Reverse engineering Academy
hcu97 Founded by +ORC in April 1996 hcu98

project4
CD-ROM faking
CD-ROM related reverse engineering
Updated in September 1999

The commonest tricks and the CD-Rom landscape


by fravia+, January 1999

The increase in illegal copying and burning of CD, that -take note- we don't condone if made for commercial purposes, seems now to be a phenomenon that has taken such a dimension that IMO the producers should better try to understand correctly instead of annoying software reversers that have NOTHING to do with it... see, I'm not speaking of the fact that you can buy wherever in Russia now (on the Arbat!) whole compilations for 2 Euro (each one of them containing the most recent software, each CD worth 4-5000 Euros) since you could have done that even before the disappearance of the good old Soviet Union, in Singapore, Beyruth, Belgrad or even at the rastro in Madrid... and since actually there'snt any need to spend even those 2 lonely Euros, on a huge web where you can download whatever you fancy for free from any decent warez site.

BTW, you may as well say goodbye to copyrighted music... to use Seidman's recent words: "Dear Music Company Executives, The software to encode music into MP3 format already exists. I already have it on my computer. So do a lot of other people. You will not be able to stop it because it is already there. Do you get it? I know you're scared. I don't blame you. But the genie is already out of the bottle and try as you might, you won't be able to stuff it back in. Get over it. You can store about 150 songs in MP3 format on a CD or about 10 HOURS of music on one CD. The Diamond Rio, which holds 60 minutes of music is only the TIP of the iceberg."
Of course Seidman's is right... and I may add that all the encryption plans of those same commercial bastards (my own translation of music company executives :-) mean only more fun for our reversing studies... :-)

Yet the real problem remains another, IMO: the real problem is that there are many completely 'legal' HARDWARE fellons out there, that should worry the copyright holders even more than the warez-pirates that sell (and protect :-) their (protected) pirated CD (like Twilight).
You want an hardware example? Here you go: Memodis has announced a CD-ROM burner that can chain up to 28 burners together in groups of seven. It's a PC-independent hardware pirate-dream, that will be delivered in three version, the biggest one with 7 burners and a LCD screen... now, pray tell me, who will use this product? Ah ah... the 'free market' laws of demand and offer should always be respected... :-(

So let's do our work: let's reverse engineer software protection schemes, since this field because is relevant for our reverse engineering studies.

CD-ROM protection schemes are based on some common tricks: first of all the idea (actively spreaded by some software houses) that there is some space 'between tracks' on a CD, that would be written on the original CD and checked by the protection scheme is nonsense. A Cd-ROM track is a spiral. The main protection schemes used to day to avoid CD-ROM copying are based on the fact that CD-ROM disks have a layout divised in tracks. The common structure is 
Track #1 - MODE1
Track #2 - MODE2
Track #3 - AUDIO
Track #4 - AUDIO
Track #5 - MODE1

Note that in multisession CD-EXTRA discs the audio tracks are in the first session and there is a data track in the second sesssion.
This 'mixed' mode stuff is used to "protect" games from being copied by beginners. Adaptect's software, for instance cannot duplicate (on purpose) these mixed CDs. You'll need to use better software (CdWin or, even better, Nero) to do it.
All the protection schemes based on the above structure can be easily cracked. There are two kind of protection schemes that are more difficult to crack (yet they are not uncrackable, of course :-) and these are Kodak Photo-CDs and Sony Playstation games (I don't mean those that you can bypass fixing the playstatiuon unit), which both contain inside their pre-header (or subroutines) some code that initializes the lusers' machine.
Let's have a look at the commonest tricks:
Trick: To avoid CD-copy, the most banal trick is to make the CD's bigger than the usual format. You will therefore not be able to copy the CD on a regular (74 minutes) CD.
Bypass: there are two possible options to copy an 'enlarged' protected CD:
1) Get hold of good software that can copy more data on regular CD's (CDRWin, for instance... but the best software IMO is Nero. If you use Nero, then 'Ignore Illegal TOC' + 'Ignore Read Errors' + 'Unreadable Data' & continue copying')
2) get CD's that are large enough to hold all the data.
3)If your CD-Recorder supports overburning (TEAC, PLEXTOR, YAMAHA) then u can enable the overburn option in NERO ('Preferences' & Advanced settings' & 'enable CD oversize'). If you are not sure all the data of the original disk will fit then just use a 80 minutes CD-R.

Trick: As it was to be expected, there are now a series of protection schemes out that use partitions that are larger than the largest CD-r available. Interestingly enough, pirates have been the first one to use this kind of protection (Twilight began using this kind of protection from number 15, and went 'bigger' from number 21).
Bypass: 1): (simple): Crack the scheme (remove the CD-size check from the menu).
2): (expensive): use CDRWin with one of the following recorders: Plextor PX-R412 Ci; Teac CDR 55 S; ALL Yamaha recorders; Panasonic 7502. The reason you should use CDRWIn has to do with the ToC of all CD-Roms: Every CD contains a table of contents (TOC) and a Lead In in which is listed what is on the CD, so the CD-ROM drive can find the data on the disc. This TOC is on every CD and will be written by the start of every recording session. And this of course takes up space on the CD so less space is available for the actual data. This is where CDRWin comes in; the TOC and Lead In written by CDRWin (CDRWin: www.goldenhawk.com) are much smaller if you compare it to other recording software (NERO: www.ahead.de; Creator Deluxe: www.adaptec.com; DiskJuggler: www.padus.com; Prassi CD Replicator: www.prassi.com; Feurio www.feurio.de everyone of these programs can be fished from the web)

This important project was started by the +HCU in May 1997. Take note: part of the following essays are considered HISTORY of the cracking scene, and relate to various CD-Rom protection schemes.
Please note that there are on the academy many other CD-related essays that should be included in here (anyone has the will to do a little 'polishing'? :-)

PHASE 1 by Animadei:

EMULATE CD-ROM (an ASM file), 11 May - 3 November 1997
(Emulating MSCDEX)

This asm file introduces to all future good crackers the BASIS of cd-rom emulation, which has an obvious importance for our trade. As animadei himeself writes to me: I've taken the liberty to give my cd-emulator source as a small contribution to the cracking community. There's a file attached to this letter. ECD "Emulate CD" - introduces emulating a CD and substitutions of drives like "subst.exe"...
PHASE 2 by Aesculapius:

Brief Tutorial on CD Access Based Protection Schemes Under Windows, 28 August 1997
(Cracking Virtua Fighter PC)

Well, a VERY welcome contribution by our Aesculapius! It was time that somebody took care of the CD-ROM checks, which btw, in general, are NOT very difficult to defeat. I hope that with the help of this addition many +crackers will be stimulated and work on such schemes, bringing ahead this poor and neglected (yet important) project 4!
PHASE 3 by +DataPimp:

WarLords 3 Cd-Check, 24 September 1997
(A Very Simple Protection)

Well, it was about time that somebody wrote something more! Riddler shows here how (relatively) easy it is to reverse engineer such schemes! I hope that with the help of this addition many +crackers will be stimulated and work on such schemes, bringing ahead this poor and neglected (yet important) project 4!
PHASE 4 by +DataPimp:

CD-Rom reversing MechWarrior2 Mercenaries, 26 September 1997
(Another Approach to the Cd-Check scheme)

Well, +DataPimp is slowly "specialising" in this very interesting cracking subject! Here is his SECOND essay in a very short time. Let's hope he keeps sending material, as I will repeat (once more): "I hope that with the help of this addition many +crackers will be stimulated and work on such schemes, bringing ahead this poor and neglected (yet important) project 4!
PHASE 5 by +ALT-F4:

Cracking the Mystique Patch for Tombraider, 17 October 1997
(the write random file trick)

A new +HCUker (that has already contributed to our site in the past) shows here how (relatively) easy it is to reverse engineer a video patch for Tombraider... a good game btw, you'll find it on almost any warez server... I personally prefer the older version 1 to version 2 :-)
PHASE 5 by +Rcg:

CD ROM from top to down, 19 October 1997
(MSCDEX, reversing drivers and CD-ROM related interrupts)

Well, a welcome "basic" addition by +Rcg, who clear things a little out on such important matters like accessing the CD-ROM through the MSCDEX driver.
PHASE 6 by NaTzGUL:

InstallSHIELD Script Cracking, 22 November 1997
(Object oriented cracking: INSTALL WIZARDS CRACKING)

Well, a very interesting essay. Here we have a very "sound" approach to Installshield cracking. Read and enjoy!
PHASE 7 by -= +DataPimp =-:

Quake2 CD-Rom reversing, 20 December 1997
(More about CD-ROM deprotections and Cd-Checks)

Quake II... so easy you could cry!
PHASE 8 by TWD:

The cracking of "Age of Empires", 27 Dec 1997
(with a general digression about CD-based copy protections of most Windows95 games)
PHASE 9 by FootSteps:

Oldies but Goodies, 04 Mar 1998
(A Dos Game CD-check with Sourcer 7)
Well, let's rationalize things a little...
01 June 98 Q ~ q_tsr601.htm A different approach cracking a DOS CD-protection proj 4 ~fra_0124
09 Jan 99 Kilby ~ kilby.htm Thief and the current Eidos protection scheme proj 4 ~ fra_017B
20 Jan 99 McLallo ~ cdromcla.htm CD-Cops ~ Another ready-made protection annihilated advanced
proj 4
protec 		~ fra_0183
24 Sep 99 zoltan ~ d2kessay.htm Reverse Engenering The Protections From WestWood: DUNE proj 4 ~ fra_xxxx
24 Sep 99 zoltan ~ zltcomma.htm How to defeat a cd-lock protection: COMMANDOS proj 4 ~ fra_xxxx


red

You'r deep inside fravia's pages of reverse engineering, choose your way out!

 


red

redhomepage red links red anonymity red+ORC redstudents' essays redacademy database redbots wars
redantismut redtools redcocktails redjavascript wars redsearch_forms redmail_fravia
redIs reverse engineering illegal?