Cracking the protection of Y2

Started by eidis, July 01, 2014, 01:52:58 AM


eidis

Ladies and Gentlemen,

Due to popular demand I present to you the start of cracking Y2.

Get it here:
http://nfggames.com/x68000/Uploads/Y2.Lzh

Here is what I have found out so far:

1) A user who goes by the name Delicious in Tokugawa Corporate Forums has found a way of making the ship appear on the screen.

Full story here:
http://fullmotionvideo.free.fr/phpBB3/viewtopic.php?f=2&t=773

2) I found out that the main GAME.X file is compressed with LZX and decompressed it using LHES's built-in command (highlight a compressed file and press F8 to activate).

3) The contents of the address he mentioned, #5890A, begin in GAME.X at offset #90EA.

   Original contents are:
   23 FC 00 00 42 C6 00 00 07 60

   The game changes them in memory, when launched, to this:
   23 FC 00 05 3B 26 00 04 FF C0 = MOVE.L #$00053B26, $0004FFC0

4) I was very tempted to replace the original code with 4E 71 (NOP) but it did not work, because only the 23 FC 00 part stays modified; the rest is generated by some algorithm.

The solution: Fools luck :D

I modified the first three bytes to 4E 71 02 and surprisingly the game starts, but only from pure DOS. Running it from LHES will give you a nasty error. The ship is visible and 1st level is fully playable.

However, there is a problem. The game does not allow you to continue playing if you lose a life or complete the level. The screen fades and the game gets caught in some kind of infinite loop.

I noticed that the game tries to access the floppy drive when launched. This could be linked to the protection.

Right now I am asking for your help. Please anyone who can teach me how to crack this nasty game, give some words of advice. I have the time but don't have the knowledge.

Keep the scene alive !
Eidis

Update: Sorry AnnaWu and thank you 98pacecar
X68000 personal computer is called, "X68K" or "no good good" is called, is the PC that are loved by many people today.
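As an added example, not code from this thread or from anyone posting in it, here is a small Python decoder for the handful of M68000 encodings quoted in the post above and later in the thread: NOP ($4E71), RTS ($4E75), MOVE with an immediate source, and the ORI/ANDI immediate forms that the ten GAME.X bytes re-align into once the first three are changed to 4E 71 02. It assumes the GAME.X bytes are exactly those listed above.

```python
"""Decode the M68000 byte sequences quoted in this thread (added example).

Subset supported: NOP, RTS, MOVE.B/W/L from an immediate to Dn/(An)/abs.W/abs.L,
and ORI/ANDI immediate to Dn or (An). Anything else raises ValueError.
"""
import struct

MOVE_SIZES = {1: "B", 3: "W", 2: "L"}   # bits 13-12 of a MOVE opcode
IMM_SIZES = {0: "B", 1: "W", 2: "L"}    # bits 7-6 of ORI/ANDI

def _ea(mode, reg, words, i, size):
    """Format one effective address; returns (text, index of next unread word)."""
    if mode == 0:
        return f"D{reg}", i
    if mode == 2:
        return f"(A{reg})", i
    if mode == 7 and reg == 0:                       # absolute short
        return f"${words[i]:04X}.W", i + 1
    if mode == 7 and reg == 1:                       # absolute long
        return f"${(words[i] << 16) | words[i + 1]:08X}", i + 2
    if mode == 7 and reg == 4:                       # immediate
        if size == "L":
            return f"#${(words[i] << 16) | words[i + 1]:08X}", i + 2
        if size == "W":
            return f"#${words[i]:04X}", i + 1
        return f"#${words[i] & 0xFF:02X}", i + 1    # byte immediate sits in the low byte
    raise ValueError(f"unsupported addressing mode {mode}/{reg}")

def decode(code: bytes) -> list:
    """Return one mnemonic string per instruction found in `code` (big-endian words)."""
    if len(code) % 2:
        raise ValueError("68000 code is word-aligned; got an odd number of bytes")
    words = struct.unpack(f">{len(code) // 2}H", code)
    out, i = [], 0
    while i < len(words):
        op = words[i]
        i += 1
        if op == 0x4E71:
            out.append("NOP")
        elif op == 0x4E75:
            out.append("RTS")
        elif op >> 12 in MOVE_SIZES:                  # 00ss rrr mmm MMM RRR
            size = MOVE_SIZES[op >> 12]
            src, i = _ea((op >> 3) & 7, op & 7, words, i, size)
            dst, i = _ea((op >> 6) & 7, (op >> 9) & 7, words, i, size)
            out.append(f"MOVE.{size} {src}, {dst}")
        elif op >> 8 in (0x00, 0x02):                 # ORI / ANDI #imm,<ea>
            name = "ORI" if op >> 8 == 0 else "ANDI"
            size = IMM_SIZES[(op >> 6) & 3]
            imm, i = _ea(7, 4, words, i, size)
            dst, i = _ea((op >> 3) & 7, op & 7, words, i, size)
            out.append(f"{name}.{size} {imm}, {dst}")
        else:
            raise ValueError(f"opcode ${op:04X} not handled by this decoder")
    return out

if __name__ == "__main__":
    # Bytes quoted in the post: file contents, runtime-modified contents, and the 4E 71 02 edit.
    for label, hexs in [("file", "23FC000042C600000760"),
                        ("memory", "23FC00053B260004FFC0"),
                        ("patched", "4E71020042C600000760")]:
        print(label, "->", "; ".join(decode(bytes.fromhex(hexs))))
```

The "patched" line shows why the three-byte edit still executes: the stream re-aligns into NOP followed by two byte-sized immediate operations on D0 instead of the original MOVE.L.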

sharp

I have some info not publicly available towards passing the copy protection... I couldn't figure it out though...

I will send you a PM when I find the time to get the information.

eidis

Hi Sharp !

Thank you for your generous offer.

Keep the scene alive !
Eidis

98pacecar

Quote from: eidis on July 01, 2014, 01:52:58 AM
Dear imaginary Ladies and very real Gentleman,

Slightly off topic, but I think Annawu has made it very clear that she is in fact, a lady. Is it worth risking offending her/him and losing their valuable input for a laugh??

Back on topic, this is really cool and I wish that the few cracking skills I have would translate to what is being done here. I wish the best of luck to those that are involved in this as it will take the HDD image to the next level!

SuperDeadite

This game will happily run off HDD, in fact it recommends so.  However you must have the original key disk inserted into the drive, or it makes the ship disappear.  The check occurs during the black screen between the introduction sequence and the title screen.  If it passes the check you can then remove the disk and the game will function fine until you reset.

The protection is pure software, the game comes on standard home-written disks.  The author must have come up with his own special disk mastering software, as any attempt to image my original comes out with data intact, but always fails the protection check.

Even my original copy will fail the protection check 1 out of 20 times or so.  It is extremely sensitive.

This game came out after games such as Daimakaimura were hacked, and its creator was a coding master.  The readme file contains a paragraph that basically translates to ''If you are a pirate, just give up.''

I think you are going to have a lot of difficulty without the help of the original creator...



98pacecar

Maybe it's something like data written to a track outside of the normal 77-78. Have you ever had it read by a kryoflux or something similar to see what it turns up?

SuperDeadite

According to every X68k disk utility I've ever used, it's a standard 2HD format.  I do not have a KryoFlux, too expensive.  I'd be happy to try one if someone wants to mail me one though.

eidis

Hi SuperDeadite !

Glad to see you back ! Standard 2HD floppy disk format, which we are used to, has 8 sectors. Here is the list of formats supported by the 9sc driver.

0 - 2HS     (9sec/trk 1440k)
1 - 2HD     (8sec/trk 1232k) Standard X68000 format
2 - 2HDE    (9sec/trk 1440k)
3 - 2HC     (15sec/trk 1200k)
4 - 2HT     (1599k)
5 - 2DD/9   (9sec/trk 720k)
6 - 2DD/8   (8sec/trk 640k)
B - 2HQ     (18sec/trk 1440k) IBM 1.44MB 2HD format
Z - 2HDE98  (FDISK.SYS v0.98 compatible)
7 - Initialize FAT
8 - Initialize IPL

As you can see, there are plenty to choose from. Most of the disk's tracks can have the standard 8 sectors, but one track can have 9 or more. Sector sizes could differ too. There are plenty of possible scenarios. It could be that the floppy disk is partially formatted in more than one format.

Keep the scene alive !
Eidis

kamiboy

A simple check would be very easy to crack since you can just modify the code to skip it.

What I would do is hide an essential piece of the code, or several, in that sector so the game is just incomplete without it. Maybe a piece of code that modifies the game present in memory or some such.

In the case of the former anyone with basic cracking skills should be able to do it, the latter could be a pain in the ass though.

eidis

Hi Kamiboy !

No pain, no gain !

Quote from: kamiboy
In the case of the former anyone with basic cracking skills should be able to do it, the latter could be a pain in the ass though.

Let's find out ;)

Keep the scene alive !
Eidis

kamiboy

If I knew a local coding master who could show me the ropes I am sure I could eventually reach a level where contribution might be a possibility, alas...

As I mentioned, I tried to look at the debug function of XM6, it was a very humbling experience. It took all of a few seconds for me to realize that I had no bloody idea what the deuce I was doing.

You may as well have handed a hyper Rubik's cube to a brain damaged chimp.

eidis

Hi Kamiboy !

Brains tend to self repair and self upgrade. Let's search for answers and sooner or later we will find them.

Keep the scene alive !
Eidis

SuperDeadite

I know nothing of coding myself, but if someone has an idea where to look, I can run the disk through a hex editor and take screen pics...   As I stated already, the check only happens between the intro and the title screen; once it passes it never checks again.

From my understanding the KryoFlux in raw mode dumps all data as pure wav files.  If someone can send me one of these I should be able to reproduce the original; it won't affect the copy check but it will allow more people access to the game and mess around at least....

One other hint: Delicious was only able to get past the protection using the B disk.  However both disks have the key on them.  The manual clearly states you can use either when launching off HDD, and I can confirm both work. I typically launch with the A disk.  Since the check always occurs at the same spot, checking the code at that point on both disks might be useful....

vampirefrog

Is the protection the reason I can't run it in XM6 TypeG? I can start the game, but no ship. My suggestion is to compile XM6 with floppy access logging, and see what the game accesses.

eidis

Hi Vampirefrog !

That is correct. The ship is not drawn due to the protection. The game tries to access the floppy disk right before the main menu is shown. You can see what happens in the attached picture.

Keep the scene alive !
Eidis

vampirefrog

I have also taken a look at the debug windows, including the FDD window that you showed me, however I have no idea what I'm looking at.

I did find this interesting info: http://youtu.be/HjEbpMgiL7U?t=2m50s

Also, it seems that not only the ship is not drawn, it is not present at all. The homing bullets go to the middle of the left side of the screen, and the keyboard and joystick input is ignored. But I suppose that doesn't really matter.

Some clue might be provided by scanning the original floppy with kryoflux, then comparing the result with the existing img file.

Otherwise, it looks like it is necessary to disassemble the code and check the code that generates the fade, then see where that is called and what is called after that. (Sadly I'm not good with 68000 disassembly, only a bit of Intel).

Also, I haven't managed to use the debugger functions of XM6, there should be a function that allows you to step and execute instructions one by one, but I haven't found it.

zazi77

Hi, I'm new here in the forum. Nice to meet you. I would ask a favour of you: I read in this post that the only way to play Y2 is through some savestates, but the link is broken. Could you reupload please?

neko68k

Since we were already talking about this on Facebook I'll follow up here. This game is using self modifying code even for non-protection related stuff :( For example, it checks for the presence of some things like ZMusic and actually modifies a pointer in a really big jump table depending on what it finds :(( I haven't managed to get it to fire up in the debugger yet. I'll poke at it some more maybe. I kinda want to play it. ~shrug~

X-Col

Quote from: neko68k on March 06, 2017, 11:52:49 AM
Since we were already talking about this on Facebook I'll follow up here. This game is using self modifying code even for non-protection related stuff :( For example, it checks for the presence of some things like ZMusic and actually modifies a pointer in a really big jump table depending on what it finds :(( I haven't managed to get it to fire up in the debugger yet. I'll poke at it some more maybe. I kinda want to play it. ~shrug~

Good luck! I hope you crack it  ;)

I would love to play this on real hardware too. Judging by Superdeadite's video, it looks like a great game!

X-Col

This collection contains a partial decryption of Y2 (in the X68000 new additions, modifications archive):
https://mega.nz/#F!I8QH0KZK!_mr2-XFSN3ZPogNMoEONbQ
(link originally posted by caius)

At least you can play up until you die....

dlfrsilver

Hello Guys,

One question: is the owner of this game able to send me the dump of this game in order to check what the protection looks like disk-wise?

Thank you !

The game is mostly ridden with checksums I guess, hence the programmer's message......

PS: I have noticed that neither the D88 nor the XDF format can contain any copy protection. This means that all the X68000 games in the TOSEC are cracks.

hoshikawa

FDX68 is able to record RAW flux density, perhaps the one known owner of this could be arsed to dump it. I doubt it though......


skpstmgs

Quote from: SuperDeadite on July 01, 2014, 11:53:30 AM
I do not have a KryoFlux, too expensive.  I'd be happy to try one if someone wants to mail me one though.
I don't know if his offer still stands as this is an ancient post, but maybe if somebody offered to send the hardware required to dump it?

famiac

I've offered before and no luck

UD2

Hi all,
I'm excited to announce that I've cracked Y2. As it turns out, the protection code is relatively simple, but well hidden. As far as I can tell, there are two protection checks, the first of which was defused earlier in this thread.

The first check attempts to read a nonstandard sector beyond the normal end of the disk, and validates that the read was successful (after first performing a read in a different format and verifying a specific error condition). Then, 3 longwords from the sector are checked for equality, and if all are equal, the check passes. Otherwise, a function pointer is patched so the player ship never shows up. Replacing the first instruction of this function with "RTS" stops the check from occurring and the game will start fine, but the ship will never respawn if the player dies. I'd like to note that the author made an attempt to camouflage the behavior of this function by temporarily moving the IOCS vector into TRAP #3 so the disassembler won't show any disk access calls on a quick inspection. Sneaky!

A few function calls after the first check, a graphics init routine copies a 16 color palette from work RAM to the TVRAM palette. Curiously, there is data beyond the end of the palette containing $4E75 (RTS), which made me very suspicious it might be a piece of disguised protection-related code. As it turns out, this was the missing piece required to get the ship to respawn! When the palette copy code returns, A6 points to the word immediately following the palette in work RAM, which is the start of our protection function. At the start of the next function, all the registers are pushed to the stack, but at the end, all but one are popped. This means that we end up returning not to the call-site, but to the register value left on the stack, in this case A6, the pointer to the hidden protection code. The protection code does another consistency check on the data read from the protection sector of the disk and if the check fails, patches out another location in RAM before it returns. Replacing the first instruction of this function with an RTS prevents the check/patch from occurring and the game now runs fine, with respawning working as expected.

I can't guarantee that I've caught everything, as I'm crap at shmups and couldn't get very far. That being said, it seems to run alright, and everything seemed to work fine when I let the game play itself all the way through via trace mode. If any of you find something odd, please let me know!

I've attached a patched version of GAME.X. I LZXed it to make it as close to the original release as possible.

Enjoy!
Y2_patched.zip

kamiboy

Good code sleuthing job.

X-Col

This is amazing, thank you so much!!

hoshikawa

I modified the Y2 disk image with the patched GAME.X file here, great work!
