|
DonNews #11
21 апреля 2000 |
|
Programming - The algorithm disk protection against copying.
Disabler / DPl
Protect disks from being copied
(For example, protection UltraSonic)
So, here I will detail the algorithm
protect discs from being copied to the example
protection applied to UltraSonic'e and
precisely in its earlier versions. Code
the name of protection: Disabler Protection
System (DPS).
First, some history. Creating a US
I was faced with the problem of protection from disk
nasanktsionirovannogo copy or
Put simply, how to make the entire disk
not copied. Were based on two
protection algorithm. This Fucklock Protection
System by Destroyer / OHG and protection from the game
Prince of Persia (version of Magic Soft).
The first thing I do is collect one
all non-standard disc copiers
formats, as well as programs for
formatting and bend, allowing
scan paths.
The result was a set here:
Copiers:
Omega Copy v1.3, v1.4, v2.0
UFO v1.0
SoftCopy v1.3
McDonald v1.x, v2.x
Elastic Copy v0.1demo
Formatters:
Free Format v8.3
Elastic Copy v0.1demo
Scanners:
Conver Commander v4.61
RDS v3.1
Elastic Copy v0.1demo
After this, experiments with
formatting. At first I probyval
make non-standard format in the program
Free Format, but broken off, because there is always
was copyist who could it
copy. Had to be deleted from the
list. Next, he took Elastic Copy (by
Disabler (that's me)) and worked! None
copyist, but my, I could not
copy the disc. The whole trick is
in this: to take the drive and format as follows:
track sectors - size (tr-dos)
1,2,3,4,5,6,7,8,16 0 - 1
0 9, # F8 - 3
0 18 - 0
1-10 # F8, # F9, # FA, # FB, # FC - 3
1-10 # FD - # FD
11-160 1,2 ,..., 15.16 - 1
11-160 # FD - # FD
With this format, the sector # FD obtained
bat checksum, and size of
his nonstandard (128 * 2 ^ 253 bytes). After
format scan paths and seek
broken sector, and then put them
checksums in the table. Table
written on the 16th sector of the zero track.
Checksums sectors will be different
for each copy of the disk and recreate them
impossible.
And now an algorithm to test drive at
license (procedure error -
"Treatment" is not a license disk):
1. Grab a random dislocation from 1 to 128 - is
number of tested paths;
2. We are looking at her broken sector, if it is not
call error;
3. Check number of the sector if it
is not equal to # FD - error;
4. Read checksum sector
compares with a value in the table if they
are not equal - error;
Thus it turns out that we have achieved
her. Disc can not be copied. All
copiers for scanning are
Sector # FD, read it and try to
record, thus spoiling his control
amount.
Continuing the theme ...
Some of the algorithms of protection
Today I will talk about how to protect
prog'u from all kinds of buttons, as well as
how to make those same buttons.
So, today known the following
snide button. (I'm just going to describe how
they do and how to intercept)
1. Break
Done: press Space + Caps Shift
Interception: LD IX, ERROR; extradition procedure
; Error
PUSH IX
LD (23613), SP
CALL ..... ; What can be
; Stop Break'om
POP IX
I want to say that this example is
procedure to intercept any errors related to
with RST 8, ie, using a variable
err_sp (23,613).
2. NMI
Done: feeding ground for the 17th leg Z80
Interception: LD HL, ERROR
LD (23728), HL
3. 48kb RESET (It makes sense to ROM 91go
years where there are no clear memory of rst 0)
Done: Normal reset, but when you reset
ROM included with the basic 48.
Interception: XOR A; Option 1 - reset
LD (23568), A
or
LD A, 1, Option 2 - to intercept
LD (23568), A
LD HL, 52
LD (23730), HL; Transition to
; Address 24872
ORG 24872
JP ERROR
Explains the detail how it works
the last example. When done RESET'e JP
0 in the ROM. The ROM is checked:
.....
LD A, (23568)
DEC A
JP NZ, 99, ie, if at
, 23568 no 1, 99 JP
; (Sm.Variant 1)
.....
The address is 1999 prospect pa cleanup.
Next is a fragment:
.....
LD A, # FE
IN A, (254)
RRA
JP NC, 1202; if pressed Caps
; Shift, then reset
.....
At 1202 is the same as for
at 99. And finally below is
fragment:
.....
LD HL, (23730)
LD (HL), 62
DEC HL
LD SP, HL
CALL .....
.....
He we are interested. If the address
23730 will be a number less than # 4000 (16384), then
CPU goes to the first team and CALL
exit does not return to the place of entrance, and
goes to:
LD HL, (23730)
DEC HL
DEC HL
LD A, (HL)
DEC HL
LD L, (HL)
LD H, A
JP (HL)
Thus, if the address is 23730
stuff setting of 52 processor will take
values of the addresses 49 and 50, ie, # 2A
# 61 and go to address # 612A (24872)
4. Normal magic
Done: Pressing the NMI at work
ROM DOS'a
Interception: is impossible, but it can be dirtied
disk on which the program is reset.
After pressing the Magic triggered procedure
at 102 in the ROM DOS'a. This procedure
makes a copy of disk space. But she
doing something else, or to be precise,
after Magic'a located at 23552
# C9. Thus do the checking:
LD A, (23552)
CP # C9
RET NZ; magic'a nebylo!
DI
LD A, # 3F
LD I, A
IM 1
ERROR XOR A
LD (23798), A
LD (23801), A
LD (23883), A
LD C, 1
LD IX, ERROR
PUSH IX
LD (23613), SP
CALL 15635
XOR A
LD HL, 0
LD DE, 0
LD BC, 9 * 256 5
CALL 15635
POP IX
.....
5.Scorpion magic
I can not say, because never
saw this car.
6.Cashe magic
Done: pressing for NMI
enabled Cash'e
Interception: The Magic is different from all
others in that JP is a 102
Cashe. The security is:
DI
IN A, (251)
LD HL, ERROR
LD A, 195
LD (102), A
LD (103), HL
IN A, (123)
EI
7.Cashe reset
Done: pressing RESET while the
Cash'e
Interception: DI
IN A, (251)
LD HL, ERROR
LD A, 195
LD (0), A
LD (1), HL
IN A, (123)
EI
That's all that I know about protection ...
C U, May Be ...
Other articles:
Similar articles:
В этот день... 21 November