More than 15 years ago I was playing around with those garbage CDs. You know those PC games that required their original, some kind of non-standard, CD in the drive for starting up. Since having installed my very own PsNee in one of my PS1 consoles I started revisiting the topic "copy protected CDs" in general. As the methods got increasingly invasive and annoying I stopped buying PC games (and to this day buy only DRM free games for PC).
But the other side was aware of this and certainly not dumb. They came up with an idea¹ which certainly was more effective than hard(?) to replicate data that might even violate the CD standards: They altered the physical structure or density of the sectors across the disc. SecuRom New 4 and newer did it. I think many other protection schemes did it as well. I never fully understood how this works. What I think is by in/decreasing sector density, the data gets read with different speed at constant disc rotation speed (this is also the case when comparing inside and outside the disc of course -- but here it would change more extreme at areas right next to each other). Reading the actual data from the disc is possible as long as the deviations in density stay within some tolerances. The drive doesn't go to full speed though (between 8x and 16x CD in my test today) Better than only talking about it, here is a picture of the density on my legit You Don't Know Jack 4 (German) disc:
That is certainly not a picuture how the amount of data in each part of the spiral track increases from the inside to the outside.
Write the RAW image to CD-R and you will get a smooth graphic (see edit below). There is no way to write more or less sectors in a part of a CD-R. No way of making sectors smaller or larger. All the protection module has to do is put the drive on slower rotation, read some reference sectors on the disc and compare the read times for those sectors. On the legit disc they will show a characteristic deviation that won't be there on CD-R. Alcohol 120% (and others) are able to read these characteristics from the legit disc and note them in an extra part of the image. In virtual drives they can easily spoof the desired timings. They can also include this data in a hidden part on CD-R, but those backups always require the presence of the emulating software. In the last iterations of CD/DVD based DRM they included a blacklist of applications that must not be installed to prevent being fooled by emulators. Hide the emulator... Classic cat and mouse game.
You won't be able to make working copies that don't require the presence of a (possibly blacklisted) emulator. "Game Over" for Clone CD and similar. This is what I thought. The solution for this is writing some sector (numbers) twice. This clearly violates the CD standards, but you can mimic the variable density this way -- at least approximate it. The copy created this way may show read errors when trying to access the actual data (install the game). But since the protection module has to be a little lenient when doing the check -- many factors can make the measurements inaccurate (CPU background load, bad reader, scratches,...) -- this approximation can be good enough. Success depends on the reading drive.
In my Windows XP test and gaming PC only one of the three optical drives succeeded in reading at the desired timing.
I now have successfully created a working backup of my "You Don't Know Jack 4" game (bought in 2004) on CD-R. A little late.
Anybody got this far? Thanks for reading.
Edit:
It took longer than expected. Got a coaster and DPM measurement with Alcohol 120% on burned media takes forever. Never tried that before and certainly not back when I bought protected PC games. Here the two results from a naive, alleged 1:1 RAW clone copy, and the special twin sector copy -- each one compared to the legit disc.
This shows that a normal CD-R copy has virtually no distinct spots with big deviations. Although the twin sector copy goes absolutely nuts with the density, this very rough approximation of the original pattern is enough to satisfy SecuRom New 4.8 with one drive.
Interesting is, that SecuRom did a silent exit when trying to load the game with the standard copy with whatever drive. Trying to start the twin sector copy on the two other drives made SecuRom check the CD for about a minute. Then it gave an error like this (not a quote): "Could not verify original CD within the time limit. [Abort] [Retry]". Seems the protection module is completely sure about the simple copy being illegitimate, but unsure about the twin sector thing.
____________________________
¹ Other protections used physical structure / geometry (or whatever one wants to call it) of the disc before (CD-Cops). But they were not as widely used.
The wobble thing on PS1 discs is surprisingly effective at preventing attempts of producing backups that an unmodified console will accept (with this I also mean temporary modification with the nocash unlock).
For PC games the same can't be said for widely used protections. Despite the marketing brochures by Macrovision (SafeDisc) and Sony (SecuRom) promising game publishers top-notch protection against illegal copies, their early copy protection schemes were easily defeated by the famous Clone CD software (and even generic cracks or decrypters exist that can remove the disc check from all games using those protections). And many games did use them. If you got unlucky in the sense your CD reader did not support fast skipping of bad sectors, creating an image of a SafeDisc 1 protected game really tested your patience with the thousands of intentionally bad sectors. Once the image was on your HDD you could have CloneCD mass produce copies if you wanted. Early SecuRom protections had some kind of garbage data in the sub channel. The ability to write those in RAW-DAO+SUB96 mode was a hit or miss. Either your writer could -- or not. Having a good reader and writer you could create working backup copies of your games and put the precious originals away.
It seemed that customers with legitimate interest in having backups as well as "pirates" had won.
Macrovision improved their SafeDisc with better encryption (harder to develop generic cracks) as well as their discs. SafeDisc 2 used so-called weak sectors and most burners did not succeed at writing them. They also used a cheap trick: Loading the ATIP data. If there is ATIP data saying CD-R, it can't be the legit CD-ROM. But this was more or less a non-issue at the time because CD readers could not even get this information and many PCs had a drive only capable of reading additionally to the writer (if a writer at all when going back in time further).
Whatever mad markings copy protection engineers included, it seemed Clone CD, Alcohol 120%, Blindread/Blindwrite and the like would simply make 1:1 clone copies rendering the markings useless as protection. No need for CD emulation, no need for cracks. Read, write, put original aside and use the backup copy.
For PC games the same can't be said for widely used protections. Despite the marketing brochures by Macrovision (SafeDisc) and Sony (SecuRom) promising game publishers top-notch protection against illegal copies, their early copy protection schemes were easily defeated by the famous Clone CD software (and even generic cracks or decrypters exist that can remove the disc check from all games using those protections). And many games did use them. If you got unlucky in the sense your CD reader did not support fast skipping of bad sectors, creating an image of a SafeDisc 1 protected game really tested your patience with the thousands of intentionally bad sectors. Once the image was on your HDD you could have CloneCD mass produce copies if you wanted. Early SecuRom protections had some kind of garbage data in the sub channel. The ability to write those in RAW-DAO+SUB96 mode was a hit or miss. Either your writer could -- or not. Having a good reader and writer you could create working backup copies of your games and put the precious originals away.
It seemed that customers with legitimate interest in having backups as well as "pirates" had won.
Macrovision improved their SafeDisc with better encryption (harder to develop generic cracks) as well as their discs. SafeDisc 2 used so-called weak sectors and most burners did not succeed at writing them. They also used a cheap trick: Loading the ATIP data. If there is ATIP data saying CD-R, it can't be the legit CD-ROM. But this was more or less a non-issue at the time because CD readers could not even get this information and many PCs had a drive only capable of reading additionally to the writer (if a writer at all when going back in time further).
Whatever mad markings copy protection engineers included, it seemed Clone CD, Alcohol 120%, Blindread/Blindwrite and the like would simply make 1:1 clone copies rendering the markings useless as protection. No need for CD emulation, no need for cracks. Read, write, put original aside and use the backup copy.
But the other side was aware of this and certainly not dumb. They came up with an idea¹ which certainly was more effective than hard(?) to replicate data that might even violate the CD standards: They altered the physical structure or density of the sectors across the disc. SecuRom New 4 and newer did it. I think many other protection schemes did it as well. I never fully understood how this works. What I think is by in/decreasing sector density, the data gets read with different speed at constant disc rotation speed (this is also the case when comparing inside and outside the disc of course -- but here it would change more extreme at areas right next to each other). Reading the actual data from the disc is possible as long as the deviations in density stay within some tolerances. The drive doesn't go to full speed though (between 8x and 16x CD in my test today) Better than only talking about it, here is a picture of the density on my legit You Don't Know Jack 4 (German) disc:
That is certainly not a picuture how the amount of data in each part of the spiral track increases from the inside to the outside.
Write the RAW image to CD-R and you will get a smooth graphic (see edit below). There is no way to write more or less sectors in a part of a CD-R. No way of making sectors smaller or larger. All the protection module has to do is put the drive on slower rotation, read some reference sectors on the disc and compare the read times for those sectors. On the legit disc they will show a characteristic deviation that won't be there on CD-R. Alcohol 120% (and others) are able to read these characteristics from the legit disc and note them in an extra part of the image. In virtual drives they can easily spoof the desired timings. They can also include this data in a hidden part on CD-R, but those backups always require the presence of the emulating software. In the last iterations of CD/DVD based DRM they included a blacklist of applications that must not be installed to prevent being fooled by emulators. Hide the emulator... Classic cat and mouse game.
You won't be able to make working copies that don't require the presence of a (possibly blacklisted) emulator. "Game Over" for Clone CD and similar. This is what I thought. The solution for this is writing some sector (numbers) twice. This clearly violates the CD standards, but you can mimic the variable density this way -- at least approximate it. The copy created this way may show read errors when trying to access the actual data (install the game). But since the protection module has to be a little lenient when doing the check -- many factors can make the measurements inaccurate (CPU background load, bad reader, scratches,...) -- this approximation can be good enough. Success depends on the reading drive.
In my Windows XP test and gaming PC only one of the three optical drives succeeded in reading at the desired timing.
I now have successfully created a working backup of my "You Don't Know Jack 4" game (bought in 2004) on CD-R. A little late.
Anybody got this far? Thanks for reading.
Edit:
It took longer than expected. Got a coaster and DPM measurement with Alcohol 120% on burned media takes forever. Never tried that before and certainly not back when I bought protected PC games. Here the two results from a naive, alleged 1:1 RAW clone copy, and the special twin sector copy -- each one compared to the legit disc.
This shows that a normal CD-R copy has virtually no distinct spots with big deviations. Although the twin sector copy goes absolutely nuts with the density, this very rough approximation of the original pattern is enough to satisfy SecuRom New 4.8 with one drive.
Interesting is, that SecuRom did a silent exit when trying to load the game with the standard copy with whatever drive. Trying to start the twin sector copy on the two other drives made SecuRom check the CD for about a minute. Then it gave an error like this (not a quote): "Could not verify original CD within the time limit. [Abort] [Retry]". Seems the protection module is completely sure about the simple copy being illegitimate, but unsure about the twin sector thing.
____________________________
¹ Other protections used physical structure / geometry (or whatever one wants to call it) of the disc before (CD-Cops). But they were not as widely used.
