
View Full Version : CD-Cops Generic Unpacker v1.1 Open source


LaptoniC
March 30th, 2002, 15:25
I am tired of working on this unpacker. If anyone cares, I present you my latest unpacker. It can fully emulate main.exe's behaviour, load the qz_ file, hook some APIs and dump the process. It currently has two bugs in IAT building. Hope it gives you some ideas about API hooking.

blackcheck
April 16th, 2002, 05:28
Hi,

Is it true that CD-Cops checks the physical angle between the first and the last sector?

LaptoniC
April 16th, 2002, 12:47
I guess yes, because sometimes copied CDs may run without any error if the layout is the same. The main weakness of this protection scheme is below:

CheckSerialFromReg
if CheckDiskLayout OK then
run qz_ file with a command line which is derived from GetTickCount + product number + product name

One possibility to crack this protection: sniff the product number and name and run the qz_ file. Everything will be OK.
A second method can be:
When the qz_ file runs, it debugs the w_x file, which is the encrypted original exe. At the first WaitForDebugEvent API call the program is decrypted, but the imports are wrong. Decrypt the imports and you are done. All versions I have, from v1.72 to v2.04, are exactly the same. They change only the code and data section decryption algorithm in every version.
Emulation of the main exe file is the simplest and easiest method. The total emulation code is 3.5 KB. Can you believe it?

IcyDee
April 16th, 2002, 17:34
blackcheck

Yes, it does check the angle between sectors. It does this by timing the response of the drive to read-sector commands. This suggests an alternative method of simulating the original CD, which is to hook the relevant API, keep a record of the time and then 'play back' this time on a copy of the CD. This worked for me on an earlier version of this protection, since when it reads the sector it only uses the response time and is not bothered with the actual sector content.

blackcheck
April 16th, 2002, 19:11
Hehe, I don't want to crack it, I want to implement this into my own protection.
Getting a CD-Cops target here is not that simple.

Quote:

I guess yes, because sometimes copied CDs may run without any error if the layout is the same.


That is, *usually* a CloneCD copy does not work, right? I also heard that it calculates the angle with 8-bit precision, so you have a 1:256 chance for the copy to work, I guess.

Quote:

It does this by timing the response of the drive to read sector commands


Sounds like you reversed the proc that does this...
Can this be done through ASPI?
Does this piece of code get decrypted without the CD, too?

If so, I would be glad if someone could send me a CD-Cops exe.

I don't understand how you can compute this by timing, could you explain?
It should be easy to calculate the length of one 'ring' with timing, but the angle?

Yeah, well, I guess it's my lack of knowledge about CDs...
How is a single sector arranged on the CD (physically)?

IcyDee
April 20th, 2002, 18:09
Quote:
Originally posted by blackcheck

I don't understand how you can compute this by timing, could you explain?
It should be easy to calculate the length of one 'ring' with timing, but the angle?

Yeah, well, I guess it's my lack of knowledge about CDs...
How is a single sector arranged on the CD (physically)?


Sectors are arranged in a continuous groove (rather like a record), but instead of a constant angular speed (45 rpm) it is a constant linear speed. This means that there are more sectors in an outer loop of the spiral than on an inner one.

I worked out once that each sector takes a linear distance of about 14 mm (this is not exactly true, since adjacent sectors are combined to improve the error correction).

Imagine two sectors: sector 1 on the inner loop of the spiral and a sector on an outer loop (say sector 200000). If the disk drive is told to read sector 1 and then sector 200000, then there will be a delay between the data being returned for each sector. This delay will be made up of several components.

1. The operating system overhead.
2. The time for the drive to seek from the inner to the outer sector.
3. The time for the sector 200000 to rotate under the read head.

Now, (1) can be ruled out, since it will be fairly constant for each read (and very short anyway) and will cancel out if we are looking for timing differences.

(2) will be fairly constant and will depend upon the drive.

(3) will depend upon a few factors, one being the angular distance between the start and end sectors, the other being the rotational speed of the drive. We can assume that the rotational speed is constant and will cancel out.

By making several measurements between sectors 1-200000, 1-200001, 1-200002 etc., it is possible to work out which outer sector has the smallest angular distance to sector 1. This is what I believe CD-Cops measures.

One flaw with CD-Cops was that it always measured between the same sectors. If you measure these timings and then 'play them back' on another, copied disk, then you could fool the protection into believing that the disk was an original.
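
The measurement IcyDee describes, and the play-back bypass, as an added simulation. This is not code from CD-Cops, from the unpacker, or from anyone in the thread; it models a drive in software rather than issuing read commands. The spiral geometry uses the Red Book nominal 1.6 µm track pitch and a program area starting at 25 mm radius, plus IcyDee's figure of about 14 mm per sector; the 2000 rpm spindle speed, seek time, OS overhead, jitter, and the 20 µm start-radius difference of the "copy" are constructed assumptions. The window of 16 candidate sectors starting at 200000 is also an assumption, chosen to be smaller than the roughly 20 sectors per turn at that radius so that one candidate is clearly fastest.

```python
"""Simulation of the timing-based layout check IcyDee describes above.

Added example, not code from CD-Cops, from the unpacker, or from anyone in
the thread. Spiral geometry: Red Book nominal 1.6 um track pitch and a
program area starting at 25 mm radius, plus IcyDee's ~14 mm per sector.
The 2000 rpm spindle speed, seek time, OS overhead and jitter are
constructed drive parameters. Nothing here touches a real drive.
"""
import math
import random

TWO_PI = 2.0 * math.pi


def fractional_turn(sector, pitch=1.6e-6, r0=25e-3, sector_len=14e-3):
    """Angular position of a sector's start, in turns (0 <= x < 1).

    At constant linear density the groove length from the start radius r0
    out to radius r is pi*(r^2 - r0^2)/pitch; invert that for r and count
    the turns of the spiral from r0 to r.
    """
    s = sector * sector_len                        # groove length travelled
    r = math.sqrt(r0 * r0 + pitch * s / math.pi)   # radius reached
    return ((r - r0) / pitch) % 1.0


class Drive:
    """A drive spinning at constant angular speed (IcyDee's simplification)."""

    def __init__(self, disc, rpm=2000.0, seek_s=0.120, os_overhead_s=0.0005,
                 jitter_s=0.0, seed=0):
        self.disc = disc                  # dict of fractional_turn() kwargs
        self.omega = TWO_PI * rpm / 60.0  # rad/s
        self.seek_s = seek_s
        self.os_overhead_s = os_overhead_s
        self.jitter_s = jitter_s
        self.rng = random.Random(seed)

    def read_pair(self, first, second):
        """Delay between the data of `first` and of `second` arriving."""
        a1 = TWO_PI * fractional_turn(first, **self.disc)
        a2 = TWO_PI * fractional_turn(second, **self.disc)
        # `first` is under the head at t = 0. The head arrives over the outer
        # track after seek_s, by which time the disc has turned omega*seek_s,
        # and then waits for `second` to come round: IcyDee's components 1-3.
        phase = (a1 - a2 - self.omega * self.seek_s) % TWO_PI
        rotational = phase / self.omega
        noise = self.rng.gauss(0.0, self.jitter_s) if self.jitter_s else 0.0
        return self.os_overhead_s + self.seek_s + rotational + noise


class Playback:
    """A copy that answers with timings recorded from an original (the bypass)."""

    def __init__(self, recorded):
        self.recorded = list(recorded)

    def read_pair(self, first, second):
        return self.recorded[second - OUTER_BASE]


INNER = 1
OUTER_BASE = 200000
WINDOW = 16   # fewer candidates than the ~20 sectors per turn out there,
              # so the window holds exactly one clear minimum
TRIALS = 4    # averaging to tame jitter


def measure(drive):
    """Mean delay of INNER -> OUTER_BASE+k for every k in the window."""
    return [sum(drive.read_pair(INNER, OUTER_BASE + k) for _ in range(TRIALS)) / TRIALS
            for k in range(WINDOW)]


def fingerprint(timings):
    """Index of the outer sector that comes under the head soonest."""
    return min(range(len(timings)), key=timings.__getitem__)


ORIGINAL = dict(pitch=1.6e-6, r0=25.000e-3, sector_len=14e-3)
# A burned copy carries the same data in the same sectors, but the CD-R's
# pregroove starts 20 um further out (constructed; well inside media
# tolerance). Over the ~12,700 turns to sector 200000 that shifts every
# outer sector by about 0.4 of a turn relative to sector 1.
COPY = dict(pitch=1.6e-6, r0=25.020e-3, sector_len=14e-3)


def demo():
    reference = measure(Drive(ORIGINAL))
    return {
        "original": fingerprint(reference),
        "original_noisy": fingerprint(measure(Drive(ORIGINAL, jitter_s=2e-4, seed=1))),
        "cloned_copy": fingerprint(measure(Drive(COPY, jitter_s=2e-4, seed=2))),
        "playback_copy": fingerprint(measure(Playback(reference))),
    }


if __name__ == "__main__":
    for name, k in demo().items():
        print(f"{name:15s} fastest outer sector: {OUTER_BASE + k}")
```

Adjacent outer sectors sit about 0.049 of a turn apart, so their rotational delays differ by roughly 1.5 ms at 2000 rpm, far more than the 0.2 ms jitter the noisy drives add; the same fastest sector therefore comes out of every measurement of the original. The 20 µm start-radius change moves every candidate by about 0.4 of a turn, which is wider than any bin in the window, so the copy always yields a different index. The Playback object never consults geometry at all, which is exactly why the recorded-timing bypass works against a check that always asks for the same sector pairs.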

blackcheck
April 20th, 2002, 21:19
Thanks a lot for your explanation.
I tried it and it really works.
I can detect a perfect CloneCD copy.
The only hard thing is to make it work reliably.