Thread: CD-Cops Generic Unpacker v1.1 Open source

  1. #1

    CD-Cops Generic Unpacker v1.1 Open source

    I am tired of working on this unpacker. If anyone cares, I present you my latest unpacker. It can fully emulate main.exe's behaviour, load the qz_ file, hook some APIs and dump the process. It currently has two bugs in IAT building. Hope it gives you some ideas about API hooking.
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  2. #2
    blackcheck
    Guest
    hi

    is it true that cdcops checks the physical angle between
    the first and the last sector ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    I guess yes. Because sometimes copied CDs may run without any error if the layout is the same. The main weakness of this protection scheme is below:

    CheckSerialFromReg
    if CheckDiskLayout OK then
    run qz_file with Cmdline which is derived from gettickcount+productnumber+productname

    One possibility to crack this protection: sniff the product number and name and run the qz_ file. Everything will be OK.
    A second method can be:
    When the qz_ file runs, it debugs the w_x file, which is the crypted original exe. At the first WaitForDebugEvent API the program is decrypted but the imports are wrong. Decrypt the imports and you are done. All versions I have, from v1.72 to v2.04, are exactly the same. They change only the code and data sections' decrypt algo in every version.
    Emulation of the main exe file is the simplest and easiest method. Total emulation code is 3.5 kb. Can you believe it?
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  4. #4
    IcyDee
    Guest
    blackcheck

    Yes, it does check the angle between sectors. It does this by timing the response of the drive to read sector commands. This suggests an alternative method of simulating the original CD, which is to hook the relevant API, keep a record of the time and then 'play back' this time on a copy of the CD. This worked for me on an earlier version of this protection, since when it reads the sector it only uses the response time and is not bothered with the actual sector content.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    blackcheck
    Guest

    Cool

    hehe i don't want to crack it, i want to implement this into
    my own protection
    getting a cdcops target here is not that simple.

    I guess yes. Because sometimes copied CDs may run without any error if the layout is the same.
    that is *usually* a clonecd copy does not work, right? i also
    heard that it calculates the angle with 8 bit precision. so
    you have a 1:256 chance for the copy to work i guess.

    It does this by timing the response of the drive to read sector commands
    sounds like you reversed the proc that does this...
    can this be done through aspi ?
    does this piece of code get decrypted without the cd, too?

    if so i would be glad if someone could send me a cdcops exe

    i don't understand how you can compute this by timing, could
    you explain ?
    should be easy to calculate the length of one 'ring' with timing,but the angle ?

    yeah, well i guess it's my lack of knowledge about cds...
    how is a single sector arranged on the cd (physically) ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    IcyDee
    Guest
    Originally posted by blackcheck

    i don't understand how you can compute this by timing, could
    you explain ?
    should be easy to calculate the length of one 'ring' with timing,but the angle ?

    yeah, well i guess it's my lack of knowledge about cds...
    how is a single sector arranged on the cd (physically) ?
    Sectors are arranged in a continuous groove (rather like a record) but instead of a constant angular speed (45 rpm) it is a constant linear speed. This means that there are more sectors in an outer loop of the spiral than on an inner spiral.

    I worked out once that each sector takes a linear distance of about 14mm (this is not exactly true since adjacent sectors are combined to improve the error correction).

    Imagine two sectors, sector 1 on the inner loop of the spiral and a sector on an outer loop (say sector 200000). If the disk drive is told to read sector 1 and then sector 200000 then there will be a delay between the data being returned for each sector. This delay will be made up of several components.

    1. The operating system overhead.
    2. The time for the drive to seek from the inner to the outer sector.
    3. The time for the sector 200000 to rotate under the read head.

    Now (1) can be ruled out since it will be fairly constant for each read (and very short anyway) and will cancel out if we are looking for timing differences.

    (2) will be fairly constant and will depend upon the drive.

    (3) will depend upon a few factors, one being the angular distance between the start and end sector. The other being the rotational speed of the drive. We can assume that the rotational speed is constant and will cancel out.

    By making several measurements between sector 1-200000, 1-200001, 1-200002 etc. it is possible to work out which outer sector has the smallest angular distance to sector 1. This is what I believe CD-Cops measures.

    One flaw with CD-Cops was that it always measured between the same sectors. If you measure these timings and then 'play them back' on another copied disk then you could fool the protection into believing that the disk was an original.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
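
The timing measurement described in post #6, as an added simulation that is not part of the original thread or of CD-Cops itself: it models the disc as a constant-linear-velocity spiral and, for each base sector, finds the nearby sector with the shortest read delay from sector 1. Only the 14 mm sector length comes from the post; the track geometry, rotation period, seek time, base sectors and the copy's 14.1 mm sector length are assumed values.

```python
import math

# Assumed nominal geometry (not from the thread): track starts at a 25 mm
# radius with a 1.6 um pitch. SECTOR_LEN is the post's "about 14mm" figure.
R0 = 0.025
PITCH = 1.6e-6
SECTOR_LEN = 0.014
PERIOD = 0.12   # assumed constant rotation period, seconds (post's assumption)
SEEK = 0.150    # assumed constant seek time plus OS overhead, seconds


def revolutions(sector, sector_len):
    """Spiral turns from the start of the track to `sector`.

    Arc length of a tight spiral is s = pi * (r^2 - R0^2) / PITCH,
    and the radius grows by PITCH per turn.
    """
    r = math.sqrt(R0 ** 2 + PITCH * sector * sector_len / math.pi)
    return (r - R0) / PITCH


def read_delay(ref, target, sector_len):
    """Simulated time between the read of `ref` and the read of `target`."""
    angle = revolutions(target, sector_len) - revolutions(ref, sector_len)
    # After the seek, wait until the target sector rotates under the head.
    wait = (angle - SEEK / PERIOD) % 1.0
    return SEEK + wait * PERIOD


def fingerprint(sector_len, ref=1, bases=(200000, 210000, 220000), window=24):
    """For each base, the offset of the sector with the shortest delay."""
    marks = []
    for base in bases:
        delays = [read_delay(ref, base + k, sector_len) for k in range(window)]
        marks.append(delays.index(min(delays)))
    return tuple(marks)


def verify(enrolled, sector_len):
    return fingerprint(sector_len) == enrolled


if __name__ == "__main__":
    enrolled = fingerprint(SECTOR_LEN)   # measured once on the original
    print("original:", enrolled, verify(enrolled, SECTOR_LEN))
    copy_len = 0.0141                    # constructed: copy with 0.1 mm longer sectors
    print("copy:    ", fingerprint(copy_len), verify(enrolled, copy_len))
```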

  7. #7
    blackcheck
    Guest
    thanks a lot for your explanation.
    i tried it and it really works.
    i can detect a perfect clonecd copy.
    the only hard thing is to make it work
    reliably.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
