How to crack tape games and convert them to disk

Started by Curlypaul, 14:08, 28 November 22


Curlypaul

I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's multiface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.

The specific method I'm trying to break has a loader written in basic, unprotected so I can just LIST it, but all I see are REM statements. Doesn't appear to be anything hidden in line 0, no obvious GOTOs jumping over invalid lines.

I've read all the relevant bits at https://www.sean.co.uk/books/amstrad/amstrad3.shtm and while interesting, they appear to be too easily defeated to be used in any games or demos that I've looked at.

What am I missing? How can I make these loaders give up their secrets?

eto

Recently I stumbled across a loader where they were tampering with the length of BASIC lines. Everything seemed to be visible, but the line that was starting the game was just not there. The length of the previous line was changed in RAM so that it was equal to the length of both lines. The relevant line then disappears from the listing, but will still be executed.
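One way to catch the length-field trick eto describes, as an added example (not code from the thread): it assumes the Locomotive BASIC in-memory line layout stated in the docstring and uses constructed ASCII bodies as stand-ins for tokenised bytes.

```python
"""Detect BASIC lines hidden by a stretched line-length word.

Assumed Locomotive BASIC in-memory layout (an assumption of this example):
per line a little-endian 2-byte length counting the whole line including
this word, a 2-byte line number, the statement bytes, a 0x00 terminator;
the program ends with a zero length word. LIST advances by the length word
but prints only up to the terminator; execution resumes right after the
terminator. A length word stretched over the next line therefore hides
that line from LIST while it still runs.
"""
import struct

def build_line(number, body):
    return struct.pack("<HH", 4 + len(body) + 1, number) + body + b"\x00"

def visible_lines(prog):
    """Lines as LIST shows them: step by the length word, print to the 0x00."""
    pos, out = 0, []
    while (length := struct.unpack_from("<H", prog, pos)[0]) != 0:
        number = struct.unpack_from("<H", prog, pos + 2)[0]
        out.append((number, prog[pos + 4:prog.index(0, pos + 4)]))
        pos += length
    return out

def executed_lines(prog):
    """Lines as the interpreter reaches them: continue after each 0x00.
    Assumes no 0x00 inside a body (true for REM/ASCII text)."""
    pos, out = 0, []
    while struct.unpack_from("<H", prog, pos)[0] != 0:
        number = struct.unpack_from("<H", prog, pos + 2)[0]
        end = prog.index(0, pos + 4)
        out.append((number, prog[pos + 4:end]))
        pos = end + 1
    return out

def find_hidden_lines(prog):
    """Lines that would run but never appear in LIST."""
    return [line for line in executed_lines(prog) if line not in visible_lines(prog)]

def stretch_length(prog, line_index, extra):
    """Reproduce the tampering: add `extra` bytes to one line's length word."""
    prog, pos = bytearray(prog), 0
    for _ in range(line_index):
        pos += struct.unpack_from("<H", prog, pos)[0]
    struct.pack_into("<H", prog, pos, struct.unpack_from("<H", prog, pos)[0] + extra)
    return bytes(prog)

# Constructed sample program; line 30 is 15 bytes long in this layout.
CLEAN = (build_line(10, b"REM LOADER") + build_line(20, b"REM NOTHING TO SEE")
         + build_line(30, b"CALL &BE80") + b"\x00\x00")
TAMPERED = stretch_length(CLEAN, 1, 15)  # line 20's length now covers line 30
```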

roudoudou

Quote from: Curlypaul on 14:08, 28 November 22
I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's multiface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.
What am I missing? How can I make these loaders give up their secrets?

The old way of cracking was most of the time brutal => multiface or mirage imager, then you have a kind of snapshot, then you just have to load your snap with a simple loader.
The new way of cracking lets you trace the code at low level, step by step, then you can explain many hidden things quickly.
Which path do you choose? :P
My pronouns are RASM and ACE

Curlypaul

Ah so they'd just create software that could load the multiface dump without an actual multiface, makes sense!

I guess I choose the harder, low level path, it's going to be more interesting.

That line length hack seems a likely candidate, I'll have a look at it, thank you.

BSC

Quote from: roudoudou on 14:42, 28 November 22
The old way of cracking was most of the time brutal => multiface or mirage imager, then you have a kind of snapshot, then you just have to load your snap with a simple loader.
The new way of cracking lets you trace the code at low level, step by step, then you can explain many hidden things quickly.
Which path do you choose? :P

You forgot to mention that there also was the oldest way of cracking, when the Multiface et al. were simply not available or way too expensive. We are talking about 1985 to '87 here, and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing and attaching a save(-to-disk) routine (and often some routine to restore Amsdos) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex codes using SMon's built-in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D
** My SID player/tracker AYAY Kaeppttn! on github **  Some CPC music and experiments ** Other music ** More music on scenestream (former nectarine) ** Some shaders ** Some Soundtrakker tunes ** Some tunes in Javascript

My hardware: ** Schneider CPC 464 with colour screen, 64k extension, 3" and 5,25 drives and more ** Amstrad CPC 6128 with M4 board, GreaseWeazle.

Curlypaul

Quote from: BSC on 18:13, 28 November 22
You forgot to mention that there also was the oldest way of cracking, when the Multiface et al. were simply not available or way too expensive. We are talking about 1985 to '87 here, and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing and attaching a save(-to-disk) routine (and often some routine to restore Amsdos) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex codes using SMon's built-in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D

Amazing info, thank you!

So you'd run the original loader to unpack and make sense of the actual game. Makes sense, beats fully reverse engineering it all.

Curlypaul

That seems to be literally the only page on the Web about that device, and it's not in a language I understand :( lol

Axelay

Quote from: BSC on 18:13, 28 November 22
You forgot to mention that there also was the oldest way of cracking, when the Multiface et al. were simply not available or way too expensive. We are talking about 1985 to '87 here, and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing and attaching a save(-to-disk) routine (and often some routine to restore Amsdos) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex codes using SMon's built-in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D

Hah, I did a few games from tape to disk 'like' that. Except I was using Zedis II, and I didn't really understand what the more complicated/protected loaders were doing, because I was still learning assembly at that time. I just identified where the loader was 'done' with the loading and would display the loading screen or jump to the code, put in some save to disk code there instead and crossed my fingers. Sometimes it worked! But I think my brother had more success just using Transmat and Bonzo's Blitz. :laugh:

martin464

I remember being defeated by the Speedlock ones and being amazed at the code doing all these OUTs, totally confused (and defeated!). The simpler protected BASIC ones and the ones using the firmware to load a binary... find out the details and they'd let you load the binary even with no AMSDOS header, return to BASIC and then save to disk. But the Speedlocks were these mysterious and alien objects. What I didn't know back then was there was a level under the firmware and they were talking directly to it. I thought the firmware was the lowest level because it was in ROM!

CPC 464 - 212387 K31-4Z

"One essential object is to choose that arrangement which shall tend to reduce to a minimum the time necessary for completing the calculation." Ada Lovelace

BSC

Quote from: Axelay on 11:42, 29 November 22
I just identified where the loader was 'done' with the loading and would display the loading screen or jump to the code, put in some save to disk code there instead and crossed my fingers.
This is more or less exactly the kind of "reverse engineering" that I did :D

BSC

Quote from: martin464 on 13:01, 29 November 22
I remember being defeated by the Speedlock ones and being amazed at the code doing all these OUTs, totally confused (and defeated!). The simpler protected BASIC ones and the ones using the firmware to load a binary... find out the details and they'd let you load the binary even with no AMSDOS header, return to BASIC and then save to disk. But the Speedlocks were these mysterious and alien objects. What I didn't know back then was there was a level under the firmware and they were talking directly to it. I thought the firmware was the lowest level because it was in ROM!
Speedlock was a mystery indeed. I don't remember managing to crack a lot of those, they just went over my head...

zhulien

Lots of multiload games: you can turn the memory around so that (#c2?) and you should hear the CPC beep from BASIC when pressing the DEL key as normal, but you can't see what you type. Then you run the game and it should crash just after the decoding. Or... you can press the reset button just after loading (e.g. when you hear the title music). You won't necessarily see the game, as it's in the 2nd 64kb bank, but after the reset it is still in the 2nd 64kb bank, so using Hackit or similar, save it.

Maniac

Quote from: zhulien on 20:43, 30 November 22
Lots of multiload games: you can turn the memory around so that (#c2?) and you should hear the CPC beep from BASIC when pressing the DEL key as normal, but you can't see what you type. Then you run the game and it should crash just after the decoding. Or... you can press the reset button just after loading (e.g. when you hear the title music). You won't necessarily see the game, as it's in the 2nd 64kb bank, but after the reset it is still in the 2nd 64kb bank, so using Hackit or similar, save it.
Interestingly that's only supported with Hackit when using a 464/664 with a memory expansion. The facility to do this doesn't work on a 6128 or 6128+. I even checked with Siren Software when I bought one!

zhulien

I never actually tried on a 6128 or a Plus, as at that time we had a 664 and 464 (both with 6128 ROMs though). What happens on a real 6128?

Maniac

Quote from: zhulien on 23:51, 01 December 22
I never actually tried on a 6128 or a Plus, as at that time we had a 664 and 464 (both with 6128 ROMs though). What happens on a real 6128?
I can't remember exactly as it's been a while but effectively nothing. You can run the command but it's not functional.

Squeekboxandj

I'm sure you're right of course but where's the fun in that?

Maybe the unpicking and reverse engineering of the various protection protocols is just for the knowledge and understanding of how these things were done.

Don't forget, we're talking about 40 year old technology.

I'm sure also the discussion that preceded your post was just theoretical anyway. ;D
CPC464 & 6128

Jean-Marie

I think you're replying to a bot :)
I would be surprised if a young Indian would venture into a forum dedicated to an old European 8-bit computer.

Squeekboxandj

Quote from: Jean-Marie on 18:19, 30 March 23
I think you're replying to a bot :)
I would be surprised if a young Indian would venture into a forum dedicated to an old European 8-bit computer.

Oh man, caught out again.

I did wonder, as there are so many things wrong with his post. It wasn't even ironic.

zhulien

Still, even if a bot, it is a semi-intelligent answer. Maybe it's ChatGPT.

GUNHED

Quote from: gulshan212 on 15:54, 30 March 23
Hello, this is Gulshan Negi.
Well, it would not be ethical or legal to do so without the permission of the original creators. If you want to obtain a legitimate copy of a game or software, you can purchase it from the publisher or developer or look for legal and free alternatives.
Thanks

So you never ever used a pirate copy, right?
http://futureos.de --> Get the revolutionary FutureOS (Update: 2023.11.30)
http://futureos.cpc-live.com/files/LambdaSpeak_RSX_by_TFM.zip --> Get the RSX-ROM for LambdaSpeak :-) (Updated: 2021.12.26)

BSC

Quote from: gulshan212 on 15:54, 30 March 23
Hello, this is Gulshan Negi.
Well, it would not be ethical or legal to do so without the permission of the original creators. If you want to obtain a legitimate copy of a game or software, you can purchase it from the publisher or developer or look for legal and free alternatives.
Thanks

It's great to hear that you completed your engineering in Computer Science & Engineering and are currently working as a Web & App developer. It's important to have hobbies outside of work, and it's great that you enjoy playing cricket and volleyball. Exploring new places is also a wonderful way to broaden your horizons and gain new experiences. Keep up the great work in both your personal and professional life!

SRS

And Gulshan Negi is also very engaged in a LOT of forums all through the internet. SQL specialist, AI professional, spokesman, Python game developer...

With such a multi-expert at cpcwiki we will see a LOT of up-to-date software soon. Maybe even yesterday!

scruss

Quote from: Axelay on 11:42, 29 November 22
But I think my brother had more success just using Transmat and Bonzo's Blitz. :laugh:

I don't know if anyone's archived them, but Colin Harris's Bonzo News newsletters for Nemesis's software had quite a bit on "here's how this protection works". There were so many different systems: some clever (Harvey Headbanger's very slow but musical block loader), some simple (I'll never forget how chuffed I was when I first worked out that a game had used CAS WRITE instead of the standard method) and some surprisingly evil (Southern Belle: used a standard loader, but expected a tiny block of tones after the program loaded).

The 6128's bank switch / reset / restore snapshot method was a real game changer.

pelrun

Quote from: scruss on 21:01, 31 March 23
I don't know if anyone's archived them

I scanned and uploaded them years ago :laugh: (I do wonder if anyone has the original issues 1-7 though, I only have the condensed version of those.)

https://www.cpcwiki.eu/index.php/Bonzo_News

darkhalf

CPC464/GT64, CPC464 Plus/CTM640, 2 x CPC6128/CTM644
