Mon, 2005-10-24 02:00 — ChristopheF

General description

Version 1.4 - July 8, 2015

by ChristopheF

This document describes the copy protection scheme that was used for Dungeon Master and Chaos Strikes Back on Atari ST and Amiga.

These games used a very sophisticated copy protection. It took several months after the first release of Dungeon Master before the copy protection was correctly defeated, while most copy protections are defeated in a matter of hours or days by experienced hackers. That partially explains why they sold lots of copies! The main reason is, of course, that this is a great game!

The copy protection mechanism used for Dungeon Master was patented by Software Heaven, Inc. Check the US Patent #4849836 'Copy protection for computer discs' on Google Patent Search.

An expert speaks

Read what Andy The Arfling (a hacker who was once a member of the BBC / Automation groups) says about the Dungeon Master copy protection in an Interview of a hacker talking about the Dungeon Master copy protection:

What's the best protection system you have ever seen?

Encryption routines were a silly game, so the best protection has to be Dungeon Master as far as I'm concerned. Law has mentioned a decryption routine I wrote running on the keyboard processor, but it was still beaten by hardware.

What's the best job of a game crack (ST) you have ever seen?

Dungeon Master. It seemed to be written in some kind of interpreted language which made it very difficult to fathom. It also had protection embedded throughout the game. Good protection is like good encryption, it can never be an afterthought, you can't buy it off the shelf, it has to be part of the fabric of the game. Apparently it had a protection check after the final boss, just so you couldn't see the end sequence. Hats off to them. Hats off to Was (Not Was) for cracking it.

Message posted by Doug Bell about the copy protection

Posted on 06/09/2008 at 16:55 on http://www.next-gen.biz/index.php?option=com_conte... (link is now dead)

Of course it is a difficult question to say how much more or less revenue a product would have earned with or without copy protection. The answer to the question is dependent on a number of factors including the effectiveness of the copy protection and availability of similar products at different price points with and without effective copy protection.

There are at least four different interest groups, with the lines between them blurred at times:

1) Software developers and publishers seeking to maximize the return on their efforts;

2) Paying customers interested in receiving value in exchange for their money;

3) Pirates interested in using the software while illegally minimizing or eliminating costs; and

4) Crackers interested in the technical challenge, notoriety and/or financial gain from circumventing the technical barriers to copying or pirating the software.

Each interest group offers up their own reasons and rationales to justify their actions. Crackers argue the copy protection is pointless because it can always be circumvented as if this somehow bestows their activities with some form of populist nobility. Pirates argue that they wouldn’t have paid for the product anyway, so their actions somehow don’t really amount to stealing from the developer. Paying customers are frustrated by paying for a product that is less functional or more cumbersome to use than the stolen version used by the pirate. Finally, the resources available to software developers to invest in creating software are limited by the revenue they earn and reduced by the resources invested in copy protection. All in all, this creates a tough situation to analyze.

However, as the developer of a must-have computer game (albeit from a couple of decades ago) that you had to actually buy, I may have the rare perspective to take a stab at the question. Back in 1988, cartridge games were rarely pirated while computer games were rampantly pirated. Most games were cracked within a week of being released, with probably significantly less than 1% of software remaining uncracked after two weeks. One notable exception during this period was the game Dungeon Master, which was the best selling game on several different personal computer platforms over a two-year period. Dungeon Master was first released on the Atari ST, and for the better part of a year the only way to play Dungeon Master was to own an Atari ST and to buy the game.

Dungeon Master exposed the fallacy in the claims of both the pirates and the crackers. The pirates who would never have paid for the game if they could steal it did pay for it. Despite a steadily growing bounty of fame and notoriety for cracking the game, the protection lasted more than a year. And the paying customer was rewarded with not just a minimally invasive copy protection scheme, but just as importantly, with the satisfaction of not feeling like a schmuck for paying for something that most people were stealing.

As the developer of both Dungeon Master and the software portion of its copy protection, I knew that eventually the copy protection would be broken, but that the longer it held out the less damage we would suffer when it was broken. We had the advantage of owning the patent on a floppy-disk copy protection scheme that required a $40,000 specialized hardware device to write the disks. It was impossible to create a disk image without this hardware, and the hardware itself was out of production. That meant that as long as there were enough layers on the copy protection, and these layers took long enough to crack, the only way to own the game was to buy it. The copy protection scheme took a couple of weeks to create, and while this added cost to the production without adding value for the customer, it was time well spent. The copy protection was based on many redundant, overlapping and isolated checks and cross checks. The copy protection was developed with the assumption that the cracker would be armed with a hardware emulator and developed with an awareness of the capabilities and limitations of the commonly available emulators of the time.

Dungeon Master had a greater than 50% market penetration on the Atari ST—that is, more than one copy of Dungeon Master was sold for each two Atari ST computers sold. That’s easily 10 times the penetration of any other game of the time on any other platform.

So what’s the lesson? That piracy does take significant money out of the pocket of the developer and that secure anti-piracy schemes are viable.

Preventing floppy disk copy

In order to prevent disk copy, the games make use of "fuzzy bits", also known as "weak bits" or "flakey bits" as they are called at the Software Preservation Society (SPS, ex CAPS). Fuzzy bits have two important characteristics:

The value of a fuzzy bit seems random when read multiple times: sometimes it is read as a zero, sometimes it is read as a one.

It is NOT possible to write a fuzzy bit on a floppy disk by using standard hardware like the floppy disk drives and controllers found in personal computers like the Atari ST, Amiga, PC, Macintosh, etc. In order to write fuzzy bits to a floppy disk, you need specialized hardware that was very expensive back at the time.

There are multiple ways to create fuzzy bits, the method used in our case is described in detail on Technical Documentation - Dungeon Master and Chaos Strikes Back - Detailed analysis of Atari ST Floppy Disks.

If you copy your original Dungeon Master floppy disk using your favorite disk copier, the copy will not have the fuzzy bits but normal bits instead. The game can easily detect their presence by reading these bits several times: if it gets random results, it assumes the disk is an original. If it gets consistent results, it assumes the disk is a copy.
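The check described above, written out as an added C model (this is not code from the game or from this page): a constructed disk model where an original has fuzzy positions that read randomly on every access and a copy has only stable bits, and a checker that reads the protection sector several times and counts the bits that disagree between reads. The sector contents, the number of reads, the fuzzy-bit layout and the PRNG are all assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512   /* one MFM sector of data, as in sector 7 of track 0 */
#define NUM_READS   8     /* how many times the check re-reads the sector (assumed) */

/* Constructed disk model: the sector's nominal content plus a mask of fuzzy
   bit positions (1 = fuzzy). A copy made with standard hardware has an
   all-zero mask, because the copier wrote ordinary, stable bits instead. */
typedef struct {
    uint8_t  data[SECTOR_SIZE];
    uint8_t  fuzzy_mask[SECTOR_SIZE];
    uint32_t rng;                 /* deterministic PRNG state for the model */
} disk_model_t;

/* xorshift32: stands in for the physical randomness of a real fuzzy bit. */
static uint32_t next_rand(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* One read of the protection sector: stable bits return their stored value,
   fuzzy bits return a fresh random value on every read. */
static void read_sector(disk_model_t *d, uint8_t out[SECTOR_SIZE]) {
    for (int i = 0; i < SECTOR_SIZE; i++) {
        uint8_t noise = (uint8_t)next_rand(&d->rng);
        out[i] = (uint8_t)((d->data[i] & ~d->fuzzy_mask[i]) | (noise & d->fuzzy_mask[i]));
    }
}

/* The check as the text describes it: read the sector NUM_READS times and
   count the bit positions whose value differs between reads. Returns the
   number of such bits; zero means every read was identical (a copy). */
int count_fuzzy_bits(disk_model_t *d) {
    uint8_t first[SECTOR_SIZE], cur[SECTOR_SIZE], differ[SECTOR_SIZE] = {0};
    read_sector(d, first);
    for (int r = 1; r < NUM_READS; r++) {
        read_sector(d, cur);
        for (int i = 0; i < SECTOR_SIZE; i++) differ[i] |= (uint8_t)(first[i] ^ cur[i]);
    }
    int n = 0;
    for (int i = 0; i < SECTOR_SIZE; i++)
        for (int b = 0; b < 8; b++) n += (differ[i] >> b) & 1;
    return n;
}

/* At least one fuzzy bit validates the disk as an original. */
int is_original_disk(disk_model_t *d) { return count_fuzzy_bits(d) > 0; }

/* Build a model: an original with `fuzzy_bytes` fuzzy bytes at the start of
   the data field, or (fuzzy_bytes == 0) the stable copy a disk copier makes. */
void make_disk(disk_model_t *d, int fuzzy_bytes, uint32_t seed) {
    memset(d, 0, sizeof *d);
    for (int i = 0; i < SECTOR_SIZE; i++) d->data[i] = (uint8_t)(i * 7 + 3);
    for (int i = 0; i < fuzzy_bytes && i < SECTOR_SIZE; i++) d->fuzzy_mask[i] = 0xFF;
    d->rng = seed ? seed : 1;   /* xorshift must not start from zero */
}

/* Convenience: build a disk with the given number of fuzzy bytes and run
   the check on it; returns the number of fuzzy bits observed. */
int check_disk(int fuzzy_bytes, uint32_t seed) {
    disk_model_t d;
    make_disk(&d, fuzzy_bytes, seed);
    return count_fuzzy_bits(&d);
}
```

A real disk copier produces the fuzzy_bytes == 0 case: every re-read returns the same bytes, which is exactly what the game treats as a copy.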

The only way to make perfect copies is to use advanced hardware like:

A Tracer disk duplicator machine like the ones that were probably used to produce the original disks. The problem is that this is VERY expensive hardware, so you'd better buy an original game!

A Discovery Cartridge, which is a hardware add-on for the Atari ST with its accompanying software. It contains an advanced floppy disk controller that allows full control over the disk writing process. If you have this piece of hardware, you can make a perfect and working copy of an original Dungeon Master floppy disk by using the following specifications for the tool:

    DUNGEON MASTER by FTL GAMES/SOFTWARE HEAVEN INC. !
    0 : W 1 9 535 14
    1 : R 10
    R : 79
    )

[Supplied by Jean Louis-Guérin]

The first command "W" instructs the tool to read a portion of track "0" directly as flux transition spacings. In this track, "9" sectors are expected to have a good checksum. Synchronization type "1" means that the equivalent of "535" MFM bytes should be read as flux transition spacings, starting after the "14"th set of 3 sync marks ($A1). The 14th set of sync marks is the one indicating the start of the data field of sector #7, which contains the fuzzy bits.

The second command "1 : R 10" instructs the tool to read an unprotected track containing 10 sectors.

The third command "R : 79" instructs the tool to repeat the previous command through track 79.

Note: Although it is not possible to make a perfect copy of these games with standard hardware, it is still possible to make perfect disk images of the floppy disks (both Amiga and Atari ST floppies; any floppy disk, in fact) by using the dumping tool of the Software Preservation Society (SPS, ex CAPS).

Preventing software crack

Cracking a program means modifying the program so that it will bypass its copy protection check. In the case of Dungeon Master, that means removing or bypassing the test that checks for the presence of fuzzy bits.

The designers knew that software pirates would try to crack their games so they included a lot of tricks to make their task as difficult as possible.

Delayed results to failed tests

Today, most copy protections make a test to check if you have an original CD. If this is not the case, you immediately get an error message asking you to put the real CD in the drive.

In Dungeon Master, the copy protection is more vicious. If one of the multiple copy protection tests fails, the game will often not stop immediately. Instead you will be able to keep playing for several minutes (or even hours in certain cases). But ultimately, you will face the consequence in one way or another (see below). Because a pirate cannot immediately know whether the crack he made works in the long term, cracking requires lots of testing and time, and very careful inspection of what the program is doing. This makes the cracking process a lot harder.

Various results to failed tests

If the game detects a copied disk, this can produce different effects like:

Animation stops. Often soon after this the following message is displayed: "SYSTEM ERROR 60".

Instant death of the whole party. When this happens, you do not have the option to "Restart this game" as you usually have when your party is killed during combat.

Multiple checks

Most modern copy protections involve a single test when the game starts. It is relatively easy for pirates to find and remove these tests.

In the case of Dungeon Master and Chaos Strikes Back, the developers put several checks for the presence of fuzzy bits at various places in the program. For a "good" crack, you need to find and defeat them all.

Hidden code

In order to make things even harder, the designers put some hidden code pieces in the graphics.dat file. These program parts are encoded just like normal images. At some points while you play, these hidden code pieces are decoded in memory, executed and then cleaned from memory. A pirate looking only at the main program would miss these parts.

Checksums

A checksum is a computed value which depends on the contents of a block of data. Its main characteristic is that if you change anything in the data, then the checksum value will also change.

Dungeon Master uses checksums at several places in the program to ensure that the program itself has not been tampered with. If a pirate changes something in the code to remove one part of the copy protection, then the program is changed. The checksum of the program also changes so the program can itself detect the change and know that it has been cracked. Ultimately, it will also break and prevent you from playing the game normally.

That makes the cracking task harder, because you need to find and neutralize all these checksums, in addition to the other disk validation tests.

Copy protection issues

Although very sophisticated, that copy protection scheme has some drawbacks:

Installation on hard disk is not possible (note that there are tools and hacked versions that can run the games from a hard drive).

On Amiga, the copy protection is responsible for compatibility issues with some newer kickstart versions and some faster processors like 68030. That is probably one of the reasons why they removed the protection in the latest Psygnosis release (version 3.6). Note that even without the copy protection, this version cannot be installed on HD either because the name of the floppy disk is hard coded.

Some technical details

Boot sequences

This section describes the boot sequence of some of the games. Similar games use identical or similar boot sequences.

Dungeon Master Atari ST

In ST versions, the floppy disk boot sector runs SWOOSH.IMG. This program displays the FTL logo and plays the associated sound. Then it runs START.PRG, which is a small program that uncompresses in memory the main program stored in START.PAK. The main program is then run from memory.

START.PRG is run with the "AUTO" command line parameter which is forwarded to the main program in START.PAK. That is another protection: you cannot run the program directly if you copied the files to your hard disk.

Dungeon Master for Amiga version 2.0 French

Unlike the Atari ST versions, the game is not run from the boot block but uses the standard startup-sequence script located in the folder "s" on the disk. This script runs a loader called "exec". This loader sets up a few things like display and memory reservations.

This program is "self detaching", which means that it detaches itself from the process that launched it. In fact, it creates a new process for itself and then terminates. In later versions (like in Chaos Strikes Back for Amiga version 3.1), the loader is called "bjeload_r" and does the same thing. It can be seen if you run it in a shell: the program seems to terminate immediately without doing anything, then the game starts.

The loader runs the "swoosh" program (displaying the FTL logo and playing the associated sound), and then the main program "dm". In fact, it runs "DungeonMaster:swoosh" and then "DungeonMaster:dm" because it refers to the floppy disk by its name. That is why you need to assign the name of the floppy disk to a hard disk folder if you want to play from hard disk.

Reading the fuzzy bits in the protection track

In Dungeon Master for Atari ST, the "fuzzy bits" are stored in sector 7 of track 0. This sector contains the first half of the file called BOOTER.

Dungeon Master reads the protection track containing the fuzzy bits periodically during gameplay (most often when changing levels). According to the code, if at least one fuzzy bit is found, then the disk is validated as an original. If, however, after several reads it still gets consistent results, it displays the "System Error #60" message. Note that this error is also present in the source code of Chaos Strikes Back for Windows with an associated error message: "Watchdog Timer Failure".

In the game, the protection is read in two cases:

During combat or creatures movement: it can display the "Insert Dungeon Master Disk" message even if it already is in the drive. In the end it can instantly kill your party.

When changing levels: it can stop animation and display the System Error #60 message. The message is a consequence of the animation stop and is probably a security against a buffer overflow.

In CSBwin, look in the file code17818.cpp, function "TenSecondUpdate", for the usage of the variable called "word11750". This portion of code decrements the variable. When it reaches 0, the whole party is killed and the player does not have the opportunity to restart from the savegame:

    // Delayed consequence of a failed protection check: count down once
    // every ten seconds, then kill the party and forbid the restart option.
    if (d.Word11750)
    {
        d.Word11750--;
        if (d.Word11750 == 0)
        {
            d.CanRestartFromSavegame = 0;
            DamageAllCharacters(0x1000, 0, 0);
        }
    }

For the first case, you need to play for a long time in one session, as the result of a protection check is often delayed.

The second case can easily and quickly be tested in the Chaos Strikes Back prison: Get a champion and go down to fight the mummies, climb up and repeat the process several times. The protection will soon be triggered.

How to detect an original or a copy?

On an Atari ST with 1 MB of memory (so that the whole game fits in memory), you can tell whether the game is an original. If there are short disk accesses while playing (mostly when changing levels), that means the copy protection is probably still there. If you can play for several hours, then you have an original.

You may be able to finish Dungeon Master even with a copied version if you save often. Chaos Strikes Back breaks faster than Dungeon Master because there are a lot more level changes.

A crack of Dungeon Master

This section details how to crack Dungeon Master for Amiga version 2.0 French. This nice work was done by Meynaf in his spare time (between October 2003 and January 2004). It helps in understanding the protection mechanisms and how to bypass them. Maybe people inspired by this crack will be able to crack other versions.

Meynaf also cracked Dungeon Master for Atari ST and ported it to Amiga. He also cracked Chaos Strikes Back for Amiga and made it playable from hard disk. You can also download the Chaos Strikes Back for Atari ST version 2.1 assembler source code on Chaos Strikes Back for Atari ST. It is the disassembled source code of the original game (non cracked). People can study it if they want.

In the csb.s file, the following labels mark the checksum functions used by the copy protection: u3048, vcfae, w17ea. The last one is called from two places in the code. The save game routine has 3 of the 4 checksums in the game; the programmers really did not want it to be modified, as it contains a copy protection check.

Changes required to crack the game

Each entry below gives the offset in the file "DM", the bytes to replace (XX), the bytes to put in their place (YY), and notes.

22DD0: replace 4E55 0000 by 7000 4E75. First protection read.
    4E55 0000: In C language code, all functions start with 4E55 followed by 0000 or a negative value. This is a LINK instruction to create the stack frame.
    7000 4E75: 70xx is moveq #val,D0, which puts the value in the D0 register. 4E75 is an RTS (a return). So this returns the value 0.
    After that, the program runs until the presentation, where it switches on the floppy disk. The original function directly accesses the floppy drive controller hardware and returns 0 if everything went fine, or stops the program if a copy is detected. This function is replaced by a simple "return 0" to bypass the test.

165F4: replace 66 by 60. Checksum.
    66: Conditional Branch
    60: Unconditional Branch

17976: replace 66 by 60. Checksum.
    66: Conditional Branch
    60: Unconditional Branch

18BE4: replace 66 by 60. Checksum.
    66: Conditional Branch
    60: Unconditional Branch

1A29C: replace 6600 00A8 by 4E71 4E71. Checksum.
    6600 00A8: Conditional Branch
    4E71 4E71: NOP NOP (no operation)

1275A: replace 4E55 by 4E75. Hidden routine.
    4E55: LINK instruction to create the stack frame.
    4E75: RTS (just a return)
    The function that uses the graphic items as hidden protections is nearly identical, so it is easy to find.

ACBC: replace 6606 by 6010. A test that can display the "System error 60" message.
    6606: bne (Conditional Branch to code at +$06)
    6010: Unconditional Branch

1906C: replace 63 by 60. A test that can display the "System error 60" message.
    63: Conditional Branch
    60: Unconditional Branch

1964E: replace 4267 4878 by 6000 0290. Save game function.

Note: Three of the four checksums are performed on the save game function.

Additional changes required to run the game from hard disk:

Because the program accesses files using the name of the floppy disk (which is "DungeonMaster"), you have to run the following command before running the game to map this name to the folder where you have the game files (you have to be in that folder before running this command):

    assign DungeonMaster: ""

The "swoosh" program checks the integrity of the master disk (it can display the message "Damaged master disk" if that fails) and then displays the FTL logo.

In the file "swoosh", at offset $36a, replace 4EBA 03F6 4A40 661a by 4E71 4E71 4E71 601A to neutralize this test.

4EBA 03F6: jsr (to a function located $3f6 bytes after that instruction)

4A40: tst.w d0

661a: bne (conditional branch to code at +$1a)

4E71: NOP

601A: Unconditional branch to code at +$1a.

There is a function to ensure that the game disk is in the floppy drive. If it is not there, a message is displayed asking for it.

In the file "DM", at offset $15194, replace 4E55 FFB0 by 7001 4E75 to bypass this test (the function returns 1 if the disk is present in the drive).

Tips on cracking other versions

Other versions of the game require similar changes, but it is not very easy to find the offsets where you need to change some bytes.

You need a good debugger (like Devpac). Try to find all abnormal disk accesses and neutralize them with NOP or RTS instructions.

You can search for disk access routines by looking for floppy disk controller address FF8600 on Atari ST and address BFD100 on Amiga.

Often conditional branches (6x codes) are replaced by unconditional branches (code 60, BRA). For example, after computing a checksum, the program branches depending on the value of the checksum. Replacing the conditional branch by an unconditional branch can bypass the checksum test.

You also need to find all the checksums in the code and neutralize them.

To find the code for checksums, you have to search for "ADD.W (A?)+". One of the checksums is used on the dungeon.dat file, so it can be ignored for the crack. For the others, you need to find which functions call the checksum functions and which results they are looking for. Then you can neutralize the checksums by always giving the calling functions the results they want.

There is a word value "0C91" stored in binary item #558 in graphics.dat at offset 3234 which is used by the copy protection. In the program, a variable is compared to that value. Other values are written to the variable if the protection fails, which seems to cause the animation freeze. The variable is initialized with that value from the graphics.dat file.

To find the protections, some numerical constants are useful to search: 4ef9, 103e3, 88, 31e9, 22b, 459, c91, 1f4.

Some of them (88, 31e9, 22b, 459, c91) are arbitrary values only used to store the result of protection checks. Others (103e3, 1f4) are counter values: after that number of clock ticks, the game stops.

The 4ef9 value is the binary code for the JMP instruction. It is used by the checksum functions to ensure that they are working on the correct code. At the beginning of the program, there is a large list of JMP instructions that jump to various functions in the code. The checksum functions compare the first word of data of the function they have to check with the JMP code (4ef9) to ensure they are working on the function's real code and not the JMP table at the beginning of the program.

These values seem to be identical in all versions; some of them can be found in Chaos Strikes Back for Windows.

Hidden code in GRAPHICS.DAT

Technical Documentation - Dungeon Master and Chaos Strikes Back Graphics.dat: Hidden code

Special Thanks

I want to thank Philippe Guichardon (Meynaf) for his fantastic job and useful information. This page would not have been possible without him.

Also many thanks to Kieron Wilkinson from the CAPS Project for his help.

History of this document