Howdy...for the first time, I came across a situation that got me wondering about interference with softice, etc., with other drivers. This is a warning displayed by a popular product when installing it:

"this program will install SCSI pass throught direct (SPTD) layer on your computer. WARNING - SPTD is not compatible with kernel mode debuggers (softice, winDBG etc) please cancel setup if you plan to use kernel debugger on this machine"

I did a quick scan of the archives to see if anyone had encountered this. I have no idea to what extent another kernel-mode device could interfere with softice, and I was wondering if one of the gurus could enlighten me.

A few newer protections are looking for IceExt in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IceExt. Fortunately, Sten has allowed an option to rename IceExt at installation time and this solves the issue. IceExt is so good that it hides softice from its own Symbol Loader. :-)

"not compatible with kernel mode debuggers"... how many times have I heard that phrase... they just don't want you tracing through their code (which does have antidebug, if I guessed your target correctly). Just keep your 'ice hidden properly and you won't run into any problems.

Hi,

I threw part of that warning message into google and found out you're probably talking about Daemon Tools and sptd.sys (let's call a digging implement a digging implement here). I'm thinking that the content of the message is a bit of a ruse, there may be incompatibilities with Sice or WinDbg but I don't see how it could be due to SPTD directly.

SPTD is one of a series of MS defined driver SCSI interfaces used with DeviceIoControl, IOCTL_SCSI_PASS_THROUGH_DIRECT, defined in ntddscsi.h. I can't really see why this would cause a problem with either of those kernel debuggers, at least directly.

More likely the driver does some other undocumented stuff that may cause a problem, or it's just a total BS job because they don't want anyone reversing their driver. If there IS an "honest" incompatibility with the kernel debuggers (I've never tried to see if it's true), then there must be some commonality in how Softice and WinDbg(KD) works where the effect is. I have no idea how WinDbg(KD) operates so I can't guess at any comparisons between the two.

Unfortunately this sounds like another situation where the implementation or paranoia of an application and its 'protection' crosses the boundary of compatibility with the OS and other applications.

Heh, I see LLXX smells a rat too

Cheers,
Kayaker

Hi Kayaker, thanks for response. Your guess was close, and I would have mentioned the name, but I didn't want to take a chance on transgressing the rules of the board. Seeing you mentioned Daemon tools, I guess you can figure out it's a cousin in the same business of defeating anti-protection on CDROMs, particularly in games.

You know the old saying about being "under the affluence of incohol"? Well, it's the latest version of incohol (...3823). Daemon Tools is a freeware version aimed at anti-protection, but seeing incohol is not freeware, I was reluctant to mention it by name. If it had been another app, I would have come to the same conclusion as you and LLXX. But incohol is almost anti-protection itself, and that got me to wondering why they would issue such a warning. My concern stems from interference I encountered with ice by an older version of the free Sygate firewall. It took a long time to isolate that and I don't have the expertise to do the same with an app running in kernel mode.

that's the whole point, why would they? The protectionists, like securom et al, have been blacklisting apps like Daemon, incohol, etc., because part of their anti-protection subterfuge is to conceal the virtual drives that come with their packages. Those dastardly fiends who dare to play commercial games that are not, shall we say 'purchased'??, and are bent on 'try before you buy', are loading the game images on virtual drives instead of in the CDROM. When the game images are in the virtual CDROM's, the anti-protection apps, like Daemon, attempt to fool the protections into thinking they are actually mounted in real CDROMs. The other major function, as you know, is to make copies of the protected games that somehow come out with the protection removed. Holy deceit, Batman!!

It's kind of clever how commercial companies like incohol have gotten away with this. I don't regard them as the old enemy because their aim seems to be similar to that of reversers. I would guess that the SPTD driver is somehow being manipulated by protectionists like securom, safedisk, etc., and incohol has diddled the driver somehow for their benefit. I'm wondering if they are hooking it and using software to defeat whatever the protectionists are doing. Of course, that's way beyond my level of expertise.


that's what I was wondering. It just occured to me that [yAtEs] specialized in CDROM protection, but I haven't seen him around lately. Maybe I'll try to contact him at his website, if it's still up. Or maybe he'll just happen by and see this post. :-)

that's not an uncommon problem created by protection packages. One writer on an audio-related website was lamenting the fact that he buys legitimate audio software and his friend uses cracked stuff. The protection on the writer's software is causing severe problems for him on the Windows OS, yet his friend doesn't have that problem since the crackers removed the protection. He was questioning what motive people would have in buying legitimate software that screwed up their systems.

A humourous aside to this happened to me recently. I was feverishly tracing through an app that creates a bootable CDROM. It would run , then suddenly disappear. I couldn't figure it out, thinking it was detecting a tool like filemon, or something, and terminating. In fact, I found it's termination point.

It turned out that I had the IMAPI CD-Burning COM service turned off in XP. I found that out quite by accident (is that called serendipity??). The app was trying to make a DOS-bootable CDROM and it was using the DOS services in XP. On a hunch, I tried entering the app name at the DOS prompt in a DOS window with the old DOS /? after it. I was looking for command line info and sure enough, the app told me it's command line options. When I used them on an iso that accompanied the app, it gave me the error message that IMAPI was not loaded. Doh!!

Meantime, the protection on the app had failed to realize that maybe someone might have that service turned off. It simply exited when it didn't find the the IMAPI driver turned on. It seems that many people who write protection software are either oblivious to the havoc they wreak on peoples' OS's, or they don't care. I would think it would have occured to a good programmer that an XP service might be turned off and at least give the user an error window. Then again, I don't think high end programmers would be wasting their time writing protection programs. :-)

hi LLXX...thanks for response. Please see my reply to Kayaker.

That sounds like the exact comment that was mentioned here, a nice treatise on the subject of intrusive copy protections from a legitimate user. I quoted from this about a year ago actually, but just to repeat the bitchin'...

http://www.prorec.com/prorec/articles.nsf/files/4F0B51C39C17DA6386256B7F0077FBA6


-----
"Isn’t it a pity that such intrusive code was introduced to such a benign application as an audio plugin?

"My experience is clear: products protected by PACE Interlok are incompatible with one another such that uninstalling one can deactivate the others. It’s a shame when an application will not play fair and interoperate with other applications. It’s ridiculous when it will not interoperate with itself.

The situation is so farcical that the common practice is, “buy the software, but install the crack.” A large majority of people I know and respect have all done exactly that. They purchased the software, so that they own a license, but they installed the pirated version, and so avoided the copy protection altogether.

You might ask why someone would install the pirated version if they own the license. The answer is that the common wisdom is that the pirated version (which does not contain any traces of PACE Interlok) is more stable, and if you need to reinstall it, you don’t have to request a reauthorization"
-----

yeah....that was the article. Thanks for reposting the URL...I had forgotten how outrageous the situation was with Waves and Pace.


You wanna see what they are charging for those benign plugins. Some of them cost more than XP Pro itself, or the app they plug into.

Much of the underground software referenced in the article would have emanated from a group called Radium. I got a kick out of those guys because they were like the Robin Hoods of the audio software world. There was a humour, intelligence and cheekiness about them that I'm sure would have escaped any judge if they'd been caught. Their justification for the hacked software was 'try before you buy', but they urged everyone to buy the software if they liked it. In fact, they stopped hacking inexpensive audio software to give the small producers a break.

Much of the argument in favour of hacked audio software had to do with the price audio software companies were asking, and the lack of guarantees that it would work as advertised. I fell into that trap with a MIDI patch librarian that did not come cheaply. I didn't have the software a year before the company was bought out by MOTU (Mark of the Unicorn), a big player in the audio software field. They immediately put a new name on the product and asked as much as I paid for it to upgrade. We're talking over US $100.

That software has been sitting on a shelf since. I fully commiserate with the people in the article who bought the Waves software only to be stuck with the Pace protection and its quirks. Waves is an excellent product, but so is Cakewalk, now called Sonar. One of them puts a flaky protection scheme on their product that crashes users' systems, and Cakewalk sticks with a serial that could be cracked by a 6 year old.

You can't run Waves plugins without a sequencer like Cakewalk's Sonar, or the likes. Why would a company like Waves go to that length to protect their stuff, when the engine to which it must be plugged hardly has any protection? Is it paranoia, stupidity, meanness or a general distrust of consumers? And why would they continue with it when genuine custormers complain of grievous harm to their systems?

I don't have the answers, but articles like the one referenced, sure seem to put forward justification for groups like Radium, who did the general music population a lot of favours, as corroborated by the article.

On the whole, I agree with your argument, but I don't like this point. There's no reason why the protection level (or even the pricing) of a plugin should be dependent on that of its host. Many VST plugins cost way more than the most expensive mixing software you could find and I think that's justification for stronger protection. The VST/VSTi business is a huge one these days and, in this reverser's opinion, it has just as much right to protection as any other.

Perhaps less importantly I'd like to point out that although Sonar may be flaky, some of the other 'industry standard's are far more troublesome. Cubase SX 3 in particular caused much grief for the bigger cracking groups.

Regards
Admiral

Something I meant to post in off-topic a few weeks back, on the same topic. The whole "copyprotection screws legit customers" subject has caused Ubisoft to drop Starforce as their primary protection scheme. About time too.

Hi Admiral...thanks for response. Can't say I disagree totally with your arguement, and I'd like to expound in detail. As it is, I feel I've gotten off the track of the original post, so I'll try to keep to the point. Perhaps the moderators would like to move this to another arena, or just axe it.

The entire process of making music to be played back over a stereophponic system is illusion. The producer's aim is to create illusions of depth, height, ambience, and even to enhance and augment talent. The purists don't even need plugins other than those that come bundled with the software, which is pretty decent stuff these days. And the industrious can find loads of adequate freeware on the net.

Although waves is a real good product, it's a luxury. If you were buying a car, and an 'extra' cost you more than the car itself, what would you think?



when you say 'flaky', I assume you're referring to my comment about the low-level serial protection on the product. Sonar/Cakewalk has established itself as one of the premier DAW's (digital Audio Workstations) available. It is used by many top flight audio/video producers.

One of the problems I have seen with Cubase/Steinberg is their almost paranoid protection schemes. I remember way back trying one of that genre of European products and I found the logic behind it so remote that I had to give up on it. For me, early Cubase offered the same problems. Between their unusual logic and their protection schemes, I have stayed as far away from those products as possible, for the same reason the writer of Kayaker's article did. When I buy a product, I don't want to be at the mercy of the manaufacturer, waiting for them to fix the situtation at their leisure. Cakewalk, being one of the earliest of such software, have ignored the piracy and plodded on.

One of the top Daw's available today is the Digisound product, but it comes with a proprietary sound card/interface that makes it pricey. I had forgotten till I read Kayaker's article that it also uses the Pace system. I could never understand their requirement of an in-house audio card/interface for their software product till now. It's just another level of protection. I mean, how paranoid can you get, that you'd alienate many buyers with a flaky protection system and the requirements of their own interface card?

Even at that, I had considered buying their system, card and all. I nearly fell over when I learned it would not work on an Asus motherboard. If you don't know, Asus is about the premier motherboard manufacturer out there. Now, wasn't that brilliant? You put out a product with an interface that wont work on one of the top motherboards available, and all because of one voltage on the PCI card.

It just so happens that Steinberg and Digisound are two of the manufacturers whose pricing is beyond the average Joe. These are the people who are charging megabucks for their plugins, and in the case of Digisound, are so paranoid, that they use a proprietary sound card on top of a flaky protection. I'll bet everyone in their offices runs around wearing suspenders and a belt to hold up their pants. My take on it is this: these companies are run by hackers who are so greedy thay can't put out a decent, affordable system.

If you want an example of a decent afforable system, look no farther than the Soundblaster series of Audigy cards. Purists still look down their noses at Soundblaster, largely because of the toy-like quality of their earlier products. That's their loss because the Audigy series has stepped up the quality to a point where professional recordings can be made on them by people who know what they are doing.

WHat most people don't know is that the Audigy IV card drivers can be adapted for use on the earliest Audigy I models, giving the user access to state-of-the-art drivers. And the price has remained pretty even at under US $300 for a professional quality card. Soundblaster has made their money by not being greedy and appealing to the masses. They have know for some time that the Audigy II, III and IV drivers can be easily hacked and applied to earlier models, but have taken no steps to protect their software.

At least two of the major players in the audio business, Cakewalk and Soundblaster, have not fallen prey to greediness. I think the problem with some of the rest is a general paranoia that comes with the desire to make money and the unrealistic fear of losing it to imaginary sources. The laughable part, however, is that no matter how difficult the protectionists have tried to make it, ALL of their products are freely available on the internet in good, working condition. So what was the point?

The thing that has amazed me is that major software companies haven't gotten together with Microsoft and Intel to design a hardware/software approach to protection. Maybe that is in the offing, and Microsoft have already indulged that to an extent. I don't know if that would work, however, since even hardware can be hacked. Just as software code can be hooked, hardware signals can be diverted.

That's probably because any Ubisoft product can be found in news groups with the appropriate patch. If not, there are the products mentioned already in this post to deal with that kind of protection, and they are doing it legally.

I'm not smirking at this. I feel people have a right to make money for the work they have done on their products. The internet has brought a new reality, however, even though companies like Sony have approached the Big Brother ideal to counteract it.

I was looking at a tutorial from R!sk on Securom on Yates' site, and it made me grin at the ingenuity of the guy. Sure, it was an older Securom but still, I don't think protectionist have a clue about the intelligence they are up against.

hi,

i've just read the whole thread, this is a nice discussion! i join you and shoot out my
thanx and respect to radium, they've helped me learning in the audio field until i could
afford some licenses (and until i could work them out myself :devil

i want to say sthg to the vst/vsti stuff - olthough that aspect is a bit off topic of the initial post:



hm, what if that extra would be an airplane extension so you could then fly with the car?

i mean many vendors put an awesome amount into their plugins, which are like precision scientific instruments, with a lot of experience in it (built by expensive people ) on a particular topic, full of reasonable presets etc ... which also takes quite some time to do.
imho this just has its own value with almost no limit to a "top" - olthough i of course also would prefer if plugin prices would stay in an "affordable" range.

regards, 0xf001

thanks for you comments and acknowledging Radium. I agree that the thread has gotten way off topic.

One thing to realize is that plugins are not designed from the ground up. Most of the work has already been done by companies like Microsoft and Cakewalk (DX/DXi), Digidesign (RTAS), and Steinberg (VST/VSTi) and other, who supply SDK's. The DX/DXi brand of audio plugin is based on the Microsoft DirectX, and they supply a lot of the know-how regarding how to interface with the Windows audio machine. Cakewalk is involved with that too. It's to the advantage of companies like Microsoft's and Cakewalk, of course, but they should get credit for supplying in-depth SDK's and much of the code needed to write plugins.

Some good points, WaxfordSqueers.

Before I get lumped with the responsibility for yet another thread-hijacking, I'll try to keep this short:

You say that the purists don't even need plugins other than those that come bundled with the software (I quote). Although it may be true that a minority of professionals will insist on working this way, I don't think it's fair to say that the out-of-the-box plugins are always adequate. I have little experience with Cakewalk (or Logic) but I can say that while Cubase SX's effect list is commendably complete, it is missing a few criticals. In particular, there is no tube/speaker simulator and absolutely nothing (outside of a four-band EQ and awful 4-band compressor) in the way of mastering.
As for the free alternatives on the web, I can't say I've looked too hard, but if you ask me, it comes down to 'why have cotton when you can have silk?'. I'd say that Waves Platinum or even iZotope Ozone are more valuable than the engine they run on when a tough master needs to be done.

So to stick with your car paradigm, I'd willingly pay the price again twice if the case were to upgrade a poor engine into something special. Otherwise, indeed, I'll pass on the air conditioning, thanks.

Regards
Admiral

that applies to me too, in which case I'd be hijacking my own thread, so let's wrap it up in general agreement. The initial essence of the thread had to do with a confusion over why an outfit in the business of anti-protection was warning people not to use their software with a kernel-mode debugger. That lead to questions of ulterior motive and to whether certain companies were implementing drivers in such a manner as to interfere with the sound operation of an OS. That lead further to an example of a protection that was doing exactly that.

I remember reading about an intrusion by Sony and had forgotten the name of it. I was fortunate enough to find the article again, by Mark Russinovich of Sysinternals: hxxp://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html . It's very interesting reading on 'root kits', and just how far Big Brother has gone to keep an eye on us. Might also provide answers to why some of our tools don't work right at times.

hi WaxfordSqueers,

i keep it short, too - you refer a lot to the aspect of the interface technology etc.



hm i "do not agree to this", i agree the interface provides the infrastructure very well.
but that is all. you can have a cheap or a very expensive compressor for example. you can
treat compression as a thing you do on the surface, or you can drive it to an own science,
which imho happens in the professional audio engineering field.
or another example: synthesizers - similar, maybe better understandable. the analog emulation and blah etc ... can be done cheap or you get a damn professional synth which competes also with hw synths. and this i mean - is more like an own product itself, rather than an "expansion".

regards, 0xf001

I was chatting with someone about this a few days ago. The one and only reason this was possible was because the vast majority of people simply didn't understand the issue. Even Sony's head honcho admitted as much, and it took a huge outcry in the "tech" world before anything happened about it.

Now here's a challenge. Find someone you know who isn't really into technology - Joe Average, if you like. Despite the massive outcry over what Sony did, I bet they won't even know what you're talking about. That's the damning proof.

Of course it did benefit the security industry in a way. I'm sure it became much easier for security consultants to explain why users can't use "innocent" things on company equipment.

If it wasn't for gurus like Mark Russinovich, Matt Pietrek, et al, even informed people wouldn't know. If you read the article, rootkits are very hard to detect, and according to what Russinovich says, there's no guarantee you'll be able to detect them even with his software.

I've run his software on my own system and it gets to be like running a registry cleaner only much more complicated. How do you know which files are legit and which aren't? I mentioned Alcohol earlier in this post, and their driver shows up in the RootkitRevealer listing. I know they put a disguised driver on drives to hide from the protectionists. They don't try to hide from the user because they allow you to name the driver, if you like. I recognized it because I saw the driver name when they installed it. If you didn't know that, you'd remove it and kill your installation.

Getting back to the context of this post, a few years ago, some of the protectionists were erasing some of your directories if they detected certain apps, like Boundschecker. One app in particular, I can't remember it's name, would actually erase a critical sub-directory in Boundschecker. You got around that by keeping a spare copy of the sub-directory. Now we have protectionists monitoring imports and selectively manipulation your system to hide themselves.

Russinovich points out as well that the programmers who wrote the rootkit on his system were hackers. This seems to be the problem with many protectionists: they really don't know what they are doing. They set up drivers to run in the background unaware of the overall damage they can cause. The damning thing is they don't care, and it seem companies like Waves don't care either.

I got kind of frustrated a while back by the number of people complaining that they couldn't get softice running on XP. I'm wondering how much of that was related to malware running in the background? That's why I started this thread. I don't understand enough about what goes on below the user level in Windows and I guess it's about time I found out.

My complaint smacks a lot of the stove calling the kettle black. I realize that I'm being somewhat hypocritical. I want to use tools to spy on software but I don't like other software spying on me. That's not what wrankles me so much since a bit of ingenuity could get around that. I'm bugged by the fact that some corporate type feels it's kosher to come into my home and do what they damn well please. There are laws against that, and if they are going to prosecute hackers for the same thing, why does Sony get off Scot free?

maybe baby

add an r onto my old email address for it to become my new email address.
will read this thread someother day, im ill at the moment, puuuh.

/yates.

those damned viruses, eh?