Summary Table of Characteristics of Various Interfaces

CD Burning: Pros, Cons, and Something about

To protect CDs from copying, it is not necessary to undertake the development of a custom CD-burning program. Instead, you can work with the raw disc images supported by Alcohol or Clone CD. Despite the fact that all of these programs impose certain limitations on the images they create, the development of high-quality protection mechanisms is still possible. In other words, these programs easily burn the things that they are unable to copy on their own!

When creating a custom copying program for protected discs, you can do without the burning functionality: it is enough to prepare the disc image (i.e., to read the protected disc correctly). Mass production of the hacked image doesn't present any problem. Thus, it is better to focus directly on the analysis of protected discs rather than reinvent the wheel, developing once again things that were invented long ago. Alcohol and Clone CD have excellent burning capabilities. However, the reading engines of these programs are obviously weak, so that even minor distortions of the control structures of the CD are able to confuse them.

If, despite all of this, you are still convinced that you need a custom program like Nero CD-ROM Burner, there is an answer! Make a call to Maxwell's daemon [i], where it is easier to fall into its clutches than to escape (just kidding). The biggest problem, however, lies in the technique of CD burning, and even a brief overview of it would require a separate book. Having only the standards and specifications for SCSI commands will be insufficient, since they don't clarify many details of the process of generating the various data structures that the drive requires to burn the source image onto a CD correctly. In my opinion, the best manual on CD burning is the Functional Requirements for CD-R (Informative) supplement to the SCSI-3 Multimedia Commands document, a version of which can be downloaded from http://www.t10.org/ftp/t10/drafts/mmc/mmc-r10a.pdf (note that this supplement was removed in later revisions of that document).

It would also be useful to analyze the source code of the CDRTOOLS utility, which can be found at http://prdownloads.sourceforge.net/cdromtool/cdromtool_2002-11-26.zip?download. Of course, a little more than seven megabytes of source code is a rather appalling than appealing prospect. However, I do not know of simpler programs.

A more laborious (but, at the same time, more tempting) method is disassembling the executable files of Alcohol, Clone CD, CDRWin, and other programs, including the monstrous Nero. Complete disassembly is not actually necessary. It is sufficient to intercept the SCSI commands passed to the drive and analyze the sequence of their calls, without forgetting the values of the arguments, which, in fact, contain all of the key data structures.

Depending on the method chosen by the developer of an application for communicating with the device, espionage is carried out either by intercepting the DeviceIoControl function called with the control codes IOCTL_SCSI_PASS_THROUGH/IOCTL_SCSI_PASS_THROUGH_DIRECT (4D004h/4D014h), for the SPTI interface, or the SendASPI32Command function, for the ASPI interface. Applications interacting with the drive via a custom driver can also be intercepted. However, there are no universal solutions here, and each specific case must be considered individually.

Let's look at the Alcohol copier to detect the algorithms for clearing (blanking) and burning CD-RW discs (CD-R is burned in a similar way but, for obvious reasons, doesn't require clearing). Start Alcohol, go to Alcohol copier and then to the Settings tab, click the General link, and choose the WinASPI Layer Interface (safe mode) option in the Disk management interface drop-down list (if it was not chosen before). After changing the interface, the program must be restarted. Exit the program and start it again to make sure that it is usable.

Now, start Soft-Ice (or any other debugger supporting breakpoints on API functions) and, having previously loaded the ASPI exports (NuMega Symbol Loader, File -> Load Exports -> wnaspi32.dll), open the Alcohol.exe process, unpacking it if necessary (as a rule, it is packed with UPX).

Now, try to set a breakpoint on SendASPI32Command by giving the following command to the debugger: bpx SendASPI32Command. However, nothing useful will come of this. Soft-Ice will complain that it can't find such a function, despite the fact that its name is spelled correctly. This is not surprising if we suppose that wnaspi32.dll is loaded dynamically in the course of program execution, so the addresses of the ASPI functions are unknown at the stage of loading Alcohol.exe.

It is possible to set a breakpoint on LoadLibraryA, tracking the loading of all DLLs. However, since Alcohol loads an enormous number of DLLs, the debugging session will take a long time, during which we have to watch the screen and endure the monotonous activity of pressing <Ctrl>+<D> repeatedly. A more advanced monitoring approach is setting a conditional breakpoint that automatically discards all obviously false calls. The corresponding command might look, for example, as follows: bpx LoadLibraryA if *(esp->4) == 'SANW', where SANW are the first two characters of the wnaspi32.dll name written in reverse order, taking into account the case chosen by the program developer (if you do not know this beforehand, it is possible to use a case-insensitive comparison function).

The bpx GetProcAddress command will then allow all of the ASPI functions to be intercepted, including SendASPI32Command. The name of the requested function can be viewed by issuing the d esp->4 command. Having waited until SendASPI32Command appears, issue P RET and, having set a breakpoint with bpx eax, press <Ctrl>+<D> to exit Soft-Ice (all the other breakpoints can be deleted if desired).

When the debugger pops up, issue the d esp->4 command, and the contents of the SRB_ExecSCSICmd structure will appear in the memory dump window. Byte number 30h is the first byte of the CDB (attention: this is the first byte of the packet itself, not a pointer to the packet); bytes 03h and 10h are the data direction flags and the pointer to the data buffer, respectively.

Provided below are examples of spy protocols intercepted in the course of clearing and burning CD-RW.

Listing 5.2: The contents of intercepted CDB blocks sent by Alcohol to the device in the course of fast clearing of the disc

    1E 00 00 00 01 00    PREVENT REMOVAL (ON)
    51 00 00 00 00 00    READ DISK INFORMATION
    1E 00 00 00 00 00    PREVENT REMOVAL (OFF)
    BB 00 FF FF FF FF    SET SPEED
    5A 00 2A 00 00 00    MODE SENSE
    BB 00 FF FF 02 C2    SET SPEED
    5A 00 2A 00 00 00    MODE SENSE
    1E 00 00 00 00 00    PREVENT REMOVAL (OFF)
    51 00 00 00 00 00    READ DISK INFORMATION
    A1 11 00 00 00 00    BLANK
 

Pay special attention to the fact that, for clearing the disc, Alcohol uses the BLANK SCSI command, a detailed description of which can be found in the Multimedia Commands-4 (MMC-4) and Information Specification for ATAPI DVD Devices documents.

Let's continue our activity in the field of espionage by tracing the process of CD burning. The sequence of SCSI commands sent to the device appears as follows:

Listing 5.3: The contents of intercepted CDB blocks sent by Alcohol to the device in the course of CD burning

    Choosing burn from the menu
    BB 00 FF FF FF FF     SET SPEED
    5A 00 2A 00 00 00     MODE SENSE
    AC 00 00 00 00 52     GET PERFORMANCE

    Write dialog appears
    1E 00 00 00 00 01     PREVENT REMOVAL (LOCK)
    51 00 00 00 00 00     READ DISK INFORMATION
    1E 00 00 00 00 00     PREVENT REMOVAL (UNLOCK)

    CD burning in progress
    43 02 04 00 00 00     READ ATIP
    51 00 00 00 00 00     READ DISK INFORMATION
    52 00 00 00 00 00     READ TRACK/ZONE INFORMATION
    5A 00 05 00 00 00     MODE SENSE
    55 10 00 00 00 00     MODE SELECT
    51 00 00 00 00 00     READ DISK INFORMATION
    2A 00 FF FF D2 AC     WRITE(10) -+
    2A 00 00 00 D2 BC     ----------+-- write Lead-In
    2A 00 00 00 D2 CC     ----------+
    2A 00 00 00 65 B3     WRITE(10) -+
    2A 00 00 00 65 CD     ----------+-- write track
    2A 00 00 00 65 E7     ----------+
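The spy protocols above are easier to read once each CDB is decoded field by field. The following Python script is an added example, not code from the book or from Alcohol: it pulls the direction flags (03h), buffer pointer (10h) and CDB (30h) out of an SRB_ExecSCSICmd dump and decodes the MMC commands that appear in Listings 5.2 and 5.3 (the Prevent bit of PREVENT/ALLOW MEDIUM REMOVAL, the signed LBA of WRITE(10), the blanking type of BLANK, the read/write speeds of SET CD SPEED, the page code of MODE SENSE). The structure offsets and flag values come from wnaspi32.h; the SRB sample and its buffer address are constructed, and its WRITE(10) is padded to a full ten-byte CDB because the book prints only the first six bytes of each packet. It goes a little beyond the text by decoding the remaining parameters of each command rather than only naming it.

```python
import re
import struct
from typing import Dict, List

# Offsets inside the ASPI SRB_ExecSCSICmd structure (wnaspi32.h); these are
# the 03h / 10h / 30h offsets named in the text.
SRB_FLAGS_OFF = 0x03      # SRB_Flags: data-direction bits
SRB_BUFLEN_OFF = 0x0C     # SRB_BufLen
SRB_BUFPTR_OFF = 0x10     # SRB_BufPointer
SRB_CDBLEN_OFF = 0x15     # SRB_CDBLen
SRB_CDB_OFF = 0x30        # CDBByte[16]: the packet itself, not a pointer to it
SRB_DIR_IN, SRB_DIR_OUT = 0x08, 0x10
SC_EXEC_SCSI_CMD = 0x02

# MMC opcodes seen in the two intercepted listings
OPCODES = {
    0x1E: "PREVENT/ALLOW MEDIUM REMOVAL", 0x2A: "WRITE(10)",
    0x43: "READ TOC/PMA/ATIP", 0x51: "READ DISC INFORMATION",
    0x52: "READ TRACK INFORMATION", 0x55: "MODE SELECT(10)",
    0x5A: "MODE SENSE(10)", 0xA1: "BLANK", 0xAC: "GET PERFORMANCE",
    0xBB: "SET CD SPEED",
}
MODE_PAGES = {0x05: "Write Parameters", 0x2A: "CD/DVD Capabilities"}
BLANK_TYPES = {0: "full", 1: "minimal (fast)", 2: "track", 3: "unreserve track",
               4: "track tail", 5: "unclose last session", 6: "erase last session"}


def decode_cdb(cdb: bytes) -> str:
    """Describe in one line what a raw CDB asks the drive to do."""
    op = cdb[0]
    name = OPCODES.get(op, f"opcode {op:02X}h")
    if op == 0x1E:                       # byte 4, bit 0: Prevent
        return f"{name}: {'prevent' if cdb[4] & 1 else 'allow'}"
    if op == 0x2A:                       # signed LBA: lead-in sectors are negative
        lba = struct.unpack(">i", cdb[2:6])[0]
        text = f"{name}: LBA {lba}, {'lead-in (negative LBA)' if lba < 0 else 'program area'}"
        if len(cdb) >= 9:                # transfer length is beyond the six bytes the book prints
            text += f", {struct.unpack('>H', cdb[7:9])[0]} blocks"
        return text
    if op == 0x5A:                       # byte 2, bits 5..0: page code
        page = cdb[2] & 0x3F
        return f"{name}: page {page:02X}h ({MODE_PAGES.get(page, 'other')})"
    if op == 0x55:                       # byte 1, bit 4: PF (page format)
        return f"{name}: PF={'on' if cdb[1] & 0x10 else 'off'}"
    if op == 0x43:                       # byte 2 low nibble: format (4 = ATIP); byte 1 bit 1: MSF
        fmt = cdb[2] & 0x0F
        return f"{name}: format {fmt} ({'ATIP' if fmt == 4 else 'other'}), MSF={'on' if cdb[1] & 2 else 'off'}"
    if op == 0xA1:                       # byte 1: bits 2..0 blanking type, bit 4 Immed
        return f"{name}: {BLANK_TYPES.get(cdb[1] & 7, 'reserved')} blank, immed={'on' if cdb[1] & 0x10 else 'off'}"
    if op == 0xBB:                       # bytes 2-3 read speed, 4-5 write speed, KB/s; FFFFh = maximum
        rd, wr = struct.unpack(">HH", cdb[2:6])
        def speed(v: int) -> str:
            return "max" if v == 0xFFFF else f"{v} KB/s"
        return f"{name}: read {speed(rd)}, write {speed(wr)}"
    return name


# A listing line starts with exactly six hex byte tokens; headings such as
# "CD burning in progress" do not match.
CDB_LINE = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}\s+){5}[0-9A-Fa-f]{2})(?:\s|$)")


def decode_listing(listing: str) -> List[str]:
    """Decode every 'XX XX XX XX XX XX  LABEL' line of a spy protocol."""
    decoded = []
    for line in listing.splitlines():
        m = CDB_LINE.match(line)
        if m:
            decoded.append(decode_cdb(bytes.fromhex(m.group(1))))
    return decoded


def parse_srb(srb: bytes) -> Dict[str, object]:
    """Extract the fields an analyst reads first from a dumped SRB_ExecSCSICmd."""
    flags = srb[SRB_FLAGS_OFF]
    direction = "in" if flags & SRB_DIR_IN else ("out" if flags & SRB_DIR_OUT else "none")
    cdb = bytes(srb[SRB_CDB_OFF:SRB_CDB_OFF + srb[SRB_CDBLEN_OFF]])
    return {"direction": direction,
            "buf_len": struct.unpack_from("<I", srb, SRB_BUFLEN_OFF)[0],
            "buf_ptr": struct.unpack_from("<I", srb, SRB_BUFPTR_OFF)[0],
            "cdb": cdb, "decoded": decode_cdb(cdb)}


def build_srb(cdb: bytes, flags: int, buf_ptr: int, buf_len: int) -> bytes:
    """Constructed 32-bit SRB_ExecSCSICmd standing in for a real memory dump."""
    srb = bytearray(0x40 + 18)           # header, 16-byte CDB, 18-byte sense area
    srb[0] = SC_EXEC_SCSI_CMD
    srb[SRB_FLAGS_OFF] = flags
    struct.pack_into("<I", srb, SRB_BUFLEN_OFF, buf_len)
    struct.pack_into("<I", srb, SRB_BUFPTR_OFF, buf_ptr)
    srb[SRB_CDBLEN_OFF] = len(cdb)
    srb[SRB_CDB_OFF:SRB_CDB_OFF + len(cdb)] = cdb
    return bytes(srb)


# First six CDB bytes of Listing 5.2 (fast blank), copied from the book
LISTING_5_2 = """
1E 00 00 00 01 00    PREVENT REMOVAL (ON)
51 00 00 00 00 00    READ DISK INFORMATION
1E 00 00 00 00 00    PREVENT REMOVAL (OFF)
BB 00 FF FF FF FF    SET SPEED
5A 00 2A 00 00 00    MODE SENSE
BB 00 FF FF 02 C2    SET SPEED
5A 00 2A 00 00 00    MODE SENSE
1E 00 00 00 00 00    PREVENT REMOVAL (OFF)
51 00 00 00 00 00    READ DISK INFORMATION
A1 11 00 00 00 00    BLANK
"""

# Constructed sample: the first lead-in WRITE(10) of Listing 5.3 completed to a
# ten-byte CDB (16 blocks of 2352 raw bytes) with a made-up buffer address.
SAMPLE_WRITE_CDB = bytes.fromhex("2A 00 FF FF D2 AC 00 00 10 00")
SAMPLE_SRB = build_srb(SAMPLE_WRITE_CDB, SRB_DIR_OUT, 0x00410000, 16 * 2352)

if __name__ == "__main__":
    for entry in decode_listing(LISTING_5_2):
        print(entry)
    print(parse_srb(SAMPLE_SRB))
```

Run on Listing 5.2, the decoder shows that the second SET CD SPEED asks for 706 KB/s (about 4x) and that the final BLANK is a minimal blank with the Immed bit set, which is exactly the "fast clearing" the listing documents; on the WRITE(10) sample it reports LBA -11604, i.e. the lead-in area, which is why a plain unsigned reading of those bytes would be misleading.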
 

To conclude, here is the list of SCSI commands directly related to CD burning and recommended for careful investigation: BLANK, CLOSE TRACK/SESSION, FORMAT UNIT, READ BUFFER CAPACITY, READ DISC INFORMATION, READ MASTER CUE, READ TRACK INFORMATION, REPAIR TRACK, RESERVE TRACK, SEND CUE SHEET, SEND OPC INFORMATION, SYNCHRONIZE CACHE, WRITE(10). All of the above-listed commands belong to the MMC-1 standard and, therefore, are easy to understand. The text of the standard can be downloaded from http://www.t10.org/ftp/t10/drafts/mmc/mmc-r10a.pdf.

[i] An imaginary creature who is able to sort hot molecules from cold molecules without expending energy, thus bringing about a general decrease in entropy and violating the second law of thermodynamics. After James Clerk Maxwell.



CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
Year: 2003
Pages: 60

flylib.com © 2008-2017.