SafeDisc
From Wikipedia, the free encyclopedia
SafeDisc is a CD/DVD copy protection program for Windows applications and games, developed by Macrovision Corporation, aiming to prevent software piracy, as well as resisting home media duplication devices, professional duplicators, and reverse engineering attempts. There have been several editions of SafeDisc over the years, each one has the goals of making discs harder to copy. The current revision is marketed as SafeDisc Advanced.
Though SafeDisc protection effectively prevents regular home users from creating functional copies of CDs or DVDs, it is quite easy for skilled software crackers to bypass. The early versions of SafeDisc did not make the discs very difficult to copy. Recent versions 2.9+ can produce discs that are difficult to copy or reverse engineer, requiring specific burners capable of burning the "weak sectors" and odd data formats that are characteristic of SafeDisc.
Previous versions of SafeDisc were overcome by loopback mount software such as DAEMON Tools and Alcohol 52%. SafeDisc currently blacklists such software, meaning that those who want to use this method must install additional software to cloak the mounter. Example include CureRom.
Another potential attack on SafeDisc is to pull the encrypted application out of the archive it is contained in. All SafeDisc encrypted discs contain an ICD file, an encrypted format used by SafeDisc to ensure that the original CD is loaded. UnSafeDisc circumvents and decrypts SafeDisc encrypted files by opening the ICD file format, decrypting it, and converting it to an EXE file. However each program requires a specific patch to enable full functionality.
Contents |
[edit] Version History
[edit] SafeDisc (V1)
SafeDisk V1 protected CDs can be recognized by several Files on the CD:
- 00000001.TMP
- CLCD16.DLL
- CLCD32.DLL
- CLOKSPL.EXE
- DPLAYERX.DLL
And also by the existence of two files <GAME>.EXE and <GAME>.ICD (where <GAME> is replaced with the acual game's name).
The EXE executable is only a loader which decrypts and loads the protected game executable in the encrypted ICD File.
The initial version of SafeDisc was easy for home users and professional duplicators alike to copy.
[edit] SafeDisc (V2)
The following files should exist on every original CD:
- 00000001.TMP
- 00000002.TMP - not always available!
The loader file (<GAME>.EXE) is now integrated into the main executable, making the <GAME>.ICD file obsolete. Also the CLOKSPL.EXE file, which was present in SafeDisc v1, does not exist anymore.
To check for the SD2 version search the <GAME>.EXE file for this string: "BoG_ *90.0&!! Yy>", after this string there are 3 unsigned longs, these are the version, subversion and revision numbers (in hex). Read errors will be encountered between sectors 822-10255 when making a backup.
The protection also has "weak" sectors which causes synchronization problems with certain CD-Writers. Digital signatures are still present in this version.
After the introduction of SafeDisc Version 2, "weak sectors" was introduced, making it more difficult to burn a copy of the disk, this has no effect on disc images mounted in DAEMON Tools or similar programs. In addition, SafeDisc Version 2.50 added ATIP detection making it impossible to use a copy in a burner unless software that masks this is used (CloneCD has the ability to do this). SafeDisc Versions 2.90 and above make burning copies more difficult requiring burners that are capable of burning the "weak sectors"; these drives are uncommon.
[edit] SafeDisc (V3)
SafeDisc v3 uses a key to encrypt the main executable (EXE or DLL) and creates a corresponding digital signature which is added to the CD-ROM/DVD-ROM when they are replicated. The size of the digital signature varies from 3 to 20 MB depending how good the encryption must be. The authentication process takes about 10 to 20 seconds.
SafeDisc v3 is capable of encrypting multiple executables over one or more CD/DVD medias, as long as the executables are encrypted with the same key and the digital signature is added to each media. SafeDisc v3 supports Virtual Drives as long as the original CD/DVD is available. Once the CD has been authenticated the game should continue to run from the virtual drive (as long as the virtual drive software has not been blacklisted...).
With the introduction of SafeDisc Version 3 which included support for CD/DVD media, as well as virtual drives, the difficulty of burning a copy increased even further.
[edit] SafeDisc (V4)
The current SafeDisc version in use is Version 4. As of November 2006, even DVDs using SafeDisc v4.70 can be burned using the latest version of Alcohol 120% (1.9.6 build 4719) which added RMPS v2.
[edit] Vulnerabilities
SafeDisc installs its own Windows device driver to the user's computer, named secdrv.sys. In addition to enabling the copy protection, it grants ring 0 access to the running application. This is a potential security risk, since trojans and other malware could use the driver to obtain administrator access to the machine, even if the programs are running under a limited account.
Even worse is that (beside the default configuration on Windows XP), most installers don't set the security configuration appropriately, allowing every user to let the driver configuration point at an arbitrarily chosen executable which (at the next reboot) is started with administrator privileges.
