(bad?) DMK/PDI dump of Gize!/XIX - need advice...

Page 2/8
1 | | 3 | 4 | 5 | 6 | 7

By max_iwamoto

Champion (464)

max_iwamoto's picture

16-07-2019, 07:25

I haven't had so much fun in a long time. Very interesting protection with multiple encryption. I was thinking I will never get to the end of it...

Here is the first image:

I will try to make a clean version tomorrow since it almost 1:30 am here... Also would be nice to have a complete dump of disk 1 (4096 bytes are missing from it, it should be 720KB instead of 716).

Here is the selection menu:

And this is part of the intro:

By max_iwamoto

Champion (464)

max_iwamoto's picture

16-07-2019, 07:42

Looks like images in actual game have some issues.

But title screen is OK:

---

Game can be also started from DISK B. If you start game from DISK C, it will ask you to insert DISK A. DISK C also used to save the data.

So in my opinion the game is OK, we just need to have a good DSK dump. after that we need to remove protection on DISK A & B that should be similar and after that game will be 100% playable. I suspect the image issues in-game are because of missing 4096 bytes from DISK A.

Here one more sexy picture :)

---

Now we just need to translate the game to see what is happening there...

By shram86

Expert (88)

shram86's picture

16-07-2019, 08:23

Wow, amazing max. Fast too. The other 4kb should be present in all the other files. I'll try to dump a dsk with dsk tool as well, just in case.

Edit:
Here they are. Also any information you can give on this would be appreciated - I know that Cosmic Psycho more than likely uses the same, if not identical protection, and I find this sort of stuff fascinating.

By ImATrackMan

Expert (87)

ImATrackMan's picture

16-07-2019, 08:31

YES YES YES FINALLY MY COPY OF COSMIC PSYCHO ISN’T A SCARY PAPERWEIGHT

By Manuel

Ascended (15600)

Manuel's picture

16-07-2019, 09:57

Can you please explain how the protection works, Max?

By saccopharynx

Master (135)

saccopharynx's picture

16-07-2019, 12:44

Hey Max, nice work!!!

As a software security researcher, I would love to read a bit more about this protection. Please let us know! From what you mentioned, in regard to multiple encryption, it has just reminded me the Red Point boot/tape loaders, which had several encrypted blocks that were decrypted sequentially at run-time.

It is not clear yet why the disks Shram86 bought do not work, unless, perhaps, such disks are not original (or did you also find some damaged sectors?).

Cheers,
S

By max_iwamoto

Champion (464)

max_iwamoto's picture

16-07-2019, 15:37

shram86 wrote:

Wow, amazing max. Fast too. The other 4kb should be present in all the other files. I'll try to dump a dsk with dsk tool as well, just in case.

Edit:
Here they are. Also any information you can give on this would be appreciated - I know that Cosmic Psycho more than likely uses the same, if not identical protection, and I find this sort of stuff fascinating.

Thank you for the updated files! I will make IPS patches for them. I will post detailed information about protection here. There is still some stuff I do not understand.

By max_iwamoto

Champion (464)

max_iwamoto's picture

16-07-2019, 15:38

ImATrackMan wrote:

YES YES YES FINALLY MY COPY OF COSMIC PSYCHO ISN’T A SCARY PAPERWEIGHT

could you dump your copy? Looks like they can have a similar protections...

By max_iwamoto

Champion (464)

max_iwamoto's picture

16-07-2019, 16:26

Manuel wrote:

Can you please explain how the protection works, Max?

I will, there is still some parts I do not understand, I am now doing detailed research. But in short, the boot sector loaded to C000h and executed at C01Eh. The code there looks like that:

RET NC
LD SP,97FFh
LD A,(FCC1)
INC SP
INC SP
RET NZ

So, obviously stack equal 9801h and flag set to NZ. So it reads from stack data at 9801... and data there are FFFFh all day long... So PC jump to address FFFFh. So it's not same on all MSX computers and depends on where RAM is located. I assume game is meant for Turbo R, because at boot time it contains F7h (code for RST 30h) at the address FFFFh. So it reads address where to jump from ROM address 00001h and it is 6BC3h.... And on 6BC3h loacted POP HL + RET... So very interesting path but there is nothing inside stack to return to the code at the address C028h that is after RET NZ... And this is where we need to be. So the 1st thing we need to remove 2 INC SP & RET NZ. After that ganme starts. If we just remove RET NZ, stack will be at 9801h and when game load code to 9800h we will see the next crash.

So, now we pass this issue and the next one is to remove protection check and encryption...

To be continued...

By max_iwamoto

Champion (464)

max_iwamoto's picture

16-07-2019, 16:25

saccopharynx wrote:

Hey Max, nice work!!!

As a software security researcher, I would love to read a bit more about this protection. Please let us know! From what you mentioned, in regard to multiple encryption, it has just reminded me the Red Point boot/tape loaders, which had several encrypted blocks that were decrypted sequentially at run-time.

It is not clear yet why the disks Shram86 bought do not work, unless, perhaps, such disks are not original (or did you also find some damaged sectors?).

Cheers,
S

Well, protection on MSX is usually very basic and not even encrypted. They just checking bad sector, usually sector 0Eh and hang the game if they can read from it. looks like this game have a bad sector at the end of the disk that in my opinion is bad since not all drives can read well at the end of the disk. Having it at the beginning is way safer. Would be nice to see original disks pictures than we can understand if they original or copies. In my opinion they are original since they have a damaged sector. The issue here I suspect maybe some other piece of code or hardware to put correct data in stack around 9800h area or code needs to be redirected in some other area where it will return to C028h. So I still have to investigate this thing.

Regarding protections in general, the most sophisticated protections are on ZX-Spectrum and Amiga from my experience. On Spectrum you have huge protections based on register R and usually harder to decrypt or takes long time. Also before without emulators it was way harder. For Amiga, the most interesting is MFM protections since their controller allow to do amazing things with floppy disk. I remember one of them where they changed amount of sectors on the disk and you had to read all disk from original, copy to standard Amiga disk and adjust code to multiple by correct amount of sectors on the disk.

Page 2/8
1 | | 3 | 4 | 5 | 6 | 7