Question about WINE and adding the "low-level" CD access APIs...

Mike Hearn m.hearn at signal.qinetiq.com
Mon Jul 14 08:37:04 CDT 2003


> I don't know much about SecureRom other than that some Blizzard games use it. 
> (and others)

OK, so I got a bit bored at work and did some research :)

SecuRom looks like a very advanced kind of protection technology but
thankfully one that shouldn't be very hard to emulate in Wine. Most of
the information out there on it is obviously related to cracking it, or
removing it from games. However, I did find one article that showed in
detail how it was reverse engineered.

So, how does this thing work? Well, basically Sony have a special
(patented) technique used at the CD factory. They somehow encode a
digital signature or key into the CDs in a way that normal CD copiers
cannot duplicate. That prevents nasty pirates from copying the CD. 

When the game is run, it reads the CD to get this encryption key, then
uses it to decrypt parts of the game. Pretty similar to SafeDisc in
fact.

The hard part of these systems for poor old Wine is always the
anti-reverse-engineering traps they put in. For instance, with SafeDisc
they loaded a kernel driver to try and prevent people attaching
debuggers.

Well, it seems that luckily SecuRom doesn't do this. To read the CD, it
doesn't even try to control the CD drivers; instead it interrupts down
into MSCDEX:

        I spare you the effort of finding how the program accesses the
        cdrom: it uses INT 31 with AH=03 (DPMI 0.9+ - SIMULATE REAL MODE
        INTERRUPT) to call MSCDEX interrupt.
        
Wine already has some DOS emulation in it, so I think that wouldn't be
too hard to do; maybe it already works.

Exactly how it retrieves the key from the CD is something of a mystery;
however, other articles I found refer to performing various analyses upon
the disk and getting graphs etc. out of it, so presumably it is a bit
like steganography. Luckily I don't think we care about that.

The rest of this article, which you can find here:
http://216.239.39.104/search?q=cache:vauzwpy1P9AJ:www.woodmann.com/fravia/securom1.htm+securom&hl=en&ie=UTF-8

is mostly about how to remove the protection. Although SecuRom is very
complex, like I said, mostly it's there to stop reverse engineering. One
technique it uses is to replace every call instruction in the code with
a call to a jump table. It unwinds the stack to figure out where it was
called from, then rewrites that part of the code before actually
performing the call. It's a bit like the ELF PLT.

I believe either current or future versions use something called
"Metamorphosis" which dynamically rewrites and shuffles the code;
basically it's a code obfuscator, and it might even do it at runtime! The
idea is to stop you disassembling the code (obviously).

So, there we go. I expect it would not be all that hard to make Wine
work with SecuRom at least; you just need to make the mapping between
MSCDEX and the Linux low-level CD routines.

Unfortunately SafeDisc is a lot more popular, it seems. 

-- 
Mike Hearn <m.hearn at signal.qinetiq.com>
QinetiQ - Malvern Technology Center
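Added example, not code from the original post or from Wine itself: a toy C model of the path described above, a DPMI function 0300h request simulating INT 2Fh, dispatched to an emulated MSCDEX "absolute disk read" (AX=1508h, ES:BX buffer, CX drive, SI:DI start sector, DX count) and served from a host-side sector read, which is the MSCDEX-to-Linux mapping the post says Wine would need. The register block is the DPMI 0.9 real-mode call structure. The disc contents, the drive number, the one-megabyte real-mode memory array and the error codes used for out-of-range reads are constructed assumptions, and the host read is a memcpy standing in for whatever Linux CD-ROM call (a CDROMREADRAW ioctl or a pread on the device) Wine would actually issue.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE   2048
#define DISC_SECTORS  4            /* constructed 4-sector "disc" (assumption) */
#define DOS_MEM_SIZE  (1u << 20)   /* 1 MiB of emulated real-mode memory */
#define CD_DRIVE      3            /* D: in MSCDEX numbering, 0 = A: (assumption) */
#define CF            0x0001

/* DPMI 0.9 real-mode call structure handed to INT 31h, AX=0300h in ES:EDI. */
typedef struct __attribute__((packed)) {
    uint32_t edi, esi, ebp, reserved, ebx, edx, ecx, eax;
    uint16_t flags, es, ds, fs, gs, ip, cs, sp, ss;
} rmcs_t;

static uint8_t dos_mem[DOS_MEM_SIZE];
static uint8_t disc_image[DISC_SECTORS * SECTOR_SIZE];

/* Constructed disc contents: sector n is filled with the byte 'A' + n. */
static void build_test_disc(void)
{
    static int built;
    if (built) return;
    for (int s = 0; s < DISC_SECTORS; s++)
        memset(disc_image + (size_t)s * SECTOR_SIZE, 'A' + s, SECTOR_SIZE);
    built = 1;
}

/* Host-side read: in Wine this is where the Linux CD-ROM call would go;
 * here it copies from the constructed image.  0 = ok, -1 = out of range. */
static int host_read_sectors(uint32_t lba, uint16_t count, uint8_t *dst)
{
    build_test_disc();
    if (lba >= DISC_SECTORS || count > DISC_SECTORS - lba) return -1;
    memcpy(dst, disc_image + (size_t)lba * SECTOR_SIZE, (size_t)count * SECTOR_SIZE);
    return 0;
}

static void set_ax(rmcs_t *r, uint16_t v) { r->eax = (r->eax & 0xFFFF0000u) | v; }
static void set_bx(rmcs_t *r, uint16_t v) { r->ebx = (r->ebx & 0xFFFF0000u) | v; }
static void set_cx(rmcs_t *r, uint16_t v) { r->ecx = (r->ecx & 0xFFFF0000u) | v; }

/* Report failure the MSCDEX way: CF set, AL = DOS error code. */
static int fail(rmcs_t *r, uint8_t code)
{
    r->flags |= CF;
    r->eax = (r->eax & 0xFFFFFF00u) | code;
    return 0;
}

/* INT 2Fh, AH=15h (MSCDEX).  0 = handled, -1 = function this toy does not
 * model (a real multiplex handler would chain to the next one). */
static int mscdex_int2f(rmcs_t *r)
{
    switch (r->eax & 0xFFFF) {
    case 0x1500:                        /* number of CD-ROM drive letters */
        set_bx(r, 1);                   /* BX = drive count */
        set_cx(r, CD_DRIVE);            /* CX = first drive number */
        return 0;
    case 0x150B:                        /* drive check */
        set_bx(r, 0xADAD);              /* BX = ADADh: MSCDEX installed */
        set_ax(r, (r->ecx & 0xFFFF) == CD_DRIVE);  /* AX != 0: is a CD-ROM */
        return 0;
    case 0x1508: {                      /* absolute disk read */
        uint16_t drive = r->ecx & 0xFFFF;
        uint32_t lba   = ((r->esi & 0xFFFF) << 16) | (r->edi & 0xFFFF); /* SI:DI */
        uint16_t count = r->edx & 0xFFFF;                               /* DX */
        uint32_t lin   = (uint32_t)r->es * 16 + (r->ebx & 0xFFFF);      /* ES:BX */
        if (drive != CD_DRIVE) return fail(r, 0x0F);          /* invalid drive */
        if (lin + (uint32_t)count * SECTOR_SIZE > DOS_MEM_SIZE ||
            host_read_sectors(lba, count, dos_mem + lin) != 0)
            return fail(r, 0x15);   /* "drive not ready": this toy's generic failure */
        r->flags &= ~CF;
        return 0;
    }
    default:
        return -1;
    }
}

/* DPMI function 0300h: BL = interrupt number, ES:EDI -> rmcs.  Only INT 2Fh
 * is routed in this toy.  0 = simulated interrupt handled. */
int dpmi_simulate_real_mode_int(uint8_t intno, rmcs_t *r)
{
    if (intno != 0x2F) return -1;
    r->flags &= ~CF;                    /* flags are loaded from the structure */
    return mscdex_int2f(r);
}

/* Issue an MSCDEX absolute read the way the game would.  Returns 0 on
 * success, the AL error code on failure, -1 if the call was not handled. */
int demo_absolute_read(uint16_t drive, uint32_t lba, uint16_t count,
                       uint16_t es, uint16_t bx)
{
    rmcs_t r; memset(&r, 0, sizeof r);
    r.eax = 0x1508; r.ecx = drive; r.esi = lba >> 16; r.edi = lba & 0xFFFF;
    r.edx = count;  r.es = es;      r.ebx = bx;
    if (dpmi_simulate_real_mode_int(0x2F, &r) != 0) return -1;
    return (r.flags & CF) ? (int)(r.eax & 0xFF) : 0;
}

int demo_drive_count(void)              /* BX returned by AX=1500h */
{
    rmcs_t r; memset(&r, 0, sizeof r);
    r.eax = 0x1500;
    if (dpmi_simulate_real_mode_int(0x2F, &r) != 0) return -1;
    return (int)(r.ebx & 0xFFFF);
}

/* Peek at what landed in emulated real-mode memory at ES:BX + off. */
int dos_mem_byte(uint16_t es, uint16_t bx, uint32_t off)
{
    return dos_mem[(uint32_t)es * 16 + bx + off];
}
```

The point of the split is the one the post makes: everything above host_read_sectors is register shuffling that the DOS emulation already has to do for any real-mode interrupt, and only that one function needs to know about the Linux device. Reading two sectors starting at LBA 1 into 1000:0000 leaves 'B' at the start of the buffer and 'C' 2048 bytes further on; a read past the end of the image, a wrong drive number, or a buffer that would run off the end of conventional memory comes back with CF set and an error code in AL instead.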
