List of Figures

Chapter 1: CD Organization

Example 1.1: The software implementation of the scrambler shown in Fig. 1.16
Example 1.2: An example of the implementation of the scrambling algorithm borrowed from the Clone CD program
Example 1.3: An example of the application of the table scrambling algorithm written in C
Example 1.4: The first eight members of the pseudo-random sequence used for sector scrambling by Clone CD
Example 1.5: The IDA-C script converting table elements into binary code
Example 1.6: A pseudo-random sequence written in the form of 16-bit words displayed in binary format
Example 1.7: [/etc/RawScrambler.c] The program for computing the scrambling sequence
Example 1.8: An example demonstrating the technique for forming F1 frames (for the case, in which the frame and sector boundaries match)

Chapter 2: Power of Reed-Solomon Codes

Example 2.1: An example of the simplest four-bit code with Hamming distance equal to one. Such a code is widely used in computing, despite its inability to detect errors
Example 2.2: An example of a four-bit code with Hamming distance equal to 2. This code is already capable of detecting single errors
Example 2.3: An example of 10-bit code with Hamming distance equal to 5. This code can detect 4-bit errors and correct 2-bit errors
Example 2.4: An attempt at correcting a 4-bit error
Example 2.5: The correcting capabilities of a simple Hamming code
Example 2.6: The codeword with check bits
Example 2.7: Calculation of the effective information capacity of Hamming codes for codewords of different length
Example 2.8: Calculation of the effective information capacity of Hamming codes for codewords of different length
Example 2.9: [/etc/EDC.ECC/rs.simplest.c] The simplest example of implementation of the Reed-Solomon coder/decoder
Example 2.10: The output of the simplest Reed-Solomon coder/decoder
Example 2.11: Addition carried out according to the rules of polynomial binary arithmetic (left) and according to the rules of normal binary arithmetic (right)
Example 2.12: The function implementing addition/subtraction in Galois fields
Example 2.13: Look-up table for GF(256). The leftmost column specifies polynomials/indexes (designated as i), the second column represents the table of powers of the trivial polynomial 2 (designated as alpha), the third column contains indexes corresponding to the current polynomial (designated as index)
Example 2.14: The procedure of generating the lookup table of quick polynomial multiplication
Example 2.15: A function of fast multiplication in Galois Fields using a table
Example 2.16: The function of fast division of polynomials in Galois fields
Example 2.17: The key fragment of the Reed-Solomon coder/decoder from the original code of the IBM 3370 hard disk firmware
Example 2.18: The key fragment of the Reed/Solomon coder/decoder from the IBM 3370 hard disk firmware
Example 2.19: The source code for the simplest Reed-Solomon encoder
Example 2.20: Dynamic loading of the ElByECC.DLL library
Example 2.21: The prototype of the GenECCAndEDC_Mode1 function
Example 2.22: Structure of the raw sector
Example 2.23: The prototype of the CheckSector function
Example 2.24: An example of calling ElByECC.DLL functions from your program

Chapter 3: Practical Advice on Urgent System Recovery

Example 3.1: Installing Doctor Watson as the default debugger
Example 3.2: An example of a report produced by Doctor Watson (with the author's comments in bold)
Example 3.3: Specifying Microsoft Visual Studio Debugger as your default debugger for critical errors
Example 3.4: A demo example that causes a critical exception
Example 3.5: Microsoft Visual Studio Debugger has disassembled the function that has thrown an exception
Example 3.6: Searching for the return address from the current function (in bold)
Example 3.7: Disassembled listing of the parent function
Example 3.8: The contents of the Call Stacks window displayed by Microsoft Visual Studio Debugger
Example 3.9: Stack content after unwinding
Example 3.10: Disassembled listing of the grandmother function
Example 3.11: Return address from the grandmother function
Example 3.12: Disassembled listing of the great-grandmother function
Example 3.13: The contents of the registers saved in the stack along with the return address
Example 3.14: A classic message-handling loop
Example 3.15: Searching TranslateMessage/DispatchMessage functions in the import table
Example 3.16: The disassembled listing of the message-handling function
Example 3.17: A fragment of the disassembled listing of the Run function
Example 3.18: The addresses of the IsIdleMessage/PumpMessage functions located in the data section
Example 3.19: Stubs to the IsIdleMessage/PumpMessage functions located in the data segment
Example 3.20: Virtual table of the CWinThread class
Example 3.21: The instance of CWinThread, manually located in memory
Example 3.22: The results of disassembling the memory dump from the current address
Example 3.23: The stack contents don't provide any clues to the actual nature of the critical error
Example 3.24: A BSOD copy saved in the system log
Example 3.25: The results of disassembling the memory dump at the address reported by BSOD
Example 3.26: A copy of a BSOD in the program dump header
Example 3.27: Bug Check parameters displayed in more readable format

Chapter 4: Interfaces for Interaction with the Hardware

Example 4.1: An example illustrating the opening of the device
Example 4.2: The prototype of the DeviceIoControl function
Example 4.3: [/IOCTL.CDDA.raw.read.c] A function demonstrating techniques for reading raw sectors via a CDFS driver (intended for CDDA discs only)
Example 4.4: [/IOCTL.read.TOC.c] A sample program interacting with the CDFS driver via IOCTL and reading the TOC contents (with decryption)
Example 4.5: [/cooked.sector.read.c] An example illustrating the technique for reading sectors in cooked mode
Example 4.6: Brief description of the SCSI_REQUEST_BLOCK structure
Example 4.7: The format of the SCSI_PASS_THROUGH_DIRECT structure (the SCSI_PASS_THROUGH structure is similar to it in many respects; however, it doesn't ensure data transmission through DMA)
Example 4.8: Opening the drive in order to get its descriptor, which will be used for device control
Example 4.9: Passing the IOCTL_SCSI_PASS_THROUGH structure
Example 4.10: [/SPTI.raw.sector.read.c] The function that reads raw sectors via SPTI
Example 4.11: The SRB_ExecSCSICmd structure
Example 4.12: Sequential polling of ports in order to detect devices connected to them
Example 4.13: Devices connected to the author's computer
Example 4.14: [\etc\RAW.CD.READ\aspi32.raw.c] A demo example of a program that reads raw sectors from the CD
Example 4.15: The relationship between logical SCSI devices and native-NT devices
Example 4.16: An example of incorrect operation with a virtual SCSI port
Example 4.17: Opening the SCSI port for controlling the miniport driver
Example 4.18: The purpose of the SRB_IO_CONTROL structure fields
Example 4.19: The SMART control commands in Windows NT, which can be passed to the miniport driver via the ControlCode field of the
Example 4.20: The SENDCMDINPARAMS structure providing direct access to IDE registers
Example 4.21: The IDEREGS structure providing low-level access to IDE registers
Example 4.22: A fragment of the disassembled listing of the ATAPI.SYS driver
Example 4.23: [/etc/SCSI.mini-port.c] A sample program demonstrating the technique of interacting with the SCSI miniport
Example 4.24: Checking whether addresses of accessed ports belong to the range of virtual device ports created by the driver
Example 4.25: Calculating the actual port address via the base address
Example 4.26: Pseudo-code of the OUT instruction
Example 4.27: [/etc/GIVEIO.c] A demo example of the driver opening direct access to the I/O ports from the application level
Example 4.28: [/etc/GIVEIO.demo.c] An example of input/output to the port from the application level
Example 4.29: A key fragment of a program illustrating the technique for communicating with the MSCDEX driver from a 16-bit DLL executed in Windows

Chapter 5: Methods of Revealing Protection Mechanisms

Example 5.1: An example illustrating the determination of the protection mechanism using Soft-Ice
Example 5.2: The contents of intercepted CDB blocks sent by Alcohol to the device in the course of fast clearing of the disc
Example 5.3: The contents of intercepted CDB blocks sent by Alcohol to the device in the course of CD burning
Example 5.4: [/etc/CD.lock.c] The utility for locking/unlocking the CD-ROM tray

Chapter 6: Anti-Copying Mechanisms

Example 6.1: The contents of a valid TOC in RAW format
Example 6.2: Attributes of track 1
Example 6.3: The attributes of track 1 before distortion (left), and after distortion (right)
Example 6.4: The summary information on the image to be written, displayed by Alcohol
Example 6.5: The summary information on the image to be written displayed by Clone CD
Example 6.6: Note that Clone CD has recognized only the first session, and, further, done it incorrectly
Example 6.7: The image of the protected disk obtained using the Clone CD program (Incorrect fields are highlighted in bold)
Example 6.8: [crackme.9822C095h.c] A demo example of the simplest protection binding to the incorrect TOC and preventing unauthorized copying
Example 6.10: A sector from the Pre-gap area of an audio track (left) and data track (right)
Example 6.9: An example of a raw disc TOC with comments
Example 6.11: Defining the length of the Pre-gap area by subchannel data
Example 6.12: Example of a TDB from a disc burnt using Nero
Example 6.13: An example of a subchannel data section. The field highlighted in bold contains the number of the current track
Example 6.14: Creating a fictitious track: track 2. All changes are in bold, and the contents of the original fields are shown in odd columns
Example 6.15: A demonstration of the changes of subchannel information in the course of disc copying
Example 6.16: A fictitious track in the Post-gap of the genuine track, located at the address 00:01:00
Example 6.17: Clone CD displays incorrect information about the length of the first track
Example 6.18: The reaction of Alcohol 120% to the fictitious track in the Lead-Out area (the error-skipping option is disabled)
Example 6.19: The Alcohol 120% reaction to a fictitious track in Lead-out (the error-skipping option was enabled)
Example 6.20: An attempt at reading the X-sector of the original disc using the READ CD command results in the following error: Sense Key == 3 MEDIUM ERROR (left); a disc duplicate obtained using Clone CD behaves similarly (right)
Example 6.21: An attempt at reading the header of the original disc using the READ HEADER command results in the following error: Sense Key == 5 ILLEGAL REQUEST (left), but the copy obtained using Clone CD is processed normally (right)
Example 6.22: An attempt at positioning on the X-sector of the original disc using the SEEK command with subsequent reading of subchannel information using the READ SUBCHANNEL command results in an interesting effect: the drive doesn't diagnose an error, but it also doesn't move the optical head and, after the READ SUBCHANNEL command is issued, it returns subchannel data from its previous location (left). A disc duplicate obtained using Clone CD, on the contrary, doesn't prevent head positioning on the X-sector and successfully returns its subchannel data (right)
Example 6.23: Having encountered a disc with fictitious track in the Post-gap area, Clone CD incorrectly computes its length (in bold and gray)
Example 6.24: Alcohol 120% without skipping errors
Example 6.25: Alcohol 120% with error-skipping enabled. Having reached 100 percent, it freezes, but continues to report bad sectors
Example 6.26: Alcohol 120% with fast error skipping
Example 6.27: Clone CD's reaction to a fictitious track coinciding with the genuine track
Example 6.28: Creating a gap between the second and the third track. Odd columns, filled with gray, contain the original contents of the CCD file. Even columns show the modified values (modifications are in bold)
Example 6.29: Changing the number of the first track. Original values are in the columns marked in black, while modified values are shown in the columns marked in gray. The modified values are set out in bold and marked with arrows.
Example 6.30: Changing the number of the second track
Example 6.31: Changing the map
Example 6.32: The data on the protected disc (left) and data on the disc image created by Alcohol 120% (right)
Example 6.33: A map of the protected disc tracks (left) and disc map created by Alcohol 120% (right)
Example 6.34: The data for the protected disc (left) and information taken from its image created by Clone CD (right)
Example 6.35: Creating a gap in the numbering of tracks of the first session
Example 6.36: Clone CD has reacted inadequately to the gap in the track numbering
Example 6.37: Clone CD has incorrectly determined the number of tracks to be eight tracks (actually, there are two)
Example 6.38: Clone CD incorrectly displays track numbers
Example 6.39: TOC contents of the original disc (left) and that of the copy produced by Clone CD (right)
Example 6.40: How Alcohol 120% opens the image of the protected disc
Example 6.41: A fragment of a CCD file with track number zero added
Example 6.42: The original TOC (left; attributes of track 0 are marked by gray shading) and its copy obtained by Clone CD (right)
Example 6.43: Contents of the TOC of an original key disc returned by the TEAC drive
Example 6.44: The TOC of the Soul Ballet Hit Collection disc (left) and the TOC of the key disc (right), returned by the TEAC drive
Example 6.45: The TOC of the key disc returned by the ASUS drive
Example 6.46: A correct interpretation of subchannel information
Example 6.47: The result of reading subchannel information from the Lead-in on the TEAC drive; track 0 is clearly visible
Example 6.48: The result of reading Lead-in subchannel information on the ASUS drive
Example 6.49: The result of reading the subchannel information from the Lead-in area by a NEC drive
Example 6.50: A fragment of the CCD file containing a non-standard track number
Example 6.51: The raw TOC contents with a missing non-standard track
Example 6.52: The starting address of the Lead-out area of the first session
Example 6.53: The contents of the TOC read at the subchannel level on the TEAC drive contain a non-standard track number
Example 6.54: The TOC contents read at the subchannel level on the NEC drive also contain the non-standard track number
Example 6.55: A copy of the protected disc won't contain any non-standard tracks
Example 6.56: Identification of the protected disc
Example 6.57: Forming an entry for copying protected discs
Example 6.58: Creating a protected disc image
Example 6.59: A fragment of the original disc
Example 6.60: A fragment of the copied disc
Example 6.61: Invalid sector headers
Example 6.62: Extended interpretation of the MODE field
Example 6.63: Determining the Lead-out address
Example 6.64: Watermarks implanted into the next-to-last Post-gap sector by the Stomp Record Now! program: The incorrect track number in the sector header (E1h instead of 01h) is marked in bold and framed, and the identifier of the recorder on which the disc was burnt is marked in bold
Example 6.65: [crackme.68E8B0Abh] Searching for watermarks implanted by Stomp Record NOW!
Example 6.66: In the copy of the original disc obtained using Clone CD, watermarks disappear, and the MODE field is corrected in such a way that the program being protected can easily distinguish the original disc from its unauthorized copy
Example 6.67: ASUS drive SENSE-INFO
Example 6.68: NEC drive SENSE-INFO
Example 6.69: TEAC drive SENSE-INFO
Example 6.70: The contents of the original IMAGE.SUB file (the location where the mark will be implanted is in bold)
Example 6.71: The contents of the marked IMAGE.SUB (the mark is in bold)
Example 6.72: The key mark in the Q subcode channel of X-sector (left) and the unprotected disc (right)
Example 6.73: Subchannel information of the X-sector of the original disc (left) and its copy, obtained using Clone CD (right)
Example 6.74: Contents of X-sector returned by ASUS
Example 6.75: Contents of X-sector returned by NEC
Example 6.76: Contents of X-sector returned by TEAC

Chapter 7: Protection Mechanisms for Preventing Playback in PC CD-ROM

Example 7.1: Correcting the CCD to crack a protected disc

Chapter 8: Protection against File-by-File Disc Copying

Example 8.1: The first occurrence of the desired sequence in the disc image
Example 8.2: The second occurrence of the desired sequence in the disc image
Example 8.3: The size of the Personal Jesus.mp3 file is modified on purpose
Example 8.4: A fragment of the file image under consideration
Example 8.5: [crackme.27AF7A2Dh] A demo example illustrating the processing of files with incorrect attributes for starting sector and length
Example 8.6: Soft-ice log file
Example 8.7: [crackme.CEE99D84h.c] Software implementation of a protection mechanism based on an invalid disc TOC
Example 8.8: The hex dump of the header of the file being investigated
Example 8.9: A regular sequence detected inside the file being investigated
Example 8.10: [/etc/DeXOR.c] A demo example of a simple decryptor
Example 8.11: [crackme.765B98ECh.c] Using rand() for storing the encryption key

Chapter 10: Data Recovery from CDs

Example 10.1: The starting addresses of the first tracks of each of the three disk sessions (track number AA is the Lead-out area and isn't of any interest to us)
Example 10.2: A comparison of the contents of the directories of three sessions shows that the second session contains the deleted file, See You.mp3 (in this listing, in bold), which is missing from the third session
Example 10.3: The operating system views the disc contents as shown in this listing. However, we aren't so easily deceived! We know that there is one deleted file
Example 10.4: The disk being recovered has two sessions with starting addresses equal to 0 and 12,000, respectively
Example 10.5: Both sessions contain the same file, asm.drf.zip; however, the starting addresses of the file don't match, and their lengths are also different
Example 10.6: The original starting address of Lead-out (left) and starting address of the first track of the disc (left)
Example 10.7: A key fragment of the reanimating file for 75-minute CD-RW discs


CD Cracking Uncovered. Protection against Unsanctioned CD Copying
CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
EAN: 2147483647
Year: 2003
Pages: 60
