How does copy protection on CDs/CD-ROMs work?

Schnitte · April 11, 2005, 6:29pm

…and what’s the approach made when “cracking” such a protection?

I’m not asking this out of an intention to circumvent copy protection, nor do I want an explanation detailed in any way telling me how to circumvent it. I’m merely asking out of technical interest, in respect of the general principle. How can data on a CD prevent a CD burner from copying a CD (or cause the resulting copy to be of no use because it doesn’t play), given that the system is simply reading the original bit by bit and copying those bits on another medium?

As said, I don’t want details, I’m interested in the principles of this technology. If the mods think that this question already goes to far, please delete it; but having read the Board rules, I think it’s still OK to ask that.

Jayrot · April 11, 2005, 7:04pm

One popular example of such a copy protection scheme is SafeDisc. Here is an excerpt of the explanation.

SafeDisc 2 was first encountered on the game ‘Red Alert 2’ by Electronic Arts which caused a little shock in the back-up world… There were a lot of people who had problems copying this game while some seemed to copy it without any problems whatsoever. What was the deal here?

SafeDisc has a few hundred errors in the first 10.000 sectors of the disc but so does SafeDisc 2. The difference (and problem) lies in the first, what appear to be ‘good,’ 500 sectors of the disc. The reading of the disc is not really a problem but when you want to write these sectors something goes wrong. We have to get a bit technical now but I’ll keep it simple so you can understand it:

The (estimated) first 500 sectors of a SafeDisc 2 protected game at first sight look like a collection of crappy data. It has a lot of zero’s but is also has special 10 sector groups containing a regular bit pattern. When you read this data with a CD-ROM it will pass through a so-called ‘sector scrambler’ which is present in all CD-ROMs and Writers. A regular pattern like this will ‘appear’: XYXYXYXYXYXY…

But, like I said, the problem occurs when you want to write these regular bit patterns because there are a lot of burners that don’t like to do this. A writer has to produce the same patterns and it uses a so-called ‘EFM Encoder’ for this. When a regular bit pattern goes through the EFM Encoder it is converted to a smaller value by converting bits to bytes (8 bit = 1 byte) in a pre-determined way. Now here’s the problem: SafeDisc 2 tries to overload the EFM Encoder of the writer, by using the 10 sector groups, so it will loose synch and write wrong (irregular) bit patterns.

In short this is what happens when you write a SafeDisc 2 protected game. When you want to play a SafeDisc 2 back-up the game will check if there are regular bit patterns on the disc and if not it will give an error and refuse to play. We will call these sectors with regular bit patterns ‘Weak Sectors’ from now on.

from here.

DougC · April 11, 2005, 7:35pm

- - Also here: http://www.cdrfaq.org/faq02.html#S2-4
    ~

Dog80 · April 11, 2005, 7:53pm

Anyone knows how StarForce 3 works?

Dog80 · April 12, 2005, 9:05pm

Bump!

Roches · April 12, 2005, 9:59pm

The idea of using bad sectors put on the disc in certain locations which are known to the copy-protection software goes back to the C64/Atari days. There were even floppy drives that had the ability to create bad sectors so they could be used to make copies of protected software. It’s not surprising that this technology is also used on CD-ROMS.

Some protection technologies for more expensive software go a bit further – for example, they might not only check the CD, but they might also ‘call home’ and check with a server that the user has a valid license. I’m not sure how common it is now, but there used to be some software (3D Studio being one example) that required a hardware ‘dongle’ on the computer’s parallel port; if the software didn’t find a ‘dongle’ with a code to match its code, it wouldn’t run. An early GUI, Visi ON (made by the developers of VisiCalc, an early spreadsheet), came with a mouse that contained a code that the software checked before it would run.

For modern software, there are a variety of techniques that have already been mentioned. It is possible to defeat most if not all of them, although of course it is not permissible to do this even if the user has a legitimate reason to copy the disc. It’s only permissible to deactivate the copy-protection routines if the software developer themself provides a patch. This does happen occasionally, because some copy-protection schemes won’t work with some CD-ROM drives. If enough people who purchase a program can’t run it, sometimes the manufacturer will provide a patch.

Mangetout · April 12, 2005, 11:32pm

Pretty sure it’s also conceptually similar to some of the videotape anti-piracy schemes; subtly damage the data so that it can be read/played, but will generate brand new (and catastrophic) errors when verbatim copying is attempted.

DougC · April 13, 2005, 1:28am

- - Look harder. Most CD copy-protection schemes are broken within three days of their release. Many are broken within the first 24 hours.
    Off this link I provided: http://www.cdrfaq.org/faq02.html#S2-4
    was this link: http://www.cdmediaworld.com/hardware/cdrom/cd_protections.shtml
    that contained this link: http://www.cdmediaworld.com/hardware/cdrom/cd_protections_star_force.shtml
    that lead to this link: http://forum.alcohol-software.com/index.php?act=ST&f=1&t=2838
    …which explains that Starforce capitalizes on the fact that virtual drives are detected as SCSI devices, where real-CD drives are detected as IDE devices. There is not yet a crack, but the available workaround involves disabling IDE drives, because Starforce will apparently accept running off an SCSI drive (virtual drive) if no IDE drives are detected.
    ~

Mr2001 · April 13, 2005, 4:19am

The general principle behind copy protection on PC games is that some aspects of the CD can be read by a drive, but can’t be reproduced accurately by a burner. That is, making a bit for bit copy is impossible.

The EFM encoding Jayrot mentioned is one example. For various technical reasons, CD readers like to see a roughly equal number of 1s and 0s. EFM is part of this process, converting 8 bits that may have any bit pattern to 14 bits that have about the same number of 1s and 0s (also, not too many 1s or 0s in a row). But for certain repeating patterns, EFM by itself isn’t enough - writing those patterns will still gradually produce more and more 1s than 0s (or vice versa). The CD burner has an opportunity every so often to write “garbage” bits, used only to even out the number of 1s and 0s… but some burners are unable to correctly calculate which bits they should write to even it out, which makes that part of the disc unreadable. OTOH, every bit can be precisely controlled when the original CD is mastered, so the original is still readable.

Another example is sectors with duplicate numbers. Each sector of data on the CD is identified by a number, and these numbers are supposed to be unique, but someone figured out that if you have two runs of sectors with the same numbers, but different data, then you can tell them apart by moving to another part of the disc before you try to read the duplicated areas. If you seek from the start of the disc, you’ll read the first copy; if you seek from the end of the disc, you’ll read the second copy. But the typical CD copying program reads sectors in order, starting from the beginning of the disc, so it’ll only see one copy of those duplicated areas!

A more complicated example is sectors with varied spacing. Most CDs have sectors laid out evenly in order: at a certain distance from the center of the disc, the angle between sector N and sector N+1000 will always be the same. But some protected discs have managed to change this, perhaps by inserting dummy sectors, duplicating other sectors, etc. You can make a copy of these discs, but the program carefully checks the angle between certain sectors at runtime (by measuring seek times), and rejects copied discs that have the usual angle between those sectors instead of the tweaked angle.

A much simpler example is CSS, the encryption on DVDs. The content on the disc is encrypted with a key that’s stored right on the disc, but the area where the keys are written is unwritable on the blank discs you can buy in stores. You can read the key from a purchased disc, but you can’t write it onto a copy.

Protection on audio CDs must be weaker, because the discs have to stay compatible enough with the CD specifications that most CD players will read them. Typically, protected audio CDs take advantage of newer CD features that old CD players ignore, but PCs (and newer CD/MP3 players) will investigate and get confused by. For example, the simplest kind of protection (the kind you can bypass by holding Shift) is just a hybrid CD with one audio session and one data session. A CD player only cares about the first session, so it sees the disc as an audio CD, but a PC only cares about the last session, so it sees the disc as a data CD that may contain encrypted music files, animation/videos, or maybe nothing at all.

Mr2001 · April 13, 2005, 4:22am

Er… holding Shift bypasses Windows’ AutoPlay feature, which is useful if the disc tries to install a driver that makes ripping CD audio impossible (which some particularly evil discs do). Holding Shift does not cause Windows to see the disc as an audio CD instead of a data CD.