Technology for hacking defenses based on a key comparison
13-02-2024, 07:37
Ways to bypass protection using a key disk
There are several ways to bypass protection that relies on a key disk. The simplest is to copy the key disk. Recall that most traditional methods are designed so that a standard copier program cannot produce a copy of the key disk. Alongside standard copiers, however, there are special programs that copy a disk "bit for bit", the so-called bitwise copiers. When copying, such programs do not depend on the standard formatting parameters: they check neither the total number and numbering of tracks, nor the number and numbering of sectors on a track, nor any other feature of the disk layout. They simply reproduce one track after another bit by bit, skipping unformatted tracks. Thus every method based on non-standard formatting of the key disk can be "bypassed" with a bitwise copier. Special equipment for analog disk copying is also available today (for example, bitwise-copying boards).
Another way to remove key-disk protection, usable when a bitwise copier fails to produce a working copy of the disk, is to simulate the accesses to the key disk.
The idea is to simulate the key disk itself. A special simulator program is written so that, loaded as a resident program while the protected program runs, it returns the required completion and error codes to the protection's requests by substituting its own handlers for the hardware interrupts.
This method is usually used to remove, for example, protection based on disks with physical damage to the surface. The same kind of modeling bypasses the protection of disks containing pseudo-contiguous clusters: by reading the disk sectors beforehand, one can determine the numbers of the pseudo-contiguous clusters and then write a simulator program that returns the expected sector numbers to the protection mechanism.
Traditional protection mechanisms (we stress that they are mainly used under the DOS operating system) can also be broken with a technique such as copying the program from memory. The technique rests on the fact that DOS "allows" the contents of RAM to be written to disk.
The mechanism of so-called docking protection is easy to implement. It consists of prepending a special module to the protected program; the module performs all the necessary checks and, if the answers match the reference values, transfers control to the main program. Unfortunately, ease of implementation is often the author's main criterion when choosing a protection mechanism, so this type of protection is still widespread. But docking protection is just as easy to remove, for example by copying the program from memory. It is enough to wait until the protection module has finished and transferred control to the main program: at that moment the executable code of the program is already sitting in RAM without any protection. All that remains is to take a memory dump (with a utility that writes the contents of RAM to disk) and extract the code of the now unprotected program from it.
Note that this method of removing protection no longer works against so-called built-in protection. When implementing a built-in protection mechanism, the checks (for example, a key comparison) are performed not once before the program starts, but repeatedly throughout the program's execution.
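To make the difference between the two schemes concrete, here is an added Python illustration (not code from the original post): the key disk is reduced to a reader that answers correctly only for a limited number of reads, and the two program variants are compared on how much of their work they complete once the key can no longer be read. The reference value and all function names are constructed for this illustration.

```python
# Added illustration: "docking" protection (one key comparison before the main
# program starts) versus "built-in" protection (the comparison is repeated as
# the program runs). A key disk that stops answering after N reads models the
# situation after the initial check: a memory image of the docking variant
# taken at that moment needs the key no more than this function does.

KEY_REFERENCE = b"KEYDISK-0001"  # constructed reference value, not from the post


def make_key_reader(present_for_reads: int):
    """Return a reader that yields the correct key for the first N reads only.

    After that it returns None, as if the key disk had been removed.
    """
    reads = {"count": 0}

    def read_key():
        reads["count"] += 1
        return KEY_REFERENCE if reads["count"] <= present_for_reads else None

    return read_key


def key_matches(read_key) -> bool:
    """The key comparison itself: what was read against the reference."""
    return read_key() == KEY_REFERENCE


def run_docking(read_key, steps: int) -> int:
    """Docking scheme: check once, then run the main program unchecked.

    Returns the number of work steps completed.
    """
    if not key_matches(read_key):
        return 0
    done = 0
    for _ in range(steps):
        done += 1  # main program never consults the key again
    return done


def run_built_in(read_key, steps: int) -> int:
    """Built-in scheme: repeat the key comparison before every unit of work.

    Returns the number of work steps completed before a comparison failed.
    """
    done = 0
    for _ in range(steps):
        if not key_matches(read_key):
            break  # key disk no longer readable: stop here
        done += 1
    return done
```

With a key readable for a single access, the docking variant still finishes all of its work, while the built-in variant completes only the first step.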