|
Starforce 3 - The gravestone?
1 Attachment(s)
*Please view the attachement before reading*
Staforce - the most hated protection on the scene (besides XProtector), no doubt. Many rumours and legends say it's uncrackable. Most of us wanted to hear it's NOT A TRUE! Why? Probably because of our nature... Crackers nature. We can't agree and admit that someone better could exist on the second side of the scene - software protection market. Maybe someone undefeated? Furthermore, we don't want even to hear that some well known and respectable russian cracker (I will help you: his nick is composed of three chars) could work for software security related company. How can he did it? Yes, many of us asked this questions. Starfoce effect was always similar: no crack or very complicated cracks including turning off IDE cables and physically unplugging CD/DVD drives. The day came on 15.10.2004 (let's assume info file date). Then, some young team, called Ultima, ravaged the legend by completely cracking Starforce 3.3. The scene has won, again. Personally, I think they choosed this moment perfectly. Who of us didn't asked ourselves: "what if I face the day with Starforce protection inside?". Maybe some of us were just too young to ask this question. Did you saw this relase? If not then I suggest to download it. It's not another 'copy crack' relase. They did fu***ng PERFECT job. I have found myself the following: - java binaries modification - MSI installer script modification - MSI archives modification (including independent InstallShield component fragments - I wonder HOW?) - dlls modificatiion - own autorun application (far better than original) with 3D FXs - own graphics - own music (about 7 minutes track with "ultima" whispers) - and... this something... an "intro" while running the game with an impressive message. Watch yourself, it can't be described. I thought by so many modifications they cracked the protection, but I was wrong. It looks like they did install/art work for fun (?) because Xpand Rally was cracked only by a kind of emulation inside Starforce virtual machine (at least it looks so for a lamer like me). This is probably the first time when Starforce protection was totally fooled and works with the game, thinking it's the original one. So why they did so hard job taking care even of packaging 3 languages into single game and showing appropiate codes on the same screens dedicated to typing them? The game installs in the exactly same way like original does (even easier because of pretyped codes, also inside Starforce). One click relases - is it the future? Hope so... Let's hope it's not the last word from such tallented team. Best regards, dyn!o |
Nice work by Ultima, of course, but there have been working (though completely unpacked) deprotected executables of the latest Starforce 3.3 before, i.e. those done by "Starfuckers".
The inline approach by Ultima your post implied might be the way to go in the future, when 'real' unpacking simply becomes too much puzzle work. Nice to know that someone already went into that direction. :) |
Hey!!! Amazing post, dyn!o! ;)
I still cannot believe it myself. I tried a bit with SF3 but i got a bit tired and no much time to study it. Lets see if we heard sometime about some tricks that team did to successfully crack the whole protection ;) Regards. |
Pyrae: sorry, I didn't know about "Starfuckers" job. But what paid my attention was the way of this relase - the original game files stay untouched. I have loaded original Xpand Rally binaries and it still works with the relase because they cracked Starforce engine, not game. Anyway, they unpacked game files too... for what? I don't know. Maybe for fun, maybe they want to show something...
I also completely agree with your sentence: "he way to go in the future, when 'real' unpacking simply becomes too much puzzle work". It's wise indeed. Unpacking every SF protected software means a lot of work (unless someone develop a generic unpacker) so, it's wiser to find an generic idea like Starforce engine cracking. Then, one crack can work for many StarForce protected games. I even wonder if this one could work? Anyone can try? Peleon: I coldn't believe too. I was testing the game on all the possible combinations. Only to find an hole in this relase. But the only things I found were more silly messages about Techland and Starforce inside the game. |
When will these highly paid copy-protection-coders realize that for all their expertise, they still cant beat the crackers? :)
Is there ANY copy protection that relies on you having an origonal disk that has yet to be broken? (i.e. such that you cant use the software with a copyied disk + a crack or whatever) |
Jonwil: Well, probably never. Guess why? Because it's about money, my friend. Money change. Change many of us.
And if it comes to the second part of your question: no. Uncracked protection so far doesn't exist. |
The real question is whether a game with copy protection makes more total $ than the same game would without protection. (and therefore validating the argument about copy protection actually resulting in more sales)
Bearing in mind that all this fancy protection and anti-debugging stuff probobly costs the publishers a lot of money. |
well even if a copy protection is expensive it will pay out...
most games which are protected by SF3 will be cracked in 2-6 months and some of them will never be cracked. the first 6-8 weeks after a game launch are important because in this time the big money is done... |
Hat off to Ultima, respect, nothing more to say.
|
"most games which are protected by SF3 will be cracked in 2-6 months"
With all respect my friend: discussed relase date is 3 weeks after the game appeared in shops. Why are you saying "will be"? "and some of them will never be cracked. " I have never heard about uncracked software (including game), did you? Sometimes we can find a rare software which stay uncracked - not because of protection strength but specific type (engineering, architect, astro, etc.). Even if for some games cracks don't exist, you can mount MDF images and play this game without crack (like Toca2). "the first 6-8 weeks after a game launch are important because in this time the big money is done..." I thought the same... but in the past :) Why that's wrong? Because the money from first 6-8 weeks are usually about 30% of whole incomings. Do you know what's the title in the first best 15 selling games in my country? Ravenshield 3 - 2 years old game. Look at Amazon or your local stores. How many one year old games did you found? I bet many. Do you think the store keeps them just to make the hall looks better? Nope, they keep them because they sells. Let's take another example: Xpand Rally. Techland didn't relase it yet in the USA, Spain, Holland, Italy, Sweden, Denmark, Greece, etc., etc.... Then how first 6-8 weeks can be critical for them? Just imagine losses in the USA only - the biggest game market on the world. So, when really big money come? They are rendered during whole a so called "game-life time" (my personall opinion). Think about it. |
>With all respect my friend: discussed relase date is 3 weeks after the >game appeared in shops. Why are you saying "will be"?
Ok ok...calm down :) There are some games which were cracked "very" fast, but there are games protected with SF3 which aren't cracked for months, like e.g. D-Day and some other low budget games ( ok for those no one really wants them ;) >Even if for some games cracks don't exist, you can mount MMD >images and play this game without crack (like Toca2). Well i think that's not the point, for most safedisc/securom protected games you will find a clone but you will find a seperate crack too. Ok the need for a crack isn't that big if you can clone a game... >Let's take another example: Xpand Rally. Techland didn't relase it yet >in the USA, Spain, Holland, Italy, Sweden, Denmark, Greece, etc., >etc.... Then how first 6-8 weeks can be critical for them? Just >imagine losses in the USA only - the biggest game market on the >world. >So, when really big money come? >They are rendered during whole a so called "game-life time" (my >personall opinion). good point...make sense...well one other thing why they protecting their games is to prevent videostore-lamers to make simple copies of their products... |
Look here:
hxxp://www.xpandrally.com/en/forumShTh.php?ThID=1999&SeID=1&ref= Really hot discussion about Starforce legality. Serious arguments, hot atmosphere... check it out. |
hehe nice thread...very funny...
but the thread is more about using drivers without the permission of the enduser not why the company really use this kind of protection instead of safedisc & co... i would be more interested in how ultima has done the crack ;) |
Why can't I find the Ultima release? At nforce.nl there isn't any nfo like your Ultima nfo. At GCW there isn't any crack for Xpand Rally.
Where did you get your informations? Have you got any link? Best Regards, DeeYeah |
DeeYeah: Who said every relase must be placed on nforce.nl? Scene has its own, unique rules, which allow anyone to do what he/she want.
Where I found the information? On the moon. Do I have any link? Sure but it is Emule and I don't think ExeTools is a good place to share Emule links. It is rather a kind of university. If you want then type "Xpand Rally Ultima" in Emule. That's all. Regards. |
DeeYeah, if you check the link to the Starforce thread on the official forum, provided by dyn!o you will find links to sources where you can obtain the game/nfo from. Obviously it cannot be divulged here.
Dynio, I have been a member here for a long-time, so very much respect the work you have done for the community, but your original post in this thread almost seemed like an advertising campaign. Perhaps you should get a job doing infomercials :p Only japing you though, old chap ;) It seems the old adages will always apply, 'If it can be run it can be cracked' and 'There is more than one way to skin a cat'. I guess it is just a case of skill and determination. It is an impressive crack though, but in many respects I'd prefer to use the unpacked version so I don't have to have those unpleasant Starforce drivers on my system, modified or not... Regards, Dzg. |
Danzig: infomercials? Hmm... good idea but I'm already working on similar tasks in my real life :). Anyway, thank you for suggestion.
If it comes to the advertisement, then yes - you are right. But history changed, my friend. There were many rumours in the past about strange Starforce cracks working or not working, from demo or beta files, even from leaked unprotected versions. People, like me, wondered if this protection has been really cracked or not. Discussed relase closes all those wonders because it contains cracked Starforce protection - not only unpacked game files. That makes a slight difference and allow us to believe it's a new cure to similar protections based on virtual machines. Every interested person has the opportunity to verify it. What other way could I choose to advertise such progress? Probably only by marketing-like post ;) With respect, guys. |
Does this mean that they actually cracked the generic Starforce engine code and not the game code?
Would it be possible to use the "cracked" engine files from this release with other Starforce games featuring the same origonal engine files as this game? In short, does this crack make cracking other Starforce games (e.g. Race Driver 2) any easier? |
jonwill, I suppose that for the ultima group, they can easily crack other StarForce titles after this crack. I dont say a automatic crack, but they should know how to do it manually and all the steps for that.
If they would share a bit their investigations, that would help us to make faster cracks for SF3 :D Regards. |
If someone can crack such complex protections like Xtreme Protector or/and Starforce then he/she :) can crack probably everything.
Regards. |
It should be nice that we could protect our little programs with SF3 like we do with other protectors, so we can investigate more about SF3 ;) I think that SF has the advantadge over other protectors that we cannot use demo version of it...so, people that have the "privilege" of having a SF game/application are not many ;)
About Ultima...I guess they will stay silent about how they did it :( Regards |
Quote:
the only way to make this possible is to crack the starforce device drivers. if they did this, can you please send windows\system32\drivers\prodrv06.sys and windows\system32\drivers\prohlp02.sys as an attachment to this thread? thxalot |
Peleon: unfortunately we won't. Starforce protection, like all other CD protections, doesn't allow to use it on your own. You have to use server-like wizard and protect your files online. It's a good idea indeed.
Niom: I see you know the structure of Starforce :). That's very good, but prodrv06.sys and prohlp02.sys don't count in this game because they stay untouched (in original form). If you know Starforce basis then you should know that it contains other very important file. Tell me which one? :). Regards. |
hehe some dll come into my mind :)
if they have done it that way they really had to spend a lot of time reversing it and patching it against all this paranoiac checks SF uses... |
Quote:
and you said Quote:
or do i miss something? |
Nice shot.
Every Starforce protected soft contains protect.dll. Last months Starforce freaks are trying to mess a little by changing its name (for instance: protect.dll in Xpand Rally is named xpandrally.bin). I don't know why and I don't know what do they count for. Niom: Let's see what I wrote: "...I have loaded original Xpand Rally binaries and it still works..." I tried to say that the original files (chromeengine2.dll and xpandrally.exe) don't have to be cracked because the modification of xpandrally.bin (protect.dll) was enough. Drivers are the only common Starforce 3 components? For sure, but don't miss protect.dll. Regards. |
Quote:
Quote:
|
Quote:
I have been searching for other solution for some time but without any success.. :( It would be great of Ultima release some info about their method but I think they won't cause it should help the developers to improve SF3.. and this is probably the reason why were stopped some projects like SafeDisc v1 & v2 generic unpackers.. Regards. |
"Then the crack is not as interesting (even though it is still impressive) protect.dll changes from game to game - the same effort that was put into this particular game will have to be repeated on others.��
With all respect, Doug: In some previous post I suggested that maybe we should avoid so brave statements ;). Let��s assume some ExeTools member, who really want to learn Starforce internals, will read that protect.dll ��changes from game to game�� and it��s not interesting. Let��s try to become himself for a while: I would like to learn how to crack Starforce (this is just an example), I also see some team did it without modifying protected game files. I am pretty interested because if it works then, maybe, I will be able to learn the same trick and gain additional knowledge (invaluable if I want to know how the protections works and how they can be defeated). Unfortunately :) I read the following sentence: ��the crack is not as interesting�� ��protect.dll changes from game to game�� and think: ��damn, I just thought it could be what I am searching for, but this guy proved it is not��. What��s next? Ehh, you know. Are we here to learn or get discouraged? I will tell you something: when I was beginning my experience with PC software protections, I was totally out of help. I have been trying to contact some teams and even single crackers with the same kind request: ��please help me and tell me where should I begin, what should I read, what should I try to crack at first����. I have sent tens of emails. Guess how many answered? None. That made me wonder if the scene is really worth such an effect-less effort and if crackers do want to help each other, at least a little. I started to learn myself by completely partisan-like way, without knowing even trivial things like executable compressors (I didn��t know they exists and was wondering long weeks why process memory differs from executable content! He he�� good old times). But let��s go into the details and render some logic estimations. We have a problem called ��protect.dll��. Also we have a sentence: "A driver crack, if it existed, would activate all other games too...��. I will try to prove it was a too brave statement too :). Protect.dll �C you have written that it ��changes from game to game�� - have you wondered why? Tell me. ��A driver crack�� ��would activate all other games���� �C I am sorry to say you are wrong. Have you wondered why Starforce drivers do not have to change on each game? If you don��t know then think about their purposes. Problems? I will help you: tell me which file is the only critical for Starforce security? If you know then tell me if a driver based Starforce crack, in your opinion, really would be able to defeat other games? And now, after those inferences, please tell me if ��the crack is not as interesting��? Really? ;) "It would be great of Ultima release some info about their method but I think they won't cause it should help the developers to improve SF3�� Well said, but Starforce developers are skilled enough to discover this trick by downloading discussed relase. Regards. |
<sigh>
They did modify the protected files, protect.dll has been patched. Where do you think the cd-check is? I don't believe in your psychological argument of "getting discouraged" by a post on a forum. If you really want to crack the protection, that's not the kind of thing that you worry about. Besides, if you really do get discouraged by what I said, then it's probably better this way; you wouldn't have been able to crack it anyway. You don't learn to crack any serious protection overnight. BTW, e-mailing groups for help is never going to work.. that's like e-mailing Microsoft, asking how they programmed feature X,y,z.. they won't tell you.. Groups are competing (against other groups & protections) and keep the knowledge for themselves. You did not understand what I said about the drivers. I am well aware of what they are doing, and they are playing an *ESSENTIAL* part in the protection. For example, they are responsible for (but not limited to): - heavy anti debugging - all ring3 and ring0 hooking (ex: S-F virtual file system, anti-emulation) - ... *From the assumption that the crack was driver-based*, then all games would be unlocked: The drivers are generic and backward compatible. Since a driver must work on gameX & gameY without change, cracking the driver for gameX means gameY also works. That's all I said. You can't just cut what I say in the middle and then draw bogus conclusions. If you really know how the driver works, then tell me how the ring-0 anti- NTice works. Start your reasoning from ring-3 protect.dll all the way to the point the ring-0 check occurs. Btw, Ultima hooked the starforce VM function table.. (largely responsible for the interpreter's behavior) hats off to them for that. They also seem to know pretty damn well the p-code instructions because they know what to do when the script is at particular places... This is not a new idea, but I haven��t seen anyone use it in a crack, because as soon as you do, you let everyone (including star-force) know how you cracked their protection. As I stated above, generally people want to avoid doing this simply because the protection is going to change now that the information is available. |
I don't want to get into brawl, my friend. Also I don't want to get into endless discussion.
"They did modify the protected files, protect.dll has been patched. Where do you think the cd-check is?" And you answered yourself. What for you need to reverse all the drivers if it can be done by reversing single file only? "I don't believe in your psychological argument of "getting discouraged" by a post on a forum." And that's ok for me :). "...if you really do get discouraged by what I said..." Mate, please read my posts carefully. I only asked the question ("Are we here to learn or get discouraged?"). Did I told that you discouraged anyone? Probably you got offended, unnecessarily. "e-mailing groups for help is never going to work.. " I know that, that's why I have written about contacting tasks too. "You did not understand what I said about the drivers. I am well aware of what they are doing, and they are playing an *ESSENTIAL* part in the protection. For example, they are responsible for (but not limited to): - heavy anti debugging - all ring3 and ring0 hooking (ex: S-F virtual file system, anti-emulation) - ..." I just quoted your sentence and analysed your words, not mine - you would notice that if you read carefully instead of getting nervous. Starfoce drivers are pretty essential indeed. But let me tell you one thing pretty straight: reversing them won't allow you to run all Starforce games because it's simply impossible. Why? Because, as you know, the CD check is in protect.dll which changes in every version. You can change all drivers but they are not responsible for our problem (CD check). They are Starforce engine heart but not Starforce CD protection heart. I will make it even more clear: let's take Xtreme Protector as example. Its driver play almost the same role like Starforce drivers. By patching Xtreme Protector driver you can run all Xtreme Protected software? Never. So, general idea of drivers patching is useless (so far). "If you really know how the driver works, then tell me how the ring-0 anti- NTice works." Man, I am just an lamer without serious cracking knowledge. Calm down and realise that even if I would own so cosmic knowledge I don't have any obligation to answer your unkind order. "*From the assumption that the crack was driver-based*" How could you had such assumption if the previous posts made it clear? (protect.dll was modified) "You can't just cut what I say in the middle and then draw bogus conclusions." Did I call any of your post "a bougus conclusion"? Aren't you a little nervous? "the protection is going to change now that the information is available." And it will (if Starforce developers are wise... so far they are). I don't see any problem here. It's endless game, like ASProtect or Armadillo cracking. They are fixing holes and crackers reveal another ones. Regards. |
In my opinion the EXE file isn't an important Starforce file, I think it's only a loader to load the crypted EXE inside the protect.dll. The protect.dll is the real crypted EXE.
You can test this by taking other Starforce files from other games. I think the protect.dll isn't the Starforce driver... Best Regards, DeeYeah |
Yes, protect.dll is heavily protected with Starforce virtual machine but... what's interesting... some game exe/dll files can be protected with virtual machine too, making it really hard to crack. That's why it's wiser to find a generic hole.
Of course, as you said, protect.dll itself is not a driver, but takes hardocore usage of them :). It's the place responisble for the critical task: the CD check. Regards. |
And guys, let's ALL play nice in the sand box or someone is going to have to go stand in the corner. :eek:
Let's keep the conversation about the topic and not about eachother. It should be relatively easy for everyone to talk about their views without mentioning it in comparison to someone else's opinion. All it takes is a simple declarative statement, such as "I believe," followed by the opinion. 1.) Back and forth about the subject at hand is acceptable. 2.) Back and forth about an individual and/or that person's opinions is not acceptable. 3.) This is NOT an option. It is a requirement I WILL enforce, and the penalty will not be pleasant nor temporary. 4.) I hope I have made this very clear to whomever the advise might be appropriate. Regards, |
Quote:
Try to analyze "main" executable of protected app with hiew or any other PE editor. There is code section inside but it is initialized to zero! Moreover, OEP of main EXE points inside zero-initialized section! Actually Windows loads protect.dll before passing control to OEP, protect.dll checks presence of original CD and either terminates application or decrypts code section of main EXE (which stored in protect.dll) and places it in right position in memory. But some part of processor instructions are converted to pseudo-code which interpreted by SF engine (drivers + protect.dll). So, modifying protect.dll does not means patching of SF engine only or application data only. Most probably both SF engine and application data where modified. |
Nice information you gave us :)
I didn't call protect.dll an engine but the critical place responsible for CD check. Furthermore, I suggested that it could be a good idea to crack Starforce that way because it requires the modification of single file only (protect.dll). And if you ask if Starforce engine was modified together with game exe/dlls, then no. Only protect.dll was modified. If you put xpandrally.bin (protect.dll) into original game - it will be cracked :). Regards. |
Backdoor in StarForce driver, really? :confused:
Read more about: h**p://www.freewebs.com/starforcemeat/index.htm |
Quote:
|
Hmm,sounds very suspicious... :mad:
Russians are evil, they will attack us with nuclear bombs! Let's make our own drivers ! with backdoors... Actually , this is not a good information about this kind of backdoor because i've played games protected with StarForce, and now i am filling like an idiot , reading that there is a backdoor... But ok, everyone of us can UnInstall the SF Driver...(after playing the game) |
Quote:
Quote:
Quote:
Probably starforcemeat describes the same vilnerability or its variation. |
| All times are GMT +8. The time now is 21:20. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX