
Securom FAQ Updated, Big BS


  • #16
    I have been seeing interesting conversations about Ring 0 and Run level 3.

    As SBlade has been saying, Ring 0 is the super user level, if you like, of your entire OS.

    The Virtual Communications Device used by SecuROM Sits in Ring 0 (The more detailed information about this is subject to ongoing class action lawsuit so please do not ask for details at the moment).

    The main parts of SecuROM run in runlevel 3.

    It is a common misconception about which does what. But let's just say there is sufficient evidence to show that SecuROM is not so innocent in Ring 0 and this Virtual Communications device makes Starforce look like something created by somebody in Kindergarten. Anyway enough said about that part.

    Getting back to Ring 0 issues, software run in this area has total control, this means it can feed any DRM or any other software, whatever it needs.

    DT and Ring 0.

    Of course it runs in Ring 0, how the heck do you think the OS sees it as a virtual drive?

    However there is a serious difference between unwanted DRM and a Trusted Application in Ring 0, as I hammered into Security Technologies heads over Starforce.

    Various versions of DT have a stealth mode. Again this is a trusted Ring 0 application. Which did warn you about the risks.

    Alcohol 120% does the same. Gives you a warning about this.

    Trusted Ring 0 applications/virtual devices that the end user chooses to have on their system is considerably different to a DRM being forced upon them.

    A few weeks ago, I was in a conversation with one of the Developers of Starforce. (He now writes mods for various games such as the GTA series).

    His exact words: "SecuROM I ***king hate that, it's many times worse than Starforce". "I feel sorry for anybody that lets that near their system".

    Seriously, that was from an Ex Starforce Developer.





    A reminder, something running in Ring 0 can feed anything it likes to programs in runlevel 3. So SecuROM could only find registry keys from Runlevel 3 if DT stealthing was not coded correctly. Simple as that.

    There is no further argument on that point, if people do choose to argue about it. Then it is clear they do not understand what control Ring 0 has.
    Last edited by 13thHouR; 11.11.2008, 00:31.



    • #17
      wow, was wondering when you'd turn up..

      ring 0 is where the core of the os is at, thats pretty much evident, getting from ring 3 to ring 0 in xp sp2 or higher is pretty tricky, given the new stuff they added in (blocking \\physicalmemory blah etc) and various other things

      i can't see how securom or safedisc could be worse than starforce or tages, simply because starforce and tages are heavily reliant on their ring 0 stuff

      and you're right ring 0 'owns' ring 3, if somethings hidden well in ring 0 then ring 3 shouldn't see it, but thats the main caveat.. if something is hidden yet you can see other evidence to prove that something is hiding it, thats conclusive that something 'fishy' is going on.. and thats what most of the protections do... is it any co-incidence that sptd.sys renamed their driver information etc when its loaded? (done because, if i remember right tages/solidshield looked for it)..

      there's various ways to detect things on the system, one is to look for 'anomalies' (drivers present, but you can not access them by filename - findfirstfile etc returns null and so on..)...
      my views are 100% personal views..



      • #18
        Hi dude,

        It depends what you mean about worse than Starforce/Tages. and what is in Ring 0.

        What I can say without scuppering ongoing cases is that SecuROM's Virtual communications device in Ring 0 is not as benign as it first appears.

        Be careful when reading Sony's comments, they do not say We do not use Ring 0. Their verification application is not in Ring 0, but their virtual device is.

        Just a clever bit of wording.

        Also about which is worse, depends on which terms you look at it.

        Being able to play backups on virtual drives, or security of your system.

        In this case the latter is much worse in SecuROM because of the nature of how SecuROM goes about its business and what it uses.

        Also all of SecuROM has not been enabled, unlike Security Technologies did with Starforce, Sony have made some of the Security features dynamic. This basically means Software publishers can increase or decrease the requirements on Demand.

        Which essentially makes it a moving target where on-line gaming is concerned.

        Also makes it a bitch for gamers to say it does this or it does that wrong, as before they know it that has been turned off and they are made to look stupid.

        Hats off to Sony for that, because the biggest threat to any drm is too many gamers getting together and swapping information. Destroy the reputation of those complaining you prevent it gathering momentum.

        Well in theory anyway. With EA's approach of what was enabled, the weak links were Vista's communications protocols and the Authentication Servers themselves. When that screwed up, too many people got together and talked about it.

        Which got the momentum going.



        • #19
          ring 0 is ring 0 - kernel land, the place where drivers and the kernel live.. you can't redefine it..

          virtual communications device? what virtual device?.. please explain this one as its totally new to me, i have many securom games installed and i've seen no 'virtual communication devices or virtual devices of any kind' created by it... and 'verification application', whats that too... because none of this i've seen and i've grown quite accustomed to securom since v5 right up to now and know it very very well... and i know bullshit when i smell it...
          Last edited by evlncrn8; 11.11.2008, 18:20.
          my views are 100% personal views..



          • #20
            Originally Posted by 13thHouR View Post
            It depends what you mean about worse than Starforce/Tages. and what is in Ring 0.

            What I can say without scuppering ongoing cases is that SecuROM's Virtual communications device in Ring 0 is not as benign as it first appears.

            Be careful when reading Sony's comments, they do not say We do not use Ring 0. Their verification application is not in Ring 0, but their virtual device is.
            Well dude, I don´t understand entirely what they are saying

            SecuROM

            2.3 Does SecuROM™ install a driver or any other software at the kernel level ("Ring 0") of my PC?
            No, SecuROM™ does not install any components or perform any processes at the kernel or ring 0 level. All SecuROM™ components and processes occur at ring 3, the normal application level.


            Or perform any processes... that would include the virtual device in the definition?

            Originally Posted by evlncrn8 View Post
            virtual communications device? what virtual device?.. please explain this one as its totally new to me, i have many securom games installed and i've seen no 'virtual communication devices or virtual devices of any kind' created by it... and 'verification application', whats that too... because none of this i've seen and i've grown quite accustomed to securom since v5 right up to now and know it very very well... and i know bullshit when i smell it...
            The Virtual communications device is on lawsuit, don´t ask for details... you are the one who take the aggressive path now...

            I´m here to speak about the verification application, not about the virtual communications device used for online authentications, as this device isn´t used in disk checks.....

            Originally Posted by evlncrn8 View Post
            if something is hidden yet you can see other evidence to prove that something is hiding it, thats conclusive that something 'fishy' is going on.. and thats what most of the protections do... is it any co-incidence that sptd.sys renamed their driver information etc when its loaded? (done because, if i remember right tages/solidshield looked for it)..

            there's various ways to detect things on the system, one is to look for 'anomalies' (drivers present, but you can not access them by filename - findfirstfile etc returns null and so on..)...
            Well your theory is fine but it has a weak point....

            When Securom detects something "fishy" you´ll get the 5024 message " A required security module can not be activated. This program can not be executed" That´s what you get when something like Process Explorer is running....


            Now if Securom detects DT or any other emulation you get the Conflict with Emulation Software Detected

            Can you enlighten us how Securom distinguishes between fish A and fish B?
            Last edited by Blazkowicz; 11.11.2008, 19:04. Reason: Stop quoting full posts



            • #21
              Originally Posted by evlncrn8 View Post

              i can't see how securom or safedisc could be worse than starforce or tages, simply because starforce and tages are heavily reliant on their ring 0 stuff
              and so on..)...
              In 3 years of my forum DRM activity, I´ve never ever criticized Safedisc. I personally consider this DRM so harmless its not worth my time discussing it...

              Aside from my previous post question. I would like some kind of justification, proof and documentation why you have put Starforce and Tages in the same sack...

              Its like comparing a minidevil with Diablo....



              • #22
                Originally Posted by Sblade View Post
                Or perform any processes... that would include the virtual device in the definition?

                The Virtual communications device is on lawsuit, don´t ask for details... you are the one who take the aggressive path now...

                I´m here to speak about the verification application, not about the virtual communications device used for online authentications, as this device isn´t used in disk checks.....

                Well your theory is fine but it has a weak point....

                When Securom detects something "fishy" you´ll get the 5024 message " A required security module can not be activated. This program can not be executed" That´s what you get when something like Process Explorer is running....

                Now if Securom detects DT or any other emulation you get the Conflict with Emulation Software Detected

                Can you enlighten us how Securom distinguishes between fish A and fish B?
                erm, well perhaps you explain about this virtual device, then maybe i'll talk about distinguishing about fish a and fish b...

                the security module needed has many many more error codes, simply scan the site here and you'll see some of them or click the securom url part and play with the numbers.. hardly rocket science..

                some are debugger detected, some emulation, some loader, if you actually bothered to research this you'd have known about it.. which further makes me believe that you don't know what you're talking about and are relying on people believing your comments (most people on this board are pretty experienced and not that stupid)..

                as for distinguishing things, its all about coding.. and how much you know the system...

                i saw nothing about the 'virtual communications device' in the lawsuit, i saw the lawsuit was about product activation, no virtual anything... unless this is some lawsuit i havent seen..

                as for being defensive/aggressive or whatever.. thats simply explained.. i hate misinformation, i hate people who build up a reputation on misinformation and gossip.. im one of those people who prefer to see truthful information...

                so please, 'virtual device / virtual communication device'... explain..

                also 'application verifier', too

                because last time i checked securom wrapped the executable, there are no other 'verifiers' or whatnot there... also no drivers loaded...

                comparing starforce and tages in the same sack was simply because both use drivers, which the vast majority of the public don't like too much..

                3 years of discussing / studying drm stuff should have gotten you more information than what you're citing now (which is mostly inaccurate and pure guesswork with no foundation).. i've been doing it ~20 years easily, so i do actually know what im talking about...
                my views are 100% personal views..



                • #23
                  Originally Posted by evlncrn8 View Post
                  erm, well perhaps you explain about this virtual device, then maybe i'll talk about distinguishing about fish a and fish b...
                  .
                  We have a Non-Disclosure Agreement, we can´t speak about the virtual communications device, I´ll be able to speak about it only after Spore lawsuit, not before.... I can´t risk to jeopardize it...

                  I´ve used the search button, only to find more support to my point of view....



                  Alert: fear.exe wants to elevate its privileges to include Debug permission.


                  *cough *cough* Ring0 *cough*

                  I´m open minded, and I don´t presume of being perfect... I would like to know how Securom distinguishes between fish A and fish B. All from userland...

                  Securom Messages as in my TECH FAQ:

                  "Emulation Found"

                  "Disc not found"

                  "Original disc could not be authenticated in the required time"

                  "A required security module could not be activated, this program cannot be run" (5024)

                  latest message "Conflict with emulation Software Detected"

                  The DMA/Stepdown message... I don´t remember the exact one...

                  SecuROM

                  Am I missing something?



                  • #24
                    non disclosure agreement with virtual communications device.. great, i can't wait until i see this information come to light when the court case happens, because i've checked through some recent securom games, it doesnt make any devices... i think you're talking crap to be honest... non disclosure with who? the court people?

                    elevating privileges is nothing new other programs do it too, the main problem you're going to have is proving malicious intent.. what happens if the privileges are not granted for example...

                    debug privileges do NOT mean ring 0 access, just means other things like accessing other processes, could even be a debugger detection... you're making a lot of assumptions about things like i said before.. but im glad you now see there's plenty other message codes than the ones you're citing...
                    my views are 100% personal views..



                    • #25
                      Originally Posted by evlncrn8 View Post
                      non disclosure agreement with virtual communications device.. great, i can't wait until i see this information come to light when the court case happens, because i've checked through some recent securom games, it doesnt make any devices... i think you're talking crap to be honest... non disclosure with who? the court people?
                      You haven´t checked neither Mass Effect, Spore, or Farcry 2 retail versions...

                      You can provoke all you want, but we´ll speak no more about this device sorry


                      Originally Posted by evlncrn8 View Post
                      elevating privileges is nothing new other programs do it too, the main problem you're going to have is proving malicious intent.. what happens if the privileges are not granted for example...

                      debug privileges do NOT mean ring 0 access, just means other things like accessing other processes, could even be a debugger detection... you're making a lot of assumptions about things like i said before.. but im glad you now see there's plenty other message codes than the ones you're citing...
                      Alert: fear.exe wants to access the service control manager.
                      Comment: This is a high-level privilege that lets the process or user to stop, start, and delete services. Obviously something a game wouldn't need to do but something maybe a dynamically loaded service might want to do, like a copy protection program trying to get itself started.
                      Action: Allow (temporary)


                      Still no ring0? uff tell me which program allow to stop and delete process from userland, I´ll buy it

                      I then retested the above but denied Debug privilege to the game. I also blocked its access to one alert about trying to access one of the instances of svchost.exe and then later blocked its access to services.exe and service control manager. All the alerts about the game trying to gain access to System and all the running processes did not appear. Now there were alerts about the game trying to access the Internet. I chose to block those. The game started much faster (I only bothered to get past the intro movies and to the menu inside the game).

                      So no malicious intent if you are using a program that blocks it? but if you are the Average Joe basically fear.exe can get whatever it wants from your system? nice

                      About the messages... This Securom TECH FAQ has around 2-3 years old.. So I knew from start that Securom has lot of variety of messages....

                      So you make fun of me like if I didn´t knew this messages... well.. that´s just mean... but I don´t care... I´m used to it..

                      This thread seems more like a TV show... and to be honest, if I wanted a show, I´ll join the World Wrestling Entertainment


                      I call Securom the Chameleon, because it changes forms, and processes.

                      Well, this so many messages aside from the Service Control Manager.... if this access comes from userland it is time you to enlighten us and show us how...

                      Or are you going to play cat & mouse all the time? Because in common sense, my friend, you are the one talking crap. Ring0 owns ring3..

                      I´m open minded, but so far I´ve only seen social engineering criticize to me and weakly discussing my points without exposing your owns aka detecting DT from userland...
                      Last edited by Sblade; 12.11.2008, 20:25.



                      • #26
                        SBlade, don't get drawn into disclosing matters which are not for disclosure at the moment.

                        That said, my belief was that this discussion is really about DT tools and SecuROM.

                        The VCD is related to authentication (and other issues) which in about 98% of the case does not directly relate to DT.

                        Just out of interest, how do people think SecuROM communicates with the outside world?

                        If you think it uses Windows own protocols. Then I suggest you go read the hidden readme file in your user accounts securom directory on your drive. As well as Sony's own promotional material about SecuROM.

                        It's not supposed to be hidden, but that is a legal argument between Sony and the OpenSSL team concerning their apache style license and its requirements of open disclosure for usage of their code.



                        What puzzles me about all this is that both DT and Alcohol 120% use Ring 0. if you use the capabilities available to you within Ring 0, for personal backup or Virtual Drive usage SecuROM is remarkably easy to defeat . So where exactly is the problem here ? In respect of DT I mean.

                        Or am I attributing too much working knowledge of Ring 0 and SecuROM to DT's development team?


                        Maybe it is time that R-Force release our DRM onto the market. A DRM for this transition between Draconian intervention and that of full push technology of Web 2.0

                        Electronic Analog Tracing Multilevel Elements

                        Unlike conventional DRM's it requires no modification of the media and in fact it can be applied to existing media already in the market place.

                        The application need only be run for verification of the disc and then it can be 100% removed from the end users system.

                        The application just creates a simple image value based upon information that is unique in every single disk.

                        So No draconian DRM's, you can make backups but each backup will have to be verified and you will have to transfer your previous verification for usage to the backup. This is at the publishers discretion, but we will insist upon more flexibility on this, than seen in the Usage of SecuROM and EA games.

                        Verification, gives you access to online content, updates, patches, online gaming etc. Basically anything the publisher wishes to offer.

                        You can even buy a game online, burn it to disk as the full version, then verify that disc (Make as many copies as you like, but only the amount of licenses/verified that are allowed will have access to the other content).

                        In this way, the full offline game can be offered for free, if you want the extended online game. You can buy it and have unique key which does not require re-verification unless it starts turning up from multiple IP's on an online gaming server.

                        SecuROM is trying this with n-CD but we go even further, we do not require you to have a complex draconian DRM. The unique nature of our DRM is that any disk is the Key, a key which can be updated or revoked at any time, but if the game and DRM is abandoned by the company. You can still install and use it in 20 years time if you want (That's assuming you still have the hardware and an independent gaming server still exists).

                        btw, you did read correctly, our DRM is called E.A.T.M.E

                        E.A.T.M.E can also be used as a unique key system for anything from financial transactions to website login's.

                        Use an Eat me supported site and any pre verified disk, and you have a unique key that you can take anywhere with you.

                        So let the Internet E.A.T.M.E



                        • #27
                          accessing the service control manager is another form of anti debug, other protections do it (not just the iso game protection based ones), unless you can prove it turns off drivers / services then its actions would be passive, this is also a ring 3 api level, no ring 0..

                          pretty much all programs communicate with the system, or have to in some way.. (this is what im guessing you meant by 'outside world').. even daemon tools does - how else would the images get mounted...

                          oh, and i did actually check spore, i have the digital download version ,saw 0 drivers in it...

                          some of your arguments seem based from the 'information' from some firewall / process monitoring software, and from the looks of it it was on paranoid level.. which explains many false alarms..

                          Alert: fear.exe wants to access the service control manager.
                          Comment: This is a high-level privilege that lets the process or user to stop, start, and delete services. Obviously something a game wouldn't need to do but something maybe a dynamically loaded service might want to do, like a copy protection program trying to get itself started.
                          Action: Allow (temporary)
                          and what happens if its denied.. securom still goes on doesn't it? therefore its not critical and its definitely no proof that securom is trying to start a driver, the api can also be used to LIST current drivers loaded.. like oh, lets take for example ntice.sys (softice driver) which would be an 'innocent' anti debug check...

                          you can't just rely on some program reporting *possible* risks, if it shows one you must investigate it and see whats actually happening...

                          if this is the sort of information you're going to supply for the court case, it'll be laughed out of court...
                          my views are 100% personal views..
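
The point argued in posts #24 to #27, whether "access to the service control manager" means listing services and drivers or being able to install and control them, comes down to the access mask requested when the handle is opened. As an added example (not part of the thread and not any poster's code), this Python decoder expands such masks using the documented `winsvc.h`/`winnt.h` values; the sample events, the process name `game.exe` and the passive/can-modify split are assumptions of this example.

```python
# Access-right bits for service control manager (SCM) and service handles,
# as defined in the Windows SDK headers winsvc.h and winnt.h.
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000

STANDARD = {DELETE: "DELETE", READ_CONTROL: "READ_CONTROL",
            WRITE_DAC: "WRITE_DAC", WRITE_OWNER: "WRITE_OWNER"}

SPECIFIC = {
    "OpenSCManager": {
        0x01: "SC_MANAGER_CONNECT",
        0x02: "SC_MANAGER_CREATE_SERVICE",     # needed to install a service or driver
        0x04: "SC_MANAGER_ENUMERATE_SERVICE",  # needed to list services and drivers
        0x08: "SC_MANAGER_LOCK",
        0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
        0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    },
    "OpenService": {
        0x001: "SERVICE_QUERY_CONFIG",
        0x002: "SERVICE_CHANGE_CONFIG",
        0x004: "SERVICE_QUERY_STATUS",
        0x008: "SERVICE_ENUMERATE_DEPENDENTS",
        0x010: "SERVICE_START",
        0x020: "SERVICE_STOP",
        0x040: "SERVICE_PAUSE_CONTINUE",
        0x080: "SERVICE_INTERROGATE",
        0x100: "SERVICE_USER_DEFINED_CONTROL",
    },
}

# What each GENERIC_* bit stands for on the two object types.
GENERIC_MAP = {
    "OpenSCManager": {
        GENERIC_READ: READ_CONTROL | 0x04 | 0x10,
        GENERIC_WRITE: READ_CONTROL | 0x02 | 0x20,
        GENERIC_EXECUTE: READ_CONTROL | 0x01 | 0x08,
        GENERIC_ALL: 0xF003F,   # SC_MANAGER_ALL_ACCESS
    },
    "OpenService": {
        GENERIC_READ: READ_CONTROL | 0x001 | 0x004 | 0x008 | 0x080,
        GENERIC_WRITE: READ_CONTROL | 0x002,
        GENERIC_EXECUTE: READ_CONTROL | 0x010 | 0x020 | 0x040 | 0x100,
        GENERIC_ALL: 0xF01FF,   # SERVICE_ALL_ACCESS
    },
}

# Assumption of this example: rights that only connect, list or query are "passive".
PASSIVE = {
    "OpenSCManager": READ_CONTROL | 0x01 | 0x04 | 0x10,
    "OpenService": READ_CONTROL | 0x001 | 0x004 | 0x008 | 0x080,
}


def expand(api, mask):
    """Replace GENERIC_* bits with the specific rights they map to for this handle type."""
    for generic, specific in GENERIC_MAP[api].items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def decode(api, mask):
    """Return the names of all rights in the mask, lowest bit first."""
    mask = expand(api, mask)
    names = []
    for bit in (1 << i for i in range(32)):
        if mask & bit:
            names.append(SPECIFIC[api].get(bit) or STANDARD.get(bit) or f"UNKNOWN_{bit:#x}")
    return names


def classify(api, mask):
    """'passive' if every requested right is connect/list/query, else 'can-modify'."""
    return "passive" if expand(api, mask) & ~PASSIVE[api] == 0 else "can-modify"


# Constructed sample events: (process, API called, dwDesiredAccess).
SAMPLE_EVENTS = [
    ("game.exe", "OpenSCManager", 0x0005),        # connect + enumerate
    ("game.exe", "OpenSCManager", 0xF003F),       # SC_MANAGER_ALL_ACCESS
    ("game.exe", "OpenService", 0x0004),          # query status only
    ("game.exe", "OpenService", 0x10030),         # DELETE + start + stop
    ("game.exe", "OpenSCManager", GENERIC_READ),  # generic form of "list only"
]


def triage(events):
    """Decode and classify each event; returns a list of dicts."""
    return [{"process": p, "api": a, "verdict": classify(a, m), "rights": decode(a, m)}
            for p, a, m in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["process"]:10} {row["api"]:14} {row["verdict"]:11} {", ".join(row["rights"])}')
```

The mask shows what a process asked for when opening the handle, not what the system granted or what the process did with it afterwards.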



                          • #28
                            Ring 0 devices can be passive as well, being passive is not proof of runlevel. However.

                            Let's be clear here, the Current version of SecuROM exists both in Ring 0 and Runlevel 3.

                            As I keep saying, most people make the mistake of monitoring the runlevel 3 program, which is relatively passive as you say.

                            It is the Ring 0 virtual communications device you should be looking at (That is all I can really say about that, as the serious issues it raises are part of litigation matters and the security issues still remain unpatched).

                            There is one simple fact though, DT in stealth mode could bypass SecuROM (offline usage) with very little effort on the part of the DT Team. If it only did as claimed.

                            No amount of squabbling over specifics if which where and when will change that issue.

                            The matter concerning the court specific items in which SecuROM places the end users systems at risk will not be announced until due process within the proceedings. Even then it may not be made public as the issues still remain un-patched.

                            This is a SecuROM FAQ, not a place to prove the case to all comers.

                            Sorry guys..



                            • #29
                              Securom aka the Chameleon

                              Originally Posted by evlncrn8 View Post
                              accessing the service control manager is another form of anti debug, other protections do it (not just the iso game protection based ones), unless you can prove it turns off drivers / services then its actions would be passive, this is also a ring 3 api level, no ring 0..
                              A ring3 application that stop, pauses, deletes processes and services? yeah right....

                              Originally Posted by evlncrn8 View Post
                              oh, and i did actually check spore, i have the digital download version ,saw 0 drivers in it...

                              ...
                              Yes, we come to the main Securom trick now... the Chameleon trick (copyright Sblade´s industries :P)

                              All those Securom messages/checks all not always available. Securom switches triggers ON/OFF at will, sometimes depending on the region it will do one thing or another...

                              One of Securom reasons of existence is to track the code if it has been cracked to tell where it was patched, if the pirate didn´t patch it on a low level....

                              They put features ON/OFF at demand. Those features aren´t critical, as Comodo reports, because Securom tries his nasty things and continues to do its job like nothing has happened...

                              Well that is like if I go to a store and I stole a book or DVD and I get caught and I put in on the shelf. Did I stole? no. Did I have the intention of stealing? YES



                              Originally Posted by evlncrn8 View Post

                              and what happens if its denied.. securom still goes on doesn't it? therefore its not critical and its definitely no proof that securom is trying to start a driver, the api can also be used to LIST current drivers loaded.. like oh, lets take for example ntice.sys (softice driver) which would be an 'innocent' anti debug check....
                              The Chameleon for be effective must be not critical. I don´t have to proof that Securom STARTS a driver, I have to proof that Securom CAN start a driver.. therefore the Ring0 risk if some coder finds an exploit....


                              Originally Posted by evlncrn8 View Post
                              you can't just rely on some program reporting *possible* risks, if it shows one you must investigate it and see whats actually happening...

                              if this is the sort of information you're going to supply for the court case, it'll be laughed out of court...

                              Perhaps you can show some examples of whats actually happening... and enlighten us...


                              Originally Posted by evlncrn8 View Post
                              if this is the sort of information you're going to supply for the court case, it'll be laughed out of court...
                              No, maybe I can laugh at your ignorance... did you know about the Securom Chameleon trick? I´m sure you didn´t...

                              Chameleon trick has some purposes...

                              a)locate where Securom has been cracked

                              b)Keep the Anti´s divided, because Securom does things in some countries and it doesn´t do in another.... and yes speaking of the same game.

                              c)Gives ammo for Blackhats/DRM supporters to accuse both groups of b) of being foolish, pirates and ignorants. See Mr, John Ritticello for this

                              I would like to point one final lie from the Securom FAQ: They are going to fire someone

                              SecuROM

                              Collect valuable customer data for 1 : 1 marketing activities

                              SecuROM

                              Is Securom Spying on me?

                              See message above, fools



                              • #30
                                Originally Posted by Sblade View Post
                                A ring3 application that stop, pauses, deletes processes and services? yeah right....
                                again, no proof that it stops, pauses, deletes, whatever, infact what i saw was that it listed it, then again i actually debugged it.. did you?

                                Yes, we come to the main Securom trick now... the Chameleon trick (copyright Sblade´s industries :P)

                                All those Securom messages/checks all not always available. Securom switches triggers ON/OFF at will, sometimes depending on the region it will do one thing or another...

                                One of Securom reasons of existence is to track the code if it has been cracked to tell where it was patched, if the pirate didn´t patch it on a low level....

                                They put features ON/OFF at demand. Those features aren´t critical, as Comodo reports, because Securom tries his nasty things and continues to do its job like nothing has happened...

                                Well that is like if I go to a store and I stole a book or DVD and I get caught and I put in on the shelf. Did I stole? no. Did I have the intention of stealing? YES
                                again.. proof? oh yeah the non disclosure agreement, funny, it doesnt stop you posting your theory, but it stops you posting your proof/research... odd

                                The Chameleon for be effective must be not critical. I don´t have to proof that Securom STARTS a driver, I have to proof that Securom CAN start a driver.. therefore the Ring0 risk if some coder finds an exploit....
                                ah, so now 'if some coder finds an exploit', thats TOTALLY different than your previous claim that securom runs at ring 0 (thus it has to load a driver if your theory is right... which it isnt)..

                                Perhaps you can show some examples of whats actually happening... and enlighten us...
                                erm, how about you show your work/research then i might give examples, i'm not doing your work for you...

                                No, maybe I can laugh at your ignorance... did you know about the Securom Chameleon trick? I´m sure you didn´t...
                                obviously not, because i don't live in a dreamworld... as for ignorance i don't think you know me at all thus you can't make second guesses about me, what i can say is i know CONSIDERABLY more about securom (and other protections) than you... and other people on this board know that too...

                                Chameleon trick has some purposes...

                                a)locate where Securom has been cracked

                                b)Keep the Anti´s divided, because Securom does things in some countries and it doesn´t do in another.... and yes speaking of the same game.

                                c)Gives ammo for Blackhats/DRM supporters to accuse both groups of b) of being foolish, pirates and ignorants. See Mr, John Ritticello for this
                                total nonsense... cite your proof... coming up with catchy names is all fair and good, but its nothing.. you will be laughed out of court with such 'evidence' and conjecture.. i know the legal system a fair bit..

                                I would like to point one final lie from the Securom FAQ: They are going to fire someone

                                SecuROM

                                Collect valuable customer data for 1 : 1 marketing activities

                                SecuROM

                                Is Securom Spying on me?

                                See message above, fools
                                name ONE securom game that was an n-cd...
                                my views are 100% personal views..
