StarForce checking

Hi all again, maybe software developers ( like Alcohol, BlindWrite or CloneCD) at this time, knows a bit about starforce.
I have been testing for a time, and finally, obtained a final conclusion for starforce v3 that it’s not the one and maybe can change the way the protection can be defeated.
After testing a lot of games with this copy-protection, and having success with some testing (hehe) discovered that CDs with less data are more easily burned that those with more than 600 mB.
It seems that with more data, more precission can be done in the angular checking, and more difficult is to copy such CD.
The way i’m working is by modifying the image, so lengh changes: with same amount of REAL data at CERTAIN POSITION, the checking point changes its position, and data takes more or less space at certain radium of the CD----> Angle is changing to position till the correct one.

To help more testers to do that, by modyfying BlackCheck’s program, can obtain certain success.( By now, most own development are under secret)

NOTE: To help finding the correct check point, after burning in a CDRW, launch the protected exe and then, after failure, go to report. Cancel after a seconds and see what info it reports to you.
Should appear some info like that:
C,1A,9,1A,9,1A,0,0,0,0,0,0… with a new key. This key is not important to us AT THIS MOMENT(but very interesting for cracking purposes).Obviously, this new key does not launch the application.
We need to check, for different CDs, that values.
i’m working in two ways at this point:
1.- Trying all of them become 0.
2.- Trying all of them to take a “syncronous” sequence.
Original CD does not shows that info, but it checks the CD when measuring with a progress bar. Usually, only first checking reports success and the application launchs. With a copy, that first checking is passed quite fast, and progress bar continues…so a wrong way.
The more time this first checking is stopped, the more near we are from the espected angle.

Hope, some people could investigate too. Repeat: WWII FrontLine Command have a nice “xploit” in its image estructure. Will not say anymore, but with that game and an hex edit, this can be easyly found.

Good luck everybody.

TIP: Wersachi, we are waiting a best way to copy that protection.

An interesting post as always Morglum007. Because of its technical nature, I’m going to copy the thread to the Optical storage Technical Discussions forum where I suspect that you’ll get greater input and feedback than in this forum.

[Note to all admins/mods: This is not an example of cross-posting.]

hi morglum i ran some test myself. I’m playing with ‘Pure Pinbal’ German version, supposed to be starforce 3. You said you got working results easier with smaller discs (that does make sense of course) However my target seems to check the angle between sectors 0x23 and 0x3b5, wich is very close to the beginning…The disc is about 600mb. I created a simple test app that reads the same sectors and i can tell the original cd from the copy like that. Could you explain in detail where yo u inserted twinsectors and why ?

If there is a way to determine the ‘sector set’ ( wich seems to be the same on different runs / machines) one could automate the twinsector injection by bruteforcing with a cdrw ( would probably take quite some time, hehe )