Laura’s Preschool 2 (Lauras Vorschule 2) – pictures about 800KB

Well… how to start this? This blog entry is about a learning game I bought today with a bunch of other stuff. “Three CDs for 1€!” With CD they meant everything from audio CD to video DVD and PC games as well as PlayStation 2.
Laura_game.JPG

Admittedly it looks like I’m finally a case for the loony bin: An adult playing with a game for preschool children? Time to call an ambulance and get LittleSinchen brought to hospital? Not quite. This entry can be considered a continuation of those two where I have been playing around with non-standard discs:
Another blog about CDs
Better very late then never – SecuRom 4.8 backup on CD-R


Now, again, this is a software for little children. The packaging explicitly states that the user does not even have to be able to read. But the heavy protection makes it seem that kindergarten kids who haven’t learned to read yet (and their parents) are the most piracy-orientated section of the population! Of all the copy protected games I tested in the last few weeks, this one turned out to be the most aggressive of all. If the ProtectDisc driver version 9 finds anything remotely connected to CD emulation software, it wets its virtual pants. Even the infamous StarForce in one of its last iterations (StarForce Keyless, disc from 2009) didn’t get a hysteric panic attack just because Alcohol 120% is present on the system.

This thing does. Not even the original CD works. “Emulator active”. Listen up, DRM makers: There are plenty of legitimate areas of application for CD emulation software. Especially since modern laptops do not even have an optical drive anymore.
Emu.png

"Error on checking the CD or DVD: The disc could not be identified as a valid original. Please insert the original CD or DVD and restart the program.
Emulator active: info…" (clickable link)


In the case of learning software like this, it is doubly unfortunate:
  1. There is really no importance concerning technological advancement with this kind of game. If kids enjoyed this back in 2006, so will four-year-olds in 2021 and 2045. Stuff like this doesn’t get obsolete in a few years. I advise against installing it on modern Windows. If you want, you can search for acedrv09.sys and bluescreen. Hopefully your Windows XP computer is still up and running if you want to use software protected with this.
  2. I guess the chances to find a crack for things like this are as good as the survival chances of a snowman in the middle of Sahara.
But wait, there is more. On one try I got a different error, asking me to start the system without the debugger. I didn’t even have a debugger running. I’m not a developer! I’m not a reverse engineer (sadly, else I would try to crack this &§%$)! What made this piece of sh.. DRM software think I’m using a debugger? Well. I found out eventually. It was Process Explorer (which is set to replace the limited Task Manager). Seriously: The protection module refuses to even start the CD check when Process Explorer is running. They really want to impose their will on the users. They claim the right to dictate which software may be running on the computer of a paying customer. They don’t allow Process Explorer. A perfectly normal tool that should be on any Windows computer.
DBG.png

"Please start the system without debugger"
Whether I want to use Process Explorer is none of your business!



Lastly, the most important question. How did the protection fare? Did the aggressive DRM at least do its job: Stopping piracy or – in my case – lawful backup? No, it didn’t:
  • Remove the ProtectDisc driver version 9
  • Reboot
  • Click on game → Driver gets reinstalled and doesn’t complain about an active emulator… and starts the game with a copy on CD-RW in the drive.
Practical solution? Write a short script that uninstalls the ProtectDisc driver on each shutdown, so the game has to reinstall it. It runs without the legit disc in the drive:
Running_without_legit_disc.JPG

Once again: Dear DRM makers, Mission accomplished!
Piracy protection? → Not really.
Boss around the paying customer, insult them and drive them nuts? → Full 100%


This is one of the few occasions where I would want to additionally blog in German language rather than English only: To make this potentially more visible for the intended audience: German parents. If you are a parent and consider this for your child: I advise against buying it – unless you still have a working Windows XP computer. The game will not run without the CD and I had (so far) no success in trying to hide Alcohol from ProtectDisc. I don’t know if the publisher Tivola regularly used the products from “PROTECT Software” to secure their applications against illegal copies. As you can see in the error messages, the program states "Lauras Vorschule CD1 und CD2". In a short search I've found that disc/part 2 (which I have), will also start disc/part 1 (which I don't have).

Thank goodness I don't have children (it would wreck my nerves with things like this) and thank goodness I only paid 33ct for this.

There is surprisingly little information about "Lauras Stern" on Wikipedia, but I'll leave the link anyway. Use deepl.com for translation if you don't understand German.
https://de.wikipedia.org/wiki/Lauras_Stern



Some interesting Strings with anti-debugger messages
SomeStrings.png


The program didn't output an awful lot of information. Didn't really know what to do with it. There was some anti-debug found.
DetectItEasy_Screenshot.png

Comments

This is a great way to get into RE!
Install a debugger and start to have fun.. nobody still cares about such old software, so there are no "moral" issues here ;)

Oh, I never had the luck to get a ProtectDisc sample, so I'm really interested to read your debugging adventure with it :)
 
@Luca91 Reverse engineering is beyond my capabilities.
ProtectDisc seems rather obscure, but it is actually my second disc with it. The other one is from 2009 using acedrv11.sys (which supposedly fixed the bluescreen problem on newer Windows). The newer version is less aggressive, doesn't care for emulators and happily boots from legit disc, copied disc and emulated drive without any workarounds. No idea if the anti-emulation features were cut in the newer version or if this particular game simply doesn't use it (maybe it cost extra).

@Flofflewoffle I don't care for the artwork here. If DRM starts raising my blood pressure, the nicest pictures in the world will not help me. Playing this "game" is painful anyway.
 
I would be interested in trying to crack it.

Is this considered old enough to be not illegal to share it? You have a legal copy, but can't use it, so pretty sure it's legal in the EU to do reverse engineering in order to adapt it to your own environment to be able to use it.
 
@KleinesSinchen Oh ok. I understand. I'd like to know more about ProtectDisc tho. Is the executable actually packed? Is encryption/decryption involved? Can you try to boot the game from a debugger and see what happens? If no, can you at least share a screenshot of die.exe report?

Thanks :)
 
@Sono I'd rather not risk anything. Uploading stuff is always dangerous, even if one could say it is completely worthless (and it is in this case)
That is the problem with being in contact only online. In real life I would gladly give this CD away.

@Luca91
Please explain a bit more. What should I do? What do you mean with "die.exe report"? Remember that I'm an absolute noob in these things. I downloaded an old free edition of IDA that works on Windows XP. The disassembler complains when opening LaurasVorschule.exe
The imports segment seems to be destroyed. This MAY mean that the file was packed or otherwise modified to make it more difficult to analyze.


Not a big surprise. If I understood this correctly, more or less all of the disc based DRM schemes work like this:
  • Main game.exe is encrypted
  • Only part of the protection module is unencrypted – the part that needs to be started first
  • This thing can do additional checks before the disc check (ProtectDisc does check for debuggers and emulators and maybe even virtual machines)
  • If it is satisfied, it starts searching for the attributes that the genuine CD/DVD has, but a copy shouldn't and decrypts the game only in case of success.
And all of this gets thrown into some kind of obfuscator, self-checks… to make reverse engineering harder.

No idea if "PROTECT Software" is better or worse than competing products. All websites of DRM makers brim over with self-praise of how good their protection is, impossible to crack with a gazillion layers of packing and encryption and checks and…
 
@KleinesSinchen
The disassembler complains when opening LaurasVorschule.exe
Yes, it is packed. You need to unpack it before doing some actual RE.

What do you mean with "die.exe report"?
DIE (also known as Detect It Easy) is a free tool that checks an executable file for any known drm patterns. It can tell you if your exe is packed, the name of the packer used and any additional drm/obfuscator/encryptor used.

If I understood this correctly, more or less all of the disc based DRM schemes work like this:
  • Main game.exe is encrypted
  • Only part of the protection module is unencrypted – the part that needs to be started first
  • This thing can do additional checks before the disc check (ProtectDisc does check for debuggers and emulators and maybe even virtual machines)
  • If it is satisfied, it starts searching for the attributes that the genuine CD/DVD has, but a copy shouldn't and decrypts the game only in case of success.
Yes, more or less this is accurate. I saw many CD based DRM decrypting the main exe using information only present on original disc. I'm not talking about good old cd checks here that can be bypassed by nopping a conditional jump or two, but actual decryption.. so good luck in unpacking it without the original game disc..

I'm interested in oldskool drm software (not in current one) anyway.

EDIT:
Oh, forgot to say: in some situations, once the exe is decrypted and loaded in memory, you can directly dump it (well, you might need to fix the IAT, and so on..)

EDIT 2: an example of a DRM that uses data derived from the CD is the PSX Libcrypt: on burned disc, something is missing, and the checksum will be different. In this case it is possible to just nop/bypass libcrypt check, but it would be easier to dump the actual value from an original disc (stored in COP0 register IIRC) and just patch it by injecting a couple of lines of asm in the executable.

EDIT3:
@Sono I just found a list of protected games here: https://www.gameburnworld.com/protectedgameslist.shtml
you can check "Protect CD" and see if you own any of these games.
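One heuristic behind a "packed" verdict like the one discussed above is byte entropy per PE section: encrypted or compressed data sits close to 8 bits per byte. This is an added example, not part of the original thread and not Detect It Easy's own code. The 7.0 threshold, the section names and the sample image are assumptions constructed for the demonstration.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_data) for every entry of the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(count):
        hdr = table + 40 * i                                     # 40-byte section header
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def scan(image: bytes, threshold: float = 7.0):
    """Return [(section, entropy, looks_packed)]; the threshold is an assumed cut-off."""
    rows = []
    for name, data in pe_sections(image):
        h = entropy(data)
        rows.append((name, round(h, 2), h >= threshold))
    return rows

def constructed_sample() -> bytes:
    """Constructed stand-in for a protected EXE: repetitive stub plus scrambled body."""
    stub = b"\x55\x8b\xec\x90" * 128                          # four byte values only
    body = bytes((i * 197 + 13) % 256 for i in range(512))    # every byte value twice
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    first = 64 + 24 + 2 * 40                                  # raw data follows headers

    def header(name, size, ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0)

    return (dos + coff + header(b".text", 512, first)
            + header(b".body", 512, first + 512) + stub + body)

if __name__ == "__main__":
    for row in scan(constructed_sample()):
        print(row)
```

High entropy only says that a section is compressed or encrypted; naming the packer or protection still needs signature matching.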
 
I have attached the screenshots of Detect It Easy in a spoiler at the end of the blog entry.
Just noticed: This game installed itself by default right into the root of drive C:\


About that list: It is very, very old and doesn't contain games after 2003 or so.
 
About that list: It is very, very old and doesn't contain games after 2003 or so.
Yes, but IMO it is also good to start with previous revision of the same drm to gather knowledge before attempting to study a more recent iteration. But I agree, that list is extremely old.

Yes, but IMO it is also good to start with previous revision of the same drm to gather knowledge before attempting to study a more recent iteration.
Nice, I can see that at least a section is packed. AHAHAH Softice was a ring 0 (extremely powerful) debugger back in the day of W98/ME. About the strings, you could also use them to reference where they are called in the code, to get an idea where the checks are located (for example).

Anyway that's all from my side, without the protected game/disc (or a knowledge of that drm) I can't do much more.
Thanks for the fun!
 
  1. I guess the chances to find a crack for things like this are as good as the survival chances of a snowman in the middle of Sahara.
Doesn't it get quite cold in deserts, at night? As I understand it, deserts get extremely hot during the day, but at night that flips to becoming very chilly.
 
At this point it is hard for me to avoid vulgar words. Rather than a silent update as I do sometimes on blog entries, I will put a comment here with the update.

Executing the following as a batch script on shutdown removes the ProtectDisc driver (version 9) and forces any software using ProtectDisc to reinstall it when started.
Code:
rem Remove the ProtectDisc v9 driver services and the vendor's per-user key
reg delete HKLM\System\CurrentControlSet\Services\acedrv09 /f
reg delete HKLM\System\CurrentControlSet\Services\acehlp09 /f
reg delete "HKEY_CURRENT_USER\Software\Protect Software GmbH" /f

rem Delete the LowerFilters value of the CD/DVD drive class (it lists acehlp09)
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}" /v LowerFilters /f

rem Remove the uninstaller entries, the driver files and the installer folder
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ProtectDisc Driver" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProtectDisc Driver" /f
del C:\WINDOWS\system32\drivers\acedrv09.sys
del C:\WINDOWS\system32\drivers\acehlp09.sys
del "C:\Programme\ProtectDisc Driver Installer\Uninstall.exe"
rd "C:\Programme\ProtectDisc Driver Installer"

The isolated line with "{4D36E965-E325-11CE-BFC1-08002BE10318}" /v LowerFilters /f was the most puzzling of all and it took me a while to find it. LowerFilters contains (the string?) acehlp09 and deleting the rest of the things without removing the LowerFilters thing results in all optical drives being missing after a reboot. The hexadecimal class is CD/DVD drives. I hope this value is the same on other machines. I'm not familiar with Windows and have no real idea what I'm doing here.

This script has the following benefits:
  • The driver isn't loaded at each boot. Why would we want it unless we use a protected program? acedrv09.sys is said to cause random bluescreen errors on newer Windows – even while not playing a protected game (didn't experience this myself – only tried on Windows XP so far and since those errors don't need to happen it could be hard to investigate.)
  • As mentioned in the blog entry: The anti-emulation functions seem to only work fully when the driver is loaded at boot time. It (sadly) detects virtual (Alcohol 120%) drives in any case, but doesn't detect RMPS emulation for CD-R in real drive.
  • Daemon Tools 7.0 (last version supporting XP) should be able to successfully start protected games from virtual IDE drive with this method. I tested a ProtectDisc DVD using acedrv10.sys this morning and had no trouble using an mds/mdf image. In this case I used the official uninstaller+reboot

=================
Why do I have trouble avoiding vulgar words? I have no idea what this protection has been searching for when it decides to say: "Emulator aktiv". I got it even after uninstalling any software remotely connected to CD emulation (+ reboot). I searched the registry and drive C:\ for remnants of those applications, deleted everything I could think of (+ reboot). Still I got with physical drive containing legit disc → "Emulator aktiv"
The anti-emulation of this protection is intrusive, aggressive and throws lots and lots of false positives.

Searching for ProtectDisc and "Emulator aktiv" brings up some old thread on myce (formerly cdfreaks) where people unsuccessfully tried to get around the problem while some stated it worked for them with attaching a virtual drive to a physical one. I can only repeat: It works for me until I reboot with the driver being already installed. The above mini-script allows me to start protected applications with legit discs and with backups.

Maybe these results can be helpful for somebody finding this comment.

If any other software is using "LowerFilters" filter drivers for optical drives this script isn't usable and would have to be adjusted to just remove the acehlp09 part instead of deleting the value. Looks like some burning software uses such drivers.

ProtectDisc? F… off, you piece of sh..!!
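The adjustment described above, removing only the acehlp09 entry so that other filter drivers in LowerFilters survive, as an added example that is not part of the original comment. LowerFilters is a multi-string (REG_MULTI_SZ) value; the function names and the second driver name `otherburnflt` in the usage lines are hypothetical, and the registry part assumes Python on Windows with administrator rights.

```python
# Class GUID as quoted in the comment above (CD/DVD drives). CurrentControlSet is
# used instead of ControlSet001 so that the active control set is the one edited.
CDROM_CLASS = (r"SYSTEM\CurrentControlSet\Control\Class"
               r"\{4D36E965-E325-11CE-BFC1-08002BE10318}")

def plan(current, driver="acehlp09"):
    """Decide how to edit LowerFilters: returns (action, new_list)."""
    if current is None:                          # value does not exist at all
        return "keep", None
    remaining = [f for f in current if f.lower() != driver.lower()]
    if len(remaining) == len(current):           # driver is not listed
        return "keep", remaining
    if remaining:                                # other filter drivers must stay
        return "set", remaining
    return "delete", None                        # nothing left: drop the value

def apply_plan(driver="acehlp09", dry_run=True):
    """Apply plan() to the live registry; with dry_run it only reports the action."""
    import winreg                                # imported late: Windows-only module
    rights = winreg.KEY_QUERY_VALUE | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CDROM_CLASS, 0, rights) as key:
        try:
            current, kind = winreg.QueryValueEx(key, "LowerFilters")
        except FileNotFoundError:
            current, kind = None, winreg.REG_MULTI_SZ
        if kind != winreg.REG_MULTI_SZ:
            raise TypeError("LowerFilters is not a multi-string value")
        action, new = plan(current, driver)
        if not dry_run and action == "set":
            winreg.SetValueEx(key, "LowerFilters", 0, winreg.REG_MULTI_SZ, new)
        elif not dry_run and action == "delete":
            winreg.DeleteValue(key, "LowerFilters")
        return action, new

if __name__ == "__main__":
    # Constructed inputs; "otherburnflt" is a made-up filter driver name.
    print(plan(["acehlp09", "otherburnflt"]))
    print(plan(["acehlp09"]))
```

Run `apply_plan()` first with the default `dry_run=True` and compare the reported list with the current value in regedit before writing anything.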
 

Blog entry information

Author
KleinesSinchen