A Brief Look at StarForce Protection
2005-4-7 14:53

Latest replies (42)

machoman  2005-5-3 16:59  #26
The principle behind starfuck is fairly simple; with a little study you could make something similar.

What is WKTDebugger?

liuxiaosha  2005-5-3 17:02  #27
This is a bit deep. Studying it!

machoman  2005-5-4 11:20  #28
DT and Alcohol are emulating RMPS there, but I don't really understand how Daemon Tools goes about emulating RMPS
_______________________________________
Is there any relationship between RMPS and DPM?

云淡风蒺  2005-5-4 14:24  #29
Is there any relationship between RMPS and DPM?


RPMS is Recordable Media Physical Signature, i.e. the physical marking information unique to the disc.
DPM is Data Position Measurement, i.e. the technique used to read this marking information.
As for how they actually work, I don't know.
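
machoman  2005-5-25 16:00  #30
Today I sent a letter to the author of StarForce Nightmare, and he gave me some answers, including some explanation of how starforce and starfuck implement their functionality. I get the feeling they have researched this quite deeply; against a protection like starforce, breaking it without creatively going right down to the lowest hardware level is really too hard.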

Hi, why you did the same fault, as alcohol/dt did too??
Also, you have the same wrong controller position, as Alcohol or Daemon tools.
Look self, in reality there do not exist any SCSI controllers, which
have same node position.
How Starforce checks for it, first it checks so: give me the parent
node of this cd-rom drive, so starforce knows, this cdrom drive belong
to this scsi controller, now after it starforce asks again, give me
the parent node of scsi controller. Also if it were an real SCSI
controller, starforce wouldn't get any parent response, thus in real
scsi controller there is no additional bus belonging to this scsi
controller. So in your case Starforce sees, aha, something like it
doesn't exist in the nature of Scsi controllers and blacklists the
drive belonging to SCSI controller and additional bus.
What i have done with unblacklisting, as you already understood, just
setting the GUID to another id. That is just temporary fix, it doesn't
unblacklist drive in reality. Just starforce sees this additional bus
not so, as it should, but if they want, they could fix it too. So that
way is not the way you should go. Just rewrite your drivers so, that
you get standalone SCSI controller without parent bus over it. Looks
in newer versions of Gamejack, that is the right way you should go.
Than carbon crack of drivers is actual just for older drivers and game
versions, someone made it public just because they saw already in
newer starforce versions, that the functions are intercepted, so there
was no reason more to hide this crack. So this is not the real help
for you, if it doesn't work with newer versions. Mini image is ok, the
file system blocking can be overridden with such way forever, but it
works just so long the starforce protection doesn't check for sectors
integrity.
In newer starforce version, where is additional content check, you are
not allowed to use mini images, else the protection wouldn't see
cutted and needed content, so you have to use full image, but in this
case the file system blocking works.
There are few ways to override it, anyway the driver has to be
rewritten, but nothing is better, as to make your own sector accesses
to any harddrive, make your own geometrical transformation and use
your own file system implementation, FAT16, FAT32, NTFS and CDFS. So
you can access files on the drive on your way and not ask windows to
do it.
1. Make your own sector accesses, starforce can't disturb it, because
it has sector accesses too.

2. Then geometrical transformation can you get from universal ide
driver, there are free sources, so you can look and extract this
transformation from sources.
http://alter.org.ua/soft/win/uni_ata/index.php?lang=en&

3. Now the important part, file systems, linux contents sources where
you can extract all sources of file systems for reading files in
FAT16, FAT32, NTFS and CDFS.

If you had something like it, you would have the super weapon against
starforce :-)

The another part is the deactivating ide drives, ok, if you can
override starforces high irql, just as example, by forcing to set your
threads in the task planer, then you could go an better way as just
deactivating ide channels or drives separately.
Every time starforce wants to check for atapi on ide and cd check, it
stops all windows ports accesses to ide controller and can do its work
without to be disturbed, if they wouldn't do it, they would crash the
system. So, that is the point, where you can see, aha, fucking
starforce want to check for ide and at this time you can deactivate in
pci space whole ide controller, so starforce wouldn't be able to get
access to ide controller, and when starforce lets again the windows os
to make its ports access to ide controller, there you have quickly to
activate the controller again. This way of deactivating would work for
longer time and you don't need to collect datasheets to know, how to
deactivate any channel separately by different vendors, thus the
deactivating of any pci device in pci space is standard for any
device. You could look just for all controllers in pci space with IDE
subclass 01 01 ** and deactivate and reactivate it by changing just
one bit.
PS: you are allowed to use StarForce Nightmare.
But anyway, if you want to fuck starforce in its ass :), you should
do, what i have described. But if you are able to do it.
Bye
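
The parent-node check described in the e-mail above, modelled as an added example; it is not code from the original post, from StarForce, or from StarForce Nightmare. The device records, their names and the `check_drive` function are constructed for illustration, and the rule that a genuine SCSI controller reports no parent is taken from the e-mail as stated.

```c
#include <stdio.h>
#include <string.h>

/* Constructed records: id, parent id ("" = no parent reported), class. */
struct dev { const char *id, *parent, *cls; };
static const struct dev TREE[] = {
    { "scsi0",    "",         "scsi"  },  /* standalone controller */
    { "cd_real",  "scsi0",    "cdrom" },
    { "vbus0",    "",         "bus"   },  /* additional bus above a controller */
    { "scsi_emu", "vbus0",    "scsi"  },
    { "cd_emu",   "scsi_emu", "cdrom" },
    { "cd_lost",  "gone",     "cdrom" },  /* parent record missing */
};
enum verdict { DRIVE_OK, DRIVE_BLACKLISTED, DRIVE_UNKNOWN };

static const struct dev *find(const char *id)
{
    for (size_t i = 0; i < sizeof TREE / sizeof TREE[0]; i++)
        if (strcmp(TREE[i].id, id) == 0)
            return &TREE[i];
    return NULL;
}

/* Step 1: ask for the drive's parent, which is its controller.
 * Step 2: ask for the controller's parent. Following the e-mail, a SCSI
 * controller that reports a parent bus is treated as emulated and the
 * drive behind it is blacklisted. */
enum verdict check_drive(const char *drive_id)
{
    const struct dev *drive = find(drive_id);
    if (!drive || strcmp(drive->cls, "cdrom") != 0)
        return DRIVE_UNKNOWN;            /* not a known CD-ROM drive */
    const struct dev *ctrl = find(drive->parent);
    if (!ctrl || strcmp(ctrl->cls, "scsi") != 0)
        return DRIVE_UNKNOWN;            /* no resolvable SCSI controller */
    return ctrl->parent[0] == '\0' ? DRIVE_OK : DRIVE_BLACKLISTED;
}

int main(void)
{
    const char *drives[] = { "cd_real", "cd_emu", "cd_lost" };
    const char *names[] = { "ok", "blacklisted", "unknown" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s %s\n", drives[i], names[check_drive(drives[i])]);
    return 0;
}
```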
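
machoman  2005-5-25 16:12  #31
Originally posted by 云淡风蒺


RPMS is Recordable Media Physical Signature, i.e. the physical marking information unique to the disc.
DPM is Data Position Measurement, i.e. the technique used to read this marking information.
As for how they actually work, I don't know.


Thanks for the explanation, brother Yun. As I understand it, DPM really just means that different sector ranges on the disc are stored with a different "linear density"; this "linear density" is saved in the DPM as a 4-byte value, and during the check, applying the delay that matches the "linear density" at each position being read is enough to emulate DPM.

I have not yet made any headway on how RPMS works; it seems to be roughly the same idea, except that it is burned onto the disc. But one advantage of RPMS is that it can support the USB interface, which seems to be the only way to deal with the new versions at present. The better method that the StarForce Nightmare author mentions above is too difficult to implement (writing your own file system, device drivers, ...) and is beyond my ability. Even Daemon-tools has not solved it so far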

kkx2008  2005-5-25 19:37  #32
Originally posted by machoman
The principle behind starfuck is fairly simple; with a little study you could make something similar.


What is WKTDebugger?

It is a tool for debugging VB P-code

TarZan  2005-12-18 17:48  #33
There is so little material online about dpm and rpms.
Can anyone provide some to look at?
Many thanks
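
TarZan  2005-12-19 18:24  #34
Originally posted by machoman
Where can I download mds images of the latest protected games??? I can now get past starforce 3.3 and Securom New 4, but I can't find downloads for new games, or else the speed is terribly slow. It's driving me crazy! Could you all share some resources?


May I ask the original poster, how did you get past sf3???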
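
TarZan  2005-12-19 18:28  #35
Originally posted by 云淡风蒺
Could the original poster share what you know about the starforce driver, for example by listing the code starforce uses to check for Alcohol, so that I can try to write a program that lets Alcohol emulate new-version starforce discs without needing a USB-CDROM to run? I have always been trying to find ways to deal with starforce, so I have not put any work into the starforce driver. I hope the original poster can provide some reference.


Hello, original poster.
I am also somewhat interested in sf3,
and I can offer an idea:
take out sf's three drivers.

Or use injected code to record its v-code.
Then there is no need to fear its code interpreter protect.dll.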
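
machoman  2005-12-20 11:09  #36
As long as you get DPM and RPMS right, you can get past it. DPM is no longer much of a problem; I am just getting ready to study RPMS. Because SF already controls SCSI tightly, using RPMS to emulate DPM has become the only option at present. There is very little material on this; even DT 4.0 has not solved this problem properly. The earlier discussion has covered the DPM principle fairly thoroughly. The concrete operations are still rather complicated. Patient study always pays off.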
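
JillPal  2006-1-14 14:07  #37
Many manuals of games protected with SF now include instructions on how to regenerate the CD-KEY in case it is wrong; the 风色幻想 3 and 4 that I bought are both like this. Evidently the drawbacks of SF protection are growing. It now looks as though SF protection has also started monitoring image files and system files, so relying on RPMS to emulate DPM alone may no longer work.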

云重  2006-1-17 16:16  #38
hehehehe
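
fnp902003  2006-1-17 16:47  #39
I am currently playing 《细胞分裂:混沌理论》 (Splinter Cell: Chaos Theory) and 《三国志10威力加强版》 (Romance of the Three Kingdoms X with Power Up Kit); the two games use different disc protection schemes. The former uses the SF protection you are talking about, the latter uses SafeDisk. The former runs perfectly with the SFAFSB driver together with the SFNightmare blocker, and the latter only needs a mini image mounted with DT4~
What I would like to know, though, is how the disc protections used by the two differ.
By the way, what tool is used to unpack the Armadillo 3.00a - 3.61 -> Silicon Realms Toolworks packer? A hint at a method would also do.
Thanks~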

arwin  2006-1-17 17:19  #40
Unpack it by hand

fnp902003  2006-1-17 17:36  #41
Originally posted by arwin
Unpack it by hand


If the poster above was talking to me, could you share some tips?
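
TarZan  2006-1-22 17:29  #42
Originally posted by machoman


Thanks for the explanation, brother Yun. As I understand it, DPM really just means that different sector ranges on the disc are stored with a different "linear density"; this "linear density" is saved in the DPM as a 4-byte value, and during the check, applying the delay that matches the "linear density" at each position being read is enough to emulate DPM.

I have not yet made any headway on how RPMS works; it seems to be roughly the same idea, except that it is burned onto the disc. But one advantage of RPMS is that it can support the USB interface, which seems to be the only way to deal with the new versions at present. The better method that the StarForce Nightmare author mentions above is too difficult to implement (writing your own file system, device drivers, ...) and is beyond my ability. Even Daemon-tools has not solved it so far

From studying sfn and sffuck, I have come to one conclusion:
no matter which operating system, if the optical drive and the hard disk are not on the same physical ide port, then as long as the ide channel the optical drive sits on is blocked, sf3 is forced to let dt run. You don't even need sfn or sffuck; just go to Device Manager and disable (under win98, win2k server, winxp pro) or uninstall (under win2k pro, winxp home) the ide channel the optical drive is on.
However, this is only a method of last resort.
I am wondering whether it would be possible to rewrite the system interrupt services at the root, just like rewriting the idt under dos: rewrite the int 21e service for ide, or for the optical drive, and then one could use dt's virtual drive, or read sf3's dpm data, and emulate it the way a dongle emulator is made.
By the way, I can't find low-level material on optical drives online. If the original poster m-man has any, could you give me some references? Because it occurred to me: according to sf3's product manufacturing process, its master disc is also made on an ordinary burner and only then pressed; in that case we must surely also be able to write a driver of our own to operate the optical drive, read every byte of data on the disc, and then rewrite a disc, just like the ghost program for hard disks. I want to write such a program now.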
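
machoman  2006-1-25 17:33  #43
Heh, I'll post the code segment I wrote a while back that blocks the IDE interface for starforce versions before 3.3. If the friend above wants to learn about the IDE or SCSI standards, you can go to the addresses of the following two groups of the international standards committee; there are plenty of standards there free for you to read
http://www.t10.org   This is the SCSI standards group
http://www.t13.org   This is the ATAPI (IDE) group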

bool CSkinTestDlg::StarFoce_Disable_IDE(HANDLE FileSCSI)
{
  USHORT  Port;
  UCHAR  Value;

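  Port = 0x1F7; // IDE port number
  Value = 0x9F; // ATA command; the same applies below. See the standard for what each command means.
#if MINPORT
// This function is effectively the same as WRITE_PORT_UCHAR, except that I re-implemented it in assembly to avoid being monitored by StarForce. This requires writing a very simple driver.
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);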
#else
outportb(Port,Value);
#endif
Port = 0x1F7;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value); // likewise implemented by myself, in ring0
#else
Value = inportb(Port);
#endif

Sleep(100);

  Port = 0x1F6;
  Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F6;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

  Port = 0x1F7;
  Value = 0xA1;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F7;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

  Port = 0x1F6;
  Value = 0xA1;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F6;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

  Port = 0x1F7;
  Value = 0xA1;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F7;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x1F6;
   Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F6;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x1F7;
   Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F7;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x1F7;
   Value = 0xA0;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x1F7;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x177;
   Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x177;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x176;
   Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x176;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x177;
   Value = 0xA1;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x177;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x176;
   Value = 0xA1;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x176;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x177;
   Value = 0xA1;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x177;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x176;
   Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x176;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x177;
   Value = 0x9F;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x177;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
Sleep(100);

   Port = 0x177;
   Value = 0xA0;
#if MINPORT
PS_WRITE_IDE_IDE_PORT_UCHAR(FileSCSI,Port,Value);
#else
outportb(Port,Value);
#endif
Port = 0x177;
#if MINPORT
PS_READ_IDE_IDE_PORT_UCHAR(FileSCSI,Port,&Value);
#else
Value = inportb(Port);
#endif
  Sleep(100);

return TRUE;
}