A list CD cracking uncovered protection against unsanctioned CD copying


Document information

CD Cracking Uncovered: Protection Against Unsanctioned CD Copying
by Kris Kaspersky
A-List © 2004 (300 pages)
ISBN: 1931769338

Aimed at shareware and commercial software programmers, as well as users interested in CD protection, this book will help readers defeat hackers and crackers who try to copy CDs without authorization.

Table of Contents

CD Cracking Uncovered: Protection against Unsanctioned CD Copying
Preface
Introduction
On the CD
Part I - CD Anatomy
Chapter 1 - CD Organization
Chapter 2 - Power of Reed-Solomon Codes
Part II - Low-Level Control over Hardware
Chapter 3 - Practical Advice on Urgent System Recovery
Chapter 4 - Interfaces for Interaction with the Hardware
Chapter 5 - Methods of Revealing Protection Mechanisms
Part III - Protection against Unauthorized Copying and Data Recovery
Chapter 6 - Anti-Copying Mechanisms
Chapter 7 - Protection Mechanisms for Preventing Playback in PC CD-ROM
Chapter 8 - Protection against File-by-File Disc Copying
Chapter 9 - Protection Mechanisms Based on Binding to Storage Media
Chapter 10 - Data Recovery from CDs
List of Figures
List of Tables
List of Code Examples
CD Content

CD Cracking Uncovered: Protection Against Unsanctioned CD Copying, by Kris Kaspersky, A-LIST Publishing © 2004 (432 pages), ISBN: 1931769338.

Back Cover

A manual on protecting CDs against illegal copying, this book shows how crackers copy CDs using various access methods. The methods covered include the CDFS driver, cooked mode, SPTI, ASPI, the SCSI port, and the MSCDEX driver. Explained is how to prevent cracker break-ins using protections based on nonstandard CD formats such as the CD driver and weak CD sectors. Information on CD functioning fundamentals and tips related to CD protection, in a format free of math and assembler (such as data formats, the scrambler, the Reed-Solomon coder/encoder, the CIRC coder/encoder, and a weak-sectors generator), is also provided. The main program interfaces, which provide direct control over peripheral devices on the application level in UNIX, Novell, and Windows 9x/NT/2000/XP, are considered, as is how to read and write RAW sectors. After reading this book, readers will know how to change the format of a CD to make it accessible for reading and/or writing on most CD drives, but not accessible for copying. Aimed at shareware and commercial software programmers, as well as users interested in CD protection, this book will help readers defeat hackers and crackers who try to copy CDs without authorization. It is targeted at advanced users as well as application and system programmers.

About the Author

Kris Kaspersky is an IT consultant working in security and system programming. He specializes in issues such as compiler development, optimization techniques, security mechanism research, real-time OS kernel creation, software protection, and the creation of antivirus programs. He is the author of Hacker Disassembling Uncovered and Code Optimization: Effective Memory Usage.

CD Cracking Uncovered: Protection against Unsanctioned CD Copying
KRIS KASPERSKY
A-LIST

© 2004 by A-LIST, LLC. All rights reserved. No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopying, recording, or scanning, without prior permission in writing from the publisher.

A-LIST, LLC, 295 East Swedesford Rd., PMB #285, Wayne, PA 19087; 702-977-5377 (FAX); mail@alistpublishing.com; http://www.alistpublishing.com

This book is printed on acid-free paper.

All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.

CD Cracking Uncovered: Protection against Unsanctioned CD Copying, by Kris Kaspersky. ISBN: 1931769338. 04 05 7 6 5 4 3 2 1

A-LIST, LLC, titles are available for site license or bulk purchase by institutions, user groups, corporations, etc.

Book Editor: Thomas Rymer

LIMITED WARRANTY AND DISCLAIMER OF LIABILITY

A-LIST, LLC, AND/OR ANYONE WHO HAS BEEN INVOLVED IN THE WRITING, CREATION, OR PRODUCTION OF THE ACCOMPANYING CODE (ON THE CD-ROM) OR TEXTUAL MATERIAL IN THIS BOOK CANNOT AND DO NOT GUARANTEE THE PERFORMANCE OR RESULTS THAT MAY BE OBTAINED BY USING THE CODE OR CONTENTS OF THE BOOK. THE AUTHORS AND PUBLISHERS HAVE WORKED TO ENSURE THE ACCURACY AND FUNCTIONALITY OF THE TEXTUAL MATERIAL AND PROGRAMS CONTAINED HEREIN; HOWEVER, WE GIVE NO WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, REGARDING THE PERFORMANCE OF THESE PROGRAMS OR CONTENTS. THE AUTHORS, PUBLISHER, DEVELOPERS OF THIRD-PARTY SOFTWARE, AND ANYONE INVOLVED IN THE PRODUCTION AND MANUFACTURING OF THIS WORK SHALL NOT BE LIABLE FOR ANY DAMAGES ARISING FROM THE USE OF (OR THE INABILITY TO USE) THE PROGRAMS, SOURCE CODE, OR TEXTUAL MATERIAL CONTAINED IN THIS PUBLICATION. THIS INCLUDES, BUT IS NOT LIMITED TO, LOSS OF REVENUE OR PROFIT, OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF THE PRODUCT.

THE CD-ROM, WHICH ACCOMPANIES THE BOOK, MAY BE USED ON A SINGLE PC ONLY. THE LICENSE DOES NOT PERMIT ITS USE ON A NETWORK (OF ANY KIND). THIS LICENSE GRANTS YOU PERMISSION TO USE THE PRODUCTS CONTAINED HEREIN, BUT IT DOES NOT GIVE YOU RIGHT OF OWNERSHIP TO ANY OF THE SOURCE CODE OR PRODUCTS. YOU ARE SUBJECT TO LICENSING TERMS FOR THE CONTENT OR PRODUCT CONTAINED ON THIS CD-ROM. THE USE OF THIRD-PARTY SOFTWARE CONTAINED ON THIS CD-ROM IS LIMITED TO THE RESPECTIVE PRODUCTS.

THE USE OF "IMPLIED WARRANTY" AND CERTAIN "EXCLUSIONS" VARY FROM STATE TO STATE, AND MAY NOT APPLY 
TO THE PURCHASER OF THIS PRODUCT.

Preface

This book is a practical guide to protecting CDs against unauthorized copying. It is oriented toward a wide reader audience, including advanced users and application and system programmers. It is not necessary to have expensive specialized equipment or to be a security expert to create strong, inexpensive, and reliable protection. All that you need to achieve this is a low-end CD recorder and a couple of evenings free from other work.

This book provides a detailed description of CD structure and will let you in on a lot of secrets known only to security experts (and not even they know them all), explaining all this in simple language, without higher mathematics and practically without Assembler language. This is the book's main unique feature!

While reading this book, you will learn how to invalidate the disc format in order to make it readable (that is, playable) on most CD-ROM drives, but practically impossible for any copier to copy, and how to bind to the physical disc structure so that copiers are unable either to reproduce or to imitate it. You'll also learn about the physical and technical limitations of low-end recorders and how to use these to achieve your goals. Also covered will be control over CD drives and recorders at a low level, and how to get the maximum control over CDs allowed by specific drive models. All circumstances being equal, a disc protected using a high-tech drive cannot be copied by all other drives. The book provides detailed information on the differences between drive models and on which characteristics deserve the most attention when choosing a drive.

The book also discusses practically all commercial CD protection packages available today. It lists their implementation errors, "thanks" to which the copying of protected discs is still possible. The author also suggests several protection mechanisms that take into account his own bitter experience and that of his friends and colleagues. These protection mechanisms cannot be copied using any of the copiers that exist today. With regard to copiers, here you'll find a detailed description of the most popular protected CD copiers: Clone CD and Alcohol 120%, which,

to carry out a short sector read (i.e., user data only) and always processes entire sectors by forcibly adding the checksum and error-correction codes to the end of each sector. As a result, none of our manipulations will produce any effect. They will, on the contrary, be corrected automatically on the fly by the drive's firmware. It is possible, of course, to compute a new checksum and error-correction codes after entering the required changes, but why complicate our life unnecessarily? If you do not have Easy CD Creator, take Alcohol 120% and choose the Standard ISO images option. OK, now let's assume that the CD image has been successfully saved in the trask.iso file, with which we are going to work now. Open this file using HIEW or any other HEX editor and find the sector that contains the TOC. A pretty business! How can we find it? 
To do so, we need at least to view the Joliet/ISO-9660 file system specification or to exert a bit of mental effort. Since the file size is specified in bytes, not in sectors (it just can't be specified in sectors; file systems that measure files in blocks became obsolete a long time ago), we can find the required field using a trivial context search. Choose the file whose length we are going to measure, and convert that length to hex. For instance, let it be the file named "01 - Personal Jesus.mp3", having a length of 3,591,523 bytes. In hex notation, taking into account the inverse byte order, this value will appear as follows: 63 CD 36 00. Press and enter the sequence that we are looking for…

Listing 8.1: The first occurrence of the desired sequence in the disc image

Listing 8.2: The second occurrence of the desired sequence in the disc image

The desired value is actually present in the disc image. In fact, there are not one, or even two, but four such occurrences! No, this isn't some kind of devilry; in fact, this is how it should be. Contemporary CDs contain two file systems: one of them, ISO-9660, is written to the disc exclusively for compatibility with obsolete software, limiting the maximum length of a file name to 11 characters (eight for the name itself, and the remaining three for the filename extension). Contemporary software operates with more advanced file systems, including Joliet, developed by Microsoft. If you think that all we need now is Romeo, strangely enough, there is a file system by that name! It was developed by Adaptec, but, unfortunately, it didn't become widespread and passed away quite soon. Joliet, therefore, will remain alone. Enough of romance, let's get back to business.

Generally, it isn't necessary to worry about synchronization of the two file systems, because Windows "sees" only Joliet and ignores ISO-9660, while MS-DOS does exactly the opposite. Therefore, if we increase the file length in Joliet but "forget" to do the same in ISO-9660 (this is the particular trick that some developers of protection mechanisms play), Windows will never even have a shadow of suspicion that some deception is taking place. However, the question is different with hackers! The original file lengths left unchanged in ISO-9660 will considerably simplify the task of the cracker. Consequently, it isn't recommended to leave them as they are! Besides this, there are several drivers that allow you to choose manually which of the two file systems you wish to mount. Don't be lazy, therefore, and correct both values simultaneously by changing the two most significant bytes from 36 00 to FF 66 (you may, of course, prefer another value).

When doing this, pay special attention to the double word 00 36 CD 63. This is also the file length, written, however, in the inverse order, which is unnatural for the IBM PC. Here, the least significant byte is located at the higher address. The address of the starting sector of the file is also written in two variants. Such a scheme of information representation has obviously been chosen for reasons of compatibility. Every platform is free to choose the byte order that is natural for it. There is no guarantee, however, that Windows will choose the "less significant byte at the lower address" variant. Everything depends on the file system driver, which, in turn, depending on the specific features of its implementation, can work with either of these two fields. Therefore, both fields must always be kept consistent. Now the modified (I mean, 
invalidated) ISO image can be burnt onto a CD-R/CD-RW or mounted on a virtual CD drive (for this purpose, you'll need Alcohol 120% or any similar program). Issue the dir command, and you'll see the following:

Listing 8.3: The size of the "Personal Jesus.mp3" file is modified on purpose

> dir N:\Depeche Mode
 Volume in drive N has label 030706_2038
 Volume serial number is 61A1-A7EE

 Directory of N:\Depeche Mode

06.07.2003  21:56    <DIR>          .
06.07.2003  21:56    <DIR>          ..
01.01.1601  04:00    1 728 040 291  01 - Personal Jesus.mp3
30.06.2003  00:11        3 574 805  02 - See You.mp3
30.06.2003  00:12        3 472 405  03 - Strangerlove.mp3
30.06.2003  00:12        3 718 165  04 - Enjoy The Silence.m
30.06.2003  00:13        2 956 643  05 - The Meaning Of Love
30.06.2003  00:14        3 820 565  06 - Master and Servant
30.06.2003  00:15        3 066 149  07 - Never Let Me Down A
30.06.2003  00:16        3 806 772  08 - Its Called a Heart
30.06.2003  00:16        3 813 460  09 - Little 15.mp3
30.06.2003  00:17        3 574 805  10 - Everything Counts.m
30.06.2003  00:18        3 687 236  11 - People Are People.m
30.06.2003  00:19        4 916 036  12 - The Thing You Said
30.06.2003  00:20        4 182 100  13 - Agent Orange.mp3
30.06.2003  00:21        4 585 012  14 - World in my Eyes.mp
30.06.2003  00:22        3 646 276  15 - Behind The Wheel.mp
30.06.2003  00:22        3 049 012  16 - Black Celebration (
30.06.2003  00:23        3 800 085  17 - Nothing.mp3
30.06.2003  00:25        7 151 700  18 - Bonus (unnamed).mp3
              18 files  1 794 861 517 bytes
               2 folders            0 bytes free

Well! The file size has increased to 1,728,040,291 bytes (see the string highlighted in bold), which is more than twice the volume of the entire CD. And they have the gall to say that one part cannot be larger than the whole! 
Naturally, any attempt to copy this file to the hard disk will fail. Therefore, we must look for a way to bypass this. Let's focus on the fact that files on the CD are placed sequentially, which means that the last sector of the current file is directly followed by the starting sector of the next file. Because we know the starting sectors of all files, determining the position of the terminating sectors, except for the last, shouldn't present any problem. Let's copy the ISO image of the protected disc into a file and consider its directory once again:

Listing 8.4: A fragment of the file image under consideration

The smallest starting-sector number after sector 0191h is 086Bh. Thus, the "01 - Personal Jesus.mp3" file cannot contain more than 086Bh − 0191h == 6DAh sectors, or 1754 * 2048 == 3,592,192 bytes. Naturally, this is a somewhat excessive value, and the actual file is 1.5 K shorter. This difference, however, is already of no importance. Most multimedia files will be processed correctly, even with a certain amount of irrelevant garbage at the tail. Having corrected the file image, let's write it to the disc, or simply shorten the file to the required length using any available program, such as "Pinch of file." What should you do if you are not satisfied with such a low level of reliability from this protection? 

There is, in fact, something that can be done. For example, it is possible to reduce the starting sector numbers of several files, which allows you to kill two birds with one stone. First, the file with an incorrectly specified sector definitely won't be processed correctly by an associated application (which isn't surprising, since after this kind of manipulation, the actual starting point of the file will be somewhere in its middle). Second, the algorithm used to determine original file lengths from the difference of the neighboring starting sector addresses is sure to produce an incorrect result, according to which the restored file will be cut off. A protection mechanism that knows the actual offset of the file's starting sector in relation to its real starting point must either shift the file pointer by calling the SetFilePointer function or "swallow" the garbage data using the ReadFile function. Both methods are equally effective, and each of them has its strong and weak points. SetFilePointer operates considerably faster. However, it is easily recognizable (especially to hackers). When encountering the ReadFile call, on the contrary, it is necessary to find out what kind of data it actually reads: useful information or simply garbage.

Let's study how the cracking process appears in practice. Writing a fully functional MP3 player just for the sake of illustration isn't a rational approach (besides which, it would take a lot of space). Therefore, all of the data processing in this demo example consists of displaying the original file contents on the screen. Before starting this program for the first time, the starting sector number of the protected file must be decreased by the _NSEC_ value, and the size must be increased by at least 2048*_NSEC_ bytes. There is no limitation on the maximum length (which means that you can use all 32 bits of the length field).

Listing 8.5: [crackme.27AF7A2Dh] A demo example illustrating the processing of files with incorrect 
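The two byte-order copies of the length field discussed above, and the neighbouring-extent bound just computed (086Bh − 0191h sectors), can both be checked mechanically. The following Python is an added example, not code from the book or its CD: it builds constructed ISO-9660 directory records laid out per ECMA-119 (ASCII identifiers, so the ISO-9660 tree rather than Joliet's UCS-2 one), parses them back, and flags entries whose little-endian and big-endian copies disagree or whose declared length cannot fit before the next file's starting sector. The file names and the volume size of 360,000 sectors used in the test are assumed values.

```python
import struct

SECTOR = 2048  # user-data bytes per Mode 1 sector

def both_endian32(value):
    """ISO-9660 'both byte orders' field: little-endian copy, then big-endian copy."""
    return struct.pack("<I", value) + struct.pack(">I", value)

def make_dir_record(name, extent_lba, data_length, length_be=None):
    """Minimal ECMA-119 directory record (constructed test data); length_be plants a disagreeing BE copy."""
    ident = name.encode("ascii")
    pad = b"\x00" if len(ident) % 2 == 0 else b""        # record length must be even
    be = data_length if length_be is None else length_be
    body = (b"\x00"                                       # extended attribute record length
            + both_endian32(extent_lba)                   # bytes 2..9: location of extent
            + struct.pack("<I", data_length) + struct.pack(">I", be)  # bytes 10..17: data length
            + bytes(7)                                    # recording date and time (unused here)
            + b"\x00\x00\x00"                             # file flags, file unit size, interleave gap
            + struct.pack("<H", 1) + struct.pack(">H", 1) # volume sequence number
            + bytes([len(ident)]) + ident + pad)          # identifier length, identifier, padding
    return bytes([len(body) + 1]) + body                  # byte 0: length of the whole record

def parse_dir_records(blob):
    """Walk the records of one directory extent; each record begins with its own length."""
    records, off = [], 0
    while off < len(blob) and blob[off] != 0:
        rec = blob[off:off + blob[off]]
        n = rec[32]
        records.append({
            "name": rec[33:33 + n].decode("ascii", "replace"),
            "lba_le": struct.unpack("<I", rec[2:6])[0],
            "lba_be": struct.unpack(">I", rec[6:10])[0],
            "len_le": struct.unpack("<I", rec[10:14])[0],
            "len_be": struct.unpack(">I", rec[14:18])[0],
        })
        off += len(rec)
    return records

def max_recoverable_bytes(start_lba, next_start_lba):
    """Bound for back-to-back files: (next file's first sector - this file's first sector) * 2048."""
    return (next_start_lba - start_lba) * SECTOR

def audit_records(records, volume_sectors):
    """(name, reason) for entries whose byte-order copies disagree or whose length cannot fit."""
    findings = []
    by_start = sorted(records, key=lambda r: r["lba_le"])
    for i, r in enumerate(by_start):
        if r["lba_le"] != r["lba_be"] or r["len_le"] != r["len_be"]:
            findings.append((r["name"], "LE/BE copies disagree"))
        nxt = by_start[i + 1]["lba_le"] if i + 1 < len(by_start) else volume_sectors
        bound = max_recoverable_bytes(r["lba_le"], nxt)
        if r["len_le"] > bound:
            findings.append((r["name"], f"declared {r['len_le']} bytes, at most {bound} fit"))
    return findings

# Constructed directories: the real length (63 CD 36 00) and the tampered one, 63 CD FF 66 = 1,728,040,291.
SAMPLE_CLEAN = (make_dir_record("PERSONAL.MP3;1", 0x191, 3591523)
                + make_dir_record("SEEYOU.MP3;1", 0x86B, 3574805))
SAMPLE_TAMPERED = (make_dir_record("PERSONAL.MP3;1", 0x191, 0x66FFCD63)
                   + make_dir_record("SEEYOU.MP3;1", 0x86B, 3574805))
```

The bound is only an upper limit, as the text notes: a file can legitimately be a few hundred bytes shorter than the span to the next extent, so only lengths above it are reported.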
attributes for starting sector and length

/*
 *
 * crack me 27AF7A2D
 * =================
 *
 * A demo example illustrating the processing of files with an
 * decreased number for the starting sector and an increased le
 * pointer is carried out by a call to the fseek function, ther
 * is very easy to crack
 *
 * Build 0x001 @ 02.07.2003
 */
#include <stdio.h>

// Program settings
// ===================

// Name of the file to be opened
// If protection resides on the CD, then there is no need to sp
// full pathname
#define _FN_ "M: \\Depeche Mode\\01 - Personal Jesus m

// The number of sectors by which the starting point of the fil
#define _NSEC_

// Original file size
#define _FSIZ_ 3591523

// User data size
#define SECTOR_SIZE 2048

// Screen width in characters (needed to display a dump)
#define _SCREEN_LEN_ 80

// Size of the block being processed
#define BLOCK_SIZE 0x666

// Finding the minimum of two numbers
#define _MIN(a,b) ((a) < (b) ? (a) : (b))

Posted on: 25/03/2019, 17:11


Table of contents

  • CD Cracking Uncovered: Protection Against Unsanctioned CD Copying
  • Back Cover
  • About
  • Preface
  • Introduction
    • Historical Aspect
    • Thoughts about Hackers, Protection Mechanisms, and Programming
  • On the CD
  • Part I: CD Anatomy
    • Chapter 1: CD Organization
      • Lead-in Area, Data Area, Lead-out Area, and TOC
    • Chapter 2: Power of Reed-Solomon Codes
      • Basics of Error-Correcting Codes and Error-Correcting Encoding
      • Idea of Reed-Solomon Codes
      • General Concept
      • Recommended Reading
      • Polynomial Arithmetic and Galois Fields
      • Reed-Solomon Codes in Practical Implementations
  • Part II: Low-Level Control over Hardware
    • Chapter 3: Practical Advice on Urgent System Recovery
    • Chapter 4: Interfaces for Interaction with the Hardware
      • Access via the CD-ROM Driver
      • Access in the Cooked Mode (Block Reading Mode)
      • Access via SPTI
      • Access via ASPI
      • Access via the SCSI Port
