Disk Nibbling

[msh5150]

Hi everyone - it's my first time on this board...

I've been wondering what exactly "nibble copying" is and how it works.

I'm a coder and know the normal usage of DSKSYNC etc and how NDOS trackloaders work (I've coded a few myself) - but I've been getting more into cracking/copy protection (just for my own amusement - not spreading 'warez') since the CAPS images became more available.

It seems to me the biggest problems are finding the tracksync mark (especially if it's not $4489) and working out how long the track is?  :-o

As long as those problems are solved there is no reason to decode the MFM?

Any help would be great guys...

[Zac67]

msh5150 wrote:

I've been wondering what exactly "nibble copying" is and how it works.

The difference is that you don't use the standard MFM->data de- and encoding but either non at all (see below) or custom routines.

It seems to me the biggest problems are finding the tracksync mark (especially if it's not $4489) and working out how long the track is?  :-o

That's the art of coping with protection schemes. If you can't analyse several 'identical' disks, you're much left to guessing. But the choice of sync words in MFM is limited.

As long as those problems are solved there is no reason to decode the MFM?

If you can't find out the right sync mark, chances are high that you mess up the track (some bits are always lost). Furthermore, if you don't de- and reencode MFM (or whatever is used!) minor read errors will get duplicated, too and add up from generation to generation.
Since Amy's doing channel en/decoding in software, you're not limited to MFM (like on Wintel), but can also do GCR or something completely different! As long as Paula can sync to the data stream there's no limit. ;-)

[Piru]

@Zac67

That's the art of coping with protection schemes. If you can't analyse several 'identical' disks, you're much left to guessing.

Actually you're not. All the custom disk format protected disks must somehow decode the tracks themselves, and thus you can easily find the loader routine: It's normally located either in the bootblock itself, or the blocks loaded by the bootblock. Just save this code instead of executing it, and then disassemble it (by using ReSource or similar tool).

Naturally it takes lot of analysis skills and practice to figure out what the assembly code is doing and why, but in the end you will be able to figure out the disk format. It gets really interesting when the loader code has been obfuscated with some code scrambler, and some decoy code/loaders are inserted to fool the analyser. Also, later some anti-singlestep, anti-breakpoint and anti-resource methods were used aswell.

Often it was race against time: If the game could be sold for few days/weeks without a working crack, it would be making some profit. If the protection was trivial to crack, the illegal copies would seriously hurt the sales.

In a semi-related note: By just talking about these things I'll be commiting a crime in about month when the new finnish copyright law gets in effect.

[Zac67]

That's what I was going to say: this is where it's getting illegal. ;-) I understood the question more like: how do I write a universal copy algorithm and not how do I crack this game...

[SHADES]

@Zac67

I see what you are getting at. You want to preserve the original game and any copy protection but you want to be able to make a copy of it for backup purposes which is not illeagle at all if it is not distrubted.

I can't code so I'm of no hope but ther were some devices made to help do exactly that. PerfectCopy was one such program that had some hardware you plugged in between the disk drive and computer. I think it made it a more direct drive to drive copy or something like that. There were other software programs that used paramater files that told the copy program how the program was recorded to the disk and therfore how to read it and duplicate it. I believe PerfectCopy and some other programs also did this. I still have a copy at home of the programs somewhere, I bought it in Australai as it was an Austrailian product and I did this when I bout a copy of Captain Blood. The disk stopped working and it was an $80 game at the time, I couldn't afford to get another copy so from then on I decided to back up games and only ever play the backup copies and leave the originals safe in a box somewhere.

I wish you good luck making a copy program for these reasons.

[msh5150]

Thanks for your advice guys.  I did a similar post to this one on English Amiga Board and didn't get a single reply  :-(   But then I heard that the more 'techy' users hang out on this board so I tried my luck  :-D

@Zac67
Yes, exactly. I am interested in the mechanics of copying  :-)

I know longtracks can't be written on standard Amy hardware (you'll need a cyclone and some luck for that!). I'm interested in creating something that would copy MFM protected disks... and from your advice that sounds like quite an artform  ;-)

[Zac67]

Well, I guess your experience grows with every protection scheme you analyse. ;-)

Of course there are methods that a standard drive can only read but not write, like long tracks (=slightly higher bit rate) or weak bits (=bits that may be read as 0 or 1 by chance), but fortunately these were expensive to produce and therefore quite rare. :-P

It's a shame there isn't a good Wikipedia article on MFM or floppy disk formats (little technical detail for my taste), but there's probably plenty resources around this topic on the net somewhere.

[Ferry]

In a semi-related note: By just talking about these things I'll be commiting a crime in about month when the new finnish copyright law gets in effect.

Wow!! Is it restricted to national Finnish forums or will Finnish police prosecute nationals on international forums, if they can prove he/she's a Finnish national? OMG, I could even understand the part about coding tools for circunventing copy protections, but talking about it??!??!!! Unbeliable, this starts to look like "1984"... :¬/

Saluditos,

Ferrán.

[MarkAshley]

Hello

This may be a little off topic as I don't fully understand what you're all talking about :-) Sorry if this is a stupid question but it is something I have always wondered:

I don't understand why disk copy protection works. I understand that the disk may use a custom bootblock, custom loader, custom format etc. But at the lowest level, the data on that disk is still made up of 1s and 0s, right? So surely if the exact same pattern of 1s and 0s is duplicated on another disk, the bootblock, loader, disk format etc would all be preserved? So why does the copy protection have to be cracked before the disk can be copied?

[Piru]

@MarkAshley

I don't understand why disk copy protection works. I understand that the disk may use a custom bootblock, custom loader, custom format etc. But at the lowest level, the data on that disk is still made up of 1s and 0s, right?

Correct so far.

So surely if the exact same pattern of 1s and 0s is duplicated on another disk, the bootblock, loader, disk format etc would all be preserved?

Sure, if it was possible, but it isn't. You can't make bit exact copy of a disk with normal computers at least. Something like Catweasel might allow it, but in worst cases you need some really expensive hardware for this.

So why does the copy protection have to be cracked before the disk can be copied?

See above.

[msh5150]

@MarkAshley

>"So surely if the exact same pattern of 1s and 0s is duplicated on another disk"...

But that's the tricky part.  Let's take a typical Amiga disk protection - the "longtrack".

A longtrack has slightly more data on the disk than can be written by a normal Amiga drive. This is achieved by using some special hardware copier (or a modded Amiga). It works by slowing the drive spin-speed down a little (15% or so)- this has the effect of making the disk slightly higher 'density' if you like.  This disk track will now contain more data than a standard track. Hence why it's called a 'longtrack'.

Now, the Amiga disk controller is quite good natured and will read this longtrack no problem. But as the Amiga cannot control the disk spin speed it is unable to WRITE an identical copy.

The protection code on the disk will be able to tell this isn't the original track - ie. GAME OVER  :-)

That is why the game needs to be cracked - to stop the game realising it's not an original disk  :-D

[zipper]

Or use a hardware dongle assisted copier like Syncro Express I had. It tries to synchronize both drives to make a 1:1 copy and did also - with not quite identically running drives it could take a long time. It advertized to make a copy in 15 mins, but with my drives it could take one hour in worst circumstances. But it copied everything I threw into it - at least superficially working copies.

[jkirk]

or the backup buddy from the makers of maverick that worked in tandem with said software. it had an adjustment screw to adjust speed to allow copies of protected disks.

[msh5150]

Hardware copiers didn't produce 'perfect' copies.  They might have been good enough to fool the protection code, but the aren't usually identical.

CAPS (SPS) have an artical about it here:
http://www.softpres.org/?id=glossary:hardware_copier

It appears that they copy the data in a more analog way and so degrade with each generation.