The end 2000- GO of year was marked by the output of game the cossacks: European wars - first game, which uses a system of protection Star-Force. By its appearance Star-Force it placed many questions before the researchers of programs. Arrived time it gave on them answers.

The nucleus of protection - this is the interpreter of pseudocode, which by itself strongly hampers its study. The part of the imported functions they are copied from their libraries and are modified. The part of the code is deciphered only with the fulfillment. In addition to this, actively are used the following methods: checking CRC different sections of memory, a constant resetting to zero of the check-out registers DRx, the control of the time of the fulfillment of different sections of the code with the aid of instruction RDTSC, moreover the latter are carried out from ring0 using that intercepted INT 0.

The method of the protection of import in Star-Force they applied where more efficient than in all seen by me pakerakh/protektorakh. In the classical protection this is simple passage to the real function, or passage only is further after the fulfillment of several first instructions of function. Here the functions, imported from libraries kernel32.dll, user32.dll, advapi32.dll, are copied into the memory of protection by pillar (but without podprotsedur). And they are modified according to the following rules: the code razmezhovyvayetsya by the commands

the two-byte passages jxx are substituted by their six-byte analogs, two-byte push 00h - five-byte, passages it saw jmp X (not short!) they are substituted to jmp $+5, and the code from X finishes writing itself with all rules after this instruction.

However, in this version of game similarly was protected only 11 importirumykh functions; therefore I decided to skhalturit' (this problem it was solved subsequently, with study Venom' A) and it reduced by their hands, mentally converting their code to the normal mode, and searching for then their ~y0 of the first bytes in the system libraries directly in Sice' e. by them they proved to be (in the ascending order of their address in the memory of protection): ReadFile, GetUserNameA, FindNextFileA, WriteFile, VirtualFree, GetFileType, VirtualAlloc, CreateFileA, DeleteFileA, FindClose, MessageBoxA.

After disposing thus entire import to the real addresses, we will use my lyubimoy utility for the similar situations ImportList by Boris and I will receive the normal section of import. Pomeshchayem it into our dump. It is already almost ready.

Parameter ID is determined, what precisely block of the code necessarily decoded and carried out, with ID=0 deshifruyetsya program itself. It is remarkable, that the decoded and carried out code is also contained calls _ DllDispatch. But this function - this and there is that very interpreter of the pseudocode, which was mentioned above. However, what it did make? To protrassirovat' each call into the forehead up to the iskomogo code? That zh, you can it attempted. But 4 to predlagayu to you the more interesting method, which allows automatically obtained immediately entire absent code. To us it pridetsya to a little poprogrammirovat' for this.

Budem it proceeded from the fact that once (during the fulfillment) the iskomyy code wakes it find in the memory in that decoded it saw. How possible did catch this moment? It is very simple. Each such function wakes it was turned to the basic code of program. I.e., transferred there control. It is meant, if we will intercept call _ DllDispatch and before returned control in protect.dll let us rewrite the section of the code by value of 0ccCh and stanem it processed INT3, then our trap will wear with the transfer of control to any place for the section of the code. The matter of technology is further. From flowed ring0 it became pregnant the indicator it flowed ring3, and we from there obtain address inside the iskomogo code. The code is found.

For convenience in the conducting with the game of similar manipulations, 4 rekomenduyu it added to its import its own library (deprotect.dll). It is received control after protect.dll; however, at this time the basic code yet does not wake decoded, but wakes it contained at the entrance point only call again into protect.dll. I will correct thus such (see iskhodnik) so that protect.dll after the decoding of code section would return control to our DLL. Now let us scan the code of game and will find all calls _ DllDispatch and their identifiers. I will preserve identifiers into the massif so that in the consequence it would avoid duplicating. Now budem it caused _ DllDispatch alternately with each outstanding identifier, and in processor INT3 let us provide the correct recovery of control to the procedure of look- restoration, and also let us provide the correction of all call' OV inside the obtained code taking into account the future position of additional code section, and let us provide correction call' and, that caused flowing _ DllDispatch. Search must it went into two stages: in the section of the code, and then in the obtained code.

On the completion of the work of program we budem had two files: text.bin - the corrected section of the code and code.bin - the additional section with the obtained code, which necessarily it added to our dump. Now, when new EXE- file is completely arranged, protect.dll possible moved away. It no longer is necessary.

Happiness from it started games without Star-Force it is rapidly changed by disappointment. To face of bagi: a quantity of money it is approached infinity, task for the mission does not show, before the starting of map it is proposed it was connected on TCP/IP and finally it was not generated random map. The reason for first two bagov proved to be the name of dump. They disappeared with pereimenovnii in dmcr.exe. By the reason for rest - error during the restoration of code of one of _ DllDispatch, namely that, which was not rotated to the section of the code, and did not be we have caught. As a result, in the new section was formed one completely stranger call. It is potential, such functions - weak place of this method of study, but not in this case. Via classical reversinga we determine that "excess" call stole in on it addressed (in my case) 0A3Ch to new section. We substitute 5 nop' OV on this it addressed to 13.

Star-Force - very interesting protection. Do not be afraid it spent time on its study - it that stands. I will put on, that my article helped you in its study. If in you any questions arose - you record, 4 with the pleasure to you otvechu.