Phoenix Rising BBS

home *** CD-ROM | disk | FTP | other *** search

/ Phoenix Rising BBS / phoenixrising.zip / phoenixrising / vir-docs / nk-info6.arj / NK-INFO6.007 < prev next >

Wrap

Text File | 1993-05-05 | 20KB | 332 lines

=============================================================================== Volume 1, Issue 6, May 1993 NuKE Info-Journal #6 NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE uK E- KE "The Arms Race on Disk-Based Protection -N E- Methods : Round One" Nu -N uK Nu By KE uK Rock Steady E- KE -N E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu % The `Arms Race' on Disk-Based Copy Protection Methods : Round One % Disk-based techniques of protecting software have existed since the early days of microcomputers. The very first microcomputers used cassette tapes to store programs and data. (Remember the C-64s old days?) The first mass- market microcomputer to use disk drives instead of cassette tapes was the Apple-II in 1978. Its great popularity was largely due to its reliable and inexpensive disk drive system, devised by Steve Wozniak. The disks, much faster and more convenient than cassettes, in turn made it practical to run large and complex programs. Disks became standard equipment on all but the cheapest microcomputers. The tremendous success of the IBM PC microcomputer in the early 1980s confirmed this trend. The history of disk-based protection methods and the of efforts to defeat them, resembles an escalating arms race, and hence the name. Early, elementary protection techniques were countered by skilled users, some did it for their own convenience, others for the intellectual challenge. And hence, the arms race began. The `guerrillas' of the arms race were the `software hackers': mission; to device a method for removing `cracking' the copy-protection of each new program marketed, and who then distributed the copy-able version to their friends, who passed it on, and so on. I have witnessed and was quite an active member of this arms race, the intellectual challenge was the main reason of my membership. During the years I have come upon several protection techniques some I was able to easily bypass, and others that brought upon great challenge. Slowly I began noting the several methods of disk-based copy-protection, and I also did acquire several documents on other disk-based copy-protection, and today you will read upon this very interesting concept of disk-based copy-protection. Some methods were quite frightening as it tried to perform dangerous disk- access techniques. Some methods were quite trivial, others were loops and flaws of the disk structures, and how the disk controller reacts. All the methods I was able to collect are documented bellow, a lot of time and effort was put into this, I do hope you appreciate it. % Disk Format % The early generation of disk protection methods depended on technical details of the diskette and disk drives. To describe the methods, it is first necessary to outline the structure of a formatted floppy. For convenience I will only use the IBM PC 5.25 inch disk, formatted by the popular PC-DOS or MS-DOS. Information is stored on the disk in a series of circles, called `tracks'. In a normal 5.25 double density disk you have 40 series of circles, aka tracks. Tracks are numbered from 0, being the outermost track, to 39 being the inner- most. Each track is divided into 9 arcs, called `sectors', numbered from 0-8. Each sector consists of an `address field', which identifies the sector, and a `data field', which contains the data stored in that sector. Both fields contain a prologue, data, a checksum and an epilogue, of the information stored in that field. Therefore, in reality DOS does NOT make the total number of possible bytes available for your data storing. In a 5.25 DSDD (double sided, double density) disk there really is a possible of 500k where only 360k is available for you. In a 5.25 DSHD (double sided, high density) disk, there is 1.6 Megs, but only 1.2 Megs is available to you. In a 3.5 DSDD disk, there is 1 Meg, but 720k is available for you. In a 3.5 DSDD disk, there is an amazing 2.0 Megs but only 1.44Megs is available to you. The same applies for hard drives, ever buy a HD and it says 120 Megs, but when you format it, you only get 114 Megs? Its because of DOS, there are some programs that enable you to use this space and get rid of the address field, that is present before _every_ sector. One popular program is called "MAXI - Form" by Herne Data Systems Ltd. This program allows 360k floppy to hold 420k, 720k -> 810k, 1.2M -> 1.44M, 1.44M -> 1.66M. Maxi CANNOT make use of ALL the possible number of bytes, because we MUST reserve some space for the Boot Sector, 2 copies of the FAT and the DIR Structures. However it does rid the address fields, and is compatible with DOS with the help of a TSR program that `fools' DOS in thinking that it was structured correctly. Now, when you `boot' off a diskette, a copy of DOS _MUST_ reside on the outer few tracks of the disk. Another Track is reserved for the file directory. When the computer is turned on, a process occurs, called `booting'. The IBM PC does not contain a built-in DOS. Its ROM contains just enough information to enable to find and read sector 0 of track 0 of the disk, which is the boot sector. That sector contains a program to read a few more sectors, which in turn contains a program to read the entire DOS into memory. % Sector Format % The majority of floppy disks are `soft-sectored', meaning that the software must be able to locate any given track and sector with no help from the hardware. On a `hard-sectored' disks there is a physical marker, such as a small index hole, that tells the hardware precisely where each track and sector is physically located. On the soft-sectored disk the software searches for the desired sector by a trail-and-error process, reading the sector's address field until it finds the sector it wants. This certainly takes a little longer, but allows much more flexibility, since the sectors may be placed anywhere the DOS likes. Anyhow floppies are usually soft-sectored, but IBM 5.25 inch and 3.5 inch diskettes contain physical markers. Hard Disks usually tend to be soft-sectored, but that was only on the MFM, RLL Hard Drives the IDE, and SCSI drives are hard-sectored, that is why we have a _major_ access time. MFM,RLL range at 50-70ms (milliseconds) IDE,SCSI tend to range from 8-15ms. % Copy-protection Method #1 : Disk Appearance % ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ % Unformatted Tracks % The simplest protection against disk copier utilities was to include a blank (unformatted) track or sector on the disk. The disk copy utility will fail at that track and copy nothing further. This was probably the first kind of whole- disk copy protection introduced. % Non-standard DOSes % Although the disk cannot be copied, it will still boot and run properly as long as the DOS does not attempt to access the unformatted track. This can be easily be prevented by using a modified version of the normal DOS. When a disk is booted, the DOS on the disk replaces any that may have been in RAM. It can have any modifications the author pleases. The only requirement is that the modifications to the DOS must correlate with the modifications to the disk format. Some of theses methods are listed bellow. a) Altered track/sector count The number of tracks per disk and sectors per track are usually chosen to provide maximum data storage per disk. There is no reason why lesser numbers cannot be used. For example we could create an IBM disk with only 7 sectors per track or 30 tracks per disk. And with a sightly more complex DOS modification the number of sectors could vary from track to track. b) Altered sector size A normal sector on an IBM PC disk always contains 512 bytes of user data as its payload. It is easy to alter the DOS to expect a different number of bytes per sector. In some cases, huge sectors have been used that fill an entire track. c) Altered track/sector numbering Each sector on a disk has an address field containing its track number and sector number. The DOS checks this before reading the track. Instead of numbering the sectors on a track from 0 to 9, one could number them from 70 to 79. The 40 tracks, likewise, could have bizarre numbering, say the first 40 prime numbers. d) Altered checksums Each sector contains a byte which is a checksum of the data contained in that sector. It is calculated by performing an eXclusive-OR (XOR) operation across all the bytes in the sector. The DOS recalculates the checksum each time it reads a sector, and compares its value to the one actually stored in the sector. If they differ, the DOS assumes that it read some byte(s) in the sector incorrectly. One can protect a disk by using a different algorithm for calculating the checksum to be stored in each sector. Of course the disk's own DOS uses the same algorithm, and so agrees with the stored checksums, but standard DOS thinks it has read each sector incorrectly, and will retry up to 5 times, and once all 5 test fail it will report the message "Bad CRC Data...." error message. e) Half-Tracks The newer half-height floppy drive were quite advanced, as a matter of fact they were capable of stepping to positions half-way between the normal track position. These half-track positions are not ordinarily suitable for recording data, because they are so close to the normal track that there would crosstalk. (Meaning signals would spill over from the normal tracks to the half-tracks and vice-versa. On the other hand, the half-tracks can be used it the normal tracks are left unused. For instance a disk could use track 0, 1.5, 2.5, 4, 5, etc. A normal copy program will miss all the half-tracks. % Nibble Copy Programs Fight Back % In response to the above protection techniques, computer hobbyists began to write and circulate special copy programs known as `Nibble Copiers'. These were passed gratis along the grapevine of hobbyists. The first commercially advertised bit copier was `Locksmith' by Omega Microware of Chicago at around 1984. The first version of Locksmith was slow but reliable, and was able to cope quite easily with all the copy-protection methods described above. Within a year other company programs appeared, like Copy-Write, Copy-II-PC and E.D.D., but Locksmith remained the most prominent until Omega Microware collapsed near 1985-86. A bit copier makes as few assumptions as possible about the format of the disk. It does not assume any particular number of sectors pet track or tracks per disk, or any particular number of sectors per tracks per disk, or any other possible sector alteration. This is something DOS was never able to do. Bit copiers read each track, and attempts to reproduce what it finds exactly on the destination disk, bit for bit. Error checking is performed by reading the track several times over and comparing the data. Completely unformatted tracks were identified and ignored. % Spiral Tracking % This is probably the ultimate in format alteration, and the last to be developed. This method was actually very clever. The way the data was structured on the diskette, actually `looked' like a spiralling pattern. The floppy drive heads would travel a small arc starting from the outer track, then jump to the next track (or half-track) and immediately travel another small arc, then jump to the next track, and so on. The resulting series of arcs resemble a broken spiral, hence the name. So instead of track 1 being the outmost ring, it would spiral towards the innermost track. This type of protection is quite difficult for a bit copier to overcome, since it depends on the accurately synchronized copying of partially formatted tracks. Unformatted areas of tracks contain magnetic signals of intermediate values, bits neither 0 nor 1. Therefore it was extremely difficult for the bit copier to identify all those portions of the track that can be copied correctly. One major serious problem with spiral tracking is that it depends on precise timing of events. It the disk drive is rotating a bit too fast or slow, or is slightly misaligned in other ways, the protected disk is likely to fail. % Slow Drives % Another protection technique used in combination with some of the above methods is to record the protected software using a disk drive turning SLOWER than normal. When data is recorded on a track passing slowly under the head, more data per inch than normal is recorded. This makes it possible to record more data on a track than would normally fit. Therefore if the user would try to copy the software with a regular drive, the destination disk will complete a full revolution before all the data is copied, and the tail of the track will overlap and destroy the head of the track on the destination disk. % Copy-protection Method #2 : Signatures % ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ As we could see the protection wars, escalation proceeded rapidly. The methods described above were all `format alteration methods. They use a non-standard disk format that is not recognized by standard copy programs, but copy-able by the bit copiers. So a new method was introduced, a signature, which was any minor feature of a disk that serves as an identification mark to verify that the disk is an original. To be effective, a signature must be a feature that is not properly duplicated by a copy program, including bit copiers. % Innermost track % Probably the first signature protection method was the use of an extra track. A normal IBM disk uses 0 to 39. The disk drive is in fact capable of stepping the head to an extra innermost track, track 40. (and sometimes to track 41) The innermost track is normally unused because of reliability problems. A protected program may format this track and use the fact that it is formatted as a signature to verify that the disk is an original. It may even keep some portion of itself (eg the disk directory) on the innermost track. An ordinary copy program will overlook this track, and a bit copier will only copy it if specifically instructed to. % Check for write-protection % An ancient and crude signature method is to issue original disks with the write-protect notch covered. The program would try to write to the disk, if the write operation succeeds, the program can assume that the user made a duplicate disk and refuse to execute. % Bit Counting % It is _very_ difficult to get two disk drives to turn at precisely the same speed. Any characteristic of a disk that depends critically on the speed of the drive on which is was recorded will make a good signature. For example, when a disk is formatted, there is always some empty spaces remaining on each track between the end of the last sector and the beginning of the first sector. The formatting program fills this space with meaningless bits. The size of the space, and therefore the number of bits, and therefore the total number of bits on the track, depends on the rotational speed of the disk drive. If the bits are counted, and the count is recorded somewhere else in the disk, the software can compare the number of bits to the count every time the disk is booted. If a duplicate is made on a different drive, the duplicate disk will have a different number of bits on that track, and the count will fail. Even small variations in the speed of a single drive will cause different disks made on that drive to have different numbers of bits per track, so that each disk has a different signature. This is an _extremely_ difficult protection method for bit copiers to overcome. Some version of Locksmith included a utility to prompt the user to adjust the speed of the drive (by turning a vernier with a screwdriver) until it matched the apparent speed of the drive on which the original disk was recorded. However, E.D.D. (Essential Data Duplicator) used a variable timing loop to vary the rate at which the bits are recorded on the destination disk, to compensate for the speed of the destination disk drive. These methods required a great deal of trial-and-error to make satisfactory duplicate disks. % Deliberately Damaged Media % This method consisted of deliberately damaged media; a disk which is damaged in a predictable way that can be detected by the software. The damage serves as a signature. An example is the `Prolok' systems by Vault Corporation. Prolok is a special disk sold to software companies, to publish their programs on. The disk included software that may be adapted to work with any application program the software publisher records on the disk. The signature is a small hole, cut by laser, in the recording surface of the disk. The Prolok software can detect this hole because it is an area on which no data can be recorded, bad sector. Prolok is actually quick easy to defeat for a programmer. The technique was to insert a small TSR program hooked to int 13h, and it would review all requests by programs to the DOS. If Prolok asks the DOS to read the area of the disk where the hole is, the TSR captures the request and forges a reassuring response. There was also a pubic domain program specifically designed to defeat Prolok, called FUProlok. In general ALL these disk-based copy-protection had one major flaw, they all had some easy pattern that would enable us to defeat them easily. The pattern was the usage of Int 13h, the knowledgable `cracker' would construct a simple generic TSR that would hook Int 13h, that would create a break-point (Int 3h) whenever the interrupt was called. From there the knowledgable cracker could trace through the code, and see if the information obtained by the Int 13h was used in a peculiar method. Most programs are written in a high level language so the use of Int 13h is not common therefore get to the bottom of the Int 13h % Difficulties of Disk-based Copy-protection % ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The major obstacle of disk-based copy-protection was a hard disk. Hard disk users were not content to run programs from the floppy disks, they almost insisted on transferring the software to the hard disk. One solution that was adopted was for the program to execute itself from the hard disk, but to also require the floppy to be left in its drive. The floppy was usually referred to as a `key disk', which was periodically checked to validate the signature. The major problem was that it didn't allow the user to have access to his floppy drive while using the hard disk. Another bad side effect was that it prevented users connected to a network, in executing more than one copy at the same time, as you only had one copy of the `key disk' to go around. And all of the `format' methods examples cannot be used on a hard disk. In general you cannot tamper with the structure of the hard disk, because it may contain several hundreds different applications. Also the interface system does not give the host computer direct control of details like the number and arrangement of sectors per track or count of bits on a track. ================================================================================