How to crack tape games and convert them to disk

Started by Curlypaul, 15:08, 28 November 22


Curlypaul

I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's Multiface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.

The specific method I'm trying to break has a loader written in basic, unprotected so I can just LIST it, but all I see are REM statements. Doesn't appear to be anything hidden in line 0, no obvious GOTOs jumping over invalid lines.

I've read all the relevant bits at https://www.sean.co.uk/books/amstrad/amstrad3.shtm and while interesting, they appear to be too easily defeated to be used in any games or demos that I've looked at.

What am I missing? How can I make these loaders give up their secrets?

eto

Recently I stumbled across a loader where they were tampering with the length of BASIC lines. Everything seemed to be visible, but the line that was starting the game was just not there. The length of the previous line was changed in RAM so that it was equal to the length of both lines. The relevant line then disappears from the listing, but will still be executed.
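
The length-field trick described in the post above can be checked mechanically once you know how Locomotive BASIC keeps a program in memory. What follows is an added example, not code from this thread or from any tool mentioned in it: a Python checker that walks a tokenized program both ways, by the length words as LIST does and by the line terminators as the bytes actually sit in memory, and reports any line the listing skips. The record layout and the token values (REM, CALL and the numeric-constant prefixes) are from my recollection of the CPC token table and should be treated as assumptions; the sample program is constructed, and `hide_line` only reproduces the tamper described above so the checker has something to find.

```python
import struct

# Token values from the Locomotive BASIC token table as I recall it (assumption);
# the checker's logic does not depend on which keyword a token names.
TOK_CALL = 0x83
TOK_REM = 0xC5
TOK_QUOTE_REM = 0xC0          # the ' abbreviation of REM
TOK_HEX16 = 0x1C              # prefix of a 16-bit hexadecimal constant (&hhhh), assumed
# Numeric-constant prefixes and the number of binary argument bytes that follow.
# Those bytes may be 0x00, so they must be skipped, not mistaken for a terminator.
CONST_ARG_LEN = {0x19: 1, 0x1A: 2, 0x1B: 2, 0x1C: 2, 0x1D: 2, 0x1E: 2, 0x1F: 5}


def encode_line(lineno, body):
    """One line record: 2-byte total length, 2-byte line number, body, 0x00."""
    rest = struct.pack("<H", lineno) + bytes(body) + b"\x00"
    return struct.pack("<H", len(rest) + 2) + rest


def build_program(lines):
    """Join records and append the 0x0000 length word that ends a program."""
    return b"".join(encode_line(n, b) for n, b in lines) + b"\x00\x00"


def line_end(prog, start):
    """Index of the 0x00 ending the line whose body begins at `start`, or -1.
    After REM the rest of the line is raw text, so scan straight to the 0x00."""
    i = start
    while i < len(prog):
        b = prog[i]
        if b == 0x00:
            return i
        if b in (TOK_REM, TOK_QUOTE_REM):
            return prog.find(b"\x00", i + 1)
        i += 1 + CONST_ARG_LEN.get(b, 0)   # step over binary constant arguments
    return -1


def walk_by_length(prog):
    """Follow the length words, as LIST does: [(offset, lineno, declared_len)]."""
    seen, off = [], 0
    while off + 2 <= len(prog):
        length = struct.unpack_from("<H", prog, off)[0]
        if length == 0 or off + 4 > len(prog):
            break
        seen.append((off, struct.unpack_from("<H", prog, off + 2)[0], length))
        off += length
    return seen


def walk_by_terminator(prog):
    """Ignore the length words and step terminator to terminator, which is the
    order the bytes really occupy memory: [(offset, lineno, actual_len)]."""
    seen, off = [], 0
    while off + 4 <= len(prog) and struct.unpack_from("<H", prog, off)[0] != 0:
        end = line_end(prog, off + 4)
        if end < 0:
            break
        seen.append((off, struct.unpack_from("<H", prog, off + 2)[0], end + 1 - off))
        off = end + 1
    return seen


def find_hidden_lines(prog):
    """Return (mismatches, hidden): lines whose declared length disagrees with
    their terminator, as (lineno, declared, actual), and line numbers that the
    terminator walk reaches but the LIST walk never visits."""
    declared_at = {off: length for off, _, length in walk_by_length(prog)}
    mismatches, hidden = [], []
    for off, lineno, actual in walk_by_terminator(prog):
        if off not in declared_at:
            hidden.append(lineno)
        elif declared_at[off] != actual:
            mismatches.append((lineno, declared_at[off], actual))
    return mismatches, hidden


def hide_line(prog, index):
    """Reproduce the tamper from the thread on a clean program: make record
    `index` claim the length of itself plus the record that follows it."""
    recs = walk_by_length(prog)
    off, _, length = recs[index]
    out = bytearray(prog)
    struct.pack_into("<H", out, off, length + recs[index + 1][2])
    return bytes(out)


# Constructed sample: a loader-like program whose CALL sits on line 20.
SAMPLE = build_program([
    (10, bytes([TOK_REM]) + b" loading, please wait"),
    (20, bytes([TOK_CALL, TOK_HEX16, 0x80, 0xBE])),   # CALL &BE80 (placeholder address)
    (30, bytes([TOK_REM]) + b" nothing to see here"),
])
TAMPERED = hide_line(SAMPLE, 0)   # line 10 now "covers" line 20

if __name__ == "__main__":
    for name, prog in (("clean", SAMPLE), ("tampered", TAMPERED)):
        listed = [ln for _, ln, _ in walk_by_length(prog)]
        print(name, "LIST shows", listed, "checker says", find_hidden_lines(prog))
```

On the tampered sample the LIST walk shows lines 10 and 30 only, while the terminator walk still passes through line 20, and the checker reports line 10's declared length as 36 bytes against the 27 bytes that actually precede its terminator. The terminator walk is only as good as its knowledge of which tokens carry binary arguments: variable references (the 0x02 to 0x0D range) also carry a two-byte field that can be zero, and this checker does not decode them, so extend `line_end` before trusting it on a program that uses variables. A disagreement between the two walks is the signal to look closer; whether the interpreter really executes the skipped line, as reported above, is best confirmed by stepping it in an emulator's debugger.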

roudoudou

Quote from: Curlypaul on 15:08, 28 November 22
I know there is most likely an existing crack for any game that I'd like to play, but I'd like to know how it's done for my own amusement. I also know I can use my M4's Multiface feature to create a save state, but this is for the fun of doing it more than anything else and I don't plan on sharing anything I do manage to crack.
What am I missing? How can I make these loaders give up their secrets?

The old-way cracking was most of the time brutal => Multiface or Mirage Imager, then you have a kind of snapshot, then you just have to load your snap with a simple loader.
The new-way cracking lets you trace the code at low level, step by step, then you can explain many hidden things quickly.
Which path do you choose? :P
Use RASM, the best assembler ever made :p

I will survive

Curlypaul

Ah so they'd just create software that could load the multiface dump without an actual multiface, makes sense!

I guess I choose the harder, low level path, it's going to be more interesting.

That line-length hack seems a likely candidate, I'll have a look at it, thank you.

BSC

Quote from: roudoudou on 15:42, 28 November 22
The old-way cracking was most of the time brutal => Multiface or Mirage Imager, then you have a kind of snapshot, then you just have to load your snap with a simple loader.
The new-way cracking lets you trace the code at low level, step by step, then you can explain many hidden things quickly.
Which path do you choose? :P

You forgot to mention that there also was the oldest-way cracking, when the Multiface et al. were simply not available or way too expensive. We are talking about 1985 to '87 here, and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing, and attaching a save(-to-disk) routine (and often some routine to restore AMSDOS) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex codes using SMon's built-in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D
My SID player/tracker AYAY Kaeppttn! on github
Some CPC music and experiments
Other music
More music on scenestream (former nectarine)
Some shaders

My hardware:
- 1985 Schneider CPC 464 with GT65 (later replaced by CTM), dk'tronics 64k extension, 3" and 5.25" disk drives, A/B drive switch, Multiface 2, custom Amsdos-ROM with integrated SMon, switchable 6128 ROM, reset and pause switches
- Amstrad CPC 6128 with CTM (same as above) and M4 board

10 print"This is no signature.": goto 10

Curlypaul

Quote from: BSC on 19:13, 28 November 22
You forgot to mention that there also was the oldest-way cracking, when the Multiface et al. were simply not available or way too expensive. We are talking about 1985 to '87 here, and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing, and attaching a save(-to-disk) routine (and often some routine to restore AMSDOS) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex codes using SMon's built-in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D
Amazing info thank you!

So you'd run the original loader to unpack and make sense of the actual game, makes sense, beats fully reverse engineering it all.

Curlypaul

That seems to be literally the only page on the Web about that device, and it's not in a language I understand  :( lol

Axelay

Quote from: BSC on 19:13, 28 November 22
You forgot to mention that there also was the oldest-way cracking, when the Multiface et al. were simply not available or way too expensive. We are talking about 1985 to '87 here, and even though the direction was mostly disk to tape (in the beginning) or disk to disk (later on), that process was pretty much unique to each game or type of loader or copy protection. One would analyze the loader, which was not necessarily written in BASIC, using a machine-language monitor like the awesome Super Monitor (https://cpcrulez.fr/applications_coding-supermon_cpc-1002-happy_computer.htm) in my case. This included e.g. disassembling the loader code, putting breakpoints to reverse engineer what the loader was actually doing, and attaching a save(-to-disk) routine (and often some routine to restore AMSDOS) to it so that the game code was written to tape or disk after it was loaded. Mind you, all the code I had to add was written as hex codes using SMon's built-in tools. This was the *real* way ;-) Don't know if that helps Curlypaul, though :D

Hah, I did a few games from tape to disk 'like' that. Except I was using Zedis II, and I didn't really understand what the more complicated/protected loaders were doing, because I was still learning assembly at that time. I just identified where the loader was 'done' with the loading and would display the loading screen or jump to the code, put in some save-to-disk code there instead and crossed my fingers. Sometimes it worked! But I think my brother had more success just using Transmat and Bonzo's Blitz. :laugh:

martin464

I remember being defeated by the Speedlock ones and being amazed at the code doing all these OUTs, totally confused (and defeated!). The more simple protected BASIC ones and the ones using the firmware to load a binary... find out the details and let you load the binary even if there's no AMSDOS header, return to BASIC, then save to disk. But the Speedlocks were these mysterious and alien objects. What I didn't know back then was that there was a level under the firmware and they were talking directly to it. I thought the firmware was the lowest level because it was in ROM!

CPC 464 - 212387 K31-4Z

BSC

Quote from: Axelay on 12:42, 29 November 22
I just identified where the loader was 'done' with the loading and would display the loading screen or jump to the code, put in some save-to-disk code there instead and crossed my fingers.
This is more or less exactly the kind of "reverse engineering" that I did :D 

BSC

Quote from: martin464 on 14:01, 29 November 22
I remember being defeated by the Speedlock ones and being amazed at the code doing all these OUTs, totally confused (and defeated!). The more simple protected BASIC ones and the ones using the firmware to load a binary... find out the details and let you load the binary even if there's no AMSDOS header, return to BASIC, then save to disk. But the Speedlocks were these mysterious and alien objects. What I didn't know back then was that there was a level under the firmware and they were talking directly to it. I thought the firmware was the lowest level because it was in ROM!
Speedlock was a mystery indeed. I don't remember managing to crack a lot of those, they just went over my head ..

zhulien

Lots of multiload games: you can turn the memory around so that (#c2?) and you should hear the CPC beep from BASIC when pressing the DEL key as normal, but you can't see what you type; then you run the game and it should crash just after the decoding. Or... you can press the reset button just after loading (e.g. when you hear the title music). You won't necessarily see the game, as it's in the 2nd 64KB bank, but after the reset it is still in the 2nd 64KB bank, so using Hackit or similar, save it.

Maniac

Quote from: zhulien on 21:43, 30 November 22
Lots of multiload games: you can turn the memory around so that (#c2?) and you should hear the CPC beep from BASIC when pressing the DEL key as normal, but you can't see what you type; then you run the game and it should crash just after the decoding. Or... you can press the reset button just after loading (e.g. when you hear the title music). You won't necessarily see the game, as it's in the 2nd 64KB bank, but after the reset it is still in the 2nd 64KB bank, so using Hackit or similar, save it.
Interestingly that's only supported with Hackit when using a 464/664 with a memory expansion. The facility to do this doesn't work on a 6128 or 6128+. I even checked with Siren Software when I bought one!

zhulien

I never actually tried on a 6128 or a Plus, as at that time we had a 664 and a 464 (both with 6128 ROMs though). What happens on a real 6128?

Maniac

Quote from: zhulien on 00:51, 02 December 22
I never actually tried on a 6128 or a Plus, as at that time we had a 664 and a 464 (both with 6128 ROMs though). What happens on a real 6128?
I can't remember exactly as it's been a while but effectively nothing. You can run the command but it's not functional.
