SafeDisc / SecuROM emulation for games #211

Open
ghost opened this issue May 20, 2016 · 7 comments

@ghost

ghost commented May 20, 2016

I know this is kinda a tough request, but I was wondering if it would be possible at all to still be able to play win9x games (i.e. Grand Theft Auto 2, Diablo II, FIFA 2000 and many others) that are protected by SafeDisc or SecuROM by means of improving the IDE code or something? Under Windows 95 & 98 I've tried installing virtual clone drive 5.4.5.0 without using the IDE emulation at all but for some reason it still will not allow for this. Tried everything from Daemon tools to just the simple already-built-in IDE emulation.

It makes me wonder that even if DOSBox-X's Win9x Guest could use host/actual CD-ROM drives, it still would not work because the emulation in DOSBox-X code isn't there to begin with? Because Win9x on actual hardware handles this of course. Or does virtual clone drive not support this under 9x? (Daemon tools just quits and says "could not access image file", probably because of compatibility with the newer versions of tools to make CD Images)

This should be a worthwhile issue to address, especially since the only remaining solution to being able to play these titles is illegal (cracking the game).

@joncampbell123
Owner

I'm thinking the obvious first step would be to add support for IDE "passthrough" to the emulation. On Linux, that would mean accepting IDE ATAPI commands as an emulated CD-ROM drive, then passing the ATAPI commands more or less directly to the Linux SG IO ioctl interface for the CD-ROM drive on the host (usually /dev/sr0). ATAPI is basically a way to send CD-ROM SCSI commands over the IDE bus anyway. I'm also aware of similar interfaces to send SCSI directly to the drive in Mac OS X and Windows NT-based systems (both ASPI and NT SCSI DeviceIoControl).

The second suggestion is to figure out what SafeDisc and SecuROM do to the CD-ROM disc, then write a program to capture whatever inherent "signature" is read by the copy protection and then begin adding code that can fake that signature in the ISO/BIN/CUE based CD-ROM emulation. From what I've read about CD-ROM copy protection there are several known tricks that are used:

  • deliberate bad sectors (off the top of my head, my copy of Age of Empires II does this)
  • repeating sectors close together in the CD-ROM spiral (the same sector numbers can return different data depending on where you seek the CD-ROM head this way, a straight copy will copy only one of the two and trigger the copy protection)
  • subtle modifications to the burn that cause noticeable timing delays. The copy protection would measure how long it takes for specific reads. A copy would have little to no deviation in read timing.
  • data patterns that, if run through a CD burner (and therefore the CD-ROM data scrambling + EFM modulation) would cause a bad sector. The source disc would have been burned with the right EFM merging bits to prevent the source from exhibiting the bad sector, only the burned copy would end up with the bad sector (unless I am remembering this wrong!). It has to do with the concept of minimizing DC bias (roughly equal number of pits and lands) so the laser can track the CD-ROM spiral more reliably (which is what the data scrambling and EFM modulation is meant to ensure).

What does virtual clone and Daemon tools say in Windows 9x?

@ghost
Author

ghost commented May 20, 2016

Virtual Clone Drive is the only one at least willing to mount the image at all (with safedisc .iso), but doesn't offer any copy-protection emulation services like it does when installed on windows 7. I'm not sure if this is because of dosbox only or limited virtual clone's features under 9x. Therefore the game fails to start.

Daemon tools just says "cannot access image file" for some reason, with my securom .mds/.mdf image file made with Alcohol 120%. I've tried older versions of alcohol but to no success. I don't think I was able to mount a safedisc .iso in Daemon if I remember, but even if I did it still acted like virtual clone drive. It's been a while (well over a year) since I used Daemon due to the long install requirements. :)

I also noticed that when attempting this with the built-in IDE cd-rom emulation, the console window said "unknown ATAPI command/call" or something.

Anyway, thanks for the info and your research regarding all the types of CD-ROM protections! I'm glad you have an idea of what steps to take, I'm sure in the future this new feature will line up with VirtualBox's/VMware's capabilities with running/supporting these kinds of disc protections.

@aybe
Collaborator

aybe commented Sep 15, 2017

TL;DR

IIRC and if it hasn't been pruned from original DOSBox, using https://www.dosbox.com/wiki/MOUNT with IOCTL against an Alcohol 120 virtual drive allows such scenarios (without any change in DOSBox)

@DSN9990

DSN9990 commented Feb 9, 2022

I recently tried one game just only for testing purposes, NFS High Stakes, which appears to be protected by SafeDisc v1 (as PCGamingWiki says) and it simply will not load at all, no matter if I mount a virtual Daemon Tools drive (this does not seem to work for me in Win9x, e.g. if I use "mount d e: -t cdrom -usecd 0 -ioctl" it simply does not appear in Win98 for some reason, unlike the usual ISO mounting method), so this is caused by Dosbox-x not emulating such kind of copy protection scheme, though. @joncampbell123 Is it possible to implement these annoying protection methods as you mentioned above? As far as I can see, until now Dosbox-x doesn't seem to handle this in its own IDE emulation correctly at all.

@DSN9990

DSN9990 commented Feb 9, 2022

As mentioned in the first post, this should be a worthwhile issue to address, though.

@mirh

mirh commented Feb 10, 2022

If you don't have any native way to make ISOs work, then the only path forward seems passthrough from real drives.
I mean, there are probably tons of ways to bust and unpack and tamper the drm (just check gameburnworld & co) but that sounds tangential to the aims of an emulator.

Also.. wouldn't alcohol and daemon work for such games on XP?
In this sense you could just use them for testing.

@shadowcat-1

shadowcat-1 commented Dec 26, 2022

SecuROM 1 - 4.6 does something like this:

- QuerySizeInformationVolume to check for CD drive
Probably looks at 2048 bytesPerSector


- Loops on IOCTL_STORAGE_CHECK_VERIFY to verify drive is ready


- IOCTL_SCSI_PASS_THROUGH to read hardware information
in = 0x2c, out = 0x74

out @ 2ch = ?? 24h bytes
out @ 50h = 05 80 02 02
out @ 58h = name of device


- Reads Sector 16 (PVD) from disc
  Runs checksum and disc check fails if not genuine


- IOCTL_CDROM_READ_TOC
first track, last track - track mode, track # or AA for lead-out, misc, msf

  If track size not genuine, disc check fails
 

- IOCTL_STORAGE_MEDIA_REMOVAL to lock drive


- Reads 1 random CD sector


- IOCTL_SCSI_PASS_THROUGH to reposition disc head ??
in = 28h bytes, out = 00h bytes

in @ 20h = a0 88
in @ 20h = a0 7f
in @ 20h = a0 81
in @ 20h = a0 7f
in @ 20h = a0 81
in @ 20h = a0 7f
in @ 20h = a0 81
..
..
46 times total


- IOCTL_SCSI_PASS_THROUGH to read subchannel data
in = 28h bytes, out = 60h bytes  [same buffer]

out @ 54h = 0c -- 01 14 01 01 00 09 0a 06 00 09 08 06
out @ 54h = 0c -- 01 14 01 01 00 09 09 43 00 09 07 43
out @ 54h = 0c -- 01 14 01 01 00 09 09 31 00 09 07 31
out @ 54h = 0c -- 01 14 01 01 00 09 09 48 00 09 07 48
out @ 54h = 0c -- 01 14 01 01 00 09 09 45 00 09 07 45
out @ 54h = 0c -- 01 14 01 01 00 09 09 2f 00 09 07 2f
out @ 54h = 0c -- 01 14 01 01 00 09 09 4a 00 09 07 4a
out @ 54h = 0c -- 01 14 01 01 00 09 09 43 00 09 07 43
out @ 54h = 0c -- 01 14 01 01 00 09 09 31 00 09 07 31
out @ 54h = 0c -- 01 14 01 01 00 09 09 48 00 09 07 48
..
..
46 times total


Repeat above procedure 3 more times


- IOCTL_STORAGE_MEDIA_REMOVAL to unlock drive


- Runs OEP decrypt based on disc information

SecuROM 4.7 adds topology timing checks, like StarForce 1. I think there's patents on this DPM subject from creators of Daemon Tools
https://patents.google.com/patent/WO2007026297A2
https://patents.google.com/patent/US20070047393

I think there are goofy stuff like Mode2 discs or bad sectors, but the software doesn't care outside of track lengths or tampered discs.

No special tricks other than low-level cdrom commands. Most SecuROM 1 + 2 software have some file sharing mode bug with its NT drivers that will fail reading the SubQ data.
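The sub-channel rows quoted in the comment above can be decoded to see what an emulated drive is being asked to report. This is an added example, not code from the thread or from DOSBox-X; it assumes the 12 bytes after the `0c` length byte follow the MMC READ SUB-CHANNEL current-position layout (format code, ADR/control, track, index, absolute MSF, track-relative MSF), and the names `QPosition`, `parse_row` and `track_starts` are made up for illustration.

```python
from dataclasses import dataclass

FRAMES_PER_SECOND = 75
PREGAP_FRAMES = 150  # LBA 0 is at absolute MSF 00:02:00

# First three "out @ 54h" rows copied from the comment above.
SAMPLES = [
    "0c -- 01 14 01 01 00 09 0a 06 00 09 08 06",
    "0c -- 01 14 01 01 00 09 09 43 00 09 07 43",
    "0c -- 01 14 01 01 00 09 09 31 00 09 07 31",
]

@dataclass
class QPosition:
    adr: int         # 1 = current-position Q data
    control: int     # bit 2 set = data track
    track: int
    index: int
    abs_frames: int  # absolute address in frames from 00:00:00
    rel_frames: int  # address relative to the track start

    @property
    def lba(self) -> int:
        return self.abs_frames - PREGAP_FRAMES

def msf_to_frames(field: bytes) -> int:
    """Convert a 4-byte (reserved, M, S, F) address to a frame count."""
    reserved, minute, second, frame = field
    if reserved or second >= 60 or frame >= FRAMES_PER_SECOND:
        raise ValueError(f"invalid MSF field: {field.hex(' ')}")
    return (minute * 60 + second) * FRAMES_PER_SECOND + frame

def parse_row(row: str) -> QPosition:
    """Parse one 'LL -- data...' row; LL is the sub-channel data length."""
    length_txt, _, data_txt = row.partition("--")
    data = bytes.fromhex(data_txt)
    if int(length_txt, 16) != len(data) or len(data) != 12:
        raise ValueError("length byte does not match a 12-byte position block")
    if data[0] != 0x01:
        raise ValueError("not a current-position block (format code 01h)")
    return QPosition(data[1] >> 4, data[1] & 0x0F, data[2], data[3],
                     msf_to_frames(data[4:8]), msf_to_frames(data[8:12]))

def track_starts(rows) -> set:
    """Absolute frame where the track begins, derived from every sample."""
    return {q.abs_frames - q.rel_frames for q in map(parse_row, rows)}

if __name__ == "__main__":
    for q in map(parse_row, SAMPLES):
        print(q.track, q.index, q.lba, q.rel_frames)
    print("track start frames:", track_starts(SAMPLES))
```

In every sample the absolute and relative addresses differ by exactly 150 frames, so the rows describe positions inside track 1 of a data disc, and an image-backed drive would have to return Q data that stays consistent in this way for each position queried.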
