
Star Force Protection


Guest
January 20th, 2001, 15:54
Hi, dear reversers. I have a big problem.
I have a CD game, protected with "star force protection" (http://star-force.com).
It uses a big protect.dll, where all protection functions are implemented. The Entry Point of the program is at the end of the .text section and contains only one call of a dll function.
As I know, after all tests, the dll must return to the OEP of the program, but I can't find the OEP: in the dll function there are very strange cycles - I can't find where their end is (?!?!). I tried some other known methods (e.g. the /tracex function) - but no result - just a BSoD.

Please, if you know something about unwrapping this shit, give me an answer.

tsehp
January 21st, 2001, 05:24
/tracex is tracing your actual thread; if you're inside the protect.dll it will normally not find the main exe's OEP if there is a context change.

Look if there are several threads when the dll is working and look if it's the same thread that is calling the main exe OEP; if not, you must /tracex the correct thread if you want it to trigger.

The Owl
January 21st, 2001, 09:44
Quote:

I have a CD game, protected with "star force protection" (http://star-force.com).
It uses a big protect.dll, where all protection functions are implemented. The Entry Point of the program is at the end of the .text section and contains only one call of a dll function.
As I know, after all tests, the dll must return to the OEP of the program, but I can't find the OEP: in the dll function there are very strange cycles - I can't find where their end is (?!?!). I tried some other known methods (e.g. the /tracex function) - but no result - just a BSoD.


looks like another russian group trying to walk the other side of the road ;-). if you can make available all the files needed to successfully start (unwrap) your game, then i can look into the /tracex issue at least, although don't expect much, it's trivial to fool it in win9x. as a sidenote, did you notice if this scheme installs/uses any kernel mode component (vxd/sys)? if it does and you can isolate the file, i'd be especially interested in it/them.

Guest
January 21st, 2001, 18:49
I've uploaded the main exe and dll to http://members.nbci.com/a0101010101/shit.zip
Certainly, it does not work correctly without the resources, but who knows.
As I can see, the game does not use the CD in gameplay - just a test (reads some random(?) data from it). The main exe is empty and gets filled with decrypted/unpacked data from the dll after dll initialization. As I can see, it does not use any vxd/sys drivers - only protect.dll. All my attempts to trace it manually ended in failure - the prog just locks, or I get a BSoD.
If I set some useful breakpoints (e.g. GetModuleHandle, LoadLibrary) - the program just locks up and does not work at all.
Maybe it uses some data from the CD for decrypting/unpacking, but I can't upload 200mb of game, and I can't find any other target protected by this scheme. Sorry.

The Owl
January 22nd, 2001, 16:09
is this supposed to run under w2k? all i get is a 'not a valid win32 app' message and i see some PE header editing by PEditor 1.7. is this really the original exe?

Guest
January 22nd, 2001, 18:45
Sorry, it is my mistake - I made some changes in the header, but I run it on WinME and it works fine:
1) I decreased the virtual size of the .data section - this is only buffers for game sprites, but without the change IDA uses too much RAM, and sometimes locks my system.
2) I killed the "debug information present" flag in the header, because this data is actually absent in the file, and IDA crashed on "reading outside a file".
3) I changed in protect.dll the names of the SoftICE drivers (//./SICE, //./WINICE, ...) and the name of the IsDebuggerPresent function to fool the stupid debugger detection routines.

Original section size:
.data VS: 18095C8h

Original Debug Info:
RVA: 165000h, Size: 1Ch

I've uploaded the original header from the main exe to:
http://members.nbci.com/a0101010101/header.zip

I'm very sorry that I sent not the original files, and that I took away your precious time.
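The two header anomalies this post describes (a debug directory entry whose bytes are not in the file, so a tool "reads outside the file", and a .data section whose VirtualSize is far larger than its raw data) can be detected before loading a sample into a disassembler. The following is an added example, not code from the thread or from the game; pe_sections, check_debug_directory, oversized_sections and build_sample are my own names, build_sample produces a constructed minimal PE32 rather than the real executable, and the parser also handles PE32+ headers, which the thread does not mention.

```python
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6  # index of the debug entry in the data-directory table

def pe_sections(data):
    """Parse a PE image; return (sections, data directories) read from its headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data-directory offset
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return sections, dirs

def check_debug_directory(data):
    """Flag a debug directory entry whose bytes are not actually present in the file."""
    sections, dirs = pe_sections(data)
    rva, size = dirs[IMAGE_DIRECTORY_ENTRY_DEBUG]
    if size == 0:
        return []
    for name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            # RVAs past va + rawsize exist only as zero-filled virtual space, not on disk
            if rva + size > va + rawsize or rawptr + rawsize > len(data):
                return [f"debug directory RVA {rva:#x} size {size:#x} in {name} is not backed by file data"]
            return []
    return [f"debug directory RVA {rva:#x} lies outside every section"]

def oversized_sections(data, ratio=16):
    """Names of sections whose VirtualSize dwarfs their on-disk bytes (large zero-filled buffers)."""
    return [s[0] for s in pe_sections(data)[0] if s[2] > ratio * max(s[4], 1)]

def build_sample(debug_rva, debug_size, data_vsize=0x1000):
    """Constructed minimal PE32 (not the game's file): one .data section, 0x200 raw bytes at RVA 0x1000."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + bytes(128))
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, debug_rva, debug_size)
    sec = struct.pack("<8sIIIIIIHHI", b".data", data_vsize, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos + coff + opt + sec).ljust(0x200, b"\0") + b"\0" * 0x200
```

Running check_debug_directory on a real file means reading it into memory first; the 0x18095C8 value below is the VirtualSize quoted in the thread, used only to show the oversized-section check firing.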