Cracking SafeDisc: how 2002's copy protection actually worked

The box in the closet

I found a box of PC games at a garage sale last month. SimCity 4, Need for Speed Underground, The Sims — the entire Electronic Arts 2002-2005 catalog, basically. $15 for the whole box.

Brought them home, popped SimCity 4 into my optical drive (yes, I still have one), installed it. Double-clicked the executable.

Nothing.

Not a crash. Not an error dialog. Just... nothing. The process would spawn, live for about 200ms, and die. No logs, no dump.

So naturally I had to figure out why.

What killed these games

The answer is SafeDisc, a copy protection system developed by Macrovision (later Rovi Corporation). It was the industry standard DRM for PC games from roughly 1998 to 2006. EA, Activision, Ubisoft — everyone used it.

The core idea is elegant in a brutal sort of way: SafeDisc exploits physical properties of pressed CD-ROMs that consumer CD-R burners can't replicate.

When a factory presses a retail disc, SafeDisc introduces weak sectors — areas where the data is intentionally degraded. A real pressed disc reads these sectors with specific, predictable error patterns. A burned copy either reads them cleanly (wrong) or fails entirely (also wrong). The DRM checks for that exact signature of controlled imperfection.

The three layers

SafeDisc doesn't just check the disc once. It's a layered system:

Layer 1 — The digital signature. The game executable is wrapped in a SafeDisc stub. Before any game code runs, this stub verifies a digital signature embedded in the .icd and .016 files that ship alongside the executable. If the signature check fails, the process exits immediately. This is what was killing my SimCity 4.

Layer 2 — The weak sector check. If the signature passes, SafeDisc reads specific sectors from the disc and analyzes the error patterns. It's looking for that fingerprint of controlled degradation that only a factory-pressed disc can produce. This is the part where your CD-ROM drive would make those distinctive clicking and grinding sounds — it was deliberately reading damaged sectors over and over.

Layer 3 — The kernel driver. SafeDisc installs secdrv.sys, a kernel-mode driver on Windows, which handles the low-level disc authentication. The driver communicates directly with the CD-ROM drive's firmware, bypassing Windows' normal I/O abstraction layer. This is also why these games don't work on modern Windows — Microsoft disabled secdrv.sys in Windows 10 because a kernel driver from 2003 with ring-0 access is, as it turns out, a massive security liability.

Into IDA

I loaded the SimCity 4 executable into IDA Pro to see what was happening. The entry point was immediately suspicious — instead of jumping to the game's WinMain, it redirected to a SafeDisc initialization routine at the top of the .stxt section.

The routine follows a predictable pattern:

  1. Decrypt the real entry point (XOR with a rolling key derived from the digital signature)
  2. Check for debugger presence (calling IsDebuggerPresent and timing-based checks)
  3. Load secdrv.sys and establish a communication channel via DeviceIoControl
  4. Issue the disc authentication request through the driver
  5. If everything passes, decrypt the game code and jump to the real entry point

The anti-debugging was interesting but basic by modern standards. The timing check measures the gap between two rdtsc instructions — if you're single-stepping through the code in a debugger, the delta is orders of magnitude too large. Easy to patch: just NOP out the conditional jump after the comparison.
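To make the timing check concrete, here is an added example (written for this explanation, not code recovered from SafeDisc). It reads the counter before and after a short region and flags the run when even the fastest of several samples is over a limit, so a single scheduler preemption doesn't look like a debugger. The threshold, sample count, function names and the busy-wait that stands in for single-stepping are all assumptions.

```c
/* Added illustration of an rdtsc-delta check; not SafeDisc's actual code. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t ticks(void) { return __rdtsc(); }  /* CPU timestamp counter */
#else
/* Assumption: non-x86 build, so a nanosecond clock stands in for rdtsc. */
static uint64_t ticks(void) {
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif
#define THRESHOLD 10000000ull  /* constructed limit, in ticks */
#define SAMPLES   5            /* constructed sample count */
typedef void (*region_fn)(void);

/* The timed region: a few instructions, far under the limit when run freely. */
void guarded_region(void) {
    volatile int x = 0;
    for (int i = 0; i < 16; i++) x += i;
}

/* Stand-in for single-stepping: stall inside the region for 5x the limit. */
void stepped_region(void) {
    uint64_t start = ticks();
    while (ticks() - start < 5 * THRESHOLD) { }
}

/* Smallest delta over several runs, so one preempted run raises no alarm. */
uint64_t min_delta(region_fn region) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < SAMPLES; i++) {
        uint64_t t0 = ticks();
        region();
        uint64_t dt = ticks() - t0;
        if (dt < best) best = dt;
    }
    return best;
}

int looks_debugged(region_fn region) { return min_delta(region) > THRESHOLD; }

int main(void) {
    printf("free run: %d, stepped run: %d\n", looks_debugged(guarded_region), looks_debugged(stepped_region));
    return 0;
}
```

A check that compares a single delta against a tight limit misfires under a hypervisor or heavy load, which is why this version takes the minimum of several samples.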

The bypass

Knowing the structure, the fix was straightforward. The core authentication lives in a single function that returns a boolean. In the original binary, the flow looks like this:

call    SafeDisc_Authenticate
test    eax, eax
jz      exit_process        ; authentication failed
; ... continue to game init

The fix:

mov     eax, 1              ; 5 bytes, overwrites the 5-byte call; always succeed
test    eax, eax            ; unchanged: eax is nonzero, so ZF is clear
jz      exit_process        ; never taken

Five bytes patched. That's it. SimCity 4 boots.

But I wanted to understand why it was failing in the first place, beyond just "Windows 10 removed the driver." So I dug deeper.

Why it actually fails

The immediate cause is that secdrv.sys no longer loads. But even if you manually load the driver (which you can, with some effort), the authentication still fails on modern systems. Here's why:

Modern optical drives handle error correction differently. The firmware in a 2003 CD-ROM drive would faithfully report the raw error patterns from weak sectors. Modern drives, especially USB ones, aggressively correct errors before the OS ever sees them. The controlled degradation that SafeDisc relies on gets silently fixed by the drive's own ECC pipeline.

So even with the driver running, the weak sector fingerprint doesn't match. The disc is real, but the drive is too good at its job.

There's a certain poetry to that. The DRM was designed around hardware limitations that no longer exist. The copy protection didn't get cracked by pirates — it got obsoleted by progress.

Reflections

SafeDisc was clever engineering solving a problem that didn't have a good solution. Physical media DRM is inherently a losing game because you're trying to make something readable but not copyable, which is a contradiction.

The industry moved on to online activation, then always-online, then streaming. Each generation trades a different kind of user freedom for a different kind of publisher control.

But there's something I respect about SafeDisc's approach. It was an analog solution in a digital world — using the physical properties of the medium itself as the lock. No servers to shut down, no accounts to manage. Just physics.

Of course, it also means that in 2026, a box of perfectly legal games is effectively bricked. So maybe the physics approach wasn't perfect either.

SimCity 4 runs great now, though.