
Copy protection scheme that was used for Dungeon Master on Atari ST and Amiga - bigbugbag
http://dmweb.free.fr/?q=node/210
======
kabdib
I wrote some copy protection code for a couple of game cartridges (the idea
was to prevent people from trivially copying them into RAM).

One cart protected itself with checksums, computed over time from interrupt
code, that were the key to decrypt a piece of code that did the "am I running
from RAM instead of ROM?" check. Took me two weeks to write (I had two weeks
of hanging around waiting for play testing to finish).

The software pirate who lived in my apartment complex knew I worked at Atari,
and we were chatting one day when I mentioned that I'd written that particular
cartridge. He lit up. "Yeah, that was a hard one. Took us three days to
crack."

Copy-protection can be useful, but it's definitely an asymmetric game.

~~~
rando3826
I'm sceptical that the person hacking your console lived in the same apartment
complex.

~~~
kabdib
175 Calvert Drive in Cupertino. Kind of a dump in the early 80s, probably all
condos now [checks . . . nope, still there. Yuck].

I think one of us noticed the other carrying some Atari equipment in the
parking lot, and we started chatting. Sure, a bit unlikely, but this _was_
Silly Valley. I think the guy worked for Lockheed and cracking software was a
hobby.

I kind of had this fellow in mind when I wrote the protection code. I figured
it wouldn't stand up very long, and in fact, three days was a moral victory as
far as I was concerned. I think he had as much fun with the code as I did :-)

~~~
rando3826
> Silly Valley

Fair enough. I suppose that term will stay in my head now.

------
raintrees
This brings back memories... I worked at a company that used special
duplication devices. We assisted with duplication of the game Rogue, and
secured it with the main trick of making one of the sectors on the 5 1/4
floppy (might have been sector 8 or maybe 2, I don't remember which track)
only half sized, while keeping the sector's recorded stats set to normal
sizing (in the FAT? Not sure).

During game load, the executable would get the PC drive to do some kind of
absolute positioning to read the "hidden" half sector, which would exist on
these specially created discs.

Any subsequent copies made on normal PCs and copying equipment would copy the
half sector as a normal full sector, missing the hidden part.

I remember talk about "fuzzy bits" at the time, but I cannot recall if we used
them, and whom for...

------
ekidd
Another copy-protection classic was _Spyro: Year of the Dragon_ :
[http://www.gamasutra.com/view/feature/131439/keeping_the_pir...](http://www.gamasutra.com/view/feature/131439/keeping_the_pirates_at_bay.php)

This used a multi-layered copy protection scheme. The first layers would show
a dialog and quit. Later layers got progressively more vicious:

1. They'd remove 1 out of 10 gems needed to complete a certain level.

2. They'd randomly corrupt data.

3. They'd change the UI language at runtime.

Read the post-mortem I linked above; it's really fun. The basic idea was to
require crackers to play the entire game very carefully, looking for subtle
side effects that broke game play.

Ultimately, the protection was a success: It took almost 2 months to crack the
game, resulting in a full Christmas season's worth of sales IIRC.

~~~
TillE
> a success: It took almost 2 months

This is all based on the idea that people who pirate games (or movies, etc)
are also very impatient. I'm sure that's true for a certain percentage, but I
don't know if it's that significant.

A current example is Dragon Age: Inquisition, which took a few extra weeks but
still got cracked. But the game still has a ton of issues on PC (even for
legitimate owners), so it's probably worth waiting another month or so for
patches anyway.

~~~
TeMPOraL
From the linked article:

> _Two months may not seem like a long time, but between 30 and 50 percent of
> most games ' total sales occur in that time. Approximately 50 percent of the
> total sales of Spyro 2, up to December 2000, were in the first two months.
> Even games released in the middle of the year rather than the holiday
> season, such as Eidetic's Syphon Filter, make 30 percent of their total
> sales in the first two months._

------
w0wbagger
I remember back in the day I used to crack Commodore 64 software, and some of
the best protection I remember was when code was written and executed to the
RAM in the _disk drive_, using the intelligent 1541 drive to verify the
original disk was in the drive. It was brilliant, and took me longer than any
other program to crack. It required the use of a disk memory disassembler,
really obscure stuff.

Sierra software used to use multiple encryptions of the original disk-
verification code, if I remember correctly. I feel some residual guilt about
it now, but I was 14, and honestly, I learned more 6502 assembler cracking
code than I ever did writing it. It was like a puzzle. Sorry, Oil's Well
developers.

------
zamalek
Reminds me of my run-in with Starforce 5 in my youth (when I couldn't afford
games).

It measures how many sectors there are in the rings on the disk. This number
was validated against a portion of your CD key. At the time only a specific
line of Plextor drives were able to create physical replications (this still
might be the case). The Starforce driver prevented use of drive emulation.
Removing the protection from the game (cracking it) wasn't simple, they
advertise C++ obfuscation and thus likely inlined the protection routine in
multiple places.

Two years after its launch the specific game I wanted (Track Mania Sunrise)
could still only be pirated if you owned a Plextor.

------
wpietri
Nice. If I were writing an emulator, I would naively write a virtual disk
drive that always worked. It would never occur to me that some programs would
depend on certain reads being inconsistent.

I do wonder, though, if anybody has studied the ROI of antipiracy schemes like
this. The only time I bothered to pirate software like this was when I was a
penniless kid. And it's clear from this that the crackers were willing to put
in absurd amounts of effort to break encryption; if one's opponents aren't
rational economic actors, I'd think it would be easy to spend far more on copy
protection than would ever get paid back in additional sales.

~~~
bunderbunder
I suspect (but cannot prove) that it was greater back then.

This was before the Internet was really a thing, so even after the copy
protection was cracked pirating software was still a hassle. Pirate BBSes took
some effort to discover, and often had download quota systems you'd have to
play along with. Even after that, you couldn't download a file without tying
up the phone line and if a local BBS didn't exist you'd need to pay long
distance charges, both of which risked the wrath of your parents.

So the "dedicated attackers" needed to be somewhat more dedicated, and were
therefore rather less common. You could get a lot further by just preventing
casual floppy copying, which was sometimes sufficient to discourage friends
copying a game instead of buying a copy for each of themselves.

By contrast, warez present essentially zero hassle nowadays. That dramatically
alters the equation.

~~~
bussiere
How to say that in English ...

I was very young at that time, but we exchanged a lot of pirated games at
school when we were 10 :)

We even found a way to copy the password-manual protection by copying the disk
or tuning the photocopier for the password manual printed in red.

During school recreation time we talked a lot about games and exchanged games;
there was always someone who had a cousin or an uncle.

Great time, I owe a lot to that time and those games.

I buy them now as much as I can (gog, re-editions etc ...)

I got the Atari at that time, and a lot of my friends did too. I remember that
I may have bought only one game or two with my pocket money because the package
and manual were awesome. At that time the box and manuals were what made me buy
games rather than pirate them :)

------
Ecio78
on the other hand sometimes protections are (were) lame. I remember probably
16-18 years ago "cracking" a CAD software worth thousands of dollars by just
modifying the script used for the installer: the software was using a
protection scheme based on some hard drive serial number, so that the
activation code cannot be reused on a different system. The problem (for them)
is that they implemented this in the installer too and the installer was using
some kind of simil-VB scripting for doing the check. I modified it to print
the activation code instead of just verifying it and pronto the installer
became a keygenerator :D

It was a great satisfaction..
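The flaw in the comment above is structural: if the installer verifies an activation code by recomputing it from the hard-drive serial, then the installer necessarily contains everything needed to generate codes. The added example below (my own illustration, not the CAD vendor's code) contrasts that symmetric design with a signature-based one, where the installer ships only a public key and cannot issue codes. The hardware serials, the vendor secret and the RSA parameters are all constructed; the RSA modulus is a toy (two well-known Mersenne primes, no padding) chosen so the block runs with only the standard library, and it is far too small for real use.

```python
import hashlib
import hmac

# --- Scheme A: symmetric check, the shape the installer in the comment had ---
# Constructed vendor secret. In this design it has to ship inside the installer,
# because verification is "recompute the code and compare".
VENDOR_SECRET = b"vendor-secret-shipped-in-installer"


def issue_code_symmetric(hw_serial: str, secret: bytes = VENDOR_SECRET) -> str:
    """Vendor-side generator: code = HMAC(secret, hardware serial)."""
    return hmac.new(secret, hw_serial.encode(), hashlib.sha256).hexdigest()[:20]


def verify_symmetric(hw_serial: str, code: str) -> bool:
    """Installer-side check. Note it calls the generator: whoever can read this
    function (and the secret next to it) can issue codes for any serial."""
    return hmac.compare_digest(issue_code_symmetric(hw_serial), code)


# --- Scheme B: the vendor signs the serial; the installer only verifies ---
# Toy RSA key, constructed for illustration only (about 92 bits; insecure).
P = 2147483647            # 2**31 - 1
Q = 2305843009213693951   # 2**61 - 1
N = P * Q
E = 65537                 # public exponent: ships with the installer
_D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays at the vendor


def _digest(hw_serial: str) -> int:
    """Hash the serial and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(hw_serial.encode()).digest(), "big") % N


def issue_code_signed(hw_serial: str, d: int = _D) -> str:
    """Vendor side: activation code is the RSA signature of the serial's digest."""
    return format(pow(_digest(hw_serial), d, N), "x")


def verify_signed(hw_serial: str, code: str) -> bool:
    """Installer side: needs only (E, N). Modifying this function to 'print the
    code instead of checking it' yields nothing, because it never computes one."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(hw_serial)


if __name__ == "__main__":
    serial = "HDD-SN-0001"  # constructed hardware serial
    code = issue_code_signed(serial)
    print("signed code:", code, "valid:", verify_signed(serial, code))
    print("same code, other machine:", verify_signed("HDD-SN-0002", code))
```

The design lesson is independent of the toy key size: an activation check that can be turned into a generator by editing the verifier is one that holds the generating secret, and the fix is to make the installer a verifier of signatures rather than a recomputer of codes.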

------
andsmi2
This was a fascinating read. Somewhere in the late 80s/early 90s I picked up a
floppy with a guide to cracking at a local computer store. I was then able to
crack a few games with help of turbo debugger and Norton disk editor (file
editor?) -- I mostly remember looking for int 16 (ah 02?) and then replacing
the next few lines with nop's or changing jni to jmp -- I knew little of what
I was doing but it was a blast. I was aware of certain protection that read
bad sectors on a disk but if you did an exact floppy copy you could usually
copy bad sectors -- different than this article. I do remember spending a few
days on my cousin's copy of Altered Beast and being very confused by it. I
think it decrypted the game from disk or uncompressed it from disk into memory,
so I could see the code I wanted to change in the debugger but not on the disk.
This may have led to a failed attempt at a TSR to alter the code during
runtime. I think I eventually gave up. I also remember finding bible verses
in the Caveman Ugh-lympics dump I think. Fond memories.

~~~
andsmi2
I think this or part of this is what was on that shareware disk I got at the
computer fair
[http://www.textfiles.com/piracy/CRACKING/act-13.txt](http://www.textfiles.com/piracy/CRACKING/act-13.txt)
the Buckaroo Bonzai Cracking the IBM PC sounds real familiar.

------
Kiro
> while most copy protections are defeated in a matter of hours or days by
> experimented hackers

I'm very amazed by this. How can this even be possible? Is there a standard
formula that breaks every copy protection out there?

~~~
stevekemp
Quite often these checks are just so simple and half-hearted that once you
have even a little experience they're obvious.

A most basic protection, for example, might make the user enter a serial
number to register a piece of software. If you enter the correct number then
all is OK, if you enter the wrong number a message-box might appear saying
"Sorry registration number is invalid".

Displaying that message-box almost immediately makes the cracking job 80%
simpler. Disassemble the program, look for the reference to the text-string.
Then look for a "compare + jump" that goes to that area of the code. 99% of
the time the comparison will be "Is the serial number OK?" and if you remove
the jump, or invert it ("jmpz -> jumpnz"), you're done.

If you want to read more you can find mirrors of +Fravia's documentation and
demonstration site online, which were live back in the day and introduce this
stuff, and lots more:

[http://71.6.196.237/fravia/academy.htm](http://71.6.196.237/fravia/academy.htm)

~~~
spiritplumber
Wow. I made dinner for Fravia and crew once. Basically they just showed up at
my place, and I was so honored that I raided the pantry.

~~~
stevekemp
I got into hacking/coding by virtue of wanting infinite lives for the games I
played on my ZX Spectrum. That taught me all about reverse engineering, the
R-register, copy protections and similar.

Most of Fravia's work was easily understandable, and pretty obvious, from that
background. But he really was an interesting character and I was genuinely
saddened to learn of his death.

I wish I could have met him.

------
userbinator
_In order to prevent disk copy, the games make use of "fuzzy bits", also known
as "weak bits" or "flakey bits"_

Reminds me of the "weak sector" protection used on CDs, of which there was
much technical information written on a few years ago; sadly a lot of that has
somehow disappeared, but I managed to find one explanation of that scheme:

[http://web.archive.org/web/20090603002402/http://sirdavidguy...](http://web.archive.org/web/20090603002402/http://sirdavidguy.coolfreepages.com/SafeDisc_2_Technical_Info.html)

(The explanation there is not _completely_ correct - the problem with more 0s
than 1s or vice-versa is DC bias, since the signal from the read head is
AC-coupled; here is another article that might help to explain that better:
[http://ixbtlabs.com/articles2/magia-chisel/](http://ixbtlabs.com/articles2/magia-chisel/) )

------
rnhmjoj
I have never heard of fuzzy bits. I have found this if someone else is
interested in it.
[http://www.atari-forum.com/viewtopic.php?t=9012](http://www.atari-forum.com/viewtopic.php?t=9012)

------
Karunamon
What do people use for drop-in debugging nowadays? SoftICE's original company
went away a long time ago, and last I checked, the company that bought the
code (and rebranded it something like Driver Studio) is also no more.

------
deng
I wonder: which software is the hardest to crack nowadays? As a hobby
musician, I know that Ableton Live and Cubase seem to have excellent
protection mechanisms, as this topic turns up regularly in forums. Especially
Ableton seems to be nasty, as it is often usable for many hours before the
protection kicks in. I think this is pretty clever, since it not only makes it
harder for the cracker, but the user might be more inclined to buy the
software after he has invested many hours in some music he cannot load anymore
(Disclaimer: I own Ableton Live, and it is worth every penny.)

~~~
bigbugbag
bitwig is better imho, on the single point that it doesn't lock the user to a
specific OS.

------
zak_mc_kracken
Some of the most painful games I've had to crack were those that used
obfuscated assembly (usually by xor'ing entire sections of code). This had the
annoying effect of making it impossible to put breakpoints too far ahead of
the code because assembly debuggers put breakpoints by modifying the opcodes
(usually calling an interrupt) so by the time the unrolling routine comes
along, it will decode the wrong bytes and you'll get garbage (and usually, a
nice lock up or reboot).

The only way around that was to painfully go stage by stage, which was very
time consuming.
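
The two mechanisms described in this thread, kabdib's cartridge (interrupt-time checksums used as the key that decrypts the "am I running from RAM?" check) and the XOR-obfuscated sections above that decode to garbage once a debugger has patched a breakpoint opcode into them, are the same anti-tamper idea: derive the decoding key from the bytes of the code itself, so any modification of the protected region changes the key. The added example below is my own minimal model of that idea, not code from either game; CRC-32 stands in for the interrupt checksums, the "code region", the check routine and the breakpoint offset are constructed, and 0xCC is used as the trap opcode purely as an illustration (the actual opcode is CPU-specific).

```python
import hashlib
import zlib


def checksum(region: bytes) -> int:
    """Integrity value over the protected region (CRC-32 stands in for the
    checksums the cartridge computed from interrupt code)."""
    return zlib.crc32(region) & 0xFFFFFFFF


def keystream(seed: int, length: int) -> bytes:
    """Expand the checksum into an XOR keystream of the required length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed.to_bytes(4, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(region: bytes, routine: bytes) -> bytes:
    """Build time: encrypt the sensitive routine under the region's checksum."""
    return xor(routine, keystream(checksum(region), len(routine)))


def unroll(region: bytes, blob: bytes) -> bytes:
    """Run time: recompute the checksum over the region as it is *now* and
    decode.  If the region was patched, this silently yields garbage, which is
    the 'lock up or reboot' the comment above describes."""
    return xor(blob, keystream(checksum(region), len(blob)))


# Constructed sample: pretend these are the protected code bytes and the
# sensitive check routine that lives encrypted next to them.
REGION = bytes(range(64))
ROUTINE = b"RAM-vs-ROM check"
BLOB = protect(REGION, ROUTINE)
ROUTINE_TAG = hashlib.sha256(ROUTINE).digest()[:8]


def unroll_checked(region: bytes, blob: bytes, tag: bytes = ROUTINE_TAG):
    """Variant that detects tampering instead of executing garbage: returns
    the routine only if its hash matches the stored tag, else None."""
    candidate = unroll(region, blob)
    if hashlib.sha256(candidate).digest()[:8] != tag:
        return None
    return candidate


def set_breakpoint(region: bytes, offset: int) -> bytes:
    """Model of a software breakpoint: the debugger overwrites one opcode byte
    with a trap instruction (0xCC here, as an illustration)."""
    return region[:offset] + b"\xCC" + region[offset + 1:]


if __name__ == "__main__":
    print(unroll(REGION, BLOB))                        # the routine, intact
    print(unroll(set_breakpoint(REGION, 10), BLOB))    # garbage
    print(unroll_checked(set_breakpoint(REGION, 10), BLOB))  # None
```

Two design consequences follow directly from the model: the protected region must include the decoder and the check routine's storage (otherwise a breakpoint placed outside it goes unnoticed), and the checksum has to be computed over the bytes as executed, not over a cached value, which is exactly why the cartridge kept recomputing it from interrupt context.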

------
ihenriksen
Remember that from when I was a teen, the first crack took months after the
initial release and came on like 20 disks, while the retail game was on 10
disks. Kevin R. Kachikian is the name on the patent, currently he is CTO at
Amuse Inc. according to his LinkedIn page - must be a very smart guy.

------
AlyssaRowan
Mm, it didn't take all _that_ long to crack, when I did it for fun. My patched
version of Mon had a reference search, and the code in the graphics.dat stuck
out because I was single-stepping from interesting places. That trick makes
deadlisting harder, but live debugging there's no real difference.

Side note: it kept the XBIOS/GEMDOS keyboard/mouse drivers in place, tried to
unlink a debugger and wipe the RAM - but it forgot to patch out the good old
Alt-Help "screen print" vector! So if you hide a routine in low memory, just
above the vector tables, but below where it wiped, around $200-$400 ish from
memory… <g> (Oh, and a Syncro Express would just duplicate the thing cold,
even on Express mode, but that's no fun~!)

Chaos Strikes Back was bloody difficult as a game! Wonderful work, all around,
it's a masterpiece. I bought more than one copy (and actually played Dungeon
Master _after_ CSB). I never did finish CSB!

On a similar thematic note, the later, futuristic first-person dungeon crawler
_Captive_ has much more interesting copy protection; the author (ratt) wrote
his own disk routines (internally called RATTDOS). That was a _tough_ one.
It's very Amiga-ified inside, so I wouldn't be surprised if the Atari version
shared most of the code. It has procedurally-generated levels, although I
think it may be impossible to complete after a certain point.

The Atari ST version of Sid Meier's Civilization is also well worth checking
out as a historian; it was written in C, and they left all the debugging
symbols in! Fascinating; you can see the original "nuke-happy Gandhi" bug
underflow first-hand, and the world maps were really just planar bitmaps, so
when you'd figured out how they were stored, it wasn't hard to knock up an
editor.

I also have fond memories of Wayne Smithson's _Anarchy_ and its disk's Rob
Northen exotic copy-protection's space-filling rant, although I suppose there
are only a few people who even know what I mean about that. If you can find an
original copy intact anywhere, break out a sector editor, and start reading.
The format gets harder the further on in the disk you go. :)

To the person below who had trouble with Elite II: Frontier - um, perhaps your
platform was harder? The executable we all seemed to have on the Atari was
standalone, was one $4E75 RTS away from skipping the manual protection, and
had absolutely no checksums in it at all (to my immense glee - I had lots of
fun modding it)! I'm having some fun downtime playing its recently-released
sequel Elite: Dangerous, too - but that's online, so of course I'm playing
clean! (I did test a couple of cheats during the alpha, and reported to help
the devs patch some of the most obvious gamebreakers.)

Other than online stuff, I honestly don't think they've discovered any
particularly new tricks since those days. There's a lot of lost gems that get
reinvented. The very best, newest, "anti-tamper" techniques are essentially,
just bits of obfuscated code interleaved with checksums. Underwhelming,
really. It boggles my mind that people still do that stuff - just make it
easier to buy games, and it's hard to get easier than Steam! (My opinion of
the "strong" obfuscation technique that bloats simple 32-condition IF
statements to multi-gigabyte sizes is also pretty poor, as it stands at the
moment, although the state-of-the-art could always improve.)

~~~
bigbugbag
Hey! thanks for this instructive comment.

I too had not managed to finish CSB at the time, but when it got ported to
PC[1] with a feature to record your games, it spawned a speed run competition
and I was shocked to learn that it can be defeated in less than 30 minutes,
actually best time is 00h10m37s[2].

I gave it another try and managed to beat it after a few attempts. There's much
trickery in how the dungeon is designed, with falling traps on top of others
and teleporters, but once you get your head around it and understand the
diabolical demon director, it gets better.

Then there's the custom dungeons, and Conflux is the real challenge; CSB is a
walk in the park in comparison.

[1]: [http://dmweb.free.fr/?q=node/851](http://dmweb.free.fr/?q=node/851)

[2]: [http://dmweb.free.fr/?q=node/856](http://dmweb.free.fr/?q=node/856)

~~~
AlyssaRowan
Agreed, it has a number of very interesting features in how it gets around
limitations in its own engine!

And 10 minutes? Heavens above. _Tell_ me that's tool-assisted.

~~~
bigbugbag
Yes, but in a limited way: the rules say you are allowed to load your savegame
in dmute to find the location of the necessary items that are random.

So you can start a number of games and check the location of those items until
you get one that suits you and play that game, which usually leads to
finishing the game in a few hours.

------
qwerta
Some programs had embedded graphic subroutines executed when under debugger.
It would set CRT frequencies too high and blow up the display.

~~~
shultays
Sounds like a myth. No CRT producer would allow such a case, and even if it is
true, I would expect lots of lawsuits.

~~~
AlyssaRowan
I'm not sure, but I never saw it as a trap payload.

Rather, it's something that could go wrong when overclocking, since the Xtals
were often locked to the video sync rate (my Falcon's "Nemesis" was a real
bugger for it); maybe it'd try to change into a mode that actually didn't have
the clock it was expecting!

I don't know about "blowing up", but yes, if you put a bad signal into them,
some of them might break. I had (probably still have, actually, _somewhere_ ,
albeit modified for SCART with an LM1881 and my crappy soldering!) an Atari
SC1224 RGB monitor in which you fed the horizontal and vertical sync
frequencies separately (rather than composite - hence the LM1881 being needed
to split the sync). And at one point I had a Falcon, with Nemesis, and
Videlity. The monitor did _NOT_ like it if you fed it a horizontal sync
outside the 15.6-15.8KHz range (like, say, VGA's 31468.5Hz; oops!).

The result was the big transformer in the back (line output transformer?)
heating up and whining and the caps building up voltage, the screen's black
level warming to an alarming dull green… I don't think I'd have wanted to keep
the power on another few seconds! Although it'd probably only have burnt
something out, I didn't want to break anything.

Point is, some CRTs are a bit more… _direct_ than others. I hear the vector
monitors (as used in Tempest) are particularly hairy beasts.

------
SeanDav
If all that time, effort and brainpower had rather gone into making it a
better game, they likely would have done a whole lot better in terms of reach
and ultimately, profit. However copy protection was the standard method in
those days, so one can only speculate on what might have been.

~~~
waterlesscloud
It's rated as one of the top (if not _the_ top) games of its era. It was the
all-time top seller on the Atari ST platform in question.

They did great with the resource allocations they chose to make.

~~~
shmerl
What was great about wasting any resources on copy protection instead of using
them for something actually useful for users?

~~~
zak_mc_kracken
The game selling well, in part thanks to its copy protection, is what made it
possible to finance sequels after that.

In that sense, the copy protection certainly benefited the users.

~~~
shmerl
I'm not sure how they could conclude that it was selling because of copy
protection and not because it was a good game.

The way I see it, games with DRM sell despite it, not because of it in any
way.

