OpioN writes: Original by Zota, translated, edited and updated by OpioN.

The turnover losses with which the manufactories from the audio, video and software industry have to deal, is according to them the blame of crackers who make illegal copies of their products. The cure against this could be the mass use of copy protection. But can manufacturers feel safe knowing that their piece of software/audio/ video is protected by such a utility. I went on a quest to find out what copy protection could really do, and how it could be fooled.

The software industry is complaining about turnover losses because of illegal copies since the introduction of the Commodore 64. This is about the time when they began their campaign against crackers and the numerous illegal copies. But since even though it is a long time ago, they don?t seem to have won any territory from the crackers, because the only thing you need these days is a cd-writer and a good burning program to make usable copies.

Not long ago even the music industry started using copy protection to stop the illegal copied audio cd?s. But because the compact disc does not have an intrinsic copy protection, there are serious side effects attached. The last great revolution in audio cd copy protection was by Sony DADC, which developed the pc-playback protection Key2Audio. Key2Audio made sure that the audio cd could not be read by most cd-rom?s, it was not recognized by most drives. Unfortunately this was also the case for most dvd-players and portable cd-players, which caused a lot of irritation among the consumers.

With SafeAudio, until now only used in the US, the manufacturer Macrovision didn?t even care about obvious audio quality losses. The SafeAudio method is one of scattering errors through the audio data, which cd-rom drives can?t filter out, but the error correction of most cd- players can.

The video-dvd was equipped with CSS and Macrovision to render digital and analogue copies useless, but over the years both methods showed to be easily overcome. Currently there is even commercial software available for a private backup in DivX- or VCD-format. And if you are not happy with that quality you can even make 1:1 copies.

But the dvd-producers in contrast to the software and music manufacturers do not notice any turnover loss. On the contrary, the turnover in this segment grew explosively in comparison to other consumer electronics divisions. That doesn?t mean that the dvd-industry won?t have to come up with new barriers for a future format, which will work with a much higher data speed, to protect their income.

Opposition

Because the software games industry doesn?t want to make it a heaven for (illegal) copiers they will invent new, and develop further copy protection software. Most manufacturers know that they are fighting for a lost cause, because no copy protection has proven to be ?uncrackable? against the dissasemblers of the crackers society.

That?s why most of the copy protection is aimed at incidental copiers; people who pass on copies of new game- or audio-cd?s to their friends or acquaintances, and rip off the manufacturers in this way. The manufacturers try to create a big a barrier as possible, so that at least in the first few weeks of sale there will be no illegal copies of their product available on the black market (mostly schools). And although this might seem fair, this also stops most legal users who want to make a backup-copy, which is allowed.

A lot of high quality cd burning programs like Nero Burning ROM, WinOnCD or DiscJuggler crash on some of the more advanced copy protection. But luckily there are programs that have proven to be real copy specialists. Especially Blindwrite Suite, CloneCD and the latest CD Mate have very good credentials, with both the legal and illegal copying scene. Using these tools almost all cd?s can be copied, or distributed as an ISO-image, without further tools.

But the creators of copy protection for software are very creative: they use the weak spots in the cd-rom-specification of cd-writers or weak spots of the Operating System. Although most copy protection is in violation with the cd-rom-specifications, they have to be 99 percent compatible with all the available cd-rom-drives and dvd-rom-drives. Because of this they usually can be copied. This article also includes a table where you can find a list of most common used copy protection, their recognition methods and the solution for making a successful backup-cd. This table is widely available all over the internet, I only updated it a bit.

Copy Protection Table

Copy-/Play- protection (manufacturer)
Symptoms/ Recognition methods
Bypassing Methods
Used how often
Examples

Audio-cd
Cactus Data Shield 100
(Midbar Tech)
This cd will run in only very few pc-drives, because wrong registration of the lead-out and the TOC confuse the pc- drive, there are also sound interruptions
Every burning program that ignores illegal TOC's and writes/ reads in RAW mode.
-
Him- Razorblade Romance, LoveParade Compilation 2001

Cactus Data Shield 200
(Midbar Teck)
The pc will only recognize this cd as a data session. Because there is a Windows program 'CactusPJ.exe and an archive file 'Yucca.cds' which contain all numbers in mp3 format. With Mac OS X and Linux this cd appears to be a normal compact disc, but there can be troubles when reading or playing the first track.
Every burning program that ignores illegal TOC's and writes/ reads in RAW mode.
+
Right said Fred - Freadhead, Die Prinzen - D, Bild - Mallorca Hits

Duolizer
(Bayview Systems)
This player- application only loads the missing parts, from some server, when playing the music. As you probably expect, this isn't very useful for a normal audio cd.
The music can be digital recorded with a virtual sound card (TotalRecorder).
--
none known

Enhanced CD/CD- Extra
Enhanced-cd's only look copy protected. On the cd there is behind the audio tracks a hybrid track with multimedia content for Windows and Mac. In Explorer you can only see the data part of the cd, while cd players only play the audio part. There is usually the 'Enhanced CD' logo on the back of the cd.
Every burning program that supports multisession cd's. Linux and Mac OS (X) show both the audio tracks and the data track separate, so this is also a work around.
+
Live - V, Bush - Golden State, Kylie Minogue - Can't get you...

MediaCloq
(SunnComm)
This cd can only be played on a stand-alone cd player. The pc consumer will be redirected to the web page with the label of that cd. MediaCloQ marks all audio tracks as data tracks, and fools most pc drives. MediaCloQ 2.0 protected cd's can be played from a pc-drive.
Until now only readable with Plextor PX40 and CloneCD. Various drives can burn it.
--
Heather Nova - South, NSync - Celebrity

SafeAudio
(Macrovision)
No visible clues. When playing these cd's in a pc-drive the copy protection generates errors, the same when grabbing it for a mp3.
The 'Burst Copy Mode' of different cd-grabbers. The alternative cd driver CDFS.vxd by 'Cyber7' bypasses the copy protection.
-
none known

SCMS
(Sony)
Prevents any further reproduction of DAT- and MiniDisc- recordings by setting a copy- bit.
An extern copy-bit- killer is required, or a sound card which generates a SCMS- signal.
0
Heather Nova - South, commercial minidisks.

Software/ Games-cd
CD-Cops
(Link Data Security)
Copy protection is recognisable by the files cdcops.dll and *.gz_ (16-bit applications). With 32-bit applications there is a file in the root directory ending on .w_z.
The cd can be read in RAW mode. The executable file can also be decrypted with the use of McLallo's CD-Cops 32 Decryptor.
-
Seit 1997

DiscGuard
(TTR Technologies)
On the cd there are the files ioslink.vxd and ioslink.sys. The executable file is encrypted and is verified first.
The cd can be read out in RAW mode, the subchannels have to be copied as well.
0
Omikron: Nomad Soul

Laserlock
(MLS International)
These cd's are visually recognisable, on the inner circle of the cd. There is also a hidden directory called 'Laserlok'. The files stored in there contain corrupted sectors.
CloneCD, BlindRead with the option to skip reading errors. The writer has to support the burning of corrupt sectors. Other wise use Deamon Tools.
3
Decent 3, Desperados, Icewind Dale

LockBlocks
(Dinamic Multimedia)
Older copy protection, has two circles visible and corrupt sectors.
Almost all modern burning programs can do this.
-
Indiana Jones 5

ProtectCD
(VOB)
Only after extensive analysis you will see that this cd violates the ISO- specification: 'mixed mode' with a data session, continued by a audio track and another data track. The audio tracks are shorter than 4 seconds and also violate the cd specification. The last data track consists entirely out of corrupt sectors. There is a Digital ID in the subchannels (also with audio).
The cd can be read out in RAW mode, subchannels have to be read out as well.
0
Wiggles, America

SafeDisc
(C-Dilla, Macrovision)
In the main- directory you will find files like dplayerx.dll, clcd16.dll, clcd32.dll, clockspl.exe and 00000001.tmp. There will also be a loader game.exe and the encrypted executable game.icd. There are over a thousand reading errors in the first three percent of the cd. The authenticity of the cd is checked by a digital signature and the number of corrupted sectors.
The cd can be read out in RAW mode. There are generic SafeDisc patches. You can also use Deamon Tools to simulate this type of copy protection.
+
Midtown Madness 2, Madden 2001, Dark Vengeance

SafeDisc2
(Macrovision)
drvmgt.dll, secdrv.sys, 00000001.tmp (and other) in the root directory. The SD-loader is in the game.exe. Besides the corrupted SD 1 sectors it now also uses SD 2 weak sectors. And with FIFA 2002 there is also a ATIP- check.
See article.
++
Aquanox, Operation Flashpoint, Battle Realms, Soul Reaver 2

SecuROM
(Sony DADC)
There are different types: the first and older version has the files cms16.dll, cms(32)_95.dll or cdms(32)_nt.dll and in the inner circle of the cd it states 'Sony DADC'. With the new version there are the files sintf16.dll, sintf32.dll, sintfNT.dll in the Window/ System directory. This type of copy protection also checks for a digital signature in the subchannel data of the cd. An ATIP-check blocks the compatibility of a copy with cd- writers. Sometimes there are also data tracks on the cd which contain corrupt sectors.
The cd has to be read out in RAW mode (including all the subchannels). There are generic SecuROM cracks, or you can use Deamon Tools.
+
Diablo 2, Rally Championship 2000

Star Force
(Protection Technology
Only used in Russia, no further information available, www.star- force.com.
none known methods
--
Codename: Outbreak, IL 2

Tages
(Thomson)

Almost the same as SafeDisc2, but with some extra features. It is not yet possible to make 1:1 copies, not even with writers that can copy SafeDisc2 cd's.
No 1:1 copies possible, only usable when a patch is available.
--
Motoracer 3

Other

CD-check
The program checks on undivided intervals if the original cd is still in the cd- drive. The cd is functions as a dongle.
No-CD-patch or cd- emulator (Deamon Tools).
++
Empire Earth, Alien vs. Predator 2

Cd-key
No real copy protection, the program only asks for cd-key which is needed to install it.
Serials2K, and other serial generators. All available at astalavista.box.sk.
++
Software, Online Games.

Invalid Sectors
Physical errors on the cd (rings or even drilled holes), which generate errors when the cd is read out per sector.
Every burning program that can read out in RAW mode and can skip corrupt sectors.
++
Most protected cd's

Dongle
The software is supplied with hardware, which usually is meant for the parallel or USB- port. The software checks it presents.
Patches that disable the dongle call.
-


AutoCAD

Manipulated TOC and dummy-files
Separate files appear to be bigger that the capacity of the cd, or in case of a audio-cd, the tracks will have a negative length. This is caused by manipulated registrations in the TOC.
Burning programs that ignore false TOC-registrations and support RAW mode.
-
DVD to Disk, Commanche 4

Video/DVD

CSS (4C)
DVD's copied to the hard disk can't be played in total, because parts are encrypted. CSS is one ofeven copy protection methods for DVD's.
DVD-rippers who crack the CSS protection of the DVD (Vobdec or SmartRipper).
++
Almost all Hollywood movies

Macrovision, APS (Macrovision)
With the transfer of DVD to video the movie only appears in black and white or other wrong colours.
The Macrovision for video-in/out of special filter hardware.
++
About 700 million DVD's

RAW Writers

Without matching hardware are also the hands of programs in the category ?CloneCD? tied. Only cd-writers that can work with RAW-datamode can defeat the current copy protection. This means that the cd-writer has to be able to write and write both the useful data and the bytes meant for error correction without changing anything. There is a total of 2532 bytes a sector meant for error correction. The reading can be done by your cd/dvd-rom).

The simplest way of copy protection is when the cd itself is used as a dongle. But a ?no-cd? patch easily overcomes this. Previously the software only checked if the cd had the right name and if it was in the cd-drive. Nowadays these checks require a little more effort: a part of all copy protection techniques is the physical manipulation (?drilled? holes or other marks on the data side of the cd) or logical errors. If those are missing, the copy protection will think it is a copied cd and refuses to start the software. That?s why error correction data (ECC) should be copied one on one.

With a lot of copy protections the cd-reader/writer has to able to deal with so called ?subchannels?, which contain extra data (cd-text etc.). The copy protection stores a digital signature in the subchannels, which should authenticate the originality of that cd. Examples of copy protection that uses this method are SecuROM, ProtectCD, Laserlock and on Playstation LibCrypt.
With pc-games there are only two subchannels (P: track status, Q: among others; time display). Although most new drives can read them correctly, only few support all subchannels (P ? W). Full subchannel support is only needed when copying Playstation games.

On the websites of CloneCD and BlindWrite you can find extended list of tested writers, which support the different writing methods.
A few methods are aimed directly at cd-r/-rw-writers. The software checks at the start which contents the ATIP (Absolute Time in Pre Groove) of a data-cd has. If a (re) writable medium is concerned the copy protection will recognize it?s cd-signature and abort the start. Because only cd-writers read the ATIP, cd/dvd-rom?s are immune for this trick. CloneCD is equipped with a filter driver (Hide CD-R Media), which will fool the program, ensuring that the program will also start from a cd-writer.

Recently there is a new challenge for hard- and software. To beat the copy protection SafeDisc2 from Macrovision you need to have a cd-writer that supports ?weak sectors?.

Conscious Weaknesses

This method used by SafeDisc2 is on it?s own weird: it uses sectors which cd-writers seemingly copy with success, but which proof to be unreadable when you actually use the cd. To do this the copy protection uses weak points in the cd-rom standard, the weak point SafeDisc2 is using is the actual implementation of that very same standard in cd/dvd-rom- drives.

The data lies ?unencrypted? on the cd, but first they go through a series of prewritten steps of the cd-rom standard: first the data goes through a ?scrambler? which makes sure that the data before burning isn?t in regular bit patterns. These bit patterns can be the reason for the next step, called Eight-to-Fourteen-Modulation (EFM), there will be errors on the written cd which makes the data on it unreadable.

Because the scrambler works according to a prewritten schedule you can prepare the data (using inverse operation) so that they will produce weak sectors after the split up.

You can outsmart copy protection by burning similar patterns, and interrupting the writing of the artificial errors. The error correction codes, which stay intact on a RAW copy, can be corrected when reading the cd. The tool ?Betablocker? (www.geocities.com/cdbeta/) repairs weak sectors in almost the same way. BlindWrite and CloneCD also support the boosting of weak sectors, so other cd-writers can burn SafeDisc2-cd?s (www.physics.udel.edu/ wwwusers/watson/scen103/efm.html).
A lot of (newer) cd-writers can burn SafeDisc2-protected cd without tricks, if they support RAW-writing (www.sd2.does.it). In the compatibility list of CloneCD there are certain cd- writers with the note ?correct EFM encoding of regular bit patterns?, these once are especially good at beating the SafeDisc2 copy protection system.

Demonical Cheaters

If you don?t have a cd-writer which supports SafeDisc2 and you don?t want to buy one, you can use, in most cases, Deamon Tools (www.deamon-tools.com). This free program is a normal cd-emulator for Windows, which will mount images as a normal cd. The Deamon Tools are, in contrast to their commercial competitors (VirtualCD and SimDisk), a little more refined. It is especially made to paralyse three different types of copy protection: SecuROM, Laserlock, SafeDisc 1 and 2.

The program intercepts the communication between the drive and the Operating System, and simulates the copy protection. In the mean time a lot of software manufacturers have updated their installation routine to search for an installed version of Deamon Tools, is one found, the installation process will be aborted.

Because every copy protection has it?s own tricks, there are special settings in CloneCD for each. CloneCD is very compatible with Clony XXL (www.clonywelt.com) together with the TCCD Database, which contains over 4200 pc- and playstation-games (www.clonecd.net/ protection.htm).

But even programs like Blindwrite and CloneCD can screw up. So the last thing you can try is go to Game Copy World and look for a patch for your game (www.gamecopyworld.com).

Final Words

Despite the efforts of the multimedia-industry it still will be possible to make 1:1 copies of audio- or game-cd?s under Windows. The industry does try to make it hard for the incidental copiers by inventing new and improved copy protection methods. Even if programs like CloneCD would disappear over time, there still would be alternatives for people who want to make illegal or legal copied cd?s.

I think it is save to assume that copy protection in the future will be harder to beat, because they will try to disable the programs specifically used for this purpose. The consequence of this will be that most people have to wait longer before they can make a copy of their cd. But still it has proven that most copy protection isn?t as save as they promised.

It does make you wonder why the windows variants of certain programs are heavily secured, and the same Linux and Mac variants aren?t.

Future-proof-writers simply do not exist. Even if you are in the possession of an expensive Plextor writer that supports RAW mode, subchannels and weak sectors, you can?t assume it can handle all future copy protection methods. On the other hand, the ISO specifications can?t be bend anymore without braking a few.

Links

CloneCD supported writers:

http://www.elby.org/clonecd/english/index.htm

BlindWrite supported writers:

http://www.blindwrite.com/tested/writers.htm

Complete EFM-list:

http://www.physics.udel.edu/wwwusers/watson/scen103/efm.html

Writers which support SafeDisc2:

http://www.sd2.does.it/

CloneCD extra software:

http://www.clonecd.net/protection.htm

http://www.clonywelt.com/

Game Copy World Homepage:

http://www.gamecopyworld.com/

Betablocker Homepage:

http://www.geocities.com/cdbeta/

Deamon Tools Homepage:

http://www.deamon-tools.com/

Greetz, OpioN, with special thanks to Zota...

_ top | [ back ]