Exetools  

#1 - 09-04-2004, 00:31 - dyn!o
About StarForce reversing.
As far as I know there are two groups which managed to completely reverse StarForce VM. One Spanish and second Russian. Part of their work is available on the Internet (including VM description).

About drivers.
They are harder to protect but easier to reverse. For instance, look at the Hasp and Xtreme Protector drivers. They are hard to maintain (compatibility) but give a strong anti-debug shield on NT OS clones (Pace/XProtector). Anyway, that's the endless story, because a cracker can always use ring0 too... until the time someone invents a "ring -1" mode.

About debugger detection.
Sometimes it's not enough to skip it. If you want to keygen a serious protection then, usually, you have to unpack it... although it's not always necessary (for instance, look at the ExeShield tutorial).


Regards.

Last edited by dyn!o; 09-04-2004 at 05:29.
#2 - 09-04-2004, 18:50 - peleon
Hello dyn!o,

Thanks for the info.

I've spent a couple of hours trying to find that information about unpacking StarForce but with no success. Many forums are talking about SF3 but they didn't succeed in cracking it.

I just found on the Yates2K site a small .DOC explaining the format of a VM instruction. Though that doesn't help much.

Any help?

Thanks.
#3 - 09-06-2004, 16:46 - tr1stan
hi guys,

cracking SF in a classic way with the help of SoftICE or something like that
is nearly impossible, because SF not only redirects the int1/int3 handlers to fool
tracers and debuggers... they use those handlers as part of the protection itself,
like handling the VM and that stuff....

I'm working on an SF protected program right now and it's really a pain, though I
have managed to do a clean dump and rebuild nearly all imports... but the
nightmare begins with the use of the VM "crypted" code parts

t.
#4 - 09-06-2004, 17:24 - peleon
Hi tr1stan!

Thanks for the info. Maybe my mistake was trying to crack it with SoftICE (disabling the anti-SICE detections). I finished in ring 3 with an exception on the following instruction (mov dr7, eax). So I guess they also use the debug registers to work (a pain for us).

Which code is mangled with the VM? Is it like Armadillo replacing the "JMP xxx" with its own code? Or maybe it transforms original x86 code into VM code? Or is it part of the API wrapping?

Regards
#5 - 09-07-2004, 03:26 - Maviee
I think StarForce is by now the most secure CD protection. It's as good as impossible to write "one click and go" tools to remove StarForce from an executable (like it is possible with SafeDisc or SecuROM). One of the main problems really is the VMs. They can hold a huge amount of files which are used in real time. I had a nice example here, where StarForce had some level files in its VM, making it impossible to play it (even if you had a perfect dump).

The dark side of the protection really is its compatibility. I've never seen a protection which behaves that differently on nearly every computer. I really hope that they fix this issue with SF4 (which is already in development).

As time goes on, nearly every protection will implement VMs, making it nearly impossible to put cracked copies out before the games hit the stores.

Greetings
Mav
#6 - 09-07-2004, 05:36 - tr1stan
Right, SF is the best but also the slowest protection on the market. Sometimes you lose 50% of speed if protected with SF... so not the best choice for games like Doom3 or HL2.

Peleon: SF does not use that "nanomite" lameness; they emulate complete routines or parts of routines (e.g. around 0x100 bytes) and parse them at runtime... so you have to rebuild these routines to get a good dump...

Maviee: you can get a complete dump of those crypted game files if you open those files and completely read them into memory (in the context of the protected app, of course)... SF will decrypt the complete file for you and you can make a good dump.
#7 - 09-08-2004, 07:11 - doug
Quote:
Originally Posted by tr1stan
Maviee: you can get a complete dump of those crypted game files if you open those files and completely read them into memory (in the context of the protected app, of course)... SF will decrypt the complete file for you and you can make a good dump.
That's right. The *real* problem is finding out what those filenames are. This isn't as big a problem as the p-code stuff, though.
#8 - 09-08-2004, 07:37 - Line79
Quote:
Originally Posted by Maviee
I think StarForce is by now the most secure CD protection. It's as good as impossible to write "one click and go" tools to remove StarForce from an executable (like it is possible with SafeDisc or SecuROM). One of the main problems really is the VMs. They can hold a huge amount of files which are used in real time. I had a nice example here, where StarForce had some level files in its VM, making it impossible to play it (even if you had a perfect dump).

The dark side of the protection really is its compatibility. I've never seen a protection which behaves that differently on nearly every computer. I really hope that they fix this issue with SF4 (which is already in development).

As time goes on, nearly every protection will implement VMs, making it nearly impossible to put cracked copies out before the games hit the stores.

Greetings
Mav
Hello,

I have never tried to work on Star Force.

Just have a couple questions about this VM.

What does the SF VM really handle?

Does it take parts of the application code, i.e. rip chunks of code and convert
them to bytecode that gets emulated by the VM at runtime?

I.e. the real code is destroyed for good, and only bytecode remains, that does
the same as the old code, but in a VM?

Also, when you say some levels are in the VM, what do you mean?

How were the levels translated? Do you mean parts of the code are in the VM, or the whole level code is decrypted / moved into VM memory, and there the VM emulates it?

Do the imports get redirected / handled by the VM too?

Sorry for so many questions, but I have never seen an SF binary yet.

Cheers.
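The VM-based scheme tr1stan describes above (whole routines or parts of routines replaced by bytecode that a built-in interpreter parses at runtime, with the code parts kept "crypted" until they run) and the questions Line79 asks about it can be illustrated with a small toy. This is an added example written for this thread, not StarForce's VM and not code posted by any member: the opcode set, the XOR key, the bytecode layout and the routine are all constructed. It shows why a memory dump of such a program contains no native copy of the protected routine (only the interpreter plus opaque bytes) and why a dump taken while the routine is not executing does not even contain the plaintext bytecode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Opcodes of a toy stack VM, constructed for this example only. */
enum {
    OP_PUSH_ARG = 0x01, /* push argument #n, 1-byte operand          */
    OP_PUSH_IMM = 0x02, /* push 32-bit little-endian immediate        */
    OP_ADD = 0x03, OP_MUL = 0x04, OP_XOR = 0x05, OP_RET = 0x06,
    VM_STACK = 16
};

/* The routine as it exists in the unprotected program (native code). */
int32_t native_routine(int32_t a, int32_t b)
{
    return ((a + b) * 3) ^ 0x5A;
}

/* The same routine translated to toy bytecode and stored XORed with a
 * constant key (hypothetical scheme, key constructed): at rest the image
 * holds neither native code nor plaintext bytecode for this routine. */
static const uint8_t VM_KEY = 0x37;
static const uint8_t enc_routine[] = {
    0x36, 0x37,                   /* PUSH_ARG 0    */
    0x36, 0x36,                   /* PUSH_ARG 1    */
    0x34,                         /* ADD           */
    0x35, 0x34, 0x37, 0x37, 0x37, /* PUSH_IMM 3    */
    0x33,                         /* MUL           */
    0x35, 0x6D, 0x37, 0x37, 0x37, /* PUSH_IMM 0x5A */
    0x32,                         /* XOR           */
    0x31                          /* RET           */
};

/* Interpreter: bad opcode, truncated operand or bad stack state returns 0
 * instead of reading past the buffer. Arithmetic wraps via uint32_t. */
int32_t vm_run(const uint8_t *code, size_t len, int32_t a, int32_t b)
{
    int32_t stack[VM_STACK];
    int sp = 0;
    size_t pc = 0;

    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_PUSH_ARG:
            if (pc + 1 > len || sp >= VM_STACK) return 0;
            stack[sp++] = (code[pc++] == 0) ? a : b;
            break;
        case OP_PUSH_IMM: {
            uint32_t imm;
            if (pc + 4 > len || sp >= VM_STACK) return 0;
            imm = (uint32_t)code[pc] | ((uint32_t)code[pc + 1] << 8) |
                  ((uint32_t)code[pc + 2] << 16) | ((uint32_t)code[pc + 3] << 24);
            pc += 4;
            stack[sp++] = (int32_t)imm;
            break;
        }
        case OP_ADD:
            if (sp < 2) return 0;
            sp--; stack[sp - 1] = (int32_t)((uint32_t)stack[sp - 1] + (uint32_t)stack[sp]);
            break;
        case OP_MUL:
            if (sp < 2) return 0;
            sp--; stack[sp - 1] = (int32_t)((uint32_t)stack[sp - 1] * (uint32_t)stack[sp]);
            break;
        case OP_XOR:
            if (sp < 2) return 0;
            sp--; stack[sp - 1] ^= stack[sp];
            break;
        case OP_RET:
            return sp > 0 ? stack[sp - 1] : 0;
        default:
            return 0;
        }
    }
    return 0; /* ran off the end without RET */
}

/* What the protected program calls instead of native_routine(): decrypt
 * into a short-lived buffer, interpret, wipe. The plaintext bytecode exists
 * only for the duration of the call (a real wipe would use a routine the
 * compiler cannot optimise away; plain memset is enough for the demo). */
int32_t protected_routine(int32_t a, int32_t b)
{
    uint8_t plain[sizeof enc_routine];
    int32_t result;
    size_t i;

    for (i = 0; i < sizeof enc_routine; i++)
        plain[i] = enc_routine[i] ^ VM_KEY;
    result = vm_run(plain, sizeof plain, a, b);
    memset(plain, 0, sizeof plain);
    return result;
}

/* A static scan of the stored image for the plaintext XOR,RET tail of the
 * routine finds nothing: returns 1 if found, 0 otherwise. */
int image_contains_plain_bytecode(void)
{
    const uint8_t pattern[] = { OP_XOR, OP_RET };
    size_t i;
    for (i = 0; i + sizeof pattern <= sizeof enc_routine; i++)
        if (memcmp(enc_routine + i, pattern, sizeof pattern) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("native: %d  vm: %d  plaintext bytecode in image: %d\n",
           native_routine(2, 3), protected_routine(2, 3),
           image_contains_plain_bytecode());
    return 0;
}
```

Both routines return the same values for the same inputs, which is the whole point of the technique: behaviour is preserved, but the native instructions are gone and only the interpreter is visible to static analysis. The 0x100-byte granularity tr1stan mentions corresponds to replacing whole functions or function fragments this way rather than single jumps.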