"Deep in the sea are riches beyond compare.
But if you seek safety, it is on the shore."

Copying Copy Protected CD's
Original by Zota, translatation by OpioN.

Software/Games-cd

CD-Cops
(Link Data Security)
Copy protection is recognisable by the files cdcops.dll and *.gz_ (16-bit applications). With 32-bit applications there is a file in the root directory ending on .w_z.
The cd can be read in RAW mode. The executable file can also be decrypted with the use of McLallo's CD-Cops 32 Decryptor.
-
Seit 1997

DiscGuard
(TTR Technologies)
On the cd there are the files ioslink.vxd and ioslink.sys. The executable file is encrypted and is verified first.
The cd can be read out in RAW mode, the subchannels have to be copied as well.
0
Omikron: Nomad Soul

Laserlock
(MLS International)
These cd's are visually recognisable, on the inner circle of the cd. There is also a hidden directory called 'Laserlok'. The files stored in there contain corrupted sectors.
CloneCD, BlindRead with the option to skip reading errors. The writer has to support the burning of corrupt sectors. Other wise use Deamon Tools.
3
Decent 3, Desperados, Icewind Dale

LockBlocks
(Dinamic Multimedia)
Older copy protection, has two circles visible and corrupt sectors.
Almost all modern burning programs can do this.
-
Indiana Jones 5

ProtectCD
(VOB)
Only after extensive analysis you will see that this cd violates the ISO-specification: 'mixed mode' with a data session, continued by a audio track and another data track. The audio tracks are shorter than 4 seconds and also violate the cd specification. The last data track consists entirely out of corrupt sectors. There is a Digital ID in the subchannels (also with audio).
The cd can be read out in RAW mode, subchannels have to be read out as well.
0
Wiggles, America

SafeDisc
(C-Dilla, Macrovision)
In the main-directory you will find files like dplayerx.dll, clcd16.dll, clcd32.dll, clockspl.exe and 00000001.tmp. There will also be a loader game.exe and the encrypted executable game.icd. There are over a thousand reading errors in the first three percent of the cd. The authenticity of the cd is checked by a digital signature and the number of corrupted sectors.
The cd can be read out in RAW mode. There are generic SafeDisc patches. You can also use Deamon Tools to simulate this type of copy protection.
+
Midtown Madness 2, Madden 2001, Dark Vengeance

SafeDisc2
(Macrovision)
drvmgt.dll, secdrv.sys, 00000001.tmp (and other) in the root directory. The SD-loader is in the game.exe. Besides the corrupted SD 1 sectors it now also uses SD 2 weak sectors. And with FIFA 2002 there is also a ATIP-check.
See article.
++
Aquanox, Operation Flashpoint, Battle Realms, Soul Reaver 2

SecuROM
(Sony DADC)
There are different types: the first and older version has the files cms16.dll, cms(32)_95.dll or cdms(32)_nt.dll and in the inner circle of the cd it states 'Sony DADC'. With the new version there are the files sintf16.dll, sintf32.dll, sintfNT.dll in the Window/System directory. This type of copy protection also checks for a digital signature in the subchannel data of the cd. An ATIP-check blocks the compatibility of a copy with cd-writers. Sometimes there are also data tracks on the cd which contain corrupt sectors.
The cd has to be read out in RAW mode (including all the subchannels). There are generic SecuROM cracks, or you can use Deamon Tools.
+
Diablo 2, Rally Championship 2000

Star Force
(Protection Technology
Only used in Russia, no further information available, www.star-force.com.
none known methods
--
Codename: Outbreak, IL 2

Tages
(Thomson)
Almost the same as SafeDisc2, but with some extra features. It is not yet possible to make 1:1 copies, not even with writers that can copy SafeDisc2 cd's.
No 1:1 copies possible, only usable when a patch is available.
--
Motoracer 3

Other

CD-check
The program checks on undivided intervals if the original cd is still in the cd-drive. The cd is functions as a dongle.
No-CD-patch or cd-emulator (Deamon Tools).
++
Empire Earth, Alien vs. Predator 2

Cd-key
No real copy protection, the program only asks for cd-key which is needed to install it.
Serials2K, and other serial generators.
++
Software, Online Games.

Invalid Sectors
Physical errors on the cd (rings or even drilled holes), which generate errors when the cd is read out per sector.
Every burning program that can read out in RAW mode and can skip corrupt sectors.
++
Most protected cd's

Dongle
The software is supplied with hardware, which usually is meant for the parallel or USB-port. The software checks it presents.
Patches that disable the dongle call.
-
AutoCAD

Manipulated TOC and dummy-files
Separate files appear to be bigger that the capacity of the cd, or in case of a audio-cd, the tracks will have a negative length. This is caused by manipulated registrations in the TOC.
Burning programs that ignore false TOC-registrations and support RAW mode.
-
DVD to Disk, Commanche 4

Video/DVD

CSS
(4C)
DVD's copied to the hard disk can't be played in total, because parts are encrypted. CSS is one of seven copy protection methods for DVD's.
DVD-rippers who crack the CSS protection of the DVD (Vobdec or SmartRipper).
++
Almost all Hollywood movies

Macrovision, APS
(Macrovision)
With the transfer of DVD to video the movie only appears in black and white or other wrong colours.
The Macrovision for video-in/out of special filter hardware.
++
About 700 million DVD's

++ very good, + good, 0 sufficient, - bad, -- very bad

RAW Writers

Without matching hardware are also the hands of programs in the category ‘CloneCD’ tied. Only cd-writers that can work with RAW-datamode can defeat the current copy protection. This means that the cd-writer has to be able to write and write both the useful data and the bytes meant for error correction without changing anything. There is a total of 2532 bytes a sector meant for error correction. The reading can be done by your cd/dvd-rom).

The simplest way of copy protection is when the cd itself is used as a dongle. But a ‘no-cd’ patch easily overcomes this. Previously the software only checked if the cd had the right name and if it was in the cd-drive. Nowadays these checks require a little more effort: a part of all copy protection techniques is the physical manipulation (‘drilled’ holes or other marks on the data side of the cd) or logical errors. If those are missing, the copy protection will think it is a copied cd and refuses to start the software. That’s why error correction data (ECC) should be copied one on one.

With a lot of copy protections the cd-reader/writer has to able to deal with so called ‘subchannels’, which contain extra data (cd-text etc.). The copy protection stores a digital signature in the subchannels, which should authenticate the originality of that cd. Examples of copy protection that uses this method are SecuROM, ProtectCD, Laserlock and on Playstation LibCrypt.
With pc-games there are only two subchannels (P: track status, Q: among others; time display). Although most new drives can read them correctly, only few support all subchannels (P – W). Full subchannel support is only needed when copying Playstation games.

On the websites of CloneCD and BlindWrite you can find extended list of tested writers, which support the different writing methods.
A few methods are aimed directly at cd-r/-rw-writers. The software checks at the start which contents the ATIP (Absolute Time in Pre Groove) of a data-cd has. If a (re) writable medium is concerned the copy protection will recognize it’s cd-signature and abort the start. Because only cd-writers read the ATIP, cd/dvd-rom’s are immune for this trick. CloneCD is equipped with a filter driver (Hide CD-R Media), which will fool the program, ensuring that the program will also start from a cd-writer.

Recently there is a new challenge for hard- and software. To beat the copy protection SafeDisc2 from Macrovision you need to have a cd-writer that supports ‘weak sectors’.

Conscious Weaknesses

This method used by SafeDisc2 is on it’s own weird: it uses sectors which cd-writers seemingly copy with success, but which proof to be unreadable when you actually use the cd. To do this the copy protection uses weak points in the cd-rom standard, the weak point SafeDisc2 is using is the actual implementation of that very same standard in cd/dvd-rom-drives.

The data lies ‘unencrypted’ on the cd, but first they go through a series of prewritten steps of the cd-rom standard: first the data goes through a ‘scrambler’ which makes sure that the data before burning isn’t in regular bit patterns. These bit patterns can be the reason for the next step, called Eight-to-Fourteen-Modulation (EFM), there will be errors on the written cd which makes the data on it unreadable.

Because the scrambler works according to a prewritten schedule you can prepare the data (using inverse operation) so that they will produce weak sectors after the split up.

You can outsmart copy protection by burning similar patterns, and interrupting the writing of the artificial errors. The error correction codes, which stay intact on a RAW copy, can be corrected when reading the cd. The tool ‘Betablocker’ (www.geocities.com/cdbeta/) repairs weak sectors in almost the same way. BlindWrite and CloneCD also support the boosting of weak sectors, so other cd-writers can burn SafeDisc2-cd’s (www.physics.udel.edu/wwwusers/watson/scen103/efm.html).
A lot of (newer) cd-writers can burn SafeDisc2-protected cd without tricks, if they support RAW-writing (www.sd2.does.it). In the compatibility list of CloneCD there are certain cd-writers with the note ‘correct EFM encoding of regular bit patterns’, these once are especially good at beating the SafeDisc2 copy protection system.

Demonical Cheaters

If you don’t have a cd-writer which supports SafeDisc2 and you don’t want to buy one, you can use, in most cases, Deamon Tools (www.deamon-tools.com). This free program is a normal cd-emulator for Windows, which will mount images as a normal cd. The Deamon Tools are, in contrast to their commercial competitors (VirtualCD and SimDisk), a little more refined. It is especially made to paralyse three different types of copy protection: SecuROM, Laserlock, SafeDisc 1 and 2.

The program intercepts the communication between the drive and the Operating System, and simulates the copy protection. In the mean time a lot of software manufacturers have updated their installation routine to search for an installed version of Deamon Tools, is one found, the installation process will be aborted.

Because every copy protection has it’s own tricks, there are special settings in CloneCD for each. CloneCD is very compatible with Clony XXL (www.clonywelt.com) together with the TCCD Database, which contains over 4200 pc- and playstation-games (www.clonecd.net/protection.htm).

But even programs like Blindwrite and CloneCD can screw up. So the last thing you can try is go to Game Copy World and look for a patch for your game (www.gamecopyworld.com).

Final Words

Despite the efforts of the multimedia-industry it still will be possible to make 1:1 copies of audio- or game-cd’s under Windows. The industry does try to make it hard for the incidental copiers by inventing new and improved copy protection methods. Even if programs like CloneCD would disappear over time, there still would be alternatives for people who want to make illegal or legal copied cd’s.

I think it is save to assume that copy protection in the future will be harder to beat, because they will try to disable the programs specifically used for this purpose. The consequence of this will be that most people have to wait longer before they can make a copy of their cd. But still it has proven that most copy protection isn’t as save as they promised.

It does make you wonder why the windows variants of certain programs are heavily secured, and the same Linux and Mac variants aren’t.

Future-proof-writers simply do not exist. Even if you are in the possession of an expensive Plextor writer that supports RAW mode, subchannels and weak sectors, you can’t assume it can handle all future copy protection methods. On the other hand, the ISO specifications can’t be bend anymore without braking a few.