I think we need a topic about Starforce

vbimport

#1

So we can share information about Starforce’s inner workings, and work out a strategy for making working copies.

We seem to know that it measures angles (using seeks - how else could it do this?) and compares the resulting data with a “key” - either provided with the package, or in the case of the latest titles, hard coded somewhere on the CD itself.

If it’s OK with the moderators, I would like others to share any knowledge. Here would be a good place.


#2

Fine by me. :)


#3

yes plz…

I wanna know how to burn Gangland or have a working copy

it uses this damn Starforce that some ppl call the death of warez

some ppl say it can be cracked but takes so much time that no one wanna touch it

and making a working image of a Starforce disc should be impossible too?


#4

Well, don’t know if this is the place, but I can also include something about Gangland.

I find it really strange that Jackass was missed here (and really a lot after the spath’s tool collaboration… hehehe, please correct me if I’m wrong)

Well, first I will show everybody what I have discovered after a lot of tests, and something about the code itself.

I know this is not quite tech, but this is my point of view as a future mining engineer… XDDDD

Well, first, SF uses searches at some sectors at the beginning of the CD and at the end. I think these ones are not so special, but it could look at “random” ones and then make a simple checking operation.

Here we can have doubts about some things:

Are those sectors really fixed ones? Or can they be any?

Well, we must think now about the provided key. Now we know Starforce uses RSA (a pretty well-known encryption algorithm), and some people (I will not say who provided such info, but it is not from one source) say it could use 128-bit key coding (128 key coding = 24 character key = Starforce key), but I think this is false because it can be coded in base 64 (for example), so its key will not be 24.
Furthermore, I know Starforce uses a couple of things to make its key effective, and not only the angular measure.
We also know Starforce checks the original Windows key as a part of the general process, so this way, trying to decrypt the whole thing will be almost suicide.
In that way, the process is always the same.
The measure checks from one initial sector to another, and this could be not exactly the final one. The info about where to check is contained in the provided program key. This key will tell Starforce at which sector it must begin and when it must finish; then it looks for a certain sector, and finally looks for the last, counting the elapsed time in the process. Then it encodes that result in another key that, checked against the provided one, will decrypt the program, will ask you for another valid key, or will refuse to play the copy. It’s something like a public and a valid private key.

Then, we can say there is no special sector where we could look. Considering that a silver original CD takes about 150 ms searching for certain positions, we can cover a lot of positions with the Starforce system. A burned CD always has a higher timing, even with the same original positions, so checks always fail (and in an expected way, because there are “unexpected ways” that show info that shouldn’t appear).
When burning with BlindWrite and a useful BWA at low speeds, we can “emulate” the physical track of the original CD, and checks will pass sometimes (that depends on the drive state when trying to launch; i.e., a ripping process in a DVD drive will make our drive “overheated” and will give us an error in an SF game if we try to launch after that process, even with a good BWA). In this way we have the same problems as we know with twinsectors and some drives.

Well, this is the first part of the physical part of the prot.
When trying to “reverse” we find a lot of problems.
@Mods:
Please, if anything here is forbidden, just clean it, because I only want to explain.

Well, at this point, it seems that a NEW version of Starforce has been released. The game that has this version is Gangland, and as some people found, it is quite a bit more difficult not only to back up, but to reverse too. I think the major changes are for anti-cracking purposes (today there isn’t any crack for this game; for now this game is uncrackable, even for some people that had done it with previous versions (…))

Don’t know if this can be published, but:

1.- Starforce uses int1 and int3, so SoftICE is neutralized (because Starforce uses them in its process and SICE cannot use them; any ring1/ring3 debugger will not work).
2.- We must trace for a valid OEP, and we cannot use the typical tracing, but home-made ones.
3.- We cannot use some tools (ImportREC, for example) to find a correct IAT; we must make special ones.
4.- There are big random triggers that make SF a time-strong protection (SecuROM is like the Safedisc Silent Alarm, and like a child compared to SF).
5.- The SF VM is strong enough to prevent home-made tools from fixing the resulting “dump”.

Well, I don’t know if I missed something, but I think I covered the most important aspects. Well, I don’t have more time, so expect replies to that.
@Philamber, as you can see I have minimal tech knowledge, so this is the main reason I do not post here so much.

Well, sorry for my poor English again, and I hope it can be understood.

Good luck!


#5

I want to inform you of something in case you didn’t know this yet:

there is in the scene a released 1:1 Gangland, but it seems it’s not 100% OK, because you have to unplug your IDE CD-ROM/DVD-ROM drives to let it work…

and there is indeed not yet a crack out, but probably that is because it takes a very long time to crack this Starforce3.

For Dead to Rights (Starforce3) it took Immersion 6 weeks or so to create a crack for it, and the crack is huge, it’s a whole CD! On that CD you can find a lot of files that are all unencrypted, I guess.
If you install the game normally (without the crack) you don’t even see these game files, very weird…

So I don’t think Gangland uses a new Starforce protection method, but I think a lot of game files are encrypted;
with Starforce 3 the developers can choose themselves how many files and which parts they want to encrypt…

If this information is illegal just remove it; I only want to give you some information in case you didn’t know this yet.

greetz,
cobrar22


#6

Yeap, I know. But what I’m trying to say is that imm***** knows how to proceed, and now they are lost. It will be released, but this “new” version is not as “easy” as earlier ones.

Please, this is not the place to speak about the scene. Let’s discuss how Starforce works, and not such w***z. Just clarifying what the state of the protection is right now.

Let’s go!

Good luck!


#7

The key with Starforce is not with copying CDs, it is with the drivers it installs. Stopping or removing its drivers is the key. How can someone install their program with driver access? Just write a driver that blacklists or stops their driver from scanning for known CD drive emulation tools. Drivers remind me of why I hate Windows. Rootkits and all kinds of crap embedded into the OS kernel is the stupidest thing I can imagine.


#8

I would love to see some work and information on these “problem” drivers myself. I cannot afford to have my system down and I just spent $40 to get a separate HD to clone my system just so I can play Silent Hunter 3 without being paranoid.


#9

It was long overdue (StarForce); the only way around now is to check the torrent sites (none listed for legal purposes).

Is this the end of warez for the PC? After all, it was warez that killed the Amiga.


#10

I partly agree, but regarding the Amiga computer, Commodore’s management was the stab of death for the Amiga. :(