Best Way to Image a Protected CD?

[LaBBa]

I'm trying to understand somthing about CD protection.

If i copy a CD ( that it is protected in some way ) can't i just read every chunk of data in the CD (like blindWrite does) without care if it an Error sector or not because i'm assuming that all data i read is correct.
even if i do this kind of Image to the CD there is (some how ) data missing
can some one please explaing me how can i make a perfect CD Image?

Regards,
LaBBa

[oVERfLOW]

Are you going to write your own code or looking for an app to do this for you?

If you mean an app
Then there are many programs to work with

One of best choices is PreGap Image Builder which is introduced here before
and also Alcohol 120%, CloneCD, and BlindWrite

Reading CD Image in ISO format is not a complete way
while it doesn't support multi-session CDs, Weak Sectors, and bad sectors.

This is what did I knew.

[taos]

Interesting, I love this old subject. You have 2 kinds of protected CDs (you have more but it's to be short and simple)
A-Music CD
B-Data CD

A- Altered TOC: You can copy everything (not bit losses) with oVERfLOW tools u others. Mixed Audio-data: The same, uninstalling rootkit stuff. etc...
In any way, that systems are not often used today.
B- There are a lot of schemes but they can not hide usefull information, only fake information, error gaps, etc... and then you must debug exe loader to stop checking it. The main idea is to jump "check original CD" routine. There are heavy systems, Starforce, and others. I know one DVD that has not been copied yet and have several years in the market, do you have got a PS2?
You must supply more information about the CD, data? audio?, what data exactly is missing?, is a setup CD? video?,etc...

Regards,

[LaBBa]

well it's a data CD it's an application and i don't see any loader it's build in the exe so it's not packed or somthing like that ..

this application comes with 2 CDs :
CD1- is installation. (no protection)
CD2- data CD of all DataBase of application - protected

in the protected CD there are 3 files with a XXX extension in root:
file00.xxx - 563,438 KB
file08.xxx - 850 KB
file09.xxx - 3KB

there is 2 more folders

MA folder files:
file08.MA - 1,054 KB
file09.MA - 36 KB

YZ folder files:
file08.yz - 361KB
file09.yz - 11KB


from what i have saw when i try to crack this when i'm running with an image of the CD i get an error from the application that this is not the original CD . it check first to see if there is a debugger present and then it check a black list of virtual dirves to see if it run from a virtual CD after that it try to load the CD ...
I have patch the CD check with error message "not original CD" so it will continue to load from the image CD but application crashes when it try to run.

I don't understand (yet) why it fails to run from image.
I guess there is a signed key in the CD and it try to read and decrypt with that key the files from the CD so i need to digg deeper.
I just don't understand why i can't copy in the CD image the signature like the code of the original CD does ..

I have maked all possible images with Alcohol 120% at speed x1 and still it fails.

Regards,
LaBBa

[SOLAR]

I hope you figured out something. I would like to know the solution to this.

[taos]

Quote:

Originally Posted by LaBBa

well it's a data CD it's an application
I have maked all possible images with Alcohol 120% at speed x1 and still it fails.

Ok, You must first make a copy with another copy prog or with alcohol and setting on securerom ,etc... emulation. Mount the iso and compare the iso mounted with original CD (there're lot of programs to do it). You must analyze 2 things, a) There is not error copying original CD (can be fake sectors like I said in last post and then you must change your procedure) b) Are exactly ISO and original CD. Then mount ISO and debug. Before to work debugging ensure steps a) and b).
You can use gamejack better than alcohol, play with the settings in both progs.

Byes

[LaBBa]

Code:

Mount the iso and compare the iso mounted with original CD (there're lot of programs to do it).

welll if there was one i think that every app of burning would have done it for you and then fix the image .. i don't know any application that can tell me this info

Code:

Then mount ISO and debug

if the iso is a perfect image and fixed so why i need to debug it ? it should run like the original... (meaning : won't ask for original CD)

[TechLord]

Why don't you try :
1.Making an image file with blindwrite.
2.Then physically burning the image to a CD.
3.Then check if the newly burnt CD works...

If the newly burnt CD works, then the problem maybe that the prog checks for Virtual Drives and give problems if drive is virtual...

Its also possible I think that the prog checks for an unique ID of the CD before running or uses it to decrpyt the prog using the ID as a key. If so, then the CD's ID must be hardcoded somewhere in the program. I remember that Crypkey v6 uses the ID of the CD to check whether the prog has been running from some other cd, and if so, it gives error message.

I don't exactly remember where I got this e-book but it maybe of help. Kindly go through the e-book :

Code:

The name of e-book is : CD Cracking Uncovered-Protection Against Unsanctioned CD Copying.

The download link is : http://rapidshare.com/files/120464076/06062008.rar.html

The password is : cdcopy

The rar contains several examples etc also...

[taos]

That is not right If you have a LiteOn drive you can use a very low level verify app. There're specialized apps to check CD integrity with its own low level driver. Some drives let you read hidden tracks. It's better to compare (generate a checksum, etc...) using Nero Disk Speed than putting verify on setting in your burning soft.
http://www.cdfreaks.com/software/Diagnostic_-Utility/

Quote:

Originally Posted by LaBBa

welll if there was one i think that every app of burning would have done it for you and then fix the image .. i don't know any application that can tell me this info

Code:

Then mount ISO and debug

if the iso is a perfect image and fixed so why i need to debug it ? it should run like the original... (meaning : won't ask for original CD)

If the iso is perfect then your app reads CD manufacturer ID and other fields. Then you must debug CD API.

[LaBBa]

Quote:

Originally Posted by taos

If the iso is perfect then your app reads CD manufacturer ID and other fields. Then you must debug CD API.

ok ...i didn't thought about this.....
i will look closer about this .. what do you recommend api to hook and trace?
DevicIoControl?

but still
If the Image is perfect, when app reads CD manufacturer ID it should emulate also the manufacturer ID no ?

[taos]

Quote:

Originally Posted by LaBBa

ok ...i didn't thought about this.....
i will look closer about this .. what do you recommend api to hook and trace?
DevicIoControl?

but still
If the Image is perfect, when app reads CD manufacturer ID it should emulate also the manufacturer ID no ?

DeviceIOcontrol & Createfilea. Like I said in a old post, use CDR Identifier or Nero's CD-DVD Speed/Disk Info and compare manufacturer ID with original and emulation CD. Another reason is that your app checks emulation soft and then refuse to run.
Can you upload to rapid or mega to take a view?

[LaBBa]

thanks for trying and help me
i'm not home and will return only next week so i will do it when i return and PM you

regards,
LaBBa

[LaBBa]

Hi all

I Have made some google search and found that more ppl have same issues
with same protection

http://club.cdfreaks.com/f18/defekte-sektoren-ab-316687-a-72880/

BTW i have made a image and compare the md5 of the mounted image againts the original CD and they are the same..

I'm currently uploading the CDs images will update you all soon..


regards,
LaBBa

[LaBBa]

Hi
I have made a trace log with CD and with Image CD from the start of the loops on the DeviceIoControl , i use beyond compare to view them and i'm still debugging it to see the places where things goes wrong.
see attached files

the image was created with blindWrite with a liteOn CDRW with profile of "Bad Sectors"

the CD files and the Mounted CD file where compared with MD5 and verify
the CD and Image data matches when comparing with InfoTool.

ps: i have already patched the places of JNZ and JZ and the application crashes if i do it so i need to find out why the values are deffrent when it runs from the Image CD

[LaBBa]

from what i'm seeing in the trace log there is a diffrent behavior when returning from the DeviceIoControl when using the CD and when using the CD Image :

With CD:

Code:

004B415F Main     PUSH EAX
004B4160 Main     PUSH 50
004B4162 Main     PUSH ECX
004B4163 Main     PUSH 50
004B4165 Main     PUSH ECX
004B4166 Main     PUSH 4D014 // IOCTL_SCSI_PASS_THROUGH_DIRECT
004B416B Main     MOV ECX,Copy_of_.004B398B                 ; ECX=004B398B
004B4170 Main     ADD ECX,16D                               ; ECX=004B3AF8
004B4176 Main     PUSH DWORD PTR DS:[ECX]
004B4178 Main     MOV ECX,Copy_of_.004B398B                 ; ECX=004B398B
004B417D Main     ADD ECX,2FB                               ; ECX=004B3C86
004B4183 Main     CALL DWORD PTR DS:[ECX]
DeviceIoControl   PUSH 14
7C801627 Main     PUSH kernel32.7C810CC8
.....
......
7C801662 Main     PUSH DWORD PTR SS:[EBP+8]
7C801665 Main     JE kernel32.7C801743
7C80166B Main     CALL DWORD PTR DS:[<&ntdll.NtDeviceIoControlFile>]
ZwDeviceIoControl>MOV EAX,42                                ; EAX=00000042
7C90D8E8 Main     MOV EDX,7FFE0300                          ; EDX=7FFE0300
....
....
7C802519 Main     LEAVE                                     ; EBP=0012FF08
7C80251A Main     PUSH ECX
7C80251B Main     RETN
7C801694 Main     RETN 20
004B4185 Main     POP ECX                                   ; ECX=00149988
004B4186 Main     POP EDX                                   ; EDX=004B3CD5
004B4187 Main     MOV ECX,Copy_of_.004B398B                 ; ECX=004B398B
004B418C Main     ADD ECX,18C                               ; ECX=004B3B17
004B4192 Main     MOV ECX,DWORD PTR DS:[ECX]                ; ECX=00149988
004B4194 Main     OR EAX,EAX
004B4196 Main     MOV AL,BYTE PTR DS:[ECX+2]                ; EAX=00000000
004B4199 Main     JE SHORT Copy_of_.004B41A1
004B419B Main     OR AL,AL
004B419D Main     JNZ SHORT Copy_of_.004B41A1 -> HERE WILL NOT JMP
004B419F Main     MOV AL,1                                  ; EAX=00000001

and with Image CD:

Code:

004B4150 Main     PUSH 0
004B4152 Main     MOV EDX,Copy_of_.004B398B                 ; EDX=004B398B
004B4157 Main     ADD EDX,17D                               ; EDX=004B3B08
004B415D Main     MOV EAX,EDX                               ; EAX=004B3B08
004B415F Main     PUSH EAX
004B4160 Main     PUSH 50
004B4162 Main     PUSH ECX
004B4163 Main     PUSH 50
004B4165 Main     PUSH ECX
004B4166 Main     PUSH 4D014  // IOCTL_SCSI_PASS_THROUGH_DIRECT
004B416B Main     MOV ECX,Copy_of_.004B398B                 ; ECX=004B398B
004B4170 Main     ADD ECX,16D                               ; ECX=004B3AF8
004B4176 Main     PUSH DWORD PTR DS:[ECX]
004B4178 Main     MOV ECX,Copy_of_.004B398B                 ; ECX=004B398B
004B417D Main     ADD ECX,2FB                               ; ECX=004B3C86
004B4183 Main     CALL DWORD PTR DS:[ECX]
DeviceIoControl   PUSH 14
7C801627 Main     PUSH kernel32.7C810CC8
7C80162C Main     CALL kernel32.7C8024CB
7C8024CB Main     PUSH kernel32.7C8399F3
....
....
7C801660 Main     PUSH EBX
7C801661 Main     PUSH EBX
7C801662 Main     PUSH DWORD PTR SS:[EBP+8]
7C801665 Main     JE kernel32.7C801743
7C80166B Main     CALL DWORD PTR DS:[<&ntdll.NtDeviceIoControlFile>]
ZwDeviceIoControl>MOV EAX,42                                ; EAX=00000042
7C90D8E8 Main     MOV EDX,7FFE0300                          ; EDX=7FFE0300
.....
.....
7C802516 Main     POP EDI
7C802517 Main     POP ESI                                   ; ESI=00591D60
7C802518 Main     POP EBX                                   ; EBX=00000010
7C802519 Main     LEAVE                                     ; EBP=0012FF08
7C80251A Main     PUSH ECX
7C80251B Main     RETN
7C801694 Main     RETN 20
004B4185 Main     POP ECX                                   ; ECX=00149988
004B4186 Main     POP EDX                                   ; EDX=004B3CD5
004B4187 Main     MOV ECX,Copy_of_.004B398B                 ; ECX=004B398B
004B418C Main     ADD ECX,18C                               ; ECX=004B3B17
004B4192 Main     MOV ECX,DWORD PTR DS:[ECX]                ; ECX=00149988
004B4194 Main     OR EAX,EAX
004B4196 Main     MOV AL,BYTE PTR DS:[ECX+2]                ; EAX=00000002
004B4199 Main     JE SHORT Copy_of_.004B41A1
004B419B Main     OR AL,AL
004B419D Main     JNZ SHORT Copy_of_.004B41A1 ->HERE WILL JUMP

the DeviceIoControl uses : IOCTL_SCSI_PASS_THROUGH_DIRECT
as we can see with CD
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000000

and without CD but with CD Image
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000002

we get diffrent values...
i'm currently debugging it to see what is the cause for this deffrent values

any help will be appreciated.

Regards,
LaBBa