Protection by Emulation

[SiNTAX]

If I'm not mistaken, Starforce3 uses emulation (interpreter).. but then.. having never had a starforce3 exe in my hands, I can't be certain.

Quote:

protecting an exe by completly emulating some part of the protected code

In principle that is an interesting approach. It makes the analysis/cracking the code much more and in some cases the cracker just gives up because of the long time needed to analyze the program. However, this does not mean that this approach is cracker-proof! Think of it, programs written in p-codes, like old QuickBasic programs or even VB are much similar in concept to the emulation idea. And we all know though difficult, they CAN be cracked/patched. The basic problem is that the emulated/p-coded/VMed/anything program is yet a PROGRAM: a sequence of bytes that do something logical. Each one or few bytes represents an operation or some data and together, they form a routine or logical sequence of operations. Now, one your x86 computer you may execute/interpret/emulate the bytecode sequences of x86, Z80, QuickBasic p-code, Java VM, ... but theoritically you are doing the same thing and the cracker using a generic approach can analyze and crack/patch your program. This methology, relies one hiding the information and once you know the meaning of the byte-code, you can read and understand it with no problem. So there is no surprize that such methods, however complex in first look, will be finally cracked. Well, only if the cracker is really motivated to do so...

Quote:

Originally Posted by SiNTAX

If I'm not mistaken, Starforce3 uses emulation (interpreter).. but then.. having never had a starforce3 exe in my hands, I can't be certain.

yes, it has been using a VM for quite some time (not just for v3)

You are right, Star Force 3 does use its own Pcode.

Quote:

Originally Posted by SiNTAX

If I'm not mistaken, Starforce3 uses emulation (interpreter).. but then.. having never had a starforce3 exe in my hands, I can't be certain.

[peleon]

Hi H3Xenoic,

My scarce intelligent tells me that you are a ASProtected developer??? Maybe everybody here knows that but me

If yes, any public version or keep it only for customers?

Thanks.

[dyn!o]

Hello folks,

Please think twice before posting "impossible". Star Force uses own VM too (I have been playing with it several times) and is each time cracked. What would I do if AsProtect would use VM? Simply, I would spend 3-5 days to write IDA plugin which would be the PCode emulation of new AsProtect. I really don't understand why someone believe that using VM makes impossible to patch/reverse the application. I would be more than happy if AsProtect author would set an serious reward for cracking its VM and gives me some money for furthcomming vacations

Again, with all respect to your knowledge, please think twice before posting.

Greetings,
dyn!o

[dedificator]

This same "impossiblity" level, that, says, JAVA, VB or FOXPRO p-codes ... . Every of them simply takes some worktime to understand bytecode structure.
Of course, high level languages are much better documented, as protectors.
One good method - create simple code, compile it to needed p-code (or, in our case, protect it) and examine result. After some similar cycles you will see, how this VM works and how commands are translated to p-code.

[peleon]

hello dyn!o,

Looks very interesting your reply. I *must* learn IDA pluggins cos they look very powerful what you can do with them

Btw, do you also know how to crack the SF3 VM? I tried long time ago but not success...I also remember long posts talking about Starforce but with no success in the end It would be perfect if you could direct some of us a bit of how to attack that monster

thanks

[dyn!o]

Well, there are two known private decompilers but I don't own them. Also I'm not authorized to say who made them

Good luck,
dyn!o