| |
KPKilburn
Account closed
Registered: Sep 2010
Posts: 4 |
Old Electronic Arts Cracks
I wasn't a scener and wasn't very adept at cracking copy protection back in the day, but a friend and I managed to crack some of the earlier EA games -- Hard Hat Mack and One on One (there was another, but I'm not sure which one it was).
I know that the crack was simply changing a JMP in the loader program to a BRK. I came up with the idea and he executed it. Somehow, we traced through the loader program, found the part that started the game, and changed it.
When we tested it, surprisingly it worked better than we had expected. The program broke out to a READY prompt after the load and copy protection check. Just out of curiosity, we typed LIST and it showed 10 SYS 2064 (or whatever the actual number was).
We then just SAVEed the file to disk and voila! A single file with the copy protection removed.
I found a disassembly of the EA loader here:
http://c64preservation.com/files/EaLoader.txt
After reading through it, I realized that there was no way we cracked this one (we had tried on some other games - Archon comes to mind - but our method didn't work with those).
So, I'm assuming that the loader we worked on was much simpler. I got a .g64 of Hard Hat Mack and One on One and looked at the "loader" and "main loader". I can post them here or provide the G64 if anyone is interested (I'm sure everyone already has them though).
Does anyone remember the crack to these games and perhaps could explain what we did? (my friend doesn't remember). Knowing what I know now, we had to manipulate the loader file from the original disk (or a copy that happened to have the fat tracks properly written) and somehow use it to load the program. Changing the file and writing it back to the disk doesn't seem like it is what we did (because of the way the main file is stored -- as a user file that isn't visible from a directory listing).
Thanks. |
|
| |
Count Zero
Registered: Jan 2003
Posts: 1882 |
And whenever someone was able to reveal this mystery he could start helping me to remember how I did some cracks I don't remember anything about anymore. I wouldn't ask for the "how" at all even - just the "why" and "state of mind" would suffice.
/cz
|
| |
AlexC
Registered: Jan 2008
Posts: 298 |
If you would work on tape loader than I'd suspect something similar to Novaload. Since you are however talking about disk copy protection methods the one thing that comes to my mind is that you used AR or other cartridge with freeze option. Another theory would be that BRK had installed some kind of handler routine that broke the rest of copy protection scheme - otherwise BRK does nothing on standard system after reset. Haven't seen those originals you are referring so this is just a very long shot. Anyway CZ is right - sometimes the state of mind is unique that next day it completely gone and nobody remembers how it was done even with most detailed notes. |
| |
KPKilburn
Account closed
Registered: Sep 2010
Posts: 4 |
Definitely not cartridge or freeze option. I know it was simply replacing the part of the loader program that had a JMP with a BRK. The loader read in the user file (and whatever else it did -- newer versions had encryption) and then right before it ran, it simply exited. What surprised me was that a program was in memory with a BASIC line 10 SYS 2064 (or whatever the address was).
So no one kept records of how they broke various games? I've seen quite a few books and webpages on protection, but few address the specifics of certain games/programs.
Was "the scene" more about the intros to the cracks than the cracking process itself? I don't really remember seeing stand-alone demos back then, only the intros to cracked games. |
| |
Slator
Registered: Jan 2002
Posts: 273 |
I guess most crackers didn't do any notes for several possible reasons:
- you had far too many games to crack (no time for timeconsuming notes)
- you would not like to share your knowledge with competitors
- you threw everything away because you grew up :)
- you have asperger-syndrom and don't need any notes
|
| |
KPKilburn
Account closed
Registered: Sep 2010
Posts: 4 |
I guess I haven't grown up yet because I don't throw much away. :-) I'm a hoarder when it comes to documents and books. I've been in an archiving mood for the past few years -- scanning old college notes, Compute! magazines (thank god for bombjack.com -- saved me a lot of work). |
| |
Slator
Registered: Jan 2002
Posts: 273 |
I started to keep my notes some time ago, too.
It helps a lot if you look at the stuff later on and don't have to rethink everything again, like trainers, memory-positions etc. but I never had that "note down everything" symtome, maybe it would help me now :D
|
| |
Jon
Account closed
Registered: Apr 2005
Posts: 247 |
I am not a cracker or a coder or anything like that, but those EA games you mention had several utilities that would back them up (crack them). Most notable is Arts Backup, but there are several parameter copiers around that also kills the copy protection.
Is it possible to look at those parameters and see what they do to the copy protection? If it's just a simple command swap, you should be able to see this in the parameter, I assume.
I know Art's Backup is here in the DB,and I know all sorts of Fast Hackems, Renegades and Kracker Jax are too. If you don't mind doing a little research and legwork, you may be able to solve this mystery by looking at these utilities.
J |
| |
KPKilburn
Account closed
Registered: Sep 2010
Posts: 4 |
Quote: I am not a cracker or a coder or anything like that, but those EA games you mention had several utilities that would back them up (crack them). Most notable is Arts Backup, but there are several parameter copiers around that also kills the copy protection.
Is it possible to look at those parameters and see what they do to the copy protection? If it's just a simple command swap, you should be able to see this in the parameter, I assume.
I know Art's Backup is here in the DB,and I know all sorts of Fast Hackems, Renegades and Kracker Jax are too. If you don't mind doing a little research and legwork, you may be able to solve this mystery by looking at these utilities.
J
Yeah, I'll definitely check those out. Never heard of Art's Backup, but I have the Kracker Jax Trilogy I downloaded a while back. |
| |
Fungus
Registered: Sep 2002
Posts: 668 |
Strange this issue comes up... I have been working on this protection recently myself.
You did crack them with a simple brk, placed at $c26c in the second loader, which you probably wrote a short program to load it, as it has a special name on disk (45 41 22 9d).
This method only works on V1 of what I call EA Fat Tracks loader. There are 4 or 5 versions of it, and starting with V2 it does use encryption.
Interesting to note that the loader is using a crude virtual machine with pseudo code for much of it. While difficult to trace, especially on a real c64 with nothing but a monitor, it is do able.
The article you posted is interesting, he did a good job, but his mnemonics are named a bit weird, and some of the info is inaccurate, especially regarding the decryption of the entry point jmp. It also leaves out some of the stuff (see below). The version of the loader there is V4 or V5.
Something else about this loader is it leaves "bread crumbs" which most of the games use to check integrity that it has been loaded by the real disk. It's sticks values into zp, under kernal, fills mem with a certain sequence of bytes, messes with dd03, and various other things.
It is still quite easy to crack compared to later EA protections like Pirate Busters/Slayer and PRODOS.
I keep extensive notes for everything so I only have to crack a protection once, and I even code tools to autocrack that protection for me, if I find it is used several times on other games. Mostly with tape games, but certainly a few disk ones as well. |
