Friday, March 19, 2021

Breaking the Disk-Based Protection on Sierra On-line Key Disk Games - The Final Word

Sierra On-line was one of the first "big-box" computer game publishers to support installing its games to a hard drive on a PC compatible.  In the beginning, a "key disk" had to be inserted in the floppy drive whenever one of its games was run.  In this article I will discuss the various ways to bypass this key disk check and explore the check itself in more detail.

History of Sierra and IBM PC-Compatible Disk Based Copy Protection

Sierra was a very early publisher of PC games.  Its first game, Adventure in Serenia was a port of its popular Hi-res Adventure #2, Wizard and the Princess.  The port was developed while the IBM PC was in development and released soon after the release of the IBM PC in August of 1981.  Even though the release was by IBM, the disk was still copy protected.  

The copy protection on early Sierra titles was pretty basic: weird sector IDs, non-standard sector sizes and the like.  At first the protection did not have to be nearly as sophisticated as on other systems, because the IBM PC was a young and fairly expensive computer.  All it had to do was break the DISKCOPY command and other copying methods that respected DOS rules.  Other early releases like Frogger, Crossfire and Ulysses and the Golden Fleece used these kinds of simple in-house protections.

Eventually Sierra began relying on commercially sold copy protection schemes, especially as it started to gravitate toward DOS-reliant releases.  At first it favored Formaster Copylock, used with Ultima II (1983 release on 160KiB disk and 1984 release on 360KiB disk), B.C.'s Quest for Tires (Sierra release), Mr. Cool, King's Quest (IBM PC booter versions only), Sierra Championship Boxing (1984 booter release), Troll's Tale and the PCjr. release of Wizard and the Princess.  However, Formaster Copylock had its issues: it did not work at first with a DMA-less PC like the PCjr. and many early Tandy 1000 models (which is why those King's Quest booter versions do not use it), and it was speed sensitive, breaking on faster 286 machines.  It was also not impossible to copy Copylock disks via software methods. 

Because Formaster Copylock did not work on DMA-less Tandy 1000s, Sierra wound up using a version of its own in-house protection for the Radio Shack/Tandy releases of B.C.'s Quest for Tires, Wizard of Id's WizType and King's Quest.  It also used this unnamed protection in a release of King's Quest which combined the PC and PCjr/Tandy versions, but only on the latter's disk.

Another disk-based copy protection on the market was Softguard's Superlok.  Where Formaster was slow to meet Sierra's needs, Superlok could not be reproduced without special hardware or an Option Board, and its protection scheme did not care about DMA or system speed.  When Sierra began using Superlok, it was at v2.3.  Sierra used Superlok for the booter King's Quest II, Donald Duck's Playground and The Black Cauldron.  Sierra also used Superlok for the DOS-based games Sierra's Championship Boxing (1985 release), Winnie the Pooh in the Hundred-Acre Wood, Mickey's Space Adventure (3.5" disk version only) and Ultima II (1985 360KiB release).  Even though these games required MS-DOS, they could not be run when their files were copied to a hard drive.

Sierra was apparently so impressed with Superlok that it used it for all its other games which implemented disk-based copy protection.  One other important feature of Superlok is that it permitted games to be copied to and from a hard disk and would call its protection check program from the floppy disk.  Thus those lucky enough to own a hard drive from 1986 onward would be able to enjoy the faster loading speed from a hard drive as opposed to a floppy drive.  

The hard drive installable games protected by Superlok are King's Quest I, II & III, Space Quest I & II, Leisure Suit Larry I, The Black Cauldron (v2.1 only), Thexder and 3-D Helicopter Simulator.  The first seven games use the AGI engine, and all of them use v2.xxx AGI interpreters.  Although Mixed Up Mother Goose and Police Quest I also use v2.xxx AGI interpreters, they may never have had copy protection applied to them.  Eventually Sierra found that Superlok was not uncrackable and that disk-based copy protection was more trouble than it was worth, and began switching to manual-based copy protection.  

Defeating Superlok - Three Methods

There are three general methods to defeat Superlok.  The first is to crack the game's .COM loader.  The second is to crack the game's true executable.  The third is to copy the Superlok track.

The way you were supposed to load an AGI game installed to a hard disk was to execute the game's .BAT batch file, created by its hard disk installation program (also a batch file).  The batch file would run the .COM loader.  When you installed the game to a hard drive, the name of this loader would be the game's name, KQ.COM, SQ.COM etc.  Sometimes it is named SIERRA.COM.  

If you did not have a hard drive, you were instructed to make a "Play Disk".  You did this with the command COPY *.* a: b:, not DISKCOPY A: B:.  If you used DISKCOPY, DOS would quit with an error message when it encountered the protected track.

The .COM file calls and executes a program called CPC.COM, a hidden file on the game's first floppy disk.  CPC.COM checked for the presence of the Superlok-formatted track, which for Sierra was always (with one known exception) track 6, side 0.  If the check passed, CPC.COM would pass the 128-byte encryption key to SIERRA.COM.  SIERRA.COM would then use the key to decrypt the file AGI, an encrypted .EXE file containing the interpreter which, once decrypted, in turn ran the game.  

A track on a 360KiB or 720KiB disk stores 4,608 data bytes.  The data on the Superlok track remained the same from game to game, from 1985's booter versions of King's Quest II to 1987's Space Quest II.  Each game would identify an offset in the track data from which to derive its key.  This 128-byte key would be XORed with the first 128 bytes of the true executable; the key is then rotated by one bit and XORed with the next 128 bytes, and so on, rotating and repeating until the executable is fully decrypted.
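The rotating-key XOR scheme just described, written out as an added example (this is not code from the article or from Sierra's loaders).  The article does not say in which direction the key rotates or whether the rotation spans the whole key, so the code assumes a 1-bit left rotation of the key treated as one 1024-bit value; the "track" and "executable" bytes are constructed sample data, not the real Superlok track.

```python
"""Round trip of the 128-byte rotating-key XOR used to scramble the AGI file."""

BLOCK = 128          # key length and block size stated in the article
TRACK_BYTES = 4608   # data bytes on one 360 KiB / 720 KiB track


def rotate_left_1bit(key: bytes) -> bytes:
    """Rotate the whole key one bit to the left (assumed direction and width)."""
    n = len(key) * 8
    v = int.from_bytes(key, "big")
    v = ((v << 1) | (v >> (n - 1))) & ((1 << n) - 1)
    return v.to_bytes(len(key), "big")


def derive_key(track: bytes, offset: int) -> bytes:
    """Each game names an offset into the track data; the key is the 128 bytes from there."""
    if offset < 0 or offset + BLOCK > len(track):
        raise ValueError("offset does not leave 128 bytes of track data")
    return track[offset:offset + BLOCK]


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR each 128-byte block with the key, rotating the key after every block.

    XOR is its own inverse, so the same routine encrypts and decrypts; a short
    final block is simply XORed with the first bytes of the current key.
    """
    out = bytearray()
    k = key
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out.extend(b ^ kb for b, kb in zip(block, k))
        k = rotate_left_1bit(k)
    return bytes(out)


# Constructed sample data (not a real Superlok track or a real AGI file).
SAMPLE_TRACK = bytes((i * 37 + 11) & 0xFF for i in range(TRACK_BYTES))
SAMPLE_EXE = b"MZ" + bytes(range(256)) + b"tail"   # 262 bytes, not a multiple of 128


def round_trip(offset: int = 0x200) -> bool:
    """Scramble the sample executable with a key from the given offset and recover it."""
    key = derive_key(SAMPLE_TRACK, offset)
    encrypted = xor_stream(SAMPLE_EXE, key)
    return encrypted != SAMPLE_EXE and xor_stream(encrypted, key) == SAMPLE_EXE


if __name__ == "__main__":
    print("round trip ok:", round_trip())
```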

When Sierra began releasing budget versions of its copy protected games, usually to use up surplus manuals or boxes, it would remove the copy protection to permit easier disk duplication.  It did this by cracking the .COM loader.  Three bytes, when NOPed out, were sufficient to bypass the call to CPC.COM.  The key that decrypted the executable would be present in the cracked .COM file on the disk instead of being copied into the .COM program running in RAM.  With the key present and the call to the program that checks for the protected track no longer made, the .COM loader simply decrypts AGI.  This method was also used when Sierra introduced Collection CD-ROMs containing compilations of games of a series.  

The Sierra Unprotection Program by Anders M. Olsson was originally written in 1988-90.  It can crack any hard drive installable Sierra game with an original game disk.  It does not care which disk is used because, as explained above, the data on any Sierra Superlok disk is identical.  It can crack all protected games installed to the hard drive and it can also crack .COM files located on "Play Disks".  However, this method has the disadvantage of requiring a protected disk track to perform its cracking.  

The second method decrypts the AGI file itself permanently.  The program, published by Cold Turkey, is called AGI Disk Free Decryptor.  The program embeds the contents of the Superlok track, looks for the offset in the .COM loader and then decrypts the AGI file.  The decrypted executable is called AGI.EXE and that will be used to run the game.  The program comes in three versions, a 16-bit DOS executable for DOS and DOSBox usage, a 32-bit DOS executable intended for early Windows and a modern 32-bit Windows command line utility, so it can be run on anything.

Unfortunately, there is one oversight caused by running AGI without the .COM loader preceding it.  These games tend not to run properly on the IBM PCjr. without the .COM loader doing its thing before transferring control of the system over to AGI.  The Sierra Christmas Card Demo from 1986 has a program called CONFIG.COM which does the tasks necessary to permit the decrypted AGI file to run these games properly on a PCjr.  

One of only two known exceptions to the above rule is Space Quest: The Sarien Encounter v1.0X, the first release of any AGI game which is installable to a hard drive.  This version of Space Quest requires a PCjr. memory manager to be loaded.  If you load a standard memory manager from IBM or Microsoft, this should not be an issue.  If you load JRCONFIG, instruct the program not to make a RAM disk using the following CONFIG.SYS line: device=JRCONFIG.SYS /v32 /s0.  One of the tasks of the SIERRA.COM loaders released after this version is to set up the PCjr. memory environment to be compatible with the game.  These memory manager settings also work for the other known AGI exception, Police Quest: In Pursuit of the Death Angel v2.0A, which came with a deprotected AGI.EXE file. 

Thexder has four executables: MAIN, MAINEG, MAINJR and MAINPS.  THEXDER.COM calls the appropriate executable for the graphics hardware detected in the system.  MAIN is for CGA or Hercules, MAINEG is for EGA, MAINJR is for PCjr. and Tandy graphics, and MAINPS is for MCGA graphics.  3-D Helicopter Simulator's real executable is also called MAIN, which HELI.COM decrypts.

The third method is to use a universal protection disk.  This disk, when properly produced, can bypass the check for any game.  You need a floppy disk or floppy disk image with the Superlok protection track present.  The disk need only contain the CPC.COM program and the following files: _BC.BAT, _KQ1.BAT, _KQ2.BAT, _KQ3.BAT, _LL.BAT, _SQ.BAT, _SQ2.BAT, HELI.COM, THEXDER.COM.  These files are needed because CPC.COM is always run off a floppy disk, and AGI interpreter versions 2.4xx and above check for the game's corresponding batch file or .COM file on that floppy.  The files can be completely empty; only the file name is important.  You can use the disk for games installed from 5.25" or 3.5" disks.  If you are willing to modify an original disk, you can write all these files without taking up any additional space on the disk if they are all 0 bytes.  

This disk can also be used for running games off floppy disks.  Start by running SIERRA.COM off the game disk.  Then when the prompt asks for the ORIGINAL disk, insert the universal protection disk.  Then when the game asks for the PLAY disk, insert your game disk again and that is all that is required.  The benefit of this method is that you will see the original prompts that people saw when these games were new.

If you have a means of writing back multiple copies of a disk protected with Superlok, then you can make passable disk images of these games even if you only have a group of files.  For the first disk, copy AGI, the .COM loader, all .OVL files, HGC-FONT, LOGDIR, PICDIR, SNDDIR, VIEWDIR, OBJECT, WORDS.TOK, VOL.0 and VOL.1.  DOS will not copy over the Superlok track; it thinks those chunks are bad and not suitable for file storage.  3.5" images should be able to contain all VOL files except for King's Quest III and Space Quest II.  The second disk should have VOL.0, VOL.2, OBJECT and, for 3.5" disks, VOL.3.  The third disk, if required, should have VOL.0, VOL.3 and OBJECT.

Finally, you can use this method for making disks for Sierra's Championship Boxing (1985 release), Winnie the Pooh in the Hundred-Acre Wood, Mickey's Space Adventure (3.5" disk version only).  They are DOS games, although they cannot be run off a hard drive.  Ultima II looks for Superlok on another track and will not work with this method.

5 comments:

  1. I have really old/vague memories, but I believe Sierra had an in house disk duplicator for the Superlok stuff and that the sector contents didn't change is because they didn't pay for it (they paid once for that one copy), which is why it stayed the same for so long.

  2. Sierra had a Formaster Duplicator Series One, which implemented the original Formaster Copylock protection, and when that was no longer up to snuff, programmed the Duplicator to write the special track for Superlok. Taito also used Superlok, but the protected track contained the first portion of the executable, so protected disk tracks could not be used interchangeably.

  3. This sentence seems to end abruptly, so I wonder if there's a part of that that's missing: "If you load JRCONFIG, then you must" [sic]

    1. use this config.sys entry: device=JRCONFIG.SYS /v32 /s0 (use JRCONFIG.SYS 3.10).

  4. I've disassembled the Copylock protection in King's Quest's PC Booter version and it's really quite simple. It relies on a 512 byte sector (Cyl 6, Sector 1) with an N of 1 (256 bytes) to hide the second half of it. This sector has a bad data CRC, but it's not really relevant to the protection. First it checks that reading this sector fails with Read Data using an N of 2 (NO_DATA), then performs Read Track to access the entire 512 bytes, finally checking that the last byte of the sector @ 0x1FF is 0xF7 (this byte might have changed per title?)

    As far as DMA, it looks like they just didn't bother implementing it. The protection checks if DMA is enabled in the BIOS drive parameter table, and if it isn't, it just aborts.

    Similarly, the CPU timing sensitivity is not due to any sophisticated drive speed measurements - they simply used a LOOP to check the disk controller status, and faster CPUs effectively reduce the timeout window by looping faster. Given the sophistication of the Formaster duplication equipment, such oversights are surprising.

    I'm curious how you'd reproduce this special sector with software methods.
