StarForce - potential vulnerability?

Guys,

A thread here: http://club.cdfreaks.com/showthread.php?s=&threadid=92535

It details that running WMP9 and then the game 1 second later allows StarForce to run…

Now, this is completely untested and based loosely on my knowledge of StarForce - but I know you guys might be able to expand the idea further…

My assumptions:

  1. StarForce installs a low level IDE driver for Protection
  2. This driver queries the disc to ensure it is original
  3. Once satisfied the game launches

Potential Idea: (Untested)

  1. If the above comment about WMP9 is true, this would mean that potentially WMP9 is querying the IDE channel in a non-standard way, or not terminating quickly enough to allow the StarForce IDE driver to work correctly - in essence the way that WMP9 is handling the IDE channel request is causing the StarForce IDE driver to pass back a FALSE POSITIVE, allowing the game to launch…

If this is indeed true, then surely the IDE channel noise generated by WMP9 could be emulated and would ensure that the StarForce IDE driver continues to pass FALSE POSITIVE statements back - thus allowing for decent emulation WITHOUT the need to unplug every IDE device?

I am no practical expert - this is only theoretical - so please excuse my ignorance if this statement is wholly inaccurate…

If people want to flame me, go ahead - I am only offering a suggestion that seems to work in my mind… :smiley:

I look forward to your comments.

Cheers,

MuzChap

> If this is indeed true, then surely the IDE
> Channel noise generated by WMP9 could be
> emulated and will ensure that the StarForce
> IDE Driver continues to pass FALSE - POSITIVE
> statements back

If this works, it seems to me that this actually would cause a false negative (i.e. no IDE drive here) to occur. Anyway, since StarForce disc protection can be emulated and the only remaining problem is this IDE scan, I don’t understand why still nobody has investigated this and provided a standalone program to fool it. Note, this is not a “potential vulnerability” but an obvious and provable fact that it can be done, but I guess people are getting lazy these days…

Spath,

Good point - I think that’s what I meant to say… :smiley:

Yeah wish I was more intelligent and I could do some standalone app…

You say it can be successfully emulated? - Is that still with the removal of all IDE devices?

MC :smiley:

It is successfully emulated; the only thing standing in the way is the IDE scan that forces you to put the CD in an IDE drive when there’s one (or more).

If this indeed worked, and was put into a standalone solution, this would make a hassle-free solution for StarForce 3.

What I say is that the specificities of the original disc can be emulated right now, that’s why games run with IDE drives unplugged.

I also say that whatever method they use to search for these IDE drives, one can write a standalone program to make it fail. This just comes from the fact that a resource cannot be completely locked on an x86 machine (except with SMM mode).

Why this has not been done yet is to be asked of emulator coders and other protection “experts”.

Spath, and do you know that the new StarForce is not even working with unplugged CD-ROMs?

Gangland
Pacman_World_2
Desert Rats vs Afrika Korps (tengine.dll says 3.3.31.21 StarForce protection library).

These 3 games can be emulated (with the IDE unplug trick) as far as I am aware…

Are these all using the old SF3 version?

Not all drives can make a working image even if Alcohol reports a successful read.
(I tried on a few recent games too.)

I had some doubts about the WMP9 thing, I tried it… no luck on 3 images that work if I remove all IDE drives. I tried by leaving only 1 drive plugged in (I have 2 CD-ROMs), still not working.

Anyone care to explain where the “hiding IDE CD-ROMs” problem lies… I’m sure this has been tried before… there must be something that makes it non-trivial. Spath posted some insights on that, but I’d like to know more.

Some questions:
Is StarForce 3 using subchannel data?
Is it possible that a very old CD-RW or CD-ROM drive can read StarForce 3 sectors? Perhaps an old drive is returning the right information? I ask this because old CD-ROM drives can also bypass audio protections…

Perhaps I am gonna try with some very old CD-RW drives to back up a StarForce 3 disc. Probably it’s pointless, but trying can’t hurt… Does anybody else here know more about this?
StarForce 3, does it also use twin sectors like Tages?

Let’s all work on it, this StarForce 3 is annoying, I want to get rid of it :bigsmile: :iagree:

Yeap, StarForce uses both subchannel Q for positioning and, at least, P and R. I think it corrects by itself where to begin to look.
More subs must be checked, but I’m sure SF uses a lot of “hidden” info on subs. That could explain the very fast check SF has.

Good luck!

I heard, now, not saying this is true by any means that StarForce does the following:

  1. IDE Driver is installed to run the disc check
  2. The disc has a physical timing between logical blocks calculated, based on the unique speed information of that disc
  3. The key entered actually controls the drive speed to accurately verify the timing between the physical blocks…

This is the area where work is required… I just don’t have a clue what to do about it? :slight_smile:

To be honest, this is an extremely clever protection system! :smiley:

Cheers,

MC :smiley:

Well, those “timing” tricks sound very familiar to me…xDDDDD

And regarding option b), well, that’s not true at all. SF measures the timing between certain positions, but that’s not a “unique” speed for every reader. Because every reader reads at its own speed, the check could always be different…
That way, one could measure at different speeds with the same reader and extrapolate the results. Although every reader could read differently, its reads at different speeds will match a linear function. That function will always be the same, no matter the reader we used. Maybe SF is using that relation in the timing.
That could explain too why the original refuses to play when the drive is overheated (abnormal reading) or too cooled.

Recently I found the SecuROM “physical” pattern, and am writing an article about it. For now, just confirming. I will need to speak with the VSO team about fixing their BWA engine extractor, but I think R!Co already mentioned that. There is a very interesting relationship between some results that must be cleared up. I think SecuROM could be the way to defeat SF, and we can use their own copy protection system against them!..xD

Good luck!

I examined an SF3 disc and I see a blank .dat file on every CD.
For me it is a dummy file used for timing between the first sector and the last sector of the CD (sorry for my English).

Yeap, I think so, and I talked about it in a forgotten post some time ago. The main purpose of this file is to make the CD size larger, because a CD with no more than 500 MB in size is relatively easy to check and to “emulate”. If we have more than 600 MB on a CD, then the timing trick is a lot more accurate, and could easily differentiate between a copy and an original.

The first game I saw that on was Frontline Command, but I have seen it in a lot more SF3 protected titles, like Korea: Forgotten Conflict (both Spanish versions).

Now, the main idea is to look for the specific sector that SF uses to begin the check and to time the whole thing.

Good luck!

Originally posted by Morglum007
> Yeap, I think so, and I talked about it in a forgotten post some time ago. The main purpose of this file is to make the CD size larger, because a CD with no more than 500 MB in size is relatively easy to check and to “emulate”. If we have more than 600 MB on a CD, then the timing trick is a lot more accurate, and could easily differentiate between a copy and an original.
>
> The first game I saw that on was Frontline Command, but I have seen it in a lot more SF3 protected titles, like Korea: Forgotten Conflict (both Spanish versions).
>
> Now, the main idea is to look for the specific sector that SF uses to begin the check and to time the whole thing.
>
> Good luck!

Yeah, but with many CD-ROM drives the timing will be different, because if you use a 24x CD-ROM instead of a 52x to play the game, then these sector timing checks will also go slower… so I don’t understand how this timing check can work… :confused:

This is why StarForce only reads at certain speeds (it uses its own drivers to access the IDE and to time). Just suppose every check is done at 4x.

And, as explained in another post, the read speed can be different from reader to reader, but with the same reader at different speeds you will obtain a linear function that is the same for just about every reader. Like a pump or a specific fan, every reader has a standard way of working represented on a working graph. This graph is a linear function, and this function is quite close for just about every reader, regardless of its read speed.

Good luck!

Originally posted by Morglum007
> This is why StarForce only reads at certain speeds (it uses its own drivers to access the IDE and to time). Just suppose every check is done at 4x.
>
> And, as explained in another post, the read speed can be different from reader to reader, but with the same reader at different speeds you will obtain a linear function that is the same for just about every reader. Like a pump or a specific fan, every reader has a standard way of working represented on a working graph. This graph is a linear function, and this function is quite close for just about every reader, regardless of its read speed.
>
> Good luck!

Ah, that clears it up, thanks for the info.

So if I was to play my backup in a SCSI CD-ROM, would the StarForce protection be rendered useless as it doesn’t check the SCSI bus?

In a system with SCSI devices only, StarForce 3 can be emulated without probs man; without unplugging, nothing.

Hi all!

I’m new here and ignorant.

I want to know if I can make a backup copy of Splinter Cell Chaos Theory (Australian version), and Harry Potter and the Prisoner of Azkaban.

I’m really pissed off, we pay good money for these and I simply want a backup so my son won’t ruin the original.

cheers

I have Athlon 64 3500, 1 GB RAM 400 MHz
WinFast 6800 GS
Pioneer DVD dual layer burner x2
200 GB IDE hard drives x2