I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's mutliface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.
The specific method I'm trying to break has a loader written in basic, unprotected so I can just LIST it, but all I see are REM statements. Doesn't appear to be anything hidden in line 0, no obvious GOTOs jumping over invalid lines.
I've read all the revelant bits at https://www.sean.co.uk/books/amstrad/amstrad3.shtm (https://www.sean.co.uk/books/amstrad/amstrad3.shtm) and while interesting, appear to be too easily defeated to be used in any games or demos that I've looked at.
What am I missing? How can I make these loaders give up their secrets?
Recently I stumbled across a loader, where they were tampering with the length of BASIC lines. Everything seemed to be visible but the line that was starting the game was just not there. The length of the previous line was changed in RAM, so that it was equal the length of both lines. The relevant line then disappears from the listing, but will still be executed.
Quote from: Curlypaul on 14:08, 28 November 22I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's mutliface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.
What am I missing? How can I make these loaders give up their secrets?
the oldway cracking was most of the time brutal => multiface or mirage imager then you have a kind of snapshot, then you just have to load your snap with a simple loader
the newway cracking let you trace the code at low level, step by step then you can explain many hiddent things quickly
which path do you choose? :P
Ah so they'd just create software that could load the multiface dump without an actual multiface, makes sense!
I guess I choose the harder, low level path, it's going to be more interesting.
That line length hack seems a likely candidate, I'll have a look ot it, thank you
Quote from: roudoudou on 14:42, 28 November 22Quote from: Curlypaul on 14:08, 28 November 22I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's mutliface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.
What am I missing? How can I make these loaders give up their secrets?
the oldway cracking was most of the time brutal => multiface or mirage imager then you have a kind of snapshot, then you just have to load your snap with a simple loader
the newway cracking let you trace the code at low level, step by step then you can explain many hiddent things quickly
which path do you choose? :P
You forgot to mention that there also was the oldest way cracking, when the Multiface et al was simply not available or way too expensive. We are talking about 1985 to '87 here and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy-protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing and attaching a save(-to-disk) routine (and often some routine to restore Amsdos) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex-codes using SMon's built in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D
Quote from: BSC on 18:13, 28 November 22Quote from: roudoudou on 14:42, 28 November 22Quote from: Curlypaul on 14:08, 28 November 22I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's mutliface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.
What am I missing? How can I make these loaders give up their secrets?
the oldway cracking was most of the time brutal => multiface or mirage imager then you have a kind of snapshot, then you just have to load your snap with a simple loader
the newway cracking let you trace the code at low level, step by step then you can explain many hiddent things quickly
which path do you choose? :P
You forgot to mention that there also was the oldest way cracking, when the Multiface et al was simply not available or way too expensive. We are talking about 1985 to '87 here and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy-protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing and attaching a save(-to-disk) routine (and often some routine to restore Amsdos) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex-codes using SMon's built in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D
Amazing info thank you!
So you'd run the original loader to unpack and make sense of the actual game, makes sense, beats fully reverse engineering it all
That seems to be literally the only page on the Web about that device, and it's not in a language I understand :( lol
Quote from: BSC on 18:13, 28 November 22You forgot to mention that there also was the oldest way cracking, when the Multiface et al was simply not available or way too expensive. We are talking about 1985 to '87 here and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy-protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing and attaching a save(-to-disk) routine (and often some routine to restore Amsdos) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex-codes using SMon's built in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D
Hah, I did a few games from tape to disk 'like' that. Except I was using Zedis II, and I didn't really understand what the more complicated/protected loaders were doing, because I was still learning assembly at that time. I just identified where the loader was 'done' with the loading and would display the loading screen or jump to the code, put in some save to disk code there instead and crossed my fingers. Sometimes it worked! But I think my brother had more success just using Transmat and Bonzo's Blitz. :laugh:
I remember being defeated by the speedlock ones and being amazed at the code doing all these OUTS totally confused (and defeated!). The more simple protected basic and ones using firmware to load a binary.. find out the details and let you load the binary even if no amsdos header and return to basic then save to disk. But the speedlocks were these mysterious and alien objects. what i didn't know back then was there was a level under the firmware and they were talking directly to it. i thought the firmware was the lowest level because it was in rom!
Quote from: Axelay on 11:42, 29 November 22I just identified where the loader was 'done' with the loading and would display the loading screen or jump to the code, put in some save to disk code there instead and crossed my fingers.
This is more or less exactly the kind of "reverse engineering" that I did :D
Quote from: martin464 on 13:01, 29 November 22I remember being defeated by the speedlock ones and being amazed at the code doing all these OUTS totally confused (and defeated!). The more simple protected basic and ones using firmware to load a binary.. find out the details and let you load the binary even if no amsdos header and return to basic then save to disk. But the speedlocks were these mysterious and alien objects. what i didn't know back then was there was a level under the firmware and they were talking directly to it. i thought the firmware was the lowest level because it was in rom!
Speedlock was a mystery indeed. I don't remember managing to crack a lot of those, there just went over my head ..
lots of multiload games, you can turn the memory around so that (#c2?) and you should hear the cpc beep from basic when pressing del key as normal but you can't see what you type, then you run the game and it should crash just after the decoding - or... you can press the reset button just after loading (e.g. when you hear title music) - you won't necessarily see the game - as it's in the 2nd 64kb bank - but, after the reset, it is still in the 2nd 64kb bank - so using hackit or similar, save it.
Quote from: zhulien on 20:43, 30 November 22lots of multiload games, you can turn the memory around so that (#c2?) and you should hear the cpc beep from basic when pressing del key as normal but you can't see what you type, then you run the game and it should crash just after the decoding - or... you can press the reset button just after loading (e.g. when you hear title music) - you won't necessarily see the game - as it's in the 2nd 64kb bank - but, after the reset, it is still in the 2nd 64kb bank - so using hackit or similar, save it.
Interestingly that's only supported with Hackit when using a 464/664 with a memory expansion. The facility to do this doesn't work on a 6128 or 6128+. I even checked with Siren Software when I bought one!
I never actually tried on a 6128 or a plus as at that time we had a 664 and 464 (both with 6128 roms though). What happens on a real 6128?
Quote from: zhulien on 23:51, 01 December 22I never actually tried on a 6128 or a plus as at that time we had a 664 and 464 (both with 6128 roms though). What happens on a real 6128?
I can't remember exactly as it's been a while but effectively nothing. You can run the command but it's not functional.
I'm sure you're right of course but where's the fun in that?
Maybe the unpicking and reverse engineering of the various protection protocols is just for the knowledge and understanding of how these things were done.
Don't forget, we're taking about 40 year old technology.
I'm sure also the discussion that preceded your post was just theoretical anyway. ;D
I think you're answering to a bot :)
I would be surprised a young Indian would venture in a forum dedicated to an old european 8 bit computer.
Quote from: Jean-Marie on 18:19, 30 March 23I think you're answering to a bot :)
I would be surprised a young Indian would venture in a forum dedicated to an old european 8 bit computer.
Oh man, caught out again.
I did wonder as there are so many things wrong with his post. It wasn't even ironic.
Still even if a bit, it is a semi intelligent answer. Maybe its chatgpt
Quote from: gulshan212 on 15:54, 30 March 23Hello this is Gulshan Negi
Well, it would not be ethical or legal to do so without the permission of the original creators. If you want to obtain a legitimate copy of a game or software, you can purchase it from the publisher or developer or look for legal and free alternatives.
Thanks
So you never ever used a pirate copy, right?
Quote from: gulshan212 on 15:54, 30 March 23Hello this is Gulshan Negi
Well, it would not be ethical or legal to do so without the permission of the original creators. If you want to obtain a legitimate copy of a game or software, you can purchase it from the publisher or developer or look for legal and free alternatives.
Thanks
It's great to hear that you completed your engineering in Computer Science & Engineering and are currently working as a Web & App developer. It's important to have hobbies outside of work, and it's great that you enjoy playing cricket and volleyball. Exploring new places is also a wonderful way to broaden your horizons and gain new experiences. Keep up the great work in both your personal and professional life!
And Gulshan Negi also is very engaged in a LOT of forums all through the internet. SQL Specialist, AI professional, Spokesman, python game developer ...
With such a multiexpert at cpcwiki we will see a LOT of up to date software soon. maybe even yesterday !
Quote from: Axelay on 11:42, 29 November 22But I think my brother had more success just using Transmat and Bonzo's Blitz. :laugh:
I don't know if anyone's archived them, but Colin Harris's Bonzo News newsletters for Nemesis's software had quite a bit on "here's how this protection works". There were so many different systems: some clever (Harvey Headbanger's very slow but musical block loader), some simple (I'll never forget how chuffed I was when I first worked out that a game had used
CAS WRITE instead of the standard method) and some surprisingly evil (Southern Belle: used a standard loader, but expected a tiny block of tones after the program loaded).
The 6128's bank switch / reset / restore snapshot method was a real game changer.
Quote from: scruss on 21:01, 31 March 23I don't know if anyone's archived them
I scanned and uploaded them years ago :laugh: (I do wonder if anyone has the original issues 1-7 though, I only have the condensed version of those.)
https://www.cpcwiki.eu/index.php/Bonzo_News
@pelrun someone did upload Bonzo's Scrapyard onto Archive.org. I've added links on the wiki
https://www.cpcwiki.eu/index.php/Bonzo%27s_Scrapyard#Issues (https://www.cpcwiki.eu/index.php/Bonzo's_Scrapyard#Issues)
There isn't a huge amount on getting past speedlock from searching these forums. So I've also put the Your Sinclair sections on How To Hack covering speedlock decryption here (issues 61-65 from Archive.org)
https://drive.google.com/file/d/1xit6DrgQHjPs0p1s33mzQXf7XNksvhEY/view?usp=drive_link (https://drive.google.com/file/d/1xit6DrgQHjPs0p1s33mzQXf7XNksvhEY/view?usp=drive_link)
And a translated copy of Amstrad User Magazine (Issue 4 pages 50-55) of cracking Android One. The whole magazines are worth a read btw, and they are in the same folder
https://drive.google.com/file/d/1YljxAYwm6d2XraVvUU4fAkffIZyt96QG/view?usp=drive_link (https://drive.google.com/file/d/1YljxAYwm6d2XraVvUU4fAkffIZyt96QG/view?usp=drive_link)
Here you will find guide to crack Dizzy protected with speedlock.
https://muckypaws.com/2024/01/29/speedlock-1987/
The write-
Quote from: Johnny Olsen on 10:46, 23 February 24Here you will find guide to crack Dizzy protected with speedlock.
https://muckypaws.com/2024/01/29/speedlock-1987/
This was a really interesting read, highly recommended!