Starforce again
Dj_Oggy
December 12th, 2005, 14:57
Hi reversers.
I have maybe a noob question. Can anyone tell me how StarForce detects the original CD? Does it have any digital signature on the CD, or does it measure data position? Thanks for replying.
---------
Sorry for my bad English.
JMI
December 12th, 2005, 15:48
As it says under your signature, you need to start by doing some of your own research. Two search criteria you can try are to put:
starforce detect cd
or
how starforce detects cd
in your favorite search engine and actually read some of the discussions you find. AFTER you have done some of your own research, come back and ask a question about what YOU have found.
Regards,
Dj_Oggy
December 13th, 2005, 00:49
ok ok

fighter_81
December 19th, 2005, 05:59
Well, I have a question about StarForce too. After a month I will be able to hide SoftICE to this fucking machine, but now I have a problem: when I launch the executable file and she doesn't find SoftICE, I put a bpmb getdrivetypea at this exe, and then after I trace even an instruction of getdrivetypea she resets my PC. I think it is the rdtsc method used to know the single step, or am I wrong? Can this be the trick, in your opinion? Or do I maybe have to break in the dll? I have searched and I know about rdtsc, that it checks the time to see if there's a debugger, but I don't know if that can reset PCs. What do you think? I just have the original game, but my intention is only to reverse that protection to share my knowledge with others and contribute to making the new crackers generation. If anyone wants to know how to hide sice, just tell me and I will be glad to explain how.
Regards, Fighter_81
Admiral
December 19th, 2005, 13:48
fighter_81,
It sounds to me that it's not your SoftICE that's being detected but the tracing. It's really easy to detect when your code is being traced (common ways being to count clock cycle or physical time deltas) and it's not too difficult to crash SoftICE (if you're sure that your debug detection hasn't hit a false positive).
You have two options.
1. Don't trace (over the sensitive spots).
2. Locate the payload responsible for causing the ring0 exception and bypass/neutralise it. This could be anywhere from trivial to extremely tricky, depending on where (as in which process/driver) the payload resides.
Maybe somebody who knows something about Starforce could be more specific.
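Added example, not part of the thread and not StarForce code: the clock-cycle delta check Admiral describes, written from the protection side, where a guarded region is timed and compared against an untraced baseline. The function names, the sample count of 31 and the `factor` of 1000 are assumptions made for illustration; the median baseline is there to keep interrupts and context switches from causing the false positives he mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Cycle counter on x86 (RDTSC); wall-clock nanoseconds elsewhere. */
static uint64_t read_ticks(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __builtin_ia32_rdtsc();
#else
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Guarded region: a handful of instructions. Each single-step through it
   costs a debug exception, so a traced run is orders of magnitude slower. */
static uint64_t timed_region(void) {
    volatile uint32_t acc = 0;
    uint64_t start = read_ticks();
    for (int i = 0; i < 16; i++) acc += (uint32_t)i;
    return read_ticks() - start;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of the samples; sorts the array in place. */
static uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Nonzero when delta exceeds the untraced baseline by `factor`
   (hypothetical tuning knob, chosen for this example). */
static int looks_traced(uint64_t delta, uint64_t baseline, uint64_t factor) {
    if (baseline == 0) baseline = 1;
    return delta > baseline * factor;
}

int main(void) {
    uint64_t s[31];
    for (size_t i = 0; i < 31; i++) s[i] = timed_region();
    uint64_t base = median_u64(s, 31), now = timed_region();
    printf("baseline=%llu delta=%llu traced=%d\n", (unsigned long long)base,
           (unsigned long long)now, looks_traced(now, base, 1000));
    return 0;
}
```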
Maximus
December 19th, 2005, 15:46
As long as the problem is within r3, you might try to set CR4.TSD=1...
...better you write an exception handler for catching some way the raised #gp also.
(RDTSC execution can be forced to happen at r0 only)
0rp
December 19th, 2005, 15:51
sf installs its own int1 and int3 handlers during init and uses the int1 instruction to switch runlevel (int1 in ring3 switches to ring0 and vice versa)
it's even using dr regs to set up breakpoints to do these switches