Using SOM to get a feature in a file

    Crack a game is not an easy thing, especially protected by starforce. Starforce is powerful game protection tool, crack it is a difficult task. It will detect the CD-ROM, and validate the CD is a clone or a genuine legal CD. Virtual CD/DVD-ROM-EMULATOR such as Deamon can’t cheat it. I think maybe there is another way to crack software. Traditional crack method is a logical process, people can explain each step in the process. But nowadays protection tech is better and better, find a logical steps to crack that is more and more complex. Remind using ANN to recognize a human face, its logical process can not be described or explained. It just uses a natural mode to represent its mode. Is it possible to apply this idea to cracking? Regardless of how complex the protection process is, there is always a validating sentence in program such as: “if(starforce.validate() == true);”.  All we need is modifying this to always true or delete this sentence (“else” is not a problem because program never runs it). The problem is how to find it’s location in an exe document? Maybe we can use some AI method but it still has something different. This situation can not be representing by <training example, target> also can not learning by unsupervised learning, because exe is too large (usually 5MB) and environment reflection is undefined (maybe cracked in game at somewhere we don’t know). The target is finding a range in the exe file and that range contains validating sentences with high probability. I guess SOM could use here: mapping examples generated (already knows the range) to a proper dimension and finds out the relationship between the bits in desired range and whole exe.

    Before this, there is one thing need to be sure: supposed relationship indeed exists. Intuitionally there is no relation between quite short string and whole exe string because the information of short string is too few. So detecting “if(starforce.validate() == true);” maybe a impossible mission if its size is too small. Assuring this needs some practices, but let’s assumes its size is enough to do that. How to apply SOM? The source is a exe file’s bits string, it is poor meaningful. However using its hexadecimal representation is flexible to construct a mode to feed SOM. Generally a 32bit computer use 4byte to be a basis store for data. 4byte data convert to hexadecimal representation has 8 blocks, such as: 18A6090F. And view this data as (18A6, 090F). That is, a dot in a two dimensions plane. Then we can use SOM to mapping those data to one dimension and analysis its feature: the position in whole result. Dimensions and data split can be choosing by GA if there really exist desired feature. However splitting way can be analysis easily in first: split 18A6090F to 18 A6 09 0F: a four dimensions space. Each coordinate range from 00 to FF, the number is 15*15 = 225. In this space, number of all dots is 225^4 nearly 2.6*10^9; split 18A6090F to 18A6 090F: a two dimensions space, number of all dots nearly 4.3*10^9. So second splitting is better because it has fewer collisions. A 5MB exe has only 5*10^6 bytes, in first way, it is 5*10^6 dots. In second way, it is 2.5*10^6 dots.

    Finally, maybe computer language is not similar to natural things such as sound and picture. But it indeed has its structure. According to kolmogorov complexity theory, random typing on computer has higher probability generating meaningful string than typing on a typewriter.