Locking and Unlocking the EJECT Button

Investigation of Real Programs

To summarize all of this material and acquire practical skills, let's look at several popular programs that work with CDs at a low level to find out how this interaction is carried out.

Having called on the indispensable Soft-Ice and set the breakpoint to bpx CreateFileA if (*esp->4=='\\\\.\\'), let us sequentially start the following three programs: Alcohol 120%, Easy CD Creator, and Clone CD, each time noting the name of the opened device.

Alcohol 120%

Alcohol 120%, depending on the settings, can access the disc in three different ways: via its own custom driver (by default), via the ASPI/SPTI interface, and via the ASPI Layer. Let's start with the custom driver. Setting the breakpoint on CreateFileA shows that Alcohol opens the \\.\SCSI2: device (the number, naturally, depends on the hardware configuration), and a further check confirms that the DeviceIoControl function receives the same descriptor that was returned when opening the SCSI device! Consequently, what Alcohol calls its custom driver is the miniport driver that it installed in the system during program installation.

Now, let's change the Alcohol 120% settings to make it work via the SPTI/ASPI interface. After restarting the program (Alcohol requires a restart after the access method is changed), we will once again see the \\.\SCSI2 device being opened, and then the disk \\.\G: will be opened (the drive letter, naturally, depends on the hardware configuration). Essentially, this is exactly how interaction with the device via the SPTI interface proceeds. To be more precise, this is how it must proceed. Alcohol 120% opens the \\.\G: disk multiple times, which is an indication of its freaky architecture. This complicates our task significantly, since we must trace all descriptors simultaneously. If we miss just one of them, the reconstructed working algorithm will be incorrect (isn't it interesting to find out how Alcohol 120% copies protected discs?).

Finally, by switching Alcohol 120% to the last mode of interaction with the disc, we will get the following result: \\.\SCSI2, \\.\MbMmDp32, \\.\G:. The device with the name MbMmDp32 is the ASPI driver that we have already encountered. However, in this case it is not entirely clear why Alcohol 120% opens disk \\.\G:, since the ASPI interface doesn't require it.

Easy CD Creator

Easy CD Creator accesses the drive directly by its native name (on my computer, this is CDR4_2K), then opens the MbDlDp32 device, which CDR4_2K registers itself.

Consequently, Easy CD Creator works with the disc via the custom driver. To clarify how it works, we will have to, first, disassemble the CDR4_2K driver and analyze which IOCTL codes correspond to which driver actions, and, second, trace all DeviceIoControl calls (simply set a conditional breakpoint that pops up whenever one of the descriptors returned by the CreateFileA("\\\\.\\CDR4_2K", ...) and CreateFileA("\\\\.\\MbDlDp32", ...) calls is passed).

After formatting the sequence of IOCTL calls in the form of an improvised program, we will be able to reconstruct the protocol of interaction with the disc and find the protection (if there is any).

Clone CD

The breakpoint set on the CreateFileA function indicates that Clone CD communicates with the disc via the custom driver \\.\ELBYCDIO, and, for reasons that are unclear, it is opened in a loop, so that the driver descriptor is returned multiple times.
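The descriptor tracking described above for all three programs can be automated once the CreateFileA, DeviceIoControl, and CloseHandle calls have been logged. The following is an added example, not code from the book or from any of these programs: it assumes a hypothetical "Api(args) = result" log format, and the function names, handle values, and IOCTL codes are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample trace in a hypothetical "Api(args) = result" log format.
# Handle values and IOCTL codes are illustrative, not captured from any program.
SAMPLE_TRACE = r'''
CreateFileA("\\.\SCSI2:") = 0x1A4
CreateFileA("\\.\G:") = 0x1B0
DeviceIoControl(0x1B0, 0x4D014) = 1
CreateFileA("\\.\G:") = 0x1C8
DeviceIoControl(0x1C8, 0x4D014) = 1
CloseHandle(0x1B0) = 1
CreateFileA("\\.\MbMmDp32") = 0x1B0
DeviceIoControl(0x1B0, 0x222000) = 1
DeviceIoControl(0x2FC, 0x4D004) = 1
'''

CALL = re.compile(r'^(\w+)\((.*)\)\s*=\s*(\w+)$')
PREFIX = '\\\\.\\'   # the four-character Win32 device prefix: \\.\

def classify(device):
    # Label a device name by its form only (assumed labels, not Windows terms).
    name = device.removeprefix(PREFIX)
    if re.fullmatch(r'SCSI\d+:?', name, re.IGNORECASE):
        return 'scsi-port'
    return 'drive-letter' if re.fullmatch(r'[A-Za-z]:', name) else 'named-driver'

def correlate(trace):
    live = {}                    # currently open handle -> device name
    opens = defaultdict(int)     # device name -> number of successful opens
    ioctls = defaultdict(list)   # device name -> IOCTL codes in call order
    orphans = []                 # (handle, code) pairs with no recorded open
    for m in filter(None, (CALL.match(l.strip()) for l in trace.splitlines())):
        api, args, result = m.groups()
        if api == 'CreateFileA':
            device, handle = args.strip('"'), int(result, 16)
            if device.startswith(PREFIX) and handle != 0xFFFFFFFF:  # failed open
                live[handle] = device    # a reused handle value is rebound here
                opens[device] += 1
        elif api == 'DeviceIoControl':
            handle, code = (int(x, 16) for x in args.split(','))
            if handle in live:
                ioctls[live[handle]].append(code)
            else:
                orphans.append((handle, code))   # an open was missed in the trace
        elif api == 'CloseHandle':
            live.pop(int(args, 16), None)
    return dict(opens), dict(ioctls), orphans
```

A non-empty orphan list means at least one open was missed, so the reconstructed call sequence is incomplete. The handle 0x1B0 in the sample shows why closes must be tracked too: the same value refers first to the drive letter and later to the named driver.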



CD Cracking Uncovered. Protection against Unsanctioned CD Copying
ISBN: 1931769338
EAN: 2147483647
Year: 2003
Pages: 60
