SycoShaman
VIP Master Jedi
Posts: 24468
Location: Toronto, Canada
Posted: Tue, 12th Apr 2005 19:55
Post subject: Splinter Cell: Chaos Theory - Scan of EXE Entry Point
;------------------------------------------------------------------------------
; Minimal WinMain start-up stub: fetch the command line, skip the program name
; and the blanks after it, read nShowCmd from STARTUPINFOA, call the main
; function with WinMain's arguments, then ExitProcess with its return value.
EntryPoint:
push ebp
mov ebp,esp
sub esp,00000044h                     ; 44h = sizeof(STARTUPINFOA); local si at [ebp-44h]
push esi
call [KERNEL32.dll!GetCommandLineA]
mov esi,eax                           ; esi = full command line
test esi,esi
jnz L0040C831
push FFFFFFFFh
call [KERNEL32.dll!ExitProcess]       ; no command line: ExitProcess(-1)
L0040C831:
mov al,[esi]
push edi
mov edi,[USER32.dll!CharNextA]        ; edi = CharNextA (DBCS-aware "advance one char")
cmp al,22h                            ; does the program name start with a double quote?
jnz L0040C859                         ; no: bare (unquoted) name
L0040C83E:                            ; quoted name: advance until closing quote or NUL
push esi
call edi
mov esi,eax
mov al,[esi]
cmp al,22h
jz L0040C84D
test al,al
jnz L0040C83E
L0040C84D:
cmp byte ptr [esi],22h
jnz L0040C867                         ; reached NUL without a closing quote
L0040C852:                            ; step over one char (closing quote, or a blank)
push esi
call edi
mov esi,eax
jmp L0040C867
L0040C859:                            ; bare name: advance while char > ' '
cmp al,20h
jle L0040C867                         ; signed compare: bytes >= 80h also end the name
L0040C85D:
push esi
call edi
mov esi,eax
cmp byte ptr [esi],20h
jg L0040C85D
L0040C867:                            ; skip blanks/control chars before the arguments
mov al,[esi]
test al,al
jz L0040C871
cmp al,20h
jle L0040C852
L0040C871:                            ; esi = lpCmdLine
and dword ptr [ebp-18h],00000000h     ; si.dwFlags (offset 2Ch) = 0
lea eax,[ebp-44h]
push eax
call [KERNEL32.dll!GetStartupInfoA]   ; GetStartupInfoA(&si)
test byte ptr [ebp-18h],01h           ; STARTF_USESHOWWINDOW set?
pop edi
jz L0040C88C
movzx eax,[ebp-14h]                   ; yes: nShowCmd = si.wShowWindow (offset 30h)
jmp L0040C88F
L0040C88C:
push 0000000Ah
pop eax                               ; no: nShowCmd = SW_SHOWDEFAULT (10)
L0040C88F:
push eax                              ; nShowCmd
push esi                              ; lpCmdLine
push 00000000h                        ; hPrevInstance = NULL
push 00000000h
call [KERNEL32.dll!GetModuleHandleA]  ; GetModuleHandleA(NULL)
push eax                              ; hInstance
call SUB_L004071EE                    ; called as WinMain(hInstance, NULL, lpCmdLine, nShowCmd)
push eax
call [KERNEL32.dll!ExitProcess]       ; ExitProcess(return value); never returns
L0040C8A8:                            ; not reachable from above; the stub that follows it
call [KERNEL32.dll!DebugBreak]
xor eax,eax
retn
;------------------------------------------------------------------------------
I scanned this with PE Explorer (nice lil app). It's from the Multi-Lang SC3 Clone DVD retail release. Used the disassembler.
Now, I have a question (or a few). I take it this is the function that is the entry point for the exe (i.e. loads into StarForce? or the beginning sequences of the game)? Most of it is beyond my knowledge as of now. The function name/reference is 0040C816: EntryPoint.
Couldn't you just edit the exe to reference another entry point, after the SF3 check and all that, bypassing protection? Like, say, the entry point would be the main game screen (new game, load game, etc.)? I dunno if it's a "real" crack, but if it would work, fuck, I'll take it.
Can anyone use this info for some practical use? Or are we all just gonna read it and imagine? If someone needs more info, lemme know,
or you can just get PE Explorer.
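What the listing above does, written out in C as an added example (not code from the post or from the game): the command-line skip and the nShowCmd selection are reproduced as plain functions, with CharNextA replaced by single-byte stepping and the Windows calls replaced by parameters, so it builds on any platform.

```c
#include <stdio.h>
#include <string.h>

/* Bit 0 of STARTUPINFOA.dwFlags, the bit the stub tests at [ebp-18h]. */
#define STARTF_USESHOWWINDOW 0x1u
/* The 0Ah the stub pushes when that bit is clear. */
#define SW_SHOWDEFAULT 10

/* Mirrors the loop from L0040C831 to L0040C871: skip the program name
 * (quoted or bare) and the blanks after it, returning lpCmdLine.
 * Assumption: CharNextA is replaced by single-byte stepping (no DBCS). */
const char *skip_program_name(const char *cmd)
{
    const char *p = cmd;
    if (*p == '"') {                         /* cmp al,22h: quoted name */
        do {                                 /* L0040C83E: advance until '"' or NUL */
            p++;
        } while (*p != '\0' && *p != '"');
        if (*p == '"')                       /* L0040C84D/L0040C852: step past the quote */
            p++;
    } else {
        /* L0040C859/L0040C85D: jle/jg are signed compares, so bytes >= 0x80
         * end the name just like a space does; signed char reproduces that. */
        while ((signed char)*p > ' ')
            p++;
    }
    /* L0040C867: skip blanks and control bytes before the first argument */
    while (*p != '\0' && (signed char)*p <= ' ')
        p++;
    return p;
}

/* Mirrors the GetStartupInfoA block: use si.wShowWindow only when
 * STARTF_USESHOWWINDOW is set, otherwise the hard-coded SW_SHOWDEFAULT. */
int pick_show_cmd(unsigned dwFlags, unsigned short wShowWindow)
{
    return (dwFlags & STARTF_USESHOWWINDOW) ? (int)wShowWindow : SW_SHOWDEFAULT;
}

int main(void)
{
    /* Constructed sample command lines, not taken from the game. */
    const char *samples[] = {
        "\"C:\\Games\\game.exe\" -w 800 -h 600",
        "game.exe   -nosound",
        "\"unterminated quote",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> lpCmdLine=\"%s\"\n", samples[i], skip_program_name(samples[i]));
    printf("nShowCmd (flag clear) = %d, (flag set, wShowWindow=3) = %d\n",
           pick_show_cmd(0, 3), pick_show_cmd(STARTF_USESHOWWINDOW, 3));
    return 0;
}
```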


Posted: Tue, 12th Apr 2005 20:57
Heh, NFOrce is becoming a reversing place...
Quote:
> Couldn't you just edit the exe to reference another entry point, after the SF3 check and all that, bypassing protection?
Now it's clear that you were dealing with cracking stuff in the past. Good idea, but the problem is that most current protections use so-called LAYERS, which represent different parts of the code being decrypted at different stages, so if you want to change anything important, first you have to deal with a few thousand (sometimes more) layers composing the entire protection code. Even if you were able to find the place of the check(s), you would then find many other problems like: virtual machine, compression, polymorphic code, obfuscation, code checksum and so on. In StarForce, CD checks are executed in a different way on each run. There's no static route.
You've got a good idea, but software protection developers know it too. Let's count on the great crackers.

SycoShaman
VIP Master Jedi
Posts: 24468
Location: Toronto, Canada
Posted: Tue, 12th Apr 2005 21:28
Ah damn, I thought maybe I had something... lol
I knew it was gonna be more in-depth, but damn... so short of being a fuckin' genius, a person couldn't crack it, eh? Well, I got a goal now lol j/j

Posted: Tue, 12th Apr 2005 21:38
Sure, but to decrypt the code you have to deal with ring0 anti-debugger protection (IDT control) and then write a decompiler and tracer to search for the details of the CD-check mess.
NFOrce isn't the right place to talk about it. Let's close this thread.
(BTW, to all da young crackers: I don't search for any friends and I won't reply to ANY message regarding the above posts. Save your time and play Nintendo.)

Posted: Tue, 12th Apr 2005 21:59
If I'll be someday, then I'll help you.
Quote:
> SF3's driver-level anti-debugging isn't the order of the day here. There are plenty of other places on the web where these things are discussed.
You are smart. Knowing I'll not respond to PMs, you used sneaky public posts to get me into the flow.
Know how to listen, and you'll profit even from those who talk badly.

DVQ
Posts: 87
Location: Mexico
Posted: Tue, 12th Apr 2005 22:21
Remember those copies I ordered last week? Well, they are here. Trust me, I have seen the protection in action. OMFG, that's some annoying shit... BTW: the great is more than excellent.

Posted: Tue, 12th Apr 2005 23:00
kachain wrote:
> If I'll be someday, then I'll help you.
> Quote:
> > SF3's driver-level anti-debugging isn't the order of the day here. There are plenty of other places on the web where these things are discussed.
> You are smart. Knowing I'll not respond to PMs, you used sneaky public posts to get me into the flow.
> Know how to listen, and you'll profit even from those who talk badly.
Not at all, I was joking, but yes, getting you into the flow was a side effect of the discussion.
Thanks for your input, appreciated. Feel free to PM me at your convenience.
Listening is something I've always done well. Ignorance gets you nowhere, I've found, especially from the outside looking inwards into something you don't really understand.

Posted: Tue, 12th Apr 2005 23:10
Thanks, it was my pleasure.
We'll meet, you can bet on it. If not here, then in another dimension... but we will.

Posted: Wed, 13th Apr 2005 05:30
Hey, I just noticed that SCCT is out on Direct2Drive... maybe we could use that version?

Posted: Wed, 13th Apr 2005 06:26
I might be recapping, but there are indeed plenty of other places to discuss this, and to learn to be "1337", as you put it.
A simple Google search for "reverse engineering" (remove quotes if you wish) will yield hundreds of relevant search results to get you into the mode, so to speak. Though, if you're really into it, you may want to get an understanding of assembly, the structure of .exe files, etc. before you actually attempt to learn RE.
"reverse engineering cracking" (once again, no quotes) will yield more, ahem, relevant search results.
Slaggering around NFOrce begging for help (subtly or otherwise), as I have often done, will yield nothing but disapproving glances and statements of "suck ass". Google it.
Astalavista, kiddies...

SycoShaman
VIP Master Jedi
Posts: 24468
Location: Toronto, Canada
Posted: Wed, 13th Apr 2005 06:28
lol, didn't mean to start something, I was just wondering if someone could explain.

Posted: Thu, 14th Apr 2005 09:10
dojomann wrote:
> Hey, I just noticed that SCCT is out on Direct2Drive... maybe we could use that version?
Nope... StarForce encryption there too.

Posted: Thu, 14th Apr 2005 09:50
xAiTheHitman wrote:
> Quote:
> > In StarForce, CD checks are executed in a different way on each run. There's no static route.
> True. Don't forget the SF3 protection has constant updates.
> Quote:
> > A simple Google search for "reverse engineering" (remove quotes if you wish) will yield hundreds of relevant search results to get you into the mode, so to speak. Though, if you're really into it, you may want to get an understanding of assembly, the structure of .exe files, etc. before you actually attempt to learn RE.
> Somewhat true. You have to remember this thread is dedicated to talking about the protections. I guess the majority here want to get in depth about SF3.
> Also, it takes more than ASM to do reverse engineering. I see why it's illegal to talk about it here (haven't seen any mods say anything about it yet, though). Explaining and going in depth on reverse engineering of copyrighted material would warrant more than just bans.
> Anyway, it takes time. I doubt the crackers do this 24/7... gotta take breaks. You'd go insane doing this every day, all day. It's probably one of the reasons why it's taking so long to crack it, too.
1. There's a static route, but it looks like there isn't because there are so many possibilities that it's a very BIG route...
2. You're 100% right... It takes more effort + more time + more knowledge... You take just one thing out of it, and the cracking stops... Crackers are ppl, not machines; they have real-life problems, and they don't crack games 24/7... If there were a program to remove SF3 protection, or go around it, then maybe we would see releases much quicker. Until such a program is written, patience is the most important thing when it comes to SF3-protected games...

Posted: Thu, 14th Apr 2005 09:56
bigboy177 wrote:
> xAiTheHitman wrote:
> > Quote:
> > > In StarForce, CD checks are executed in a different way on each run. There's no static route.
> > True. Don't forget the SF3 protection has constant updates.
> > Quote:
> > > A simple Google search for "reverse engineering" (remove quotes if you wish) will yield hundreds of relevant search results to get you into the mode, so to speak. Though, if you're really into it, you may want to get an understanding of assembly, the structure of .exe files, etc. before you actually attempt to learn RE.
> > Somewhat true. You have to remember this thread is dedicated to talking about the protections. I guess the majority here want to get in depth about SF3.
> > Also, it takes more than ASM to do reverse engineering. I see why it's illegal to talk about it here (haven't seen any mods say anything about it yet, though). Explaining and going in depth on reverse engineering of copyrighted material would warrant more than just bans.
> > Anyway, it takes time. I doubt the crackers do this 24/7... gotta take breaks. You'd go insane doing this every day, all day. It's probably one of the reasons why it's taking so long to crack it, too.
> 1. There's a static route, but it looks like there isn't because there are so many possibilities that it's a very BIG route...
> 2. You're 100% right... It takes more effort + more time + more knowledge... You take just one thing out of it, and the cracking stops... Crackers are ppl, not machines; they have real-life problems, and they don't crack games 24/7... If there were a program to remove SF3 protection, or go around it, then maybe we would see releases much quicker. Until such a program is written, patience is the most important thing when it comes to SF3-protected games...
Yeah, that's true. I'm just not totally 100% on the route of SF3 protection. I believe that with the constant updates they may switch the patterns around a little bit so as to avoid crackers noticing a certain pattern or route.

Posted: Thu, 14th Apr 2005 10:44
bigboy177 wrote:
> 1. There's a static route, but it looks like there isn't because there are so many possibilities that it's a very BIG route...
> 2. You're 100% right... It takes more effort + more time + more knowledge... You take just one thing out of it, and the cracking stops... Crackers are ppl, not machines; they have real-life problems, and they don't crack games 24/7... If there were a program to remove SF3 protection, or go around it, then maybe we would see releases much quicker. Until such a program is written, patience is the most important thing when it comes to SF3-protected games...
SF code is polymorphic (a bit like the old polymorphic DOS viruses); the code changes itself on each execution cycle. If it were static, life would be easier for those interested in taking it down.

Posted: Thu, 14th Apr 2005 19:38
CableMunkeh wrote:
> bigboy177 wrote:
> > 1. There's a static route, but it looks like there isn't because there are so many possibilities that it's a very BIG route...
> > 2. You're 100% right... It takes more effort + more time + more knowledge... You take just one thing out of it, and the cracking stops... Crackers are ppl, not machines; they have real-life problems, and they don't crack games 24/7... If there were a program to remove SF3 protection, or go around it, then maybe we would see releases much quicker. Until such a program is written, patience is the most important thing when it comes to SF3-protected games...
> SF code is polymorphic (a bit like the old polymorphic DOS viruses); the code changes itself on each execution cycle. If it were static, life would be easier for those interested in taking it down.
Yeah, it changes for sure... but there must be a pattern to it; otherwise even the devs wouldn't know how to remove it... And I'm sure they have a tool to do it... If somehow they screw up a few titles (while adding protection), they must have a way to remove it and repeat the process... So there must be some sort of pattern... maybe it's not even a pattern as we know it... maybe it's encoded or some other shit... Only the SF3 devs know that... :]
And those polymorphic DOS viruses were sure a pain in the ass... but antivirus software removed them with no problems... because it was able to find them... In everything you can find a pattern, even in human DNA...

Posted: Thu, 14th Apr 2005 22:40
OK... guess you're right about the backup of unprotected soft... but still, they might have an SF3 removal tool... just in case...
About the pattern... I don't know if I understand it right, because not much info regarding the actual way SF3 works can be found... but...
SF3 drivers are responsible for the decoding of all encrypted files...
Not every file, and not whole files, are encrypted... just a few files and just a few of their functions... So the SF3 drivers must know what the encrypted data looks like... otherwise they would not know what to decrypt... and would cause errors... So there must be a pattern which is used to recognize encrypted data and then decrypt it using a unique key, which is read from the physical structure of the CD (time needed to access certain sectors of the CD)... I don't know if that's exactly how it works... But that's all I could figure out from some files and a few texts... :]

Posted: Sat, 16th Apr 2005 18:33
bludragn wrote:
> dojomann wrote:
> > Hey, I just noticed that SCCT is out on Direct2Drive... maybe we could use that version?
> Nope... StarForce encryption there too.
But what DVD would it be checking for??

Posted: Sat, 16th Apr 2005 18:46
dojomann wrote:
> bludragn wrote:
> > dojomann wrote:
> > > Hey, I just noticed that SCCT is out on Direct2Drive... maybe we could use that version?
> > Nope... StarForce encryption there too.
> But what DVD would it be checking for??
No disc checking... just encryption...

Posted: Sat, 16th Apr 2005 18:46
dojomann wrote:
> bludragn wrote:
> > dojomann wrote:
> > > Hey, I just noticed that SCCT is out on Direct2Drive... maybe we could use that version?
> > Nope... StarForce encryption there too.
> But what DVD would it be checking for??
It's using StarForce ProActive - check out the SF website, http://www.star-force.com, for more info on this.

Posted: Sat, 30th Apr 2005 03:22
CableMunkeh wrote:
> bigboy177 wrote:
> > 1. There's a static route, but it looks like there isn't because there are so many possibilities that it's a very BIG route...
> > 2. You're 100% right... It takes more effort + more time + more knowledge... You take just one thing out of it, and the cracking stops... Crackers are ppl, not machines; they have real-life problems, and they don't crack games 24/7... If there were a program to remove SF3 protection, or go around it, then maybe we would see releases much quicker. Until such a program is written, patience is the most important thing when it comes to SF3-protected games...
> SF code is polymorphic (a bit like the old polymorphic DOS viruses); the code changes itself on each execution cycle. If it were static, life would be easier for those interested in taking it down.
There is still a static function on some level. The code itself is not polymorphic in the way you seem to think. That's computationally impossible with a modern computer, because they're not universal Turing machines. It has a finite number of possible routes, and only a finite number of code variations will do the job. How it picks them may seem random, but it can't be. How many there are is obfuscated, but there is a certain number. When a function doesn't seem stable, go to the derivative: the rate at which it seems to change. Or the derivative of that, if it is still too complex.
A backup can be played on a USB 2.0 device. Ask yourself why. Now emulate this functionality in software. SF uses special drivers. Write drivers that counter them. Fuck the exe.

Posted: Sat, 30th Apr 2005 11:46
Quote:
> safe'n'sec is a computer security program. Probably ranked in the top 5.
A computer security program with a lot of drivers coming with it? Thanks for such a "security program"...
Ranked in the top 5? I guess you're joking, because I've never heard about this tool and I know no one using it.

All times are GMT + 1 Hour
Powered by phpBB 2.0.8 © 2001, 2002 phpBB Group