SecuROM *new* 4.48.00.0004 Reverse Engineering (Technical Paper)

Hi all,
I'm back with a (hopefully) nice and interesting write-up about another copy protection of the early '00s.
This time it's the turn of SecuROM *new* 4.48.00.0004.

English: https://www.lucadamico.dev/papers/drms/securom/ArabianNights.pdf
Italian: https://www.lucadamico.dev/papers/drms/securom/ArabianNights_ITA.pdf

I wrote the Italian version about a year ago, but wasn't able to find the time to translate it into English until recently.
Special thanks to @m00k00 for doing A LOT MORE THAN JUST A REVIEW of the English version!

If you have enjoyed my other technical papers, you will surely enjoy this one too!

As usual:
Please note that you need the original game disc to follow this paper :)
Have fun and please share your binary adventures :P

See you in the next old-skool DRM!
 
Last edited by Luca91,

KleinesSinchen

As you might remember, reverse engineering goes way above my head. So this:
Have fun and please share your binary adventures :P
is out of range for me. Still trying to follow such things as well as possible.

Being interested in the actual implementation of checking disc marks/characteristics, I'll take the opportunity to ask you if it is possible to find out what exactly the protection does. Can we find out what commands are sent to the drive via ASPI/SPTI or whatever method? Same for the answers/results/return values. What data gets extracted from the CD (and how is it used)? Does it depend on the drive? It should differ when using drives from the early or mid 1990s… and SecuROM sometimes did an ATIP check on writers (later on they dropped this additional defense because of… no idea why).

This version of SecuROM is most likely still playing around with subchannel/subcode. This is what they called (probably in some marketing brochure) "Electronic fingerprint applied onto the glass master which assigns a unique number to each CD-ROM title." (Full BS-bingo in first round, I had to insert this hilarious quote).


Edit:
Please note that you need the original game disc to follow this paper :)
I've yet to encounter a SecuROM infected (sic!) game which actually requires me to use the original CD. :creep:
Seriously, I never play with the originals. They are used exactly once: For creating a copy.
 
Last edited by KleinesSinchen,

Luca91

Being interested in the actual implementation of checking disc marks/characteristics, I'll take the opportunity to ask you if it is possible to find out what exactly the protection does.
Yes, it is possible. What you are talking about happens right before the creation of the buffer containing the OEP. That's why there is CD-ROM drive activity in that phase.
I haven't studied that part, as my focus was to get to the OEP, but surely with a couple of breakpoints in the right places it is definitely possible to understand what's happening there.
Maybe in the future I’ll give it a closer look: I’m currently busy writing a SecuROM *new* 3 technical paper.

Even if you said this is out of your range, I still invite you to go download a debugger and try it yourself. You can set a breakpoint (I suggest a hardware breakpoint on the API you want to break at + 0x02, to avoid triggering anti-debugging shit) on the Windows APIs used to send commands to the CD drive and check on the stack what parameters are actually passed to those functions.

Do not tell me you aren't able to do reversing: nobody is, initially :) When you start reversing something, most of the time you have 0 knowledge of that thing (be it a DRM, a malware or both :P), then you proceed step by step gaining knowledge (and of course you can check if other ppl shared some info about what you are reversing). Most of the time you have to guess. Most of the time your guess will be wrong. But in the long run it will be a quite rewarding experience :)

I've yet to encounter a SecuROM infected (sic!) game which actually requires me to use the original CD. :creep:
Seriously, I never play with the originals. They are used exactly once: For creating a copy.
Ahah, that's for sure, but this is not a cracking tutorial, it's more like a "clean room" reverse engineering paper.
That said, I have fond memories of a 12-year-old myself making 1:1 backup copies using a tool called BlindRead/BlindWrite. Fuck, those were good times.
 

KleinesSinchen

Do not tell me you aren’t able to do reversing: nobody is, initially
RE requires a lot of previous knowledge. That is dependency hell if trying to grasp it, especially with a brain which feels like mashed potatoes.
The topics are highly interesting for me, but I'm unable to follow them in detail.

But in the long run it will be a quite rewarding experience
No doubt! Rewarding experience for sure. Even my baby steps of fooling ProtectDISC (CD version) with CD-R copies, not using emulation, by applying previous knowledge about SecuROM approximation with twin sectors… felt awesome. I can now create working copies in a semi-automatic manner.


Ahah, that's for sure, but this is not a cracking tutorial, it's more like a "clean room" reverse engineering paper.
That said, I have fond memories of a 12-year-old myself making 1:1 backup copies using a tool called BlindRead/BlindWrite. Fuck, those were good times.
Don't get me wrong: I've zero interest in pirating stuff. When I say backups I mean exactly this: Legitimate backups and not the "backups" in quotes used as euphemism for illegal copies. Just look at my signature. Do you think it doesn't apply to SecuROM discs?
I have been revisiting and trying to understand disc based DRM on the disc level for quite some time now (as the software part goes over my head even more). The paradox behind physical storage media as key for a DRM is fascinating. Mutually exclusive goals: Being able to read something, but not being able to copy it. Simple reading is already a form of copying…

BlindWrite Suite is a thing where RE would be very helpful as well. This is especially true since VSO seems to have stopped selling it (gone from their site). To my knowledge it is the only software to ever implement abusing Plextor Premium GigaRec to simulate the awkward density variations of SecuROM New 4.8+. Two things would be nice to know:
  • How did they implement it? What does the burning engine send to the drive firmware?
  • What is different on the other Plextor drives firmware featuring GigaRec (PX-712, PX-716, PX-755, PX-760, Premium 2) that prevents the trick… and could the firmware be modified in our favor?
 

Luca91

RE requires a lot of previous knowledge.
Well, I agree that previous knowledge is required, if you are talking about "general approach" knowledge, like how to read/write asm, how to use a debugger, the difference between sw/hw breakpoints, Windows APIs etc. You can get it by studying and experimenting. Try to start with something simpler if you are really interested (some entry-level crackmes, that's how I started, back in the day).

Even my baby steps of fooling ProtectDISC (CD version) with CD-R copies
I still have that game protected with ProtectDISC you suggested to me last year. I'll pick it up and start working on it one day :)
Too many interesting old-skool DRMs, too little free time :rolleyes:

BlindWrite Suite is a thing where RE would be very helpful as well. This is especially true since VSO seems to have stopped selling it (gone from their site). To my knowledge it is the only software to ever implement abusing Plextor Premium GigaRec to simulate the awkward density variations of SecuROM New 4.8+. Two things would be nice to know:
  • How did they implement it? What does the burning engine send to the drive firmware?
  • What is different on the other Plextor drives firmware featuring GigaRec (PX-712, PX-716, PX-755, PX-760, Premium 2) that prevents the trick… and could the firmware be modified in our favor?
You can try an API monitoring tool like APISPY, APIMonitor or drstrace. By spying on the API used to send commands to the CD-ROM drive (DeviceIoControl? I'm not sure about this, I need to check) you might be able to retrieve the commands (in hex) you are looking for. These are GUI-based programs (except drstrace).

I don't know about the firmware part, but if the hardware supports such a feature, I guess..... why not? Patching a firmware is surely a job that requires skills tho (and the right hardware/tools).
 
Last edited by Luca91,
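Both suggestions above (a breakpoint on the Windows API that talks to the drive, or an API monitor hooking DeviceIoControl) leave you with the same raw material: an IOCTL code and an input buffer. The example below, which is not from the paper or from anyone in this thread, shows how to turn such a capture into readable SCSI commands. It assumes the SPTI path (IOCTL_SCSI_PASS_THROUGH / IOCTL_SCSI_PASS_THROUGH_DIRECT) and the 32-bit layout of the SCSI_PASS_THROUGH_DIRECT structure from ntddscsi.h; the capture records it decodes are constructed by hand, and the field decoding covers the MMC commands a disc check is most likely to issue (READ TOC/PMA/ATIP, READ SUB-CHANNEL, READ CD).

```python
"""Decode SCSI CDBs handed to an optical drive through SPTI (DeviceIoControl).

Added example, not from the paper or the thread.  Input is what an API
monitor or a breakpoint on DeviceIoControl would show: the IOCTL code and
the input buffer, which for SPTI is a SCSI_PASS_THROUGH(_DIRECT) structure
whose Cdb[] field carries the command the program wants the drive to run.
The 32-bit structure layout is assumed; all capture records are constructed.
"""
import struct

IOCTL_SCSI_PASS_THROUGH = 0x4D004          # CTL_CODE(IOCTL_SCSI_BASE, 0x0401, ...)
IOCTL_SCSI_PASS_THROUGH_DIRECT = 0x4D014   # CTL_CODE(IOCTL_SCSI_BASE, 0x0405, ...)

# 32-bit SCSI_PASS_THROUGH_DIRECT, 44 bytes: Length(H); ScsiStatus, PathId,
# TargetId, Lun, CdbLength, SenseInfoLength, DataIn (7 bytes); 3 pad bytes;
# DataTransferLength, TimeOutValue, DataBuffer, SenseInfoOffset (4 ULONGs);
# Cdb[16].  The non-DIRECT variant has the same size and offsets on 32-bit
# (DataBufferOffset instead of the DataBuffer pointer), so one format serves both.
SPTD_FMT = "<H7B3xIIII16s"
SPTD_SIZE = struct.calcsize(SPTD_FMT)      # 44
DATA_DIR = {0: "out", 1: "in", 2: "none"}  # SCSI_IOCTL_DATA_OUT / _IN / _UNSPECIFIED

OPCODES = {
    0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE", 0x12: "INQUIRY",
    0x28: "READ(10)", 0x42: "READ SUB-CHANNEL", 0x43: "READ TOC/PMA/ATIP",
    0x46: "GET CONFIGURATION", 0x51: "READ DISC INFORMATION",
    0xB9: "READ CD MSF", 0xBE: "READ CD",
}
TOC_FORMATS = {0: "TOC", 1: "session info", 2: "full TOC", 3: "PMA", 4: "ATIP", 5: "CD-TEXT"}
SUBCH_SEL = {0: "none", 1: "raw P-W", 2: "Q", 4: "R-W (de-interleaved)"}
SUBCH_PARAM = {1: "current position", 2: "MCN", 3: "ISRC"}


def decode_cdb(cdb):
    """Extract the fields that matter when watching a disc check (MMC field layout)."""
    op = cdb[0]
    info = {"opcode": op, "name": OPCODES.get(op, "unknown")}
    if op == 0x43:                                   # READ TOC/PMA/ATIP
        info["msf"] = bool(cdb[1] & 0x02)
        info["format"] = TOC_FORMATS.get(cdb[2] & 0x0F, "reserved")
        info["track_or_session"] = cdb[6]
        info["alloc_len"] = struct.unpack(">H", cdb[7:9])[0]
    elif op == 0x42:                                 # READ SUB-CHANNEL
        info["msf"] = bool(cdb[1] & 0x02)
        info["subq"] = bool(cdb[2] & 0x40)
        info["param"] = SUBCH_PARAM.get(cdb[3], "reserved")
        info["track"] = cdb[6]
        info["alloc_len"] = struct.unpack(">H", cdb[7:9])[0]
    elif op == 0xBE:                                 # READ CD
        info["sector_type"] = (cdb[1] >> 2) & 0x07
        info["lba"] = struct.unpack(">I", cdb[2:6])[0]
        info["blocks"] = int.from_bytes(cdb[6:9], "big")
        info["c2_errors"] = (cdb[9] >> 1) & 0x03    # 0 = none, 1 = C2 bits, 2 = C2 + block bits
        info["subchannel"] = SUBCH_SEL.get(cdb[10] & 0x07, "reserved")
    return info


def decode_sptd(buf):
    """Parse one SCSI_PASS_THROUGH(_DIRECT) input buffer; None if it is malformed."""
    if len(buf) < SPTD_SIZE:
        return None
    (length, _status, path, target, lun, cdb_len, _sense_len, data_in,
     xfer_len, timeout, _data_ptr, _sense_off, cdb) = struct.unpack(SPTD_FMT, buf[:SPTD_SIZE])
    if length != SPTD_SIZE or not 1 <= cdb_len <= 16:
        return None
    return {"address": (path, target, lun), "direction": DATA_DIR.get(data_in, "?"),
            "transfer_len": xfer_len, "timeout_s": timeout, "cdb": decode_cdb(cdb[:cdb_len])}


def decode_captures(captures):
    """Keep only SPTI calls from (ioctl_code, input_buffer) records and decode them."""
    out = []
    for ioctl, buf in captures:
        if ioctl in (IOCTL_SCSI_PASS_THROUGH, IOCTL_SCSI_PASS_THROUGH_DIRECT):
            rec = decode_sptd(buf)
            if rec is not None:
                out.append(rec)
    return out


def make_sptd(cdb, transfer_len, data_in=1):
    """Build a capture buffer the way a caller fills the struct (constructed test input)."""
    cdb_len = len(cdb)
    return struct.pack(SPTD_FMT, SPTD_SIZE, 0, 0, 0, 0, cdb_len, 0, data_in,
                       transfer_len, 10, 0, 0, bytes(cdb).ljust(16, b"\x00"))


# Constructed capture log: three SPTI calls plus one unrelated storage IOCTL.
CAPTURES = [
    # READ TOC/PMA/ATIP, format 4 (ATIP), 28-byte response
    (IOCTL_SCSI_PASS_THROUGH_DIRECT, make_sptd(b"\x43\x00\x04\x00\x00\x00\x00\x00\x1C\x00", 0x1C)),
    # IOCTL_STORAGE_QUERY_PROPERTY: not SPTI, must be skipped
    (0x2D1400, b"\x00" * 12),
    # READ SUB-CHANNEL, MSF, SubQ, current position, 16-byte response
    (IOCTL_SCSI_PASS_THROUGH_DIRECT, make_sptd(b"\x42\x02\x40\x01\x00\x00\x00\x00\x10\x00", 0x10)),
    # READ CD: LBA 1234, 1 block, sync+header+user data+EDC/ECC, raw P-W subchannel
    (IOCTL_SCSI_PASS_THROUGH_DIRECT,
     make_sptd(bytes([0xBE, 0x00, 0x00, 0x00, 0x04, 0xD2, 0x00, 0x00, 0x01, 0xF8, 0x01, 0x00]), 2352 + 96)),
]

if __name__ == "__main__":
    for rec in decode_captures(CAPTURES):
        print(rec["direction"], rec["transfer_len"], rec["cdb"])
```

The READ CD record is the one worth staring at during a disc check: the subchannel selection byte and the C2 error flags say whether the protection is reading subcode or error statistics rather than plain user data, and the LBA sequence shows which sectors it keeps coming back to.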
