1. A new CD
I've already posted quite a few entries about CDs infected with DRM garbage. Nevertheless I took the opportunity and bought a pile of nonsense CD/DVD/BD in the 1€ shop (actually it is now the 1.10€ shop since they increased the price). Mostly it was mediocre audio books. But one thing in particular caught my interest. Learning software, 5th grade math. It was well worth 1.10€ for the fun I had with it (and it differs from all the others enough to mention it in a separate entry). Please bear with me. My grandmother can now finally rest in peace. Lots and lots of bureaucracy to come for me. I had to distract myself a bit, so I did this yesterday and wrote this blog entry today.
The shiny surface of the CD immediately revealed that something interesting was on there: A visible ring! (I will try to take a picture of this when I have better daylight – my camera sucks.) Such a ring is almost always a sign of DRM garbage – bad sectors en masse. It is literally a copy protection. A protection against copying. It tries to stop a copier dead in its tracks with several thousand bad sectors. Depending on the reading drive, skipping over such a sector can take about 10 to 30 seconds. I hope you have patience… It can take days and wear down your drive.
Edit:
I completely forgot to ever upload a picture… and nobody ever complained. That is how unimportant such a blog is.
===============
Well, none of the protection scanners (ProtectionID for example) found anything – neither on the disc nor on the installation directory. Such a result usually means the developer/publisher didn't buy any commercial DRM solution but implemented one themselves. You shouldn't do that… implementing a protection correctly is hard. In this case they did everything wrong (my opinion).
There are a few protections out there (Laserlock, Ring Protech/ProRing for example) that use visible rings of bad sectors as a marking for the legit disc. To counter the tedious, boring, drive-wearing copying process, Alcohol 120% offers a semi-intelligent solution. If it encounters a certain number (five or six) of bad sectors in a row, it skips over the next 500 sectors and tests if the read errors have ended (else it skips another 500 sectors). If the read errors ended, it goes back again to locate the exact position where good sectors start again. Enough talk. Let's see what we got with some screenshots:
2. Trying to copy the CD
Without a CD or with a naive (bad) copy I got:
So I fired up Alcohol 120% and selected the Ring Protech+ profile. It took little more than 15 minutes to create an image of the disc. That was easy and fast. But it didn't work:
3. Where is the issue?
That was a depressing but expected result. The program is from the year 2009 and the edition has a 2011 printed on it somewhere. I expected them to prevent Alcohol 120% from simply pulling a working image and started pondering what the program was looking for. I'm not a reverse engineer and never will be one. I still wanted to play detective and started IDA Free to see what I got. Seems no obfuscation was used. A clear graph and it ran normally with the debugger active. Seems no anti-debug or anti-crack is present. Then I opened the folder and found a suspicious file: ALW.ex_
CD-Cops uses the same method. A tiny checking program does the CD-check and decrypts/unwraps the main program on success. To my surprise the main program doesn't seem to be encrypted. I guess it just expects a parameter to start correctly. It does start without parameter (which an encrypted EXE certainly won't) – but terminates right away:
Okay, that is pathetic DRM. Not even encrypted. And it still beat Alcohol 120%… now what? I bet a reverse engineer could crack it. I can't. So I had to find out what it was looking for. Maybe it was DPM (Data Position Measurement)? That would be extremely clever! All DPM scanners (Alcohol, Daemon Tools, Blindwrite) fail to create DPM data of a CD containing read errors. The time (almost none) the check takes to authenticate the legit discs speaks against DPM. Measuring density or angles (seek times) takes time. Even the Tagés trick (twin sectors) takes some seconds for the check.
4. Solution
I was clearly overthinking this and overestimating their abilities. Seems these DRM programmers were on the same beginner level as I am – a user. Alcohol 120% identified the bad sector ranges with these numbers:
236025-236549
242851-251825
But the first range was wrong. The jump of 500 sectors went over a small good range in between – landing in bad sectors again. This led to omitting some valid sectors and those must contain the needed information. It seems they did that on purpose. They chose values intentionally to make Alcohol miss the target. Simply turning the jump range down to only 100 sectors made Alcohol 120% find the small intact portion at the cost of a little longer dumping time. Other dumpers without a sector jump should eventually lead to a valid image as well, but I don't have the patience to test this.
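The skip-ahead behaviour described above can be reproduced on a simulated sector map. This is an added example, not code from the original post or from Alcohol 120%: the position and width of the readable island, the threshold of five and the function names are all assumptions made for illustration.

```python
# Constructed model of the disc region from the post. The outer bad range is the
# one Alcohol 120% reported; the readable island inside it is an assumption,
# because the post gives neither its position nor its width.
ISLAND = range(236300, 236341)

def is_bad(sector):
    """True if reading this simulated sector returns an error."""
    return 236025 <= sector <= 236549 and sector not in ISLAND

def dump_bad_ranges(is_bad, first, last, skip, threshold=5):
    """Bad ranges a skip-ahead imager reports for sectors first..last."""
    ranges, pos, run = [], first, 0
    while pos <= last:
        if not is_bad(pos):
            run, pos = 0, pos + 1
            continue
        run += 1
        if run < threshold:          # short error runs are still read one by one
            pos += 1
            continue
        start = pos - threshold + 1  # first sector of this error run
        probe = pos
        while probe <= last and is_bad(probe):
            probe += skip            # jump ahead and test a single sector
        probe = min(probe, last + 1)
        # Walk back from the good probe to the first good sector after the run.
        while probe - 1 > pos and not is_bad(probe - 1):
            probe -= 1
        ranges.append((start, probe - 1))  # reported as bad without being read
        pos, run = probe, 0
    return ranges

def lost_sectors(is_bad, ranges):
    """Readable sectors that ended up inside a range written off as bad."""
    return sum(1 for a, b in ranges for s in range(a, b + 1) if not is_bad(s))

if __name__ == "__main__":
    for skip in (500, 100):
        found = dump_bad_ranges(is_bad, 236000, 237100, skip)
        print(skip, found, lost_sectors(is_bad, found))
```

A probe only finds an island it happens to land in, so a smaller jump narrows the blind spot without removing it; only reading every sector guarantees that no readable data is written off.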
The resulting image works in virtual drives as well as from CD-RW. No ATIP check, no DPM, no twin sectors, no anti-emulation, nothing. Boy, I surely overestimated them. Security by obscurity at its worst! Once you have the disc dumped it can be successfully burned in RAW mode.
I now successfully backed up another children's program I don't need. It can now be used on computers without optical drive.