StarForce going down?

[dyn!o]

Well, please look what I just found:

hxxp://www.broadbandreports.com/shownews/48427
hxxp://www.boycottstarforce.org/

Maybe not a hot info but pretty interesting. It looks like StarForce developers took wrong way... similar to Xtreme Protector. Also I have been told that Star Force developers drastically lowered their prices (to $0.085 per CD). Both of these developers owns far the best protection but also both of them owns weak compatibility... Is there really no cure? Cannot anyone develop strong and stable protection? Is it a rule that strong = uncompatible?

My own suggestion is that developing software protection based on a driver is very bad idea. Comments?

Regards.

While I'm very concerned with the copy-protection compatibility issue and find star-force's driver to be intrusive; this whole story is bit exaggerated.

The article in the first link is a bit funny, you don't hear many comments on safedisc's driver, even though it was just under his nose! (SECDRV on the screenshot). BTW: All cd copy protections install device drivers now - none of them warn the user about it.

something to add to your link collection:
http://www.firingsquad.com/features/starforce_interview/

I've tried to crack some SF protected cdrom from a company called Emme productions but i failed I guess many new protection products like SF and CDCOPS3 use the DPM (Data Position Measurement) method which is physically impossible to crack but one may attack the software driver/ lock checking code. Anyone has played with this? I'm also interested in how these DPM kind of locks work (Alcohol 120% can measure and make images of theses protected cdroms).

[dyn!o]

Doug: Well... I have to negotiate . First of all you are right about SafeDisc, but... this thread discuss StarForce malfunctions. Besides, as far as I know, SafeDisc is the most compatible CD protection on the market.

"All CD copy protections install device drivers now - none of them warn the user about it."

I would rather say: almost all CD protections use device drivers nowadays (for instance: look at hxxp://www.softlock.net - they don't use device drivers, also there are two other which don't use) - none of them warn the user about it - that's right.

Seyedorf: DPM? I am not in any way CD protection specialist but I thought it was emulated already... like twin sectors did. Please attach some more informations if you can.


Regards.

Yes, it is emulated , like Alocohol 120% can make images of such cds and mount them on a virtual cdrom and emulate the DPM so the lock checking is fooled as it is the original cd, but this is only an image file, you can not duplicate the locked cd this way. Any attempt to copy these kind of protected cds will cause the physically change in DPM so the copies won't simply pass the lock check. I have not seen also anyone cracked the lock checking routines, this can give us a generic patch for the lock.

still waiting...

[dyn!o]

Ahh... that's right but who cares about physical CD? It's not about physical copy but rather cracking the protection in general - no matter what way. The game protected by a CD check only always carry the highest risk - much higher than other software protections because it can be attacked from both sides: CD cloning and/or executable cracking.

The last solution, not implemented yet, is to calculate CD access and sectors read speed timings. At the moment it will fool all virtual drives but if someone will implement such a protection then very quickly Aclohol/CloneCD/DaemonTools will contain anti-timing features... and so on... and so on...

The question is if someone will invent a stable CD protection technology which force cracker to break each title manually (like Armadillo and ACProtect do). Then, in some countries, games piracy rate would be lowered - noticeably lowered.

Regards.

[taos]

Perhaps the solution could be that Armadillo uses a CD API protection like Krypton 0.5 but with a strong EXE packed with nanomites...

[peleon]

Hi Fellas,

Very good those links dynio Didnt know that starforce was going down but the opposite. I agree that drivers are a bad to make protection...though it's true they are harder to crack. So, it's a bit of compromise.

I tried SF3 long time ago but not success. Does anyone know if there are tutorials or papers explaining about this protection and how to break it? I know that russian guys have tried a lot with SF3 but dont know if they broke it.

Regards.

[taos]

I don't understand why device drivers are very hard to break...

I think that it's very hard to unpack "some" device drivers.Only that.

For example:

Any device driver (NT) is a SYS file. If you have the SYS file unpacked, then you can reverse (using IDA or other) when you reboot your SO in safe mode.
You can modify all the protection in the sys file (debugger detection, CRC,etc...). When you disable debugger detection, you can use your ring 0 debug. I know it's a hard job but I think it's not very very hard.

Regards

[dyn!o]

About StarForce reversing.
As far as I know there are two groups which managed to completely reverse StarForce VM. One Spanish and second Russian. Part of their work is available on the Internet (including VM description).

About drivers.
They are harder to protect but easier to reverse. For instance look at Hasp and Xtreme Protector drivers. They are hard to maintain (compatibility) but gives strong anti-debug shield in NT OSes clones (Pace/XProtector). Anyway, that's the endless story because cracker can always use ring0 too.... until the time someone will invent "ring -1" mode .

About debugger detection.
Sometimes it's not enogugh to skip it. If you want to keygen serious protection then, usually, you have to unpack it... althought it's not always necessary (for instance look at ExeShield tutorial).


Regards.

[peleon]

Hello dyn!o,

Thanks for the info.

I've been for a couple of hours trying to find those information about unpacking starforce but no success. Many forums talking about SF3 but they didnt succeed cracking it.

I just found in Yates2K site a small .DOC explaining the format of a VM instruction. Though, that's not help much.

Any help?

Thanks.

hi guys,

for cracking SF in a classic way with the help of Softice or something like that
it's nearly impossible, because SF not only redirects int1/int3 handlers to fool
tracers and debuggers...they use those handlers as part of the protection itself,
like handling the VM and that stuff....

I'm working on a SF protected program right now and it's really a pain though i
have managed to do a clean dump and rebuild nearly all imports...but the
nightmare beginns with the use of the VM "crypted" codeparts

t.

[peleon]

Hi tr1stan!

THanks for the info. Maybe my mistake was trying to crack it with SoftICE (disabling antiSICE detections). I finished in Ring 3 with exception in the following instruction (mov dr7, eax). So, I guess the use also debug register to work (a pain for us )

Which code is mangled with VM? Is it like armadillo replacing the "JMP xxx" to its own code? or maybe it transforms original x86 code into VM code? or is part of the API wrapping?

Regards

I think Starforce is by now the most secure cd protection. It's as good as impossible to write "one click and go" tools to remove starfoce from an executable (like it is possible with safedisc or securom). One of the main problems are really the VM's. The can hold a huge amount of files which are used in realtime. A I had a nice example here, where Starforce had some level files in it's VM, making it impossible to play it (even if you had a perfect dump)

The dark side of the protection really is its compatibility. I've never seen a protection which behaves that different on nearly every computer. I really hope that they fix this issue with SF4 (which is already in development).

As time will go on, nearly every protection will implement VM's making it nearly impossible to put cracked copies out beofre the games hit the stores.

Greetings
Mav

right SF is the best but also the slowest protection on the market. Sometimes you loose 50% of speed if protected with SF...so not the best choice for games like Doom3 or HL2

Peleon: SF does not use that "nanomite" lameness they emulate complete routines or part of routines (e.g. around 0x100 bytes) and parse it at runtime...so you have to rebuild this routines to get a good dump...

Maviee: you can get a complete dump of those crypted game files if you open those files and completly read them into the memory (in the context of the protected app of course)...SF will decrypt the complete file for you and you can make a good dump