[HN Gopher] The cleverest floppy disc protection ever? Western S...
___________________________________________________________________
The cleverest floppy disc protection ever? Western Security Ltd
Author : scarybeast
Score : 177 points
Date : 2020-12-14 19:01 UTC (3 hours ago)
(HTM) web link (scarybeastsecurity.blogspot.com)
(TXT) w3m dump (scarybeastsecurity.blogspot.com)
| h2odragon wrote:
| I never did BBC Micro, but in the early PC days there were "Copy II PC" add-in ISA cards that the floppy cable passed through on the way to the drive. With their software most any floppy disk could be copied with a standard PC drive; and with a bit of hacking you could do things like read Victor 9000 floppies.
|
| There was only one floppy I could never get, a licensed Scrabble game that insisted on writing scores to its game disc. My mom loved that game and we had to buy it twice. It was humiliating, I had this special hardware and I never did figure that one out.
|
| * found one: https://www.biocomp.net/o62799.htm
| Firehawke wrote:
| The "Copy II PC Option Board", yeah. I knew a guy who had one, and it definitely could handle a lot of stuff that you normally couldn't. Interestingly, you really wanted an early-era board because they were forced to water down the later revisions so they couldn't copy newer protection schemes.
| dunham wrote:
| My fuzzy recollection is that the option board could read the entire track at once, raw - not MFM decoded, where the typical controller in a PC had a high level interface that only gave you sectors.
|
| One copy protection system that I remember was a track that had a mix of long and short sectors with the short sectors embedded in the middle of the longer ones. (Sector headers/footers were marked by special bytes that were illegal MFM coding.) If a program tried to copy the track with a normal floppy controller, they would have more sectors than would fit on a track.
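The "illegal MFM coding" dunham mentions, worked through as an added example (editor's code, not from the linked article or any commenter): a minimal MFM encoder/decoder, a checker for the clock rule, and a scan of a constructed raw-track fragment for the 0x4489 address mark, which a rule-following encoder can never produce from data bytes. It assumes the standard IBM-style MFM clock rule and the 0xA1 sync byte; the function names and the track fragment are my own.

```python
"""MFM bit cells, and why the 0x4489 address mark is 'illegal' MFM."""
from typing import List

# 0xA1 encodes to 0x44A9 under the MFM rule below; the address mark drops one
# clock bit to make 0x4489, which no data byte encodes to at any alignment.
SYNC_MARK = 0x4489


def mfm_encode(data: bytes, prev_bit: int = 0) -> List[int]:
    """Return the bit cells (clock, data, clock, data, ...) for `data`.

    MFM rule: a clock cell is 1 only when both neighbouring data bits are 0.
    `prev_bit` is the last data bit already on the track before `data`.
    """
    cells: List[int] = []
    for byte in data:
        for i in range(7, -1, -1):  # MSB first
            d = (byte >> i) & 1
            cells.append(1 if (prev_bit == 0 and d == 0) else 0)  # clock cell
            cells.append(d)  # data cell
            prev_bit = d
    return cells


def mfm_decode(cells: List[int]) -> bytes:
    """Drop the clock cells (even indices) and repack whole bytes."""
    data_bits = cells[1::2]
    out = bytearray()
    for i in range(0, len(data_bits) - len(data_bits) % 8, 8):
        byte = 0
        for b in data_bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def cells_to_int(cells: List[int]) -> int:
    value = 0
    for b in cells:
        value = (value << 1) | b
    return value


def int_to_cells(value: int, width: int = 16) -> List[int]:
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def clock_violations(cells: List[int], prev_bit: int = 0) -> List[int]:
    """Indices of clock cells that break the MFM rule (empty for real data)."""
    bad = []
    for i in range(0, len(cells) - 1, 2):
        clock, d = cells[i], cells[i + 1]
        if clock != (1 if (prev_bit == 0 and d == 0) else 0):
            bad.append(i)
        prev_bit = d
    return bad


def find_sync_marks(cells: List[int]) -> List[int]:
    """Cell offsets at which a 16-cell window equals SYNC_MARK."""
    return [i for i in range(len(cells) - 15)
            if cells_to_int(cells[i:i + 16]) == SYNC_MARK]


def constructed_track() -> List[int]:
    """Constructed raw-track fragment (not captured from a real disk): a zero
    gap, three sync marks, then ID address mark 0xFE and four made-up bytes."""
    track = mfm_encode(bytes(4))  # 0x00 gap: 64 cells
    for _ in range(3):
        track += int_to_cells(SYNC_MARK)  # 3 x 16 cells
    # 0xA1 ends in a 1, so the next clock is computed with prev_bit=1
    track += mfm_encode(bytes([0xFE, 0x00, 0x00, 0x01, 0x02]), prev_bit=1)
    return track
```

Encoding b"\xa1" gives 0x44A9, clock_violations on the sync mark reports cell 10 (the dropped clock), and find_sync_marks(constructed_track()) returns [64, 80, 96] while the same scan over any rule-following encoding finds nothing.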
| h2odragon wrote:
| The original company got bought out by Central Point; they'd been running for a bit before then. They were not quite totally opaque in "API" then, there were like maybe 3 asm examples floating around BBS and net.* era usenet.
| RcouF1uZ4gsC wrote:
| Fully online, streaming gaming a la Stadia, will be the ultimate in copy and cheat protection. Since you don't have access to the actual code, you won't be able to modify or hack it to either cheat or bypass protection.
| ev1 wrote:
| I understand that this is horrible for unbreakable DRM, but in my case, I only play multiplayer online games (MMOs) - there is nothing to pirate. I'd happily take game streaming in exchange for getting rid of invasive, useless, data-collecting (including clipboard contents, uploading files on disk, etc.) rootkit anticheats starting at boot being "mandatory" to play.
| CobrastanJorji wrote:
| There's another benefit here that I haven't seen yet. Suddenly it becomes potentially reasonable to fully trust "clients". That enables much better anti-latency schemes which, combined with the clients probably being on the same low latency cloud network as each other, could potentially produce some really fantastic results. But you'd probably have to design the game engine around it.
| csl wrote:
| Very clever and great article! But it sounds pretty easy to write a cracker for it: Just rewrite the machine code to jump over the check. Or did I miss anything?
|
| Edit: Guess it depends on the details and amount of "obfuscation" that he mentions.
| elahieh wrote:
| Copying one of my old comments from slashdot... it sounds similar to Sierra's "cpc.com". While I was reading the article I wondered if the equivalent of this process for the 6502 (BRK/COP interrupt table?) would work.
|
| Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware.
|
| The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice).
|
| But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied.
|
| Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method.
| outworlder wrote:
| > Just rewrite the machine code to jump over the check
|
| Sure. It's even easier today: not only do we have specialized software for cracking things, but we can even dump the memory contents and inspect them, patch up while the program is paused, and then rewind and try again from the same location. If we mess up, we can quite easily restart, just run the program again from our fast NVMe drives (it will probably come straight from the OS cache). Heck, in some cases we can "fuzz" the program and let the computer try to figure out the winning combination! We can do this in parallel with our multiple cores.
|
| Now think about the context back in the day. For the most part, people were trying to crack the copy protection using the same machine that ran the software. In the case of the BBC Micro, you could have anywhere from 16 to 128KB, depending on the model.
| In that era, it was often the case that you couldn't even run a debugger, because it wouldn't fit alongside the program you were debugging. And even if you could, their capabilities were nowhere close to what we have today and - depending on the hardware - some breakpoints you couldn't even reach (inside code that disabled interruptions - which was often the case for software that accesses disks).
|
| It could be incredibly hard to find exactly what "jump" you had to change. If you messed up, this could mean a machine lockup. Now you have to reboot and load your stuff again from slow floppy media.
|
| It was difficult.
| pwg wrote:
| > Very clever and great article! But it sounds pretty easy to write a cracker for it: Just rewrite the machine code to jump over the check. Or did I miss anything?
|
| Nope, you did not miss anything. Many of these old DOS game floppy protections could be bypassed by a single byte change to the exe (or com, depending on the game) file. The time consuming part was working out exactly which byte to change.
|
| Source: I cracked most of my DOS games back in the day, using nothing more than DOS's supplied 'debug' tool, so I did not have to go find, and insert, the floppy in order to play the game. On many of them, changing a single JC to JNC or a single JE to JZ (or the reverse) was all it took to bypass the copy protection. A few others took a few more bytes worth of patching, one had to convert a conditional into an unconditional branch or otherwise nop out a small code segment. The one that required the most effort was MicroProse's Apache helicopter simulator. They used the "weak sector trick" but the contents of the "weak sector" was also a small bit of the overall game code.
| So for that one I created a loader that hooked the disk interrupt and when it detected the weak sector read, it returned the sector data and the proper "disk read error" state for the rest of the game to work with.
| [deleted]
| karmakaze wrote:
| My thoughts exactly. I spent a good amount of time learning about and cracking various schemes. It was never about distribution but about bragging rights and the different ways code was obfuscated. Most were disappointingly simple, others had more layers, very rarely found ones that needed special effort beyond say a person-day or two to solve.
| beagle3 wrote:
| IIRC, Quaid software's Copywrite on the PC was able to reliably duplicate weak bits, and had a companion called "zerodisk" which would -- in cooperation with marks left by Copywrite -- emulate laser holes.
|
| I remember at least one copy protection system I analyzed, which got "free rein" into writing tracks, by configuring the drive to write just one huge sector per track (which ended up being longer than the track), and encoding the sector gaps "in band" which later became "out of band" because the main track header was overwritten (and an "in band" one became out-of-band).
|
| It was interesting, but I have no nostalgia for that.
| notacoward wrote:
| I remember a similar "easy to write, easy to read, hard to recreate" approach being touted for credit-card security a while ago. The idea was to embed bits of glitter in a clear epoxy matrix, and collect a "fingerprint" of the result when read from different angles. It would be nearly impossible to recreate the glitter pattern. I really liked the idea, but apparently they never solved the alignment problem well enough to make the "easy to read" part a reality.
| berkut wrote:
| Slightly off-topic, but since when were floppies referred to as "disc", as opposed to "disk"? I thought it was from Diskette?
|
| Is it a language / region thing?
|
| Optical discs __were__ "disc", but at least growing up in the UK in the 80s/90s with DOS/Windows, I'm pretty certain I remember them always being "disk" for floppies?
|
| Am I misremembering?
| karmakaze wrote:
| I remember it the same way. But then if floppies are diskettes, what's the non-'ette' disk referring to?
|
| DASD Direct-access storage device[0]
|
| Disk Pack[1] perhaps?
|
| Answer seems to be the 8" floppy disk[2] which only IBM called "Diskette-1" and 5-1/4" ones called mini-diskettes, floppy diskettes, etc.
|
| [0] https://en.wikipedia.org/wiki/Direct-access_storage_device
|
| [1] https://en.wikipedia.org/wiki/Disk_pack
|
| [2] https://en.wikipedia.org/wiki/Floppy_disk#8-inch_floppy_disk
| kgwgk wrote:
| So you think diskette was derived from disk, where disk refers to "8-inch floppy disk introduced by IBM under the name of diskette"?
|
| https://www.ibm.com/ibm/history/exhibits/vintage/vintage_450...
|
| I'd say IBM called floppy disks diskettes by opposition to hard disks, which were huge at that time:
|
| https://www.computerhistory.org/storageengine/winchester-pio...
| dragonwriter wrote:
| > But then if floppies are diskettes, what's the non-'ette' disk referring to
|
| Fixed disks (which were also quite large at the time.) Floppies were removable disks, like cassettes; disk + cassette = diskettes, also disk + diminutive -ette = diskette.
| kgwgk wrote:
| Note that removable hard disks and hard disk cartridges were also a thing.
| Groxx wrote:
| I've kinda wondered if the "c" spelling comes from "discus", i.e. https://en.wikipedia.org/wiki/Discus_throw
|
| I have absolutely no evidence for or against this though.
| dwb wrote:
| I read somewhere a long time ago (I forget where) that it was (or tended to be) "disc" where the format came from the audio world, and "disk" otherwise. So, "Compact Disc", but "hard disk". No idea if this is rubbish or not but maybe it jogs someone's memory.
| panzagl wrote:
| From the US 80-90's (c64/Amiga/DOS), I remember it as "disk". I always thought "disc" was European in origin.
| tremon wrote:
| We also used hard disk/floppy disk here in Europe (NL). My recollection is as the GP says, "disc" was only consistently used for optical discs (CD, DVD, BR).
|
| It may still be that "disc" is European in origin -- the original CD came from Philips (NL) and Sony (JP) -- but for computer components, I've never seen it spelled "disc".
| kgwgk wrote:
| No idea, but someone uses disc here: https://jdebp.eu/FGA/floppy-discs-are-90mm-not-3-and-a-half-...
|
| (btw, diskette comes from disk)
| afandian wrote:
| The 'k' spelling is American. Look at the ports on the BBC and you'll find British spellings of 'analogue', 'disc'.
|
| https://oldcomputers.net/bbc-micro.html
|
| The User manual contains more language. For example, 'program' for computer program (vs 'programme' which would be used for TV).
|
| http://bbc.nvg.org/doc/BBCUserGuide-1.00.pdf
| Doctor_Fegg wrote:
| The Amstrad CPC was "disc" too, reputedly because the first mouldings used it by mistake and Amstrad was too cheap to ever correct their error.
| i_am_new_here wrote:
| This is so off topic and/but (currently) still the top comment.
|
| Since when would anyone remember how to properly write something, when the representation he has is the phonetics in his head?
|
| Nobody thinks "It's disk, because it comes from diskette."
|
| Why do people argue as if anyone would think like that? - Though I don't doubt that it's the origin. Are we supposed to know the origin of (every)thing(s)? - We mostly don't.
|
| To then write it "disc" makes sense, except you are from Germany.
|
| To then pseudo-intellectually pretend that people know whatever and what not and don't rather go by gut feel (what it sounds like) is blatantly dishonest.
| wolco2 wrote:
| 20 posts in two years and you use 21 to complain this off topic post is still #1. Drop a parent level post if you have something better to discuss, don't reply on this post saying this doesn't meet your standards.
| jcelerier wrote:
| > Nobody thinks "It's disk, because it comes from diskette."
|
| uh? that's pretty much how I think all the time when writing words for which I'm not sure of the spelling
| empressplay wrote:
| See also Spiradisc https://paleotronic.com/2018/10/27/microm8-update-apple-ii-e...
| jedberg wrote:
| My favorite copy protection was on some games I had (I want to say they were Microprose games? But I could be wrong) where they would cut the hole in the disk just slightly bigger, and then take advantage of the fact that in DOS you could talk directly to the hardware to convince the read head to go just a little too far. Then it could read the magic 41st track to load the game, but no disk copy program could copy it.
| dirkt wrote:
| My favorite one is the spiral tracks on the Apple II, which were possible because all phases of the stepper motor were directly accessible on the controller, so you could move the stepper motor in quarter tracks.
|
| Impossible to copy unless you reproduce the head movements at the right time.
| FpUser wrote:
| Nah. I remember those days. Programs that could read/write/discover more tracks than the standard amount were widely available.
| jedberg wrote:
| Well, it was 30 plus years ago, but what I remember is that at first it was just the games that were doing it, and then people figured it out and made those other programs, making the copy protection useless.
| marzell wrote:
| There was a similar situation with CDs where you could overprovision data that existed past the technical limit of useable range. I think that was utilized in NIN's Year Zero ARG experiment.
| userbinator wrote:
| Some of the "floppy extender" programs used more than the usual number of tracks, so unless the 41st was hidden somehow so that its existence was a secret, it would be no harder to copy than all the others.
|
| Of course, that may well be why it was so successful --- the extra track wasn't well known, and information travelled much slower back then.
| m463 wrote:
| Back in the 1980's I think there were a lot of interesting schemes.
|
| The solution was to just get an updated version of copy2pc or copywrite and they would have a fix.
|
| But I remember a few schemes that were interesting workarounds.
|
| One was the hole in the disk, one was a laser-burned dot on the disk.
|
| I recall with the hole in the disk - the software would try to read and if it succeeded it was a copy.
|
| The second one was _slightly_ different and I believe the software would write to it, and read it back, and if it could read it back it was a copy.
|
| However the best of all was either the scratch-n-sniff card from Leather Goddesses of Phobos, or the Age Verification of Leisure Suit Larry.
|
| example: "Gone With The Wind" is about a. outer space. b. a bank robbery. c. four hours long. d. dust.
|
| or President Ford prescribed _____ for dealing with economic problems. a. tranquilizers b. employment c. that everyone wear a WIN button d. that everyone should have a nice day
| hbbio wrote:
| It's also quite funny that Quaid (who made copywrite) was sued by a protection vendor... but won!
|
| "We hold that: (1) Quaid did not infringe Vault's exclusive right to reproduce its program in copies under § 106(1); (2) Quaid's advertisement and sale of RAMKEY does not constitute contributory infringement; (3) RAMKEY does not constitute a derivative work of Vault's program under § 106(2); and (4) the provision in Vault's license agreement, which prohibits the decompilation or disassembly of its program, is unenforceable."
|
| in https://cyber.harvard.edu/ilaw/Contract/vault.htm
|
| Edit: there is a Wikipedia page for that https://en.wikipedia.org/wiki/Vault_Corp._v._Quaid_Software_.... (there is a dot at the end of the URL but HN parser does not treat it correctly)
| carapace wrote:
| Who recalls the provenance of this old legend about the fellow who challenged his pal to decode a certain floppy?
|
| It was a bog-standard DOS boot disk (IIRC) that he could put in his machine and boot normally. But his pal put it in his computer and... nothing doing, no boot. Analysis of the floppy availed not. The challenge went unmet.
|
| What did our hero do to make the floppy?
|
| .esrever ni nups evird eht os ytiralop etisoppo htiw meht dehcattaer dna ,rotom eldnips evird eht ot seriw rewop eht deredlosed ,evird ksid eht denepo eH
| kgwgk wrote:
| Hint: If the hero had tried a Plan 9 boot disk on his machine it would have booted into Inferno :-)
| anakaine wrote:
| Tricky
| AndrewStephens wrote:
| Was this fellow a white haired gentleman in a velvet smoking jacket who travelled in a police box? He was always solving problems like that.
| Dylan16807 wrote:
| > Analysis of the floppy availed not.
|
| It's not a very good puzzle if the only clue is "I dunno he looked at it real squinty and it didn't help."
|
| Apparently _any_ alternate formatting would have tripped up the friend.
| MisterTea wrote:
| This reminds me of a less interesting story:
|
| My father bought a 386 for his work to replace a 286 which only had a 5.25 floppy drive. The 386 had both a 3.5 and 5.25 floppy drive so he quickly switched to the more sturdy 3.5 disks and moved a lot of work to the 3.5's.
|
| Everything was working great until he got a second similarly spec'd 386. For some reason the machines couldn't read each other's 3.5" disks. So he called his programmer friend who stopped by and did some testing. Both machines could format/read/write their respective disks no problem.
| So he formats and writes a test file to a disk from each machine and takes them home with him.
|
| My father gets a call from him the next day: "call the vendor and have them give you a new 3.5 drive in the original machine". Turns out the heads in the original machine's 3.5 drive were slightly misaligned mechanically to the tracks. This caused the disk to be perfectly workable in the bad drive but fail to read in any other machine.
| Zardoz84 wrote:
| This reminded me of when I had a ZX Spectrum +3 as a child. At some point, a belt broke and my father replaced it with a different belt. So, it couldn't read my old floppies anymore. I could only use the floppies if I formatted them again.
| 1996 wrote:
| The spoiler format is perfectly adapted to the content :)
| speps wrote:
| > He opened the disk drive, desoldered the power wires to the drive spindle motor, and reattached them with opposite polarity so the drive spun in reverse
| rightbyte wrote:
| Would that work for CDs too?
| duskwuff wrote:
| It'd take some doing. You wouldn't be able to burn a CD-R backwards without some extra steps; a "blank" CD-R contains some data in the pregroove to identify it as a recordable disc and specify some parameters to the burner. A reverse-rotating drive wouldn't be able to read that data, since it'd be backwards. :)
| mattbee wrote:
| The other thing this scheme gives you is a unique image per customer, so you could use it to trace illegal copies.
|
| When I worked on some expensive emulator software 22 years ago, floppy protection wasn't appropriate but I suggested to the boss that we use the order of linker symbols in the main executable to encode the customer's serial number.
|
| I guess it was a No because they wanted to use a standard duplicator, but also piracy was pretty well deterred by the 486 daughter board you needed to run it :)
| DrBazza wrote:
| I seem to remember the only software that would copy any disk you pointed it at was in fact the source code listed in the official Acorn DFS manual. With the drawback that it copied one sector at a time, so without a double drive, that was a lot of swapping for a 40 track disk, let alone an 80 track one.
| ballenf wrote:
| I don't think it was mentioned, but I wonder if the mains power fluctuation (voltage or Hz) would affect drive sector length / rpm also? So even the same drive couldn't produce a high fidelity copy of one of these discs if the power input was different.
| xxpor wrote:
| I'm not sure how good the power supplies were back then, but ideally you'd have no idea what the mains power was at the drive since the power supply converts everything to DC. Now of course rectification isn't perfect so there were probably some artifacts, but enough to detect on the disk? Seems unlikely.
| phnofive wrote:
| Seems like intentionally randomizing this would be a good way to mass produce fingerprinted copies - in addition to any variants in the media.
| garmaine wrote:
| Wouldn't this be trivial to defeat once you know how it works though? Make a bit-for-bit copy, then overwrite track 9 with the new obfuscated lengths.
| Dylan16807 wrote:
| The same goes for any copy protection. If you understand how it works, you can change the code to bypass it.
|
| So it's "trivial" _after_ you do the hard part. The clever thing is that it forces you to do the hard part without special hardware.
| MagnumOpus wrote:
| Once you know how it works, you would just overwrite the checks for track 9 with NOPs (or a fancy picture of your cracking team's logo)...
| enriquto wrote:
| I'm just halfway through the text and I'm already tippy-tapping like an excited toddler waiting for candy! This has the same hackish aura as the "story of Mel".
| VikingCoder wrote:
| I remember my tech-savvy uncle was used to PCs which could read double-sided floppy disks. His jaw about dropped out of his skull when he saw me do the 0.5 second floppy-disk-flip that Apple IIc gamers got used to doing, because they could only read from a single side of the disk.
| m3kw9 wrote:
| DVD or CD protections had this type of protection where they read a part of the disk most DVD writers can't write to.
| agumonkey wrote:
| SONY Playstation fault injection was clever too.
| acomjean wrote:
| It's all very clever. Till it doesn't work. A long time ago, we got EA's "Seven Cities of Gold" from my parents for Apple.
|
| My brothers and I were all excited but it would start to load, then the drive would make a strange sound and it didn't work. We exchanged it at the local software store; the next one did the same thing. We tried on a friend's Apple //c and it worked there. Our //e drives must have been slightly out of spec. It was bitter disappointment. But a valuable lesson.
|
| They're now imaging floppies into new formats so the copy protected disk can still run in emulation:
|
| Things like the "Woz" format https://applesaucefdc.com/woz/reference1/
___________________________________________________________________
(page generated 2020-12-14 23:00 UTC)