01-23-2011, 02:31
argie
FADE Protection RCE (Blocker 85% Done)

FADE Protection Reversed 80-90%

Hi.

If some of you don't know, FADE is the following:
Quote:
http://community.codemasters.com/forum/colin-mcrae-rally-3-news-48/21159-fade-info-new-scientist.html
It is a protection technology developed by Codemasters and probably some other coders, originally for PS2 and some games back then. It is still not cracked and there is no way to bypass it. Until now. Installments of FADE can nowadays be seen in games like Operation Flashpoint, Armed Assault, Armed Assault 2, Armed Assault: Operation Arrowhead, etc. All new games and it looks like other games might be going for the solution. Just something overheard. It is an extremely effective counter-pirate technique. It will drive you mad so you will either stop playing the game or buy it. For example, in ArmA2 you get effects like these:

- Your accuracy is not good. You won't notice it at first but the bullet NEVER lands on the place you intended. It always goes south by a few inches or into the abyss (literally). It goes all over the place. You will see in the demo.
- During gameplay it annoys you with different stuff, like turning you into an animal during play, or you just suddenly die.
- There are a few more effects, but the biggest one (and then you know you are fucked) is when all of a sudden the game displays the logo screens from the start of the game with some music, and after that everything becomes blurred and it looks like "seaworld".

Let's just say that if you didn't get the latest symptom you probably wouldn't notice it or would just disregard it as a bug or something else. But eventually you will get the latest effect and you will figure something is seriously wrong.

Go search for ArmA 2 or ArmA 2 Expansion (Arrowhead) on the net. The actual patch is 1.57, going near 1.58, and you can only find a cracked version of 1.52. The latest patches verify some things and if you don't have them, they won't install. So ArmA 2 and the Expansion are currently safe. FADE is blocking all users trying to patch it in any way (copying a legit patched copy over a pirated one, for example).

Even in 1.52, users are suffering from FADE. There is some crazy advice on the net to block stuff in the firewall, change keys then patch, etc... All crap. FADE is much deeper than that and if you don't own the original game with a valid CD key and ping from dev servers, YOU WILL FADE. The crack that FAIRLIGHT released is good. It deals with SecuROM but it does not block or in any way influence FADE. That is why users have issues.

FADE uses many checks for the original game disc. For example, a 1:1 copy must be in your physical drive to run the game. It is also protected by SecuROM. Then it checks the binary form CD-Key from the registry. If it is blacklisted or not valid or an anomaly is detected, FADE kicks in. But those are OBVIOUS places so crackers WASTE time. I did waste time until I figured out how to punch out all checks and make an emulator/blocker which is loaded by a special loader for the game.

This was no easy task and I cannot say for sure that I got it beaten 100% but so far I have no problems in game. I am evaluating all options and improving the code so it covers if I unravel something.

Let me just say that NOT everything is in the game executable or DLLs. Stuff is hidden in non-PE files (like reg) and it is really difficult to flush it out. It also uses packets from the developers' servers. Of this I am not 100% sure, but I got packets and in analysis I found suspicious stuff incoming into the game. Blocking it with a firewall won't work in many cases. Best case scenario is completely offline testing until online can be done. That is my current task. Offline is done, I just want to confirm it will work online so the game won't regain FADE again.

I first made a detector which timestamped stuff (turning into an animal, instant dying and the final effect) and then looked into traced memory to see what had happened. That is when I figured out that the CD key and 1:1 disk were just for show.
Well, not just for show, they do their part, but I got so much more info because FADE isn't visible in the game EXE. You can reverse it all you want. There are parts of it of course (lite triggers and some ints) but really irrelevant. You need about (I needed it) 20 full memory dumps that weigh around 15-20 megs. Analyze it heh.

If anyone from here is interested in FADE Protection Blocking, please join the discussion so we can exchange ideas and findings to make it better. I already have a working solution but when the online option and some other things are 100% done, I will publish the solution. Until then I can of course give pieces of code and all that, but the project is not ready for release just yet. But since I am writing this, I am very close, so I hope I will get the online thing soon as well as dummy emulations of the things that the game requires... I also need to write extensive documentation about it.

Here are a few examples where FADE is active and where FADE is blocked, using my FADE blocker/emulator. It is actually much deeper than that. It all looks easy running the emulator. I will write complete documentation because giving bits and pieces doesn't mean squat.

Quote:
Videos Demonstrating Game WITH FADE and WITHOUT FADE.

There are 2 folders. In one folder is the game with FADE active and in the other is the game when launched via my loader/emulator, where it is FADE free. You will see obvious differences. I couldn't include the final effect because it didn't show and I didn't record it before, so there is:
- Accuracy (Pistol, Rifle, Tank) - Video
- Screenshot FADE Message that you are running illegal copy and that game will degrade
- Screenshot Random Death
Also, first view the .swf files so you can see how it is when you normally run the game and how it is when it is run by the loader. I had dozens of video files so I did my best to include as few of them as possible.

Code:
http://www.mediafire.com/?m8owap964832wbu
I repeat, if anyone else is trying to RCE FADE, please join the discussion. Everything can be arranged. PM... even SVN in time.

Regards.

--
Cheers to ZeNiX, ARTeam and all decent ppl who freely exchange knowledge for others.
The Following 4 Users Gave Reputation+1 to argie For This Useful Post:
chessgod101 (01-23-2011), D-Jester (01-25-2011), metr0 (01-23-2011)
 

