Jump to content
IGNORED

Straight cracks from Farb's ATX-Torrent


DjayBee

Recommended Posts

Here is my release of Electronic Arts titles that use the Sector skew alignment copy protection. This style of EA copy protection has three distinct memory layouts (Types) that use the same structure and the same copy protection routine data. The commands are even located on the same disk sectors in the same place. The memory location where the copy protection routine gets stored and executed is different, depending on the type.

There actually is a fourth type (sort of...) of this copy protection, those titles are the older OS (Atari 800) compatible titles. Murder On The Zinderneuf and Worms are the only titles that I know of that have this fourth type of layout. These titles have a copy protection routine that is structurally different from the other types, so I’m not sure if I’d consider this another “Type” or if I’d consider it a similar but DIFFERENT copy protection routine. These titles have been covered in Types A, B, C anyways... and these are the newer OS (Atari 130XE) compatible versions, so they are not being covered in this release.

The titles included are (12 Total)

(Type A)

Archon
M.U.L.E
Music Construction Set

(Type B)

Axis Assassin
D-Bug
Financial Cookbook
Hard Hat Mack
Pinball construction set
Seven Cities Of Gold (first edition – black disk)
Word Flyer

(Type C)

Murder On The Zinderneuf
Worms?

ALL of the titles include the ORIGINAL EA LOADING SCREEN, and load (almost) like a genuine disk including going through ALL of the copy protection routines and performing all the checks.( I have never seen cracked EA software that preserves the original loading screen). These titles defeat the double sector check and the sector skew alignment check. All titles have been tested on Altirra 2.60 emulator using an .atx “blank” that has random sector skew alignment. These titles SHOULD be able to be written to a floppy with a regular drive (Atari 1050) and played on genuine Atari hardware. Hopefully somebody can test this out, as I don’t have any genuine Atari hardware.

This will be my FINAL release of these titles, unless somebody points out some flaws that I am unaware of.

This release includes:

Cracked .atr versions.

Cracked .atx versions (with random sector skew alignment)

Unaltered .atx versions with copy protection intact

ALL MY NOTES! With complete details of about this copy protection and how it works. This includes all of the memory locations specific to the various types. All of the code and extra subroutines are listed and explained. This contains all the data and where to place it, so a person with Disk Wizard II could crack it themselves. The code is set up in such a way that it can be copy / pasted right into Disk Wizard II right from the notepad.

This crack is unusual in most ways compared to more “classic” disk cracking methods. This crack is essentially a “stealth” crack. It patches memory locations “on-the-fly” cracking the disk (in memory) each time the disk is booted. It is also unusual because only 2 bytes of the copy protection routine is actually changed on the disk itself. (a JMP command altered) Restoring this jump command will completely “un-crack” the disk and restore original function. All the other data necessary for the crack is “stow-away” on unused portions of disk sectors, and does not actually modify the copy protection routine data directly.

On most cracked software, the protection routine that checks the disk, for double sectors, bad sectors or sector skew alignment has been removed or skipped. If the check has not been removed, usually the code that interprets the results of the check is patched to allow a copied disk to boot.

This crack takes a different approach, as it does not remove the checks or patch the code that interprets the results. Instead this crack patches what sectors get read DURING the check, so that the results of the check comply with what the copy protection routine is expecting to see on a genuine disk.

This crack also does not remove or patch the copy protection data check routine. The data check routine checks the data contained in the copy protection routine and will crash if it detects any alterations. Instead of removing the data check, this crack uses timing to avoid it. The crack also “covers up its tracks” by patching alterations to the disk (in memory) BEFORE that location gets checked.

My goal in these cracks was to preserve as much of the original data as possible. I wanted it to boot just like a genuine disk with the EA loading screen and all the checks. As proud as I am about doing this, I didn’t want to “shit it up” with a crack screen or custom intro, although that might be a fun project as well.

I DID, however, add a little secret “Easter Egg” to the loading screen. I HAD to add a little something for a “signature”. If using an emulator, disable the D: patch (Disk SIO), so the disk loads at normal speed. When loading, hold down the START, SELECT, or OPTION button BEFORE the point that the EA logo turns dark blue. You’ll know when you get it. Hope everybody enjoys this release.

I might start to tackle the EA super-tracks copy protection titles next!

EA 40 sector boot skew align.zip

  • Like 13
  • Thanks 1
Link to comment
Share on other sites

My goal in these cracks was to preserve as much of the original data as possible. I wanted it to boot just like a genuine disk with the EA loading screen and all the checks. As proud as I am about doing this,

You have accomplished an important goal that made you proud of it.

That is what counts

madi

Link to comment
Share on other sites

Lol! by "easter egg" I just mean hidden feature. Not a litteral easter egg, I just thought the black background and changing color EA logo looked cool.

 

P.S. Glad that Murder On The Zinderneuf works on genuine hardware though. I'm quite sure all of these titles will work on genuine hardware.

Thanks for testing!

 

Oh I wish I had never let my ex-wife dispose of my old Atari setup...sigh. (given to Goodwill) That's one of the reasons she's an ex!

  • Like 2
Link to comment
Share on other sites

P.S. I would NOT be offended in any way if these EA cracks that I've done were to "find their way" onto any other Atari sites or ROM sites (hint hint?)

I've done them with the intent of sharing my work with the Atari 8 bit community at large. I don't have any connection to Atari sites, but I'm sure SOME of you do.

I used to do some Atari 8 bit cracking back in the 80's. I wasn't really that good. I was never famous or part of any known group and I'm pretty sure nobody outside the city I live in has heard of me.

Regardless, I spent a ton of hours on the local Atari BBS systems uploading titles on a 300 baud modem. Lol! Those were the days...

  • Like 2
Link to comment
Share on other sites

I have started work on the EA super-tracks copy protected titles.

 

I've fixed the graphic glitch on the EA logo. I still don't understand WHY there is a glitch, but it's patched now anyways.

 

I'm currently working on seting up an "easter egg" mode to alter the look of the loading screen (similar to my release of EA sector skew protected titles).

 

The next step will be to "map" the commands that I have changed to their location on the disk. This will allow me to "port" this crack to other titles that use the EA super-tracks copy protection.

 

Yes, just like the EA sector skew copy protection, the EA super-tracks copy protection has multiple memory layouts or (Types) as well.

  • Like 3
Link to comment
Share on other sites

 

You can extend this article by roughly 15 titles published by SSI which have the exact same protection - even code-wise.

Let me know if you want the list.

 

Interesting, I didn't know it used the same code. The list could be interesting as well, but be aware that SSI was fond to release the same title with multiple protections. Many SSI titles exist in something like three different variants, each one with a different protection.

Link to comment
Share on other sites

 

Interesting, I didn't know it used the same code. The list could be interesting as well, but be aware that SSI was fond to release the same title with multiple protections. Many SSI titles exist in something like three different variants, each one with a different protection.

 

Here is the list of what I found so far:

 

Battalion Commander (1985)(SSI)(US)

Battle of Antietam v1.3 (1985)(SSI)(US)(Side A)(Scenario Disk)

Colonial Conquest v1.0 (1985)(SSI)(US)

Computer Ambush v1.2 (1984)(SSI)(US)

Field of Fire v1.00 (1984)(SSI)(US)(Side A)(Game & Editor)[!]

Gettysburg - The Turning Point v1.2 (1986)(SSI)(US)(Side A)(Scenarios)

Imperium Galactum v1.0 (1984)(SSI)(US)(Side A)[p]

Imperium Galactum v1.1 (1984)(SSI)(US)(Side A)[p]

Kampfgruppe v1.0 (1985)(SSI)(US)(Side A)(Scenario)

Mech Brigade v1.0 (1985)(SSI)(US)(Side A)(Scenario)

NAM v1.0 (1985)(SSI)(US)(Side A)(Game)

Operation Market Garden v1.0 (1985)(SSI)(US)(Side A)

Panzer Grenadier (1985)(SSI)(US)(Side A)(Game)

Shiloh - Grant's Trial in the West (1987)(SSI)(US)(Side A)

Six-Gun Shootout v1.0 (1985)(SSI)(US)[!]

Warship (1986)(SSI)(US)(Side A)(Scenario Disk)

Wizard's Crown v1.0 (1986)(SSI)(US)(Disk 1 of 2 Side A)(Game Disk)

 

Air Rescue I (1984)(MicroProse Software)(US)[Chopper Rescue re-release]

Conflict in Vietnam (1986)(MicroProse Software)(US)

Crusade in Europe (1985)(MicroProse Software)(US)[!]

Decision in the Desert (1985)(MicroProse Software)(US)

F-15 Strike Eagle (1984)(MicroProse Software)(US)

Solo Flight (1983)(MicroProse Software)(US)

Top Gunner Collection (1986)(MicroProse Software)(US)(Side B)(Mig Alley Ace + Air Rescue)[!]

 

And in a similar way but with its own SIO-implementation:

Gemstone Warrior (1985)(SSI)(US)

 

Link to comment
Share on other sites

Hmmm...You are totally correct Firestorm! When you said you get a "REMOVE CARTRIDGE" message, I at first thought it could be an issue that could be solved with a translator disk. That, however, is not the case.

 

I investigated and found some copy protection code in the title screen. After pressing START (but not OPTION) there is a double sector check before loading. (this seems to be unique to Seven Cities Of Gold) This double sector check is unlike the other double sector check during the boot process (occurs before the sector skew alignment check). The code is similar to the 3rd double sector check present on EA super-tracks copy protected titles (Archon II).

 

I think that I have it figured out though. If I extend the data that gets copied into memory location $0100 during the first part of the crack, I can include a subroutine to defeat the SECOND double sector check. This subroutine could be accessed by patching the disk (somewhere?) between sectors 55-127. I've figured out which line of code to mod. It's "virtually" cracked, meaning pausing Altirra emulator and manipulating memory locations and code by hand. I've just got to locate the physical location of that code on the disk. I also need to test the memory location I'm planning on using to store the extra subroutine to make sure it's safe from being overwritten.

 

I must thank you again Firestorm for doing all this testing. I appreciate your efforts, even if it's bad news for me (your crack doesn't work...) Good news or bad, you rock! Keep up the good work!

  • Like 3
Link to comment
Share on other sites

Due to a "heads-up" from firestorm (thanks again!) I realized that Seven Cities Of Gold has a SECOND double sector check on the title screen. The check fails…the disk crashes and gives a “REMOVE CARTRIDGE” message…end of story. Sorry about that, perhaps I should test these titles a little bit more thoroughly BEFORE releasing them.

 

Anyways…This SECOND double sector check is activated when START is pressed on the title screen, before loading the game data.

I have defeated this check by adding a subroutine to memory location $0114 during the first part of the crack. This subroutine “mimics” the data that would be read during the double sector check on a genuine disk. (Luckily, I had already reduced the length of PATCH 3, so I was easily able to fit the extra subroutine in place to be copied to memory location $0114)

 

This subroutine is accessed by making a patch to SECTOR #56. The only problem is that the data in this area is ENCRYPTED. I have not really figured out the decryption routine. I know that it is more than a simple trick. It is NOT something as simple as increasing the value of all the bytes in a memory area by a certain value (ex. increase all values by $20). I have found that the manner in which the data is decrypted seems to be dependent on the memory location (different memory areas decrypt differently). It could also be dependent on which “cycle” or step of the decryption process is running when a particular byte is decrypted. (perhaps there is a repeating pattern of decryption?) If some of the encrypted data is copy / pasted to a DIFFERENT memory location (before the decryption process) the results of the decryption will be DIFFERENT in that memory location. For example, changing the value of memory location $0860 from ($38 $4A $EA) TO ($54 $07 $0F) will result in memory location $0860 being decrypted to ($4C $14 $01) - JMP - Jump to line $0114. Doing the SAME modification to memory location $084E will NOT have the same results after decryption.

 

I “got around” the encryption / decryption problem by trial and error. I made multiple patches to memory location $0860, $0861, and $0862 BEFORE the decryption and studied the results after decryption. By using a “brute force” method combined with an “educated guess” method, I was able to figure out how to patch SECTOR #56 to give me the results I needed AFTER the decryption process. This combined method was actually fairly quick. I was able to figure out the patch in under an hour. I made this task a little quicker by turning ON the disk load acceleration patch on Altirra emulator.

 

Here is my updated release of Seven Cities of Gold (first edition – black disk). Both the .atr version and the .atx version have been tested on Altirra emulator and are able to get to the game play.

 

This release contains:

 

Cracked .atr image

 

Cracked .atx image (with random sector skew)

 

Updated notes including the info about the SECOND double sector check.

 

 

I hope this works on genuine hardware (fingers crossed)

 

Seven Cities Of Gold.zip

  • Like 4
Link to comment
Share on other sites

It works!

 

Thank you Diaperboy, hope you had some fun cracking this one.

 

After more than 30 years this isn't piracy anymore just the way to protect programs on fading media.

 

I like the idea of minimal cracks preserving original programs.

 

It's pity that there is no other way of coping original disks to a brand new (just 30 years old stock) floppy's.

 

med_gallery_31396_730_1053316.jpg

 

The Seven Cities of Gold still awaits its own label

Edited by firestorm
  • Like 1
Link to comment
Share on other sites

Has anybody had trouble booting Lords Of Conquest using Altirra emulator? I have an .atx image with copy protection intact. I've also tried a couple of cracked images and they don't boot either.

It gets past the copy protection, then shows a text screen with info about the game. After a second or two, the background behind the text turns black...then it sits. I've tried pressing START, Enter, joystick buttons, etc. but nothing seems to help.

 

I'm nearly ready to tackle the EA super-tracks copy protected titles. As far as I can tell...there are only 2 memory layouts or (Types) of the EA super-tracks copy protection. Of these types, not all are created equal.

 

For example...in Archon II it is CRITICAL to re-direct the double sector reads to the correct double sector image. The read order of each double sector image (which image is read first) is also CRITICAL. The data in the double sectors is used? (it builds some code a byte at a time) At the very least, the data is checked.

 

In contrast...Racing Destruction Set can be booted (into gameplay) by re-directing every second double sector read to sector #1. The data in the double sector doesn't matter, as long as the first read doesn't match the second read. An unmodified .atr copy of RDS will boot on Altirra emulator with a cheat code at memory location $B51F writing the value $01.

  • Like 1
Link to comment
Share on other sites

To firestorm,

Glad it works...and YES I had fun with it. To me the crack is far more fun than the game itself.

 

I think it would be really cool to see some reproductions done for some titles. The EA stuff had some pretty cool packaging (kinda like a vinyl record). I don't think it would be too difficult to print boxes and disk lables...even just for personal use. I imagine finding genuine working Atari 8 bit software could be pricy depending on the title

  • Like 1
Link to comment
Share on other sites

Update regarding EA super-tracks copy protected titles!

 

I've cracked another title in that series (Mail Order Monsters). This is significant because I can use that code to crack all the other ones (that I have) in that series EXCEPT Lords Of Conquest (Lords Of Conquest uses the same code as Archon II).

 

I may not do Lords Of Conquest because I can't make it boot on Altirra emulator (tried everything I could think of) I also don't have a copy of Movie Maker to work on. I'm fairly sure that's the only title missing from that series.

 

I also have not found a copy of Copy & Paste (I think this would have EA sector skew copy protection.

 

More work tonight...can't wait!

  • Like 1
Link to comment
Share on other sites

My third batch which brings the whole close to 350 titles.

  • Original Epyx-releases of Ballblazer and Rescue on Fractalus with their load-screens
  • Dropzone
  • Catch-up with July-torrent from Farb (Adv. Intl., Broderbund, Datasoft, MicroProse, some more)
  • New publishers:
    Artworx, Atari, Cosmi, Gebelli, SSI, Main Street Publishing (re-releases), Value-U-Line (re-releases)
  • and the following educational publishers:
    Carousel, Davka, DLM, JMH, Learning Company, MECC, Milliken, Mindscape, Scarborough, Scholastic, Unicorn

Have fun

ATXcracks03.zip

Edited by DjayBee
  • Like 7
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...