#1
FADE Protection Reversed 80-90%
Hi. If some of you don't know, FADE is the following:

Quote:
- your accuracy is not good. You won't notice it at first but the bullet NEVER lands on the place you intended. It always goes south by a few inches or into the abyss (literally). It goes all over the place. You will see in the Demo.
- During gameplay it annoys you with different stuff like turning you into an animal during play or you just suddenly die
- There are a few more effects but the biggest one (and then you know you are fucked) is when all of a sudden the game displays logo screens from the start of the game with some music and after that everything becomes blurred and it looks like "seaworld".

Let's just say that if you didn't get the latest symptom you probably wouldn't notice it or would just disregard it as a bug or something else. But eventually you will get the latest effect and you will figure out something is seriously wrong.

Go search for ArmA 2 or ArmA 2 Expansion (Arrowhead) on the net. Actual patch is 1.57 going near 1.58 and you can only find a cracked version of 1.52. Latest patches verify some things and if you don't have them, they won't install. So ArmA 2 and Expansion are currently safe. FADE is blocking all users trying to patch it in any way (copy legit patched copy over pirated for example). Even in 1.52, users are suffering from FADE. There is some crazy advice on the net to block stuff in the firewall, change keys then patch, etc... All crap. FADE is much deeper than that and if you don't own the original game with a valid cd key and ping from dev servers, YOU WILL FADE.

The crack that FAIRLIGHT released is good. It deals with SecuROM but it does not block or in any way influence FADE. That is why users have issues. FADE uses many checks for the original game disc. For example a 1:1 copy must be in your physical drive to run the game. It is also protected by SecuROM. Then it checks binary form CD-Key from registry. If it is blacklisted or not valid or an anomaly is detected, FADE kicks in. But those are OBVIOUS places so crackers WASTE time.

I did waste time until I figured out how to punch out all checks and make an emulator/blocker which is loaded by a special loader for the game. This was no easy task and I cannot say for sure that I got it beaten 100% but so far I have no problems in game. I am evaluating all options and improving the code so it covers if I unravel something. Let me just say that NOT everything is in the game executable or DLLs. Stuff is hidden in non PE files (like reg) and it is really difficult to flush it out. It also uses packets from the developers' servers. Of this I am not 100% sure, but I got packets and in analysis I found suspicious stuff incoming into the game. Blocking it with a firewall won't work in many cases. Best case scenario is completely offline testing until online can be done. That is my current task. Offline is done, I just want to confirm it will work online so the game won't regain FADE again.

I first made a detector which timestamped stuff (turning into animal, instant dying and final effect) and then looked into tracered memory what has happened. That is when I figured out that cd key and 1:1 disk were just for show. Well not just for show, they do their part, but I got so much more info because FADE isn't visible in the game EXE. You can reverse it all you want. There are parts of it of course (lite triggers and some ints) but really irrelevant. You need about (I needed it) 20 full memory dumps that weigh around 15-20 megs. Analyze it heh.

If anyone from here is interested in FADE Protection Blocking, please join the discussion so we can exchange ideas and findings to make it better. I already have a working solution but when the online option and some other things are 100% done, I will publish the solution. Until then I can of course give pieces of code and all that but the project is not ready for release just yet. But since I am writing this, I am very close so I hope I will get the online thing soon as well as dummy emulations of the things that the game requires...

I also need to write extensive documentation about it. Here are a few examples where FADE is active and when FADE is blocked. Using my FADE blocker/emulator. It is actually much deeper than that. It all looks easy running the emulator. I will write a complete documentation because giving bits and pieces doesn't mean squat.

Quote:
Code:
http://www.mediafire.com/?m8owap964832wbu

Regards.
-- Cheers to ZeNiX, ARTeam and all decent ppl who freely exchange knowledge for others.
The Following 4 Users Gave Reputation+1 to argie For This Useful Post:
#2
pc version of fade was bound to the serial key.. nothing magic...
#3
Of course if you have a legit key and game you won't get FADE. What is your point? I am talking about FADE without legit CD-Key and game... What then?
Last edited by argie; 01-24-2011 at 19:47.
#4
point is that in the games i cracked with the supposed fade all checks were based on a key, which mostly broke down to 1 routine returning in a boolean for success / fail...
it's not even worth calling it a 'protection'.. on the pc it rarely kicked in, except in bad cracks... and we did test it extensively in fairlight, you're not 100% correct when you say legit key.. other non legit keys worked too.. look closer at the algo .. that, and you're about 8 years late...
The Following User Gave Reputation+1 to evlncrn8 For This Useful Post: argie (01-25-2011)
#5
hmm, okay. I know I am late, but I didn't get enough info on the net about it so I gave it a go. I wouldn't even if I didn't come across Arrowhead. Just wanted a little challenge.
And you say it rarely kicks in? You are telling me that you play the 1.57 version and it rarely kicks in? Just curious.

Anyway, are you willing to share the location of that boolean? I think I know what you might be referring to (reg opening or similar), but please PM me the location of that disassembled piece just to be sure. If you don't have the game exe, just tell me what jz or jnz and where as you remember. I know the PEs of ArmA upside down so I'll know where it is. It would be appreciated. Thanks.

Last edited by argie; 01-25-2011 at 18:02.
#6
Wow, I just felt like sitting in a time machine.
After ages of being too busy to read anything, I come back and the first thing I see is a discussion about FADE. Just WOW. On a side note, it feels really good to be back. Hello everybody, drinks are on me today
#7
I see that no one cares about this. Understandable after all.
Well, at least the presentation was fun. Cheers.
#8
Hey, it's the only doc around about the subject. Perhaps it's too late and the ISO-groups did it ages ago, but they didn't release anything interesting about it. So perhaps they don't care about it, but others might.
#9
Hi there