CD Protection techniques
1. Introduction
Since commercial software began to be sold as packages containing CDs and DVDs, many methods have been used to prevent copying software from the original storage media. This report discusses some CD protection methods in terms of how they work and whether any workaround exists to bypass them. CD protection ranges from simple checkers that merely verify that the software is running from the original CD to more sophisticated techniques.
CD checkers are the simplest methods used to prevent running software from a copied CD. One method simply uses the GetDriveTypeA API call to find the CD drive letter; the checker can then act accordingly, for example by reading the CD label and refusing to run if it is not the expected one. Although this sounds trivial, the technique was used by many programs. Another widely used technique is to check for certain files that exist only on the original copy. It was also common for programs to refuse to run if the CD drive they were started from was a CD writer.
Because professional CD burners have become common and blank CDs are available at a reasonable price, overriding such techniques no longer requires any effort or professional skill; this in turn led to the development of more sophisticated techniques that can, to some extent, deter piracy of copyrighted software.
2. Common CD Protection Techniques
The following sections discuss some of the widely used CD protection techniques.
2.1. CD Cops
CD Cops is a commercial CD protection developed by Link Data Security; it can distinguish original CDs from copies. When a CD protected by CD Cops is run, a window titled 'CD Cops' appears on the screen, and the file CDCOPS.DLL together with some other files with .GZ and .W_X extensions is present on the CD. The protection mechanism is embedded in the executable file; when the executable runs, it checks whether the CD is original by verifying the physical angle between the first and the last accessible logical block on the CD.
The original CD contains an 8-byte code that holds the angle information, together with a checking routine that measures the angle on the CD and compares it with the encoded value. The angle between the first and the last accessible blocks differs from one CD to another depending on the CD-R type, which means no special mastering machine is required to produce CDs protected with CD Cops.
The testing routine is known to be complicated; it also starts a timer to check whether the routine takes too long, which usually means it is being traced (a debugger is in use). If the check takes too long, the program produces an error.
Although CD Cops seems tricky, it is possible to decrypt the executable without the original CD, because the correct code is stored, in encrypted form, inside the program itself; this did not stop crackers from producing tools that decrypt the program without the original CD.
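The timing guard described above can be modelled in a few lines. The following is an added example, not code from the report or from Link Data Security: the 8-byte code is assumed to be a little-endian double holding the expected angle in degrees, the drive measurement is simulated by a callable, and the names (encode_angle, guarded_check, slow_measurement) are invented for this illustration. It shows the three outcomes the scheme distinguishes: a matching angle, a mismatching angle, and a routine that overran its time budget.

```python
import struct
import time


def encode_angle(angle_deg):
    """Pack the expected angle into an 8-byte code.

    Constructed model only: the real CD Cops encoding of its 8-byte code is
    not documented here, so a little-endian IEEE double is assumed.
    """
    return struct.pack("<d", angle_deg)


def decode_angle(code):
    """Inverse of encode_angle."""
    return struct.unpack("<d", code)[0]


def make_angle_check(stored_code, measure_angle, tolerance_deg=1.0):
    """Build the verification step: measure the disc, compare with the stored code."""
    expected = decode_angle(stored_code)

    def check():
        return abs(measure_angle() - expected) <= tolerance_deg

    return check


def guarded_check(check, budget_ms):
    """Run `check` under a wall-clock budget, the way CD Cops times its routine.

    Returns "ok" (passed in time), "failed" (mismatch in time) or "traced"
    (the routine overran the budget, which the scheme treats as a sign of tracing).
    """
    start = time.perf_counter()
    passed = check()
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    if elapsed_ms > budget_ms:
        return "traced"
    return "ok" if passed else "failed"


def slow_measurement(angle_deg, delay_s):
    """Simulated drive query that stalls, as it would under single-stepping."""
    def measure():
        time.sleep(delay_s)
        return angle_deg

    return measure


if __name__ == "__main__":
    code = encode_angle(137.5)  # constructed value, not a real disc measurement
    print(guarded_check(make_angle_check(code, lambda: 137.9), 50))  # ok
    print(guarded_check(make_angle_check(code, lambda: 12.0), 50))   # failed
    print(guarded_check(make_angle_check(code, slow_measurement(137.5, 0.3)), 50))  # traced
```

The weakness worth noting is that a wall-clock budget cannot tell a debugger from a slow or heavily loaded machine, so a check like this produces false "traced" verdicts for legitimate users; that is why such timers are usually paired with other checks rather than used alone.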
2.2. DiscGuard
DiscGuard was developed by TTR Technologies. It stores the protection routine along with the executables on the CD and encrypts them; a digital code on the original CD is used for decryption, and this code cannot be reproduced by re-mastering or disc copying. When the program runs from the original copy that contains the digital code, it executes normally. When it runs from a copied CD, the digital code is absent, and the program may then work as a demo version or execute any other program of the developer's choice.
Storing the digital code requires a special machine, DG-Author. CDs protected by DiscGuard can be identified by the presence of the files IOSLINK.VXD and IOSLINK.SYS. There is no universal decoder for DiscGuard, but a number of patches exist that can be used to crack it.
2.3. LaserLock
LaserLock was developed by MLS LaserLock International. It can be detected by a hidden directory whose contents are unreadable (they produce read errors). A combination of an encryption routine and a unique laser mark on the CD surface is used to make the CD impossible to copy.
Although it is practically impossible to copy files from a LaserLock-protected CD, workarounds exist: the simplest is to set the CD burning program to ignore errors and copy the CD; a public decoder for this protection also exists.
2.4. SafeDisc
SafeDisc was developed by C-Dilla (now Macrovision) and is considered the most commonly used CD protection. It is used by famous game producers such as Ubi Soft, Interplay Entertainment, GT Interactive and Microsoft. Despite the publicity preceding the release of SafeDisc, which claimed it could not be removed, the first game protected by SafeDisc was broken in about a week; nevertheless, it remains the main choice of many software distributors.
The presence of SafeDisc is indicated by the files 00000001.tmp, clcd16.dll, clcd32.dll, clokspl.exe and dplayerx.dll. The CD contains two files, (game_name).exe and (game_name).icd: the .exe file contains the SafeDisc protection, whereas the .icd file contains the original game executable in encrypted form; it also includes some anti-disassembling tricks that make the code difficult to trace.
SafeDisc divides the .exe file into two parts. The first stores only the decryption information used to decrypt the second part and contains no other important code.
The second part is encrypted using the first part, which makes it impossible to change anything in the first part; this is intended to defeat debuggers, SoftICE in particular. The .exe file also contains a simple detection routine that checks whether SoftICE is running: it uses the CreateFileA API call to check for the existence of the (siwvidstart) driver needed by SoftICE, and if the driver is detected a warning message appears stating that SoftICE was detected and should be unloaded from memory. Another trick used to detect SoftICE is known as INT 68: the AH register must contain the value 43h before INT 68 is called, and if SoftICE is loaded the return value in AX is F386h. This trick works only under Windows 9x.
The second part of the .exe file contains a routine that calculates the code required to decrypt the original executable. It first executes CLOKSPL.EXE, which displays a picture during loading, then calculates the decryption key from a number of conditions: CD errors are read, and depending on the presence or absence of each error the corresponding condition is either true or false.
The calculation result is then XORed with the current date, so the code differs from day to day. Eventually the second part of the .exe file decrypts a small routine in memory that contains the address for calling DPLAYERX.DLL and the correct decryption key.
DPLAYERX.DLL works like the .exe file described above: the _DllMain@12 function is called and decrypts the second part of the DLL, then the function at 0x77F052CC is called with the key to decrypt the original EXE file. The key is XORed once again with the date to produce the key that is actually used for decryption; the original EXE file is decrypted in memory and then executed.
Some workarounds were used to overcome SafeDisc, such as a 1:1 copy, which copies the original CD as is while simply ignoring the errors and usually requires reading the CD at low speed (1X); generic patches also exist that can be used together with the 1:1 copy to run the game without the protection. In addition, there are unwrappers/decryptors such as unSafeDisc that extract the original .exe file from the .icd file; the extracted file can then be burned along with the other files, or simply used to replace the original after the software is installed.
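The key flow described in 2.4 and 2.5 (error conditions folded into a result, XORed with the date in the .exe, XORed with the date again in the DLL) is worth modelling to see where the secrecy actually lives. The following is an added example, not SafeDisc's code or format: the expected-bad sector numbers, the YYYYMMDD date encoding, the one-bit-per-condition result and the toy XOR cipher are all constructed assumptions, and the function names are invented. It shows that when both stages XOR with the same date value the date cancels out, so the decryption key depends only on the error-check conditions, which is exactly what a 1:1 copy that reproduces the errors satisfies.

```python
from datetime import date

# Constructed list of sectors the protection expects to be unreadable on an
# original disc (placeholders, not real SafeDisc sector numbers).
EXPECTED_BAD_SECTORS = [100, 2000, 30000, 45000]

# Constructed read results: the original disc returns errors where expected,
# a naive copy has had those sectors "repaired" by the burner.
ORIGINAL_READS = {s: "error" for s in EXPECTED_BAD_SECTORS}
COPY_READS = {s: "ok" for s in EXPECTED_BAD_SECTORS}

DAY = date(2001, 3, 14)       # constructed dates for the demonstration
NEXT_DAY = date(2001, 3, 15)


def condition_word(read_results, expected_bad=EXPECTED_BAD_SECTORS):
    """One bit per condition: set if the expected-bad sector really returned an error."""
    word = 0
    for bit, sector in enumerate(expected_bad):
        if read_results.get(sector) == "error":
            word |= 1 << bit
    return word


def date_word(d):
    """Date folded into an integer (YYYYMMDD); the real encoding is not given in the report."""
    return d.year * 10000 + d.month * 100 + d.day


def stage1_code(cond, d):
    """What the .exe computes: the condition result XORed with the current date."""
    return cond ^ date_word(d)


def stage2_key(code, d):
    """What DPLAYERX.DLL does: XOR with the date once more to get the decryption key."""
    return code ^ date_word(d)


def derive_key(read_results, d):
    """Whole pipeline from disc reads to the key the DLL would use."""
    return stage2_key(stage1_code(condition_word(read_results), d), d)


def xor_crypt(data, key, width=4):
    """Toy XOR stream with the key as a repeating 4-byte block (not SafeDisc's cipher)."""
    stream = key.to_bytes(width, "little")
    return bytes(b ^ stream[i % width] for i, b in enumerate(data))


if __name__ == "__main__":
    plaintext = b"MZ original game executable"          # constructed payload
    blob = xor_crypt(plaintext, derive_key(ORIGINAL_READS, DAY))
    # Still decrypts on another day: the two date XORs cancel.
    print(xor_crypt(blob, derive_key(ORIGINAL_READS, NEXT_DAY)))
    # Garbage on a copy that lacks the errors: the condition bits differ.
    print(xor_crypt(blob, derive_key(COPY_READS, DAY)))
```

The model makes the security lesson concrete: the date step is obfuscation, not key material, and the effective key space is the set of possible condition words (here 2^4). Any scheme whose key is computed from disc properties alone is only as strong as the difficulty of reproducing those properties.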
2.5. SecuROM
SecuROM was developed by Sony DADC. It can be detected by the presence of one or more of the files CMS16.DLL, CMS_95.DLL or CMS_NT.DLL; the main .exe file also contains the string 'CMS' twice. There are some similarities between SecuROM and SafeDisc: some SecuROM data are encrypted in an EXE file that can only be decrypted if the original CD is present. A memory dumper (ProcDump) can be used to save the EXE file to the hard disk after it has been correctly decrypted.
2.6. VOB
VOB is considered the latest commercial protection in the SecuROM and SafeDisc family. What is new in VOB is its use of anti-disassembling routines that make debugging take a considerable amount of time; otherwise it works the same way as SecuROM and SafeDisc.
3. Other CD Protection methods
In addition to the commercial CD protection products above, some generic tricks were also used. These tricks rest on certain assumptions, and as soon as those assumptions become invalid the tricks no longer work. The following sections discuss some of these methods.
3.1. Oversizing / Overburning
The classic 74-minute CD-R can hold up to 660MB, whereas the actual surface of most CD-Rs can hold up to 690MB. The extra space is normally used by the lead-out area (the area at the end of the session that marks its end); if this area is shortened, extra data can be written. Some games (Commandos) use this idea to prevent the original CD from being copied. The trick had some success, but only because 80-minute CD-Rs were not available at the time and not all CD burners could oversize the classic 74-minute CD-R; today 80-minute CD-Rs are available at a normal price, and many professional CD burners can even oversize 80-minute CD-Rs.
3.2. Damaged table of contents (TOC)
CD burners usually give an error message when they try to copy a CD with a damaged TOC. A damaged TOC can usually be recognised by the presence of a second data track after some audio tracks, which is not consistent with the ISO standard. Again, this trick is no longer useful because most of today's burning programs, Nero for example, have an option to ignore an illegal TOC when burning the CD.
3.3. Dummy files
When the contents of a CD that contains dummy files are copied to the hard disk, the total size can exceed 2GB, which means it cannot be burned again to a classic 74-minute CD-R. The dummy files point to parts of the CD that are already in use by other files. This protection is usually combined with the damaged TOC protection. Again, it is useless against modern CD burning software.
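Both the damaged-TOC trick (3.2) and the dummy-file trick (3.3) rely on a copying tool trusting the disc's own metadata. The following added example (not code from the report or from any burning product) shows the two sanity checks an analyst would run on a disc image before trusting its reported sizes: merging the file extents to find how many sectors are really occupied versus the sum of file lengths, and scanning the track list for a data track that follows audio tracks. The directory table, the track list and the function names are constructed for this illustration; the only real figure is 75 sectors per second, from which a 74-minute disc holds 333,000 user-data sectors.

```python
SECTOR_BYTES = 2048
SECTORS_74MIN = 74 * 60 * 75     # 333,000 user-data sectors at 75 sectors/second

# Constructed directory table: (name, first sector, length in sectors).
# The DUMMY files start inside DATA.BIN's extent, so they add apparent size
# without occupying any new space on the disc.
FILES = [
    ("GAME.EXE",    20,     600),
    ("DATA.BIN",    1000,   250000),
    ("MOVIE.AVI",   251000, 60000),
    ("DUMMY01.DAT", 1000,   300000),
    ("DUMMY02.DAT", 1000,   300000),
    ("DUMMY03.DAT", 1000,   300000),
    ("DUMMY04.DAT", 1000,   300000),
]

# Constructed TOC: a data track, two audio tracks, then a second data track.
SUSPECT_TOC = [(1, "data"), (2, "audio"), (3, "audio"), (4, "data")]


def apparent_size(files):
    """Bytes a file-by-file copy to hard disk would produce (what the trick inflates)."""
    return sum(length for _, _, length in files) * SECTOR_BYTES


def occupied_sectors(files):
    """Distinct sectors actually referenced: the union of all extents."""
    spans = sorted((start, start + length) for _, start, length in files)
    total, cur_start, cur_end = 0, None, None
    for s, e in spans:
        if cur_end is None or s > cur_end:        # gap: close the current run
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = s, e
        else:                                      # overlap or touch: extend it
            cur_end = max(cur_end, e)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def overlapping_files(files):
    """Names of files whose extents share sectors with another file."""
    hits = set()
    for i, (n1, s1, l1) in enumerate(files):
        for n2, s2, l2 in files[i + 1:]:
            if s1 < s2 + l2 and s2 < s1 + l1:
                hits.update((n1, n2))
    return sorted(hits)


def toc_anomalies(tracks):
    """Flag any data track that appears after audio tracks.

    `tracks` is a list of (track number, "data" or "audio") in TOC order.
    """
    seen_audio = False
    problems = []
    for number, kind in tracks:
        if kind == "audio":
            seen_audio = True
        elif kind == "data" and seen_audio:
            problems.append(f"track {number}: data track after audio tracks")
    return problems


if __name__ == "__main__":
    print(round(apparent_size(FILES) / 2**30, 2))      # about 2.88 GiB: too big for a 74-minute disc
    print(occupied_sectors(FILES) <= SECTORS_74MIN)     # True: the disc itself is not full
    print(overlapping_files(FILES))                     # everything except GAME.EXE
    print(toc_anomalies(SUSPECT_TOC))                   # track 4 flagged
```

The gap between apparent_size and occupied_sectors is the whole trick: a sector-level (1:1) copy never sees the inflated figure, which is why the report can call the protection useless against modern burning software. The same extent-overlap check is also a useful integrity test in forensic work, since legitimate ISO 9660 images do not normally share extents between files.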
3.4. Physical error
In this type of protection, real physical damage is applied to the CD. The CD burner is then unable to read the damaged tracks, so the original CD cannot be copied. However, some CD readers (TEAC) were able to read the damaged tracks, though this usually takes a long time; tools also exist that can speed up this process.
3.5. One or more huge files
This technique was used to prevent the production of a ripped version of the game, in which some large but unimportant files (videos and sound tracks) are replaced or removed from the original copy to shrink the total size of the game. All the files are simply combined into one huge file, which is then encrypted or compressed. This makes it very difficult for a cracker to study the structure of the huge file and accordingly hard to change its content. To make the best use of this technique, it can be combined with checks that detect any changes made to the file.
4. Non-PC CD protection techniques
All the techniques mentioned so far are tied to the PC platform; other techniques are used on non-PC platforms such as the Sony PlayStation and Sega Dreamcast. The following sections briefly discuss the CD protection techniques used on those platforms.
4.1. Sony PlayStation
Bad blocks and a country-code lock were used to protect PlayStation CDs. Usually a modified chip (ModChip) is installed in the console to defeat the bad-block and country-code checks. It is also possible to use a cartridge attached to the expansion slot; this too makes it possible to run copied CDs, and has the advantage over the ModChip that no changes to the internal hardware are required.
A more recent protection called LibCrypt is used by some games. LibCrypt uses a 16-bit key stored in the subchannel. The protection consists of two parts: the first tests for a ModChip and whether the game is being played from a copied CD; the second decrypts the code necessary to run the game. If the test fails, the game crashes.
4.2. Sega Dreamcast
The Sega Dreamcast actually uses GD-ROM, a format developed by Yamaha that holds a maximum of 1GB of data. In general, GD-ROMs cannot be produced with ordinary CD writers. A GD-ROM consists of two data tracks: the first, between 10 and 50 MB, can be read by normal CD readers, whereas the second uses a high-density format that normal CD-ROM drives cannot read. A tool called DreamRip is usually used to read the GD-ROM after connecting the Dreamcast console to the PC with a serial cable.
5. Conclusion
Clearly there is, so far, no working CD protection that cannot be cracked: all the games and software protected with any of the techniques described in this report can, one way or another, be made to run without the protection. Moreover, in the case of games in particular, it is possible, and common, to find the game available even before its official release. Developing such protections therefore seems to be a waste of time and money that could be devoted to improving the product itself; whenever a new technique is used, it takes perhaps a week at most to find a workaround to run the product without the original CD. A user equipped with simple tools, ranging from professional CD burning software (Nero/Alcohol) to a generic virtual CD (Daemon Tools), can easily make a functional copy of whatever software he wants, not to mention the numerous tools available online that make this task easier and easier. In short, for every new CD protection that claims to be unconquerable there will be a simple workaround to beat it, and this may continue until either a really functional idea appears or developers give up on CD protection altogether.