Post Ax4kuimsym40Chz0FM by StompyRobot@mastodon.gamedev.place
Post #Ax4RLbwuVupljNDUBs by foone@digipres.club
2025-08-11T20:01:15Z
0 likes, 0 repeats
oh hello copy protection, fancy meeting you here
Post #Ax4RTljc10qwOet0iG by foone@digipres.club
2025-08-11T20:02:49Z
0 likes, 0 repeats
@49016 NOT THAT MFM
Post #Ax4SLXagomiiASLxgG by foone@digipres.club
2025-08-11T20:12:43Z
0 likes, 0 repeats
oh hey that's fun. this game has two layers of copy protection! if I hack the "check weird sector" code to always return 0 (for found-it), it tells me "Diskette/version out of phase"
Post #Ax4SdG9OOotLI32BDE by foone@digipres.club
2025-08-11T20:15:57Z
0 likes, 0 repeats
they call the copy protection on two different sectors, and throw the out-of-phase error if they give the same result, I think
Post #Ax4SgGiElZHXtyldLc by foone@digipres.club
2025-08-11T20:16:23Z
0 likes, 0 repeats
so you can't just overwrite check_copyprotection_sector with ret 0
Post #Ax4SsOvM3sbGqQgjCK by foone@digipres.club
2025-08-11T20:18:36Z
0 likes, 0 repeats
oh god they overwrite the DOS interrupt 1E in the middle, to make DOS think it's a different kind of floppy disk.
Post #Ax4SwMLjZkHA1BukpU by foone@digipres.club
2025-08-11T20:18:44Z
0 likes, 0 repeats
@psiie Rogue
Post #Ax4cMOF046En07FfXc by foone@digipres.club
2025-08-11T22:04:55Z
0 likes, 0 repeats
okay I now know HOW to crack the game, I just gotta write the x86 assembly.
Post #Ax4cQ90AfLoutb6cHA by foone@digipres.club
2025-08-11T22:05:25Z
1 like, 0 repeats
normal people don't do this. normal people don't write 16bit DOS assembly in 2025.
Post #Ax4cz5bHIwVATv7ppY by vfig@mastodon.gamedev.place
2025-08-11T22:11:54Z
0 likes, 0 repeats
@foone seems perfectly normal to me. it's only a few weeks ago that i was writing some 16 bit assembly in debug.com so i could call absolute it from qbasic.com
Post #Ax4d4XlE23IBGeNYGG by Legit_Spaghetti@mastodo.neoliber.al
2025-08-11T22:12:49Z
1 like, 0 repeats
@foone "Normal" went out the window a long time ago around here.
Post #Ax4d8edaPFhLknlYG0 by foone@digipres.club
2025-08-11T22:13:20Z
0 likes, 0 repeats
I have 37 bytes. this won't be hard
Post #Ax4dfivtSQPsdE67P6 by petherfile@beige.party
2025-08-11T22:19:36Z
0 likes, 0 repeats
@foone don't be normal. Totally overrated.
Post #Ax4dj9zTJWq7Q0PU3M by philpem@digipres.club
2025-08-11T22:20:08Z
0 likes, 0 repeats
@foone Fun people on the other hand...
Post #Ax4eVKniQNG6qWslvc by foone@digipres.club
2025-08-11T22:28:54Z
0 likes, 0 repeats
and... it doesn't work. Tertiary copy protection?
Post #Ax4eZpVcC7YbFBYkwy by foone@digipres.club
2025-08-11T22:29:42Z
0 likes, 0 repeats
I think they might be depending on the value of the weird sector elsewhere. like they're loading it SOMEWHERE, maybe they overwrite some code?
Post #Ax4f7IPfkajSRdjoGm by f4grx@chaos.social
2025-08-11T22:35:35Z
0 likes, 0 repeats
@foone why
Post #Ax4fTqvE7ydjqLFkXo by NuclearOatmeal@beige.party
2025-08-11T22:39:48Z
0 likes, 0 repeats
@foone Security via obscurity is a _type_ of security.
Post #Ax4fX36PIXEOUM0TSa by Sentry23@infosec.exchange
2025-08-11T22:40:11Z
0 likes, 0 repeats
@foone Reminds me so much of old 68k protections on late ST games. Yay, it works. Wait, why can't I control anything on level 2...
Post #Ax4fn8pvkJ2suFyPKq by kawa@mas.to
2025-08-11T22:43:23Z
0 likes, 0 repeats
@foone True. Last time I wrote 16 bit DOS assembly was last year. It was to detect sound cards.
Post #Ax4gctOaOsu84irNjc by foone@digipres.club
2025-08-11T22:52:47Z
0 likes, 0 repeats
I need a comparative DOS CPU tracer. Like, load two copies of the same EXE, and run until the execution diverges
Post #Ax4hMlGQxuEqB0v1sG by _thegeoff@mastodon.social
2025-08-11T23:00:58Z
0 likes, 0 repeats
@foone Cosmic ray detection?
Post #Ax4hamZctQw2IBa7w8 by avatastic@avatastic.uk
2025-08-11T23:03:24Z
0 likes, 0 repeats
@foone well that's significantly more complex than my cracking of X-Wing (or was it Tie Fighter?) by using XTree Gold's hex viewer to search for known copy protection keywords, and replacing them all with 'cheese'.** It probably wasn't cheese, but that'd be what it would be if I did this in 2025.
Post #Ax4kuimsym40Chz0FM by StompyRobot@mastodon.gamedev.place
2025-08-11T23:40:38Z
0 likes, 0 repeats
@foone actually that would be pretty rad!
Post #Ax4lm24tzJFRNepYg4 by bloognoo@retro.pizza
2025-08-11T23:50:23Z
0 likes, 0 repeats
@foone sync function stepping between two DOS boxes and xor the output?
Post #Ax4lrlIfHUBx5903uq by DenJohn@mas.to
2025-08-11T23:51:25Z
1 like, 0 repeats
@foone Your reference point for normal people seems to have become like https://xkcd.com/2501/
Post #Ax4mkCIL8CIWRTnxTc by foone@digipres.club
2025-08-12T00:01:10Z
0 likes, 0 repeats
@Sentry23 THEY CHECKSUM THE FIRST 16KB OF EXECUTABLE RAM?
Post #Ax4mqBgGKMsKH6qnlw by foone@digipres.club
2025-08-12T00:01:24Z
0 likes, 0 repeats
THEY CHECKSUM THE FIRST 16KB OF EXECUTABLE RAM?
Post #Ax4nAPANtgTrtNa3BQ by foone@digipres.club
2025-08-12T00:06:04Z
0 likes, 0 repeats
I patched the EXE to have the right value, but then they checksum it, and now the value is wrong!
Post #Ax4nDQs80paG3CU7pQ by foone@digipres.club
2025-08-12T00:06:11Z
1 like, 0 repeats
insert pop-team-epic "you are motherfucker" here
Post #Ax4nJicKwsgQpA61MO by foone@digipres.club
2025-08-12T00:07:32Z
0 likes, 0 repeats
they checksum memory MORE THAN ONCE!?
Post #Ax4nZIc3OuRAo1OR28 by jpm@aus.social
2025-08-12T00:10:25Z
0 likes, 0 repeats
@foone they were VERY serious about their anti-piracy and anti-cheat measures.
Post #Ax4nd3ASlboO3vHBsO by mmu_man@m.g3l.org
2025-08-12T00:10:28Z
0 likes, 0 repeats
@foone 🎶 Too many sums, too many sums… Too many sums, too many sums…
Post #Ax4nhyO9xkzegj1w4O by foone@digipres.club
2025-08-12T00:12:08Z
0 likes, 0 repeats
I patched out the checksumming and I think I've got it.
Post #Ax4nsfjheXAY1XD0CG by womble@infosec.exchange
2025-08-12T00:14:02Z
0 likes, 0 repeats
@foone I am behind seven checksums, I am uncrackable.
Post #Ax4orvNM7TzyC3xmeu by foone@digipres.club
2025-08-12T00:25:07Z
0 likes, 0 repeats
okay, so, the copy protection:
1. It checks for a sector that should not exist: Track 38, sector 113. It's on a single-sided double density floppy (160kb), so there's supposed to be 8 sectors per track. But as we saw in this post: https://digipres.club/@foone/115011910054706753 this disk DOES have a sector 113.
Post #Ax4oyXoU7fJX8voEro by RandamuMaki@mstdn.social
2025-08-12T00:26:15Z
0 likes, 0 repeats
@foone They probably studied at the California Institute of the Arts: https://en.wikipedia.org/wiki/A113
Post #Ax4p9UgU63MeckHwAK by foone@digipres.club
2025-08-12T00:28:18Z
0 likes, 0 repeats
so step one to bypassing the copy protection is hack that function to return "yes the sector exists". EXCEPT THAT WON'T WORK. For two reasons. The first I'll get to later. The second is that the actual value of that sector matters, it gets read into memory and the bytes at 0x7-0x8 are checked later. so I make sure those 2 bytes in memory are set. Easy!
Post #Ax4pv6Yl5vD9hdNRxo by foone@digipres.club
2025-08-12T00:36:51Z
0 likes, 0 repeats
the next phase of copy protection checks another sector: track 39, sector #25. Another sector that doesn't exist, but it does, and it's 128 bytes long, and... they're doing evil things to DOS to make this readable. They switch the DOS format in memory, reset the disk IO system, and try to successfully read a 128byte sector. Somehow, apparently, this works?
Post #Ax4pzPCJjyuIfLvnYO by foone@digipres.club
2025-08-12T00:37:36Z
0 likes, 0 repeats
Here's what track 39 looks like.
Post #Ax4qaf7vTlxKmfduPw by foone@digipres.club
2025-08-12T00:44:22Z
0 likes, 0 repeats
I think there's another layer of protection that I bypassed on accident
Post #Ax4rXdgkTE8rPO3LH6 by Dianora@ottawa.place
2025-08-12T00:54:58Z
0 likes, 0 repeats
@foone I remember writing a TSR for an ATARI that would intercept the disk I/O calls to fake the right data returned. 128 byte sector eh? oh boy.
Post #Ax4vjivVDm8WwfyJU0 by foone@digipres.club
2025-08-12T01:41:59Z
0 likes, 0 repeats
trying to figure out this possible third layer of protection before I continue.
today's scores - emulators crashed:
1. DOSBOX: 2 times
2. MartyPC: 1 time
3. 86Box: 0 times
Post #Ax4wEBRhkdiC5HYgnQ by foone@digipres.club
2025-08-12T01:47:31Z
0 likes, 0 repeats
okay, tracked it down: it's just coming from the same sector 113 as loaded in step one. Anyway, if this isn't loaded properly, we'll trigger a "Diskette/Version out of phase" error. I fix this by just never checking if it's loaded: I NOP'd that part out
Post #Ax4wHDiXlIt5zwsn8y by foone@digipres.club
2025-08-12T01:48:02Z
0 likes, 0 repeats
but if you apply these two patches, it'll STILL not work! But it won't work silently. It'll pretend to work.
Post #Ax4wUVlBzUc3imSXfk by foone@digipres.club
2025-08-12T01:50:29Z
0 likes, 0 repeats
But at the end of the game, it'll change your tombstone, and not save your score: It'll call you "Software Pirate" and say you were killed by the "Copy Protection Mafia"
Post #Ax4wcExqK0LTwj3uOO by foone@digipres.club
2025-08-12T01:51:48Z
0 likes, 0 repeats
that's because the checksum failed. it checksums the code segment, starting at 1000:0082 and going to 1000:4082 (16 kilobytes)
Post #Ax4wvZWg662bDgZe0u by foone@digipres.club
2025-08-12T01:55:16Z
0 likes, 0 repeats
fun fact: this code is self modifying! not for copy-protection reasons, but for generic-interrupt reasons. x86 doesn't have an INT r8 instruction, only INT imm8. So to generically call an interrupt, you have to either:
1. do a lookup to a bunch of INT 00h, INT 01h, INT 02h, INT 03h instructions, OR...
2. just rewrite your own code at runtime. overwrite the second byte of the "INT 00" instruction and bam, dynamic interrupts
Post #Ax4wym1M6AECqARwJs by foone@digipres.club
2025-08-12T01:56:01Z
0 likes, 0 repeats
but luckily for everyone, the call_interrupt function is at 1000:e3b6 so it's outside the checksummed 16kb
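The 16 KB window checksum and the self-modifying INT trick from the posts above, as an added example (not foone's code and nothing from Rogue itself): a Python model of one code segment. The window 0x0082..0x4082 and the call_interrupt offset 0xe3b6 come from the thread; the checksum algorithm (a wrapping 16-bit word sum), the filler bytes and the in-window patch offset 0x1000 are assumptions. It shows why rewriting the INT imm8 at runtime leaves the checksum intact while any patch inside the window trips it, and why checking more than once also catches patches applied after the first pass.

```python
# Added example: a model of the integrity check described in the thread.
# Offsets 0x0082..0x4082 and 0xE3B6 are from the posts; the checksum
# algorithm, filler bytes and the patch at 0x1000 are assumptions.
CS_SIZE = 0x10000                    # one 64 KiB code segment as a bytearray
CHK_START, CHK_END = 0x0082, 0x4082  # checksummed window: 0x4000 bytes = 16 KiB
CALL_INT_OFS = 0xE3B6                # call_interrupt stub lives outside the window


def checksum16(seg: bytes, start: int = CHK_START, end: int = CHK_END) -> int:
    """Assumed algorithm: little-endian 16-bit word sum, wrapping at 0xFFFF."""
    total = 0
    for i in range(start, end, 2):
        total = (total + int.from_bytes(seg[i:i + 2], "little")) & 0xFFFF
    return total


def build_segment() -> bytearray:
    """Constructed code image: deterministic filler plus an 'INT 00h' (CD 00) stub."""
    seg = bytearray(i & 0xFF for i in range(CS_SIZE))
    seg[CALL_INT_OFS:CALL_INT_OFS + 2] = b"\xCD\x00"  # INT imm8, imm8 patched later
    return seg


def call_interrupt(seg: bytearray, vector: int) -> None:
    """The generic-interrupt trick: overwrite the imm8 byte of the INT instruction."""
    if seg[CALL_INT_OFS] != 0xCD:
        raise ValueError("no INT opcode at call_interrupt")
    seg[CALL_INT_OFS + 1] = vector & 0xFF


def integrity_ok(seg: bytes, expected: int) -> bool:
    """One pass of the check; the game runs this more than once during play."""
    return checksum16(seg) == expected


def demo() -> tuple:
    seg = build_segment()
    expected = checksum16(seg)        # the 'correct' value baked in at build time
    call_interrupt(seg, 0x21)         # dynamic INT 21h: self-modification outside window
    outside_ok = integrity_ok(seg, expected)
    first_pass = integrity_ok(seg, expected)          # passes before any in-window patch
    seg[0x1000:0x1002] = b"\x31\xC0"  # hypothetical in-window patch (xor ax,ax)
    second_pass = integrity_ok(seg, expected)         # a later pass catches it
    return outside_ok, first_pass, second_pass


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```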
Post #Ax4x5NUZh5canEGY9A by composerjk@typo.social
2025-08-12T01:57:01Z
0 likes, 0 repeats
@foone I rather appreciate that you end up being able to play and still get noticed as breaking the copy protection, shown at the end.
Post #Ax4xCaJ0S6y2YnI7fs by foone@digipres.club
2025-08-12T01:58:27Z
0 likes, 0 repeats
so, step 3: The checksums. I hack out the checksum function so that when it's called, it just writes the "correct" answer into the return value. I do it at the point where checksum_memory() is implemented, not where it's called, as there's two visible calls to the checksumming function, there may be more. this way it'll always return the right value. (assuming they always checksum the same part of memory! a fun trick would be doing different chunks of RAM... but not here)
Post #Ax4xMoZaGGwJhnvJXE by foone@digipres.club
2025-08-12T02:00:17Z
0 likes, 0 repeats
so I have a hack that works: I don't think I trust it though. I'm going to change it so the right memory gets into RAM at the right places, just to make sure there's no additional side effects. There's random values in this sector, after all: what if the game is using them to multiply enemy damage or something?
Post #Ax4xZQh4M5ZtPTRKls by foone@digipres.club
2025-08-12T02:02:31Z
0 likes, 0 repeats
rather than hack my way into having a disk that'll work when mounted in DOSBox, I'm just going to make it work properly if the files are copied to DOS? I'll stick the information from those sectors into a file, and swap the raw-sector interrupts out for a simple DOS read-file-data routine. in fact, I might be able to steal one from elsewhere in the EXE
Post #Ax4xlDiQQw0gdMhEsC by foone@digipres.club
2025-08-12T02:04:39Z
0 likes, 0 repeats
weird. I can't find any DOS file interrupts. I know this is for DOS 2.x, but it's gotta load files somehow... there's a high score file!
Post #Ax4xoHSMys3t6ae6E4 by foone@digipres.club
2025-08-12T02:05:19Z
0 likes, 0 repeats
oh wait I searched on "int 21h". but there's a generic interrupt mechanism here, I just described it. I'm an idiot
Post #Ax4y65ENAsqKOsaVgO by NuclearOatmeal@beige.party
2025-08-12T02:08:32Z
0 likes, 0 repeats
@foone Rude.
Post #Ax4yUAVLDcWxhr0dua by foone@digipres.club
2025-08-12T02:12:53Z
0 likes, 0 repeats
btw, the game (Rogue, if I didn't mention that before) is written in C, and uses Lattice C 2.00. Ghidra mostly decompiles it properly. The function arguments sometimes confuse it: Lattice seems to add some padding between arguments sometimes? I'm not sure why exactly.
Post #Ax4z5srVGHSNzdMM3E by timjclevenger@infosec.exchange
2025-08-12T02:19:39Z
0 likes, 0 repeats
@foone The only version I have (and had back then) is cracked so it's interesting to hear how they got there.
Post #Ax4z97D2NJWDMKyNNo by rotopenguin@mastodon.social
2025-08-12T02:19:42Z
0 likes, 0 repeats
@foone the way you solve TOCTOU is to add more TOC
Post #Ax4zTfSgjd1hNo5rea by foone@digipres.club
2025-08-12T02:24:01Z
0 likes, 0 repeats
this game is so old it doesn't support directories
Post #Ax507Ib9A0hO3XwoSG by RueNahcMohr@infosec.exchange
2025-08-12T02:31:04Z
0 likes, 0 repeats
@foone so just make the last instructions in the checksum code return the value they want, or NOP the branch that would say otherwise.
Post #Ax54kIIGcsTqDpxzSC by RueNahcMohr@infosec.exchange
2025-08-12T03:22:51Z
0 likes, 0 repeats
@foone I am here reading your posts. I hear and understand.
Post #Ax57Zzip7V9XadAVfs by foone@digipres.club
2025-08-12T03:54:43Z
0 likes, 0 repeats
okay I understand enough of the IO system to write this code, but I haven't done it yet. but I have been working on this for, uh, 10 hours? so I should probably take a break.
Post #Ax57qb7Xq9LEDHeHZI by commodork@digipres.club
2025-08-12T03:57:40Z
0 likes, 0 repeats
@foone ...And a nap.
Post #Ax5yu4opAuhQl9R7T6 by Canageek@wandering.shop
2025-08-12T13:52:05Z
0 likes, 0 repeats
@foone Oh I remember asking you about this ages ago, you said it was really rare! Very cool that you found an example in the wild!
Post #Ax69XPRXQWevYnwF6G by foone@digipres.club
2025-08-12T15:51:09Z
0 likes, 0 repeats
@gloriouscow sadly not. I had it running on my secondary monitor and I think the HDMI flickered, so the screen reset? and when it came back, MartyPC crashed.
Post #Ax6NP2FHBrzmeh6Vxw by brouhaha@mastodon.social
2025-08-12T18:26:35Z
0 likes, 0 repeats
@foone Can you make the Unicorn more friendly?
Post #Ax6qqzj339cJcSiKDg by ity@estradiol.city
2025-08-12T23:56:40Z
0 likes, 0 repeats
@foone I write 16bit BIOS assembly in 2025, does that count? It's close enough, right? Right :neocat_floof_pleading: ?
Post #Ax6qtmiJsqpO8IhgbQ by foone@digipres.club
2025-08-12T23:57:07Z
0 likes, 0 repeats
@ity yeah, close enough!
Post #Ax6r0Tlsi5GLPWYtGq by ity@estradiol.city
2025-08-12T23:58:25Z
0 likes, 0 repeats
@foone what about PCBox
Post #Ax6r8konDJPIb6rxWy by foone@digipres.club
2025-08-12T23:59:47Z
0 likes, 0 repeats
@ity haven't used it. I've already got 86box and I don't know if PCBox does anything different that'd really help me with what I'm emulating
Post #Ax6rGuntyHLnssLOOO by ity@estradiol.city
2025-08-13T00:01:28Z
0 likes, 0 repeats
@foone ah, fair nuff :3
Post #Ax7UdfjG58UY0F0x6m by thorsummoner@ibite.lol
2025-08-13T07:22:21Z
0 likes, 0 repeats
@foone oh God that padding isn't just general stack space being used (interleaved with argument) to like, express fat pointers or other stack variables, is it? Or, maybe are all locals names being hashed and their position on the stack allocated in hash table order. So long as the call site knew what offset to overwrite, that would be just fine