English Amiga Board
27 May 2019, 21:03   #1
AmigaHope
Laziest crack you ever did that still worked?

Some godlike crackers could dig into the most convoluted protections and produce truly fixed versions -- but not everyone is that good, and sometimes we took shortcuts just to get something working -- a dumb hack but it still worked. What's yours?

My example: I wanted a cracked Delitracker that didn't use a stolen key -- the right way to do it would be to remove all the protection checks, and barring that, reverse-engineer the key to produce a keygen. When I disassembled it I tried patching the key checks to always succeed, but there were additional checks that hashed the code (including itself) to detect cracked versions, etc. I was about to resign myself to fixing it, and then finding any other key checks.

Then I noticed that the hashing checks only checked the code hunks and not the data hunks, and the demo mode that let the program run for 5 minutes without a key was full-featured (aside from the notice that it was unregistered). The timeout was in seconds, in an integer variable in the data hunks -- so I just changed the timeout to $FFFFFFFF and was left with a fully featured program, other than the word unregistered in the window title, and the knowledge that it would eventually time out if I somehow managed to leave it running for the better part of a century without quitting or rebooting.

i.e. I cheesed my way out of a proper crack with a simple changed longword.
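The point of the post above is a coverage gap: an integrity check that hashes only the CODE hunks of an Amiga executable leaves every DATA hunk free to edit. The script below is an added example (not the poster's work and not Delitracker's code) that parses the standard AmigaOS hunk format, computes a code-only check and an all-hunks check over a small executable constructed in memory, patches one longword in the DATA hunk, and shows which check notices. The hunk IDs are the real AmigaOS values; the CRC stand-in for the original protection's hash, the toy executable and the timeout-at-offset-0 layout are assumptions.

```python
"""Parse an Amiga hunk executable, patch a DATA-hunk longword, and compare a
CODE-only integrity check with one covering every loadable hunk.
Added example; the sample executable is constructed, not a real program."""
import struct
import zlib

HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END, HUNK_HEADER = 0x3EC, 0x3F2, 0x3F3
NAMES = {HUNK_CODE: "CODE", HUNK_DATA: "DATA", HUNK_BSS: "BSS"}


def be32(buf, off):
    """One big-endian longword (68k byte order)."""
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunks(exe):
    """Return [(type, body_offset, body_length)] for each loadable hunk."""
    if be32(exe, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:                       # resident library names, 0-terminated
        n = be32(exe, off); off += 4
        if n == 0:
            break
        off += 4 * n
    first, last = be32(exe, off + 4), be32(exe, off + 8)
    off += 12                         # skip table_size, first, last
    for _ in range(last - first + 1):
        size = be32(exe, off); off += 4
        if (size >> 30) == 3:         # both memory bits set: flags longword follows
            off += 4
    hunks = []
    while off < len(exe):
        htype = be32(exe, off) & 0x3FFFFFFF; off += 4   # mask memory flags
        if htype in (HUNK_CODE, HUNK_DATA):
            n = be32(exe, off); off += 4
            hunks.append((htype, off, 4 * n)); off += 4 * n
        elif htype == HUNK_BSS:
            off += 4                  # size only, no file bytes
            hunks.append((htype, off, 0))
        elif htype == HUNK_RELOC32:
            while True:
                cnt = be32(exe, off); off += 4
                if cnt == 0:
                    break
                off += 4 + 4 * cnt    # target hunk number + offsets
        elif htype != HUNK_END:
            raise ValueError(f"unhandled hunk type {htype:#x} at {off - 4}")
    return hunks


def code_only_check(exe):
    """The weak check the post describes: hashes CODE hunks only (CRC is a stand-in)."""
    h = 0
    for t, o, n in parse_hunks(exe):
        if t == HUNK_CODE:
            h = zlib.crc32(exe[o:o + n], h)
    return h


def all_hunks_check(exe):
    """Hardened variant: every hunk with file bytes, type folded in."""
    h = 0
    for t, o, n in parse_hunks(exe):
        h = zlib.crc32(struct.pack(">I", t) + exe[o:o + n], h)
    return h


def patch_data_longword(exe, hunk_index, offset, value):
    """Overwrite one longword inside a DATA hunk; length of the file is unchanged."""
    t, o, n = parse_hunks(exe)[hunk_index]
    if t != HUNK_DATA or offset + 4 > n:
        raise ValueError("not a DATA hunk or offset out of range")
    out = bytearray(exe)
    struct.pack_into(">I", out, o + offset, value)
    return bytes(out)


def build_sample():
    """Constructed executable: one CODE hunk, one DATA hunk whose first longword
    is a 300-second (5 minute) timeout, as in the post (assumed layout)."""
    code = bytes.fromhex("4e71" * 4 + "4e75") + b"\x00\x00"   # nop x4, rts, pad
    data = struct.pack(">III", 300, 0xDEADBEEF, 0)
    hunk = lambda t, body: struct.pack(">II", t, len(body) // 4) + body
    end = struct.pack(">I", HUNK_END)
    header = struct.pack(">IIIII", HUNK_HEADER, 0, 2, 0, 1)
    header += struct.pack(">II", len(code) // 4, len(data) // 4)
    return header + hunk(HUNK_CODE, code) + end + hunk(HUNK_DATA, data) + end


def demo(timeout_offset=0):
    exe = build_sample()
    hunks = parse_hunks(exe)
    idx = next(i for i, (t, _, _) in enumerate(hunks) if t == HUNK_DATA)
    patched = patch_data_longword(exe, idx, timeout_offset, 0xFFFFFFFF)
    return {
        "layout": [NAMES[t] for t, _, _ in hunks],
        "timeout_before": be32(exe, hunks[idx][1] + timeout_offset),
        "timeout_after": be32(patched, hunks[idx][1] + timeout_offset),
        "code_check_unchanged": code_only_check(patched) == code_only_check(exe),
        "full_check_unchanged": all_hunks_check(patched) == all_hunks_check(exe),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical check before trying this on a real program is the `layout` list: if a protection's self-check walks only CODE hunks, any value that decides behaviour and lives in DATA (a timer, a flag, a table of expected answers) is an unguarded patch point. Note that 0xFFFFFFFF seconds is roughly 136 years, which is where the post's "better part of a century" comes from.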
27 May 2019, 21:06   #2
jotd
nice. I once unpacked a modified exe-cruncher for Nightshift game: the disk protection was hidden in the modified decruncher routine.

I realized that I had cracked the game after I had cracked it ... with XFDDecrunch

Another "lame" technique with password protections is to locate the random routine and make it tell the same thing every time. Now change the password entry text to the proper word to enter: "please enter "pasta"": done (but lame)
27 May 2019, 21:15   #3
AmigaHope
Quote:
Originally Posted by jotd
nice. I once unpacked a modified exe-cruncher for Nightshift game: the disk protection was hidden in the modified decruncher routine.

I realized that I had cracked the game after I had cracked it ... with XFDDecrunch

Another "lame" technique with password protections is to locate the random routine and make it tell the same thing every time. Now change the password entry text to the proper word to enter: "please enter "pasta"": done (but lame)
Sounds like that Nightshift protection was added as a complete afterthought. xD Like the original programmer just handed off his code and then the publisher added the protection but couldn't work it into the game since they didn't have access to the source.

Regarding manual lookup protection, I'm reminded of the SSI Gold Box games. Early ones stored the manual lookup answers in plaintext in the code and I just replaced them with null strings. Straightforward. Later ones (like Pools of Darkness) tried to get creative and encrypted the manual check, but there was no need to reverse the encryption because if you just replaced the encrypted data with nulls the decryptor would break and just return a null thus eliminating the check.
27 May 2019, 21:23   #4
Galahad/FLT
Quote:
Originally Posted by jotd
Another "lame" technique with password protections is to locate the random routine and make it tell the same thing every time. Now change the password entry text to the proper word to enter: "please enter "pasta"": done (but lame)
Not lame. If the end result is the user can successfully get past the protection entry with no issues other than typing the correct word, then you've done the crack.

I tackled Operation Stealth v4.0 and Robinson's Requiem in a slightly different manner. Knowing they were interpreters, and that it's very easy to screw up other functions by getting it wrong, I simply hacked the game to divert to my own screen come protection entry time, with the correct page, line, word and protection codes listed so the user can get past the protection, thus ensuring that any checks in the interpreter code are undisturbed and will always complete properly.

I also did Archipelagos where it printed onscreen at the protection what word to type in to proceed.
27 May 2019, 21:38   #5
AmigaHope
Quote:
Originally Posted by Galahad/FLT
Not lame. If the end result is the user can successfully get past the protection entry with no issues other than typing the correct word, then you've done the crack.

I tackled Operation Stealth v4.0 and Robinson's Requiem in a slightly different manner. Knowing they were interpreters, and that it's very easy to screw up other functions by getting it wrong, I simply hacked the game to divert to my own screen come protection entry time, with the correct page, line, word and protection codes listed so the user can get past the protection, thus ensuring that any checks in the interpreter code are undisturbed and will always complete properly.

I also did Archipelagos where it printed onscreen at the protection what word to type in to proceed.
I would say that "lame" is not the right word, but how about "inelegant". It's not a *bad* crack as long as it works, it's just not really an elegant fully complete crack.

In modern terms it's like cracking a Denuvo-protected game by causing the Denuvo encryption to always succeed vs. improving the game by removing Denuvo entirely... ...or bypassing the issue entirely by loading the game data by modifying a non-Denuvo demo version of the game to work with the data files of the final release. i.e. you've cracked the game to where it works -- it's a "good" crack insofar that it works with no ill effects. Hence what I mean by a "lazy" crack because you never actually removed the protection.

It's not meant as an insult, as being lazy effectively is a creative process in its own way!
27 May 2019, 22:07   #6
jotd
Agreed, lazy is good. And "lame" was quoted, because when it works, well, it's smart.

And those lazy cracks can be very helpful for someone wanting to improve them (for example to bypass the screen completely or to make all input correct) and not having the manual handy. I remember Prince of Persia potion screen displaying the letter of the potion to drink. I could figure out the flag telling "no need to display this screen anymore" thanks to this crack, having never seen the manual before.

As a comparison, I cracked Operation Stealth 4.0 not knowing it was running on an interpreter, just analyzing/following the program when wrong or correct codes were entered, using A500 + Action Replay.

It took me around 3 days / 10 hours of work and I absolutely don't remember how I pulled this off, but it still works perfectly now. I wouldn't call that lazy, and I definitely won't do it like this again.
27 May 2019, 22:12   #7
Galahad/FLT
Quote:
Originally Posted by AmigaHope
I would say that "lame" is not the right word, but how about "inelegant". It's not a *bad* crack as long as it works, it's just not really an elegant fully complete crack.

In modern terms it's like cracking a Denuvo-protected game by causing the Denuvo encryption to always succeed vs. improving the game by removing Denuvo entirely... ...or bypassing the issue entirely by loading the game data by modifying a non-Denuvo demo version of the game to work with the data files of the final release. i.e. you've cracked the game to where it works -- it's a "good" crack insofar that it works with no ill effects. Hence what I mean by a "lazy" crack because you never actually removed the protection.

It's not meant as an insult, as being lazy effectively is a creative process in its own way!
Is it my fault that thinking outside the box means I didn't have to spend hours on cracking it where playtesting is an issue?

This isn't quite like Denuvo, as Denuvo has been known to affect performance of a game, which is why it's always been essential to remove it completely; my solution causes no performance hit to the game whatsoever.

And I am lazy. Interpreter protections can sometimes be the most difficult to tackle because of the possibility of affecting other game functions and crippling the game.
27 May 2019, 22:15   #8
Galahad/FLT
Quote:
Originally Posted by jotd
Agreed, lazy is good. And "lame" was quoted, because when it works, well, it's smart.

And those lazy cracks can be very helpful for someone wanting to improve it (for example to bypass the screen completely or to make all input correct) and not having the manual handy.

As a comparison, I cracked Operation Stealth 4.0 not knowing it was running on an interpreter, just analyzing/following the program when wrong or correct codes were entered, using A500 + Action Replay.

It took me around 3 days / 10 hours of work and I absolutely don't remember how I pulled this off, but it still works perfectly now. I wouldn't call that lazy, and I definitely won't do it like this again.
Ha ha, been there done that.... my solution took me 25 minutes to colour in the protection screen in Dpaint and 10 minutes to examine the game code to insert my handiwork.

Whereas some of the Level 9 interpreter games I did on Amiga and ST were really quite easy to do, I think my first one took two hours, and then the rest were so similarly coded that I was able to do them in minutes as the interpreter protection hadn't changed, it was just a case of "injecting" the correct details to force a certain page/line/word/ result.
27 May 2019, 22:25   #9
AmigaHope
Quote:
Originally Posted by Galahad/FLT
Is it my fault that thinking outside the box means I didn't have to spend hours on cracking it where playtesting is an issue?

This isn't quite like Denuvo, as Denuvo has been known to affect performance of a game, which is why it's always been essential to remove it completely; my solution causes no performance hit to the game whatsoever.

And I am lazy. Interpreter protections can sometimes be the most difficult to tackle because of the possibility of affecting other game functions and crippling the game.
True, although going back and doing interpreter-level cracks seems to be more popular now that a lot of stuff is being actively reverse-engineered anyway for stuff like ScummVM.

What really makes me wonder though is how to properly crack well-designed protection like in Infocom Z-Machine interpreter games where the "protection" is actually made to be *FUN*. Like sometimes you might want to remove stuff like A Mind Forever Voyaging's codewheel, but at the same time they made it like the codewheel was part of the game vs. just a copy protection (sort of like what Rocket Ranger tried to do but way more immersive). Infocom were really good at making their protection checks immersive and the copy protection tat/fluff/junk from the box actually fun to play with.

I think that might be why I saved up my meager elementary-school allowance to buy more Infocom originals than from any other publisher.
28 May 2019, 15:20   #10
Daedalus
I remember there was an Amiga Format cover-mounted demo of Wordworth 7 at one point. It appeared more or less fully featured, including saving. The only thing that made it a demo was a prominent watermark diagonally across every page saying "Amiga Format Demo" or something. I searched the executable for that string using a hex editor, replaced it with spaces, et voilà, no more (visible) watermark!
28 May 2019, 18:10   #11
mark_k
Quote:
Originally Posted by AmigaHope
What really makes me wonder though is how to properly crack well-designed protection like in Infocom Z-Machine interpreter games where the "protection" is actually made to be *FUN*. Like sometimes you might want to remove stuff like A Mind Forever Voyaging's codewheel, but at the same time they made it like the codewheel was part of the game vs. just a copy protection (sort of like what Rocket Ranger tried to do but way more immersive). Infocom were really good at making their protection checks immersive and the copy protection tat/fluff/junk from the box actually fun to play with.
Many years ago I figured out how to crack several Infocom games by looking at the Z-code disassemblies. The patched versions always asked the same question.
28 May 2019, 19:39   #12
nogginthenog
Dune 1. Opened it in MonAm and searched for references to the text for the manual check (enter word on page 3, paragraph 2 etc). Replaced a single BNE with a NOP. Amazingly it worked.

There may have been more checks but I never progressed far.
28 May 2019, 20:59   #13
jotd
No, Dune protection was lame enough. No extra checks. I cracked the MS-DOS version by making random fixed and changing the text prompt. But I did that by using register zeroing of the executable depacker, which made the work much harder (if only I had run UNP.EXE on the executable...)

The advantage of fixing random is that if the game checks that protection is okay later in the game, this second check is completely defeated. But I still prefer removing those nag screens completely, even if it's more difficult/risky.
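Three of the patches in this thread (jotd's pinned random routine plus rewritten prompt in posts #2 and #13, Daedalus's watermark string overwritten with spaces in #10, and nogginthenog's BNE-to-NOP in Dune in #12) are the same three byte-level primitives, and each has a length trap: a replacement string must not grow, and a 68000 conditional branch is one word or two depending on its displacement, so a single NOP over a BNE.W leaves the displacement word to execute as an instruction. The script below is an added example in Python (not any poster's code and not taken from the games named) that implements the three primitives with those checks on a raw 68k code image. Assumptions: a plain 68000 (no 32-bit branch displacements), a routine that returns its result in D0, and a sample image that is constructed here, not dumped from a real game.

```python
"""Same-length string patch, branch-to-NOP with correct width, and pinning a
routine's return value, for a raw M68000 byte image. Added example; the
sample image is constructed, not from any real game."""

NOP = b"\x4E\x71"
RTS = b"\x4E\x75"


def find_string(image, text):
    """Offset of a NUL-terminated string, or ValueError."""
    off = image.find(text.encode("latin-1") + b"\x00")
    if off < 0:
        raise ValueError(f"string {text!r} not found")
    return off


def patch_string(image, text, replacement, pad=b" "):
    """Overwrite a string in place without changing its length. Code addresses
    the bytes after it by fixed offset and hunk sizes are in the header, so a
    longer replacement would corrupt what follows; shorter text is padded
    (spaces keep on-screen layout, NUL padding ends the string early)."""
    off = find_string(image, text)
    new = replacement.encode("latin-1")
    if len(new) > len(text):
        raise ValueError("replacement longer than original string")
    out = bytearray(image)
    out[off:off + len(text)] = new + pad * (len(text) - len(new))
    return bytes(out)


def bcc_length(image, off):
    """Byte length of the 68000 Bcc/BRA/BSR at off, or 0 if not one.
    Opcode 0110cccc dddddddd: disp8 == 0x00 means a 16-bit displacement word
    follows; 0xFF is the 68020+ 32-bit form, refused here (assumption)."""
    if off + 2 > len(image) or (image[off] & 0xF0) != 0x60:
        return 0
    disp8 = image[off + 1]
    if disp8 == 0xFF:
        raise ValueError("32-bit Bcc displacement (68020+) not handled")
    return 4 if disp8 == 0x00 else 2


def nop_branch(image, off):
    """The classic BNE -> NOP patch, covering every word the branch occupied."""
    n = bcc_length(image, off)
    if n == 0:
        raise ValueError(f"no branch at {off:#x}: {image[off:off + 2].hex()}")
    out = bytearray(image)
    out[off:off + n] = NOP * (n // 2)
    return bytes(out)


def pin_return_value(image, off, value):
    """Make a routine always return a constant in D0 by overwriting its entry
    with MOVEQ #value,D0 ; RTS (0x70xx 0x4E75). MOVEQ sign-extends an 8-bit
    immediate, so value must be in -128..127. Assumes the caller reads D0."""
    if not -128 <= value <= 127:
        raise ValueError("MOVEQ immediate must fit in a signed byte")
    out = bytearray(image)
    out[off:off + 4] = bytes([0x70, value & 0xFF]) + RTS
    return bytes(out)


PROMPT = "Enter the word from page 3, line 2"


def build_sample():
    """Constructed image: a 'random' routine at 0, a manual check at 8 whose
    BNE.W at 12 takes the failure path, then the prompt string at 20."""
    random_routine = bytes.fromhex("2039 0000 1000" "4e75")   # move.l $1000,d0 ; rts
    check = bytes.fromhex("b07c 0007"    # cmp.w #7,d0
                          "6600 0010"    # bne.w +$10   (wrong answer)
                          "7001"         # moveq #1,d0  (accepted)
                          "4e75")        # rts
    return random_routine + check + PROMPT.encode("latin-1") + b"\x00"


def demo():
    image = build_sample()
    random_off, bne_off = 0, 12
    # Dune-style: kill the "wrong answer" branch (both words of the BNE.W).
    nopped = nop_branch(image, bne_off)
    # jotd-style: pin the random routine to 7, then tell the player the answer.
    pinned = pin_return_value(image, random_off, 7)
    pinned = patch_string(pinned, PROMPT, "Please enter: pasta")
    p = find_string(image, PROMPT)
    return {
        "bne_len": bcc_length(image, bne_off),
        "branch_nopped": nopped[bne_off:bne_off + 4] == NOP * 2,
        "rest_intact": nopped[bne_off + 4:] == image[bne_off + 4:],
        "rng_pinned": pinned[random_off:random_off + 4] == bytes.fromhex("70074e75"),
        "prompt": pinned[p:p + len(PROMPT)].decode("latin-1").rstrip(),
        "same_length": len(pinned) == len(image) == len(nopped),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `bcc_length` check is the one to keep even when patching by hand in a monitor: a BNE.S (`66xx`) takes one NOP, a BNE.W (`6600 dddd`) takes two. Pinning the random routine rather than the comparison is what makes jotd's second point work: a later re-check that recomputes the expected answer from the same routine gets the same fixed value and passes too.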
29 May 2019, 21:07   #14
nogginthenog
Quote:
Originally Posted by jotd
No, Dune protection was lame enough.
Are you suggesting I'm not a l33t hacker?
Never added a cracktro so you're probably right.
29 May 2019, 21:25   #15
jotd
I did some cracktros but they sucked so much I wish I had never written them. Fortunately they were never widely released and I have lost them now (I kept the soundtrack of one of them though, the better bit).
30 May 2019, 12:30   #16
Megol
Entered a cheatcode in a free demo of some game, made it fully playable. Crack? Dunno.
30 May 2019, 14:30   #17
RedskullDC
"Backbone" game design system.

One byte change to the main EXE would make it encode/write the keyfile out to disk.

Still enjoyed by many Amiga users today.

Cheers,
Red
30 May 2019, 21:10   #18
jotd
Magic Pockets NTSC has level codes and a manual check at the end of the first completed level. You can play all the levels without entering the code (just reboot in between or quit the current game just before completing the level)