[HN Gopher] The cleverest floppy disc protection ever? Western S...
       ___________________________________________________________________
        
       The cleverest floppy disc protection ever? Western Security Ltd
        
       Author : scarybeast
       Score  : 177 points
       Date   : 2020-12-14 19:01 UTC (3 hours ago)
        
 (HTM) web link (scarybeastsecurity.blogspot.com)
 (TXT) w3m dump (scarybeastsecurity.blogspot.com)
        
       | h2odragon wrote:
       | I never did BBC Micro, but in the early PC days there were "Copy
       | II PC" add in ISA cards that the floppy cable passed through on
       | the way to the drive. With their software most any floppy disk
       | could be copied with a standard PC drive; and with a bit of
       | hacking you could do things like read Victor 9000 floppies.
       | 
       | There was only one floppy I could never get, a licensed Scrabble
       | game that insisted on writing scores to its game disc. My mom
       | loved that game and we had to buy it twice. It was humiliating, I
       | had this special hardware and I never did figure that one out.
       | 
       | * found one: https://www.biocomp.net/o62799.htm
        
         | Firehawke wrote:
         | The "Copy II PC Option Board", yeah. I knew a guy who had one,
         | and it definitely could handle a lot of stuff that you normally
         | couldn't. Interestingly, you really wanted an early-era board
         | because they were forced to water down the later revisions so
         | they couldn't copy newer protection schemes.
        
           | dunham wrote:
           | My fuzzy recollection is that the option board could read the
           | entire track at once, raw - not MFM decoded, where the
           | typical controller in a PC had a high level interface that
           | only gave you sectors.
           | 
           | One copy protection system that I remember was a track that
           | had a mix of long and short sectors with the short sectors
           | embedded in the middle of the longer ones. (Sectors
           | header/footers were marked by special bytes that were illegal
            | MFM coding.) If a program tried to copy the track with a
           | normal floppy controller, they would have more sectors than
           | would fit on a track.
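
The nested-sector scheme dunham describes can be modelled to show why a sector-level copier runs out of room while a raw-track copier does not. This is an added illustration, not code from the thread or from the blog post, and it uses a constructed toy track format (a fixed marker, a one-byte id and size code, fixed gaps) rather than real MFM encoding; the 6250-byte capacity is the approximate raw size of a double-density track (250 kbit/s for one revolution at 300 rpm).

```python
from dataclasses import dataclass
from typing import List

# Constructed toy track format (assumption: simplified, not real MFM encoding).
# A sector header is the marker bytes A1 FE, a 1-byte sector id and a 1-byte
# size code (size = 128 << code); the data bytes follow the header directly.
# A fixed gap of filler bytes precedes every header.
MARKER = b"\xA1\xFE"
HEADER_LEN = len(MARKER) + 2
GAP = 50
GAP_BYTE = b"\x4E"
# Approximate raw capacity of one double-density track: 250 kbit/s for one
# revolution at 300 rpm is 50000 bits, i.e. 6250 bytes.
TRACK_CAPACITY = 6250


@dataclass
class Sector:
    offset: int      # position of the header marker within the raw track
    sector_id: int
    size: int        # data bytes


def header(sector_id: int, size_code: int) -> bytes:
    return MARKER + bytes([sector_id, size_code])


def append_sector(track: bytearray, sector_id: int, size_code: int, fill: int) -> None:
    """Append a normally laid out sector: gap, header, data."""
    track += GAP_BYTE * GAP + header(sector_id, size_code) + bytes([fill]) * (128 << size_code)


def embed_sector(track: bytearray, host: Sector, inner_id: int, size_code: int, fill: int) -> None:
    """Overwrite part of `host`'s data area with a complete shorter sector, so the
    inner header and data are also just data bytes of the host sector."""
    inner = header(inner_id, size_code) + bytes([fill]) * (128 << size_code)
    data_start = host.offset + HEADER_LEN
    start = data_start + 40                      # leave some host data before the inner header
    if start + len(inner) > data_start + host.size:
        raise ValueError("inner sector does not fit inside the host sector's data")
    track[start:start + len(inner)] = inner


def scan_sectors(track: bytes) -> List[Sector]:
    """What a sector-oriented controller reports: every header marker on the
    track, including the ones that sit inside another sector's data."""
    found: List[Sector] = []
    pos = track.find(MARKER)
    while pos != -1:
        found.append(Sector(pos, track[pos + 2], 128 << track[pos + 3]))
        pos = track.find(MARKER, pos + len(MARKER))
    return found


def build_protected_track() -> bytearray:
    """Five 1024-byte sectors, each hiding a 256-byte sector in its data area."""
    track = bytearray()
    for sid in range(5):
        append_sector(track, sid, 3, 0x00)
    for sid, host in enumerate(scan_sectors(bytes(track))):
        embed_sector(track, host, 0x80 + sid, 1, 0xFF)
    return track


def raw_copy_fits(track: bytes) -> bool:
    """A raw track copy replays the same bytes, so it fits iff the original did."""
    return len(track) <= TRACK_CAPACITY


def sector_copy_bytes_needed(sectors: List[Sector]) -> int:
    """Bytes a sector-level copier needs when it writes every reported sector
    separately (gap + header + data each), since it cannot nest them."""
    return sum(GAP + HEADER_LEN + s.size for s in sectors)


if __name__ == "__main__":
    track = build_protected_track()
    sectors = scan_sectors(bytes(track))
    print(len(track), raw_copy_fits(bytes(track)))                          # 5390 True
    print(len(sectors), sector_copy_bytes_needed(sectors), TRACK_CAPACITY)  # 10 6940 6250
```

The raw track is 5390 bytes and fits, but the controller's sector view reports ten sectors that need 6940 bytes once laid out one after another, more than the track holds. The same applies to sector headers marked with clock-violating bytes on real media: the sector interface can only report them, not reproduce their placement.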
        
           | h2odragon wrote:
           | The original company got bought out by Central Point, they'd
           | been running for a bit before then. They were not quite
           | totally opaque in "API" then, there were like maybe 3 asm
           | examples floating around BBS and net.* era usenet.
        
       | RcouF1uZ4gsC wrote:
       | Fully online, streaming gaming a la Stadia, will be the ultimate
        | in copy and cheat protection. Since you don't have access to the
       | actual code, you won't be able to modify or hack it to either
       | cheat or bypass protection.
        
         | ev1 wrote:
         | I understand that this is horrible for unbreakable DRM, but in
         | my case, I only play multiplayer online games (MMOs) - there is
         | nothing to pirate. I'd happily take game streaming in exchange
         | for getting rid of invasive, useless, data-collecting
         | (including clipboard contents, uploading files on disk, etc.)
         | rootkit anticheats starting at boot being "mandatory" to play.
        
         | CobrastanJorji wrote:
         | There's another benefit here that I haven't seen yet. Suddenly
         | it becomes potentially reasonable to fully trust "clients".
         | That enables much better anti-latency schemes which, combined
         | with the clients probably being on the same low latency cloud
         | network as each other, could potentially produce some really
         | fantastic results. But you'd probably have to design the game
         | engine around it.
        
       | csl wrote:
       | Very clever and great article! But it sounds pretty easy to write
       | a cracker for it: Just rewrite the machine code to jump over the
       | check. Or did I miss anything?
       | 
       | Edit: Guess it depends on the details and amount of "obfuscation"
       | that he mentions.
        
         | elahieh wrote:
         | Copying one of my old comments from slashdot... it sounds
         | similar to Sierra's "cpc.com". While I was reading the article
         | I wondered if the equivalent of this process for the 6502
         | (BRK/COP interrupt table?) would work.
         | 
         | Back in the 1980s Sierra On-Line used to copy protect their
         | adventure games with a copy protection system which involved
         | strangely formatted sectors on the original disk which were
         | impossible to duplicate exactly using standard PC hardware.
         | 
         | The loader "sierra.com" used to call a copy-protection program
         | "cpc.com" which loaded data from the disk to decrypt the main
         | program and run it. cpc.com had some of the most obscure,
         | twisty, awful code ever written to prevent debugging and it
         | constantly used different methods to thwart stepping through
         | the program using INT 3 (these were the days before Soft-Ice).
         | 
         | But the solution (or "crack") was just dead simple. Just fire
         | up debug, step to the beginning of cpc.com, and copy the vector
         | from INT 3 into the INT 13 vector - then cpc.com stops right at
         | the point where the data from the disk is being loaded, so it
         | can be copied.
         | 
         | Despite all the incredibly complex code, cpc.com had to read
         | the data off the disk so there was no way the Sierra
         | programmers could thwart this method.
        
         | outworlder wrote:
         | > Just rewrite the machine code to jump over the check
         | 
          | Sure. It's even easier today: not only do we have specialized
         | software for cracking things, but we can even dump the memory
         | contents and inspect them, patch up while the program is
         | paused, and then rewind and try again from the same location.
         | If we mess up, we can quite easily restart, just run the
          | program again from our fast NVMe drives (it will probably come
         | straight from the OS cache). Heck, in some cases we can "fuzz"
         | the program and let the computer try to figure out the winning
         | combination! We can do this in parallel with our multiple
         | cores.
         | 
         | Now think about the context back in the day. For the most part,
         | people were trying to crack the copy protection using the same
         | machine that ran the software. In the case of the BBC Micro,
         | you could have anywhere from 16 to 128KB, depending on the
         | model. In that era, it was often the case that you couldn't
         | even run a debugger, because it wouldn't fit alongside the
         | program you were debugging. And even if you could, their
         | capabilities were nowhere close to what we have today and -
         | depending on the hardware - some breakpoints you couldn't even
         | reach (inside code that disabled interruptions - which was
         | often the case for software that accesses disks).
         | 
         | It could be incredibly hard to find exactly what "jump" you had
         | to change. If you messed up, this could mean a machine lockup.
         | Now you have to reboot and load your stuff again from slow
         | floppy media.
         | 
         | It was difficult.
        
         | pwg wrote:
         | >Very clever and great article! But it sounds pretty easy to
         | write a cracker for it: Just rewrite the machine code to jump
         | over the check. Or did I miss anything?
         | 
         | Nope, you did not miss anything. Many of these old DOS game
         | floppy protections could be bypassed by a single byte change to
         | the exe (or com, depending on the game) file. The time
         | consuming part was working out exactly which byte to change.
         | 
         | Source: I cracked most of my DOS games back in the day, using
         | nothing more than DOS's supplied 'debug' tool, so I did not
         | have to go find, and insert, the floppy in order to play the
         | game. On many of them, changing a single JC to JNC or a single
         | JE to JZ (or the reverse) was all it took to bypass the copy
         | protection. A few others took a few more bytes worth of
         | patching, one had to convert a conditional into an
         | unconditional branch or otherwise nop out a small code segment.
         | The one that required the most effort was MicroProse's Apache
         | helicopter simulator. They used the "weak sector trick" but the
         | contents of the "weak sector" was also a small bit of the
         | overall game code. So for that one I created a loader that
         | hooked the disk interrupt and when it detected the weak sector
         | read, it returned the sector data and the proper "disk read
         | error" state for the rest of the game to work with.
        
         | [deleted]
        
         | karmakaze wrote:
         | My thoughts exactly. I spent a good amount of time learning
         | about and cracking various schemes. It was never about
         | distribution but about bragging rights and the different ways
         | code was obfuscated. Most were disappointingly simple, others
         | had more layers, very rarely found ones that needed special
         | effort beyond say a person-day or two to solve.
        
       | beagle3 wrote:
       | IIRC, Quaid software's Copywrite on the PC was able to reliably
       | duplicate weak bits, and had a companion called "zerodisk" which
       | would -- in cooperation with marks left by Copywrite -- emulate
       | laser holes.
       | 
       | I remember at least one copy protection system I analyzed, which
        | got "free rein" into writing tracks, by configuring the drive to
        | write just one huge sector per track (which ended up being longer
        | than the track), and encoding the sector gaps "in band" which
       | later became "out of band" because the main track header was
       | overwritten (and an "in band" one became out-of-band).
       | 
       | It was interesting, but I have no nostalgia for that.
        
       | notacoward wrote:
       | I remember a similar "easy to write, easy to read, hard to
       | recreate" approach being touted for credit-card security a while
       | ago. The idea was to embed bits of glitter in a clear epoxy
       | matrix, and collect a "fingerprint" of the result when read from
       | different angles. It would be nearly impossible to recreate the
       | glitter pattern. I really liked the idea, but apparently they
       | never solved the alignment problem well enough to make the "easy
       | to read" part a reality.
        
       | berkut wrote:
       | Slightly off-topic, but since when were floppies referred to as
       | "disc", as opposed to "disk"? I thought it was from Diskette?
       | 
       | Is it a language / region thing?
       | 
        | Optical discs _were_ "disc", but at least growing up in the UK
       | in the 80s/90s with DOS/Windows, I'm pretty certain I remember
       | them always being "disk" for floppies?
       | 
       | Am I misremembering?
        
         | karmakaze wrote:
         | I remember it the same way. But then if floppies are diskettes,
         | what's the non-'ette' disk referring to?
         | 
         | DASD Direct-access storage device[0]
         | 
         | Disk Pack[1] perhaps?
         | 
         | Answer seems to be the 8" floppy disk[2] which only IBM called
         | "Diskette-1" and 5-1/4" ones called mini-diskettes, floppy
         | diskettes, etc.
         | 
         | [0] https://en.wikipedia.org/wiki/Direct-access_storage_device
         | 
         | [1] https://en.wikipedia.org/wiki/Disk_pack
         | 
          | [2] https://en.wikipedia.org/wiki/Floppy_disk#8-inch_floppy_disk
        
           | kgwgk wrote:
           | So you think diskette was derived from disk, where disk
           | refers to "8-inch floppy disk introduced by IBM under the
           | name of diskette"?
           | 
            | https://www.ibm.com/ibm/history/exhibits/vintage/vintage_450...
           | 
           | I'd say IBM called floppy disks diskettes by opposition to
           | hard disks, which were huge at that time:
           | 
            | https://www.computerhistory.org/storageengine/winchester-pio...
        
           | dragonwriter wrote:
           | > But then if floppies are diskettes, what's the non-'ette'
           | disk referring to
           | 
           | Fixed disks (which were also quite large at the time.)
           | Floppies were removable disks, like cassettes; disk +
            | cassette = diskettes, also disk + diminutive -ette =
           | diskette.
        
             | kgwgk wrote:
             | Note that removable hard disks and hard disk cartridges
             | were also a thing.
        
         | Groxx wrote:
         | I've kinda wondered if the "c" spelling comes from "discus",
         | i.e. https://en.wikipedia.org/wiki/Discus_throw
         | 
         | I have absolutely no evidence for or against this though.
        
         | dwb wrote:
         | I read somewhere a long time ago (I forget where) that it was
         | (or tended to be) "disc" where the format came from the audio
         | world, and "disk" otherwise. So, "Compact Disc", but "hard
         | disk". No idea if this is rubbish or not but maybe it jogs
         | someone's memory.
        
         | panzagl wrote:
         | From the US 80-90's (c64/Amiga/DOS), I remember it as "disk". I
         | always thought "disc" was European in origin.
        
           | tremon wrote:
           | We also used hard disk/floppy disk here in Europe (NL). My
           | recollection is as the GP says, "disc" was only consistently
           | used for optical discs (CD, DVD, BR).
           | 
           | It may still be that "disc" is European in origin -- the
           | original CD came from Philips (NL) and Sony (JP) -- but for
           | computer components, I've never seen it spelled "disc".
        
         | kgwgk wrote:
         | No idea, but someone uses disc here:
         | https://jdebp.eu/FGA/floppy-discs-are-90mm-not-3-and-a-half-...
         | 
         | (btw, diskette comes from disk)
        
         | afandian wrote:
         | The 'k' spelling is American. Look at the ports on the BBC and
         | you'll find British spellings of 'analogue', 'disc'.
         | 
         | https://oldcomputers.net/bbc-micro.html
         | 
         | The User manual contains more language. For example, 'program'
         | for computer program (vs 'programme' which would be used for
         | TV)
         | 
         | http://bbc.nvg.org/doc/BBCUserGuide-1.00.pdf
        
           | Doctor_Fegg wrote:
           | The Amstrad CPC was "disc" too, reputedly because the first
           | mouldings used it by mistake and Amstrad was too cheap to
           | ever correct their error.
        
         | i_am_new_here wrote:
         | This is so off topic and/but (currently) still the top comment.
         | 
         | Since when would anyone remember how to properly write
         | something, when the representation he has is the phonetics in
         | his head?
         | 
         | Nobody thinks "It's disk, because it comes from diskette."
         | 
         | Why do people argue as if anyone would think like that? -
         | Though I don't doubt that it's the origin. Are we supposed to
         | know the origin of (every)thing(s)? - We mostly don't.
         | 
         | To then write it "disc" makes sense, except you are from
         | Germany.
         | 
         | To then pseudo-intellectually pretend that people know whatever
         | and what not and don't rather go by guts feel (what it sounds
         | like) is blatantly dishonest.
        
           | wolco2 wrote:
            | 20 posts in two years and you use the 21st to complain that
            | this off-topic post is still #1. Drop a parent-level post if
            | you have something better to discuss; don't reply on this
            | post saying this doesn't meet your standards.
        
           | jcelerier wrote:
           | > Nobody thinks "It's disk, because it comes from diskette."
           | 
            | uh? that's pretty much how I think all the time when writing
           | words for which I'm not sure of the spelling
        
       | empressplay wrote:
       | See also Spiradisc
       | https://paleotronic.com/2018/10/27/microm8-update-apple-ii-e...
        
       | jedberg wrote:
       | My favorite copy protection was on some games I had (I want to
       | say they were Microprose games? But I could be wrong) where they
       | would cut the hole in the disk just slightly bigger, and then
       | take advantage of the fact that in DOS you could talk directly to
       | the hardware to convince the read head to go just a little too
       | far. Then it could read the magic 41st track to load the game,
       | but no disk copy program could copy it.
        
         | dirkt wrote:
         | My favorite one is the spiral tracks on the Apple II, which
         | were possible because all phases of the stepper motor were
         | directly accessible on the controller, so you could move the
         | stepper motor in quarter tracks.
         | 
         | Impossible to copy unless you reproduce the head movements at
         | the right time.
        
         | FpUser wrote:
         | Nah. I remember those days. Programs that could
         | read/write/discover more tracks than the standard amount were
         | widely available.
        
           | jedberg wrote:
           | Well, it was 30 plus years ago, but what I remember is that
           | at first it was just the games that were doing it, and then
           | people figured it out and made those other programs, making
           | the copy protection useless.
        
           | marzell wrote:
           | There was a similar situation with CDs where you could
           | overprovision data that existed past the technical limit of
            | usable range. I think that was utilized in NIN's Year Zero
           | ARG experiment.
        
         | userbinator wrote:
         | Some of the "floppy extender" programs used more than the usual
         | number of tracks, so unless the 41st was hidden somehow so that
         | its existence was a secret, it would be no harder to copy than
         | all the others.
         | 
         | Of course, that may well be why it was so successful --- the
         | extra track wasn't well known, and information travelled much
         | slower back then.
        
       | m463 wrote:
       | Back in the 1980's I think there were a lot of interesting
       | schemes.
       | 
       | The solution was to just get an updated version of copy2pc or
       | copywrite and they would have a fix.
       | 
       | But I remember a few schemes that were interesting workarounds.
       | 
       | One was the hole in the disk, one was a laser-burned dot on the
       | disk.
       | 
       | I recall with the hole in the disk - the software would try to
       | read and if it succeeded it was a copy.
       | 
       | The second one was _slightly_ different and I believe the
       | software would write to it, and read it back, and if it could
       | read it back it was a copy.
       | 
       | However the best of all was either the scratch-n-sniff card from
        | Leather Goddesses of Phobos, or the Age Verification of Leisure
       | Suit Larry.
       | 
        | example:
        | 
        |   "Gone With The Wind" is about
        |     a. outer space.
        |     b. a bank robbery.
        |     c. four hours long.
        |     d. dust.
        | 
        | or
        | 
        |   President Ford prescribed _____ for dealing with economic problems.
        |     a. tranquilizers
        |     b. employment
        |     c. that everyone wear a WIN button
        |     d. that everyone should have a nice day
        
         | hbbio wrote:
         | It's also quite funny that Quaid (who made copywrite) was sued
         | by a protection vendor... but won!
         | 
         | "We hold that: (1) Quaid did not infringe Vault's exclusive
          | right to reproduce its program in copies under § 106(1); (2)
         | Quaid's advertisement and sale of RAMKEY does not constitute
         | contributory infringement; (3) RAMKEY does not constitute a
          | derivative work of Vault's program under § 106(2); and (4) the
         | provision in Vault's license agreement, which prohibits the
         | decompilation or disassembly of its program, is unenforceable."
         | 
         | in https://cyber.harvard.edu/ilaw/Contract/vault.htm
         | 
          | Edit: there is a Wikipedia page for that
          | https://en.wikipedia.org/wiki/Vault_Corp._v._Quaid_Software_....
          | (there is a dot at the end of the URL but HN parser does not
          | treat it correctly)
        
       | carapace wrote:
       | Who recalls the provenance of this old legend about the fellow
       | who challenged his pal to decode a certain floppy?
       | 
       | It was a bog-standard DOS boot disk (IIRC) that he could put in
       | his machine and boot normally. But his pal put it in his computer
       | and... nothing doing, no boot. Analysis of the floppy availed
       | not. The challenge went unmet.
       | 
       | What did our hero do to make the floppy?
       | 
       | .esrever ni nups evird eht os ytiralop etisoppo htiw meht
       | dehcattaer dna ,rotom eldnips evird eht ot seriw rewop eht
       | deredlosed ,evird ksid eht denepo eH
        
         | kgwgk wrote:
         | Hint: If the hero had tried a Plan 9 boot disk on his machine
         | it would have booted into Inferno :-)
        
         | anakaine wrote:
         | Tricky
        
         | AndrewStephens wrote:
         | Was this fellow a white haired gentleman in a velvet smoking
         | jacket who travelled in a police box? He was always solving
         | problems like that.
        
         | Dylan16807 wrote:
         | > Analysis of the floppy availed not.
         | 
         | It's not a very good puzzle if the only clue is "I dunno he
         | looked at it real squinty and it didn't help."
         | 
         | Apparently _any_ alternate formatting would have tripped up the
         | friend.
        
         | MisterTea wrote:
         | This reminds me of a less interesting story:
         | 
         | My father bought a 386 for his work to replace a 286 which only
         | had a 5.25 floppy drive. The 386 had both a 3.5 and 5.25 floppy
         | drive so he quickly switched to the more sturdy 3.5 disks and
         | moved a lot of work to the 3.5's.
         | 
         | Everything was working great until he got a second similarly
         | spec'd 386. For some reason the machines couldn't read each
          | other's 3.5" disks. So he called his programmer friend who
         | stopped by and did some testing. Both machines could
         | format/read/write their respective disks no problem. So he
         | formats and writes a test file to a disk from each machine and
         | takes them home with him.
         | 
         | My father gets a call from him the next day: "call the vendor
         | and have them give you a new 3.5 drive in the original machine"
          | Turns out the heads in the original machine's 3.5 drive were
         | slightly misaligned mechanically to the tracks. This caused the
         | disk to be perfectly workable in the bad drive but fail to read
         | in any other machine.
        
           | Zardoz84 wrote:
            | This reminded me of when I had a ZX Spectrum +3 as a child. At
            | some point a belt broke and my father replaced it with a
            | different belt. After that it couldn't read my old floppies any
            | more; I could only use the floppies if I formatted them again.
        
         | 1996 wrote:
         | The spoiler format is perfectly adapted to the content :)
        
         | speps wrote:
         | > He opened the disk drive, desoldered the power wires to the
         | drive spindle motor, and reattached them with opposite polarity
         | so the drive spun in reverse
        
         | rightbyte wrote:
         | Would that work for CDs too?
        
           | duskwuff wrote:
           | It'd take some doing. You wouldn't be able to burn a CD-R
           | backwards without some extra steps; a "blank" CD-R contains
           | some data in the pregroove to identify it as a recordable
           | disc and specify some parameters to the burner. A reverse-
           | rotating drive wouldn't be able to read that data, since it'd
           | be backwards. :)
        
       | mattbee wrote:
       | The other thing this scheme gives you is a unique image per
       | customer, so you could use it to trace illegal copies.
       | 
       | When I worked on some expensive emulator software 22 years ago,
       | floppy protection wasn't appropriate but I suggested to the boss
       | that we use the order of linker symbols in the main executable to
       | encode the customer's serial number.
       | 
       | I guess it was a No because they wanted to use a standard
       | duplicator, but also piracy was pretty well deterred by the 486
       | daughter board you needed to run it :)
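
mattbee's suggestion above, encoding the customer's serial number in the order of linker symbols, can be made concrete with a permutation code. This is an added example, not mattbee's or that product's code: the symbol names are constructed, and the scheme assumed is the Lehmer code, which maps a serial in the range [0, n!) to one ordering of n symbols and back, so a leaked binary's symbol table can be decoded to the customer it was built for.

```python
from math import factorial
from typing import List

# Constructed sample symbol table. In a real build these would be the
# function symbols of the product's executable; the names here are invented.
BASE_SYMBOLS: List[str] = [
    "init_cpu", "decode_opcode", "mmu_translate", "run_frame",
    "load_rom", "render_scanline", "audio_mix", "save_state",
]


def capacity(symbols: List[str]) -> int:
    """How many distinct serial numbers an ordering of these symbols can carry: n!."""
    return factorial(len(symbols))


def encode_serial(symbols: List[str], serial: int) -> List[str]:
    """Return the permutation of `symbols` that encodes `serial` (Lehmer code).

    The serial is written in factorial base; each digit picks the next symbol
    out of the pool of symbols not yet placed. That order would then be handed
    to the linker (object order or a linker script) for this customer's build.
    """
    n = len(symbols)
    if not 0 <= serial < factorial(n):
        raise ValueError(f"serial must be in [0, {factorial(n)}) for {n} symbols")
    pool = list(symbols)
    order: List[str] = []
    for remaining in range(n, 0, -1):
        digit, serial = divmod(serial, factorial(remaining - 1))
        order.append(pool.pop(digit))
    return order


def decode_serial(symbols: List[str], observed: List[str]) -> int:
    """Recover the serial from the symbol order seen in a binary, the step used
    when tracing a leaked copy back to the customer it was built for."""
    if sorted(observed) != sorted(symbols):
        raise ValueError("observed symbols do not match the known base set")
    pool = list(symbols)
    n = len(pool)
    serial = 0
    for position, name in enumerate(observed):
        digit = pool.index(name)
        serial += digit * factorial(n - 1 - position)
        pool.pop(digit)
    return serial


if __name__ == "__main__":
    order = encode_serial(BASE_SYMBOLS, 12345)
    print(order)
    print(decode_serial(BASE_SYMBOLS, order))  # 12345
```

Eight symbols already give 40320 distinct builds, and a real executable has far more symbols than that. Two practical points: fold a check value into the serial before encoding so that a binary whose symbols were reordered or damaged by accident does not decode to an innocent customer's number, and keep in mind that a copy that has been stripped or re-linked loses the mark entirely, which is the usual limit of any fingerprint embedded in the deliverable.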
        
       | DrBazza wrote:
       | I seem to remember the only software that would copy any disk you
       | pointed it at, was in fact the source code listed in the official
       | Acorn DFS manual. With the drawback that it copied one sector at
       | a time, so without a double drive, that was a lot of swapping for
       | a 40 track disk, let alone an 80 track one.
        
       | ballenf wrote:
       | I don't think it was mentioned, but I wonder if the mains power
       | fluctuation (voltage or hz) would affect drive sector length /
       | rpm also? So even the same drive couldn't produce a high fidelity
       | copy of one of these discs if the power input was different.
        
         | xxpor wrote:
         | I'm not sure how good the power supplies were back then, but
         | ideally you'd have no idea what the mains power was at the
         | drive since the power supply converts everything to DC. Now of
          | course rectification isn't perfect so there were probably some
         | artifacts, but enough to detect on the disk? Seems unlikely.
        
         | phnofive wrote:
         | Seems like intentionally randomizing this would be a good way
         | to mass produce fingerprinted copies - in addition to any
         | variants in the media.
        
       | garmaine wrote:
       | Wouldn't this be trivial to defeat once you know how it works
       | though? Make a bit-for-bit copy, then overwrite track 9 with the
       | new obfuscated lengths.
        
         | Dylan16807 wrote:
         | The same goes for any copy protection. If you understand how it
         | works, you can change the code to bypass it.
         | 
         | So it's "trivial" _after_ you do the hard part. The clever
         | thing is that it forces you to do the hard part without special
         | hardware.
        
         | MagnumOpus wrote:
         | Once you know how it works, you would just overwrite the checks
         | for track 9 with NOPs (or a fancy picture of your cracking
         | team's logo)...
        
       | enriquto wrote:
        | I'm just halfway through the text and I'm already tippy-tapping like
       | an excited toddler waiting for candy! This has the same hackish
       | aura as the "story of Mel"
        
       | VikingCoder wrote:
       | I remember my tech-savvy uncle was used to PCs which could read
       | double-sided floppy disks. His jaw about dropped out of his skull
       | when he saw me do the 0.5 second floppy-disk-flip that Apple IIc
       | gamers got used to doing, because they could only read from a
       | single side of the disk.
        
       | m3kw9 wrote:
       | DVD or CD protections had this type of protection where they read
       | a part of the disk most DVD writers can't write to
        
         | agumonkey wrote:
         | SONY Playstation fault injection was clever too.
        
       | acomjean wrote:
        | It's all very clever. Till it doesn't work. A long time ago, we
       | got EA's "seven cities of gold" from my parents for apple.
       | 
       | My brothers and I were all excited but it would start to load
       | then the drive would make a strange sound and it didn't work. We
        | exchanged it at the local software store; the next one did the same
        | thing. We tried it on a friend's Apple //c and it worked there. Our
       | //e drives must have been slightly out of spec. It was bitter
       | disappointment. But a valuable lesson.
       | 
       | They're now imaging floppies into new formats so the copy
       | protected disk can still run in emulation:
       | 
       | Things like the "Woz" format
       | https://applesaucefdc.com/woz/reference1/
        
       ___________________________________________________________________
       (page generated 2020-12-14 23:00 UTC)