Author Topic: Cracking the protection of Y2  (Read 4462 times)

Offline eidis

Cracking the protection of Y2
« on: July 01, 2014, 01:52:58 am »
Ladies and Gentleman,

 Due to popular demand I present to you the start of cracking Y2.

Get it here:
http://nfggames.com/x68000/Uploads/Y2.Lzh

Here is what I have found out so far:

1) A user who goes by the name Delicious in Tokugawa Corporate Forums has found a way of making the ship appear on the screen.

Full story here:
http://fullmotionvideo.free.fr/phpBB3/viewtopic.php?f=2&t=773

2) I found out that the main game.x file is compressed with LZX and decompressed it using LHES' built-in command (highlight a compressed file and press F8 to activate).

3) The contents of the address he mentioned, #5890A, begin in GAME.X at offset #90EA.

    Original contents are:
Code:
23 FC 00 00 42 C6 00 00 07 60
    The game changes them in memory, when launched, to this:
Code:
23 FC 00 05 3B 26 00 04 FF C0 = MOVE.L #$00053B26, $0004FFC0
4) I was very tempted to replace the original code with 4E 71 (NOP), but it did not work, because only the 23 FC 00 part stays modified; the rest is generated by some algorithm.

The solution: Fools luck :D

I modified the first three bytes to 4E 71 02 and, surprisingly, the game starts, but only from pure DOS. Running it from LHES will give you a nasty error. The ship is visible and the 1st level is fully playable.

However, there is a problem. The game does not allow you to continue playing if you lose a life or complete the level. The screen fades and the game gets caught in some kind of infinite loop.

I noticed that the game tries to access the floppy drive when launched. This could be linked to the protection.

Right now I am asking for your help. Please anyone who can teach me how to crack this nasty game, give some words of advice. I have the time but don't have the knowledge.

Keep the scene alive !
Eidis

Update: Sorry AnnaWu and thank you 98pacecar
« Last Edit: July 01, 2014, 07:51:22 pm by eidis »
The X68000 personal computer, also called "X68K" or "no good good", is a PC that is still loved by many people today.
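An added example, not part of eidis's post or of the game: a small Python script that decodes the MOVE.L instruction quoted above from its raw bytes and applies the same 3-byte patch to a copy of GAME.X, refusing to write if the 10 bytes at offset #90EA are not the original ones. It also decodes what the 68000 would execute after the patch, which shows why writing only 4E 71 02 works: the remaining bytes (whichever of the two 7-byte tails is present) fall out as an ANDI.B / ORI.B immediate pair on a data register, so the CPU steps cleanly over all 10 bytes without ever executing the MOVE.L. The caveat is that those two instructions clobber the low byte of a data register, which may matter if the code that follows expects it. Assumptions: GAME.X has already been LZX-decompressed as described, the sample image built inside the script is a constructed zero-filled stand-in rather than real game data, and only the handful of opcode forms needed here are recognised.

```python
"""Decode and patch the MOVE.L at GAME.X offset 0x90EA (added example)."""
import struct
import sys

GAME_X_OFFSET = 0x90EA   # file offset quoted in the post
MEM_ADDRESS = 0x5890A    # memory address quoted in the post
# The two 10-byte sequences quoted in the post (on disk / in memory).
ORIGINAL = bytes.fromhex("23FC000042C600000760")
RUNTIME = bytes.fromhex("23FC00053B260004FFC0")
PATCH = bytes.fromhex("4E7102")  # eidis's patch: NOP + the byte 02


def decode_move_l_abs(code):
    """Decode MOVE.L #imm32,(abs).L and return (imm, addr).

    Opcode layout: 0010 RRR MMM mmm rrr (size 10 = long, dest reg/mode,
    source mode/reg). Immediate source is mode 7 reg 4, absolute-long
    destination is mode 7 reg 1, giving the opcode word 0x23FC.
    """
    op = struct.unpack(">H", code[:2])[0]
    size = op >> 12
    dst_reg, dst_mode = (op >> 9) & 7, (op >> 6) & 7
    src_mode, src_reg = (op >> 3) & 7, op & 7
    if size != 0b0010 or (src_mode, src_reg) != (7, 4) or (dst_mode, dst_reg) != (7, 1):
        raise ValueError(f"not MOVE.L #imm,(abs).L: opcode {op:04X}")
    imm, addr = struct.unpack(">II", code[2:10])
    return imm, addr


def disassemble_patched(code):
    """Decode a byte stream using only NOP, ORI.B/ANDI.B #imm,Dn and MOVE.L.

    ORI.B is 0x00xx and ANDI.B is 0x02xx with size bits 00 and a Dn
    destination; the byte immediate is the low byte of the following word.
    """
    out, pc = [], 0
    while pc < len(code):
        op = struct.unpack(">H", code[pc:pc + 2])[0]
        if op == 0x4E71:
            out.append("NOP")
            pc += 2
        elif op >> 8 in (0x00, 0x02) and (op >> 3) & 7 == 0 and (op >> 6) & 3 == 0:
            mnem = "ORI.B" if op >> 8 == 0x00 else "ANDI.B"
            imm = struct.unpack(">H", code[pc + 2:pc + 4])[0] & 0xFF
            out.append(f"{mnem} #${imm:02X},D{op & 7}")
            pc += 4
        elif op == 0x23FC:
            imm, addr = decode_move_l_abs(code[pc:pc + 10])
            out.append(f"MOVE.L #${imm:08X},${addr:08X}")
            pc += 10
        else:
            raise ValueError(f"unhandled opcode {op:04X} at +{pc:X}")
    return out


def patch_game_x(image, offset=GAME_X_OFFSET):
    """Return a patched copy of a decompressed GAME.X, or raise if the
    bytes at the offset are not the expected original (wrong file, wrong
    build, or already patched)."""
    buf = bytearray(image)
    if bytes(buf[offset:offset + len(ORIGINAL)]) != ORIGINAL:
        raise ValueError(f"bytes at {offset:#X} do not match the expected original")
    buf[offset:offset + len(PATCH)] = PATCH
    return bytes(buf)


def make_sample_image(size=0x10000):
    """Constructed stand-in for a decompressed GAME.X: zeros except the 10
    bytes of interest. Not real game data."""
    buf = bytearray(size)
    buf[GAME_X_OFFSET:GAME_X_OFFSET + len(ORIGINAL)] = ORIGINAL
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python patch_y2.py [GAME.X]  (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_image()
    imm, addr = decode_move_l_abs(RUNTIME)
    print(f"in-memory instruction: MOVE.L #${imm:08X},${addr:08X}")
    patched = patch_game_x(data)
    window = patched[GAME_X_OFFSET:GAME_X_OFFSET + 10]
    print("after patch:", window.hex(" ").upper(), "->", "; ".join(disassemble_patched(window)))
    print("with runtime tail:", "; ".join(disassemble_patched(PATCH + RUNTIME[3:])))
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(patched)
```

Run it without arguments to see the decoding on the constructed sample; with a path it writes GAME.X.patched beside the input and never touches the original.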

Offline sharp

Re: Cracking the protection of Y2
« Reply #1 on: July 01, 2014, 08:11:09 am »
I have some info not publicly available towards passing the copy protection... I couldn't figure it out though...

I will send you a PM when I find the time to get the information.

Offline eidis

Re: Cracking the protection of Y2
« Reply #2 on: July 01, 2014, 08:30:55 am »
 Hi Sharp !

 Thank you for your generous offer.

Keep the scene alive !
Eidis

Offline sharp

Re: Cracking the protection of Y2
« Reply #3 on: July 01, 2014, 08:53:36 am »
Hey eidis,

It is a pleasure!  ;D

Offline 98pacecar

Re: Cracking the protection of Y2
« Reply #4 on: July 01, 2014, 09:04:31 am »
Dear imaginary Ladies and very real Gentleman,

Slightly off topic, but I think Annawu has made it very clear that she is in fact, a lady. Is it worth risking offending her/him and losing their valuable input for a laugh??

Back on topic, this is really cool and I wish that the few cracking skills I have would translate to what is being done here. I wish the best of luck to those that are involved in this as it will take the HDD image to the next level!

Offline SuperDeadite

Re: Cracking the protection of Y2
« Reply #5 on: July 01, 2014, 10:45:55 am »
This game will happily run off HDD, in fact it recommends so.  However you must have the original key disk inserted into the drive, or it makes the ship disappear.  The check occurs during the black screen between the introduction sequence and the title screen.  If it passes the check you can then remove the disk and the game will function fine until you reset.

The protection is pure software; the game comes on standard home-written disks. The author must have come up with his own special disk mastering software, as any attempt to image my original comes out with the data intact, but always fails the protection check.

Even my original copy will fail the protection check 1 out of 20 times or so.  It is extremely sensitive.

This game came out after games such as Daimakaimura were hacked, and its creator was a coding master. The readme file contains a paragraph that basically translates to "If you are a pirate, just give up."

I think you are going to have a lot of difficulty without the help of the original creator...



Offline 98pacecar

Re: Cracking the protection of Y2
« Reply #6 on: July 01, 2014, 11:46:45 am »
Maybe it's something like data written to a track outside of the normal 77-78. Have you ever had it read by a kryoflux or something similar to see what it turns up?

Offline SuperDeadite

Re: Cracking the protection of Y2
« Reply #7 on: July 01, 2014, 11:53:30 am »
According to every X68k disk utility I've ever used, it's a standard 2HD format. I do not have a Kryoflux, too expensive. I'd be happy to try one if someone wants to mail me one though.

Offline eidis

Re: Cracking the protection of Y2
« Reply #8 on: July 01, 2014, 04:24:13 pm »
 Hi SuperDeadite !

 Glad to see you back ! The standard 2HD floppy disk format, which we are used to, has 8 sectors. Here is the list of formats supported by the 9sc driver.

0 - 2HS      (9sec/trk 1440k)
1 - 2HD      (8sec/trk 1232k) Standard X68000 format
2 - 2HDE     (9sec/trk 1440k)
3 - 2HC      (15sec/trk 1200k)
4 - 2HT       (1599k)
5 - 2DD/9    (9sec/trk 720k)
6 - 2DD/8    (8sec/trk 640k)
B - 2HQ       (18sec/trk 1440k) IBM 1.44MB 2HD format
Z - 2HDE98  (FDISK.SYS v0.98 compatible)
7 - Initialize FAT
8 - Initialize IPL

As you can see, there are plenty to choose from. Most of the disk's tracks can have the standard 8 sectors, but one track can have 9 or more. Sector sizes could differ too. There are plenty of possible scenarios. It could be that the floppy disk is partially formatted in more than one format.

Keep the scene alive !
Eidis
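An added example, not from the thread, for the hypothesis above that one track of the key disk may carry an odd sector count or an odd sector size: a Python script that walks a track-level disk image and reports every track whose layout differs from the standard X68000 2HD geometry of 8 sectors of 1024 bytes per track (77 cylinders, 2 heads, 1232 KB). The flat .XDF/.DIM dumps most people have cannot show this, because they store only the sectors the formatter expects, so the script reads the D88 container, which keeps each sector's own C/H/R/N header and a per-track sector count. Assumptions: D88 is my choice here (XM6 loads it; the thread never names a container), and the image the script builds for itself is constructed test data, not a dump of Y2. Run it on a real image with `python d88scan.py disk.d88`.

```python
"""Report tracks in a D88 image that deviate from the X68000 2HD layout (added example)."""
import struct
import sys

# D88 layout: 0x2B0-byte header; at 0x20 a table of 164 little-endian
# 32-bit track offsets (0 = track absent); each sector is a 16-byte
# header (C, H, R, N, sectors-in-track, density, deleted, status,
# 5 reserved, data size) followed by the sector data.
HEADER_SIZE = 0x2B0
TRACK_TABLE_OFF = 0x20
MAX_TRACKS = 164
SECTOR_HDR = struct.Struct("<BBBBHBBB5xH")
STD_2HD = (8, 1024)            # sectors per track, bytes per sector


def parse_tracks(img):
    """Yield (track_index, [(C, H, R, size), ...]) for each populated track."""
    for t in range(MAX_TRACKS):
        off = struct.unpack_from("<I", img, TRACK_TABLE_OFF + 4 * t)[0]
        if off == 0:
            continue
        sectors, pos, count = [], off, None
        while count is None or len(sectors) < count:
            c, h, r, n, cnt, _dens, _del, _status, size = SECTOR_HDR.unpack_from(img, pos)
            count = cnt if count is None else count
            sectors.append((c, h, r, size))
            pos += SECTOR_HDR.size + size
            if count == 0:
                break
        yield t, sectors


def find_anomalies(img, expected=STD_2HD):
    """Return [(track, sector_count, sorted sizes)] for tracks that are not
    `expected` sectors of `expected` bytes; [] means a plain 2HD disk."""
    spt, ssize = expected
    out = []
    for t, secs in parse_tracks(img):
        sizes = tuple(sorted({s[3] for s in secs}))
        if len(secs) != spt or sizes != (ssize,):
            out.append((t, len(secs), sizes))
    return out


def build_d88(tracks, disk_type=0x20, name=b"SAMPLE"):
    """Construct a D88 image from {track_index: [(C, H, R, size), ...]}.
    disk_type 0x20 marks 2HD. Payload bytes are filler, not real data."""
    body, table = bytearray(), [0] * MAX_TRACKS
    for t, secs in sorted(tracks.items()):
        table[t] = HEADER_SIZE + len(body)
        for c, h, r, size in secs:
            n = size.bit_length() - 8           # D88 size code: 128 << N == size
            body += SECTOR_HDR.pack(c, h, r, n, len(secs), 0, 0, 0, size)
            body += bytes([r]) * size
    header = bytearray(HEADER_SIZE)
    header[0:len(name)] = name
    header[0x1B] = disk_type
    struct.pack_into("<I", header, 0x1C, HEADER_SIZE + len(body))
    for t, off in enumerate(table):
        struct.pack_into("<I", header, TRACK_TABLE_OFF + 4 * t, off)
    return bytes(header + body)


def sample_image():
    """Constructed 3-track disk: tracks 0 and 1 are standard 2HD; track 2
    (cylinder 1, head 0) has a ninth, 512-byte sector appended."""
    def std(t):
        return [(t // 2, t % 2, r, 1024) for r in range(1, 9)]
    odd = [(1, 0, r, 1024) for r in range(1, 9)] + [(1, 0, 9, 512)]
    return build_d88({0: std(0), 1: std(1), 2: odd})


if __name__ == "__main__":
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    hits = find_anomalies(img)
    if not hits:
        print("every populated track is 8 x 1024 bytes (plain 2HD)")
    for t, count, sizes in hits:
        print(f"track {t} (cyl {t // 2} head {t % 2}): {count} sectors, sizes {sizes}")
```

A hit only tells you the formatter did something unusual on that track; whether the game actually reads it is a separate question, best answered by watching the floppy accesses in the emulator at the point between the intro and the title screen that SuperDeadite describes.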

Offline kamiboy

Re: Cracking the protection of Y2
« Reply #9 on: July 01, 2014, 05:34:26 pm »
A simple check would be very easy to crack since you can just modify the code to skip it.

What I would do is hide an essential piece of the code, or several, in that sector so the game is just incomplete without it. Maybe a piece of code that modifies the game present in memory or some such.

In the case of the former anyone with basic cracking skills should be able to do it, the latter could be a pain in the ass though.

Offline eidis

Re: Cracking the protection of Y2
« Reply #10 on: July 01, 2014, 05:37:33 pm »
 Hi Kamiboy !

 No pain, no gain !

Quote
In the case of the former anyone with basic cracking skills should be able to do it, the latter could be a pain in the ass though.

Let's find out ;)

Keep the scene alive !
Eidis
« Last Edit: July 01, 2014, 07:02:57 pm by eidis »

Offline kamiboy

Re: Cracking the protection of Y2
« Reply #11 on: July 01, 2014, 09:34:49 pm »
If I knew a local coding master who could show me the ropes I am sure I could eventually reach a level where contribution might be a possibility, alas...

As I mentioned, I tried to look at the debug function of XM6; it was a very humbling experience. It took all of a few seconds for me to realize that I had no bloody idea what the deuce I was doing.

You may as well have handed a hyper Rubik's cube to a brain-damaged chimp.

Offline eidis

Re: Cracking the protection of Y2
« Reply #12 on: July 01, 2014, 10:05:08 pm »
 Hi Kamiboy !

 Brains tend to self repair and self upgrade. Let's search for answers and sooner or later we will find them.

Keep the scene alive !
Eidis

Offline SuperDeadite

Re: Cracking the protection of Y2
« Reply #13 on: July 01, 2014, 10:16:42 pm »
I know nothing of coding myself, but if someone has an idea where to look, I can run the disk through a hex editor and take screen pics...   As I stated already the check only happens between the intro and the title screen, once it passes it never checks again.

From my understanding the Kryoflux in raw mode dumps all data as pure WAV files. If someone can send me one of these I should be able to reproduce the original; it won't affect the copy check, but it will allow more people access to the game and to mess around at least....

One other hint: Delicious was only able to get past the protection using the B disk. However, both disks have the key on them. The manual clearly states you can use either when launching off HDD, and I can confirm both work. I typically launch with the A disk. Since the check always occurs at the same spot, checking the code at that point on both disks might be useful....

Offline vampirefrog

Re: Cracking the protection of Y2
« Reply #14 on: July 08, 2014, 08:17:49 pm »
Is the protection the reason I can't run it in XM6 TypeG? I can start the game, but no ship. My suggestion is to compile XM6 with floppy access logging, and see what the game accesses.

Offline eidis

Re: Cracking the protection of Y2
« Reply #15 on: July 08, 2014, 09:23:04 pm »
 Hi Vampirefrog !

 That is correct. The ship is not drawn due to the protection. The game tries to access the floppy disk right before the main menu is shown. You can see what happens in the attached picture.

Keep the scene alive !
Eidis

Offline vampirefrog

Re: Cracking the protection of Y2
« Reply #16 on: July 10, 2014, 03:11:03 am »
I have also taken a look at the debug windows, including the FDD window that you showed me, however I have no idea what I'm looking at.

I did find this interesting info: http://youtu.be/HjEbpMgiL7U?t=2m50s

Also, it seems that not only the ship is not drawn, it is not present at all. The homing bullets go to the middle of the left side of the screen, and the keyboard and joystick input is ignored. But I suppose that doesn't really matter.

Some clue might be provided by scanning the original floppy with kryoflux, then comparing the result with the existing img file.

Otherwise, it looks like it is necessary to disassemble the code and check the code that generates the fade, then see where that is called and what is called after that. (Sadly I'm not good with 68000 disassembly, only a bit of intel).

Also, I haven't managed to use the debugger functions of XM6, there should be a function that allows you to step and execute instructions one by one, but I haven't found it.

Offline zazi77

Re: Cracking the protection of Y2
« Reply #17 on: March 06, 2017, 02:00:36 am »
Hi, I'm new here in the forum. Nice to meet you. I would ask a favour of you: I read on this post that the only way to play Y2 is through some savestates, but the link is broken. Could you reupload it please?

Offline neko68k

Re: Cracking the protection of Y2
« Reply #18 on: March 06, 2017, 11:52:49 am »
Since we were already talking about this on Facebook I'll follow up here. This game is using self modifying code even for non-protection related stuff :( For example, it checks for the presence of some things like ZMusic and actually modifies a pointer in a really big jump table depending on what it finds :(( I haven't managed to get it to fire up in the debugger yet. I'll poke at it some more maybe. I kinda want to play it. ~shrug~

Offline X-Col

Re: Cracking the protection of Y2
« Reply #19 on: March 14, 2017, 12:20:34 am »
Quote
Since we were already talking about this on Facebook I'll follow up here. This game is using self modifying code even for non-protection related stuff :( For example, it checks for the presence of some things like ZMusic and actually modifies a pointer in a really big jump table depending on what it finds :(( I haven't managed to get it to fire up in the debugger yet. I'll poke at it some more maybe. I kinda want to play it. ~shrug~

Good luck! I hope you crack it  ;)

I would love to play this on real hardware too. Judging by Superdeadite's video, it looks like a great game!