
Straight cracks from Farb's ATX-Torrent


DjayBee


Right, Drelbs and Electricians are working when changing mode! I always forget to change my default setting when trying other versions where I know that game is working on PAL XL machine... ;)

Good to see that you're working on Atari Smash Hits - hope part 2 to 7 are following! :)


Good to see that you're working on Atari Smash Hits - hope part 2 to 7 are following! :)

 

Unfortunately Farb's torrent only contains an ATX for part1 and a separate disk of Hijack!.

 

If you have disks for the other parts, then please dump them or let somebody dump them.


Volume 1 is from our site. Fairly sure I had 2 and 3 but can't find the disks anymore :(

 

IIRC, only the first three volumes had a menu, you had individual disks after that.

 

As DjayBee wrote, please consider dumping the second and third volumes, they have to be out there. Clean cracks / copies are fine before we can find originals.

 

--

Atari Frog

http://www.atarimania.com


  • 1 month later...

Second batch with these publishers:

Activision, English Software, Gamestar, MicroProse and a few other disks.

Updates and additions primarily for Broderbund, Epyx and Synapse.

 

Same disclaimer as last time:

Let me know if something does not work correctly because I only do a basic "gets-in-game check".

 

ATXcracks02.zip

  • Like 13

  • 2 weeks later...

I'm looking forward to transferring these to my SIO2SD - it's always nice to have clean copies - sure there is history when it comes to cracked versions, but having both is just icing on the cake.

 

Great work, and many thanks for taking the time to do so! :D

  • Like 1

Thanks for these uploads DJ. Like others, I prefer the "as original as possible" disk.

 

On a related note, not sure if anyone has tried copying any of these back to floppy so thought I would give it a go using Aspeqt connected to a mega-speedy enhanced 1050 and 800XL via SIO2USB.

 

I tried Dimension X and Pharaoh's Curse.

Pharaoh's Curse - loads perfectly when drive set to standard mode but fails halfway through if set to speedy or mega speedy (think this is fairly usual for protected disks anyway so no worries really)

Dimension X - again loads perfectly when set to standard mode but doesn't like speedy mode. THING TO NOTE: on first attempt I had the drive write protect mode switched off and once the loading screen appeared the game decided to format the disk. Presume this is something to do with the copy protection. Copied the disk again, set the write protect to on and game loaded fine.

 

Looking forward now to finding time to copy the rest back to floppy disks.

  • Like 1

LOL on the loading screens. They ain't limited to classic computers...

 

I downloaded the No Intro N64 NTSC/JP ROMsets to my Everdrive v3 and booted Banjo Tooie and got a hacker demo with rather long winded text scroll. I downloaded BT ROMs from three sources and all displayed the effects screen. Finally loaded it in PC emulator and the cracker boot screen was non-existent. Turns out that was the one game in all of the N64 library that outright refused to work with the Everdrive v3 due to sophisticated security measures put in place by RARE, so Krikzz just dumped the cracker into the Everdrive OS patch directory.

 

Apparently someone went through great effort to crack the game, then went through even greater effort to let the world know how awesome a hacker he was by adding the loader screen complete with ticker text and dated looking (by 2000s standards) particle effects. :waving:

 

Yeah it uses some pretty crazy methods. Someone reverse engineered it into a table for emulators a while back that did not work quite right (intermittent lockups). Until years later when they realized there was a typo in the table! :lol:

 

Just thought I'd mention these nice load screens can easily be missed if hi-speed disk i/o is on in the emulator (assuming the game even manages to load). So don't forget to turn it off!

 

Edited by Shannon

I tried Dimension X and Pharaoh's Curse.

 

By intention I only remove the code related to copy protection. My primary goals are to make the program run on SIO2PC / SIO2SD and to change as little as possible related to the program's run.

 

Therefore Dimension X still tries to format the disk.

 

Since I have no mega-speedy I cannot verify the behavior of Pharaoh's Curse.

Did you try the version from the 1st or 2nd ZIP? The 2nd one should not depend on any timing, the 1st one still does a little.

  • Like 1

 

By intention I only remove the code related to copy protection. My primary goals are to make the program run on SIO2PC / SIO2SD and to change as little as possible related to the program's run.

 

Therefore Dimension X still tries to format the disk.

 

Since I have no mega-speedy I cannot verify the behavior of Pharaoh's Curse.

Did you try the version from the 1st or 2nd ZIP? The 2nd one should not depend on any timing, the 1st one still does a little.

 

Not sure which one I tried to be honest. It's not an issue. To be honest it's kind of better letting the disks load at the normal speed. I will keep you posted with regards to the rest of them as I intend over time to put most of them on floppies.


  • 1 month later...

I have personally pulled off a crack on 3 EA games within the last year. These titles DO preserve the original EA loading screen, and in fact, go through the ENTIRE copy protection routine including the double sector checks. I only have written documentation regarding M.U.L.E. Archon II was a BITCH! There were 3 separate protection routines and to top that off, there are data checks (modify the protection routine = crash the protection routine). However... when MY crack of Archon II finishes loading there is only ONE byte in memory which is different from a genuine copy.

  • Like 1

P.S. My Archon II crack involves "fooling" the protection routine into believing it got what it wanted. It involves timing to "patch in" modifications (to fool and redirect the protection routine). It also uses timing to "patch out" modifications (to fool the data checks into believing no modifications have been made). It is an overly complicated crack (could have been MUCH simpler) but DAMN is it sneaky!

Double sectors are 2 sectors with the same number. When a copy protection checks one it needs to see both sectors. This "redirect" patch lets the copy protection "see" both parts of the double sector. This tricks it into believing it's seeing a genuine disk.

  • Like 2

To DjayBee:

I've tried some of your titles. Very good work! I would be interested in seeing any kind of documentation regarding these cracks. What did you do? How did you figure it out? I'd be especially interested in documentation on New York City and Electrician, as those titles boot with strange "random" looking sector access.

  • Like 1

To DjayBee:

I've tried some of your titles. Very good work! I would be interested in seeing any kind of documentation regarding these cracks. What did you do? How did you figure it out? I'd be especially interested in documentation on New York City and Electrician, as those titles boot with strange "random" looking sector access.

 

Thanks. :)

 

Documentation will follow, I just did not have the time to go ahead with this recently.

 

Concerning NYC and Electrician I must admit that these cracks were done quite "lazy". I did not really crack them but found out that the disks have chained sectors (similar to Atari DOS, but obfuscated) and I only altered the chaining to no longer use duplicate sectors but new locations. There seems to be no real "protection" besides this chaining and the fact that they have lots of tracks with more than 18 sectors (all of these contain needed data).


As some of you probably know, the software protection on EA titles (at least on the older ones like MULE, don't remember for sure about the newer ones like ARCHON II) is in pseudo code and uses some kind of interpreter.

 

I wonder if somebody has any information about the interpreter or pseudo code used. It is not exclusive to EA, it is also used by some Synapse protections.

 

 

Concerning NYC and Electrician I must admit that these cracks were done quite "lazy". I did not really crack them but found out that the disks have chained sectors (similar to Atari DOS, but obfuscated) and I only altered the chaining to no longer use duplicate sectors but new locations. There seems to be no real "protection" besides this chaining and the fact that they have lots of tracks with more than 18 sectors (all of these contain needed data).

 

At least one version of those titles has a weak sector. That's besides the double sectors.


At least one version of those titles has a weak sector. That's besides the double sectors.

 

You are right - one should never answer just OTOH. ;)

 

Electrician has a bad CRC which is not verified.

Dimension X and NYC both have weak bits which are verified and "defeated" by my cracks.


Regarding EA copy protection, I don't really know about pseudo code. I have pretty much figured it out (and will explain in greater detail in the future). As far as I can find, there are 2 main variations of EA copy protection.

The first type reads up to sector 40 before copy protection starts. It has 1 double sector (#41) which is read TWICE. It also "randomly" checks a bunch of regular sectors before loading the game. The sector number to be read is located in a memory location. The value gets updated after the previous sector has been read. When the double sector is checked, the value is written ONCE but gets read TWICE. I inserted a subroutine that changes the sector read value to 01. This subroutine is timed to write the value (01) after the original value has been read, and after the sector has been read, but before the value gets (correctly) updated. This does not affect reading regular sectors because the "patched" value gets over-written (correctly) before being read. It does not seem to matter what sector number the second read of sector 41 gets redirected to, as long as it doesn't match the first (true) read of sector 41. *There are at least 2 variations of this type, which use different memory layouts*

The second type reads up to sector 36 before copy protection starts. This type is much more complex, but relies on the same concept to defeat it. It randomly checks 1 of a possible 18 double sectors. It then loads some game data (sometimes a random amount) then checks ALL of the double sectors in a row. It then randomly checks one of the double sectors again before deciding the disk is legit. A big difference in this protection type is that the data read during the double sector checks is CRITICAL, and must be read in the correct order. This required the "other half" of the double sectors (yes all 18 of them) to be mapped to an unused location of the disk. The first half of the double sector in the original location and the second half in a new location. Instead of patching the memory location containing the next sector to be read to 01 each time, it must be patched to the remapped "other half" of the double sector.

  • Like 1
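A small model of the disk-side behaviour described in the post above and in the earlier definition of double sectors, added here as an illustration and not code from any poster or from the games: it shows why an image that stores one payload per sector number cannot carry a double sector. The `Track` model, all function names and the sample payloads are hypothetical, and it assumes the check only needs the two reads of one sector number to return different data.

```python
from dataclasses import dataclass

SECTOR_SIZE = 128  # single-density sector size, used for the constructed payloads

@dataclass(frozen=True)
class Sector:
    number: int    # ID in the sector header
    angle: float   # position on the track as a fraction of one revolution
    data: bytes

class Track:
    """Hypothetical model: a ring of sectors and a head position. No timing, no CRC."""
    def __init__(self, sectors):
        self.sectors = list(sectors)
        self.head = 0.0

    def read(self, number):
        # The drive returns the next header with a matching ID that passes the head.
        matches = [s for s in self.sectors if s.number == number]
        if not matches:
            raise LookupError(f"sector {number} not on this track")
        # A sector sitting exactly at the head was just read: it is a full turn away.
        hit = min(matches, key=lambda s: (s.angle - self.head) % 1.0 or 1.0)
        self.head = hit.angle
        return hit.data

def build_original():
    # Constructed sample: sectors 37..54 plus a second sector that is also numbered 41.
    ring = [Sector(37 + i, (i + 0.5) / 19, bytes([37 + i]) * SECTOR_SIZE) for i in range(18)]
    ring.append(Sector(41, 18.5 / 19, b"\xaa" * SECTOR_SIZE))
    return Track(ring)

def flat_copy(track, numbers):
    """What a sector-number-indexed image keeps: exactly one payload per number."""
    image = {n: track.read(n) for n in numbers}
    return Track(Sector(n, (i + 0.5) / len(image), d) for i, (n, d) in enumerate(image.items()))

def sees_both_copies(track, number):
    """Disk-side condition from the post: two reads of one number return different data."""
    return track.read(number) != track.read(number)

if __name__ == "__main__":
    print("original, sector 41:", sees_both_copies(build_original(), 41))
    print("flat copy, sector 41:", sees_both_copies(flat_copy(build_original(), range(37, 55)), 41))
    print("original, sector 40:", sees_both_copies(build_original(), 40))
```

The flat copy keeps only whichever of the two sectors numbered 41 it happened to read, which is why preserving such disks needs an image format that records every sector on the track rather than one per number.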

Regarding EA copy protection, I don't really know about pseudo code ...

Interesting. I disassembled the whole protection and pseudo code interpreter long ago. Should have it ... somewhere. My purpose wasn't cracking, but having full details on the software requirements of the disk protection.

 

I have pretty much figured it out (and will explain in greater detail in the future). As far as I can find, there are 2 main variations of EA copy protection.

Yes. At the disk side, there are just two protections.

 

The older one, which covers the earlier titles including MULE, up to the first version of Seven Cities, is the famous EA "skew align" protection. The newer one was known as "Supertracks".

 

The first protection can be copied with the Happy. So EA discarded it and brought in a new one. Those supertracks have more than 20 good sectors; overlapped sectors, of course, but without a CRC error. And can't be copied with a Happy or similar enhancements. It requires a custom controller, something like the Bit Writer at least.

 

The variations you see, IIRC, are just at the software side. The protection checks that you are not running a custom OS (such as Omnimon) that could be used to hack the game. The earlier versions didn't consider the newer XL OS, so they are not XL/XE compatible. Don't remember if they also adjusted the timing for PAL computers.

 

 

The first type reads up to sector 40 before copy protection starts. It has 1 double sector (#41) which is read TWICE. It also "randomly" checks a bunch of regular sectors before loading the game.

That's the skew align testing. It reads physical sector #1 of random tracks, and expects the timing to be almost the same.

 

  • Like 1