StarForce going down?

[peleon]

Hi Fellas,

Very good those links dynio Didnt know that starforce was going down but the opposite. I agree that drivers are a bad to make protection...though it's true they are harder to crack. So, it's a bit of compromise.

I tried SF3 long time ago but not success. Does anyone know if there are tutorials or papers explaining about this protection and how to break it? I know that russian guys have tried a lot with SF3 but dont know if they broke it.

Regards.

[taos]

I don't understand why device drivers are very hard to break...

I think that it's very hard to unpack "some" device drivers.Only that.

For example:

Any device driver (NT) is a SYS file. If you have the SYS file unpacked, then you can reverse (using IDA or other) when you reboot your SO in safe mode.
You can modify all the protection in the sys file (debugger detection, CRC,etc...). When you disable debugger detection, you can use your ring 0 debug. I know it's a hard job but I think it's not very very hard.

Regards

[dyn!o]

About StarForce reversing.
As far as I know there are two groups which managed to completely reverse StarForce VM. One Spanish and second Russian. Part of their work is available on the Internet (including VM description).

About drivers.
They are harder to protect but easier to reverse. For instance look at Hasp and Xtreme Protector drivers. They are hard to maintain (compatibility) but gives strong anti-debug shield in NT OSes clones (Pace/XProtector). Anyway, that's the endless story because cracker can always use ring0 too.... until the time someone will invent "ring -1" mode .

About debugger detection.
Sometimes it's not enogugh to skip it. If you want to keygen serious protection then, usually, you have to unpack it... althought it's not always necessary (for instance look at ExeShield tutorial).


Regards.

[peleon]

Hello dyn!o,

Thanks for the info.

I've been for a couple of hours trying to find those information about unpacking starforce but no success. Many forums talking about SF3 but they didnt succeed cracking it.

I just found in Yates2K site a small .DOC explaining the format of a VM instruction. Though, that's not help much.

Any help?

Thanks.

hi guys,

for cracking SF in a classic way with the help of Softice or something like that
it's nearly impossible, because SF not only redirects int1/int3 handlers to fool
tracers and debuggers...they use those handlers as part of the protection itself,
like handling the VM and that stuff....

I'm working on a SF protected program right now and it's really a pain though i
have managed to do a clean dump and rebuild nearly all imports...but the
nightmare beginns with the use of the VM "crypted" codeparts

t.

[peleon]

Hi tr1stan!

THanks for the info. Maybe my mistake was trying to crack it with SoftICE (disabling antiSICE detections). I finished in Ring 3 with exception in the following instruction (mov dr7, eax). So, I guess the use also debug register to work (a pain for us )

Which code is mangled with VM? Is it like armadillo replacing the "JMP xxx" to its own code? or maybe it transforms original x86 code into VM code? or is part of the API wrapping?

Regards

I think Starforce is by now the most secure cd protection. It's as good as impossible to write "one click and go" tools to remove starfoce from an executable (like it is possible with safedisc or securom). One of the main problems are really the VM's. The can hold a huge amount of files which are used in realtime. A I had a nice example here, where Starforce had some level files in it's VM, making it impossible to play it (even if you had a perfect dump)

The dark side of the protection really is its compatibility. I've never seen a protection which behaves that different on nearly every computer. I really hope that they fix this issue with SF4 (which is already in development).

As time will go on, nearly every protection will implement VM's making it nearly impossible to put cracked copies out beofre the games hit the stores.

Greetings
Mav