English Amiga Board


Old 12 January 2023, 22:44   #1
LittleSandra88
Registered User
 
 
Join Date: Jan 2023
Location: Denmark
Posts: 36
How were games with level 2 interrupt check cracked?

Dear all =)

How Addams Family was cracked is a mystery to me. The game checks for level 2 interrupts, so if you freeze the game, then it clears all memory when you return. Even the cracked version still has this intact.

The game uses some sort of Ocean OS and a custom cruncher (so repacking is not possible), so if one had to crack the game offline (without MK3), it would be a huge task.

The crack even preserves the original loader, where the game uses filenames when asking for data, which then get translated to tracks and length on the disk.

Given the level 2 interrupt check is still there and the original loader, I am really curious to hear how an expert would go about this game.

Any ideas?

Hugs,
Sandra =)
Old 12 January 2023, 22:49   #2
StingRay
move.l #$c0ff33,throat
 
 
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Button pushing != cracking.
Addams Family can be cracked like any other game: disassemble the bootblock, check where/how the main code is loaded, disassemble the main code, remove protection checks (this is where the fun usually starts) and add some trainer options to be able to test the game to the end.

The end.
Old 12 January 2023, 22:51   #3
jotd
This cat is no more
 
 
Join Date: Dec 2004
Location: FRANCE
Age: 52
Posts: 8,174
you mean CIA read to detect Action Replay MK3 I suppose? IIRC this game used an anti-AR code. Or was it just detecting HRTMon? I'm not sure.

Maybe they just waited for the game to load, then disassembled it and found how copylock protection was checked. Then they removed the check. You don't need to interrupt the game when it's running to crack it.

If that wasn't possible, I guess that crackers could just do the same to remove CIA AR detection code, write a special version that can be debugged, then crack it using a monitor.

I see that Stingray just replied with the same thing. Sounds good.

You may be interested by a question I asked a few weeks ago https://retrocomputing.stackexchange...ked-circa-1987
Old 12 January 2023, 23:02   #4
LittleSandra88
Registered User
 
 
Join Date: Jan 2023
Location: Denmark
Posts: 36
Quote:
Originally Posted by StingRay View Post
Button pushing != cracking.
Addams Family can be cracked like any other game: disassemble the bootblock, check where/how the main code is loaded, disassemble the main code, remove protection checks (this is where the fun usually starts) and add some trainer options to be able to test the game to the end.

The end.
Ok, that is interesting! I wouldn't have expected that there was time for the academic approach, given it was important to be the first to release a crack.

Was that really the norm, or was it only the super experienced crackers that did it that way?
Old 12 January 2023, 23:17   #5
LittleSandra88
Registered User
 
 
Join Date: Jan 2023
Location: Denmark
Posts: 36

Quote:
Originally Posted by jotd View Post
you mean CIA read to detect Action Replay MK3 I suppose? IIRC this game used an anti-AR code. Or was it just detecting HRTMon? I'm not sure.

Maybe they just waited for the game to load, then disassembled it and found how copylock protection was checked. Then they removed the check. You don't need to interrupt the game when it's running to crack it.

If that wasn't possible, I guess that crackers could just do the same to remove CIA AR detection code, write a special version that can be debugged, then crack it using a monitor.

I see that Stingray just replied with the same thing. Sounds good.

You may be interested by a question I asked a few weeks ago https://retrocomputing.stackexchange...ked-circa-1987
From my testing it detected all monitors. AK3, HRTmon, Conan & Black Hawks monitor (which I can't remember the name of right now).

Interesting post you wrote! But without a monitor, wouldn't it be near impossible to crack a game which uses a code wheel (e.g. Monkey Island 2)?
Old 12 January 2023, 23:29   #6
jotd
This cat is no more
 
 
Join Date: Dec 2004
Location: FRANCE
Age: 52
Posts: 8,174
As I explained, it would be done in 2 passes.

First create a version without the MK3 detection (to work on)

Then use MK3/whatever to debug it and crack the code. Once the code is cracked, there's no need to apply the patch to remove MK3 detection.

I guess that they didn't even need to remove the MK3 detection or maybe didn't even notice that. They isolated the copylock code (an encrypted piece of code that checks for the protected track and does things), ran it from an empty program and checked what the keydisk returned (provided they had the original) / which parts of the memory it changed (for the most advanced copylock codes).

As a side note, Monkey Island and all virtual machine coded games (SCUMM, SCI, Delphine) are more difficult to crack because they're running an interpreter. So the protection code is indistinguishable from the game itself. First you have to see how the interpreter works. I could crack a few of those games without knowing how it worked, but just because they weren't sneaky enough and used unencrypted numbers for the manual pages and all, so memory reflected the page/code asked for.
Old 12 January 2023, 23:52   #7
LittleSandra88
Registered User
 
 
Join Date: Jan 2023
Location: Denmark
Posts: 36

Quote:
Originally Posted by jotd View Post
As I explained, it would be done in 2 passes.

First create a version without the MK3 detection (to work on)

Then use MK3/whatever to debug it and crack the code. Once the code is cracked, there's no need to apply the patch to remove MK3 detection.

I guess that they didn't even need to remove the MK3 detection or maybe didn't even notice that. They isolated the copylock code (an encrypted piece of code that checks for the protected track and does things), ran it from an empty program and checked what the keydisk returned (provided they had the original) / which parts of the memory it changed (for the most advanced copylock codes).

As a side note, Monkey Island and all virtual machine coded games (SCUMM, SCI, Delphine) are more difficult to crack because they're running an interpreter. So the protection code is indistinguishable from the game itself. First you have to see how the interpreter works. I could crack a few of those games without knowing how it worked, but just because they weren't sneaky enough and used unencrypted numbers for the manual pages and all, so memory reflected the page/code asked for.
Ok, now I get it. Very clever to use a blank disk for the modified code during cracking.

In this process, how do you find the checksum routines in the case where the game would crash right away, and when it would screw the game up later like Leander and Turrican 1 did? Is there a method to find checksum routines?

Ok, that's fun that the adventure games used their interpreter for the code wheel as well =)
Old 13 January 2023, 00:04   #8
StingRay
move.l #$c0ff33,throat
 
 
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Quote:
Originally Posted by LittleSandra88 View Post
Ok, that is interesting! I wouldn't have expected that there was time for the academic approach, given it was important to be the first to release a crack.

Was that really the norm, or was it only the super experienced crackers that did it that way?
Many approaches were used to crack games, some people used cartridges, others used nothing else but a disassembler/assembler and others used both. Usually, the protections weren't that good anyway, so cracking them without cartridge did not take much time. As usual, there are exceptions to this rule, of course. I for one liked game coders who tried to defeat any and all cartridges using (sometimes quite clever) tricks.

Quote:
But without a monitor, wouldn't it be near impossible to crack a game which uses a code wheel (e.g. Monkey Island 2)?
Every (!) game can be cracked without any cartridge. Interpreter based protections require more work than "standard" protections with or without cartridge, at least if you want to crack them properly. And that means patching the byte code in the interpreter data to bypass/disable the protection check(s).
Old 13 January 2023, 00:55   #9
LittleSandra88
Registered User
 
 
Join Date: Jan 2023
Location: Denmark
Posts: 36

Quote:
Originally Posted by StingRay View Post
Many approaches were used to crack games, some people used cartridges, others used nothing else but a disassembler/assembler and others used both. Usually, the protections weren't that good anyway, so cracking them without cartridge did not take much time. As usual, there are exceptions to this rule, of course. I for one liked game coders who tried to defeat any and all cartridges using (sometimes quite clever) tricks.
Were there sometimes funny messages left in the game for the cracker to see?

Quote:
Every (!) game can be cracked without any cartridge. Interpreter based protections require more work than "standard" protections with or without cartridge, at least if you want to crack them properly. And that means patching the byte code in the interpreter data to bypass/disable the protection check(s).
That reminds me of this PC game, where they didn't patch the correct byte code =)

[ Show youtube player ]

And fast forward to 35:58 .

Oops =)

Old 13 January 2023, 02:14   #10
lesta_smsc
Registered User
 
 
Join Date: Feb 2012
Location: United Kingdom
Posts: 3,174
Quote:
Originally Posted by LittleSandra88 View Post
Were there sometimes funny messages left in the game for the cracker to see?
Yes, quite a lot of them actually. Some were pleasant, others quite aggressive. In fact, there is a thread on EAB for this too:

http://eab.abime.net/showthread.php?...messages+crack
Old 13 January 2023, 02:21   #11
LittleSandra88
Registered User
 
 
Join Date: Jan 2023
Location: Denmark
Posts: 36

Quote:
Originally Posted by lesta_smsc View Post
Yes, quite a lot of them actually. Some were pleasant, others quite aggressive. In fact, there is a thread on EAB for this too:

http://eab.abime.net/showthread.php?...messages+crack
Thanks. There is so much information on this board!
Old 13 January 2023, 07:25   #12
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by LittleSandra88 View Post
Is there a method to find checksum routines?
There is nothing really bullet proof, but strange constants used in comparisons and pointers to code areas are usually a good indication.
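meynaf's heuristic above (odd comparison constants sitting near pointers into code) turned into a small triage scanner, as an added Python example that is not from the thread: a linear sweep that decodes only four 68000 opcode forms (cmpi.l #imm,Dn, cmpa.l #imm,An, lea abs.l,An, move.l #imm,Dn) over a hand-assembled, constructed snippet. The load address ($10000), code length ($400) and the 32-byte proximity window are assumptions; the same triage is useful when auditing how conspicuous your own self-check code is.

```python
import struct

# Constructed 68000 snippet (hand-assembled, not from any real game): sums a code
# range, compares the sum with a magic value and branches. Assumed loaded at $10000.
SAMPLE = bytes.fromhex(
    "41F900010000"  # lea    $00010000,a0   ; pointer into the code area
    "7200"          # moveq  #0,d1
    "D298"          # add.l  (a0)+,d1       ; loop: accumulate longwords
    "B1FC00010400"  # cmpa.l #$00010400,a0  ; end-of-range pointer
    "65FA"          # bcs.s  loop
    "0C81DEADBEEF"  # cmpi.l #$DEADBEEF,d1  ; the conspicuous constant
    "6600000C"      # bne.w  fail
    "4E75"          # rts
)

# masked opcode word (register bits cleared) -> mnemonic, for forms with a 32-bit operand
FORMS = {0xB1FC: "cmpa.l", 0x41F9: "lea", 0x203C: "move.l"}

def _classify(offset, mnemonic, value, lo, hi):
    kind = ("code-pointer" if lo <= value <= hi
            else "odd-constant" if value >= 0x10000 else "small-immediate")
    return {"offset": offset, "mnemonic": mnemonic, "value": value, "kind": kind}

def decode_hints(code, base, code_len):
    """Linear sweep that decodes only the forms above; every other word is
    skipped two bytes at a time (coarse, but good enough for triage)."""
    lo, hi = base, base + code_len
    hints, i = [], 0
    while i + 6 <= len(code):                       # room for opcode + operand
        op = struct.unpack_from(">H", code, i)[0]
        imm = struct.unpack_from(">I", code, i + 2)[0]
        if 0x0C80 <= op <= 0x0C87:                  # cmpi.l #imm,Dn
            mnemonic = "cmpi.l"
        else:
            mnemonic = FORMS.get(op & 0xF1FF)       # register field masked off
        if mnemonic is None:
            i += 2
            continue
        hints.append(_classify(i, mnemonic, imm, lo, hi))
        i += 6
    return hints

def candidate_regions(hints, window=32):
    """Offsets of odd-constant compares lying within `window` bytes of a pointer
    into the code area: the combination meynaf describes."""
    pointers = [h["offset"] for h in hints if h["kind"] == "code-pointer"]
    return [h["offset"] for h in hints
            if h["kind"] == "odd-constant" and h["mnemonic"].startswith("cmp")
            and any(abs(h["offset"] - p) <= window for p in pointers)]
```

On the sample, `decode_hints(SAMPLE, 0x10000, 0x400)` flags the lea and cmpa.l operands as code pointers and the cmpi.l operand as an odd constant, and `candidate_regions` returns the cmpi.l offset as the region worth reading by hand.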