Preface

Historical Aspect

The first attempts to protect CDs against copying were undertaken in the early 1990s. CD recorders didn't exist at that time, and developers mainly had to prevent unauthorized copying of CD contents to the hard disk. "But what about pirates?" you may ask. Yes, piracy always has been and remains a serious problem. However, attempts at stopping piracy by software protection are naive, to say the least. Those who replicate discs in commercial quantities always employ a team of experienced hackers who crack these protection mechanisms without any real effort. The intellectual potential of the cracking teams in these clandestine enterprises is practically unlimited. They always try to employ the very best (I know this from personal experience, because some years ago, before the adoption of appropriate laws, I also worked on a team like this). The financial factor, by the way, is not the primary one here. Hackers were not paid much and had to work like slaves. The work itself was what attracted them. Where else could you get acquainted with such a large number of different protection mechanisms and learn how to crack them?

To be honest, I have exaggerated a bit in discussing the variety of protection mechanisms available. At that time, the variety amounted to two main types of protection: LaserLock and the code wheel. With the arrival of CD recorders, the importance of protection against copying grew considerably, and protection mechanisms began to sprout like mushrooms after a warm rain. By the beginning of 2003, there were already more than 50 different protection mechanisms on the market. Most of these were marketed on the basis of their developers' know-how. However, most hackers, having analyzed one of these protections with a disassembler, began to feel nostalgic for days gone by, when software came on diskettes and every second program was protected. Contemporary CDs, of course, are different from old-fashioned diskettes. The techniques for protecting them, however, are in principle the same!

Contemporary protection mechanisms mainly use the following methods: non-standard formatting, the introduction of key marks, binding to the disc surface, and weak sectors. Let us consider each member of this family in more detail.

Non-standard formatting, in general, consists of intentionally introducing specific errors to prevent the normal processing of information. For example, if we artificially increase the length of every protected file to ~666 GB by correcting the length field, any attempt at copying such a file to a hard disk will fail. At the same time, the protection mechanism, which knows exactly where each specific file starts and ends, can work with them without any problems. Naturally, such a protection mechanism can be hacked easily by copying the disc at the sector level. However, to do this, the copier must know the exact number of sectors available on the disc. The developer of a protection mechanism can easily tweak the disc structures so that the disc looks either absolutely blank or, on the contrary, grows beyond any conceivable size. Recorders that mechanically read the disc TOC and blindly rely on the correctness of every byte of control data will fail immediately. More advanced ones will manage to determine the actual size of the disc from implicit indications: recorders of this type move the optical head outward for as long as the sectors under it remain readable. Let's assume that the protection uses a cunning mechanism and digs a hole consisting of a bunch of bad sectors near the end of the disc. Some recorders will fall into that pit, thinking that they have reached the end. Others won't be deceived by this trick, because they carefully analyze the information returned by the drive, which should know the cause of the read error, be it the actual end of the disc or simply a bad sector.
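As an added illustration (not code from the book), here is a Python check for the length-field trick just described. It parses an ISO 9660 directory record, whose extent and data-length fields are stored in both byte orders, and flags a record whose two copies disagree or whose declared length runs past the end of the volume. The volume size, the record contents and the file name are constructed for the example.

```python
import struct

SECTOR_SIZE = 2048   # logical block size of an ISO 9660 volume


def build_record(extent, length, name):
    """Construct a minimal ISO 9660 directory record (sample data, not from a real disc)."""
    ident = name.encode("ascii")
    rec = bytearray(2)                                              # [0] record length, [1] ext. attr. length
    rec += struct.pack("<I", extent) + struct.pack(">I", extent)    # extent: LSB copy, then MSB copy
    rec += struct.pack("<I", length) + struct.pack(">I", length)    # data length: LSB copy, then MSB copy
    rec += bytes(7)                                                 # recording date and time (zeroed here)
    rec += bytes([0x00, 0, 0])                                      # file flags (plain file), unit size, gap
    rec += struct.pack("<H", 1) + struct.pack(">H", 1)              # volume sequence number, both orders
    rec += bytes([len(ident)]) + ident                              # identifier length and identifier
    if len(rec) % 2:
        rec += b"\x00"                                              # padding byte keeps the record even
    rec[0] = len(rec)
    return bytes(rec)


def parse_record(rec):
    """Pull the fields the check needs out of one directory record."""
    if len(rec) < 33 or rec[0] < 33 or rec[0] > len(rec):
        raise ValueError("truncated directory record")
    name_len = rec[32]
    return {
        "extent_le": struct.unpack("<I", rec[2:6])[0],
        "extent_be": struct.unpack(">I", rec[6:10])[0],
        "length_le": struct.unpack("<I", rec[10:14])[0],
        "length_be": struct.unpack(">I", rec[14:18])[0],
        "name": rec[33:33 + name_len].decode("ascii", "replace"),
    }


def check_record(rec, volume_blocks):
    """Return the inconsistencies found; an empty list means the record looks sane."""
    f = parse_record(rec)
    problems = []
    if f["extent_le"] != f["extent_be"]:
        problems.append("extent field disagrees between byte orders")
    if f["length_le"] != f["length_be"]:
        problems.append("length field disagrees between byte orders")
    blocks_needed = (f["length_le"] + SECTOR_SIZE - 1) // SECTOR_SIZE
    if f["extent_le"] >= volume_blocks:
        problems.append("extent starts beyond the end of the volume")
    elif f["extent_le"] + blocks_needed > volume_blocks:
        problems.append("declared length runs past the end of the volume")
    return problems


# Constructed volume of 300,000 blocks (about 600 MB) and three sample records.
VOLUME_BLOCKS = 300_000
GOOD = build_record(extent=100, length=4096, name="README.TXT;1")
INFLATED = build_record(extent=100, length=0xFFFFFFF0, name="README.TXT;1")   # length field tampered
SKEWED = bytearray(GOOD)
SKEWED[14:18] = struct.pack(">I", 8192)    # big-endian copy no longer matches the little-endian one
SKEWED = bytes(SKEWED)

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("inflated", INFLATED), ("skewed", SKEWED)):
        print(label, parse_record(rec)["name"], check_record(rec, VOLUME_BLOCKS) or "ok")
```

A copier that trusts the length field copies what the field says; one that runs a check like this can fall back to the extent list or to a sector-level copy when the numbers do not add up.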

Some protection mechanisms play even dirtier tricks, boldly writing irrecoverable errors to the original disc (which means that these errors cannot be eliminated by the special error-correcting codes placed on the CD). If this approach is used to protect an audio CD, its playback will be accompanied by endless clicks. This doesn't happen in practice, because the developers of audio players have provided a special filter that discards data that is sure to be erroneous and uses interpolation when necessary (the current sample is recreated from the averaged values of those that precede and follow it). Naturally, this degrades the playback quality. Media magnates, however, don't give much of a damn about this, and, realistically, the degradation isn't significant. The situation is different with regard to digital playback, however. Early versions of the standard instructed the drive to report only that one or more irrecoverable errors had been encountered, but didn't provide any mechanism for marking the faulty bytes. So the drive has read 2,352 bytes of data and detected that about a hundred of them are invalid! What next? Use interpolation? If the answer is yes, what should we interpolate, and which byte by which?! Analyze the signal manually, searching for spikes? This is too difficult and, anyway, the quality of the restored audio will be very far from perfect. It is, of course, possible to try grabbing the audio stream from the digital audio output. However, most low-end sound adapters do not support this capability, and even where such support is provided, it is implemented so poorly that music lovers would be better off simply shooting themselves. Put simply, dark clouds without the slightest trace of sunshine began to gather over hackers.
However, everything changed after manufacturers began to offer CD drives capable not only of simply reporting read errors, but also of reporting the positions of erroneous bytes within the sector. Now, fully functional interpolation became possible at the interface level! After this, software grabbers exploiting new possibilities arrived quickly.
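The interface-level interpolation just described, as an added Python example that is not from the book. It assumes the drive returns, alongside the 2,352 audio bytes of a sector, a 294-byte block with one error-flag bit per data byte, most significant bit first (the form in which drives report error positions). The waveform and the error pattern are constructed here; each flagged 16-bit sample is rebuilt linearly from the nearest good samples of the same channel, and runs that touch the start or end of the sector hold the one good neighbour they have.

```python
import struct

SECTOR_BYTES = 2352                 # one audio sector: 588 stereo 16-bit samples
C2_BYTES = SECTOR_BYTES // 8        # 294 bytes, one error bit per data byte (assumed layout)
WORDS = SECTOR_BYTES // 2           # 1176 little-endian 16-bit words, L/R interleaved


def flagged_bytes(c2):
    """Indices of data bytes the drive reported as uncorrectable (MSB of c2[0] is byte 0)."""
    return {i for i in range(SECTOR_BYTES) if c2[i // 8] & (0x80 >> (i % 8))}


def words_of(sector):
    """Decode a sector into its 1176 signed 16-bit words."""
    return list(struct.unpack("<%dh" % WORDS, sector))


def repair_sector(sector, c2):
    """Rebuild every flagged 16-bit sample from its nearest good neighbours in the same channel.

    Returns (repaired_sector_bytes, number_of_samples_rebuilt).
    """
    words = words_of(sector)
    bad_words = {i // 2 for i in flagged_bytes(c2)}   # either byte bad => whole sample bad
    fixed = words[:]
    for ch in (0, 1):                                 # 0 = left, 1 = right
        idx = list(range(ch, WORDS, 2))               # word indices belonging to this channel
        k = 0
        while k < len(idx):
            if idx[k] not in bad_words:
                k += 1
                continue
            start = k
            while k < len(idx) and idx[k] in bad_words:
                k += 1
            end = k                                   # idx[start:end] is one run of bad samples
            left = words[idx[start - 1]] if start > 0 else None
            right = words[idx[end]] if end < len(idx) else None
            if left is None and right is None:        # whole channel unusable: silence
                left = right = 0
            elif left is None:                        # run touches sector start: hold next good value
                left = right
            elif right is None:                       # run touches sector end: hold previous good value
                right = left
            run = end - start
            for j in range(run):                      # linear ramp between the two good samples
                t = (j + 1) / (run + 1)
                fixed[idx[start + j]] = int(round(left + (right - left) * t))
    return struct.pack("<%dh" % WORDS, *fixed), len(bad_words)


def set_c2_bit(c2, byte_index):
    """Mark one data byte as bad in a C2 bitmap (helper for constructing the sample)."""
    c2[byte_index // 8] |= 0x80 >> (byte_index % 8)


def make_sample():
    """Constructed test data: a clean ramp, a damaged copy, and the matching error bitmap."""
    clean_words = []
    for n in range(WORDS // 2):
        clean_words += [n * 10, -n * 10]              # left ramps up, right ramps down
    clean = struct.pack("<%dh" % WORDS, *clean_words)
    damaged = bytearray(clean)
    c2 = bytearray(C2_BYTES)
    for sample in (100, 101, 102):                    # three consecutive left samples destroyed
        word = sample * 2
        damaged[word * 2:word * 2 + 2] = b"\xff\x7f"  # garbage value 32767
        set_c2_bit(c2, word * 2)                      # flag only the low byte; the word still counts
    return clean, bytes(damaged), bytes(c2)


if __name__ == "__main__":
    clean, damaged, c2 = make_sample()
    repaired, count = repair_sector(damaged, c2)
    print("samples rebuilt:", count, "identical to clean:", repaired == clean)
```

On the constructed ramp the rebuilt samples coincide with the originals exactly; on real music they are only an estimate, which is why the text calls the result an interpolation rather than a recovery.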

Still, we are running ahead of ourselves. Let's return to that distant past when there were no CD drives, not even in the project phase. All software was distributed on diskettes (both copyrighted and copylefted). Back then, everyone who wanted to protect their diskettes scratched them using any means available: those who had the necessary financial resources burnt the magnetic layer with a laser, while others simply scratched it with a needle or a rusty nail. All that remained to ensure protection was to check whether the surface defect was present at the predefined position. Copying such a diskette without special equipment was not a realistic task, because no one could place the scratches on the copy in the same position as on the original. However, hackers who understood the controller ports quickly came up with the idea that, if they modified the checksum of the key sectors, the diskette would be read with errors despite the fact that its surface was physically intact! CD protection is based on the same method, and CDs can be cracked using the same approach. The manufacturer can stuff the disc with bad sectors and check for their presence every time the protected software is started. This gives rise to the following problems: first, not every copier will agree to copy a disc bearing physical defects. Even if it agrees to do what you ask, you will have to wait a very long time for the copying process to complete (everyone is familiar with the snail's pace of reading defective sectors). Further, the resulting copy will be unusable, because it doesn't contain the defects in the predefined positions.

Less than intelligent hackers simply invalidate the checksum of the sector, thus making the drive return an error (naturally, the recording drive must allow us to write sectors with a checksum error, which is not always the case). This, however, doesn't solve the problem. After all, the disfigured sector is read practically immediately, and the protection mechanism, provided that it isn't absolutely useless, can easily detect that something is wrong here. Alternatively, the protection can carry out a long sector read, which means that the sector with the modified checksum will become readable.

What should a cunning hacker do? This question can't be answered immediately or in simple language. Put simply, the CD format is such that the high-frequency signal produced when a sequence of pits and lands passes under the optical head has no reference level. For the drive to be able to tell where there is a minus and where there is a plus, the number of lands must be approximately equal to the number of pits. If some section of a sector contains only pits, it will be catastrophically dark, and the automatic amplifier will try to increase the laser power, erroneously assuming that something is wrong either with the disc or with the optics. In this case, a number of the pits will turn into lands and the drive will be confused in every respect. First, it will try to recalibrate, drag the optical head about for some time, and only then will it sadly report that this sector is unreadable. From the protection mechanism's point of view, this sector will appear to be damaged, although, at the physical level, its surface is intact.

Now, let's return to the main aspect. Because the drive must be able to record any imaginable (and even unimaginable) data correctly, the developers had to provide a method for bypassing such unfavorable situations. In fact, such a mechanism does exist! To put it simply, there are several possible ways of encoding the data being written to the disc, and the drive must choose the most favorable option. Fortunately (or unfortunately), not every drive is so scrupulous. Since the probability of an unfavorable sequence occurring unintentionally is vanishingly small, some (in fact, many) drives encode the data using a single predefined method. Consequently, it is possible to simulate faulty sectors that practically do not differ from genuinely faulty ones.
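The following Python model is an added example, not from the book, of the choice of encoding the text refers to. Channel bits are NRZI (a 1 toggles between pit and land), the bit stream must keep every run of zeros between two 1s at 2 to 10 bits, and the three merging bits between consecutive 14-bit symbols may be chosen so that the running digital sum (DSV) stays near zero. The 14-bit symbol used is constructed to be lopsided while obeying the run-length rule; it is not an entry of the real EFM table. Comparing a drive that looks ahead at the DSV with one that always takes the first legal merging pattern shows how a single predefined encoding lets the sum run away on an unfavorable sequence.

```python
MERGE_CANDIDATES = ("000", "001", "010", "100")   # every 3-bit pattern with at most one 1
HISTORY = 11                                       # bits of history needed to check the junction


def rll_ok(bits):
    """True when every run of zeros lying between two 1s is 2 to 10 bits long."""
    ones = [i for i, b in enumerate(bits) if b == "1"]
    return all(2 <= j - i - 1 <= 10 for i, j in zip(ones, ones[1:]))


def nrzi_walk(bits, level, dsv):
    """Walk the NRZI signal over bits: a 1 toggles the level, every cell adds the level to the DSV."""
    peak = abs(dsv)
    for b in bits:
        if b == "1":
            level = -level
        dsv += level
        peak = max(peak, abs(dsv))
    return level, dsv, peak


def encode(symbols, adaptive):
    """Join 14-bit symbols with merging bits; return (channel bit string, peak |DSV| reached)."""
    stream, level, dsv, peak = "", -1, 0, 0
    for sym in symbols:
        if stream:                                  # a junction between two symbols
            valid = [m for m in MERGE_CANDIDATES if rll_ok(stream[-HISTORY:] + m + sym)]
            if not valid:
                raise ValueError("no merging pattern satisfies the run-length rule")
            if adaptive:
                # look ahead through the next symbol and keep the DSV closest to zero
                merge = min(valid, key=lambda m: abs(nrzi_walk(m + sym, level, dsv)[1]))
            else:
                merge = valid[0]                    # a drive that never consults the DSV
            stream += merge
            level, dsv, p = nrzi_walk(merge, level, dsv)
            peak = max(peak, p)
        stream += sym
        level, dsv, p = nrzi_walk(sym, level, dsv)
        peak = max(peak, p)
    return stream, peak


# Constructed symbol: 10 cells of one polarity followed by 4 of the other; obeys the run-length rule.
LOPSIDED = "10000000001000"


def compare(repeats=20):
    """Peak |DSV| for a run of lopsided symbols with fixed versus adaptive merging bits."""
    fixed_stream, fixed_peak = encode([LOPSIDED] * repeats, adaptive=False)
    adaptive_stream, adaptive_peak = encode([LOPSIDED] * repeats, adaptive=True)
    assert rll_ok(fixed_stream) and rll_ok(adaptive_stream)   # both streams remain legal
    return fixed_peak, adaptive_peak


if __name__ == "__main__":
    fixed, adaptive = compare()
    print("peak |DSV| with fixed merging:", fixed, " with adaptive merging:", adaptive)
```

With fixed merging the sum grows by a constant amount per symbol, so the longer the unfavorable run, the darker (or brighter) the signal drifts; with look-ahead the two legal patterns are alternated and the sum stays bounded.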

The protection developers saw this as a gold rush! If they could deliberately select an unfavorable sequence of bytes, then a specialized drive would be required to write it correctly. When copying such discs on a normal low-end drive, the original would be read wonderfully, but there would be a lot of bad sectors on the copy and the duplicated disc would be unusable. Sectors with unfavorable sequences became known as weak sectors. To copy such sectors, it is necessary to have a sophisticated high-end drive from a well-known brand manufacturer. But what if you don't have such a drive at your disposal? Does this mean that you are unable to copy such a disc? The answer is no! If the protection doesn't take additional measures, the copier can compute the error-correcting codes for the true unfavorable sequence, then alter the sequence slightly and write it to the disc. At the physical level, such a sector will be readable without any problems. At the logical level, the drive will restore it to its initial form using the redundant codes. However, if the protection reads the sector in RAW mode, it will immediately recognize the forgery. Therefore, not every disc can be copied using this method.

To understand the concept behind the next protection mechanism, we must return to diskettes once again. The physical surface of the diskette is divided into concentric rings named cylinders, and cylinders, in turn, are divided into sectors. When the read head moves from the last sector of one cylinder to the first sector of the next, the diskette keeps rotating, so by the time the head arrives that first sector has already passed by. Consequently, the drive must wait for an entire turn to meet that sector again. Those who spent days and nights in computing centers came up with the idea that, if the sectors of each successive cylinder were shifted, the speed of sequential reading would grow considerably, because the required sector would immediately be under the head. On the other hand, by rotating the sectors of different cylinders by certain angles, we can obtain certain fluctuations of the data-exchange speed. From these fluctuations, the protection mechanism would be able to distinguish a duplicate from the original, because a duplicate wouldn't produce such fluctuations.

Now let's return to CDs. There are, of course, no cylinders, and the sequence of sectors forms a spiral. Positioning the head to sectors on adjacent turns of the spiral track is carried out by deflecting the laser head with a magnetic system (which means that it takes place almost instantly). Positioning to remote sectors involves moving the head along special sliders, which requires considerable time. Knowing the rotation speed of the disc and having measured the time required to position the head to sectors on adjacent turns of the track, we can find the angle between them, which depends directly on the spiral's swirl. Different types of CD-R/CD-RW discs have different spiral structures. Even worse, this structure is created by the manufacturer, which means that the discs are supplied to the market with the preliminary formatting that the CD recorder needs to orient itself. Copying a disc protected in this manner is unrealistic, and therefore it is necessary to emulate it. The copier must carefully measure the angles between different sectors and recreate the initial structure of the spiral. Scanning the disc requires a monstrous amount of time (sometimes several days). The result, however, is worth it.

The disc can also have a catastrophically non-standard format. For instance, it can have sectors of variable lengths. As a result, some sectors will be read faster than others. Because every change of sector length is immediately reflected in the structure of the spiral track, the copier has to deal with two unknown values: the unknown angle of the spiral's swirl and an unknown sector length. From the mathematical point of view, this equation can have many possible solutions. Only one of them, however, is correct. The copier can (and must!) present several variants of the copy and let us decide on our own which of them cracks the protection and which doesn't. Unfortunately, no copier that I am aware of is capable of doing this.

Nevertheless, long sectors represent a stand-alone entity, and some discs rely on these sectors alone for protection. The dark side is that no CD burner available on the market allows us to control the lengths of the sectors being written. There is one trick, though. Although we cannot increase the sector length, we can still create two sectors with identical headers. Having successfully read the first of the two sectors, the drive will ignore the second, but the visible sector length will be doubled. The weak spot of this technique is that we can only increase the sector length by a multiple of two. Even worse, not every drive provides this possibility. Some drives simply refuse to write twin sectors.

Now let's discuss key marks. Besides the user data area of the sector, which is copied by practically every copier, there are numerous locations on a CD that have been poorly investigated. First, there are the subcode channels. There are eight of these channels in total. One stores service information by which the laser head is oriented, the second stores information about pauses, and the remaining six channels are free. Standard copiers do not copy them, and not every burner provides the possibility of writing them. These channels are exactly where protection mechanisms insert key marks!

By the way, subcode channels are stored independently of the main data channel, and there is no direct correspondence between them. First, when reading the subcode channel of sector X, the drive can return the subchannel data of any neighboring sector at its discretion. The second important factor is that most drives have very poor stability characteristics and, when reading subchannel data from sectors X, Y, and Z, can return the data from X, X, X, or Y, Z, X, or Y, Z, Z, or any other combination. Let's assume that the subcode channel of one of the sectors contains a key mark, and we are trying to read it. Will we succeed? Not necessarily. If the service information is modified even slightly, we won't be able to determine which sectors the subchannel data we have read actually belongs to, or whether our sector is among them at all. The only way out is to use a high-quality CD-ROM drive that has good stability characteristics when reading subchannel data.
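An added Python example, not from the book, of the check a reader of subchannel data needs to make after the two paragraphs above. It assumes the drive returns the 96 raw subchannel bytes of a sector in interleaved form (P in bit 7, Q in bit 6 of each byte) and that the Q packet is the ADR=1 position form: a control/ADR byte, track and index, relative and absolute time in BCD, and a CRC-16 (polynomial x^16 + x^12 + x^5 + 1) stored complemented over the first ten bytes. The packets are constructed here. The checker verifies the CRC and compares the absolute address the packet carries with the sector that was actually requested, which is how a drive that returns a neighbour's subchannel is caught.

```python
LEADIN_OFFSET = 150          # LBA 0 sits at absolute time 00:02:00 on the disc


def crc16_ccitt(data):
    """CRC-16 with polynomial x^16 + x^12 + x^5 + 1, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def bcd(value):
    return ((value // 10) << 4) | (value % 10)


def unbcd(byte):
    return (byte >> 4) * 10 + (byte & 0x0F)


def lba_to_msf(frames):
    return frames // 4500, (frames // 75) % 60, frames % 75


def msf_to_lba(m, s, f):
    return (m * 60 + s) * 75 + f


def build_q_packet(track, index, rel_lba, abs_lba, control=0x4):
    """Construct an ADR=1 Q packet (control 0x4 marks a data track). Sample data only."""
    m, s, f = lba_to_msf(rel_lba)
    am, asec, af = lba_to_msf(abs_lba + LEADIN_OFFSET)
    body = bytes([(control << 4) | 1, bcd(track), bcd(index),
                  bcd(m), bcd(s), bcd(f), 0x00, bcd(am), bcd(asec), bcd(af)])
    crc = (~crc16_ccitt(body)) & 0xFFFF           # stored as the complement of the remainder
    return body + bytes([crc >> 8, crc & 0xFF])


def interleave_q(q12):
    """Spread a 12-byte Q packet over 96 raw subchannel bytes, one Q bit per byte (bit 6)."""
    raw = bytearray(96)
    for i in range(96):
        raw[i] |= ((q12[i // 8] >> (7 - i % 8)) & 1) << 6
    return bytes(raw)


def extract_q(raw96):
    """Collect bit 6 of each of the 96 raw bytes back into the 12-byte Q packet."""
    q = bytearray(12)
    for i in range(96):
        q[i // 8] |= ((raw96[i] >> 6) & 1) << (7 - i % 8)
    return bytes(q)


def check_q(raw96, requested_lba):
    """Validate the Q packet and tell whether it really belongs to the sector we asked for."""
    q = extract_q(raw96)
    stored = (q[10] << 8) | q[11]
    result = {"crc_ok": crc16_ccitt(q[:10]) == ((~stored) & 0xFFFF),
              "adr": q[0] & 0x0F, "abs_lba": None, "matches": False}
    if result["crc_ok"] and result["adr"] == 1:
        abs_lba = msf_to_lba(unbcd(q[7]), unbcd(q[8]), unbcd(q[9])) - LEADIN_OFFSET
        result.update(track=unbcd(q[1]), index=unbcd(q[2]),
                      abs_lba=abs_lba, matches=(abs_lba == requested_lba))
    return result


if __name__ == "__main__":
    wanted = 12345
    exact = interleave_q(build_q_packet(1, 1, wanted, wanted))
    drifted = interleave_q(build_q_packet(1, 1, wanted + 1, wanted + 1))   # drive returned the neighbour
    garbled = bytearray(exact)
    garbled[5] ^= 0x40                                                      # one Q bit flipped in transit
    for label, raw in (("exact", exact), ("drifted", drifted), ("garbled", bytes(garbled))):
        print(label, check_q(raw, wanted))
```

A failed CRC means the bits are not worth interpreting; a good CRC with the wrong absolute address means the drive has wandered, and the sensible response is to re-read and keep only the packets whose address matches the sector asked for.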

Finally, CD-R/CD-RW discs differ significantly in some characteristics from replicated, mechanically stamped CD-ROMs. ATIP hardly needs an introduction. Aside from this, there is also the TDB (Track Descriptor Block), which holds, among other information, the laser power and similar data. Naturally, CD-ROM discs contain nothing of the sort. It is impossible to fake the nature of a CD-ROM disc directly. However, there are many utilities that intercept all attempts at accessing the drive and return exactly what we need instead of the actual information.

At this point, let's complete our brief overview of protection mechanisms. Further on, each of them will be considered and discussed in more detail.

Note that bypassing protection against CD copying is not the same thing as copyright violation! The laws of many countries explicitly allow the creation of backup copies of licensed media. At the same time, there is no law that prohibits cracking legally purchased software. License agreements can prohibit whatever the manufacturers like. They have, however, no legal status. By violating a license agreement, you automatically cancel the contract with the software vendor, which means that you void all warranties and privileges the vendor promised you. This is approximately the same thing that overclockers do when they cut specific processor pins to unlock its frequency multiplier. You won't land in court if your processor dies in clouds of smoke. However, no one is going to replace your burnt-out specimen. You can only be prosecuted by law if you start to distribute the cracked software. This is a risk, therefore, that I don't advise you to take.



CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
Year: 2003
Pages: 60
