home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Phoenix Rising BBS
/
phoenixrising.zip
/
phoenixrising
/
vir-docs
/
nk-info6.arj
/
NK-INFO6.007
< prev
next >
Wrap
Text File
|
1993-05-05
|
20KB
|
332 lines
===============================================================================
Volume 1, Issue 6, May 1993
NuKE Info-Journal #6
NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE
uK E-
KE "The Arms Race on Disk-Based Protection -N
E- Methods : Round One" Nu
-N uK
Nu By KE
uK Rock Steady E-
KE -N
E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu
% The `Arms Race' on Disk-Based Copy Protection Methods : Round One %
Disk-based techniques of protecting software have existed since the early
days of microcomputers. The very first microcomputers used cassette tapes
to store programs and data. (Remember the C-64s old days?) The first mass-
market microcomputer to use disk drives instead of cassette tapes was the
Apple-II in 1978. Its great popularity was largely due to its reliable
and inexpensive disk drive system, devised by Steve Wozniak. The disks,
much faster and more convenient than cassettes, in turn made it practical
to run large and complex programs. Disks became standard equipment on all
but the cheapest microcomputers. The tremendous success of the IBM PC
microcomputer in the early 1980s confirmed this trend.
The history of disk-based protection methods and the of efforts to defeat them,
resembles an escalating arms race, and hence the name. Early, elementary
protection techniques were countered by skilled users, some did it for their
own convenience, others for the intellectual challenge. And hence, the
arms race began. The `guerrillas' of the arms race were the `software hackers':
mission; to device a method for removing `cracking' the copy-protection of
each new program marketed, and who then distributed the copy-able version to
their friends, who passed it on, and so on.
I have witnessed and was quite an active member of this arms race, the
intellectual challenge was the main reason of my membership. During the
years I have come upon several protection techniques some I was able to
easily bypass, and others that brought upon great challenge. Slowly I
began noting the several methods of disk-based copy-protection, and I also
did acquire several documents on other disk-based copy-protection, and today
you will read upon this very interesting concept of disk-based copy-protection.
Some methods were quite frightening as it tried to perform dangerous disk-
access techniques. Some methods were quite trivial, others were loops and flaws
of the disk structures, and how the disk controller reacts. All the methods I
was able to collect are documented bellow, a lot of time and effort was put
into this, I do hope you appreciate it.
% Disk Format %
The early generation of disk protection methods depended on technical details
of the diskette and disk drives. To describe the methods, it is first
necessary to outline the structure of a formatted floppy. For convenience I will
only use the IBM PC 5.25 inch disk, formatted by the popular PC-DOS or MS-DOS.
Information is stored on the disk in a series of circles, called `tracks'. In
a normal 5.25 double density disk you have 40 series of circles, aka tracks.
Tracks are numbered from 0, being the outermost track, to 39 being the inner-
most. Each track is divided into 9 arcs, called `sectors', numbered from 0-8.
Each sector consists of an `address field', which identifies the sector, and
a `data field', which contains the data stored in that sector. Both fields
contain a prologue, data, a checksum and an epilogue, of the information stored
in that field. Therefore, in reality DOS does NOT make the total number of
possible bytes available for your data storing. In a 5.25 DSDD (double sided,
double density) disk there really is a possible of 500k where only 360k is
available for you. In a 5.25 DSHD (double sided, high density) disk, there
is 1.6 Megs, but only 1.2 Megs is available to you. In a 3.5 DSDD disk, there
is 1 Meg, but 720k is available for you. In a 3.5 DSDD disk, there is an
amazing 2.0 Megs but only 1.44Megs is available to you.
The same applies for hard drives, ever buy a HD and it says 120 Megs, but when
you format it, you only get 114 Megs? Its because of DOS, there are some
programs that enable you to use this space and get rid of the address field,
that is present before _every_ sector. One popular program is called
"MAXI - Form" by Herne Data Systems Ltd. This program allows 360k floppy to
hold 420k, 720k -> 810k, 1.2M -> 1.44M, 1.44M -> 1.66M. Maxi CANNOT make use
of ALL the possible number of bytes, because we MUST reserve some space for
the Boot Sector, 2 copies of the FAT and the DIR Structures. However it does
rid the address fields, and is compatible with DOS with the help of a TSR
program that `fools' DOS in thinking that it was structured correctly.
Now, when you `boot' off a diskette, a copy of DOS _MUST_ reside on the outer
few tracks of the disk. Another Track is reserved for the file directory. When
the computer is turned on, a process occurs, called `booting'. The IBM PC
does not contain a built-in DOS. Its ROM contains just enough information
to enable to find and read sector 0 of track 0 of the disk, which is the boot
sector. That sector contains a program to read a few more sectors, which in
turn contains a program to read the entire DOS into memory.
% Sector Format %
The majority of floppy disks are `soft-sectored', meaning that the software
must be able to locate any given track and sector with no help from the
hardware. On a `hard-sectored' disks there is a physical marker, such as a
small index hole, that tells the hardware precisely where each track and
sector is physically located. On the soft-sectored disk the software
searches for the desired sector by a trail-and-error process, reading the
sector's address field until it finds the sector it wants. This certainly
takes a little longer, but allows much more flexibility, since the sectors may
be placed anywhere the DOS likes. Anyhow floppies are usually soft-sectored,
but IBM 5.25 inch and 3.5 inch diskettes contain physical markers. Hard Disks
usually tend to be soft-sectored, but that was only on the MFM, RLL Hard Drives
the IDE, and SCSI drives are hard-sectored, that is why we have a _major_
access time. MFM,RLL range at 50-70ms (milliseconds) IDE,SCSI tend to range
from 8-15ms.
% Copy-protection Method #1 : Disk Appearance %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
% Unformatted Tracks %
The simplest protection against disk copier utilities was to include a blank
(unformatted) track or sector on the disk. The disk copy utility will fail at
that track and copy nothing further. This was probably the first kind of whole-
disk copy protection introduced.
% Non-standard DOSes %
Although the disk cannot be copied, it will still boot and run properly as
long as the DOS does not attempt to access the unformatted track. This can
be easily be prevented by using a modified version of the normal DOS. When
a disk is booted, the DOS on the disk replaces any that may have been in RAM.
It can have any modifications the author pleases. The only requirement is that
the modifications to the DOS must correlate with the modifications to the disk
format. Some of theses methods are listed bellow.
a) Altered track/sector count
The number of tracks per disk and sectors per track are usually chosen
to provide maximum data storage per disk. There is no reason why lesser
numbers cannot be used. For example we could create an IBM disk with
only 7 sectors per track or 30 tracks per disk. And with a sightly more
complex DOS modification the number of sectors could vary from track to
track.
b) Altered sector size
A normal sector on an IBM PC disk always contains 512 bytes of user data
as its payload. It is easy to alter the DOS to expect a different number
of bytes per sector. In some cases, huge sectors have been used that fill
an entire track.
c) Altered track/sector numbering
Each sector on a disk has an address field containing its track number
and sector number. The DOS checks this before reading the track. Instead
of numbering the sectors on a track from 0 to 9, one could number them
from 70 to 79. The 40 tracks, likewise, could have bizarre numbering,
say the first 40 prime numbers.
d) Altered checksums
Each sector contains a byte which is a checksum of the data contained in
that sector. It is calculated by performing an eXclusive-OR (XOR)
operation across all the bytes in the sector. The DOS recalculates the
checksum each time it reads a sector, and compares its value to the one
actually stored in the sector. If they differ, the DOS assumes that it
read some byte(s) in the sector incorrectly. One can protect a disk by
using a different algorithm for calculating the checksum to be stored in
each sector. Of course the disk's own DOS uses the same algorithm, and so
agrees with the stored checksums, but standard DOS thinks it has read
each sector incorrectly, and will retry up to 5 times, and once all 5 test
fail it will report the message "Bad CRC Data...." error message.
e) Half-Tracks
The newer half-height floppy drive were quite advanced, as a matter of
fact they were capable of stepping to positions half-way between the
normal track position. These half-track positions are not ordinarily
suitable for recording data, because they are so close to the normal
track that there would crosstalk. (Meaning signals would spill over from
the normal tracks to the half-tracks and vice-versa. On the other hand,
the half-tracks can be used it the normal tracks are left unused. For
instance a disk could use track 0, 1.5, 2.5, 4, 5, etc. A normal copy
program will miss all the half-tracks.
% Nibble Copy Programs Fight Back %
In response to the above protection techniques, computer hobbyists began to
write and circulate special copy programs known as `Nibble Copiers'. These were
passed gratis along the grapevine of hobbyists. The first commercially
advertised bit copier was `Locksmith' by Omega Microware of Chicago at around
1984. The first version of Locksmith was slow but reliable, and was able to
cope quite easily with all the copy-protection methods described above. Within
a year other company programs appeared, like Copy-Write, Copy-II-PC and
E.D.D., but Locksmith remained the most prominent until Omega Microware
collapsed near 1985-86.
A bit copier makes as few assumptions as possible about the format of the disk.
It does not assume any particular number of sectors pet track or tracks per
disk, or any particular number of sectors per tracks per disk, or any other
possible sector alteration. This is something DOS was never able to do. Bit
copiers read each track, and attempts to reproduce what it finds exactly on
the destination disk, bit for bit. Error checking is performed by reading the
track several times over and comparing the data. Completely unformatted tracks
were identified and ignored.
% Spiral Tracking %
This is probably the ultimate in format alteration, and the last to be
developed. This method was actually very clever. The way the data was
structured on the diskette, actually `looked' like a spiralling pattern.
The floppy drive heads would travel a small arc starting from the outer
track, then jump to the next track (or half-track) and immediately travel
another small arc, then jump to the next track, and so on. The resulting
series of arcs resemble a broken spiral, hence the name. So instead of track
1 being the outmost ring, it would spiral towards the innermost track. This
type of protection is quite difficult for a bit copier to overcome, since it
depends on the accurately synchronized copying of partially formatted tracks.
Unformatted areas of tracks contain magnetic signals of intermediate values,
bits neither 0 nor 1. Therefore it was extremely difficult for the bit copier
to identify all those portions of the track that can be copied correctly. One
major serious problem with spiral tracking is that it depends on precise
timing of events. It the disk drive is rotating a bit too fast or slow, or is
slightly misaligned in other ways, the protected disk is likely to fail.
% Slow Drives %
Another protection technique used in combination with some of the above methods
is to record the protected software using a disk drive turning SLOWER than
normal. When data is recorded on a track passing slowly under the head, more
data per inch than normal is recorded. This makes it possible to record more
data on a track than would normally fit. Therefore if the user would try to
copy the software with a regular drive, the destination disk will complete
a full revolution before all the data is copied, and the tail of the track will
overlap and destroy the head of the track on the destination disk.
% Copy-protection Method #2 : Signatures %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As we could see the protection wars, escalation proceeded rapidly. The methods
described above were all `format alteration methods. They use a non-standard
disk format that is not recognized by standard copy programs, but copy-able
by the bit copiers. So a new method was introduced, a signature, which was any
minor feature of a disk that serves as an identification mark to verify that
the disk is an original. To be effective, a signature must be a feature that
is not properly duplicated by a copy program, including bit copiers.
% Innermost track %
Probably the first signature protection method was the use of an extra track.
A normal IBM disk uses 0 to 39. The disk drive is in fact capable of stepping
the head to an extra innermost track, track 40. (and sometimes to track 41)
The innermost track is normally unused because of reliability problems. A
protected program may format this track and use the fact that it is formatted
as a signature to verify that the disk is an original. It may even keep some
portion of itself (eg the disk directory) on the innermost track. An ordinary
copy program will overlook this track, and a bit copier will only copy it if
specifically instructed to.
% Check for write-protection %
An ancient and crude signature method is to issue original disks with the
write-protect notch covered. The program would try to write to the disk, if
the write operation succeeds, the program can assume that the user made a
duplicate disk and refuse to execute.
% Bit Counting %
It is _very_ difficult to get two disk drives to turn at precisely the same
speed. Any characteristic of a disk that depends critically on the speed of
the drive on which is was recorded will make a good signature. For example,
when a disk is formatted, there is always some empty spaces remaining on each
track between the end of the last sector and the beginning of the first sector.
The formatting program fills this space with meaningless bits. The size of the
space, and therefore the number of bits, and therefore the total number of bits
on the track, depends on the rotational speed of the disk drive. If the bits
are counted, and the count is recorded somewhere else in the disk, the software
can compare the number of bits to the count every time the disk is booted. If
a duplicate is made on a different drive, the duplicate disk will have a
different number of bits on that track, and the count will fail. Even small
variations in the speed of a single drive will cause different disks made
on that drive to have different numbers of bits per track, so that each disk
has a different signature.
This is an _extremely_ difficult protection method for bit copiers to overcome.
Some version of Locksmith included a utility to prompt the user to adjust the
speed of the drive (by turning a vernier with a screwdriver) until it matched
the apparent speed of the drive on which the original disk was recorded.
However, E.D.D. (Essential Data Duplicator) used a variable timing loop to
vary the rate at which the bits are recorded on the destination disk, to
compensate for the speed of the destination disk drive. These methods required
a great deal of trial-and-error to make satisfactory duplicate disks.
% Deliberately Damaged Media %
This method consisted of deliberately damaged media; a disk which is damaged
in a predictable way that can be detected by the software. The damage serves
as a signature. An example is the `Prolok' systems by Vault Corporation. Prolok
is a special disk sold to software companies, to publish their programs on. The
disk included software that may be adapted to work with any application program
the software publisher records on the disk. The signature is a small hole, cut
by laser, in the recording surface of the disk. The Prolok software can detect
this hole because it is an area on which no data can be recorded, bad sector.
Prolok is actually quick easy to defeat for a programmer. The technique
was to insert a small TSR program hooked to int 13h, and it would review
all requests by programs to the DOS. If Prolok asks the DOS to read the area
of the disk where the hole is, the TSR captures the request and forges a
reassuring response. There was also a pubic domain program specifically
designed to defeat Prolok, called FUProlok.
In general ALL these disk-based copy-protection had one major flaw, they all
had some easy pattern that would enable us to defeat them easily. The pattern
was the usage of Int 13h, the knowledgable `cracker' would construct a simple
generic TSR that would hook Int 13h, that would create a break-point (Int 3h)
whenever the interrupt was called. From there the knowledgable cracker could
trace through the code, and see if the information obtained by the Int 13h
was used in a peculiar method. Most programs are written in a high level
language so the use of Int 13h is not common therefore get to the bottom of
the Int 13h
% Difficulties of Disk-based Copy-protection %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The major obstacle of disk-based copy-protection was a hard disk.
Hard disk users were not content to run programs from the floppy disks, they
almost insisted on transferring the software to the hard disk. One solution
that was adopted was for the program to execute itself from the hard disk,
but to also require the floppy to be left in its drive. The floppy was usually
referred to as a `key disk', which was periodically checked to validate the
signature.
The major problem was that it didn't allow the user to have access to his
floppy drive while using the hard disk. Another bad side effect was that it
prevented users connected to a network, in executing more than one copy
at the same time, as you only had one copy of the `key disk' to go around.
And all of the `format' methods examples cannot be used on a hard disk. In
general you cannot tamper with the structure of the hard disk, because it
may contain several hundreds different applications. Also the interface
system does not give the host computer direct control of details like
the number and arrangement of sectors per track or count of bits on a track.
================================================================================