Although not as popular as its predecessor, the PlayStation 3 did almost as much to bring Blu-ray discs into the mainstream as the PlayStation 2 had done for DVDs. Every system came with a disc drive and flat screen HDTVs were also affordable by the time system sales began to pick up with the Slim revision of the console. When I picked up mine in 2010, I bought it more as a Blu-ray player than for games. I knew that at some point the console was hacked and jailbroken, but I did not want to continually switch between official firmware updates and iffy custom firmware that could end up bricking one of the only ways I had to play high definition discs. For many years I got by with ripping DVDs and Blu-rays and streaming content via the media server, but that tended to take up a lot of hard drive space and time when I could just simply run the discs I had legitimately purchased. I have as many UK DVDs than US DVDs and a fair number of UK Blu-rays. Now that the PS3 has been discontinued and the console is essentially on life support in terms of firmware updates, I finally decided to investigate what it would take to get my PS3 working as a Universal DVD and Blu-ray disc player. It turned out to be quite a journey.
Showing posts with label Copy Protection. Show all posts
Showing posts with label Copy Protection. Show all posts
Sunday, August 23, 2020
Tuesday, April 7, 2015
IBM Character Fonts
IBM used several fonts during the life of the IBM PC line and soon thereafter. Eventually the font support would be finalized into the standard VGA font, but there was quite an evolution to get there.
The first font set is found in the IBM PC BIOS, starting at address FFA6E. In PC BIOSes, whether from IBM or from another publisher like Phoenix, Award or AMI, you will always find a font beginning at this address. This address contains the dot patterns, or glyphs, for the first, basic 128 ASCII characters. The font is always in an 8x8 pattern and essentially acts like a fallback for programs using graphics modes. You could only find the glyphs for the second, extended 128 ASCII characters on the display adapters themselves.
Note the extra pixel in the diamond character in the first row. This is unique to the first IBM PC Model 5150 BIOS revision. That pixel will be gone in the PC BIOS dated 10-19-81 and every other BIOS thereafter. Note that the second 128 characters do not exist in the PC BIOS's ROM.
MDA & Hercules
MDA and Hercules-brand graphics cards share the same glyph patterns. Their text mode uses a 9x14 text cell and you were strictly limited to the 256 characters contained in the Character Generator ROM on the display adapter. If you wanted to use non-IBM characters with a basic Hercules Graphics Card, you would use the graphics mode. A Hercules Graphics Card Plus or Hercules InColor Card can redefine the characters in text mode. Here is what the demo screen looks like on an MDA or Hercules :
Interestingly, the MDA's Character Generator is an 8KB ROM chip, even though its font only takes 4KB. The other 4KB contain the two CGA fonts described in the next section. Apparently it was easier to use one ROM for both cards. The IBM Part number on the chip is 6359300 or 5788005 and the ROM is a 9264 type, so it cannot be dumped or replaced by an EPROM without a pin adapter. The Character Generator ROMs cannot be read by the system, so the glyph patterns are obtained via a ROM dump.
CGA & PCjr.
CGA text modes always use an 8x8 text cell and typically uses a thick, double-dot font. A true IBM CGA card also has a thin, single-dot font. This can be selected by bridging two solder pads just below the MC6845, but IBM did not provide a pair of pins to make this easy for end users. The thick font was suitable in 40-column mode for TVs, but the thin font shows a lot of color fringing, a.k.a. artifacts. IBM probably thought that the thin font was not such an important feature that it should be made accessible to end users. Otherwise, many users would have probably complained that the text was too difficult to read on their TVs.
This is what the standard thick font looks like :
Note that there are four characters with minor differences between the Character Generator ROM font and the BIOS font. They are listed as "8x8 different between card and BIOS" in the screenshot.
Here is the thin font, which may have been IBM's first attempt at ISO compliance :
The PCjr. fonts should be identical to the CGA fonts, but the thin font is not available.
Tandy 1000
The Tandy 1000 contains a Character Generator ROM that is mostly similar to IBM's CGA double-dot font, but there are some differences :
In the original 1000, the Character ROM is embedded in the Video Gate Array chip. After the original 1000s, the Tandy integrated the Video Gate Array and MC6845s into a large VLSI chip. This applies to the EX, SX, HX and TX. Internal to these chips is a 2K Character Generator ROM. In the above screenshot, the first 128 characters are correct because they are duplicated in the Tandy BIOS at address FFA6E. It is very difficult to extract the patterns for the second 128 characters because they are not in an accessible or dumpable ROM. Here is what the characters truly look like :
By the time of the TL and SL, Tandy was using the Tandy Video II chip and an external 16KB Character ROM with the 8x8 font and a 9x14 font that may or may not be identical to IBM and Hercules. The Video Controller in the TL and SL and their successors could emulate MDA and Hercules text and graphics.
The Tandy default text mode uses a 8x9 text cell, but usually an 8x8 text cell can be used. For most characters, the extra row is blank, but for some the ninth pixel row is a repeat of the eighth pixel row.
EGA
With the EGA, MCGA and VGA adapters, the Character Generator ROM would no longer be found on a separate ROM chip accessible only to the CRT Controller. Instead, multiple character sets would be contained in the BIOS Extension ROM (for EGA and VGA) or within the BIOS (for MCGA). As these adapters supported redefinable character sets in text mode, DOS could upload its own character set for display.
The EGA BIOS supports an 8x8 text font when displayed on 200 line monitors, an 8x14 text font when displayed on 350 line color monitors and a 9x14 text font when displayed on a monochrome 350 line monitor. The 9x14 characters are identical to the MDA characters, but many are shifted a pixel one direction or another to produce a more pleasing spacing (kerning) than MDA. The 8x14 characters are mostly identical to the 9x14 characters, but there are differences. The first 128 8x8 characters are identical to the PC BIOS and the second 128 8x8 characters are identical to the CGA thick text font. All these fonts are stored, uncompressed, in the EGA 16KB BIOS extension.
This is the EGA and VGA and (for the first 128 characters) the standard PC BIOS 8x8 text font :
Here is the EGA and VGA 8x14 text font :
And the EGA and VGA 9x14 text font :
MCGA
MCGA includes a 8x8 and an 8x16 text font. Actually, the MCGA, in addition to the standard 8x16 font, also contains four more 8x16 fonts, none of which ever obtained popularity. These may have been IBM's attempt to be ISO compliant.
This is the standard 8x16 font for MCGA and VGA :
In addition, PS/2 Model 30s with a revision 0 BIOS contained an earlier version of the 8x16 font. In this font, the zero character has a slash instead of a dot.
VGA
VGA supports the EGA 8x8, 8x14, 9x14 fonts and 8x16 and 9x16 fonts. These are all found in the VGA BIOS ROM extension, which can be 24KB-32KB. With 8x14 and 9x14 or 8x16 and 9x16, with EGA and VGA the glyphs are mostly the same and only one set is stored in the ROM unless there is a substitution for a particular glyph. The BIOS adjusts for the ninth pixel column, for most characters the column will be blank; for others, the ninth column will repeat whatever is in the eighth.
Here is the final, standard 9x16 VGA font :
DOS Code Pages
The PC was originally designed by and intended for English speaking countries. Support for other languages was a cumbersome exercise in the early days of MDA and CGA. Eventually, DOS 3.3 introduced Code Pages, which when combined with an EGA or VGA card, allowed the user to set his PC to his country's symbols. English language users would generally be content with the default DOS code page, 437, or the alternate English code page, 850. Code Page 850 is more friendly to Western European languages than 437 but loses some of the drawing characters. DOS's .CPI files would contain character sets for several code pages, each of which had character sets for 8x8, 8x14 and 8x16. EGA.CPI contains 437, 850, 852, 860, 863, 865. Here are 437 and 850 :
While the Tandy Video II chip found in the TL and SL does not support software redefinable fonts, it has support for 512 characters instead of just 256. (EGA can also support 512 characters). The first 256 are the characters in Code Page 437, the second 256 characters are those of Code Page 850. However, as Tandy 1000s after the original can be upgraded to EGA or VGA, Tandy MS-DOS 3.3 supports Code Pages in 8x8, 8x9 and 8x14 text cell sizes.
ISO.CPI contains an English-language character sets suitable for ISO-compliant fonts :
Special thanks to NewRisingSun for all his help with this blog entry.
The first font set is found in the IBM PC BIOS, starting at address FFA6E. In PC BIOSes, whether from IBM or from another publisher like Phoenix, Award or AMI, you will always find a font beginning at this address. This address contains the dot patterns, or glyphs, for the first, basic 128 ASCII characters. The font is always in an 8x8 pattern and essentially acts like a fallback for programs using graphics modes. You could only find the glyphs for the second, extended 128 ASCII characters on the display adapters themselves.
Note the extra pixel in the diamond character in the first row. This is unique to the first IBM PC Model 5150 BIOS revision. That pixel will be gone in the PC BIOS dated 10-19-81 and every other BIOS thereafter. Note that the second 128 characters do not exist in the PC BIOS's ROM.
MDA & Hercules
MDA and Hercules-brand graphics cards share the same glyph patterns. Their text mode uses a 9x14 text cell and you were strictly limited to the 256 characters contained in the Character Generator ROM on the display adapter. If you wanted to use non-IBM characters with a basic Hercules Graphics Card, you would use the graphics mode. A Hercules Graphics Card Plus or Hercules InColor Card can redefine the characters in text mode. Here is what the demo screen looks like on an MDA or Hercules :
Interestingly, the MDA's Character Generator is an 8KB ROM chip, even though its font only takes 4KB. The other 4KB contain the two CGA fonts described in the next section. Apparently it was easier to use one ROM for both cards. The IBM Part number on the chip is 6359300 or 5788005 and the ROM is a 9264 type, so it cannot be dumped or replaced by an EPROM without a pin adapter. The Character Generator ROMs cannot be read by the system, so the glyph patterns are obtained via a ROM dump.
CGA & PCjr.
CGA text modes always use an 8x8 text cell and typically uses a thick, double-dot font. A true IBM CGA card also has a thin, single-dot font. This can be selected by bridging two solder pads just below the MC6845, but IBM did not provide a pair of pins to make this easy for end users. The thick font was suitable in 40-column mode for TVs, but the thin font shows a lot of color fringing, a.k.a. artifacts. IBM probably thought that the thin font was not such an important feature that it should be made accessible to end users. Otherwise, many users would have probably complained that the text was too difficult to read on their TVs.
This is what the standard thick font looks like :
Note that there are four characters with minor differences between the Character Generator ROM font and the BIOS font. They are listed as "8x8 different between card and BIOS" in the screenshot.
Here is the thin font, which may have been IBM's first attempt at ISO compliance :
The PCjr. fonts should be identical to the CGA fonts, but the thin font is not available.
Tandy 1000
The Tandy 1000 contains a Character Generator ROM that is mostly similar to IBM's CGA double-dot font, but there are some differences :
In the original 1000, the Character ROM is embedded in the Video Gate Array chip. After the original 1000s, the Tandy integrated the Video Gate Array and MC6845s into a large VLSI chip. This applies to the EX, SX, HX and TX. Internal to these chips is a 2K Character Generator ROM. In the above screenshot, the first 128 characters are correct because they are duplicated in the Tandy BIOS at address FFA6E. It is very difficult to extract the patterns for the second 128 characters because they are not in an accessible or dumpable ROM. Here is what the characters truly look like :
By the time of the TL and SL, Tandy was using the Tandy Video II chip and an external 16KB Character ROM with the 8x8 font and a 9x14 font that may or may not be identical to IBM and Hercules. The Video Controller in the TL and SL and their successors could emulate MDA and Hercules text and graphics.
The Tandy default text mode uses a 8x9 text cell, but usually an 8x8 text cell can be used. For most characters, the extra row is blank, but for some the ninth pixel row is a repeat of the eighth pixel row.
EGA
With the EGA, MCGA and VGA adapters, the Character Generator ROM would no longer be found on a separate ROM chip accessible only to the CRT Controller. Instead, multiple character sets would be contained in the BIOS Extension ROM (for EGA and VGA) or within the BIOS (for MCGA). As these adapters supported redefinable character sets in text mode, DOS could upload its own character set for display.
The EGA BIOS supports an 8x8 text font when displayed on 200 line monitors, an 8x14 text font when displayed on 350 line color monitors and a 9x14 text font when displayed on a monochrome 350 line monitor. The 9x14 characters are identical to the MDA characters, but many are shifted a pixel one direction or another to produce a more pleasing spacing (kerning) than MDA. The 8x14 characters are mostly identical to the 9x14 characters, but there are differences. The first 128 8x8 characters are identical to the PC BIOS and the second 128 8x8 characters are identical to the CGA thick text font. All these fonts are stored, uncompressed, in the EGA 16KB BIOS extension.
This is the EGA and VGA and (for the first 128 characters) the standard PC BIOS 8x8 text font :
Here is the EGA and VGA 8x14 text font :
And the EGA and VGA 9x14 text font :
MCGA
MCGA includes a 8x8 and an 8x16 text font. Actually, the MCGA, in addition to the standard 8x16 font, also contains four more 8x16 fonts, none of which ever obtained popularity. These may have been IBM's attempt to be ISO compliant.
This is the standard 8x16 font for MCGA and VGA :
In addition, PS/2 Model 30s with a revision 0 BIOS contained an earlier version of the 8x16 font. In this font, the zero character has a slash instead of a dot.
VGA
VGA supports the EGA 8x8, 8x14, 9x14 fonts and 8x16 and 9x16 fonts. These are all found in the VGA BIOS ROM extension, which can be 24KB-32KB. With 8x14 and 9x14 or 8x16 and 9x16, with EGA and VGA the glyphs are mostly the same and only one set is stored in the ROM unless there is a substitution for a particular glyph. The BIOS adjusts for the ninth pixel column, for most characters the column will be blank; for others, the ninth column will repeat whatever is in the eighth.
Here is the final, standard 9x16 VGA font :
DOS Code Pages
The PC was originally designed by and intended for English speaking countries. Support for other languages was a cumbersome exercise in the early days of MDA and CGA. Eventually, DOS 3.3 introduced Code Pages, which when combined with an EGA or VGA card, allowed the user to set his PC to his country's symbols. English language users would generally be content with the default DOS code page, 437, or the alternate English code page, 850. Code Page 850 is more friendly to Western European languages than 437 but loses some of the drawing characters. DOS's .CPI files would contain character sets for several code pages, each of which had character sets for 8x8, 8x14 and 8x16. EGA.CPI contains 437, 850, 852, 860, 863, 865. Here are 437 and 850 :
While the Tandy Video II chip found in the TL and SL does not support software redefinable fonts, it has support for 512 characters instead of just 256. (EGA can also support 512 characters). The first 256 are the characters in Code Page 437, the second 256 characters are those of Code Page 850. However, as Tandy 1000s after the original can be upgraded to EGA or VGA, Tandy MS-DOS 3.3 supports Code Pages in 8x8, 8x9 and 8x14 text cell sizes.
ISO.CPI contains an English-language character sets suitable for ISO-compliant fonts :
Special thanks to NewRisingSun for all his help with this blog entry.
Sunday, December 21, 2014
The Wringer - Breaking PC DOS Game Copy Protection
Copy Protection is the bane of the PC Gamer's existence. It ranges from "You must insert your ORIGINAL disk into drive a:" whenever you play the game to "Find the fifth word in the third paragraph on page eight in your manual" and "Type in the name of this planet at coordinayes x 645 and y 743". However, if you want to enjoy games from their original media, it is necessary to deal with it. It stinks when you buy a PC game from a thift store or on ebay and it is missing the code wheel or the map or the manual. If you do not want to deal with it, there are several programs you can use to break the protection. In this blog post, I will identify these programs, point out some special cases and generally help people play their games without the original documentation. Let me start with a group of cracking programs I call, collectively, "The Wringer".
The Wringer
The Wringer consists of eight DOS programs. All these programs have a text-based GUI that allows you to select your game from a list. There is undoubtedly considerable overlap among these programs, but I have not the time or the patience to create a spreadsheet identifying which program has a crack for which game. It is an unusual game that cannot be cracked by one of these programs. Unfortunately, this means that you may not find a crack for your game until the fifth or sixth program you try. DOSBox is excellent for going those these programs and applying their patches quickly.
NoGuard R6.0 by Central Point Software
This program is the oldest, dated 10/11/1990. It says it can break the SuperLok, ProLok and EverLock disk-based protections and Sierra Online's protections. It then has a list of individual games and programs. It can also detect some protection schemes.
Central Point Software was the publisher of CopyIIPC, and versions of CopyIIPC would include NoGuard for people to make hassle free backups and fully hard drive functional installations. It also included the NoKey program for certain disks for which CopyIIPC could not make a working backup.
The executable is NOGUARD.EXE.
The Patcher v6.5 by Michael Caldwell
This program has a file date of 05/09/1995. It supports 171 distinct games. The executable is PATCHER.EXE
CrackAid v3.39 by Rawhide
This program supports 323 entries, but some games have more than one entry. This is because they have multiple versions. The file date is 11/05/1993 and the executable is CRACKAID.EXE. It should be kept in its own subdirectory.
Crock v2.32 by Firebug & Eryx
This program is good when you want to crack CGA or Tandy versions of some games. It has 624 cracks and some cheats as well. It also comes with UNP, (see below).
The files date from 01/16/1995 and the executable is CROCK2.EXE. It should be kept in its own subdirectory.
Locksmith v1.31 by REM Software
This program is by far the most annoying of the bunch. If you move the subdirectory, you must reinstall the program again. You need to mount the install files to a floppy drive and you need a serial number. If you download it where indicated, the serial will be included. The executable is LOCK.EXE. The program is dated 07-17-1994 and consists of 792 entries. It does include a Hex Editor and will tell you what each crack does.
NeverLock by Copyware Inc.
This version is from Spring, 1996, dated 03/30/1996 and has a nag screen or two. It can search for some commercial copy protections. It has 424 protections divided into a Modern and a Classic Collection. The executable is NEV_UNIV.EXE. The executable NEV_BUSI.EXE is for commercial programs.
Dprotector v3.1 by Tim Trahan
This program was compiled on 12/10/1993. It has libraries for Classic and Modern games, a TSR loader library (see below). One really nice feature is that the program will tell you exactly what it does for each game. Annoyingly, there is a nag screen when the program starts. The executable is DPRO3DOS.EXE and it requires its own subdirectory.
Rawcopy PC v1.0 from "MSI"
Program date is 1992-1993. This supports 476 entries. The executable is RAWCOPY.EXE.
Where to Find
You can find all the programs I have identified here : http://retro.icequake.net/dob/#soft
Limitations
The cracks contained in these programs tend to be of varying quality. They may not work on every version of a game, may only work on a narrow range of systems, or may work to get into the game but do not defeat protection checks later on.
Special Cases
Cracked by the Publisher
When companies started to release their floppy disk titles on CDs, they would have to break the copy protection to get them to run. Sierra did this for their AGI games on their Anniversary and Collection CDs. However they included the necessary information for the SCI games in the manual for the collection, so those games had intact copy protection. LucasArts cracked their games, even for floppy compilations, but they did not release every version in a Collection, so there are versions that need to be cracked manually. Origin and Sir-Tech cracked the games that relied on disk based protection like Sierra, but included full documentation for all their games because the later games used a manual-lookup protection. SSI included code wheels for compilations that included their early Gold Box games, even with compilations released in the late 1990s and early 2000s.
The "SUP" Sierra Unprotection Program v2.01 by Anders M. Olsson
This is a special but important case, it only deals with Sierra floppy games that use the SuperLok v3.2 disk-based protection system. This includes all v2 AGI DOS games and a few others. It does not work with any other AGI Sierra games such as the booter versions of King's Quest and King's Quest II, the Black Cauldron or Donald Duck's Playground. It is not needed with v3 AGI DOS games. The list of games which it supports are as follows :
3-D Helicopter Simulator
Black Cauldron, The (comes in v2 and v3 AGI versions, v3 is unprotected)
King's Quest I, II and III
Leisure Suit Larry
Space Quest I & II
Police Quest (most versions are not protected)
Thexder
The program can be found here : http://www.sierrahelp.com/GeneralHelp/FloppyDiskBackupProblems.html
The program requires the original disk 1 from the game, it reads the encryption string from the disk, inserts it into the Sierra .COM loader and patches the floppy disk error checks so that the loader will decrypt the AGI file, which is the real executable file.
CD-ROM Protection
CD versions of games rarely had copy protection. In the early and mid-90s, the cost of duplicating a CD was well out of reach and CD-Rs were not really available. In the late 1990s, burners and writable CDs had become affordable and publishers again looked to disc-based methods to protect their games, but this was typically after the DOS era. However, there are DOS games like Orion Burger and Championship Manager 2 series, which rely on an early version of the LaserLok CD protection system. This is not an issue if you are trying to run these games on real hardware or have a CD image and a burner that can support this protection. However, with DOSBox, you will need patches, found here :
http://pferrie.host22.com/misc/dosbox.htm
Some CD-ROM versions of Warcraft: Orcs and Humans will ask for a word from the manual in order to install and use the game. I believe this is a holdover from the floppy disk version, which has the same protection. Once the game has passed the SETUP.EXE, which selects the sound devices, it can be played freely without needing to look up a word in the manual. If you have the combo MS-DOS and Macintosh CD (with CD-Audio tracks used only by the Mac executable), then you won't encounter this problem.
If your CD has files in the root directory with 05/02/1995 dates, you will encounter the protection. If your CD has 11/03/1994 or 09/06/1996 root directory files (the latter is the CD-Audio version), then you won't have to deal with the protection.
Compressed Executables
To save space, and to prevent instant debugging, several programs compressed their executables with a program like LZEXE In order to crack them, these executables have to be uncompressed with a program like UNP v3.31, then have the crack applied.
Loaders
There are some games that simply could not be easily cracked. This is because they encrypt or otherwise obfuscates that portion of the program that controls the protection. In this case, a .COM loader may be provided that will intercept the protection and allow you to get past it. The .COM may be loaded as a TSR or simply run in place of the game's actual executable.
Documents Required (No Crack Known)
Finally, some games had protection that could not be broken easily. You will not find a ready crack for King's Quest V, for example. KQ5's protection does not occur on startup. In fact, it often does not popup until you have progressed through a substantial portion of the game. The protection requires you to enter four symbols found on a particular page of the manual. Because the protection is buried within the SCI engine files, it was not something that could be broken with a few bytes. In this case, its usually easier just to get a scan of the manual, but back in the day, people used ASCII art and paint program printouts to display the symbols. Fortunately, scans for the most popular games can be found. Here are some good places to look for them :
http://www.replacementdocs.com/news.php
http://www.mocagh.org/index.php
http://www.sierragamers.com/aspx/m/634055
In addition, there are versions of games or obscure games for which no crack may be available. The cracks contained in The Wringer for King's Quest IV, for example, only work with the early versions.
Other Resources
The Textfiles site contains many files with unprotection instructions for DOS games. You can find them here : http://www.textfiles.com/piracy/ You can also search the site for cracking information located elsewhere.
Other sites with cracking information include :
http://www.oocities.org/gammadragon/Cracks2.html
http://www.mmnt.net/db/0/0/ftp.gamers.org/pub/archives/uwp-uml/romulus/cracks/
Scene Releases
If there is no other choice, and you must play a game and you can't find a crack for it, then you may want to look for scene releases by warez groups. Typically scene releases game with softdocs, which is the manual information in plain text. Otherwise they would come with a crack or pre-cracked. The game Dyna Blaster for DOS comes with a unique copy protection method, it requires you to use an Atari-style joystick with a parallel port adapter, which came with the game, to make menu selections. The Wringer does not contain a crack for that obscure, Europe-only game, so you will have to play the cracked version if you do not have the dongle.
The Wringer
The Wringer consists of eight DOS programs. All these programs have a text-based GUI that allows you to select your game from a list. There is undoubtedly considerable overlap among these programs, but I have not the time or the patience to create a spreadsheet identifying which program has a crack for which game. It is an unusual game that cannot be cracked by one of these programs. Unfortunately, this means that you may not find a crack for your game until the fifth or sixth program you try. DOSBox is excellent for going those these programs and applying their patches quickly.
NoGuard R6.0 by Central Point Software
This program is the oldest, dated 10/11/1990. It says it can break the SuperLok, ProLok and EverLock disk-based protections and Sierra Online's protections. It then has a list of individual games and programs. It can also detect some protection schemes.
Central Point Software was the publisher of CopyIIPC, and versions of CopyIIPC would include NoGuard for people to make hassle free backups and fully hard drive functional installations. It also included the NoKey program for certain disks for which CopyIIPC could not make a working backup.
The executable is NOGUARD.EXE.
The Patcher v6.5 by Michael Caldwell
This program has a file date of 05/09/1995. It supports 171 distinct games. The executable is PATCHER.EXE
CrackAid v3.39 by Rawhide
This program supports 323 entries, but some games have more than one entry. This is because they have multiple versions. The file date is 11/05/1993 and the executable is CRACKAID.EXE. It should be kept in its own subdirectory.
Crock v2.32 by Firebug & Eryx
This program is good when you want to crack CGA or Tandy versions of some games. It has 624 cracks and some cheats as well. It also comes with UNP, (see below).
The files date from 01/16/1995 and the executable is CROCK2.EXE. It should be kept in its own subdirectory.
Locksmith v1.31 by REM Software
This program is by far the most annoying of the bunch. If you move the subdirectory, you must reinstall the program again. You need to mount the install files to a floppy drive and you need a serial number. If you download it where indicated, the serial will be included. The executable is LOCK.EXE. The program is dated 07-17-1994 and consists of 792 entries. It does include a Hex Editor and will tell you what each crack does.
NeverLock by Copyware Inc.
This version is from Spring, 1996, dated 03/30/1996 and has a nag screen or two. It can search for some commercial copy protections. It has 424 protections divided into a Modern and a Classic Collection. The executable is NEV_UNIV.EXE. The executable NEV_BUSI.EXE is for commercial programs.
Dprotector v3.1 by Tim Trahan
This program was compiled on 12/10/1993. It has libraries for Classic and Modern games, a TSR loader library (see below). One really nice feature is that the program will tell you exactly what it does for each game. Annoyingly, there is a nag screen when the program starts. The executable is DPRO3DOS.EXE and it requires its own subdirectory.
Rawcopy PC v1.0 from "MSI"
Program date is 1992-1993. This supports 476 entries. The executable is RAWCOPY.EXE.
Where to Find
You can find all the programs I have identified here : http://retro.icequake.net/dob/#soft
Limitations
The cracks contained in these programs tend to be of varying quality. They may not work on every version of a game, may only work on a narrow range of systems, or may work to get into the game but do not defeat protection checks later on.
Special Cases
Cracked by the Publisher
When companies started to release their floppy disk titles on CDs, they would have to break the copy protection to get them to run. Sierra did this for their AGI games on their Anniversary and Collection CDs. However they included the necessary information for the SCI games in the manual for the collection, so those games had intact copy protection. LucasArts cracked their games, even for floppy compilations, but they did not release every version in a Collection, so there are versions that need to be cracked manually. Origin and Sir-Tech cracked the games that relied on disk based protection like Sierra, but included full documentation for all their games because the later games used a manual-lookup protection. SSI included code wheels for compilations that included their early Gold Box games, even with compilations released in the late 1990s and early 2000s.
The "SUP" Sierra Unprotection Program v2.01 by Anders M. Olsson
This is a special but important case, it only deals with Sierra floppy games that use the SuperLok v3.2 disk-based protection system. This includes all v2 AGI DOS games and a few others. It does not work with any other AGI Sierra games such as the booter versions of King's Quest and King's Quest II, the Black Cauldron or Donald Duck's Playground. It is not needed with v3 AGI DOS games. The list of games which it supports are as follows :
3-D Helicopter Simulator
Black Cauldron, The (comes in v2 and v3 AGI versions, v3 is unprotected)
King's Quest I, II and III
Leisure Suit Larry
Space Quest I & II
Police Quest (most versions are not protected)
Thexder
The program can be found here : http://www.sierrahelp.com/GeneralHelp/FloppyDiskBackupProblems.html
The program requires the original disk 1 from the game, it reads the encryption string from the disk, inserts it into the Sierra .COM loader and patches the floppy disk error checks so that the loader will decrypt the AGI file, which is the real executable file.
CD versions of games rarely had copy protection. In the early and mid-90s, the cost of duplicating a CD was well out of reach and CD-Rs were not really available. In the late 1990s, burners and writable CDs had become affordable and publishers again looked to disc-based methods to protect their games, but this was typically after the DOS era. However, there are DOS games like Orion Burger and Championship Manager 2 series, which rely on an early version of the LaserLok CD protection system. This is not an issue if you are trying to run these games on real hardware or have a CD image and a burner that can support this protection. However, with DOSBox, you will need patches, found here :
http://pferrie.host22.com/misc/dosbox.htm
Some CD-ROM versions of Warcraft: Orcs and Humans will ask for a word from the manual in order to install and use the game. I believe this is a holdover from the floppy disk version, which has the same protection. Once the game has passed the SETUP.EXE, which selects the sound devices, it can be played freely without needing to look up a word in the manual. If you have the combo MS-DOS and Macintosh CD (with CD-Audio tracks used only by the Mac executable), then you won't encounter this problem.
If your CD has files in the root directory with 05/02/1995 dates, you will encounter the protection. If your CD has 11/03/1994 or 09/06/1996 root directory files (the latter is the CD-Audio version), then you won't have to deal with the protection.
Compressed Executables
To save space, and to prevent instant debugging, several programs compressed their executables with a program like LZEXE In order to crack them, these executables have to be uncompressed with a program like UNP v3.31, then have the crack applied.
Loaders
There are some games that simply could not be easily cracked. This is because they encrypt or otherwise obfuscates that portion of the program that controls the protection. In this case, a .COM loader may be provided that will intercept the protection and allow you to get past it. The .COM may be loaded as a TSR or simply run in place of the game's actual executable.
Documents Required (No Crack Known)
Finally, some games had protection that could not be broken easily. You will not find a ready crack for King's Quest V, for example. KQ5's protection does not occur on startup. In fact, it often does not popup until you have progressed through a substantial portion of the game. The protection requires you to enter four symbols found on a particular page of the manual. Because the protection is buried within the SCI engine files, it was not something that could be broken with a few bytes. In this case, its usually easier just to get a scan of the manual, but back in the day, people used ASCII art and paint program printouts to display the symbols. Fortunately, scans for the most popular games can be found. Here are some good places to look for them :
http://www.replacementdocs.com/news.php
http://www.mocagh.org/index.php
http://www.sierragamers.com/aspx/m/634055
In addition, there are versions of games or obscure games for which no crack may be available. The cracks contained in The Wringer for King's Quest IV, for example, only work with the early versions.
Other Resources
The Textfiles site contains many files with unprotection instructions for DOS games. You can find them here : http://www.textfiles.com/piracy/ You can also search the site for cracking information located elsewhere.
Other sites with cracking information include :
http://www.oocities.org/gammadragon/Cracks2.html
http://www.mmnt.net/db/0/0/ftp.gamers.org/pub/archives/uwp-uml/romulus/cracks/
Scene Releases
If there is no other choice, and you must play a game and you can't find a crack for it, then you may want to look for scene releases by warez groups. Typically scene releases game with softdocs, which is the manual information in plain text. Otherwise they would come with a crack or pre-cracked. The game Dyna Blaster for DOS comes with a unique copy protection method, it requires you to use an Atari-style joystick with a parallel port adapter, which came with the game, to make menu selections. The Wringer does not contain a crack for that obscure, Europe-only game, so you will have to play the cracked version if you do not have the dongle.
Monday, May 13, 2013
Hardcore Computist - Hardcore IBM PC Game Hacking?
The magazine Hardcore Computist was a magazine dedicated to cracking on the Apple II platform. Every month users would submit their cracks or "softkeys" allowing a user to break the copy protection on commercial software and freely copy that software to disk. Naturally the magazine only claimed to assist users in making legitimate backup copies of their software, but too frequently programs would be widely distributed anyway. The magazine also offered hacks to cheat at games, reviews, technical articles and the like.
All issues of Hardcore Computist and related items can be found here : http://computist.applearchives.com/ It is less known that eventually, around issue 48, the magazine started to invite IBM PC software cracks and hacks. At first, they were slow in coming. Some issues did not have any, and other issues only had applications, not games. For these cracks, all that was usually needed was a hex editor and DEBUG, but the cracks varied widely in quality.
Some of these cracks can be found on textfiles.com, and many more can also be found there.
All issues of Hardcore Computist and related items can be found here : http://computist.applearchives.com/ It is less known that eventually, around issue 48, the magazine started to invite IBM PC software cracks and hacks. At first, they were slow in coming. Some issues did not have any, and other issues only had applications, not games. For these cracks, all that was usually needed was a hex editor and DEBUG, but the cracks varied widely in quality.
Some of these cracks can be found on textfiles.com, and many more can also be found there.
| Game | Version | Publisher | Issue# | Protection |
| The Dam Busters | Accolade | 89 | Disk | |
| Chessmaster 2000 | 1.01 | Software Toolworks | 89 | Disk |
| The Faery Tale Adventure: Book I | CGA & EGA | MicroIllusions | 87 | Document |
| Ancient Art of War, The | Broderbund | 87 | Disk | |
| Grave Yardage | Activision | 87 | Disk | |
| Gun Boat | Accolade | 87 | Disk | |
| Gauntlet | Mindscape | 87 | ? | |
| Astrilis | Shaman Games | 87 | ? | |
| Space Harrier | SEGA Enterprises, Ltd. | 86 | Disk | |
| Heat Wave | Accolade | 86 | Document | |
| Hoverforce | EGA & VGA, 03-19-91 | Accolade | 86 | Document |
| Carrier Command | Microplay | 85 | Document | |
| Where in the U.S.A. is Carmen Sandiego | Broderbund | 85 | Disk | |
| Colonel's Bequest, The | Sierra On-line | 85 | Document | |
| Continuun | 11/29/90 | Data East | 85 | Document |
| Crime Wave | 1.1 & Unknown | Access Software | 85 | Document |
| Curse of the Azure Bonds | Strategic Simulations, Inc. | 85 | Document | |
| Dragon's Lair II | Readysoft Incorporated | 85 | Document | |
| Dragon's Lair | Sullivan Bluth Interactive Media, Inc. | 85 | ? | |
| Earthrise | Intersel Corp. | 85 | Document | |
| Escape from Hell | Electronic Arts, Inc. | 85 | Document | |
| Earl Weaver's Baseball | 1.5 | Electronic Arts, Inc. | 85 | Document |
| F-15 Strike Eagle II | MicroProse | 85 | Document | |
| Gunship | MicroProse | 85 | Document | |
| Caveman Ugh-Lympics | Electronic Arts, Inc. | 85 | Document | |
| Firehawk : Thexder II | 09/24/90 | Sierra On-line | 85 | Document |
| Battle Chess II : Chinese Chess | Electronic Arts, Inc. | 84 | Document | |
| Battlehawks 1942 | Lucasfilm Games LLC | 83 | Document | |
| Alley Cat | IBM | 83 | Disk | |
| Jordan vs Bird: One on One | Electronic Arts, Inc. | 83 | Document | |
| Grand Slam Bridge | Electronic Arts, Inc. | 83 | Disk | |
| Bargames | Access Software | 83 | Document | |
| Archipelagos | FanFare | 83 | Document | |
| California Games | 1.01 02-23-88 | Epyx | 83 | ? |
| Balance of Power | 1.1 | Mindscape | 83 | Disk |
| Where in the World is Carmen Sandiego | 2.0 12-11-89 | Broderbund | 83 | Disk |
| Where in Time is Carmen Sandiego | Broderbund | 83 | Disk | |
| Dragon's Lair | Sullivan Bluth Interactive Media, Inc. | 83 | Disk | |
| Battlehawks 1942 | 10/06/88 | Lucasfilm | 82 | Document |
| Centurion | Electronic Arts, Inc. | 82 | Document | |
| Champions of Krynn | Strategic Simulations, Inc. | 82 | Document | |
| Command HQ | MicroProse | 82 | ? | |
| Indianapolis 500 | Electronic Arts, Inc. | 82 | Document | |
| Jack Nicklaus' Greatest 18 Holes of Major Championship Golf | CGA, TGA, EGA, HGC | Accolade | 82 | ? |
| Lowblow Boxing | Electronic Arts, Inc. | 82 | Document | |
| Might and Magic: Book One - Secret of the Inner Sanctum | 11/18/87 | New World Computing | 82 | ? |
| Might and Magic II: Gates to Another World | New World Computing | 82 | ? | |
| Railroad Tycoon | MicroProse | 82 | Document | |
| Silpheed | 2.2 | Sierra On-line | 82 | Document |
| Street Rod | California Dreams | 82 | Document | |
| M1 Tank Platoon | MicroProse | 82 | Document/Disk (Document Only) | |
| Test Drive II | EGA & CGA | Accolade | 82 | ? |
| Vette | Spectrum Holobyte | 82 | Document | |
| ABC Monday Night Football | Data East | 82 | ? | |
| Abrams Battle Tank | Electronic Arts, Inc. | 82 | Document | |
| Bob'n Wrestle | Mindscape | 82 | ? | |
| Nuclear War | New World Computing | 82 | Document | |
| Pipe Dream | Lucasfilm Games LLC | 82 | Document | |
| Red Storm Rising | MicroProse | 82 | Document/Disk (Document Only) | |
| Wing Commander | Origin | 82 | Document | |
| Populous | Electronic Arts, Inc. | 82 | ? | |
| Life & Death II: The Brain | Software Toolworks | 81 | Disk | |
| Crime Wave | Access Software | 81 | Document | |
| Stunt Driver | Spectrum Holobyte | 81 | Document | |
| Gauntlet II | Mindscape | 81 | Document | |
| Wing Commander | Origin | 81 | Document | |
| Thexder II : Firehawk | Sierra On-line | 81 | Document | |
| Welltris | 10/03/89 | Spectrum Holobyte | 80 | Document |
| Serve and Volley | Accolade | 80 | Disk | |
| Where in Time is Carmen Sandiego | Broderbund | 78 | Disk | |
| Indianapolis 500 | Electronic Arts, Inc. | 77 | Document | |
| Ultima V : Warriors of Destiny | Origin | 77 | Disk | |
| Where in Time is Carmen Sandiego | Broderbund | 77 | Disk | |
| Interlude II | ? | 76 | Disk | |
| Rack'Em | Accolade | 76 | Disk | |
| Mean Streets | Access Software | 76 | Document | |
| Red Storm Rising | MicroProse | 75 | Document/Disk (Disk Only) | |
| Pete Rose Pennant Fever | Gamestar | 75 | Document | |
| Silpheed | 1.0 | Sierra On-line | 75 | Document |
| Paperboy | CGA, TGA & EGA, PAPERxxx.EXE = 06/17/88 | Mindscape | 75 | ? |
| Zany Golf | Electronic Arts, Inc. | 75 | Document | |
| Pool of Radiance | Strategic Simulations, Inc. | 75 | Document | |
| Paladin | Omnitrend Software, Inc. | 75 | Document | |
| Welltris | WELLTRIS.EXE = 10/03/89 | Spectrum Holobyte | 74 | Document |
| Batman | Data East | 74 | ? | |
| Motocross | CGA & EGA, Possibly TGA & HGC | Gamestar | 74 | Document |
| Populous | Electronic Arts, Inc. | 74 | Document | |
| SimCity | Broderbund | 74 | Document | |
| Their Finest Hour: The Battle of Britain | Lucasfilm Games LLC | 74 | Document | |
| Battle Chess | Interplay | 72 | Document | |
| Chuck Yeager's Advanced Flight Simulator | 1.0 | Electronic Arts, Inc. | 72 | Disk |
| Battlehawks 1942 | Lucasfilm Games LLC | 72 | Document | |
| 688 Attack Sub | Electronic Arts, Inc. | 72 | Document | |
| Shinobi | SH.EXE = 9/23/89 | SEGA Enterprises, Ltd. | 72 | ? |
| Zany Golf | Electronic Arts, Inc. | 71 | Document | |
| Mean 18 + Arch | GOLF.EXE = 89375 bytes, ARCH.EXE = 49631 | Accolade | 70 | Disk |
| The Last Ninja | Activision | 70 | Disk | |
| The Games: Winter Edition | Epyx | 70 | Disk | |
| Jack Nicklaus' Greatest 18 Holes of Major Championship Golf | Accolade | 70 | Document | |
| Defender of the Crown | Mindscape (Cinemaware) | 70 | Disk | |
| Infiltrator | Mindscape | 70 | ? | |
| Perfect College | Mindscape | 70 | ? | |
| Gold Rush! | Sierra On-line | 70 | Document | |
| F-19 Stealth Fighter | 10/15/88 | MicroProse | 70 | Disk |
| Police Quest II: The Vengeance | Sierra On-line | 70 | Document | |
| Leisure Suit Larry Goes Looking for Love (In Several Wrong Places) | Sierra On-line | 70 | Document | |
| Apollo 18: Mission to the Moon | Accolade | 70 | ? | |
| Mean 18 + Arch | 03/29/88 | Accolade | 68 | Disk |
| Bop 'n Wrestle | Mindscape | 68 | ? | |
| Willow | Mindscape | 68 | Disk | |
| Ancient Art of War, The | Broderbund | 68 | ? | |
| Chuck Yeager's Advanced Flight Trainer 2.0 | 1.2 | Electronic Arts, Inc. | 68 | ? |
| The Games: Summer Edition | Epyx | 68 | ? | |
| California Games | Epyx | 68 | ? | |
| Trivia Master | ? | 68 | ? | |
| Gato | Spectrum Holobyte | 68 | ? | |
| The Last Ninja | Activision, Inc. | 68 | Disk | |
| Rampage | Activision | 68 | Disk | |
| Leisure Suit Larry Goes Looking for Love (In Several Wrong Places) | Sierra On-line | 68 | Document | |
| Fast Break | Accolade | 68 | Disk | |
| 4th & Inches | Accolade | 68 | Disk | |
| Test Drive | Accolade | 68 | Disk | |
| The Three Stooges | Cinemaware Corp | 68 | Disk | |
| King's Quest IV: The Perils of Rosella | 09-19-88, 09-24-88 | Sierra On-line | 68 | Document |
| F-15 Strike Eagle | MicroProse | 68 | Disk | |
| Reader Rabbit | The Learning Company | 66 | Disk | |
| Balance of Power | Mindscape | 64 | Disk | |
| Trivia Fever | Professional Software | 64 | Disk | |
| Mean 18 + Arch | EGA | Accolade | 64 | Disk |
| Ultima II: Revenge of the Enchantress | .COM | Sierra On-line | 63 | Disk |
| Chuck Yeager's Advanced Flight Simulator | 1.0 | Electronic Arts, Inc. | 63 | Disk |
| Test Drive | CGA 10/26/87, 11-17-87 (Not EGA, see Issue 65) | Accolade | 61 | Disk |
| Mind Prober | The Human Edge | 60 | Disk | |
| Zork II: The Wizard of Frobozz | Infocom | 56 | Disk | |
| Zork: The Great Underground Empire | Infocom | 56 | Disk | |
| Sargon III | Hayden Software Co. | 54 | Disk | |
| Pool 1.5 | Innovative Design Software | 53 | Disk | |
| Zork III: The Dungeon Master | Infocom | 53 | Disk | |
| Flight Simulator | 1.00 | Microsoft | 52 | Disk |
Friday, March 29, 2013
Exposing the Code Wheels - PC Game Document Copy Protection at its "Most Advanced"
In the mid to late 80's, computer gamer players were beginning to get fed up with playing games strictly off floppies. The market, at least in the United States was clearly gravitating to the IBM PC platform. That platform, which at best supported 16-color graphics and few sound choices, had one huge advantage over the more technically impressive Commodore Amiga & Atari ST machines, standardized support for hard drives. As MS-DOS came with virtually every clone PC and offered standardized methods for interfacing with hard and floppy drives, combined with prices that made hard drives within reach of consumers and smaller businesses, game companies started to realize that the days of floppy-only games were coming to an end. At first, several game companies like Sierra tried to compromise by allowing a game to be installed to the hard drive, but requiring a copy-protected "key disk" to be in the floppy drive when playing the game.
Consumers still complained because floppy disks were fragile and they wanted to make backups of their games. Thus came the next evolution of copy protection, the document based check. Now disks were wholly unprotected and could be backed up as many times as the consumer liked. However, at some point in the game, the game would ask a question that could only be answered by referring to the game's documents. The most simple version of this form of protection would be "Enter the third word in the fifth paragraph on page seven of the manual". King's Quest IV, Leisure Suit Larry II and Police Quest II all use this, although the latter two incorporate graphics to make the protection codes harder to disseminate. Its probably the most common form too.
However, some publishers did not like the simple approach. First of all, it was too obvious and dull. Second, although most homes did not have a photocopier in these days, the local library usually did. Several alternate approaches were tried. One was to publish codes in a separate code book and make the resulting codes difficult or impossible to copy. Maniac Mansion had a codebook that in the original Commodore 64, Apple II and IBM PC releases, was made difficult to copy by using dark red paper and black ink for the codes. However, apparently this was not deemed secure enough, so when Lucasfilm games re-released the game in a high resolution PC version and for the Amiga and ST, they used white paper, printed the codes in blue and printed the words "Maniac Mansion" in red over the codes, requiring a red gel filter to read the codes. A decent color printer or scanner can beat either of these forms of protection, a little photoshop helps.
Other games use included unusual items like maps, which not only were used as a selling point but also served as copy protection when the game would ask the coordinates for a particular area on a map. Maps, especially color ones, were often found in role playing games and games requiring trading. Still, a photocopier would work here.
The main focus of this article is the Codewheel, the most intricate form of copy protection offered in PC Games. The first known codewheel was included in the Infocom Text Adventure A Mind Forever Voyaging. Here it is :
It had an inner and an outer ring, turning the ring would reveal a color which corresponded to a pair of numbers. The inner ring concealed sixteen different colors. While the codewheel may seem more complex due to small marks and large marks and 32 numbers on the inner and outer ring, the inner ring window is the double the width of the distance between two numbers on the code wheel. Naturally therefore, you would think that there are only therefore sixteen possible options. However, one color can correspond to thirty two combinations of numbers. Since the game gave you the color and the inner number, you had to respond with the outer number. As you had to know which inner number corresponded to which other number, the total possible combinations would be 512 (16 colors x 32 number pairs)
Today, with a scanner, this codewheel can be fully represented with fifteen images. Put them in order in a pdf and the resulting page flipping will resemble the user actually moving the codewheel. It can also be turned into a table, like this :
Numbers, colors, letters and words are easy to describe in text, so publishers that came after Infocom used more complex code wheels. Electronic Arts used a three-wheel codewheel in The Bard's Tale III, SSI used a two-wheel codewheel with multiple windows cut into the inner codewheel for Pool of Radiance, and Interplay used a codewheel with symbols in Out of this World.
Out of this World/Another World's codewheel was used in every early disk based release for the game. Some games would use document based protection for the IBM PC and disk-based protection for the Atari ST and Commodore Amiga, but this was not one of them. At first, this Codewheel looks rather daunting :
After a few startups, however, the player would learn that the game never seemed to ask for a symbol sequence more than three symbols in length. That means only windows G, H, I, L, N, O and U were likely to house the correct symbols. Even so, twenty scans of this wheel would give a full representation of its contents. The game did not care which order you input the symbols. You may notice that the symbols are not fixed-width, which makes it difficult to easily count how many symbols are printed on the outer ring.
Here is a famous codewheel :
Most of the time, by the time the game made its way into slash releases or compilation CDs, the company would crack the codewheel protection. The Gold Box games, Pool of Radiance, Curse of the Azure Bonds and Hillsfar were frequently re-released but always had paper codewheels included. I bought a Gamefest : Forgotten Realms Classics CD and all three codewheels were included. Pool and Curse shared a Codewheel in that one side of the outer ring had the Pool codes printed on it, the other had the Curse codes, and each side had an inner ring. Hillsfar was on a separate codewheel. They need not have bothered, as Pool and Hillsfar use the exact same codes on their codewheel. Pool/Hillsfar and Curse share the same letters in the same position in the 1st ring, as the translation idea requires. Thirty six scans are required fully represent these codewheels.
Now suppose you wanted to spread your newly acquired game over your local BBS, but lacked the cracking skills to beat the codewheel protection. How would you manage this :
While the place names and the dates are easy to type, unless you were a dynamite ASCII artist, you would need to provide text descriptions of the faces. Skull, fat faced pirate with skullcap, female pirate with eyepatch, blond pirate, (Guybrush) wavy haired pirate, monkey, female pirate (Elaine), pirate with two eyepatches, masked cannibal, pirate with hat (LeChuck), pirate with widows peak and goatee, dead pirate with cutlass in forehead, dead pirate with scar, bald old man, pirate with knife between teeth. It may take the user a few times since the game mixes and matches the upper facial features with the lower facial features. There are 105 possible codes here, but the game can throw 225 possible upper/lower face combinations at you. Fifteen scans will fully represent this codewheel.
The most complex codewheels are the ones with a third, middle ring. This ring may have the code or it may have a window to point to the code on the outer ring. Accolade loved these things and used them in most of their games from 1989-1992. Here is a deconstructed example (not to true scale) :
Although the outer wheels use symbols, at least it is team logos. There are 72 codes on the outer ring and 66 on the inner ring for a total of 138 codes. In order to fully capture this codewheel, you would need to scan it 144 times! You would need to turn the inner ring 12 times for each turn of the middle ring. Clearly, scanning is not the ideal method to capture the properties of this wheel. Not only that, there are 1,728 possible combinations of questions the game could ask you. A table would be huge, and a separate program to generate the code would have been useless in a single task operating system like DOS. Even so, I doubt the game actually asked more for a code from more than 30-40 combinations, because size constraints on floppy disk games also tend to scale down the ambitions of the copy protectionists.
The solution was to destroy a codewheel and let it be photocopied, or to crack the game. Codewheel games seemed especially prone to cracking. Its as if the challenge invited hackers to test their mettle against the latest and greatest in technology.
As the industry transitioned to CD-ROM, codewheels became less common, even for floppy games. Most floppy games from 1992 to 1995 either used simpler document checks or neglected to implement copy protection at all, relying on the sheer number of disks to deter pirating.
Consumers still complained because floppy disks were fragile and they wanted to make backups of their games. Thus came the next evolution of copy protection, the document based check. Now disks were wholly unprotected and could be backed up as many times as the consumer liked. However, at some point in the game, the game would ask a question that could only be answered by referring to the game's documents. The most simple version of this form of protection would be "Enter the third word in the fifth paragraph on page seven of the manual". King's Quest IV, Leisure Suit Larry II and Police Quest II all use this, although the latter two incorporate graphics to make the protection codes harder to disseminate. Its probably the most common form too.
However, some publishers did not like the simple approach. First of all, it was too obvious and dull. Second, although most homes did not have a photocopier in these days, the local library usually did. Several alternate approaches were tried. One was to publish codes in a separate code book and make the resulting codes difficult or impossible to copy. Maniac Mansion had a codebook that in the original Commodore 64, Apple II and IBM PC releases, was made difficult to copy by using dark red paper and black ink for the codes. However, apparently this was not deemed secure enough, so when Lucasfilm games re-released the game in a high resolution PC version and for the Amiga and ST, they used white paper, printed the codes in blue and printed the words "Maniac Mansion" in red over the codes, requiring a red gel filter to read the codes. A decent color printer or scanner can beat either of these forms of protection, a little photoshop helps.
Other games use included unusual items like maps, which not only were used as a selling point but also served as copy protection when the game would ask the coordinates for a particular area on a map. Maps, especially color ones, were often found in role playing games and games requiring trading. Still, a photocopier would work here.
The main focus of this article is the Codewheel, the most intricate form of copy protection offered in PC Games. The first known codewheel was included in the Infocom Text Adventure A Mind Forever Voyaging. Here it is :
It had an inner and an outer ring, turning the ring would reveal a color which corresponded to a pair of numbers. The inner ring concealed sixteen different colors. While the codewheel may seem more complex due to small marks and large marks and 32 numbers on the inner and outer ring, the inner ring window is the double the width of the distance between two numbers on the code wheel. Naturally therefore, you would think that there are only therefore sixteen possible options. However, one color can correspond to thirty two combinations of numbers. Since the game gave you the color and the inner number, you had to respond with the outer number. As you had to know which inner number corresponded to which other number, the total possible combinations would be 512 (16 colors x 32 number pairs)
Today, with a scanner, this codewheel can be fully represented with fifteen images. Put them in order in a pdf and the resulting page flipping will resemble the user actually moving the codewheel. It can also be turned into a table, like this :
Numbers, colors, letters and words are easy to describe in text, so publishers that came after Infocom used more complex code wheels. Electronic Arts used a three-wheel codewheel in The Bard's Tale III, SSI used a two-wheel codewheel with multiple windows cut into the inner codewheel for Pool of Radiance, and Interplay used a codewheel with symbols in Out of this World.
Out of this World/Another World's codewheel was used in every early disk based release for the game. Some games would use document based protection for the IBM PC and disk-based protection for the Atari ST and Commodore Amiga, but this was not one of them. At first, this Codewheel looks rather daunting :
After a few startups, however, the player would learn that the game never seemed to ask for a symbol sequence more than three symbols in length. That means only windows G, H, I, L, N, O and U were likely to house the correct symbols. Even so, twenty scans of this wheel would give a full representation of its contents. The game did not care which order you input the symbols. You may notice that the symbols are not fixed-width, which makes it difficult to easily count how many symbols are printed on the outer ring.
Here is a famous codewheel :
Most of the time, by the time the game made its way into slash releases or compilation CDs, the company would crack the codewheel protection. The Gold Box games, Pool of Radiance, Curse of the Azure Bonds and Hillsfar were frequently re-released but always had paper codewheels included. I bought a Gamefest : Forgotten Realms Classics CD and all three codewheels were included. Pool and Curse shared a Codewheel in that one side of the outer ring had the Pool codes printed on it, the other had the Curse codes, and each side had an inner ring. Hillsfar was on a separate codewheel. They need not have bothered, as Pool and Hillsfar use the exact same codes on their codewheel. Pool/Hillsfar and Curse share the same letters in the same position in the 1st ring, as the translation idea requires. Thirty six scans are required fully represent these codewheels.
Now suppose you wanted to spread your newly acquired game over your local BBS, but lacked the cracking skills to beat the codewheel protection. How would you manage this :
While the place names and the dates are easy to type, unless you were a dynamite ASCII artist, you would need to provide text descriptions of the faces. Skull, fat faced pirate with skullcap, female pirate with eyepatch, blond pirate, (Guybrush) wavy haired pirate, monkey, female pirate (Elaine), pirate with two eyepatches, masked cannibal, pirate with hat (LeChuck), pirate with widows peak and goatee, dead pirate with cutlass in forehead, dead pirate with scar, bald old man, pirate with knife between teeth. It may take the user a few times since the game mixes and matches the upper facial features with the lower facial features. There are 105 possible codes here, but the game can throw 225 possible upper/lower face combinations at you. Fifteen scans will fully represent this codewheel.
The most complex codewheels are the ones with a third, middle ring. This ring may have the code or it may have a window to point to the code on the outer ring. Accolade loved these things and used them in most of their games from 1989-1992. Here is a deconstructed example (not to true scale) :
Although the outer wheels use symbols, at least it is team logos. There are 72 codes on the outer ring and 66 on the inner ring for a total of 138 codes. In order to fully capture this codewheel, you would need to scan it 144 times! You would need to turn the inner ring 12 times for each turn of the middle ring. Clearly, scanning is not the ideal method to capture the properties of this wheel. Not only that, there are 1,728 possible combinations of questions the game could ask you. A table would be huge, and a separate program to generate the code would have been useless in a single task operating system like DOS. Even so, I doubt the game actually asked more for a code from more than 30-40 combinations, because size constraints on floppy disk games also tend to scale down the ambitions of the copy protectionists.
The solution was to destroy a codewheel and let it be photocopied, or to crack the game. Codewheel games seemed especially prone to cracking. Its as if the challenge invited hackers to test their mettle against the latest and greatest in technology.
As the industry transitioned to CD-ROM, codewheels became less common, even for floppy games. Most floppy games from 1992 to 1995 either used simpler document checks or neglected to implement copy protection at all, relying on the sheer number of disks to deter pirating.
Subscribe to:
Posts (Atom)