_ATTRIBUTES attributes;
		InitializeObjectAttributes(&attributes, &deviceName, OBJ_CASE_INSENSITIVE, NULL, NULL);

		HANDLE device;
		IO_STATUS_BLOCK status;
		ZwCreateFile(&device, SYNCHRONIZE | FILE_READ_DATA, &attributes, &status, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

		FILE_OBJECT *deviceFileObject;
		ObReferenceObjectByHandle(device, FILE_READ_DATA, *IoFileObjectType, KernelMode, (void **)&deviceFileObject, NULL);

then it gets the stack top of that deviceobject
		DEVICE_OBJECT *deviceTop = IoGetAttachedDeviceReference(deviceFileObject->DeviceObject);

and compares it to the drive toplevel devobj, if they are identically, its a real cdrom
		if (deviceTop == driveDO)
			DbgPrint("hi, im a real cdrom\n");
		else
			DbgPrint("hi, im fake actually\n");
	}

check 2 - DPC:
starforce raises the IRQL to super high, then it queues a DPC. the DPC proc is pretty simple: it just writes 1
to some memoryaddr. then starforce starts an atapi read command. the trick is: the IRQL gets never lowered
when its a real cdrom and without lowering the IRQL, the DPC gets never executed, so the 1 gets never written.
but if daemontools was used, the IRQL drops sooner or later and the DPC gets executed, so the 1 gets written...
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
The Legend of Zelda Ultimate Glitch Explained [Arbitrary Code Execution] mcp General Discussion 1 09-20-2016 16:48
starforce - again... etienne General Discussion 13 02-26-2007 18:16
StarForce going down? dyn!o General Discussion 16 09-08-2004 07:37


All times are GMT +8. The time now is 20:18.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )