CD Cracking Uncovered: Protection Against Unsanctioned CD Copying
by Kris Kaspersky
A-List © 2004 (300 pages)
ISBN: 1931769338
Aimed at shareware and commercial software programmers, as well as
users interested in CD protection, this book will help readers defeat
hackers and crackers who try to copy CDs without authorization.

Table of Contents
CD Cracking Uncovered—Protection against Unsanctioned CD Copying
Preface
Introduction
On the CD
Part I - CD Anatomy
Chapter 1 - CD Organization
Chapter 2 - Power of Reed-Solomon Codes
Part II - Low-Level Control over Hardware
Chapter 3 - Practical Advice on Urgent System Recovery
Chapter 4 - Interfaces for Interaction with the Hardware
Chapter 5 - Methods of Revealing Protection Mechanisms
Part III - Protection against Unauthorized Copying and Data Recovery
Chapter 6 - Anti-Copying Mechanisms
Chapter 7 - Protection Mechanisms for Preventing Playback in PC CD-ROM
Chapter 8 - Protection against File-by-File Disc Copying
Chapter 9 - Protection Mechanisms Based on Binding to Storage Media
Chapter 10 - Data Recovery from CDs
List of Figures
List of Tables
List of Code Examples
CD Content

CD Cracking Uncovered: Protection Against Unsanctioned CD Copying
by Kris Kaspersky
A-LIST Publishing © 2004 (432 pages)
ISBN: 1931769338

Back Cover
A manual on protecting CDs against illegal copying, this book shows how
crackers copy CDs using various access methods. The methods covered
include the CDFS driver, cooked mode, SPTI, ASPI, the SCSI port, and the
MSCDEX driver. Explained is how to prevent cracker break-ins using
protections based on nonstandard CD formats such as the CD driver and
weak CD sectors. Information on CD functioning fundamentals and tips
related to CD protection in a format free of math and assembling (such as
data formats, the scrambler, the Reed-Solomon coder/encoder, the CIRC
coder/encoder, and a weak sectors generator) are also provided. The main
program interfaces, which provide direct control via peripheral devices on
the application level in UNIX, Novell, and Windows 9x/NT/2000/XP, are
considered, as is how to read and write RAW sectors.
After reading this book, readers will know how to change the format of a
CD to make it accessible for reading and/or writing on most CD drives,
but not accessible for copying.
Aimed at shareware and commercial software programmers, as well as
users interested in CD protection, this book will help readers defeat
hackers and crackers who try to copy CDs without authorization. It is
targeted at advanced users as well as application system programmers.

About the Author
Kris Kaspersky is an IT consultant working in security and system
programming. He specializes in issues such as compiler development,
optimization techniques, security mechanism research, real-time OS kernel
creation, software protection, and the creation of antivirus programs.
He is the author of Hacker Disassembling Uncovered and Code
Optimization: Effective Memory Usage.

CD Cracking Uncovered—Protection against Unsanctioned CD Copying
KRIS KASPERSKY
© 2004 by A-LIST, LLC
All rights reserved.
No part of this publication may be reproduced in any way, stored in a
retrieval system of any type, or transmitted by any means or media,
electronic or mechanical, including, but not limited to, photocopying,
recording, or scanning, without prior permission in writing from the
publisher.
A-LIST, LLC
295 East Swedesford Rd.
PMB #285
Wayne, PA 19087
702-977-5377 (FAX)
This book is printed on acid-free paper.
All brand names and product names mentioned in this book are
trademarks or service marks of their respective companies. Any omission
or misuse (of any kind) of service marks or trademarks should not be
regarded as intent to infringe on the property of others. The publisher
recognizes and respects all marks used by companies, manufacturers,
and developers as a means to distinguish their products.
CD Cracking Uncovered: Protection against Unsanctioned CD Copying
By Kris Kaspersky
ISBN: 1931769338
04 05 7 6 5 4 3 2 1
A-LIST, LLC, titles are available for site license or bulk purchase by
institutions, user groups, corporations, etc.
Book Editor: Thomas Rymer

LIMITED WARRANTY AND DISCLAIMER OF LIABILITY
A-LIST, LLC, AND/OR ANYONE WHO HAS BEEN INVOLVED IN THE
WRITING, CREATION, OR PRODUCTION OF THE ACCOMPANYING
CODE (ON THE CD-ROM) OR TEXTUAL MATERIAL IN THIS BOOK
CANNOT AND DO NOT GUARANTEE THE PERFORMANCE OR
RESULTS THAT MAY BE OBTAINED BY USING THE CODE OR
CONTENTS OF THE BOOK. THE AUTHORS AND PUBLISHERS HAVE
WORKED TO ENSURE THE ACCURACY AND FUNCTIONALITY OF
THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN;
HOWEVER, WE GIVE NO WARRANTY OF ANY KIND, EXPRESSED
OR IMPLIED, REGARDING THE PERFORMANCE OF THESE
PROGRAMS OR CONTENTS.
THE AUTHORS, PUBLISHER, DEVELOPERS OF THIRD-PARTY
SOFTWARE, AND ANYONE INVOLVED IN THE PRODUCTION AND
MANUFACTURING OF THIS WORK SHALL NOT BE LIABLE FOR ANY
DAMAGES ARISING FROM THE USE OF (OR THE INABILITY TO
USE) THE PROGRAMS, SOURCE CODE, OR TEXTUAL MATERIAL
CONTAINED IN THIS PUBLICATION. THIS INCLUDES, BUT IS NOT
LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING FROM THE
USE OF THE PRODUCT.
THE CD-ROM, WHICH ACCOMPANIES THE BOOK, MAY BE USED ON
A SINGLE PC ONLY. THE LICENSE DOES NOT PERMIT ITS USE ON
A NETWORK (OF ANY KIND). THIS LICENSE GRANTS YOU
PERMISSION TO USE THE PRODUCTS CONTAINED HEREIN, BUT IT
DOES NOT GIVE YOU RIGHT OF OWNERSHIP TO ANY OF THE
SOURCE CODE OR PRODUCTS. YOU ARE SUBJECT TO LICENSING
TERMS FOR THE CONTENT OR PRODUCT CONTAINED ON THIS
CD-ROM. THE USE OF THIRD-PARTY SOFTWARE CONTAINED ON
THIS CD-ROM IS LIMITED TO THE RESPECTIVE PRODUCTS.
THE USE OF “IMPLIED WARRANTY” AND CERTAIN “EXCLUSIONS”
VARY FROM STATE TO STATE, AND MAY NOT APPLY TO THE
PURCHASER OF THIS PRODUCT.

Preface

This book is a practical guide to protecting CDs against unauthorized
copying. It is oriented toward a wide reader audience, including advanced
users and application and system programmers.

It is not necessary to have expensive specialized equipment or be a
security expert to create strong, inexpensive, and reliable protection. All
that you need to achieve this is a low-end CD recorder and a couple of
evenings free from other work. This book provides a detailed description
of CD structure and will let you into a lot of secrets known only to
security experts (and not even they know them all), explaining all this in
simple language, without higher mathematics and practically without
Assembler language. This is the book’s main unique feature!

While reading this book, you will learn how to invalidate the disc format in
order to make it readable (that is, playable) on most CD-ROM drives, but
practically impossible for any copier to copy, and how to bind to the
physical disc structure so that copiers are unable either to reproduce or
imitate it. You’ll also learn about the physical and technical limitations of
low-end recorders and how to use these to achieve your goals.

Also covered will be the control over CD drives and recorders at a low
level and how to get the maximum control allowed by specific drive
models over CDs. All circumstances being equal, a disc protected using
a high-tech drive cannot be copied by all other drives. The book provides
detailed information on the differences between drive models and which
characteristics deserve the most attention when choosing a drive.

The book also discusses practically all commercial CD protection packages
available today. It lists their implementation errors, “thanks” to which the
copying of protected discs is still possible. The author also suggests
several protection mechanisms that take into account his own bitter
experience and that of his friends and colleagues. These protection
mechanisms cannot be copied using any of the copiers that exist today.

With regard to copiers, here you’ll find a detailed description of the most
popular protected CD copiers: CloneCD and Alcohol 120%, which,
according to their developers, “can copy practically any protected disc,
provided that the right combination of CD-ROM and CD recorder is
chosen.” The author demonstrates, using practical examples, that this is
not actually the case, and suggests some protection mechanisms that
cannot be copied by CloneCD and/or by Alcohol 120%.

Finally, the book explains how to create a protected CD copier on your
own, making the replication of protected discs a much easier task.

Introduction

CD protection is important today as never before. The widespread use of
low-end recorders allowed any user to duplicate discs in almost
mass-production quantities. The lion’s share of existing discs has not been
purchased because users simply borrow them from their friends or
colleagues. At the same time, most shareware programmers distribute
their products on CD-R discs by mail, which considerably complicates the
hacker’s task. If the program is not freely available, how can it be
cracked?

As a result, users are interested in cracking protected discs, while
developers have the opposite goal, namely, protecting CDs against
cracking. This book satisfies the needs of both groups. It explains how to
crack practically any currently existing protection software and suggests
a range of new protection mechanisms that virtually cannot be cracked.

CD protection against copying contains a large amount of material that
has never been published before. It provides the reader with detailed
information on CD structure and discloses lots of secrets known only to
professionals (and not even to every professional). At the same time, the
author tries to present this material in an accessible form, without
excessive use of higher mathematics and practically without the use of
Assembler language.

Having read this book, the reader (even with no special training) will learn
how to create discs that, in principle, cannot be copied because of the
hardware limitations of contemporary CD-R/CD-RW recorders. Besides
this, the reader will learn how to avoid conflicts with non-standard
equipment, as a result of which protection mechanisms refuse to work or,
even worse, damage the user’s equipment.

The book is oriented to the wide spectrum of readers, so the reader
doesn’t have to have any previous experience or background knowledge.
The reader might even lack knowledge of the sector structure of a
CD-ROM (by the way, 99 percent of programmers don’t know much about
this either). All of the information necessary for understanding the
principles of CD operation is provided directly in the book, and references
to third-party sources are minimal. The reader doesn’t need to be a
programmer, because all of the required utilities for the analysis,
protection and cracking of CDs are supplied along with the book. These
copiers, developed by the author, will do all the work automatically for the
reader. Thus, the book is worth purchasing, if only for the contents of
the companion CD alone.

At the most, the reader must be familiar with mathematics at the
university level, know how to use a disassembler, and be able to work with
the C and Assembler programming languages. Of course, reading this book
won’t make you a guru, but you’ll still acquire almost unlimited power
over CDs and be able to do whatever you like with them.

Notation Conventions

To prevent confusion and at the same time avoid unnecessary verbosity,
the book will use several notation conventions, which are briefly outlined
below:
NEC drive—_NEC CD-RW NR-9100A, firmware version 1.4
ASUS drive—ASUS CD-S500/A, firmware version 1.4
TEAC drive—TEAC CD-W552E, firmware version 1.09
PHILIPS drive—PHILIPS CDRW2412A, firmware version 1.5
Alcohol 120%—an excellent copier of protected CDs, a shareware
version of which can be downloaded from
This automatically cracks more than half of all currently existing
anti-copying mechanisms and allows you to mount images of protected discs
dynamically to a virtual CD-ROM drive, which is very convenient for the
purpose of experimentation. Unfortunately, only “correct” images can be
mounted, and most images in protected discs cannot be classified as
such.
CloneCD—a good copier of protected discs, a shareware version of
which can be downloaded from
Copying protected
discs in completely automatic mode is, of course, not the strongest point
of CloneCD. It could be more accurate to say that it copes with this task
poorly. However, after manually tweaking the program settings and the
image of the protected disc, it also can copy over half of all existing
examples of protection mechanisms. But to say that CloneCD can
“crack” practically any types of protection would be far from accurate.

Historical Aspect

The first attempts to protect CDs against copying were undertaken in
the early 1990s. CD recorders didn’t exist at that time, and developers
mainly had to prevent unauthorized copying of CD contents to hard disk. But
what about pirates? you may ask. Yes, piracy always has been and
remains a serious problem. However, attempts at stopping piracy by
software protection are, at least, naive. Those who replicate discs in
commercial quantities always employ a team of experienced hackers
who crack these protection mechanisms without any real effort. The
intellectual potential of “cracking” teams in these clandestine enterprises
is practically unlimited. They always try to employ the very best (I know
this from personal experience, because some years ago, before the
adoption of appropriate laws, I also worked on a team like this). The
financial factor, by the way, is not the primary one here. Hackers were not
paid large sums of money, and had to work like slaves. The work itself was
what attracted them. Where else could you get acquainted with such a large
number of various protection mechanisms and learn how to crack them?

To be honest, I have exaggerated a bit in discussing the variety of
protection mechanisms available. At that time, the “variety” included two
main types of protection: LaserLock and “code wheel”. With the arrival of
CD recorders, the importance of protection against copying grew
considerably. As a result, protection mechanisms began to grow like
mushrooms after a warm rain. By the beginning of 2003, there were already
more than 50 various protection mechanisms available on the market. The
majority of these were marketed on the basis of the “know-how” of their
developers. However, most hackers, having analyzed one of these protections
using a disassembler, began to feel nostalgic for days gone by, when
software came on diskettes and one out of every two examples was protected.
Contemporary CDs, of course, are different from old-fashioned diskettes.
However, the techniques of their protection are, in principle, the same!

Contemporary protection mechanisms mainly use the following methods:
non-standard formatting, the introduction of key marks, binding to the
disc surface, and weak sectors. Let us consider each member of this
family in more detail.

Non-standard formatting, in general, consists of intentionally introducing
specific errors to prevent the normal processing of information. For
example, if we artificially increase the length of every protected file to
~666GB by correcting the length field, any attempt at copying such a file
to a hard disk will fail. At the same time, the protection mechanism that
knows exactly where each specific file starts and ends can work with
them without any problems. Naturally, such a protection mechanism can
be hacked easily by copying the disc at the sector level. However, to do
this, the copier must know the exact number of sectors available on the
disc. The developer of a protection mechanism can easily tweak the disc
structures so that the disc looks either absolutely blank or, on the
contrary, grows beyond any conceivable size. Recorders that
mechanically read the disc TOC and blindly rely on the correctness of
each byte of control data will fail immediately. More advanced examples
will manage to determine the actual size of the disc through some implicit
indications. Recorders of this type will keep moving the optical head for
as long as the sectors under it remain readable. Let’s assume
that the protection is using a cunning mechanism and “digs a hole”
consisting of a bunch of bad sectors near the end of the disc. Some
recorders will fall into that pit, thinking that they have reached the end.
Some recorders won’t be deceived by this trick, because they carefully
analyze the information returned by the drive, which should know the
cause of the read error—be it the actual end of the disc or simply a bad
sector.

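An imaging or recovery tool can cross-check each directory record instead of trusting its length field, as in this added example (not code from the book or its companion CD). It assumes standard ISO 9660 directory records with 2,048-byte logical blocks; `check_dir_record`, `build_record` and all sample values are hypothetical names and constructed data, and the comparison of the two byte-order copies goes slightly beyond the case the text describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISO_BLOCK 2048u  /* assumed logical block size */

enum rec_status { REC_OK, REC_MALFORMED, REC_ENDIAN_MISMATCH, REC_BEYOND_VOLUME };

static uint32_t rd_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t rd_be32(const uint8_t *p) {
    return p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Validate one ISO 9660 directory record before trusting its length field.
 * Offsets used: 0 = record length, 2..9 = extent LBA (LE copy, then BE copy),
 * 10..17 = data length (LE copy, then BE copy), 32 = identifier length.
 * volume_blocks is the caller's own figure for the disc size in blocks. */
enum rec_status check_dir_record(const uint8_t *rec, size_t avail,
                                 uint32_t volume_blocks,
                                 uint32_t *lba, uint32_t *len)
{
    if (avail < 34 || rec[0] < 34 || rec[0] > avail || 33u + rec[32] > rec[0])
        return REC_MALFORMED;
    uint32_t lba_le = rd_le32(rec + 2),  lba_be = rd_be32(rec + 6);
    uint32_t len_le = rd_le32(rec + 10), len_be = rd_be32(rec + 14);
    if (lba_le != lba_be || len_le != len_be)
        return REC_ENDIAN_MISMATCH;   /* the two copies disagree */
    uint64_t blocks = ((uint64_t)len_le + ISO_BLOCK - 1) / ISO_BLOCK;
    if ((uint64_t)lba_le + blocks > volume_blocks)
        return REC_BEYOND_VOLUME;     /* file claims more than the disc holds */
    *lba = lba_le;
    *len = len_le;
    return REC_OK;
}

/* Build a constructed record for the demonstration (not from a real disc). */
size_t build_record(uint8_t *out, uint32_t lba, uint32_t len_le,
                    uint32_t len_be, const char *name)
{
    size_t n = strlen(name);
    size_t total = 33 + n + (n % 2 == 0 ? 1 : 0);  /* records have even length */
    memset(out, 0, total);
    out[0] = (uint8_t)total;
    for (int i = 0; i < 4; i++) {
        out[2 + i]  = (uint8_t)(lba >> (8 * i));     /* little-endian copy */
        out[9 - i]  = (uint8_t)(lba >> (8 * i));     /* big-endian copy */
        out[10 + i] = (uint8_t)(len_le >> (8 * i));
        out[17 - i] = (uint8_t)(len_be >> (8 * i));
    }
    out[32] = (uint8_t)n;
    memcpy(out + 33, name, n);
    return total;
}

int main(void)
{
    static const char *text[] = { "ok", "malformed", "endian mismatch", "beyond volume" };
    uint8_t rec[64];
    uint32_t lba = 0, len = 0, volume_blocks = 1000;  /* constructed volume size */
    size_t n;

    n = build_record(rec, 100, 4096, 4096, "README.TXT;1");
    printf("normal file:     %s\n", text[check_dir_record(rec, n, volume_blocks, &lba, &len)]);
    n = build_record(rec, 100, 0xFFFFFFFFu, 0xFFFFFFFFu, "SETUP.EXE;1");
    printf("inflated length: %s\n", text[check_dir_record(rec, n, volume_blocks, &lba, &len)]);
    n = build_record(rec, 100, 4096, 0x00FF0000u, "DATA.BIN;1");
    printf("one copy edited: %s\n", text[check_dir_record(rec, n, volume_blocks, &lba, &len)]);
    return 0;
}
```

Because the same paragraph notes that the TOC can misreport the disc size, `volume_blocks` should come from a source the tool has verified itself rather than from control data alone.
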
Some protection mechanisms play even dirtier tricks, boldly writing
irrecoverable errors to the original disc (which means that these errors
cannot be eliminated by the special error-correction codes placed on the
CD). If this approach is used for protecting an audio CD, this means that
its playback will be accompanied by endless clicks. This doesn’t happen
in practice because the developers of audio players have provided
a special filter that discards data that are sure to be
erroneous and uses interpolation when necessary (in this case, the
current sample is recreated on the basis of the averaged values of those
that precede and follow it). Naturally, this degrades the playback quality.
Media magnates, however, don’t give much of a damn about this, and,
realistically, the degradation isn’t significant. However, the situation is
different with regard to digital playback. Early versions of the standard
instructed the drive to report only occasions where one or more
irrecoverable errors were encountered, but didn’t provide any
mechanisms for “marking” the faulty bytes. So the drive has read 2,352
bytes of data and detected that about a hundred of them were invalid! What
next? Use interpolation? If the answer is yes, what should we interpolate
—which byte by which?! Analyze the signal manually, searching for
“outbreaks?” This is too difficult and, anyway, the quality of the “restored”
audio will be very far from perfect. It is, of course, possible to try grabbing
the audio flow from the digital audio output. However, most low-end
sound adapters do not support this capability. Even if this kind of support
is provided, it is implemented so poorly that music lovers would be better
off simply shooting themselves. Put simply, dark clouds without the
slightest trace of sunshine began to gather over hackers. However,
everything changed after manufacturers began to offer CD drives
capable not only of simply reporting read errors, but also of reporting the
positions of erroneous bytes within the sector. Now, fully functional
interpolation became possible at the interface level! After this, software
grabbers exploiting new possibilities arrived quickly.

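The interpolation described above, once the drive reports which bytes of the 2,352-byte sector are bad, as an added example (not code from the book). It assumes 16-bit little-endian stereo samples and a 294-byte flag bitmap with one bit per data byte, most significant bit first; the bit order and all function names are assumptions, and a run of several bad samples is bridged linearly, which reduces to the neighbour average for a single bad sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES 2352
#define FRAMES       588   /* 2352 bytes / 4 bytes per stereo frame */
#define FLAG_BYTES   294   /* one error flag bit per data byte */

/* Assumed bit order: the most significant bit of flags[0] covers byte 0. */
static int byte_bad(const uint8_t *flags, int i) { return (flags[i / 8] >> (7 - i % 8)) & 1; }
void mark_bad(uint8_t *flags, int i) { flags[i / 8] |= (uint8_t)(0x80 >> (i % 8)); }

int16_t sample_at(const uint8_t *s, int frame, int ch) {
    const uint8_t *p = s + frame * 4 + ch * 2;
    return (int16_t)(uint16_t)(p[0] | p[1] << 8);
}
void put_sample(uint8_t *s, int frame, int ch, int16_t v) {
    uint8_t *p = s + frame * 4 + ch * 2;
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)((uint16_t)v >> 8);
}
static int sample_bad(const uint8_t *flags, int frame, int ch) {
    int b = frame * 4 + ch * 2;
    return byte_bad(flags, b) || byte_bad(flags, b + 1);
}

/* Replace every flagged sample by interpolating, per channel, between the
 * nearest good samples on either side. Returns the number of samples rebuilt. */
int conceal_sector(uint8_t *sector, const uint8_t *flags)
{
    int rebuilt = 0;
    for (int ch = 0; ch < 2; ch++) {
        int f = 0;
        while (f < FRAMES) {
            if (!sample_bad(flags, f, ch)) { f++; continue; }
            int start = f;
            while (f < FRAMES && sample_bad(flags, f, ch)) f++;
            int end = f;                     /* first good frame after the run */
            int32_t a = start > 0    ? sample_at(sector, start - 1, ch) : 0;
            int32_t b = end < FRAMES ? sample_at(sector, end, ch)       : 0;
            if (start == 0)    a = b;        /* no left neighbour: hold right */
            if (end == FRAMES) b = a;        /* no right neighbour: hold left */
            int span = end - start + 1;
            for (int k = start; k < end; k++) {
                int32_t v = a + (b - a) * (k - start + 1) / span;
                put_sample(sector, k, ch, (int16_t)v);
                rebuilt++;
            }
        }
    }
    return rebuilt;
}

/* Constructed test signal: left = 10*frame, right = -10*frame, with one
 * damaged left sample (frame 5) and three damaged right samples (10..12). */
void build_demo(uint8_t *sector, uint8_t *flags)
{
    memset(flags, 0, FLAG_BYTES);
    for (int f = 0; f < FRAMES; f++) {
        put_sample(sector, f, 0, (int16_t)(10 * f));
        put_sample(sector, f, 1, (int16_t)(-10 * f));
    }
    put_sample(sector, 5, 0, 0x7FFF);
    mark_bad(flags, 5 * 4);                  /* low byte of left sample 5 */
    for (int f = 10; f <= 12; f++) {
        put_sample(sector, f, 1, 0x1234);
        mark_bad(flags, f * 4 + 3);          /* high byte of right sample f */
    }
}

int main(void)
{
    uint8_t sector[SECTOR_BYTES], flags[FLAG_BYTES];
    build_demo(sector, flags);
    printf("rebuilt %d samples\n", conceal_sector(sector, flags));
    printf("left[5] = %d, right[11] = %d\n", sample_at(sector, 5, 0), sample_at(sector, 11, 1));
    return 0;
}
```
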
Still, we are running ahead of ourselves. Let’s return to that distant past
when there were no CD drives, even in the project phase. All software
was distributed on diskettes (both copyright and copyleft). At that time,
everyone who wanted to protect their diskettes scratched them using any
means available: those who had the necessary financial resources burnt
the magnetic layer using a laser, while others simply scratched it with a
needle or rusty nail. All that remained to ensure protection was to check
whether the surface defect was present in the predefined position.
Copying such a diskette without special equipment was not a realistic
task, because no one could place the scratches from the original in the
same position on the copy. However, hackers understanding controller
ports quickly came up with the idea that, if they modified the checksum of
the key sectors, the diskette would be read with errors, despite the fact
that its surface was physically intact! CD protection is based on the same
method, and CDs can be cracked using the same approach. The
manufacturer can stuff the disc with bad sectors and check their
presence any time the protected software starts. This generates the
following problems: first, not every copier would agree to copy a disk
bearing physical defects. Even if it agreed to do what you asked of it, you
would have to wait a very long time for the copying process to be
completed (everyone is familiar with the snail’s pace of reading defective
sectors). Further, the resulting copy would be unusable, because it didn’t
contain the defects in predefined positions.

Less than intelligent hackers simply invalidate the checksum of the
sector, thus making the drive return an error (naturally, the recording
drive must allow us to write sectors with a checksum error, which is not
always the case). This, however, doesn’t solve the problem. After all, the
disfigured sector is read practically immediately, and the protection
mechanism, provided that it isn’t absolutely useless, can detect easily
that something is wrong here. Or, as a variant, it can carry out long sector
reading, meaning that the sector with modified checksum will become
readable.

What should a cunning hacker do? This question can’t be answered
immediately or in simple language. Simply speaking, the CD format is
such that the high-frequency signal that results when reading a sequence
of pits and lands under an optical head has no reference level. For the
drive to be able to detect where there is a minus and where there is a
plus, the number of lands must be approximately equal to the number of
pits. If some specific section of a sector contains only pits, it will be
catastrophically dark, and an automatic amplifier will try to increase the
laser-ray power, erroneously assuming that there is something wrong
either with the disc or with the optics. In this case, a number of the pits
will be turned into lands and the drive will be confused in every respect.
First, it will try to carry out recalibration, drag the optical head for some
time, and only then will it sadly report that this sector is unreadable. From
the protection mechanism’s point of view, this sector will appear to be
damaged, although, at the physical level, its surface is intact.

Now, let’s return to the main aspect: Because the drive must be able to
record any imaginable (and even unimaginable) data correctly, the
developers must make provisions for a method that can bypass such
unfavorable situations. In fact, such a mechanism does exist! To put it
simply, there are several possible methods of encoding the data being
written to the disc, and the drive must choose the most favorable options.
Fortunately (or unfortunately), not every drive is so scrupulous. Since the
possibility of the unintentional occurrence of unfavorable sequences is
infinitely small, some (in fact, many) drives encode the data using a
single predefined method. Consequently, there is the possibility for
simulating faulty sectors that practically do not differ from actual faulty
examples.

The protection developers saw this as a gold rush! If they could only
specially glean an unfavorable sequence of bytes, then a specialized
drive would be required to write it correctly. When copying such discs on
a normal low-end drive, the original would be read wonderfully, but there
would be a lot of bad sectors on the copy and the duplicated disc would
be unusable. Sectors with unfavorable sequences became known as
weak sectors. To copy such sectors, it is necessary to have high-end
sophisticated drives from well-known brand manufacturers. But what if
you don’t have such a drive at your disposal? Does this mean that you
are unable to copy such a disc? The answer is no! If the protection
doesn’t take additional measures, the copier can compute
error-correcting codes for a true unfavorable sequence and then correct it
slightly and write to the disc. At the physical level, such a sector will be
readable without any problems. At the logical level, the drive will restore it
to its initial form using redundant codes. However, if the protection reads
the sector in RAW mode, it will immediately recognize the forgery.
Therefore, not every disc can be copied using this method.

To understand the concept behind the next protection mechanism, we
must return to diskettes once again. The physical surface of the diskette
is divided into concentric rings named cylinders, and cylinders, in turn,
are divided into sectors. When the read head moves from the last sector
of one cylinder to the first sector of the next cylinder, it is moved some
distance away due to diskette rotation. Consequently, the drive must wait
for an entire turn to meet that sector again. Those who spent days and
nights in computing centers came to the idea that if the sectors of each of
the next cylinders were shifted, the speed of the sequential reading would
grow considerably, because the required sector would immediately be
under the head. On the other hand, by rotating the sectors of different
cylinders by certain angles, we would achieve certain fluctuations of the
data-exchange speed. According to these fluctuations, the protection
mechanism would be able to distinguish a duplicate from the original,
because a duplicate wouldn’t produce such fluctuations.

Now let’s return to CDs. There are, of course, no cylinders, and the
sequence of sectors has a spiral form. Head positioning to the sectors of
the adjacent spiral track turns is carried out by means of deviating the
laser head by a magnetic system (which means that it takes place almost
instantly). Positioning to remote sectors involves the mechanism of
moving the head along special “sliders,” which requires considerable
time. Knowing the speed of disc rotation and having measured the time
required for positioning the head to the sectors of the adjacent turns of
the track, we will be able to find the angle between them, which depends
directly on the spiral’s swirl. Different types of CD-R/CD-RW discs have
different spiral structures. Even worse, this structure is created by the
manufacturer, which means that the discs are supplied to the market with
preliminary formatting required for orientation of the CD recorder.
Copying a disc protected in this manner is unrealistic and, therefore, it is
necessary to emulate it. The copier must carefully measure the angles
between different sectors and recreate the initial structure of the spiral.
The process of scanning the disc requires a monstrous amount of time
(sometimes, several days). The result, however, is worth it.

The disc can also have a catastrophically non-standard format. For
instance, it can have sectors of variable lengths. As a result, some
sectors will be read faster than others. Because every change of the
sector length is immediately reflected in the structure of the spiral track,
the copier has to deal with two unknown values—the unknown angle of
the spiral swirl and an unknown sector length. From the mathematical
point of view, this equation can have many possible solutions. Only one
of them, however, is correct. The copier can (and must!) present several
variants of copies to allow us to decide on our own, which of them cracks
the protection and which doesn’t. Unfortunately, no copier, of which I am
aware, is capable of doing this.

Nevertheless, long sectors represent a stand-alone entity, and some
discs use these sectors alone for the protection. The dark side is that no
CD burner available on the market allows us to control the lengths of the
sectors being written. There is one clue though. Although we cannot
increase the sector length, we can still create two sectors with identical
headers. Having successfully read the first of the two sectors, we will
ignore the second, but the visible sector length will be increased twofold.
The weak spot in this technology is that we can only increase the sector
length by a value that is a multiple of two. Even worse, not every drive
provides this possibility. Some drives simply refuse to write twin sectors.

Now let’s discuss key marks. Besides the user data sector area, which is
copied by practically all copiers, there are numerous locations on CDs
which have been poorly investigated. First, there are subcode channels.
There are eight of these channels in total. One stores service information,
according to which the laser head is oriented, the second stores
information about pauses, and the remaining six channels are free.
Standard copiers do not copy them, and not every burner provides the
possibility to write them. These channels are exactly where protection
mechanisms insert key marks!

By the way, subcode channels are stored independently of the main data
channel, and there is no direct correspondence between them. First,
when reading the subcode channel of sector X, the drive can return the
subchannel data from any of the neighboring sectors at its discretion. The
second important factor is that most drives have very poor stability
characteristics, and, when reading subchannel data from sectors X, Y,
and Z, can return the data from X, X, X, or Y, Z, X, or Y, Z, Z, or any other
combination. Let’s assume that the subcode channel of one of the
sectors contains a key mark, and we are trying to read it. Will we
succeed? Not necessarily. If service information is modified at least
slightly, we won’t be able to determine to which sectors the subchannel
data that we have read actually belongs or whether or not our sector
belongs to their list. The only way out is to use a high-quality CD-ROM
drive that has good stability characteristics when reading subchannel
data.

Finally, CD-R/CD-RW discs are significantly different in some
characteristics from the replicated mechanically stamped CD-ROM. Is
there any need to introduce ATIP? Aside from this, there also is such a
thing as TDB (Track Descriptor Block), where, among other information,
there is laser power and other similar data. Naturally, CD-ROM discs do
not contain anything of the sort. It is impossible to falsify the CD-ROM
disc nature directly. However, there are many utilities that intercept all
attempts at accessing the drive and return exactly what we need instead
of the actual information.

At this point, let’s complete our brief overview of protection mechanisms.
Further on, each of them will be considered and discussed in more detail.

Note that bypassing the protection against CD copying is not the same
thing as copyright violation! The laws of many countries explicitly allow
the creation of backup copies of licensed media. At the same time, there
is no existing law that prohibits the “cracking” of legally purchased
software. License agreements can prohibit whatever the manufacturers
like. They have, however, no legal status. By violating a license
agreement, you automatically cancel the contract with the software
vendor, which means that you make void all warranties and privileges
that the vendor promised you. This is approximately the same thing that
overclockers do when they cut specific processor pins to unlock its
frequency multiplier. You won’t land in court if your processor dies in
clouds of smoke. However, no one is going to replace your burnt-out
specimen. You can only be prosecuted by law if you start to distribute the
cracked software. This is a risk, therefore, that I don’t advise you to take.