Protection Mechanisms Based on Physical Defects

Protection Mechanisms Based on Weak Sectors

I had already had plenty of hacking experience when I first encountered these protection mechanisms, but I was greatly impressed by them all the same: anybody would be! Consider for yourself: copying of the protected disc takes place normally and without error. However, when the copy is checked, the check reveals numerous bad sectors, which show up even when the contents of the original disc are copied to the hard disk file by file and then burnt onto the CD-R from there. What causes this effect? Is it a hardware malfunction or, possibly, the result of operations by some intricate driver, secretly installed by the protection during the first run of the protected program? The answer is no. All of the equipment is operating normally and there is no stealth driver lurking. Bad sectors appear even when the disc is copied on a brand new computer with a freshly installed OS.

Investigating the files being copied with a debugger (HEX editor, disassembler) doesn't reveal anything unusual either. If we crack the protection based on binding to the CD (provided that it is present there), then the protected application will start successfully from a hard disk (or Zip drive). It will, however, still be impossible to burn it onto the CD-R. If the protected files are altered in some way (for example, by being compressed using any archiver), they will be copied to CD-R successfully and without errors. This, however, isn't exactly what we are after.

Thus, the reason for the strange behavior on the part of the protection must lie at the physical, and not the software, level. This is the most cunning anti-debugging technique that I have ever encountered! Actually, from the point of view of a hacker without sophisticated measurement equipment at his disposal, a CD-ROM drive is a black box, operating according to approximately the same principle as any other storage medium. Even if we open it, we won't see anything other than a mess of wires and chips. The only thing that remains is to read the standards carefully. After all, if the protection mechanism works on all (or at least on the overwhelming majority of) CD-ROM models, it must be based on standard properties, features or characteristics.

Here is one part of the standard: "A regular bit pattern fed into the EFM encoder can cause large values for the Digital Sum Value in cases where the merging bits cannot reduce this value (see annex E). The scrambler reduces this risk by converting the bits in bytes from 12 to 2,351 of a Sector in a prescribed way." If you still think that CD-ROMs are the ideal storage media for executable files and databases, you are sadly mistaken. CDs were initially developed for storage and playback of music. Only after considerable efforts and wondrous advances in engineering theory did they agree to store binary data. Note the non-italicized words in the quotation above. The scrambler does not guarantee that the data being written will be readable. It simply reduces the risk of encountering unfavorable (from the drive's point of view) sequences to an acceptable level. Nevertheless, with enough effort, it is quite possible to create a couple of files stuffed with such unfavorable sequences. Theoretically, these files will be readable, but only CD-ROM models of the highest quality will be able to cope with this task, while all others will fail and return an error message.

Let's consider the following combination: 04 B9 04 B9 04 B9. Having consulted the EFM encoding table, we find that 04 is converted to 01000100000000, and B9 to 10000000001001. Now let us try to write them together: 01000100000000 xxx 10000000001001 yyy 01000100000000, where xxx and yyy are merging bits. Since 04 has eight trailing zeros, and B9 starts with 1, the only possible combination for the first set of merging bits is 100. Accordingly, because B9 is terminated by 1 and 04 has only one leading zero, the only possible combination for the second set of merging bits is 000.

Look at the effect that this sequence produces (Fig. 9.9). The DSV value is sharply negative! This means that pits dominate over lands and the disc surface becomes very dark. Consequently, the tracking device will lose the track because of insufficient brightness of the light falling onto the photoelectric receptor. Most interesting here is the fact that, according to the standard, such bit combinations are not required to be readable (although some drive models cope with this task successfully). Would anyone still cling to the fallacy that CDs represent a reliable storage medium?

[Figure] Fig. 9.9: Physical representation of the 04 B9 04 sequence

If, of course, we simply create a file stuffed with \x04\xB9\x04\xB9, its recording and subsequent reading will take place without problems, because the data flow being recorded is scrambled beforehand! A well-chosen scrambling algorithm shouldn't allow for an efficient inverse transformation. Otherwise, the hacker can pass the most unfavorable regular sequences through an anti-scrambler, and then, after repeated scrambling, they will be written to the disc in their initial form. So here's a complaint: the scrambling algorithm used by the CD-ROM allows for exactly this kind of reversible conversion! All you'll need for the writing of an anti-scrambler is a couple of free evenings and the text of the ECMA-120 standard. Since the scrambling algorithm is based on the XOR function, repeated scrambling of data already processed by the scrambler converts this data back to its initial form. Thanks to this, we can get by with just one function, that of the scrambler.

Having passed the protected files through the scrambler, we will discover that they contain at least one very unfavorable sequence, for which the DSV is strongly negative (or, on rare occasions, strongly positive). Generally speaking, it is considerably different from zero. Having complemented the scrambler with a function for computing the DSV (details of its implementation are described in ECMA-120), we get an automatic scanner for protection mechanisms based on weak sectors. Wow! Isn't this great?! If such unfavorable sequences are discovered in the protected files, don't even try to copy them to CD-R: you'll fail.
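The merging-bit choice for 04 B9, the DSV bookkeeping behind Fig. 9.9, and the XOR scrambler that doubles as its own anti-scrambler can all be checked with a short program. The following Python is an added example, not code from the book; the LFSR parameters (15-bit register, feedback x^15 + x + 1, preset to 1, applied to bytes 12 to 2351 of a raw sector) are taken from the CD-ROM standard's scrambler definition rather than from this page, and the 14-bit EFM symbols are the ones the text quotes.

```python
import re
SECTOR = 2352                 # raw sector; bytes 0..11 are sync + header
EFM_04 = "01000100000000"     # 14-bit EFM channel symbols quoted in the text
EFM_B9 = "10000000001001"

def scramble_table(n=SECTOR - 12):
    # Scrambler sequence from a 15-bit LFSR (x^15 + x + 1, preset to 1);
    # the least-significant bit of each byte is emitted first.
    reg, table = 1, bytearray()
    for _ in range(n):
        b = 0
        for i in range(8):
            b |= (reg & 1) << i
            fb = (reg ^ (reg >> 1)) & 1        # new bit = s0 XOR s1
            reg = (reg >> 1) | (fb << 14)
        table.append(b)
    return bytes(table)

_TABLE = scramble_table()

def scramble(sector: bytes) -> bytes:
    # XOR bytes 12..2351 with the sequence; XOR twice is the identity, so
    # this single function is also the anti-scrambler the text talks about.
    if len(sector) != SECTOR:
        raise ValueError("expected a 2352-byte raw sector")
    out = bytearray(sector)
    for i, s in enumerate(_TABLE):
        out[12 + i] ^= s
    return bytes(out)

def rll_ok(bits: str) -> bool:
    # EFM run-length rule: between any two ones there are 2 to 10 zeros.
    return all(2 <= len(z) <= 10 for z in re.findall(r"(?<=1)(0*)(?=1)", bits))

def merging_bits(prev_sym: str, next_sym: str) -> list:
    # 3-bit merging patterns (at most one 1) that keep the join legal.
    return [m for m in ("000", "001", "010", "100") if rll_ok(prev_sym + m + next_sym)]

def dsv(channel_bits: str, level: int = 1) -> int:
    # Digital Sum Value under NRZI: every 1 flips pit<->land (level), and
    # every channel-bit period adds +1 or -1 for the current state.
    total = 0
    for bit in channel_bits:
        if bit == "1":
            level = -level
        total += level
    return total

def weak_frame_dsv(repeats: int, level: int = 1) -> int:
    # DSV of 04 B9 04 B9 ... with the only merging bits the rule allows.
    frame = EFM_04 + merging_bits(EFM_04, EFM_B9)[0] + EFM_B9 + merging_bits(EFM_B9, EFM_04)[0]
    return dsv(frame * repeats, level)
```

With the start state taken as +1 the 04 B9 stream gains 14 per 34-bit frame and never returns toward zero; whether that drift reads as negative or positive depends only on the pit/land state at the frame's start.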

But how can we explain the fact that these same unfavorable sequences are successfully read from the original disc?! To answer this question, we'll have to go deep into the maze of CD spiral tracks. This journey will be long and full of dangers. People will try to warn you and talk you out of it. For instance, here is a quotation from the work of some anonymous author: "actually, things are even more interesting, since, in addition to sectors, there are also sections of the same effective size, but having mismatching boundaries, part of the addresses being sector addresses and part being section addresses. However, it is better to forget about it immediately ;)". The smiley terminating this phrase stimulates your curiosity and leads you to reread the standard repeatedly (because, unfortunately, there is nothing more informative at hand). One way or another (see the forum on http://club.cdfreaks.com), we will discover that the boundaries of sectors and frames may or may not coincide. The sector can start from the 0th, 4th, 8th, 12th, 16th, or 20th byte! Changing the starting point inevitably changes the DSV of the first frame, and the most interesting facts begin here. If the number of binary ones in the frame is odd, then the next frame is inverted (which means that the pits and lands exchange positions). Otherwise, the next frame appears as is. Thanks to this, it becomes possible to compose a regular sequence that will be quite favorable for one of the entry points and very unfavorable for all others.

Unfortunately, recorders still do not allow you to choose the entry point arbitrarily, and set it themselves, at their own discretion. Good recorders (like Plextor) choose the entry point so as to minimize the absolute value of the sector DSV (because of this, they allow for the copying of protected discs without problems). Unfortunately, the vast majority of other models aren't this clever, and cannot cope with the task of DSV minimization. Either they don't try to compute the correct entry point or they compute it incorrectly. Consequently, errors appear when trying to read copies of protected discs.

Nevertheless, advanced copiers (Clone CD, for example) long ago bypassed protections of this type. How did they manage this? Having prepared the sector image for burning in raw mode, they slightly disfigure its contents, thus breaking the unfavorable sequences (the inversion of a single bit of the source data dramatically changes the data after scrambling). The error correction codes (computed beforehand for the unmodified source data) are not changed. As a result, reading a sector written this way will produce an error, which the drive will have to correct on the basis of the redundant information contained in the error-correction codes. After correction, the sector is returned to its initial state.

The advantage of this approach is that the copy of the protected disc contains a weakened protection mechanism that can be freely duplicated in raw mode. Standard copying will still result in an error, though, because honest copiers place corrected sectors on the CD. On the other hand, copiers writing sectors as is cannot distinguish intentionally introduced errors from physical read errors. Writing the uncorrected sector increases the number of errors. Consequently, when attempting to make a copy of a copy, we may end up with an unreadable duplicate (a considerable drawback). Is there any way out? Read the sector, correct it, pass it through the scanner, and, if any unfavorable sequence is detected there, intentionally invert one or more bits in it. Copying errors will then cease to accumulate!


CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
Year: 2003
Pages: 60