===================
Disclaimers:
The information below comes without any warranty. This blog entry is solely for entertainment and educational purposes. (But I can't even guarantee any entertainment and/or educational value – my intention is to be entertaining and/or educational here.)
This blog entry must not be used for illegal activities!
I have zero interest in obtaining illegal software copies myself, but playing around with DRM garbage is fun.
===================
To my knowledge nobody yet shared a method of successfully copying a (newer) ProtectDISC CD that doesn't rely on emulation.
So I'll present my findings here.
Enough with the preliminaries! Let's go!
================================================
The conditions for the "fight" aren't exactly fair. I'm a single person with the mental capacity and computer skills of – what feels like– a Neanderthal with a wooden cudgel. My tools are these:
Okay not exactly a cudgel, but…
…the other side has a whole bunch of developers that get paid for thinking of ways to distinguish a CD-R copy from a pressed original and they have huge and precise mastering and pressing equipment which is so forbiddingly expensive that I can't even think about getting something like this.
Now let's see: I myself can't develop any solutions. My skill and knowledge levels are just too low. But I can patiently read (and did!) and use what smart people have already created. In the case of angle/density/timing based CD copy protection, this is the twin sectors method¹. Originally this was created for approximating the lower data density in some parts of the disc (visible as characteristic spikes in the angle sizes on DPM graphs). If you want to see it yourself: Search terms are "TwinPeak" and "SecuROM". There is a Twin Creator within "A-Ray" copy protection scanner (under options) as well as in "Alcoholer" if you find those old tools.
The Twin Peak tool (or Twin Creator) won't do anything with other geometry based systems as it is made for inserting lots and lots of twin sectors into specific spots (provided by a DPM measurement file). ProtectDISC, CD-COPS or StarForce CDs don't have these spikes.
Writing various images to CD-RW
========================================
A so-called 1:1 copy² of the original disc is reliably detected as illegitimate because the density on a normal 80min/700MB CD-R(W) is higher than on the original (shown by smaller values for the angles for each sector). In this case the deviation is about 1.5% – This means we can decrease data density with the twin sector method. This is a very heavy-handed and imprecise method, but it is all we can do (at least as far as I know). Inserting a twin sector every 100 sectors gave the following result: (Second picture random part zoomed in)
Better. But not good enough. Anybody reading this must be thinking: "Sinchen is pretty stupid! Can't she do basic calculations? To decrease the density by about 1.5%, she has to insert twins every 66 or 67 sectors – not 100. Far better approximation." Yes and no. Theoretically this is true. In practice it is not that easy. Inserting the same sector into a CD twice is fully transparent to the OS – but only as long as the drive ignores the nonsense we present it with this method. Not all drives handle this situation the same way. Some continue pretty normal, some struggle with this or even error out.
The more twins one inserts, the more likely the drive will struggle and stutter. The actual data on the disc might become unreadable (even if a protection module is satisfied with the timings produced).
I've had my first success with a step of 83 sectors yesterday on CD-RW. One of the four drives produced good enough timings for the game to start without legit CD and without RMPS emulation. Getting a DPM analysis of the CD-RW wasn't possible. DPM scanners all aborted and/or produced nonsensical values. Generally CD-R are easier to read for most drives compared to their rewritable counterparts – thanks to higher contrast. The better/faster readability somewhat compensates the problems I had yesterday: A CD-R copy with a step of 66 sectors starts in all four optical drives connected to the Windows XP computer (one very slow, almost two minutes detection, but eventually it succeeded). DPM analysis was very hard to get (multiple attempts, bad quality especially the nonsensical values at the beginning of the disc). Nevertheless I'll share the picture. It wouldn't be very honest to keep quiet about unpleasant results:
Ignoring the beginning (where the actual game data is – the rest of the disc is filled with several hundred MB of 0xFF), we can clearly see that the blue line frequently overlaps with the red (legit disc). Combined with the fact that ProtectDISC doesn't do a complete DPM measurement on each start (that would take far tooooo long) but only checks a few sectors, this copy is good enough to pass. I guess it passes just because of tolerances (unknown PCs, unknown setup, hundreds of different drive models, worn drives, anti-malware doing whatever in the background, scratched legit discs…)
Results:
==========
The game starts in four out of four drives. So will I simply declare victory and madly beat my chest like Donkey Kong? Tempting, but no. Can't do this. ProtectDISC still has one ace up it's sleeve: The one thing that cannot be hidden without helper software: The ATIP check. I consider this to be like a cheatsheet in class, but many disc based protections (ab)used the ATIP feature to reveal CD-R(W). At the beginning this wasn't a big deal as read-only CD/DVD drives cannot get this data. Back in 2001 to 2003 many desktop PCs had a reader additionally to the writer… or no writer at all. If you were interested in backing up your expensive games, you better invested into a secondary reader back then.
Lauras Vorschule 2 is from 2006… at this point dedicated readers became increasingly rare and the ATIP check became a serious additional line of defense against end user copies (obviously not against professional pirates pressing their bootlegs). Emulators and ATIP hiders played the usual cat and mouse game with the DRM makers and their blacklist.
I have dedicated readers and my copy is accepted as legit CD without any form of emulation.
I haven't lost this fight, but not fully won either. There is much room for improvement and tweaking to make the copy better.
If anybody got through this: Thanks for reading!
I'm planing doing a more detailed (and hopefully better) writeup of this as PDF file. If I manage to take a video, I'll do that as well.
__________________________________
¹ Writes the exact same data for one sector, including sector number, twice. This isn't specified in the CD standard. Normally each sector number must be unique on a CD
² 1:1 Copy is often considered to be what one wants to achieve. Copying all user data 1:1 isn't always sufficient to fool a CD protection. You shouldn't ask if a 1:1 copy is possible. You should ask if a working copy is possible.
EDIT:
The method has more potential than I initially thought. There is room for improvement, but a lot of tests have to be done. And I'll have to learn a bit more C in order to write the program.
A few finished tests: (Some other drives also passed the check. The newest is from 2017). More to come when I do the full writeup. That will be weeks (at minimum!)
Disclaimers:
The information below comes without any warranty. This blog entry is solely for entertainment and educational purposes. (But I can't even guarantee any entertainment and/or educational value – my intention is to be entertaining and/or educational here.)
This blog entry must not be used for illegal activities!
I have zero interest in obtaining illegal software copies myself, but playing around with DRM garbage is fun.
===================
To my knowledge nobody yet shared a method of successfully copying a (newer) ProtectDISC CD that doesn't rely on emulation.
So I'll present my findings here.
Since the previous blog entry about ProtectDISC last year I've learned a bit about the disc based DRM schemes used in the past (as well as optical media in general). Latest Alcohol 120% is successful in hiding itself so ProtectDISC doesn't find it. My problems last year was the old Windows installation containing ??? whatever ??? ProtectDISC didn't like. The paranoid thing was convinced to find emulators everywhere, even if there are none (occasionally it still does this). A clean Windows XP installation on an empty HDD got rid of most of the problems.
My opinion on ProtectDISC is clear: It is worse than most other disc based DRM. Being internationally way more successful SafeDisc, SecuROM and StarForce got all the fame for being a pain in the a.. – while this German phenomenon flew mostly under the radar. The paranoid disc emulator and debugger detection (seriously: Process Explorer is blacklisted) put ProtectDISC on a high position on the highscore list for being nerve-wrecking and intrusive for the paying customer
"Error on checking the CD or DVD: The disc could not be identified as a valid original. Please insert the original CD or DVD and restart the program.
Emulator active: info…" (clickable link)
"Please start the system without debugger"
Emulating the protection isn't hard for the end user anymore (unless the protection sees emulators which can happen without having ever used one while trying the legit CD). Still… having dodgy software installed (yes, my XP machine is offline) isn't my preferred way of handling stuff. I wouldn't want to advise parents to install Alcohol 120% or Daemon Tools in order to have their children play games without the risk of ruining original CDs. Cracks for unknown kiddie (niche) software aren't available (and I wouldn't recommend using cracks on online, productive machines either).
My opinion on ProtectDISC is clear: It is worse than most other disc based DRM. Being internationally way more successful SafeDisc, SecuROM and StarForce got all the fame for being a pain in the a.. – while this German phenomenon flew mostly under the radar. The paranoid disc emulator and debugger detection (seriously: Process Explorer is blacklisted) put ProtectDISC on a high position on the highscore list for being nerve-wrecking and intrusive for the paying customer
"Error on checking the CD or DVD: The disc could not be identified as a valid original. Please insert the original CD or DVD and restart the program.
Emulator active: info…" (clickable link)
"Please start the system without debugger"
Enough with the preliminaries! Let's go!
================================================
The conditions for the "fight" aren't exactly fair. I'm a single person with the mental capacity and computer skills of – what feels like– a Neanderthal with a wooden cudgel. My tools are these:
Okay not exactly a cudgel, but…
…the other side has a whole bunch of developers that get paid for thinking of ways to distinguish a CD-R copy from a pressed original and they have huge and precise mastering and pressing equipment which is so forbiddingly expensive that I can't even think about getting something like this.
Now let's see: I myself can't develop any solutions. My skill and knowledge levels are just too low. But I can patiently read (and did!) and use what smart people have already created. In the case of angle/density/timing based CD copy protection, this is the twin sectors method¹. Originally this was created for approximating the lower data density in some parts of the disc (visible as characteristic spikes in the angle sizes on DPM graphs). If you want to see it yourself: Search terms are "TwinPeak" and "SecuROM". There is a Twin Creator within "A-Ray" copy protection scanner (under options) as well as in "Alcoholer" if you find those old tools.
The Twin Peak tool (or Twin Creator) won't do anything with other geometry based systems as it is made for inserting lots and lots of twin sectors into specific spots (provided by a DPM measurement file). ProtectDISC, CD-COPS or StarForce CDs don't have these spikes.
Writing various images to CD-RW
========================================
A so-called 1:1 copy² of the original disc is reliably detected as illegitimate because the density on a normal 80min/700MB CD-R(W) is higher than on the original (shown by smaller values for the angles for each sector). In this case the deviation is about 1.5% – This means we can decrease data density with the twin sector method. This is a very heavy-handed and imprecise method, but it is all we can do (at least as far as I know). Inserting a twin sector every 100 sectors gave the following result: (Second picture random part zoomed in)
Better. But not good enough. Anybody reading this must be thinking: "Sinchen is pretty stupid! Can't she do basic calculations? To decrease the density by about 1.5%, she has to insert twins every 66 or 67 sectors – not 100. Far better approximation." Yes and no. Theoretically this is true. In practice it is not that easy. Inserting the same sector into a CD twice is fully transparent to the OS – but only as long as the drive ignores the nonsense we present it with this method. Not all drives handle this situation the same way. Some continue pretty normal, some struggle with this or even error out.
The more twins one inserts, the more likely the drive will struggle and stutter. The actual data on the disc might become unreadable (even if a protection module is satisfied with the timings produced).
I've had my first success with a step of 83 sectors yesterday on CD-RW. One of the four drives produced good enough timings for the game to start without legit CD and without RMPS emulation. Getting a DPM analysis of the CD-RW wasn't possible. DPM scanners all aborted and/or produced nonsensical values. Generally CD-R are easier to read for most drives compared to their rewritable counterparts – thanks to higher contrast. The better/faster readability somewhat compensates the problems I had yesterday: A CD-R copy with a step of 66 sectors starts in all four optical drives connected to the Windows XP computer (one very slow, almost two minutes detection, but eventually it succeeded). DPM analysis was very hard to get (multiple attempts, bad quality especially the nonsensical values at the beginning of the disc). Nevertheless I'll share the picture. It wouldn't be very honest to keep quiet about unpleasant results:
Ignoring the beginning (where the actual game data is – the rest of the disc is filled with several hundred MB of 0xFF), we can clearly see that the blue line frequently overlaps with the red (legit disc). Combined with the fact that ProtectDISC doesn't do a complete DPM measurement on each start (that would take far tooooo long) but only checks a few sectors, this copy is good enough to pass. I guess it passes just because of tolerances (unknown PCs, unknown setup, hundreds of different drive models, worn drives, anti-malware doing whatever in the background, scratched legit discs…)
Results:
==========
The game starts in four out of four drives. So will I simply declare victory and madly beat my chest like Donkey Kong? Tempting, but no. Can't do this. ProtectDISC still has one ace up it's sleeve: The one thing that cannot be hidden without helper software: The ATIP check. I consider this to be like a cheatsheet in class, but many disc based protections (ab)used the ATIP feature to reveal CD-R(W). At the beginning this wasn't a big deal as read-only CD/DVD drives cannot get this data. Back in 2001 to 2003 many desktop PCs had a reader additionally to the writer… or no writer at all. If you were interested in backing up your expensive games, you better invested into a secondary reader back then.
Lauras Vorschule 2 is from 2006… at this point dedicated readers became increasingly rare and the ATIP check became a serious additional line of defense against end user copies (obviously not against professional pirates pressing their bootlegs). Emulators and ATIP hiders played the usual cat and mouse game with the DRM makers and their blacklist.
I have dedicated readers and my copy is accepted as legit CD without any form of emulation.
I haven't lost this fight, but not fully won either. There is much room for improvement and tweaking to make the copy better.
If anybody got through this: Thanks for reading!
I'm planing doing a more detailed (and hopefully better) writeup of this as PDF file. If I manage to take a video, I'll do that as well.
__________________________________
¹ Writes the exact same data for one sector, including sector number, twice. This isn't specified in the CD standard. Normally each sector number must be unique on a CD
² 1:1 Copy is often considered to be what one wants to achieve. Copying all user data 1:1 isn't always sufficient to fool a CD protection. You shouldn't ask if a 1:1 copy is possible. You should ask if a working copy is possible.
EDIT:
The method has more potential than I initially thought. There is room for improvement, but a lot of tests have to be done. And I'll have to learn a bit more C in order to write the program.
A few finished tests: (Some other drives also passed the check. The newest is from 2017). More to come when I do the full writeup. That will be weeks (at minimum!)
