Reverse engineering Academy
CD-ROM faking
CD-ROM related reverse engineering
Updated in September 1999
by fravia+, January 1999
The increase in illegal copying and burning of CDs, which (take note) we don't condone if
done for commercial purposes, now seems to be a phenomenon of such dimensions that IMO the
producers had better try to understand it correctly instead of annoying software reversers
who have NOTHING to do with it... see, I'm not speaking of the fact that you can now buy
anywhere in Russia (on the Arbat!) whole compilations for 2 Euro (each one of them
containing the most recent software, each CD worth 4-5000 Euros), since you could have done
that even before the disappearance of the good old Soviet Union, in Singapore, Beirut,
Belgrade or even at the rastro in Madrid... and since actually there isn't any need to
spend even those 2 lonely Euros on a huge web where you can download whatever you fancy for
free from any decent warez site.
BTW, you may as well say goodbye to copyrighted music... to use Seidman's recent words:
"Dear Music Company Executives, The software to encode music
into MP3 format already exists. I already have it on my computer. So do a lot of other
people. You will not be able to stop it because it is already there. Do you get it? I know
you're scared. I don't blame you. But the genie is already out of the bottle and try as
you might, you won't be able to stuff it back in. Get over it. You can store about 150
songs in MP3 format on a CD or about 10 HOURS of music on one CD. The Diamond Rio, which
holds 60 minutes of music is only the TIP of the iceberg."
Of course Seidman is right... and I may add that all the encryption plans of those same
commercial bastards (my own translation of 'music company executives' :-) mean only more fun
for our reversing studies... :-)
Yet the real problem remains another one, IMO: the real problem is that there are many
completely 'legal' HARDWARE felons out there who should worry the copyright holders even
more than the warez pirates that sell (and protect :-) their (protected) pirated CDs (like
Twilight).
You want a hardware example? Here you go: Memodis has announced a CD-ROM burner that can
chain up to 28 burners together in groups of seven. It's a PC-independent hardware pirate's
dream that will be delivered in three versions, the biggest one with 7 burners and an LCD
screen... now, pray tell me, who will use this product? Ah ah... the 'free market' laws of
supply and demand should always be respected... :-(
So let's do our work: let's reverse engineer software protection schemes, since this field
is relevant for our reverse engineering studies.
CD-ROM protection schemes are based on some common tricks. First of all, the idea (actively
spread by some software houses) that there is some space 'between tracks' on a CD that
would be written on the original CD and checked by the protection scheme is nonsense: a
CD-ROM track is a spiral. The main protection schemes used today to avoid CD-ROM copying
are based on the fact that CD-ROM discs have a layout divided into tracks. The common
structure is
Track #1 - MODE1
Track #2 - MODE2
Track #3 - AUDIO
Track #4 - AUDIO
Track #5 - MODE1
Note that in multisession CD-EXTRA discs the audio tracks are in the first session and
there is a data track in the second session.
This 'mixed mode' stuff is used to "protect" games from being copied by beginners.
Adaptec's software, for instance, cannot duplicate (on purpose) these mixed CDs. You'll
need to use better software (CDRWin or, even better, Nero) to do it.
All the protection schemes based on the above structure can be easily cracked. There are
two kinds of protection schemes that are more difficult to crack (yet they are not
uncrackable, of course :-), and these are Kodak Photo-CDs and Sony PlayStation games (I
don't mean those that you can bypass by fixing the PlayStation unit), which both contain
inside their pre-header (or subroutines) some code that initializes the lusers' machine.
Let's have a look at the commonest tricks:
Trick: To avoid CD copying, the most banal trick is to make the CD bigger than the usual
format. You will therefore not be able to copy the CD onto a regular (74 minutes) CD.
Bypass: there are a few possible options to copy an 'enlarged' protected CD:
1) Get hold of good software that can copy more data onto regular CDs (CDRWin, for
instance... but the best software IMO is Nero. If you use Nero, then select 'Ignore Illegal
TOC' + 'Ignore Read Errors' + 'Unreadable Data' & continue copying').
2) Get CDs that are large enough to hold all the data.
3) If your CD recorder supports overburning (TEAC, PLEXTOR, YAMAHA) then you can enable
the overburn option in Nero ('Preferences' & 'Advanced settings' & 'Enable CD oversize').
If you are not sure all the data of the original disc will fit, then just use an 80 minute
CD-R.
Trick: As was to be expected, there are now a series of protection schemes out there that
use partitions larger than the largest CD-R available. Interestingly enough, pirates have
been the first ones to use this kind of protection (Twilight began using this kind of
protection from number 15, and went 'bigger' from number 21).
Bypass:
1) (simple): Crack the scheme (remove the CD-size check from the menu).
2) (expensive): use CDRWin with one of the following recorders: Plextor PX-R412 Ci; Teac
CDR 55 S; ALL Yamaha recorders; Panasonic 7502. The reason you should use CDRWin has to do
with the TOC of all CD-ROMs: every CD contains a table of contents (TOC) and a Lead-In in
which is listed what is on the CD, so the CD-ROM drive can find the data on the disc. This
TOC is on every CD and will be written at the start of every recording session. And this
of course takes up space on the CD, so less space is available for the actual data. This
is where CDRWin comes in: the TOC and Lead-In written by CDRWin (CDRWin: www.goldenhawk.com)
are much smaller if you compare them to other recording software (Nero: www.ahead.de;
Creator Deluxe: www.adaptec.com; DiskJuggler: www.padus.com; Prassi CD Replicator:
www.prassi.com; Feurio: www.feurio.de; every one of these programs can be fished from the
web).
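As an added example (not fravia's code, and not taken from any of the burning programs named above), here is a small Python model of the two things discussed above: the track layout of a mixed-mode disc and the size check that decides whether a disc fits on regular media. It parses a 'Track #n - MODE' listing like the one given earlier, recognises a disc that mixes data and audio tracks, and reports whether a given set of track lengths fits in the programme area of 74 or 80 minute media without overburning. The 75 sectors per second and the per-sector user-data sizes are the standard CD figures; the extra-session lead-in/lead-out overhead and the sample track lengths are assumptions, labelled as such in the code.

```python
import re
from dataclasses import dataclass

# Red Book timing: 75 sectors (frames) per second of playing time.
SECTORS_PER_SECOND = 75

# Bytes of user data per sector for each track type (standard figures:
# Mode 1 data, raw Mode 2 user area, uncompressed CD-DA audio).
USER_BYTES = {"MODE1": 2048, "MODE2": 2336, "AUDIO": 2352}

# Sectors eaten by each additional session's lead-in (60 s) and lead-out (30 s).
# Assumption: the commonly cited multisession overhead, not measured here.
EXTRA_SESSION_OVERHEAD = (60 + 30) * SECTORS_PER_SECOND

TRACK_RE = re.compile(r"Track\s*#(\d+)\s*-\s*(MODE1|MODE2|AUDIO)", re.IGNORECASE)


@dataclass
class Track:
    number: int
    mode: str          # "MODE1", "MODE2" or "AUDIO"
    sectors: int = 0   # length in sectors; 0 while only the layout is known


def parse_layout(text):
    """Turn a 'Track #n - MODE' listing into Track objects (lengths unknown)."""
    return [Track(int(num), mode.upper()) for num, mode in TRACK_RE.findall(text)]


def is_mixed_mode(tracks):
    """True when the disc carries both data and audio tracks: the 'mixed mode'
    layout that trips up beginner-grade copying software."""
    kinds = {"AUDIO" if t.mode == "AUDIO" else "DATA" for t in tracks}
    return kinds == {"AUDIO", "DATA"}


def media_sectors(minutes):
    """Programme-area capacity of a CD-R rated for `minutes` of playing time."""
    return minutes * 60 * SECTORS_PER_SECOND


def total_sectors(tracks, sessions=1):
    """Sectors the disc needs, including lead-in/lead-out of any extra sessions."""
    return sum(t.sectors for t in tracks) + (sessions - 1) * EXTRA_SESSION_OVERHEAD


def user_bytes(tracks):
    """Total user data on the disc, weighting each track by its sector type."""
    return sum(t.sectors * USER_BYTES[t.mode] for t in tracks)


def fits_on(tracks, minutes, sessions=1):
    """Does this layout fit on `minutes` media without overburning?"""
    return total_sectors(tracks, sessions) <= media_sectors(minutes)


def sample_oversized_disc():
    """Constructed sample: the page's five-track layout with made-up track
    lengths chosen so the disc is slightly larger than a 74-minute CD-R."""
    tracks = parse_layout("Track #1 - MODE1 Track #2 - MODE2 Track #3 - AUDIO "
                          "Track #4 - AUDIO Track #5 - MODE1")
    for track, length in zip(tracks, (150_000, 50_000, 60_000, 60_000, 20_000)):
        track.sectors = length
    return tracks


if __name__ == "__main__":
    disc = sample_oversized_disc()
    print("mixed mode:", is_mixed_mode(disc))
    print("sectors needed:", total_sectors(disc), "of", media_sectors(74), "on 74-minute media")
    for minutes in (74, 80):
        print(f"fits on {minutes}-minute CD-R without overburning:", fits_on(disc, minutes))
```

Run it as a script to see the sample disc flagged as mixed mode and as too large for 74-minute media but fine on 80-minute media; pass `sessions=2` to `fits_on` to see how a second session's lead-in and lead-out shrink the room left for data, which is the overhead the paragraph above is talking about.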
PHASE 1 by Animadei:
EMULATE CD-ROM (an ASM file), 11 May - 3 November 1997
(Emulating MSCDEX)
This asm file introduces to all future good crackers the BASIS of CD-ROM emulation,
which has an obvious importance for our trade. As animadei himself writes to me: I've
taken the liberty to give my cd-emulator source as a small contribution to the cracking
community. There's a file attached to this letter. ECD "Emulate CD" - introduces
emulating a CD and substitutions of drives like "subst.exe"...
PHASE 2 by Aesculapius:
Brief Tutorial on CD Access Based Protection Schemes Under Windows, 28 August 1997
(Cracking Virtua Fighter PC)
Well, a VERY welcome contribution by our Aesculapius! It was time that somebody took
care of the CD-ROM checks, which btw, in general, are NOT very difficult to defeat. I hope
that with the help of this addition many +crackers will be stimulated and work on such
schemes, bringing ahead this poor and neglected (yet important) project 4!
PHASE 3 by +DataPimp:
WarLords 3 Cd-Check, 24 September 1997
(A Very Simple Protection)
Well, it was about time that somebody wrote something more! Riddler shows here how
(relatively) easy it is to reverse engineer such schemes! I hope that with the help of
this addition many +crackers will be stimulated and work on such schemes, bringing ahead
this poor and neglected (yet important) project 4!
PHASE 4 by +DataPimp:
CD-Rom reversing MechWarrior2 Mercenaries, 26 September 1997
(Another Approach to the Cd-Check scheme)
Well, +DataPimp is slowly "specialising" in this very interesting cracking
subject! Here is his SECOND essay in a very short time. Let's hope he keeps sending
material, as I will repeat (once more): "I hope that with the help of this addition
many +crackers will be stimulated and work on such schemes, bringing ahead this poor and
neglected (yet important) project 4!"
PHASE 5 by +ALT-F4:
Cracking the Mystique Patch for Tombraider, 17 October 1997
(the write random file trick)
A new +HCUker (that has already contributed to our site in the past) shows here how
(relatively) easy it is to reverse engineer a video patch for Tombraider... a good game
btw, you'll find it on almost any warez server... I personally prefer the older version 1
to version 2 :-)
PHASE 5 by +Rcg:
CD ROM from top to down, 19 October 1997
(MSCDEX, reversing drivers and CD-ROM related interrupts)
Well, a welcome "basic" addition by +Rcg, who clears things up a little on
such important matters as accessing the CD-ROM through the MSCDEX driver.
PHASE 6 by NaTzGUL:
InstallSHIELD Script Cracking, 22 November 1997
(Object oriented cracking: INSTALL WIZARDS CRACKING)
Well, a very interesting essay. Here we have a very "sound" approach to
Installshield cracking. Read and enjoy!
PHASE 7 by -= +DataPimp =-:
Quake2 CD-Rom reversing, 20 December 1997
(More about CD-ROM deprotections and Cd-Checks)
Quake II... so easy you could cry!
PHASE 8 by TWD:
The cracking of "Age of Empires", 27 Dec 1997
(with a general digression about CD-based copy protections of most Windows95 games)
PHASE 9 by FootSteps:
Oldies but Goodies, 04 Mar 1998
(A Dos Game CD-check with Sourcer 7)
Well, let's rationalize things a little...
Date | Author | File | Title | Project | Ref
01 June 98 | Q | q_tsr601.htm | A different approach cracking a DOS CD-protection | proj 4 | fra_0124
09 Jan 99 | Kilby | kilby.htm | Thief and the current Eidos protection scheme | proj 4 | fra_017B
20 Jan 99 | McLallo | cdromcla.htm | CD-Cops ~ Another ready-made protection annihilated | advanced proj 4 protec | fra_0183
24 Sep 99 | zoltan | d2kessay.htm | Reverse Engineering The Protections From WestWood: DUNE | proj 4 | fra_xxxx
24 Sep 99 | zoltan | zltcomma.htm | How to defeat a cd-lock protection: COMMANDOS | proj 4 | fra_xxxx