Best Way to Image a Protected CD?
 

I'm trying to understand somthing about CD protection.

If i copy a CD ( that it is protected in some way ) can't i just read every chunk of data in the CD (like blindWrite does) without care if it an Error sector or not because i'm assuming that all data i read is correct.
even if i do this kind of Image to the CD there is (some how ) data missing
can some one please explaing me how can i make a perfect CD Image?

Regards,
LaBBa

Are you going to write your own code or looking for an app to do this for you?

If you mean an app
Then there are many programs to work with

One of best choices is PreGap Image Builder which is introduced here before
and also Alcohol 120%, CloneCD, and BlindWrite

Reading CD Image in ISO format is not a complete way
while it doesn't support multi-session CDs, Weak Sectors, and bad sectors.

This is what did I knew.

Interesting, I love this old subject. You have 2 kinds of protected CDs (you have more but it's to be short and simple)
A-Music CD
B-Data CD

A- Altered TOC: You can copy everything (not bit losses) with oVERfLOW tools u others. Mixed Audio-data: The same, uninstalling rootkit stuff. etc...
In any way, that systems are not often used today.
B- There are a lot of schemes but they can not hide usefull information, only fake information, error gaps, etc... and then you must debug exe loader to stop checking it. The main idea is to jump "check original CD" routine. There are heavy systems, Starforce, and others. I know one DVD that has not been copied yet and have several years in the market, do you have got a PS2? ;)
You must supply more information about the CD, data? audio?, what data exactly is missing?, is a setup CD? video?,etc...

Regards,

well it's a data CD it's an application and i don't see any loader it's build in the exe so it's not packed or somthing like that ..

this application comes with 2 CDs :
CD1- is installation. (no protection)
CD2- data CD of all DataBase of application - protected

in the protected CD there are 3 files with a XXX extension in root:
file00.xxx - 563,438 KB
file08.xxx - 850 KB
file09.xxx - 3KB

there is 2 more folders

MA folder files:
file08.MA - 1,054 KB
file09.MA - 36 KB

YZ folder files:
file08.yz - 361KB
file09.yz - 11KB


from what i have saw when i try to crack this when i'm running with an image of the CD i get an error from the application that this is not the original CD . it check first to see if there is a debugger present and then it check a black list of virtual dirves to see if it run from a virtual CD after that it try to load the CD ...
I have patch the CD check with error message "not original CD" so it will continue to load from the image CD but application crashes when it try to run.

I don't understand (yet) why it fails to run from image.
I guess there is a signed key in the CD and it try to read and decrypt with that key the files from the CD so i need to digg deeper.
I just don't understand why i can't copy in the CD image the signature like the code of the original CD does ..

I have maked all possible images with Alcohol 120% at speed x1 and still it fails.

Regards,
LaBBa

I hope you figured out something. I would like to know the solution to this.

Ok, You must first make a copy with another copy prog or with alcohol and setting on securerom ,etc... emulation. Mount the iso and compare the iso mounted with original CD (there're lot of programs to do it). You must analyze 2 things, a) There is not error copying original CD (can be fake sectors like I said in last post and then you must change your procedure) b) Are exactly ISO and original CD. Then mount ISO and debug. Before to work debugging ensure steps a) and b).
You can use gamejack better than alcohol, play with the settings in both progs.

Byes

welll if there was one i think that every app of burning would have done it for you and then fix the image .. i don't know any application that can tell me this info

if the iso is a perfect image and fixed so why i need to debug it ? it should run like the original... (meaning : won't ask for original CD)

Why don't you try :
1.Making an image file with blindwrite.
2.Then physically burning the image to a CD.
3.Then check if the newly burnt CD works...

If the newly burnt CD works, then the problem maybe that the prog checks for Virtual Drives and give problems if drive is virtual...

Its also possible I think that the prog checks for an unique ID of the CD before running or uses it to decrpyt the prog using the ID as a key. If so, then the CD's ID must be hardcoded somewhere in the program. I remember that Crypkey v6 uses the ID of the CD to check whether the prog has been running from some other cd, and if so, it gives error message.

I don't exactly remember where I got this e-book but it maybe of help. Kindly go through the e-book :

The rar contains several examples etc also... :cool:

That is not right ;) If you have a LiteOn drive you can use a very low level verify app. There're specialized apps to check CD integrity with its own low level driver. Some drives let you read hidden tracks. It's better to compare (generate a checksum, etc...) using Nero Disk Speed than putting verify on setting in your burning soft.
http://www.cdfreaks.com/software/Diagnostic_-Utility/

If the iso is perfect then your app reads CD manufacturer ID and other fields. Then you must debug CD API. :)

ok ...i didn't thought about this.....
i will look closer about this .. what do you recommend api to hook and trace?
DevicIoControl?

but still
If the Image is perfect, when app reads CD manufacturer ID it should emulate also the manufacturer ID no ?

DeviceIOcontrol & Createfilea. Like I said in a old post, use CDR Identifier or Nero's CD-DVD Speed/Disk Info and compare manufacturer ID with original and emulation CD. Another reason is that your app checks emulation soft and then refuse to run.
Can you upload to rapid or mega to take a view?

thanks for trying and help me
i'm not home and will return only next week so i will do it when i return and PM you

regards,
LaBBa

Hi all

I Have made some google search and found that more ppl have same issues
with same protection

http://club.cdfreaks.com/f18/defekte-sektoren-ab-316687-a-72880/

BTW i have made a image and compare the md5 of the mounted image againts the original CD and they are the same..

I'm currently uploading the CDs images will update you all soon..


regards,
LaBBa

trace logs
 

Hi
I have made a trace log with CD and with Image CD from the start of the loops on the DeviceIoControl , i use beyond compare to view them and i'm still debugging it to see the places where things goes wrong.
see attached files

the image was created with blindWrite with a liteOn CDRW with profile of "Bad Sectors"

the CD files and the Mounted CD file where compared with MD5 and verify
the CD and Image data matches when comparing with InfoTool.

ps: i have already patched the places of JNZ and JZ and the application crashes if i do it so i need to find out why the values are deffrent when it runs from the Image CD

from what i'm seeing in the trace log there is a diffrent behavior when returning from the DeviceIoControl when using the CD and when using the CD Image :

With CD:

and with Image CD:

the DeviceIoControl uses : IOCTL_SCSI_PASS_THROUGH_DIRECT
as we can see with CD
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000000

and without CD but with CD Image
004B4196 Main MOV AL,BYTE PTR DS:[ECX+2] ; EAX=00000002

we get diffrent values...
i'm currently debugging it to see what is the cause for this deffrent values

any help will be appreciated.

Regards,
LaBBa

What if you burn your image? Same difference?
And what if you change the eax value to the one returned by the original cd?
Is it working then?

I never tried to trace the code with burned cd because it showed me the same error msg about not original CD so i made an image and then start working on the image.. i will check and trace the code with a burned CD and will show my results of debugging.

if i patch the eax value the application crash.

Hi all

I have just found out that some one in my contry has cracked the CD protection of a newer version of the application i'm trying to crack
i don't know if this new version is like my version that comes with 2 CDs
maybe this version came with 1 DVD.

he added a file that he called : appName.emu
and it's a binary file with this header :

well i check and there is an application that create a CD copy called GEAR SOFTWARE but i don't see anything spcial about this app.

the Cracker also patch the application so it will read from file .emu data when trying to boot from CD

does any one knows about this kind of CD protection that need to be cracked like so ?

and i don't understand how did he make this dump file and make the application read this when needed... (i don't have the original exe file of this new version so i can't compare it)

i have added the emu file that was added to crack this newer app

regards,
LaBBa.

Hi ALL
i got it now ... :D

when i load the original CD after it uses the DeviceIoControl API it read the section of the data it need for password of the DB files.
the section of that data was created with Gear Software and from some reason can't be copy by any of the applications that i used.

so i run the original CD and when i saw that it read the data from the section i have make a dump and saw the section data like the emu file had...

now all i needed to do is make a dump with olly as a binary copy and now i have my own emu file like in the new version that was cracked ...

all i need to do is to make a load to the binary file in run time and thats it.. i belive that the CD will be hacked soon..

tnx for the help..

PS:
the only question left is why any of the software i have used with all kind of profiles coudn't copy the password section that was created with GEAR SOFTWARE ????

because, as i told you in the other forum where you got help... the gear software only made the image, the image was adjusted after this when the glass mastering / mass production was done....

sort of like you have a door with a lock, and a key, i then replace the lock... so the key you have is useless... clear?

loud and clear i understand now how it work ...

i just wanted to know if the application that runs from the original CD can read the Locked/Key data why can't any of the image makers (alcohol,BlindWrite,CloneCD) create an image that will contains the data that the application needs ?
i also have a good CD Burners Plextor and LiteOn so i can't be blamed that i'm using lame hardware to make CD images.. :)

I had a similar experience with a Video CD sometime back : I could play it on the computer AND on VCD players but I couldn't copy it...I tried to image it using various tools like Alcohol,Blindwrite etc but the images or the burnt CDs never worked. There was no special protection either immediately apparent by reading the directory on the CD etc.
Finally I found out that it was installing a driver in the background on the first run when played back on the computer, and this driver was extracting the relevant bytes from the .dat file and sending it to the media player, thus allowing the movie to play but not to allow copying directly.
The VCD players (set-top) merely ignored the irrelevant data in the .dat file and played the movie seamlessly.
Finally I could copy the movie by extracting using IsoBuster with the option "Extract but filter only M2F2 mpeg frames" , and then by re-burning it to another cd.

I would like to add a comment on this statement by evlncrn8:
I would like to think i slightly different way... You have a room whose door is locked by a lock and you have the key...But this particular locked room is behind another door locked by a lock but whose key you don't have...Unless you open BOTH the locks you can't enter the room...I can liken the outer lock to the security measures put onto the CD Media at the time of mass production, sometimes on an individual basis...
Our imagers are able to see and read upto the level of the inner lock but can't emulate the outer lock or open it...The running application is probably programmed to look for the outer lock and then open it first...
I know the analogy is not exact but it fits to a certain extent I think...

I disagree with you. Running application has not more powerfull than Blinread, Alcohol, etc..., very very specialized burning soft a lot of years ago. If that app reads it, burning soft reads it too... Like I said in first post, take a view hidden rootkit,etc... Search original dump data in master cd and take note physical position. Edit ISO file and change bytes. IF you take this way, please send me where are data.
BTW: Gear soft has professional software for mastering machines & of course for burning home made.
Regards,

I realy want to do what you say but :
with what apps ?

again.. how do i search for the dump data that i have in the original CD so i will know it's position ??

sorry that i'm asking many questions but your requests are too general...

I agree with this but I want to mention that many cd drives and even some software incorporate Error Correction and sometimes ECC ( Error Correction Codes) with some redundant data (maybe in the form of PURPOSELY made unreadable sectors etc). So, sometimes the data may ALL be recoverable or an image can be made but the SECTOR TO SECTOR mapping may not be possible.
So its a VERY simple case wherein a prog can check whether a particular unreadable sector (of REDUNDANT data) is present on the CD or not. IF it is present, the prog runs. Else it exits or crashes. The Mass Burnt CDs can incorporate it. But our CD image, though it has ALL the data (and hence even the md5 checksum also maybe same in some cases), it still can't have the unreadable sectors etc ( I remember that alcohol etc can emulate bad sectors and sub-channel data, but still it sometimes fails...)

I believe that WinHex 11 and above can do the direct sector reading and dumping quite well (though I haven't used it for quite some time)

Also I believe you can download and use the Rootkit Unhooker from this site:

http://www.antirootkit.com/software/RootKit-Unhooker.htm

to search for any suspicious processes and remove any hidden toolkits.

TechLord has made my work... :D :D