Zemina's game protection

By saccopharynx

Expert (122)


18-07-2016, 15:55

I don’t know if this topic has already been addressed in the forum, but if not, I think it is worthwhile to bring it on board.

A few days ago, a colleague told me that he was having issues loading Zemina’s “The Three Dragon Story” using ROM loaders such as ODO. I examined the MSX memory pages when playing the game on an emulator and everything seemed to be normal: it was the classical distribution using pages 1 (#4000-#7FFF) and 2 (#8000-#BFFF) for a 32K game. Nothing strange that would make ODO fail.

However, the game froze as soon as it started, which made me think that some sort of protection was doing the job. For an agile analysis, I created a couple of “bloadable” BIN files to get rid of ODO, which just produced the same results. After a long debugging session, I got nothing, so I took two memory snapshots and, surprisingly, there were differences in page 1 (which, when using a ROM, has read-only access). Technically, I found out that the game overwrites/corrupts itself when the routine that controls the collisions is executed from anything other than a ROM.

For example, it uses instruction pairs such as the one below:

ld (hl), e
jp (hl)

At those points, “hl” could be any address like 4XXX. I “nopped” the “ld” instruction and the game continued working properly until I reached the first boss, where another similar security control froze the game. I bypassed the second control and it kept going that way several times until the end of the game. In total, I had to circumvent 6 security checks.

The protection is indeed simple, but in my opinion it was very effective at the end of the 80’s at preventing the typical ROM dumps. The “ld” instruction has no effect when running from a ROM, as it is READ ONLY. However, as I demonstrated, the consequences are catastrophic when using dumped BINs or even ROM loaders. In the end, such behaviour is not surprising: Zemina “cloned” (not to say pirated) others’ commercial games, so they certainly knew about piracy, and so they developed their own protection method.

I wonder what would have happened if Konami had implemented similar security mechanisms. Probably many of us, who lived in countries where cartridges were not distributed, would not have seen many gems before the arrival of the Internet and emulators. Take into account that I was able to bypass these checks with today’s technology, using emulators, taking memory snapshots, and debugging the game. But in the late 80’s, I’m now asking, was there any similar technology to ease the cracking task, apart from disassembling the binary? Note that I could identify the instructions above after performing a dynamic analysis of memory and CPU registers while running the game, but the story would have been quite different by only examining static assembly code with instructions that don’t directly refer to the memory addresses that get overwritten. Could that be one of the reasons why illegal distribution of Zemina’s games didn’t go further? (I didn’t actually know about Zemina before the Internet age.)

Regarding Zemina’s Eagle 5, the game uses a page distribution that is not even compatible with ODO despite the fact that it is a 32K ROM: page 0 of the MSX holds the second segment of the ROM, and page 1 contains the first segment. Without a MegaFlashROM or the original cartridge, there is not even a way to play the game (on a real MSX machine) unless it is dumped into binary files. But guess what? If you do so, there is a security control waiting for you, similar to the one used in “The Three Dragon Story”.

I don’t know if the distribution of these pirated ROMs is allowed on this website, so I only leave the link to the IPS for “The Three Dragon Story”. If these games have no copyright, I will later upload the patched BINs for Eagle 5 if someone is interested.

http://www.mediafire.com/download/j61js8e5c77raiz/

Cheers,
S


By ricbit

Champion (410)


18-07-2016, 16:44

This is actually common, a lot of games do that. I know for sure that Rambo does. Most of the BIN games distributed in the 80s had this protection knocked out with NOPs.

By tvalenca

Paladin (705)


18-07-2016, 17:53

If I had my current knowledge back then and access to this kind of software, I would have come up with a contraption to halt the Z80 when it tries to write over the ROM (excluding MegaROM page flips) and display the address which contained that instruction. This would definitely be enough to knock out every copy protection like this one.
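The following is an added example, not code from the thread or from Zemina: a toy model of the “write to your own ROM” check from the first post and of the write-trapping contraption tvalenca describes. It interprets only the handful of Z80 opcodes the demo needs (NOP, LD HL,nn; LD E,n; LD A,n; LD (HL),E; JP (HL); JP nn; HALT). The 32-byte “game” image is constructed for illustration, and the choice of 0x76 (HALT) as the value stored by `ld (hl),e` is an assumption made so that the RAM copy visibly freezes; the addresses and function names are likewise hypothetical. Writes to the cartridge window (#4000-#BFFF) are recorded with the address of the writing instruction, dropped when the image is treated as a real ROM, and applied when it is treated as a RAM copy loaded by ODO or from a BLOADed BIN.

```python
"""Toy model of an MSX game that writes into its own ROM as a copy check.

Added example, not the thread's or Zemina's code. Only the opcodes needed
for the demo are implemented; all addresses and the game image are made up.
"""

ROM_START, ROM_END = 0x4000, 0xBFFF   # MSX pages 1 and 2: where a 32K cartridge lives


class Z80Mini:
    """Minimal Z80 subset with a write trap on the cartridge address range."""

    def __init__(self, image, rom_mode):
        # rom_mode=True models the real cartridge: stores into #4000-#BFFF are ignored.
        # rom_mode=False models the same bytes sitting in RAM (ROM loader / BLOAD).
        self.mem = bytearray(0x10000)
        self.mem[ROM_START:ROM_START + len(image)] = image
        self.rom_mode = rom_mode
        self.pc, self.hl, self.a, self.e = ROM_START, 0, 0, 0
        self.halted = False
        self.rom_writes = []   # (pc of the writing instruction, target address, value)

    def write(self, addr, value, instr_pc):
        if ROM_START <= addr <= ROM_END:
            # The "contraption": remember which instruction tried to write over ROM.
            self.rom_writes.append((instr_pc, addr, value))
            if self.rom_mode:
                return          # a mask ROM silently ignores the store
        self.mem[addr] = value

    def fetch(self):
        b = self.mem[self.pc]
        self.pc = (self.pc + 1) & 0xFFFF
        return b

    def fetch16(self):
        lo = self.fetch()
        return lo | (self.fetch() << 8)

    def step(self):
        instr_pc = self.pc
        op = self.fetch()
        if op == 0x00:          # NOP
            pass
        elif op == 0x21:        # LD HL,nn
            self.hl = self.fetch16()
        elif op == 0x1E:        # LD E,n
            self.e = self.fetch()
        elif op == 0x3E:        # LD A,n
            self.a = self.fetch()
        elif op == 0x73:        # LD (HL),E   <- the self-write
            self.write(self.hl, self.e, instr_pc)
        elif op == 0xE9:        # JP (HL)
            self.pc = self.hl
        elif op == 0xC3:        # JP nn
            self.pc = self.fetch16()
        elif op == 0x76:        # HALT
            self.halted, self.pc = True, instr_pc
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {instr_pc:#06x}")

    def run(self, max_steps=1000):
        for _ in range(max_steps):
            if self.halted:
                break
            self.step()
        return self


# Constructed game image. The check at 4005 stores E into (HL) and jumps there.
# From ROM the store is a no-op and the jump lands on LD A,42 / HALT ("the game runs").
# From RAM the store turns that LD A,42 into HALT, so the "game" freezes with A = 0.
GAME = bytes([
    0x21, 0x10, 0x40,                   # 4000: LD HL,4010h
    0x1E, 0x76,                         # 4003: LD E,76h   (assumed value: HALT opcode)
    0x73,                               # 4005: LD (HL),E  <- the copy check
    0xE9,                               # 4006: JP (HL)
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   # 4007-400F padding
    0x3E, 0x2A,                         # 4010: LD A,42
    0x76,                               # 4012: HALT
])


def play(image, rom_mode):
    """Run the image and report where it halted, what A holds, and any ROM writes."""
    cpu = Z80Mini(image, rom_mode).run()
    return {"a": cpu.a, "halt_pc": cpu.pc, "rom_writes": cpu.rom_writes}


def find_self_writes(image):
    """tvalenca's contraption in software: run as a real ROM with the trap armed
    and return the addresses of the instructions that tried to write into ROM."""
    cpu = Z80Mini(image, rom_mode=True).run()
    return sorted({pc for pc, _, _ in cpu.rom_writes})


def nop_self_writes(image):
    """What the first post did by hand: replace each trapped LD (HL),E (0x73) with NOP."""
    patched = bytearray(image)
    for pc in find_self_writes(image):
        if patched[pc - ROM_START] == 0x73:
            patched[pc - ROM_START] = 0x00
    return bytes(patched)


if __name__ == "__main__":
    print("real ROM :", play(GAME, rom_mode=True))
    print("RAM copy :", play(GAME, rom_mode=False))
    print("trapped  :", [hex(p) for p in find_self_writes(GAME)])
    print("patched  :", play(nop_self_writes(GAME), rom_mode=False))
```

The trap only reports checks that the run actually exercised, which is why the first post needed six separate fixes as the game progressed: a check placed before a boss is not seen until the game reaches that boss. On real hardware the same trap would also need to ignore the writes a MegaROM mapper uses for bank switching, as tvalenca notes.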

By gdx

Prophet (2366)


19-07-2016, 00:54

Thx Saccopharynx

By ~mk~

Master (222)


19-07-2016, 01:13

Go Saccopharynx!!! Smile

By saccopharynx

Expert (122)


19-07-2016, 01:23

tvalenca wrote:

If I had my current knowledge back then and access to this kind of software, I would have come up with a contraption to halt the Z80 when it tries to write over the ROM (excluding MegaROM page flips) and display the address which contained that instruction. This would definitely be enough to knock out every copy protection like this one.

That's exactly the point: a simple protection that is very resistant to "conventional" reverse engineering attacks, as it demanded a hardware solution such as a contraption.

By Manuel

Ascended (14792)


19-07-2016, 21:35

AFAIK some Konami games also use the 'write to your own ROM' mechanism.

By tvalenca

Paladin (705)


19-07-2016, 21:51

Manuel wrote:

AFAIK some Konami games also use the 'write to your own ROM' mechanism.

Indeed, but AFAIK these Konami games only try to overwrite themselves at boot. Or was it periodically, as @saccopharynx pointed out that Zemina games do (at boot and before each boss, for instance)?

I'm thinking how tedious it would be to patch a MegaROM game that tries to overwrite itself on each page change...
