Hacking Secrets. Brake Fluid for CDs


The arrival of high-speed CD-ROM drives has resulted in a large number of problems. The popular opinion is that the cons far outnumber the pros. The list of drawbacks includes terrible noise, vibration, and broken discs. Who needs it? Besides, many algorithms for binding to CD feel somewhat uncertain at high speeds. Hence, protected discs do not start on the first attempt, if they ever start at all. What can we do about this? Naturally, we just slow them down! Fortunately, most drives support the SET CD SPEED (opcode 0BBh) command. At first glance, there is no problem at all—just specify the required parameters. However, things are not as simple as they seem.

The first nuisance (minor, but still annoying) is that the speed is specified in KB per second, rather than in “x” (note that the measurement unit is KB rather than bytes). At the same time, single speed corresponds to a throughput of 176 KB per second. What about double speed? If you deduce that it will be 352 (2×176), you are mistaken. The speed is actually 353! Triple speed does equal what we would expect: 176×3 = 528. However, 4x speed once again deviates from what would seem logical, being 706 rather than 704 (4×176). An incorrectly specified speed will result in the setting of the speed one grade lower than expected, and the correspondence between the grades and stages will be ambiguous. Suppose that the drive supports the following range of speeds: 16x, 24x, 32x, and 40x. If the specified speed (in kilobytes per second) is lower than the nominal 32x speed, the drive will operate at the next lower supported speed, 16x in our case. Hence, to translate the “x” into kilobytes per second, they must be multiplied by 177 rather than by 176!

The second nuisance (much more significant and considerably more frustrating) is that the standard specification does not contain a command producing the complete list of supported speeds. This information must be obtained by means of trial and error. Before starting the trial, a properly operating program must make sure that there is no disc in the drive. If there is, it must forcibly eject it. As a matter of fact, running a low-quality disc at high speeds might result in the disc exploding, rendering the drive unusable. The user must be absolutely sure that the disc inserted into the drive will rotate at exactly the speed that is requested, and that the program won’t increase the rotation speed without justification.

The third nuisance (of a horrifying nature this time) is that some drives (TEAC 522E, for instance) successfully swallow the SET CD SPEED command and confirm the changing of the rotation speed by returning its new value in MODE SENSE. However, the actual rotation speed remains as before until the disc is accessed once again. Therefore, it is wise to issue a command for reading a sector from the disc directly after the SET CD SPEED command (if the disc is present). Measuring the drive speed without a disc in the tray is pointless, suitable only for building the sequence of supported speeds, because all of the previous speed settings become invalid after inserting a new disc into the drive. Thus, the optimal rotation speed for each disc (from the drive’s point of view) must be determined for each individual disc. The drive also has the right to change the rotation speed by decreasing it if the read operation is not going well, or increasing it if everything is OK.
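The first and third nuisances translate directly into code: convert "x" to KB/s with the factor 177, then follow SET CD SPEED with a one-sector read. The C below is an added example, not code from the original text; the CDB byte layouts are assumed from the MMC/SCSI command sets rather than taken from this page, LBA 16 is an arbitrary sample sector, and sending the CDBs to the drive (through SPTI or ASPI) is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SET_CD_SPEED 0xBB  /* opcode given in the text */
#define READ_10      0x28  /* standard SCSI READ(10) opcode (not from the text) */
#define KB_PER_X     177   /* the text's factor: 177, not 176 */

/* Nominal KB/s values the text quotes for 1x, 2x, 3x and 4x. */
static const uint16_t nominal_kbps[] = { 176, 353, 528, 706 };

/* Convert an "x" rating to the KB/s value SET CD SPEED expects. */
static uint16_t x_to_kbps(unsigned x, unsigned factor) { return (uint16_t)(x * factor); }

/* 1 if factor*x is below the quoted nominal value (the drive would then
 * drop to a lower grade), 0 if not, -1 if x is outside the quoted 1..4. */
static int falls_short(unsigned x, unsigned factor) {
    if (x < 1 || x > 4) return -1;
    return x_to_kbps(x, factor) < nominal_kbps[x - 1];
}

/* 12-byte SET CD SPEED CDB (layout assumed from MMC): big-endian read speed
 * in bytes 2-3, write speed in bytes 4-5 (0xFFFF = drive maximum). */
static void build_set_cd_speed(uint8_t cdb[12], uint16_t read_kbps) {
    memset(cdb, 0, 12);
    cdb[0] = SET_CD_SPEED;
    cdb[2] = (uint8_t)(read_kbps >> 8); cdb[3] = (uint8_t)(read_kbps & 0xFF);
    cdb[4] = cdb[5] = 0xFF;
}

/* 10-byte READ(10) CDB for one sector, to be issued right after SET CD SPEED
 * so that a drive which only acknowledges the command actually changes speed. */
static void build_read10(uint8_t cdb[10], uint32_t lba) {
    memset(cdb, 0, 10);
    cdb[0] = READ_10;
    cdb[2] = (uint8_t)(lba >> 24); cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);  cdb[5] = (uint8_t)lba;
    cdb[8] = 1;  /* transfer length: one sector */
}

int main(void) {
    uint8_t speed[12], rd[10];
    build_set_cd_speed(speed, x_to_kbps(32, KB_PER_X));
    build_read10(rd, 16);  /* LBA 16: arbitrary sample sector */
    for (int i = 0; i < 12; i++) printf("%02X ", speed[i]);
    for (int i = 0; i < 10; i++) printf("%s%02X", i ? " " : "\n", rd[i]);
    for (unsigned x = 1; x <= 4; x++)
        printf("\n%ux: 176 short=%d, 177 short=%d", x, falls_short(x, 176), falls_short(x, 177));
    printf("\n");
    return 0;
}
```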











Investigation of Real Programs

To summarize all of this material and acquire practical skills, let’s look at several popular programs working with CDs at a low level to find out how this interaction is carried out.

Having called on the indispensable Soft-Ice and set the breakpoint to bpx CreateFileA if (*esp->4=='\\\\.\\'), let us sequentially start the following three programs: Alcohol 120%, Easy CD Creator, and CloneCD, each time noting the name of the opened device.



Alcohol 120%

Alcohol 120%, depending on the settings, can access the disc in three different ways: via its own custom driver (by default), via ASPI/SPTI interface, and via ASPI Layer. Let’s start with the custom driver. Setting the breakpoint on CreateFileA shows that Alcohol opens the \\.\SCSI2: device (the number, naturally, depends on the hardware configuration), and a further check confirms that the DeviceIoControl function receives the same descriptor that was returned when opening the SCSI device! Consequently, Alcohol considers as “custom driver” the miniport driver that it has installed in the system in the course of program installation.

Now, let’s change the Alcohol 120% settings to make it work via the SPTI/ASPI interface. After restarting the program (and Alcohol requires that you restart after changing the access method), we once again will see the procedure of opening the \\.\SCSI2 device, and then the disk \\.\G: will be opened (the drive letter, naturally, depends on the hardware configuration). Essentially, in the course of interaction with the device via SPTI interface, things are proceeding in exactly this way. To be more precise, they must proceed in such a way. Alcohol 120% opens the \\.\G: disk multiple times, which is an indication of its “freaky architecture”. This complicates our task significantly, since we must trace all descriptors simultaneously. If we miss just one of them, the reconstructed working algorithm will be incorrect (isn’t it interesting to find out how Alcohol 120% copies protected discs?).

Finally, by switching Alcohol 120% to the last mode of interaction with the disc, we will get the following result: \\.\SCSI2, \\.\MbMmDp32, \\.\G:. The device with the name “MbMmDp32” is the ASPI driver that we have already encountered. However, in this case it is not absolutely clear why Alcohol 120% opens disk \\.\G:, since the ASPI interface doesn’t require it.



Easy CD Creator

Easy CD Creator accesses the drive directly by its “native” name (on my computer, this is “CDR4_2K”), then opens the “MbDlDp32” device, which CDR4_2K registers itself.

Consequently, Easy CD Creator works with the disc via the custom driver. To clarify how it works, we will have to, first, disassemble the CDR4_2K driver and analyze which IOCTL codes correspond to which driver actions, and, second, trace all DeviceIoControl calls (simply set a conditional breakpoint, which pops up when passing its “own” descriptor returned by the CreateFileA("\\\\.\\CRDR_2K", …) and CreateFileA("\\\\.\\MbDlDp32", …) functions).

After formatting the sequence of IOCTL calls in the form of an improvised program, we will be able to reconstruct the protocol of interaction with the disc and find the protection (if there is any).



CloneCD

The breakpoint set on the CreateFileA function indicates that CloneCD communicates with the disc via the custom driver “\\.\ELBYCDIO”, and, for reasons that are unclear, it is opened in a loop, so that the driver descriptor is returned multiple times.











Part III: Protection against Unauthorized Copying and Data Recovery

Chapter List

Chapter 6: Anti-Copying Mechanisms

Chapter 7: Protection Mechanisms for Preventing Playback in PC CD-ROM

Chapter 8: Protection against File-by-File Disc Copying

Chapter 9: Protection Mechanisms Based on Binding to Storage Media

Chapter 10: Data Recovery from CDs











Chapter 6: Anti-Copying Mechanisms

Overview

This chapter covers the organization of various mechanisms for protection against the unauthorized copying of CDs and provides explanations of the principles by which they operate, as well as examples of how these mechanisms are implemented in different software. It also demonstrates how these protection mechanisms can be neutralized.

Classification of protection mechanisms: Methods of protection against unauthorized copying can be classified in relation to a number of criteria, the most important among which are the following:

The strength of the protection mechanism (can the protected CD be copied by a standard copier; by a specialized copier capable of emulating protected media; or can it simply not be copied at all).

Principle by which the protection operates (non-standard disc formatting; binding to physical characteristics of a specific media).

Compatibility with hardware and software (the protection mechanism is fully compliant with the standard and is compatible with all standard equipment; the protection mechanism doesn’t formally violate the standard but, however, relies on undocumented features of hardware implementation that aren’t guaranteed to be supported; or the protection mechanism clearly violates the standard and relies on a specific equipment line).

Implementation level (software level—the creation of the master disc is carried out using standard equipment; hardware level—the creation of the master disc requires special equipment).

Interface of communication with the CD drive (standard C and/or Pascal library; OS API; low-level hardware access).

Object of protection (protection of the entire disc; protection


