Securom FAQ Updated, Big BS

This topic is closed.
This is a sticky topic.

  • 13thHouR
    replied
    Hi dude,

    It depends what you mean by worse than Starforce/Tages, and what is in Ring 0.

    What I can say without scuppering ongoing cases is that SecuROM's Virtual communications device in Ring 0 is not as benign as it first appears.

    Be careful when reading Sony's comments, they do not say "We do not use Ring 0". Their verification application is not in Ring 0, but their virtual device is.

    Just a clever bit of wording.

    Also, which is worse depends on which terms you look at it in.

    Being able to play backups on virtual drives, or security of your system.

    In this case the latter is much worse in SecuROM because of the nature of how SecuROM goes about its business and what it uses.

    Also all of SecuROM has not been enabled; unlike what Security Technologies did with Starforce, Sony have made some of the Security features dynamic. This basically means Software publishers can increase or decrease the requirements on demand.

    Which essentially makes it a moving target where on-line gaming is concerned.

    Also makes it a bitch for gamers to say it does this or it does that wrong, as before they know it that has been turned off and they are made to look stupid.

    Hats off to Sony for that, because the biggest threat to any DRM is too many gamers getting together and swapping information. Destroy the reputation of those complaining and you prevent it gathering momentum.

    Well, in theory anyway. With EA's approach of what was enabled, the weak links were Vista's communications protocols and the Authentication Servers themselves. When that screwed up, too many people got together and talked about it.

    Which got the momentum going.



  • evlncrn8
    replied
    wow, was wondering when you'd turn up..

    ring 0 is where the core of the os is at, that's pretty much evident, getting from ring 3 to ring 0 in xp sp2 or higher is pretty tricky, given the new stuff they added in (blocking \\physicalmemory blah etc) and various other things

    i can't see how securom or safedisc could be worse than starforce or tages, simply because starforce and tages are heavily reliant on their ring 0 stuff

    and you're right ring 0 'owns' ring 3, if something's hidden well in ring 0 then ring 3 shouldn't see it, but that's the main caveat.. if something is hidden yet you can see other evidence to prove that something is hiding it, that's conclusive that something 'fishy' is going on.. and that's what most of the protections do... is it any coincidence that sptd.sys renamed their driver information etc when it's loaded? (done because, if i remember right tages/solidshield looked for it)..

    there's various ways to detect things on the system, one is to look for 'anomalies' (drivers present, but you cannot access them by filename - findfirstfile etc returns null and so on..)...

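The anomaly check described in the post above (a driver that is loaded but whose file cannot be reached by name), sketched as an added example that is not part of the original thread. It assumes PowerShell 3 or later; the helper name `Resolve-DriverImagePath` is hypothetical.

```powershell
# Added example: cross-view check from user mode (ring 3).
# View 1: drivers the Service Control Manager reports as running.
# View 2: what ordinary file APIs can see on disk.
# A running driver whose image file is not visible by name is an anomaly.

function Resolve-DriverImagePath {
    param([string]$PathName, [string]$Name)
    # No ImagePath registered: Windows defaults to System32\drivers\<name>.sys
    if ([string]::IsNullOrWhiteSpace($PathName)) {
        return Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
    }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x.sys      -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\x.sys -> C:\Windows\x.sys
    if ($p -notmatch '^[A-Za-z]:\\') {                      # relative form: System32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$running = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'"

$findings = foreach ($d in $running) {
    $image = Resolve-DriverImagePath -PathName $d.PathName -Name $d.Name
    if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
        [pscustomobject]@{
            Driver        = $d.Name
            DisplayName   = $d.DisplayName
            ExpectedImage = $image
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No running driver with a missing or inaccessible image file.'
}
```

Run it from a 64-bit PowerShell session, because a 32-bit process has System32 redirected to SysWOW64 and will report false anomalies. A hit is a lead to investigate rather than proof of hiding, and a driver that filters both views consistently will not show up here.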


  • 13thHouR
    replied
    I have been seeing interesting conversations about Ring 0 and Run level 3.

    As SBlade has been saying, Ring 0 is the super user level, if you like, of your entire OS.

    The Virtual Communications Device used by SecuROM sits in Ring 0 (the more detailed information about this is subject to an ongoing class action lawsuit so please do not ask for details at the moment).

    The main parts of SecuROM run in runlevel 3.

    It is a common misconception about which does what. But let's just say there is sufficient evidence to show that SecuROM is not so innocent in Ring 0 and this Virtual Communications device makes Starforce look like something created by somebody in Kindergarten. Anyway enough said about that part.

    Getting back to Ring 0 issues, software run in this area has total control, this means it can feed any DRM or any other software whatever it needs.

    DT and Ring 0.

    Of course it runs in Ring 0, how the heck do you think the OS sees it as a virtual drive?

    However there is a serious difference between unwanted DRM and a Trusted Application in Ring 0, as I hammered into Security Technologies' heads over Starforce.

    Various versions of DT have a stealth mode. Again this is a trusted Ring 0 application. Which did warn you about the risks.

    Alcohol 120% does the same, gives you a warning about this.

    Trusted Ring 0 applications/virtual devices that the end user chooses to have on their system are considerably different to a DRM being forced upon them.

    A few weeks ago, I was in a conversation with one of the Developers of Starforce. (He now writes mods for various games such as the GTA series).

    His exact words: "SecuROM I ***king hate that, it's many times worse than Starforce". "I feel sorry for anybody that lets that near their system".

    Seriously, that was from an Ex Starforce Developer.





    A reminder, something running in Ring 0 can feed anything it likes to programs in runlevel 3. So SecuROM could only find registry keys from Runlevel 3 if DT stealthing was not coded correctly. Simple as that.

    There is no further argument on that point; if people do choose to argue about it, then it is clear they do not understand what control Ring 0 has.
    Last edited by 13thHouR; 11.11.2008, 00:31.



  • Sblade
    replied
    @evlncrn8

    Well, common sense says to me that Ring0 can feed ring3 whatever it wants, and when the Ring0 stealth device is hidden in the registry how is it possible to detect it from userland?

    I invite you to enlighten me and many others... prove that I'm wrong. Thanks

    EDIT:
    Originally Posted by Blazkowicz View Post
    There is no need for YASU when mounting into latest DT Lite/Pro. Also game doesn't use any copy protection for starting the game - only the addon for installation.
    Now if you won't mind Blazkowicz... if DT has its own Ring0stealth functionality, how does Securom detect it? You can give your personal opinion leaving aside the team's one...
    Last edited by Blazkowicz; 10.11.2008, 21:26. Reason: Full post quote



  • ß
    replied
    It's a SONY

    Here is what they say about their own registry entries. It's not exactly about the inner workings as attempted to be discussed here, but still relevant nevertheless. ...or something like that.

    What is the SecuROM entry in the registry?

    The Windows registry is a directory that stores settings and options for the operating system for Microsoft Windows. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. As part of SecuROM, certain license information as well as information used to optimize the authentication of the SecuROM disc signature is stored within the registry keys.
    The SecuROM registry keys can be found in one or both of the following locations:
    • HKEY_CURRENT_USER\Software\SecuROM
    • HKEY_LOCAL_MACHINE\SOFTWARE\SecuROM

    Additionally the similar keys can be found in the following location:
    • HKEY_USERS\"Your SID"\Software\SecuROM

    Example given HKEY_USERS\S-1-5-21-57989841-1220945662-839522115-1003\Software\SecuROM
    Please note that the SID is different on each machine.
    Due to the registry management of Windows, you have separate HKEY_USERS\"SID" keys for each Windows user account. Depending on how many user accounts the protected application was executed, the SecuROM key might be stored in various HKEY_USERS\"SID" keys.

    What is it for?

    SecuROM registry keys are solely used for storage of drive authentication information and license information.
    The purpose of the registry keys labelled "!CAUTION! NEVER DELETE OR CHANGE ANY KEY" and/or "License information" is to enable SecuROM to perform its Digital Rights Management function properly (license data is stored beneath this key) and prevent users from inadvertently deleting keys and or values stored beneath this key. Other than the license data, there is no code, EXE, DLL, or driver stored in the registry key.
    The "WL" registry folder contains drive calibration values and recognition times. This information is used to optimize the authentication of the SecuROM disc signature.
    It is not recommended to remove any of the registry keys. If the "Keys" or "WL" folders are removed, these values will be rebuilt with further SecuROM disc authentications. It is highly recommended to not tamper with the "UserData", "!CAUTION! NEVER DELETE OR CHANGE ANY KEY" or "License Information" registry key folders.

    General Information

    All information stored is solely used by SecuROM, as explained in this statement. No other code, EXE, DLL, service, driver or similar is invoked, neither directly nor indirectly, neither via SecuROM nor via Windows OS or other applications. It simply does not contain any information related to the execution of additional code, except SecuROM's internal Digital Rights Management enforcing functionality.

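A read-only inventory of the registry locations named in the FAQ text quoted above, as an added example that is not part of the original thread or of Sony's FAQ. The `WOW6432Node` path is an assumption added here (the 32-bit view of `HKEY_LOCAL_MACHINE\SOFTWARE` on 64-bit Windows); it is not listed in the FAQ.

```powershell
# Added example: list every SecuROM key in the locations the FAQ names.
# Nothing is modified or deleted.

$roots = @(
    'Registry::HKEY_CURRENT_USER\Software\SecuROM',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\SecuROM',
    # Assumption, not from the FAQ: 32-bit registry view on 64-bit Windows
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecuROM'
)

# One candidate per loaded user hive: HKEY_USERS\<SID>\Software\SecuROM.
# The <SID>_Classes hives are skipped. The current user's SID repeats HKEY_CURRENT_USER.
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\SecuROM" }

$report = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # The root key itself plus everything beneath it
    $keys  = @(Get-Item -LiteralPath $root)
    $keys += @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        [pscustomobject]@{
            Key     = $key.Name
            SubKeys = $key.SubKeyCount
            Values  = $key.ValueCount
        }
    }
}

if ($report) {
    $report | Sort-Object Key | Format-Table -AutoSize
} else {
    'No SecuROM key found in the checked locations.'
}
```

Only hives that are currently loaded appear under `HKEY_USERS`, so accounts that are not logged on are not covered by this pass.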


  • evlncrn8
    replied
    social engineering? not quite my thing...

    callgates.. sure they exist and sure they're an interface, last time i checked though i didn't see callgate usage in recent safedisc titles, or securom either... callgates are also dependent on the user privileges, if the user wasn't admin or whatever then they probably wouldn't work, which then leads back to the same question of how do they detect xyz when the user is not an admin (which you'd have found out if you actually checked your theories)...

    as for native -> naive, simple misreading... and i know what it means, but it could also have been a typo, considering you spelt routine wrongly anyway

    proof (especially for a legal case, which you claim you've joined) does need to be scientific, the results do need to be reproducible.. at least, they did last time i checked...

    regardless however, it's entirely possible to detect ring 0 drivers from userland (ring 3) without the need to 'drop down' to ring 0 at all... which was the whole point of this thread i believe.. the 'no way to tell' is simply inaccurate



  • Sblade
    replied
    Stop the social engineering...

    Originally Posted by evlncrn8 View Post
    the only accurate thing about your post is the last bit,, as for the 'monitoring ring 0'.. total nonsense, and 'having to go into ring 0 if the program is in stealth mode'.. that really shows your lack of checking.. have you even tried to enter ring 0 from ring 3?....
    There's something called Call Gates....


    Originally Posted by evlncrn8 View Post

    as for 'registry data.. what data can't be falsified from ring 0 to the native ring 3'.. ring 0 is native.. so you got that the wrong way around, and data is data.. data in the registry does not magically turn into ring 0 data or ring 3 data.. it's identical...

    so please, do some research, test your theories before you post them and look foolish when the information you claim is right turns out to be wrong..
    I can smell some social engineering here. I said naive, which means innocent. But you understood what you wanted. My sentence is from RING0 to naive Ring3, which is accurate. Honest, I'm not here to be hero or be a candidate for general elections so once again leave the trolling about.

    I'm here looking for LocutusofBorg's opinion. I'm not interested in a macho demonstration of any type. Computer Science isn't an exact one... many people say Vista is crap, and we know it has bugs....
    and we don't see people saying "that's not scientific"...
    Last edited by Blazkowicz; 10.11.2008, 14:41.



  • evlncrn8
    replied
    Originally Posted by Sblade View Post
    Ring 3 detection routines still have to go into Ring 0 if the program is in stealth mode. It already hides itself in the registry in that mode otherwise it would have been easy for DRM's to circumvent the circumvention.

    Securom starts in RING3 and monitors the RING0... otherwise nothing will prevent DT stealth to false registry data and fool Securom.... when I say registry data.... what data CAN'T be falsified from RING0 to the naive RING3?

    Ring0 overrules Ring3, that's a simple fact no one can deny...
    the only accurate thing about your post is the last bit,, as for the 'monitoring ring 0'.. total nonsense, and 'having to go into ring 0 if the program is in stealth mode'.. that really shows your lack of checking.. have you even tried to enter ring 0 from ring 3?...

    as for 'registry data.. what data can't be falsified from ring 0 to the native ring 3'.. ring 0 is native.. so you got that the wrong way around, and data is data.. data in the registry does not magically turn into ring 0 data or ring 3 data.. it's identical...

    so please, do some research, test your theories before you post them and look foolish when the information you claim is right turns out to be wrong..



  • Sblade
    replied
    Originally Posted by evlncrn8 View Post
    dt agent and other programs run in ring 3 (userland), the daemon tools device is handled by the ring 0 drivers (the daemon tools one.. and the sptd one)... there's no 100% way to hide ring 0 from ring 3 because registry keys, interfaces for ioctl and so on have to exist for communication purposes... if a ring 3 program crashes, it doesn't (usually) take out the system with it... if ring 0 crashes it's game over.. typically a bugcheck -> bsod...

    as for writing a routine that blocks securom ring 3 access, look again.. what do you think yasu does, curerom does/did , seculauncher and various other utilities out there do/did?...

    We know that the utilities that you have mentioned don't work with latest Securom version if they aren't updated....

    Ring 3 detection routines still have to go into Ring 0 if the program is in stealth mode. It already hides itself in the registry in that mode otherwise it would have been easy for DRM's to circumvent the circumvention.

    Securom starts in RING3 and monitors the RING0... otherwise nothing will prevent DT stealth to false registry data and fool Securom.... when I say registry data.... what data CAN'T be falsified from RING0 to the naive RING3?

    Ring0 overrules Ring3, that's a simple fact no one can deny...
    Last edited by Sblade; 10.11.2008, 00:45. Reason: quoting



  • Sblade
    replied
    I trust DT. I don't trust Securom using RING 0 countermeasures to flag/stop DT.

    Sony has a history of invading systems. DT not.



  • evlncrn8
    replied
    dt agent and other programs run in ring 3 (userland), the daemon tools device is handled by the ring 0 drivers (the daemon tools one.. and the sptd one)... there's no 100% way to hide ring 0 from ring 3 because registry keys, interfaces for ioctl and so on have to exist for communication purposes... if a ring 3 program crashes, it doesn't (usually) take out the system with it... if ring 0 crashes it's game over.. typically a bugcheck -> bsod...

    as for writing a routine that blocks securom ring 3 access, look again.. what do you think yasu does, curerom does/did , seculauncher and various other utilities out there do/did?...

    not sure what you mean about the post i don't like.. the one you posted makes no sense or not, if i didn't like daemon tools i wouldn't have the customer tag now would i?

    nor (if i thought it was a rootkit) would i have bought it... sure, it uses some rootkit-like things (api hooking in ring 0 for example) which may make people feel paranoid but that all depends on your trust of the developers..



  • Sblade
    replied
    OK, I found the post you don't like evlncrn8...



    Foolish Chris. He is paranoid about DT, not paranoid about a Sony DRM similar to XCP...ignorant completely of the risks that implies running Securom games...

    So DT works now in Ring3? if DT virtual drives runs still in RING0, can't you write a rutine that will always fool Securom RING3 access?



  • evlncrn8
    replied
    sure, there's ways to tell, however your limited (even then you don't admit it) knowledge and experience makes you guess (incorrectly)...

    to 'take on' an enemy, it's usually a good idea to understand them first, not make guesses....



  • Sblade
    replied
    How they Distinguish between legit and emulated IDE drives? I mean there's no way to tell... since emulating hardware is required to be at RING0 they can't tell the difference...

    and blacklisting would be a baaaad idea...



  • Blazkowicz
    replied
    They do in latest SecuROM version.

