
Thread: Securom FAQ Updated, Big BS

  1. #11
    Experienced User

    Join Date
    27.09.2005
    Posts
    822

    Quote Originally Posted by Sblade View Post
    Ring 3 detection routines still have to go into Ring 0 if the program is in stealth mode. It already hides itself in the registry in that mode otherwise it would have been easy for DRM's to circumvent the circumvention.

    Securom starts in RING3 and monitors the RING0... otherwise nothing will prevent DT stealth to false registry data and fool Securom.... when I say registry data.... what data CAN'T be falsified from RING0 to the naive RING3?

    Ring0 overrule Ring3, that's a simple fact no one can deny...
    the only accurate thing about your post is the last bit,, as for the 'monitoring ring 0'.. total nonsense, and 'having to go into ring 0 if the program is in stealth mode'.. that really shows your lack of checking.. have you even tried to enter ring 0 from ring 3?...

    as for 'registry data.. what data cant be falsified from ring 0 to the native ring 3'.. ring 0 is native.. so you got that the wrong way around, and data is data.. data in the registry does not magically turn into ring 0 data or ring 3 data.. its identical...

    so please, do some research, test your theories before you post them and look foolish when the information you claim is right turns out to be wrong..

  2. #12

    Thumbs down Stop the social engineering...

    Quote Originally Posted by evlncrn8 View Post
    the only accurate thing about your post is the last bit,, as for the 'monitoring ring 0'.. total nonsense, and 'having to go into ring 0 if the program is in stealth mode'.. that really shows your lack of checking.. have you even tried to enter ring 0 from ring 3?....
    There's something called Call Gates....


    Quote Originally Posted by evlncrn8 View Post

    as for 'registry data.. what data cant be falsified from ring 0 to the native ring 3'.. ring 0 is native.. so you got that the wrong way around, and data is data.. data in the registry does not magically turn into ring 0 data or ring 3 data.. its identical...

    so please, do some research, test your theories before you post them and look foolish when the information you claim is right turns out to be wrong..
    I can smell some social engineering here. I said naive, which means innocent. But you understood what you wanted. My sentence is from RING0 to naive Ring3, which is accurate. Honest, I'm not here to be hero or be a candidate for general elections so once again leave the trolling about.

    I'm here looking for LocutusofBorg's opinion. I'm not interested in a macho demonstration of any type. Computer Science isn't an exact one... many people say Vista is crap, and we know it has bugs....
    and we don't see people saying "that's not scientific"...
    Last edited by Blazkowicz : 10.11.2008 at 13:41

  3. #13
    Experienced User

    Join Date
    27.09.2005
    Posts
    822

    social engineering? not quite my thing...

    callgates.. sure they exist and sure they're an interface, last time i checked though i didnt see callgate usage in recent safedisc titles, or securom either... callgates are also dependent on the user privileges, if the user wasn't admin or whatever then they probably wouldnt work, which then leads back to the same question of how do they detect xyz when the user is not an admin (which you'd have found out if you actually checked your theories)...

    as for native - >naive, simple misreading... and i know what it means, but it could also have been a typo, considering you spelt routine wrongly anyway

    proof (especially for a legal case, which you claim you've joined) does need to be scientific, the results do need to be reproducible.. at least, they did last time i checked...

    regardless however, its entirely possible to detect ring 0 drivers from userland (ring 3) without the need to 'drop down' to ring 0 at all... which was the whole point of this thread i believe.. the 'no way to tell' is simply inaccurate
    my views are 100% personal views..

  4. #14
    Experienced User

    Join Date
    08.10.2005
    Posts
    504

    Red face It's a SONY

    Here is what they say about their own registry entries. It's not exactly about the inner workings as attempted to be discussed here, but still relevant nevertheless. ...or something like that.

    What is the SecuROM entry in the registry?

    The Windows registry is a directory that stores settings and options for the operating system for Microsoft Windows. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. As part of SecuROM, certain license information as well as information used to optimize the authentication of the SecuROM disc signature is stored within the registry keys.
    The SecuROM registry keys can be found in one or both of the following locations:

    • HKEY_CURRENT_USER\Software\SecuROM
    • HKEY_LOCAL_MACHINE\SOFTWARE\SecuROM

    Additionally the similar keys can be found in the following location:

    • HKEY_USERS\"Your SID"\Software\SecuROM

    Example given HKEY_USERS\S-1-5-21-57989841-1220945662-839522115-1003\Software\SecuROM
    Please note that the SID is different on each machine.
    Due to the registry management of Windows, you have separate HKEY_USERS\"SID" keys for each Windows user account. Depending on how many user accounts the protected application was executed, the SecuROM key might be stored in various HKEY_USERS\"SID" keys.

    What is it for?

    SecuROM registry keys are solely used for storage of drive authentication information and license information.
    The purpose of the registry keys labelled "!CAUTION! NEVER DELETE OR CHANGE ANY KEY" and/or "License information" is to enable SecuROM to perform its Digital Rights Management function properly (license data is stored beneath this key) and prevent users from inadvertently deleting keys and or values stored beneath this key. Other than the license data, there is no code, EXE, DLL, or driver stored in the registry key.
    The "WL" registry folder contains drive calibration values and recognition times. This information is used to optimize the authentication of the SecuROM disc signature.
    It is not recommended to remove any of the registry keys. If the "Keys" or "WL" folders are removed, these values will be rebuilt with further SecuROM disc authentications. It is highly recommended to not tamper with the "UserData", " !CAUTION! NEVER DELETE OR CHANGE ANY KEY" or "License Information" registry key folders.

    General Information

    All information stored is solely used by SecuROM, as explained in this statement. No other code, EXE, DLL, service, driver or similar is invoked, neither directly nor indirectly, neither via SecuROM nor via Windows OS or other applications. It simply does not contain any information related to the execution of additional code, except SecuROM's internal Digital Rights Management enforcing functionality.

  5. #15

    @evlncrn8

    Well, common sense says to me that Ring0 can feed ring3 whatever it wants, and when the Ring0 stealth device is hidden in the registry how it is possible to detect it from userland?

    I invite you to enlighten me and many others... prove that I'm wrong. Thanks

    EDIT:
    Quote Originally Posted by Blazkowicz View Post
    There is no need for YASU when mounting into latest DT Lite/Pro. Also game doesn't use any copy protection for starting the game - only the addon for installation.
    Now If you won't mind Blazkowicz... if DT has its own Ring0stealth functionality, how Securom detects it? You can give your personal opinion leaving aside the team's one...
    Last edited by Blazkowicz : 10.11.2008 at 20:26 Reason: Full post quote

  6. #16

    I have been seeing interesting conversations about Ring 0 and Run level 3.

    As SBlade has been saying Ring 0 is the super user level, if you like of your entire OS.

    The Virtual Communications Device used by SecuROM Sits in Ring 0 (The more detailed information about this is subject to ongoing class action lawsuit so please do not ask for details at the moment).

    The main parts of SecuROM run in runlevel 3.

    It is a common misconception about which does what. But let's just say there is sufficient evidence to show that SecuROM is not so innocent in Ring 0 and this Virtual Communications device makes Starforce look like something created by somebody in Kindergarten. Anyway enough said about that part.

    Getting back to Ring 0 issues, software run in this area has total control, this means it can feed any DRM or any other software, whatever it needs.

    DT and Ring 0.

    Of course it runs in Ring 0, how the heck do you think the OS sees it as a virtual drive?

    However there is a serious difference between unwanted DRM and a Trusted Application in Ring 0, as I hammered into Security Technologies heads over Starforce.

    Various versions of DT have a stealth mode. Again this is a trusted Ring 0 application. Which did warn you about the risks.

    Alcohol 120% does the same. gives you a warning about this.

    Trusted Ring 0 applications/virtual devices that the end user chooses to have on their system is considerably different to a DRM being forced upon them.

    A few weeks ago, I was in a conversation with one of the Developers of Starforce. (He now writes mods for various games such as the GTA series).

    His exact words " SecuROM I ***king hate that, it's many times worse than Starforce". "I feel sorry for anybody that lets that near their system".

    Seriously, that was from an Ex Starforce Developer.

    A reminder, something running in Ring 0 can feed anything it likes to programs in runlevel 3. So SecuROM could only find registry keys from Runlevel 3 if DT stealthing was not coded correctly. Simple as that.

    There is no further argument on that point, if people do choose to argue about it. Then it is clear they do not understand what control Ring 0 has.
    Last edited by 13thHouR : 10.11.2008 at 23:31

  7. #17
    Experienced User

    Join Date
    27.09.2005
    Posts
    822

    wow, was wondering when you'd turn up..

    ring 0 is where the core of the os is at, thats pretty much evident, getting from ring 3 to ring 0 in xp sp2 or higher is pretty tricky, given the new stuff they added in (blocking \\physicalmemory blah etc) and various other things

    i can't see how securom or safedisc could be worse than starforce or tages, simply because starforce and tages are heavily reliant on their ring 0 stuff

    and you're right ring 0 'owns' ring 3, if somethings hidden well in ring 0 then ring 3 shouldn't see it, but thats the main caveat.. if something is hidden yet you can see other evidence to prove that something is hiding it, thats conclusive that something 'fishy' is going on.. and thats what most of the protections do... is it any co-incidence that sptd.sys renamed their driver information etc when its loaded? (done because, if i remember right tages/solidshield looked for it)..

    there's various ways to detect things on the system, one is to look for 'anomalies' (drivers present, but you can not access them by filename - findfirstfile etc returns null and so on..)...
    my views are 100% personal views..
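
Added example (not part of any post in this thread, and not the code of SecuROM or any other product named here): the "anomaly" check described in post #17, written as the cross-view comparison a defender would use to triage hidden kernel drivers. The driver name `hidedrv.sys`, the sample lists and the `C:\Windows` system root are constructed assumptions; on a live system the three views would come from `EnumDeviceDrivers`/`GetDeviceDriverFileName`, the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`, and a directory listing.

```python
import ntpath

SYSTEM_ROOT = r"C:\Windows"            # assumption: default install location
CORE = {"ntoskrnl.exe", "hal.dll"}     # kernel images that never have a service entry

def normalize(path, system_root=SYSTEM_ROOT):
    """Reduce the path forms Windows reports for drivers to one comparable form."""
    p = path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                 # \??\C:\... (NT object prefix)
        p = p[4:]
    elif low.startswith("\\systemroot\\"):       # \SystemRoot\System32\...
        p = system_root + p[len("\\SystemRoot"):]
    elif low.startswith("system32\\"):           # relative ImagePath in the registry
        p = system_root + "\\" + p
    return ntpath.normpath(p).lower()

def cross_view(loaded, registry, on_disk, system_root=SYSTEM_ROOT):
    """Report drivers the loaded-module view shows but another view does not.

    loaded   -- image paths of loaded kernel modules
    registry -- {service name: ImagePath}
    on_disk  -- file paths returned by a directory listing
    """
    reg = {normalize(p, system_root) for p in registry.values()}
    disk = {normalize(p, system_root) for p in on_disk}
    findings = []
    for path in sorted({normalize(p, system_root) for p in loaded}):
        if path not in disk:
            findings.append((path, "loaded, file not visible on disk"))
        if path not in reg and ntpath.basename(path) not in CORE:
            findings.append((path, "loaded, no service entry in registry"))
    return findings

# Constructed sample views; hidedrv.sys is a hypothetical driver filtered from two views.
LOADED = [r"\SystemRoot\system32\ntoskrnl.exe",
          r"\SystemRoot\System32\drivers\disk.sys",
          r"\??\C:\Windows\system32\drivers\hidedrv.sys"]
REGISTRY = {"disk": r"system32\drivers\disk.sys"}
ON_DISK = [r"C:\Windows\System32\ntoskrnl.exe",
           r"C:\Windows\System32\drivers\disk.sys"]

if __name__ == "__main__":
    for path, reason in cross_view(LOADED, REGISTRY, ON_DISK):
        print(f"{path}: {reason}")
```

A driver that filters all three views consistently produces no finding, so an empty result is not proof of absence; loaded modules without a service entry also occur legitimately and need a baseline before they are treated as suspicious.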

  8. #18

    Hi dude,

    It depends what you mean about worse than Starforce/Tages. and what is in Ring 0.

    What I can say without scuppering ongoing cases is that SecuROM's Virtual communications device in Ring 0 is not as benign as it first appears.

    Be careful when reading Sony's comments, they do not say We do not use Ring 0. Their verification application is not in Ring 0, but their virtual device is.

    Just a clever bit of wording.

    Also about which is worse, depends on which terms you look at it.

    Being able to play backups on virtual drives, or security of your system.

    In this case the latter is much worse in SecuROM because of the nature of how SecuROM goes about its business and what it uses.

    Also all of SecuROM has not been enabled, unlike Security Technologies did with Starforce, Sony have made some of the Security features dynamic. This basically means Software publishers can increase or decrease the requirements on Demand.

    Which essentially makes it a moving target where on-line gaming is concerned.

    Also makes it a bitch for gamers to say it does this or it does that wrong, as before they know it that has been turned off and they are made to look stupid.

    Hats off to Sony for that, because the biggest threat to any drm is too many gamers getting together and swapping information. Destroy the reputation of those complaining you prevent it gathering momentum.

    Well in theory anyway. With EA's approach of what was enabled. the Weak links were Vista's communications protocols and the Authentication Servers themselves. When that screwed up, too many people got together and talked about it.

    Which got the momentum going.

  9. #19
    Experienced User

    Join Date
    27.09.2005
    Posts
    822

    ring 0 is ring 0 - kernel land, the place where drivers and the kernel live.. you can't redefine it..

    virtual communications device? what virtual device?.. please explain this one as its totally new to me, i have many securom games installed and i've seen no 'virtual communication devices or virtual devices of any kind' created by it... and 'verification application', whats that too... because none of this i've seen and i've grown quite accustomed to securom since v5 right up to now and know it very very well... and i know bullshit when i smell it...
    Last edited by evlncrn8 : 11.11.2008 at 17:20
    my views are 100% personal views..

  10. #20

    Quote Originally Posted by 13thHouR View Post
    It depends what you mean about worse than Starforce/Tages. and what is in Ring 0.

    What I can say without scuppering ongoing cases is that SecuROM's Virtual communications device in Ring 0 is not as benign as it first appears.

    Be careful when reading Sony's comments, they do not say We do not use Ring 0. Their verification application is not in Ring 0, but their virtual device is.
    Well dude, I don't understand entirely what they are saying

    SecuROM

    2.3 Does SecuROM™ install a driver or any other software at the kernel level ("Ring 0") of my PC?
    No, SecuROM™ does not install any components or perform any processes at the kernel or ring 0 level. All SecuROM™ components and processes occur at ring 3, the normal application level.


    Or perform any processes... that would include the virtual device in the definition?

    Quote Originally Posted by evlncrn8 View Post
    virtual communications device? what virtual device?.. please explain this one as its totally new to me, i have many securom games installed and i've seen no 'virtual communication devices or virtual devices of any kind' created by it... and 'verification application', whats that too... because none of this i've seen and i've grown quite accustomed to securom since v5 right up to now and know it very very well... and i know bullshit when i smell it...
    The Virtual communications device is on lawsuit, don't ask for details... you are the one who takes the aggressive path now...

    I'm here to speak about the verification application, not about the virtual communications device used for online authentications, as this device isn't used in disk checks.....

    Quote Originally Posted by evlncrn8 View Post
    if something is hidden yet you can see other evidence to prove that something is hiding it, thats conclusive that something 'fishy' is going on.. and thats what most of the protections do... is it any co-incidence that sptd.sys renamed their driver information etc when its loaded? (done because, if i remember right tages/solidshield looked for it)..

    there's various ways to detect things on the system, one is to look for 'anomalies' (drivers present, but you can not access them by filename - findfirstfile etc returns null and so on..)...
    Well your theory is fine but it has a weak point....

    When Securom detects something "fishy" you'll get the 5024 message " A required security module can not be activated. This program can not be executed" That's what you get when something like Process Explorer is running....


    Now if Securom detects DT or any other emulation you get the Conflict with Emulation Software Detected

    Can you enlighten us how Securom distinguishes between fish A and fish B?
    Last edited by Blazkowicz : 11.11.2008 at 18:04 Reason: Stop quoting full posts
