Introducing DiscCheckEmu (DCE)

[Kwyjor]

the exact ISBN of the target game

Do games have ISBNs..? It's certainly not something written on the CDs. You'd be better off with the CRC32 of the executable, or something.

Uhm, IIRC _inmm.dll is for audio playback, am I wrong?

It's related in that it allows you to play a disc-based game without having to mount the disc on a virtual drive.

 

[Luca91]

Do games have ISBNs..? It's certainly not something written on the CDs. You'd be better off with the CRC32 of the executable, or something.

Yes, it is written on the back of every game case. Most of the time bottom-right.

EDIT: crc32 works too

It's related in that it allows you to play a disc-based game without having to mount the disc on a virtual drive.

Quoting PCGamingWiki:

"_inmm.dll is a patch program that tweaks a CD-only game to play any kind of song you like (MIDI, MP3, another CD, etc.).
If you convert CD music to MP3 and put it on the HDD, you can enjoy the game with music without having to bother to insert the CD (if there is no CD check)."

Uhm, are you sure we are talking about the same dll? :/

 

[Kwyjor]

Yes, it is written on the back of every game case. Most of the time bottom-right.

I checked a bunch of my jewel cases, and none of them have something like that..? I figured only books my definition would have an ISBN.

Uhm, are you sure we are talking about the same dll? :/

I guess the connection isn't as obvious to you as it is to me.

 

[KleinesSinchen]

I figured only books my definition would have an ISBN.

It is the EAN/IAN code then.

 

[Luca91]

It is the EAN/IAN code then.

Yes, sorry for the confusion, I used the wrong term. But anyway the point is that both CRC32 (of the main exe) and EAN/IAN (mistakenly labeled as ISBN by me) should be ok to guarantee that the binary is indeed the intended target.

Post automatically merged: Mar 9, 2024

Many user asked for a central repository where to share or just grab pre-made DCEConfig file.
I decied to do it.

Here is the official DCEConfig repository: https://github.com/Luca1991/DCEConfigs

 

[Luca91]

I've got bitpool drm successfully emulated Next version will support bitpool protected games

 

[KleinesSinchen]

bitpool drm successfully emulated

Can you give me an example what games came with this? Searching Bitpool online gave the GitHub page of BinaryObjectScanner and some dumping comments on ReDump wiki but nothing else at first glance.

Some of these generic "bad sectors" things seem to be more a minor dumping protection than anything else. Often enough it seems the presence of the bad sectors isn't even checked. The bad sector protections are more of academic value and provide almost no security anyway. While a CD burner technically can't properly create real bad sectors, it is easy enough to fill EDC/ECC with garbage to simulate read errors or even do some smarter approaches, which will include a delay before error like a real bad sector.

A title worth trying might be "Dungeon Siege II" containing the lesser known SMARTE. All I could find on CD 1 are ten bad sectors, which seem to do nothing (have to verify this again). This is one of the titles where I failed at creating a copy that is *not* accepted. Oddly enough Dungeon Siege II has an add-on CD (Broken World) available, which is heavily protected with SecuROM v7.x → What a sharp contrast!

 

[Luca91]

Can you give me an example what games came with this? Searching Bitpool online gave the GitHub page of BinaryObjectScanner and some dumping comments on ReDump wiki but nothing else at first glance.

Mercedes-Benz Truck Racing. I have the German version, purchased last year on ebay, in the hope of getting the version protected by ProtectCD (a DRM I was interested in), but instead I received this one protected by Bitool. Barcode: 4012160340106. I was aware that the game was german-only, but I didn't care because I was buying it just for ProtectCD.

Some of these generic "bad sectors" things seem to be more a minor dumping protection than anything else. Often enough it seems the presence of the bad sectors isn't even checked. The bad sector protections are more of academic value and provide almost no security anyway. While a CD burner technically can't properly create real bad sectors, it is easy enough to fill EDC/ECC with garbage to simulate read errors or even do some smarter approaches, which will include a delay before error like a real bad sector.

You are 100% correct. Bitpool is a passive DRM. It uses actual game data and assets loaded directly from the disc. These files can't be copied by just using explorer (crc errors). Furthermore, the file sizes are completely wrong. Another interesting thing about this DRM is that it checks file attributes in order to determine if the file was moved to the HDD or is still in the cd-rom.
Also, on the disc surface there is ring. Another interesting thing: if the GetDiskFreeSpaceA check fails, the game silently continues to run until you leave the main menu, after which it crashes.

A title worth trying might be "Dungeon Siege II" containing the lesser known SMARTE. All I could find on CD 1 are ten bad sectors, which seem to do nothing (have to verify this again). This is one of the titles where I failed at creating a copy that is *not* accepted. Oddly enough Dungeon Siege II has an add-on CD (Broken World) available, which is heavily protected with SecuROM v7.x → What a sharp contrast!

Noted, thanks. I'll try to find a cheap second hand copy on ebay/vinted. Thanks.

 

[KleinesSinchen]

protected by ProtectCD

Could be the first release in big cardboard box. But… nah… too expensive. Will try to hunt down the (cheaper) Bitpool version.

I know it is off-topic, but I just have to: Please be careful with ProctetDISC drivers, especially on newer Windows.


ProtectDISC as such is not so much off-topic as later v6.x and all above that of the CD version might be within range of DiscCheckEmu. It doesn't do much but checking read timings on sectors near the outer end of the CD. All newer ProtectDISC CDs have the same size (or two very similar sizes, mostly 348300 sectors). The unoccupied space had been filled up with 0x00. In many cases the read timings based check is done in the zeroes-area, which would make a spoofed answer to a read CD command or similar very easy: Return 2048 bytes full of zeroes for each sector.
What seems an embarrassing programming error to me, allows to forget everything related to providing accurate timings. Just delivering data ===A LOT ==> faster than any optical drive could ever do, it is enough to fool the check.

Since we are on a gaming and mostly Nintendo related site: Reminds of the missing check in Super Mario 64 for Marios speed variable into the negative direction, which is allowing backwards long jump in a way breaking the game to pieces in awesome TAS movies.

===============

For the DVD version, at least the earlier instances, a single command might do the trick:
Unterschiede bei der DVD-Version – Test mit "Bus Hound" (Free Edition).

SCSI Operation Command 0xAD with format field 0x01h delivers for original:
ad 00 00 00 00 00 00 01 READ DVD STRUCT 29us 00 06 00 00 01 00 00 00 ........ 1.4ms --------------------↑↑----------------------

For DVD±R(W)
ad 00 00 00 00 00 00 01 READ DVD STRUCT 29us 00 06 00 00 00 00 00 00 ........ 1.4ms --------------------↑↑----------------------

For CD-R (Ja, two of ProtectDISC DVD fit on overburned CD)
ad 00 00 00 00 00 00 01 READ DVD STRUCT 28us 00 00 00 00 00 00 00 00 ........ 1.5ms 70 00 05 00 00 00 00 0a illegal request 2us


I've been pondering if there was an easy possibility to make a DVD drive (firmware modification) always return the 01 at the marked position – no matter if the inserted DVD has CSS flag set or nor. Not entirely sure, but it would be possible, that simply spoofing that flag on drive level would bear earlier ProtectDISC DVD.

 

[Luca91]

Could be the first release in big cardboard box.

It is possible. If you look closely at the CD pic, the ring that is on mine is missing.

I know it is off-topic, but I just have to: Please be careful with ProctetDISC drivers, especially on newer Windows.

Don't worry, I have a set of VMs for reverse engineering old DRMs and malware (like the one I used in my techincal papers).

ProtectDISC as such is not so much off-topic as later v6.x and all above that of the CD version might be within range of DiscCheckEmu. It doesn't do much but checking read timings on sectors near the outer end of the CD. All newer ProtectDISC CDs have the same size (or two very similar sizes, mostly 348300 sectors). The unoccupied space had been filled up with 0x00. In many cases the read timings based check is done in the zeroes-area, which would make a spoofed answer to a read CD command or similar very easy: Return 2048 bytes full of zeroes for each sector.
What seems an embarrassing programming error to me, allows to forget everything related to providing accurate timings. Just delivering data ===A LOT ==> faster than any optical drive could ever do, it is enough to fool the check.

Interesting, thank you very much for sharing these info! Now I'm just missing a game protected by ProtectCD.

For the DVD version, at least the earlier instances, a single command might do the trick:
Unterschiede bei der DVD-Version – Test mit "Bus Hound" (Free Edition).

I still have the Mata Hari game I purchased on Amazon some years ago. I know it is protected by ProtectDisc (DVD), but I haven't analyzed it yet. Anyway it is good to know this trick!

I've been pondering if there was an easy possibility to make a DVD drive (firmware modification) always return the 01 at the marked position – no matter if the inserted DVD has CSS flag set or nor. Not entirely sure, but it would be possible, that simply spoofing that flag on drive level would bear earlier ProtectDISC DVD.

I'm not an expert about dvd drive firmware (I find the topic interesting tho), so I might be extremely wrong, but maybe you don't need a custom firmware to do this. Depending how the driver get access to the buffer, it might be possible to modify it before it is passed to other OS components.
Again, I'm not sure about this as I know very little about it

A title worth trying might be "Dungeon Siege II" containing the lesser known SMARTE.

I did some research and found some claims that SMARTE is actually an "active" DRM and a sort of "lite versione of Safedisc". Interesting. Also I've read that it misleads users of burn copies that everything works up until a certain point where they are asked to purchase a legitimate version of the game. Dunno if this is actually correct or accurate. I'll try to purchase that game and try it

 

[Luca91]

DiscCheckEmu v0.2.1 is now available to download.

Changelog:

v0.2.1
### Added
* "/WX" flag in debug builds

### Fixed
* RegQueryValueExA hook: fixed various bugs + code optimizations

v0.2.0
### Added
* FindFirstFileA hook (currently only used in file redirection)
* RegQueryValueExA hook
* DCE is now compatible with BitPool DRM!

### Changed
* Added more info on debuggers into ConfigurationDocumentation.md (thanks to @greenozon).

### Fixed
* Fixed some warnings (thanks to @greenozon).

 

[NEILYOUNG]

oh yes so cool

 

[Luca91]

DiscCheckEmu v0.3.0 is now available to download.

Changelog:

### Added
- RegEnumValueA hook
- Ability to pass parameters to the process to be created


### Changed
- API Logger (only in Debug build) is now powered by spdlog.
- Optimized hooking engine install/uninstall.
- Optimized injector code for better performance.

DCE is starting to be ready for general use by end users: the hooking engine and subset of hookable APIs are sufficient to successfully boot many many games, and thanks to recent patches, adding (and logging) more API hooks is very easy and fast.

Furthermore, DCE is now used by SafeDiscLoader: the author of this tool decided to add automatic injection of DCEAPIHook.dll to bypass disc checks present in many SafeDisc protected games.

Starting with the next release I'll focus on extra features like adding support for memory-patches (like bug fixes or hacks) and cheats.

I would like to take a moment to thank everyone who has believed in this seemingly crazy project so far, dispensing excellent advice and contributing patches, or more simply demonstrating their interest.

 

[KleinesSinchen]

Still not able to concentrate. Planning to buy a few games on Medimops. The copy of Mercedes truck racing I received turned out to not have Bitpool.

I wish I could do more. Keep up the good work.

 

[Luca91]

I wish I could do more. Keep up the good work.

Your past tests were invaluable
Please, keep your time. Health really is more important than a hobby project.

 

[Luca91]

Hey... we just reached a milestone in DCE history: IN-MEMORY PATCHES SUPPORT


DiscCheckEmu v0.4.0 is now available to download.

### Added
- Memory Patches support
- MemoryUtils

### Changed
- Reorganized project structure

Donal Duck Quak Attack DCEConfig is now updated to make the game bootable on Windows 10/11 by applying in-memory patch! (HERE)

Now DCE is more than a disc check emu

As always: special thanks to enthusiasts/end users/contributors to this CRAZY project!