【原创】StarForce的背后

op510

【原创】StarForce的背后
现在的游戏的加密是越来越强了，SecureROM，SafeDisc之类的技术比比皆是，现在最强的光盘加密技术要算是俄罗斯的StarForce3技术（一下简称SF3）。很多游戏就是用这个技术加密的，比如仙剑三，仙剑三外传，轩辕剑外传－苍之涛等等，（大多为台湾大宇的作品）。基本上启动游戏时见到如下图所示的界面的就是SF3加密的东西了。



Flying2000 最后编辑于 2005-3-13 23:31

（续）
查阅网上的资料可以得知，SF的保护主要是对输入表的保护，其中有一个重要的步骤就是通过使用驱动切到ring0进行解码，使得软件不会被破解。
本来是没什么问题的，但是由于驱动的优先级实在是太高了，它同windows同时启动，并且是SYSTEM权限的，所以只要掌握了驱动的特有API，就可以在甚至Guest的权限下获得高权限。
（下图是StarForce3的驱动）

（续）
接下来的这个东西就是可以与SF3的驱动进行交互的。
软件原文说明：

. . . .StarForce Professional 3.0 is a powerful multi-level CD-ROM, DVD-ROM copy protection

system designed for hackers and virmakers who wish to grant their applications ultimate,

most powerfull ways against your security.


...Most modern copy protection systems today encrypt only the applications' executable files

and then bind them in some way to the licensed discs. StarForce Professional 3.0 is the

first system that offers a multi-level and fully-functional vulnerabilities,

which granted access to your PC with any privileges (including Guests) to any user.

...With this product, you, the developer, have a unique ability to hack your potential

victim as well!
...The research conducted by StarForce Technologies' specialists reveals that in most

cases the pirate releases don't contain the protected executable files with that pretty

access system.

软件界面如下：

（续）
来看看最重要的东西，我们启动一个注册表编辑器regedit.exe，在任务管理器里我们可以看到，这个注册表编辑器只有我当前用户的权限（flyingsnow权限），并且不能打开只有SYSTEM才能访问的SAM键值。（如图）

（续）
然后我们打开刚才的软件，使用它的“Create system process”功能，打开regedit.exe（注册表编辑器），确定！注册表编辑器打开了，我们惊奇的发现，注册表编辑器是SYSTEM权限的！并且可以打开SAM这个SYSTEM权限才能访问的键！
如图：

（续）
这是从网上的资料上找到的SF3的一些说明：

Since starforce version 3.4.65.09 to prevent old starfuck methods for deactivating
cd drives starforce goes a very hardware incompatible way. StarForce protected game tries
to reset ide channel before it begins to check protected disk. Therefore this can take up
to 2 minutes before starforce begins with its disk check. All users, who have CD
drive on SCSI controller, ATAPI CD Drive on ATA/RAID controller, CD drive on USB controller
and even coming hardware innovation called CD drive on SATA controller, all those users are
involved by this hardware incompability issue of Starfore protection. This hardware
incompability appears even than, if you remove all your drives from IDE channel physically
and deactivate your IDE channels in BIOS to set needed resources free, also you don't even
need to use our program to find it out. That's, what you get with Starforce.
It seems, starforce team doesn't care about its hardware compability and not just that, they
don't care about software compability of their product, for which they want money.
If they try to reset the channel, they "play" with priority system of windows os, therefore don't
wonder if your computer will crash or after few times starting the starforce protected game
in such environment you will not be able to start any windows application more. It happens since
starforce version 3.4.65.09 and above.
On our test systems we were very often able to reproduce this software crash issue.
As you see, all what starforce has done before is useless. What they added to the protection
is just rapidly increased hardware and software incompability, nothing more, nothing less.
It's diffucult to imagine, what will be next hardware/software incompability level, if starforce
tries to prevent methods present in this program. How far they will go with their paranoid
idea to don't care about the hardware and software compability of their protection?
How it will work on coming PCI Express? How it will work with controllers in native mode?
I have already noticed many problems with starforce and native mode controllers.

可以看到SF3目前有很多的问题，而这个问题就是其中非常重大的一个，更糟糕的是，似乎正版的软件在卸载时都不会删除SF3的驱动，更不用说大量的D版了。
建议你在使用完SF3保护的游戏时（或者觉得可能SF3驱动在某个时候会给你带来麻烦时）关闭或卸载SF3的驱动，你只需要删除Starforce protection Environment Driver这个驱动就可以了。
附件是测试时提升权限的软件，没有做任何改动，原版提供给大家，希望不要把它使用在不正当的用途上。
（续完）

看看下面的报道！
星之盾推StarForce professional 3.0升级版

作者： CNET科技资讯网
CNETNews.com.cn 2005-03-08 11:45 AM

CNET科技资讯网3月8日北京报道 今年是中国知识版权局指定的" 反盗版年"。新年伊始，不少行业就积极响应，推出了各种声援活动。

2月2日，星之盾科技公司重拳出击，推出了获得第八届中国软博会金奖，适用于光盘加密的软件保护解决方案StarForce professional 3.0的升级版。星之盾的这一举动再次给了盗版者们致命的一击，令正版软件发行商拍手称快。

多数现代的复制保护系统仅仅将可执行文件加密，并通过某种方式将之捆绑于正版光碟上。星之盾的StarForce professional 3.0首创了多级全功能保护技术，这项技术不仅可对CD/DVD-ROM光盘上的可执行文件加密，而且可以可对应用程序中的非执行文件加密，为开发者商和出版商的本地游戏、娱乐教育软件、电子百科全书及办公应用程序等设置了更牢固的安全屏障，令盗版者望而却步。

但星之盾在市场研究中发现，一些有不良企图的用户经常用黑客提供的各种途径，用IDE 接口锁定通过正版光盘的非法拷贝或镜像来运行应用程序。针对这种现象，星之盾对StarForce professional 3.0做了改进，推出了它的升级版。

这个新版本特意采用了"NewATAPI"技术，这项技术和星之盾的"ISO-protection"技术相结合可以阻止不良用户绕过规则系统的保护使用IDE 接口锁定，从而从根本上杜绝盗版。

据星之盾技术负责人介绍，StarForce professional 3.0升级版和星之盾已推出的"StarForce Nightmare" 一样，是打击盗版的最新利器，全球用户自此日起都可以免费试用。

中国对盗版者的谴责日益严厉，各界人士通过不同方式声援反盗版行动，中国知识版权局更指定2005年为中国" 反盗版年".反盗版专家认为，反盗版要取得最终胜利，采取各种有效措施打击盗版很重要，但更重要的是软件保护技术要比盗版技术发展得更快更好。

中国目前的软件保护技术对遏制盗版起了相当大的作用，但道高一尺，魔高一丈，反盗版战斗亟需更先进的软件保护技术。星之盾适时推出了最新的软加密技术StarForce professional 3.0升级版，为中国的反盗版事业做出了积极贡献。

附件是个不错的东西，收下了

把插队的帖子删除了，楼主的原创介绍不错。学到不少东西，谢谢了～～