My SOP was always to buy a game, use Alcohol 120% to rip it to an image file, then put the disc back in its case, and on a shelf, where it would live from that day on. I have no problem with buying software. I have a big, big problem with not being able to use the software I bought. (And I didn't care much for disc swapping. Much faster and easier to just run-from-NAS.)
The "A" variants are actually "ANSI" variants. The distinction is that unlike ASCII, which is 7 bits and has only one "flavour", the characters are 8 bits and there are many ANSI codepages (encodings). You probably know this but some viewers may not.
My favorite personal crack of mine... Well I have a few, but high on the list was cracking the Windows 95 OSR2 installer. You could only use the installer to install a fresh install of Windows because it was intended for OEM use only. I used SoftICE to find that it was exiting the installer after detecting that there was a krnl386.exe file in the Windows System directory. I renamed this rather critical file when the installer was performing this check, and it allowed me to upgrade the existing Windows 95 installation I had. Probably my biggest regret moving to an NT based OS was leaving that tool behind. An honorable second place was figuring out you could bypass the Spear of Destiny copy protection with "Joshua." The game would respond with "Greetings Professor Falken, would you like to play a game of Spear of Destiny?" Not until the Wolf3D source did I ever see anyone offer that bypass.
Requiring you to have the physical key to play a game you paid for is just awful. The key may have gotten damaged, your machine may not support the physical connector the key is using, or your OS may not support the verification driver. And yes, a CD is a "physical key" in this case. And what was all that for? So you had to pay a third-party seller and the company got not even a cent from that transaction! Smart.
I dunno about this specific game; but you should play the game for a while to be sure since some games got traps for pirates and make cracked copies unplayable, unfair, annoying, unfinishable, or at the very least tell the player in some way they are not playing an authorized copy.
Great content. I'm a dev but haven't really worked at all with stuff like this. Great intro into the tools and techniques used to defeat DRM. I'll play around with this for sure
This is really well explained. I appreciate your Ghidra content specifically because it's particularly hard to explain. The way you show it feels like I get a peek into your brain as you debug it.
Based. Since it's abandonware and this is apparently a common issue, you should upload your patched EXE so that other people can experience a mediocre Jurassic Park game for free. Even mediocre to shitty games deserve to be archived and properly playable!
@@takemyhandtakemymind1337 Send it privately to someone who lives in DMCA ignored country like russia or iran and let him upload it. In those countries Sony's legal letters would go straight to trash.
@@integerofdoom69fym “shush” bro sorry for not wanting my ear drums destroyed bc a youtuber doesn’t know how to master audio??? insane ps. - to the creator, it wasn’t THAT bad, but definitely something to improve for the future :) amazing vid otherwise!
@zxphvr I'm not a creator, but I'm curious. Is there a standard we can follow? Like, a broadcast standard for loudness? I know YouTube will display average content loudness but will not compensate for it.
Apologies! I’m not an audio engineer so all my edits end up as “sounds good to my ears” I try to make it each video better than the last, so that means I get to learn some new skills (:
I remember looking on some BBSes in the 80's for how to bypass the manual check in Sierra Online games. I owned them, but it was a pain to always do it. They were all pretty much making a copy of the exe/cmd program and doing a manual debug to have it skip the word check.
I LOVE THIS GUY AND HIS CONTENT! I have learned so much from you and I think you're a modern day hero. Keep up the good work, you're saving the world with each video like this. And when the day inevitably comes that these corporations lobby congress enough to make anti-DRM tampering illegal, you will have prepared an entire generation of passionate script kiddies and full-blown programmers for the great cyber war of all time.
Bro I can barely do this kind of debugging on code that ISN'T obfuscated*, you're an absolute chad. *Technically, all code written by my coworkers is obfuscated by virtue of them writing it... =\
A company can spend 1 million dollars making a DRM but not design a website so that you can just hit the download button; instead you have to use a guide to download it from their own website.
I know assembly and a bunch of different ISA, I hacked into compilers, assemblers, linkers, debuggers... I did my own share of poking around and patching binaries, even for fun. But this is some next level stuff.
And I was happy because I made a NoCD patch for the Tomb Raider (1-5) series (without audio track of course) 😭 (In my defense, I had to write a bit of custom ASM code to modify the memory while running) Each of your videos is like "popcorn time" for me
You should either JMP or NOP out that JNZ opcode. As you patched it, it will only play with the disc removed. In this case you want to always JMP so it never shows the Message Box dialog.
Also, initterm does stuff like initializing global statics. Malware uses this sometimes to write its second stage out somewhere. This is called in the CRT startup, which you probably need to remove for your technique of smashing two binaries together. It also will require some patching so that the loader can reload the IAT. Probably better off just getting a proper dump.
Reminds me of that time I had to crack a piece of software I bought because they didn't send me the serial key, only for me to later find the sticker hidden in plain sight
Whenever I come across your videos I end up deeply amazed how different a perspective this offers on software. And every time I'm incredibly glad I don't have to deal with this and deeply fascinated by it.
Damn... Jurassic Park Operation Genesis... I had that game as a child and back then I tried to copy it by just opening the disk in the Windows Explorer, copying those files to the hard drive and then burning those files to another blank disk... needless to say that did not work XD
Hey Nathan, love your videos. One question for ya: is Ghidra safe to use? I'm wary to download something put out by the NSA. I mean part of me figures that it must be safe given that 1. it's open source and 2. reverse engineering people are an amazingly bad choice of target for a backdoor, given that they're uniquely equipped to find it. Idk though
Ghidra was released in 2019 and it is hugely popular with reverse engineers. I would expect that in the past 5 years someone would have found a backdoor. If you don't trust it because it's from the NSA, use it in a VM without network.
Honestly, I'm not smart enough to understand half of what just happened. Unfortunately. But at least you made it entertaining enough for me to stick through it.
Now we're in the age of kernel drivers that detect debuggers and would either prevent attaching or would just produce garbage in the disassembly (cough cough Anti-cheat cough). If the developer is a smaller size (i.e. they can't afford to make a kernel driver) they'll just use virtualization now instead of obfuscation. There's still the static aspect of it like unpacking, but now you'll need tools like VTIL or LLVM to lift the VM instructions. A real headache.
This is absolutely awesome! Thanks a *whole bunch* for showcasing your journey! I also have a few games that I bought and that can no longer run on modern laptops because there's no DVDROM drive anymore. One is TR Legend, which is protected with Securom v7, apparently. Will this technique work, knowing that I don't have a windows machine but am using Wine under Linux?
Doubt it's that easy. The key might as well be encoded as defective data. I don't know what dd is doing with defective data, if it's just skipping over or changing them to (valid) 00's.
Okay, so I don't know code which means I barely understand a word you're saying, but I love watching these because there's something cathartic about watching someone successfully eradicate the DRM that's been plaguing software for so long
Why are British people so good at assembly stuff? Is it because they had access to the Zed X Spectrum in the 80's, while the rest of the world only had the Zee X Spectrum? I think that might be it. Must have propagated culturally from there.
Ah yes VMware downloads... we use VMware at work and when the IT department forgets to link the download link to standard software like "VMware View" the pain starts...
Dude, trying to find VMware downloads is absolutely ridiculous. I don’t understand how they let it be this bad. THEY DONT EVEN LINK TO THE DOWNLOAD ON THE BLOG TALKING ABOUT THE CHANGES ON THEIR NEW VERSION RELEASE!!! WTF?!? Don’t even get me started about kernel headers. There’s a reason why VMware is decreasing in popularity in favor of others. Rant over. Sorry about that. lol Love your videos!
Hey Nathan! Amazing video as always. As far as the dumping thing goes, did you by chance find memory mirror? A tool made by my friend Chainfailure, and I have contributed to it a bit, myself. If you wanna investigate that further, I'm pretty experienced with the process. Wouldn't mind helping you debug why the dump isn't producing a valid binary. ❤
Mate, this is just another day in the office for you. I'll buy you a pint if I ever meet you lol. But, other than completely running an app on a server for the ultimate in crack proofing, what would you say is the most secure way a developer can try to protect their apps/games that are installed on a local machine in 2025? Thanks for another great video.
I love these videos.... So many things I wouldn't even think of until I've noticed them or someone spells them out for me the first time (The Exe is basically dropping the DLL at load time.... Sure,! Why not! Would I have figured that out on my own? Maybe after like 3 weeks of pounding my head on the wall going "It's too old to be downloading it, have I checked EVERY file in the %path%?, Where is this file!????). Hopefully I can actually remember it when it comes up.
Love your content, just subscribed. As c#-er I have to ask, does reading assembly get better? Do you automatically see the jump instructions and structure?
Want early access to new videos and some behind the scenes content? Consider becoming a channel member ruclips.net/channel/UCQvW_89l7f-hCMP1pzGm4xwjoin
☕ - I also have coffee | 0xcoffee.com - ☕
Use VirtualBox. I don't know if it's better or worse, but I know it's far less of a headache. I used to use VMWare all the time, but they kept changing it on each stupid revision, and modifying the configuration files, and then when you imported an older VM into a newer player, you couldn't go back to an older player, which made sharing a single VM among multiple real machines a nightmare.
fuzzywzhe its worse. It's just better to use VMWare 12 (latest is 17)
This is not just a game crack; this is an educational case study in defeating obfuscation, runtime decryption, and DRM il-logic.
DRM "logic" 😂
With a touch of fun 🎉 Very entertaining ❤
@@bfth121Yes because DRM isn't random, it has logic, it's structured...
Glad you enjoyed it (:
Wait until we get to byte snatching, that one's a doozie too.
just want to mention that not too long ago, i decided to no-cd crack a game from my childhood after watching a bunch of your videos. i got lucky, turned out i just had to change a single jmp to skip straight to the success branch after the cd check and it works flawlessly. love these videos, please make them for the remainder of all time, thank you.
Sometimes we just get lucky (:
I thought I managed something similar a few years back when I bypassed the CD key check for Din's Curse. Turns out they had additional checks that caused crashes and other unexpected behavior if you do that lol.
what game was it?
i can confirm that if you change the JWZ to JZ in Thomas Railway Adventures (2001), it makes the CD popup go away and cracks the game. but that game also doesn't have proper DRM which is why it is so easy.
Shogo mobile armor division is another game where a single byte change bypassed the CD-ROM check.
It's a crime what Broadcom did to VMWare, but luckily, the CDS is still up, and accessible.
i hate them, it's all broken now since ~17.5
@@St0RM33 Why? What happened!?
Why not use virtualbox?
delete vmware install virtualbox
@@SarahC2 They broke WinXP video acceleration on 17.6 and removed features like printer passthrough on 17.5. Thus every time you click the print button it takes 30sec to initialize the network printer, freezing your app. Even just trying to register and report the issues to their forums is broken. Broadcom = Literal trash
This is insane. The fact that the program judges how long some code runs, and throws you elsewhere if it's taking too long because it KNOWS you're using a debugger. That's just dirty lol. This kind of stuff is way above my current knowledge, but I love it.
I wonder if you can spoof that information as it runs somehow? @nathanbaggs
It was already being done with the ZX Spectrum. There was an auto-incrementing register ("R" for "refresh") that programs normally had no use for - so imagine one's surprise when seeing a debugged program load a value in it then compare it to another a few instructions later - just to see if it was running in real time or stepping through a debugger, obviously...
On the bright side, if this is a standard technique used by SecuROM then applying the same debug techniques should work across multiple games protected by SecuROM.
well that was the hot shit in 2003...
Debug checks are a funky one. The big DRM of the day today doesn't use them but they're still pretty standard. Only really an annoyance now: they get worked around pretty quickly 😊
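The comments above describe the ZX Spectrum version of the timing check the video runs into: read the Z80 refresh register R, execute a known stretch of code, read R again and compare the delta with a constant. On real hardware bits 0-6 of R advance by one on every opcode fetch (M1 cycle) and bit 7 is only ever written by LD R,A, so a program that is single-stepped sees the monitor's own fetches added in between and the delta no longer matches. The following is an added example, not code from the video or from any commenter: a toy CPU model with only the registers the trick needs, a constructed protected sequence, and a knob that stands in for a single-stepping debugger. The M1 counts per instruction and the instruction list are assumptions for illustration; the only real hardware rule modelled is the 7-bit per-fetch increment.

```python
# Added example: toy model of the Z80 "R register" anti-debug trick (not from the video).
R_MASK = 0x7F  # only bits 0-6 of R count up; bit 7 is preserved across fetches


class ToyZ80:
    """Just enough CPU state for the trick: A, a scratch register B, the refresh
    register R and the Z flag. Everything else is left out on purpose."""

    def __init__(self):
        self.a = 0
        self.b = 0
        self.r = 0
        self.z = False

    def fetch(self, count=1):
        """Advance R once per opcode fetch (M1 cycle), keeping bit 7 as is."""
        for _ in range(count):
            self.r = (self.r & 0x80) | ((self.r + 1) & R_MASK)

    def execute(self, mnemonic, m1_cycles, operand=None):
        self.fetch(m1_cycles)
        if mnemonic == "LD A,R":
            self.a = self.r
        elif mnemonic == "LD B,A":
            self.b = self.a
        elif mnemonic == "NOP":
            pass
        elif mnemonic == "SUB B":
            self.a = (self.a - self.b) & 0xFF
        elif mnemonic == "AND n":
            self.a &= operand
        elif mnemonic == "CP n":
            self.z = self.a == operand
        else:
            raise ValueError("unsupported mnemonic: %s" % mnemonic)


def timing_check(expected_delta):
    """Constructed protected sequence as (mnemonic, M1 fetches, operand).
    ED-prefixed LD A,R is two opcode fetches; the rest are one. What matters
    is that the counts are constant when nothing else runs in between."""
    return [
        ("LD A,R", 2, None),          # snapshot R
        ("LD B,A", 1, None),
        ("NOP", 1, None),             # the code being "protected"
        ("NOP", 1, None),
        ("NOP", 1, None),
        ("LD A,R", 2, None),          # read R again
        ("SUB B", 1, None),           # A = R_now - R_before
        ("AND n", 1, R_MASK),         # the counter is 7-bit: compare modulo 128
        ("CP n", 1, expected_delta),  # Z set -> delta matched -> "not debugged"
    ]


def run(program, monitor_fetches_per_step=0):
    """Run the check. monitor_fetches_per_step models a single-stepping monitor
    whose own instructions are fetched (and so bump R) between every step."""
    cpu = ToyZ80()
    for mnemonic, m1, operand in program:
        cpu.execute(mnemonic, m1, operand)
        cpu.fetch(monitor_fetches_per_step)
    return cpu.z


def expected_delta():
    """How the protection author picks the constant: run the sequence once
    undebugged, up to the compare, and read what lands in A."""
    cpu = ToyZ80()
    for mnemonic, m1, operand in timing_check(0)[:-1]:
        cpu.execute(mnemonic, m1, operand)
    return cpu.a


if __name__ == "__main__":
    delta = expected_delta()
    print("expected delta:", delta)
    print("clean run passes:", run(timing_check(delta)))
    print("single-stepped run passes:", run(timing_check(delta), 20))
```

Two things worth noticing from the model. First, the check does not care about wall-clock time at all, only about how many fetches happened, so it cannot be spoofed by slowing the clock; the usual bypasses are patching the CP/JP pair, or stepping with a breakpoint placed after the second LD A,R so no monitor code runs inside the measured window. Second, because R is a 7-bit counter the comparison only sees the delta modulo 128, so a monitor whose per-step overhead happens to be a multiple of 128 fetches slips through unnoticed. The x86 analogue the video deals with swaps R for a cycle or tick counter, but the structure of the check is the same.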
This earned a sub. I once cracked a dongle based drm on an application with... a NOP. This was DOS days; I found where the instructions branched in assembly, tried it, it worked, so I changed the binary with a hex editor. Seeing you changing exactly one instruction to reverse the logic made me remember that.
I'm convinced that's what made me the better programmer I am today. I started with patches I'd find on *P*. Then I found an x86 disassembler. Once I could read the assembly, I would look up the mnemonics to understand what the code was doing... without a debugger. Then when I found the comparisons and jumps, I knew I was in the ballpark. Using a hex editor, usually Norton Disk Editor (I think?), I got to the point where I could recognize the opcodes and knew that that 0x74 or 0x75 probably needed to be an 0xEB or 0x90.
Once had to crack a disk recovery tool because I was poor and couldn't find anything better. The demo only let you recover files under 64K. I was able to increase the limit but that caused some other issue (I forget now). So I made it set the limit to the size of the current file, and it worked perfectly.
Elite for the Sinclair ZX Spectrum took some effort: The hard part was getting a memory image at the point of the completion of tape loading, as the tape loader would overwrite itself several times during the load!
Once that was done, it wasn't too hard to find the Lenslok check. And that was defeated by changing a single bit !
BE [CP (HL)] -> BF [CP A]
'Frontier' Elite 2 for the Amiga was a joke! I had that broken in under 15 minutes!
It asked for a word from page/paragraph/line ... and the list was in the binary ... in plain ASCII !!!
I told a friend who had the PC version and he confirmed it also used the same wet-paper-bag protection! :D
@Lord-Sméagol regarding the word check, I came up with a similar crack for Rampart I think it was; maybe X-Wing. I found a section of plaintext which had what seemed like the copy protection answers tightly squished together. I replaced them all with NULL (0x00) which I guess made a comparison if NULL == NULL. When it would ask me to type something, I would just press the Enter key. There was probably a more elegant patch which would have also skipped the question, but my solution was quick with little work.
Securom and Safedisc ... the 2 game DRM's of the late 90s, early 2000s ...
When W32DASM and SoftICE were the tools of choice.
Brings me back sometimes. (Still remembered GetDriveTypeA with 5 being CD-Rom ... and will probably remember the most important Hex Values 74,75,EB and 90 ;) )
Great Video
btw: your last patching results in the .exe now showing the message box if you have the CD inserted I guess ;). Would have been rejected by other groups back in the day.
(don't forget OllyDbg)
I looked up what those values mean, I'm sure game publishers agree with Dijkstra when he said that goto statements are considered harmful 👀
Softice, w32dasm, pvdasm, ollydbg... so much fun back then
@@vlc-cosplayer In the end, in Assembler, it will always be goto. The cpu will always have to jump around. It's for higher languages that goto should be avoided.
@@MrBunt What? Now, it has been a fair minute since I dealt with any asm. But most architectures' asm does have some semblance of a `call` instruction. It's not "always" goto.
Sony installed malware on computers with Coldplay X&Y album
hey i like that record it’s got some good songs on it
Shout out to yates!! I just want to mention that you don't need the cd to obtain the key to decrypt the code. Securom could even be nocd's with one clever byte patch while debugging but I cant remember the details for that. If you do want more information on the encryption side of things for knowledge sake however let me know and I'll try and reach out to you. This was an awesome video and it brought back many old memories!
I very well remember Sacred 1's DRM, it was genius, bypassing the CD requirement must have been easy, because cracks were available soon after release. However, while the game was running, it added a nice "feature" if it was launched without CD, a few hours in whenever you entered a cave, house, whatever, it had a roughly 75% chance of teleporting you to a remote island with no way of getting back (except for reload and retry). The devs had their fun with people coming to the official forum, being stuck on that very island, unknowingly outing themselves as having illegitimate copies of the game.
What a video and an amazing ending. Definitely worth the hard work! Some real devious techniques used in this one. Overall extremely impressive
Whenever I watch your videos I always think "I wish these videos were around when I was learning all of this". Thanks for taking the time to make your content, as someone who has always liked taking things apart to see how they work I appreciate how long it takes to get to the final outcome (and then on top of that you make enjoyable content talking though it all).
Thanks for sharing knowledge (and being able to keep it entertaining!)
The last patch should be JMP (EB) instead of JE/JZ (74), or you might run into problems if the CD is accidentally present. Or you could NOP (90) the whole if branch including the trailing JMP at 0x00484390.
Good point! I was just happy it worked
Hahaha, yup. I made the same comment. Obviously someone else who went to the same trade school as me. 😂
@@R.B. Yea, I literally snapped instantly and yelled NOOOO! XD
I'm curious what happens if the CD is present with the cracked .exe 🤔
@@SilverLays it would ask for cd
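The thread above, and the earlier comments about 0x74/0x75/0xEB/0x90, are all about the same one-byte decision: whether to invert the conditional jump, force it, or NOP it. The following is an added example (not code from the video or from any commenter) that makes the difference concrete. The code fragment is constructed: it assumes the check routine leaves a non-zero value in EAX when the disc is present and that a JNZ then skips the "insert CD" message box, which is the layout the comments describe for the video's last patch. The helper applies each of the three patches to that fragment and evaluates the branch the way the CPU would, with and without the disc.

```python
# Added example: what the one-byte jump patches do to a CD check (not from the video).
JE, JNE, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90

# Constructed 32-bit x86 fragment standing in for the check discussed above.
#   85 C0      test eax, eax        ; EAX != 0 when the disc check passed
#   75 0B      jnz  continue_game   ; taken -> game runs, not taken -> message box
CHECK = bytes([0x85, 0xC0, 0x75, 0x0B])
BRANCH_OFFSET = 2  # index of the Jcc opcode byte within CHECK


def patch(code, offset, mode):
    """Return a copy of `code` with the short conditional jump at `offset` patched.

    invert: 0x74 <-> 0x75. The check still runs, only its sense is flipped.
    force:  0xEB (JMP rel8). Always taken; the displacement byte is reused as is.
    nop:    0x90 0x90. Never taken; both opcode and displacement are overwritten.
    """
    if code[offset] not in (JE, JNE):
        raise ValueError("no short Jcc at offset %#x" % offset)
    out = bytearray(code)
    if mode == "invert":
        out[offset] = JNE if code[offset] == JE else JE
    elif mode == "force":
        out[offset] = JMP_SHORT
    elif mode == "nop":
        out[offset:offset + 2] = bytes([NOP, NOP])
    else:
        raise ValueError("unknown mode %r" % mode)
    return bytes(out)


def branch_taken(code, offset, eax):
    """Evaluate `test eax, eax` followed by the jump at `offset` as the CPU would:
    TEST sets ZF when EAX is zero; JE takes on ZF=1, JNE on ZF=0, JMP always,
    NOP never."""
    zf = (eax == 0)
    return {JE: zf, JNE: not zf, JMP_SHORT: True, NOP: False}[code[offset]]


def game_runs(code, cd_present):
    """True when the (possibly patched) fragment skips the message box."""
    return branch_taken(code, BRANCH_OFFSET, 1 if cd_present else 0)


def behaviour(code):
    """(runs without disc, runs with disc) for one fragment."""
    return game_runs(code, False), game_runs(code, True)


if __name__ == "__main__":
    for name, code in [("original", CHECK)] + [
        (mode, patch(CHECK, BRANCH_OFFSET, mode)) for mode in ("invert", "force", "nop")
    ]:
        no_disc, disc = behaviour(code)
        print("%-8s %s  no disc: %-5s  disc: %s" % (name, code.hex(" "), no_disc, disc))
```

With this layout "invert" is the patch the thread objects to: it plays without the disc and shows the message box when the disc is in, which is exactly backwards from what a no-CD patch should do, while "force" plays in both cases and "nop" never plays. Which of JMP and NOP is correct depends on which side of the branch is the failure path: a jump that goes past the message box gets forced, a jump that goes to the message box gets NOPed. Two practical caveats the comments also touch on: the offset you patch is a file offset, not the virtual address you saw in the debugger, so it has to be translated through the section table; and when the code is decrypted at runtime, as with SecuROM here, the patch has to go into the dumped image, since the bytes on disk are not the ones that execute.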
I'm surprised that you didn't go in expecting the import table to be mangled in the dump. That is very, very common. There was one game with StarForce DRM that hadn't had a crack released for over a year, and I managed to get a good dump of the code and a good OEP, but I could not get a good import table dump, so I had started rebuilding it by hand. Two days into writing down addresses and I decided to check if someone had finally released a crack, and they had.
You see I had bought the online version of the game that only allowed for one activation. Eventually I had to reinstall Windows, and then the game could no longer be activated. Ubisoft support ignored me, of course, so I went on the high C's. There were ways to play it with a virtual disc, but those didn't work until I removed a PCIe capture card I had.
I've been watching these for a while, but I really like this one. The different techniques used to get at the obfuscated game code will be really helpful for me when I'm trying to track down process errors on my computer (mostly from running modded Minecraft lol).
What a mess of obfuscation and anti-debugging techniques. Kudos for navigating through that successfully!
imagine some madman tackling denuvo and documenting the entire thing from scratch.
Fun to see how people approach "the classics" all these years later - without tools like imhotep, imprec, procdump, nticedump and whatnot ;-)
Sent me down memory lane (ah, the good old EFnet days), and got me looking through my archives for an old paper - but it turned out it was for safedisc, not secu-rom. I wonder if "The twilight of Safedisc" is still available somewhere... so much old stuff is not readily available online anymore.
DRM Makers: "DRM has no performance impact" ....... yeahhhhhhhh sure...
So the reason the game likely didn't work after inserting the CD is because of SecuROM and Microsoft.
The short story is, SecuROM does weird things to the host machine to get their DRM.... DRMing. This is basically a rootkit. Microsoft released an update to Windows 7 which basically bricked the SecuROM DRM/rootkit making any game using DRM unplayable.
While the update was for Windows 7, later OS versions also won't play SecuROM games, obviously.
Which sounds to me like the DRM illegally hacking your computer.
@@hanelyp1 yup. but hey it was the 2000's and 90's
@@hanelyp1 it's only illegal if you aren't a corporation
The company responsible for SecuROM was Russian on top of that
@ Stop being hyperbolic. They haven't "hacked" and screaming "ILLEGAL" at such petty things really takes the winds out of the sails of future arguments. My own usage of rootkit is a bit hyperbolic.
Now do it with Denuvo please
lol
No sane person will do that, last i checked it was a clusterfuck and the cherry on top is that it's always used with some other DRM doubling the misery.
@@pvim Gotta start somewhere. The sooner people start working on Denuvo the sooner it can be defeated. Think of the number of games that we could free from its control.
This is something that really should be done.
Sorry, only the most mentally deranged crackers will actually devote their time to cracking denuvo
I remember trying to defeat the new SafeDisc 2 DRM used by Red Alert 2, thinking I had done it fairly quickly, only for everything to self-destruct after 30 seconds
I remember I used to use game cracks for games I owned, just because I found the whole disk swapping bit tedious. I later found out that for Beyond Good & Evil they'd made it so you got half way through the game and a particular key puzzle was impossible because they'd detected the crack. And the save games from the cracked and uncracked versions were incompatible too. Seems whoever did the crack missed that there were other checks going on.
So the idea was 'you have to restart if you buy the game'. Which makes no sense to me.
@@enosunim No, the idea is probably more like, you can't just use a legit copy to give you a saved game file that you can use to get around it.
My SOP was always to buy a game, use Alcohol 120% to rip it to an image file, then put the disc back in its case, and on a shelf, where it would live from that day on.
I have no problem with buying software. I have a big, big problem with not being able to use the software I bought. (And I didn't care much for disc swapping. Much faster and easier to just run-from-NAS.)
The "A" variants are actually "ANSI" variants. The distinction is that unlike ASCII, which is 7 bits and has only one "flavour", the characters are 8 bits and there are many ANSI codepages (encodings). You probably know this but some viewers may not.
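To make the comment above concrete, here is an added example (not code from the video or from anyone in this thread) showing why a byte handed to an "A" API is ambiguous while a UTF-16 code unit handed to a "W" API is not: the same 8-bit value decodes to a different character under each Windows code page, and the same character encodes to different bytes. The list of code pages is my own choice; it uses only Python's standard codecs, so it runs on any OS.

```python
"""Added example: the ambiguity of 8-bit "ANSI" bytes versus UTF-16.

A Win32 "A" function receives bytes whose meaning depends on the active
code page; a "W" function receives UTF-16 code units whose meaning is fixed.
"""

# Windows code pages chosen for illustration (names are Python's codec aliases):
# Western European, Cyrillic, Greek, and the old DOS "OEM" page.
CODE_PAGES = ["cp1252", "cp1251", "cp1253", "cp437"]


def decode_byte(b: int) -> dict:
    """Decode one 8-bit value under each code page.

    Bytes below 0x80 agree everywhere (that half is ASCII); bytes at or above
    0x80 are where the code pages diverge, which is the whole problem with "A" APIs.
    """
    return {cp: bytes([b]).decode(cp, errors="replace") for cp in CODE_PAGES}


def encode_char(ch: str) -> dict:
    """Encode one character under each code page (None when the page cannot
    represent it) and under UTF-16LE, which the "W" variants use."""
    out = {}
    for cp in CODE_PAGES:
        try:
            out[cp] = ch.encode(cp)
        except UnicodeEncodeError:
            out[cp] = None  # character simply does not exist in this code page
    out["utf-16-le"] = ch.encode("utf-16-le")
    return out


def decodes_unambiguously(b: int) -> bool:
    """True when every listed code page turns byte `b` into the same character."""
    return len(set(decode_byte(b).values())) == 1


if __name__ == "__main__":
    for b in (0x41, 0xE9):
        print(f"0x{b:02X}:", decode_byte(b), "unambiguous" if decodes_unambiguously(b) else "ambiguous")
    print("'é' ->", encode_char("é"))
```

Running it shows byte 0xE9 is "é" under cp1252, "й" under cp1251, "ι" under cp1253 and "Θ" under cp437, while "é" itself is 0xE9 in cp1252, 0x82 in cp437, unrepresentable in the Cyrillic and Greek pages, and always `E9 00` in UTF-16LE.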
Honestly I always found scrolling through the assembly easier than the pseudo C back in the day (when you had to use SICE to crack IDA 😅)
Sometimes it still is easier
intel style assembly is definitely easier to read than C
That's quite a feat cracking ida with softice
My favorite personal crack of mine... Well I have a few, but high on the list was cracking the Windows 95 OSR2 installer. You could only use the installer to install a fresh install of Windows because it was intended for OEM use only. I used Soft ICE to find that it was exiting the installer after detecting that there was a krnl386.exe file in the Windows System directory. I renamed this rather critical file when the installer was performing this check, and it allowed me to upgrade the existing Windows 95 installation I had. Probably my biggest regret moving to an NT based OS was leaving that tool behind.
An honorable second place was figuring out you could bypass the Spear of Destiny copy protection with "Joshua." The game would respond with "Greetings Professor Falken, would you like to play a game of Spear of Destiny?" Not until the Wolf3D source did I ever see anyone offer that bypass.
If you are an assembly coder then yes. Looks like you are if you understand assembly easier.
15:12 You couldn't leave a reference to that out of the video XD
The fact this game didn't bring up Wayne Knight saying ah ah ah when you try to run the game with no disc is a travesty.
requiring you to have the physical key to play a game you paid for is just awful
the key may have gotten damaged, your machine may not support the physical connector the key is using or your OS may not support the verification driver
and yes, CD is a "physical key" in this case
and what was all that for? so you had to pay a third party seller and the company got not even a cent from that transaction! smart
BuT nO, DrM pRoTeCtS tHe DeVeLoPeR aNd ThE sTuDiO, iT iS gOoD.
AlSo No PeRfOrMaNcE iMpAcT!!!!1!
The moment you displayed the directory with the 30+ "SimJP_test2_patched2" binaries... dang I really felt that.
My graveyard of broken dreams
This is why I'm subbed, videos like this. Hopefully, all DRM will cease to exist in the future, but until then, we've always got videos like this.
14:25 Man, I can relate to that file naming scheme more than I'd like to admit.
I dunno about this specific game; but you should play the game for a while to be sure since some games have traps for pirates and make cracked copies unplayable, unfair, annoying, unfinishable, or at the very least tell the player in some way they are not playing an authorized copy.
This level of malice should be a criminal offense.
I'm 100% with you. what's fun is the puzzle/journey, not that we can now play a 25yo video game.
yeah lol I couldn't care less about the game honestly
Such an advanced DRM for a game with such goofy menu music
Great content. I'm a dev but haven't really worked at all with stuff like this. Great intro into the tools and techniques used to defeat DRM. I'll play around with this for sure
Fuck yeah, I love cracking vids. It brings me back to my time on windows manually extending my trials...
This is really well explained. I appreciate your Ghidra content specifically because it's particularly hard to explain. The way you show it feels like I get a peek into your brain as you debug it.
0:45 Omnissa's finest work.
"Well let's take a step back"
*proceeds to literally take a step back*
The joke was so funny, firstNamefirstName1234 had to repeat it.
I remember playing a rented copy of this on my OG Xbox as a kid! Tranquilizing a loose T-Rex from a helicopter was the most memorable bit for me.
Based. Since it's abandonware and this is apparently a common issue, you should upload your patched EXE so that other people can experience a mediocre Jurassic Park game for free. Even mediocre to shitty games deserve to be archived and properly playable!
Knowing Sony they would sue his ass to bankruptcy. xD
@@takemyhandtakemymind1337 better leak on some p2p without any reference to him.
@@takemyhandtakemymind1337 Send it privately to someone who lives in a DMCA-ignored country like Russia or Iran and let him upload it. In those countries Sony's legal letters would go straight to the trash.
@@takemyhandtakemymind1337 don't say who you are
there was a cracked exe in the download already tho
Please don't make the clips and sound effects much louder than your voice.
Shush
@@integerofdoom69fym “shush” bro sorry for not wanting my ear drums destroyed bc a youtuber doesn’t know how to master audio??? insane
ps. - to the creator, it wasn’t THAT bad, but definitely something to improve for the future :) amazing vid otherwise!
@zxphvr I'm not a creator, but I'm curious.
Is there a standard we can follow?
Like, a broadcast standard for loudness? I know youtube will display average content loudness but will not compensate for it.
Apologies! I’m not an audio engineer so all my edits end up as “sounds good to my ears”
I try to make it each video better than the last, so that means I get to learn some new skills (:
@@nathanbaggs Good rule of thumb: any clip/VFX always at least 3 dB quieter than your voice
Wow. You must have spent an insane amount of time on this. Fantastic job. I really enjoy these videos.
You were so preoccupied with whether or not you could, you didn't stop to think if you should...
Wow! So the DRM was not terrible in quality, but terribly tricky to defeat. Very well done!
That's the music that plays when you die and are seeing your whole life in front of your eyes
I'm not gonna pretend I understand what's going on, but I'm here for it
I remember looking on some BBS' in the 80's how to bypass the manual check in Sierra Online games. I owned them, but it was a pain to always do it.
They were all pretty much making a copy of the exe/cmd program and doing a manual debug to have it skip the word check.
wait what.. you installed ghidra on your host machine? some true balls of steel there.
keep up the very good educational work. thanks!
Love your step by step commentary on this. Debugging and reverse engineering these kinds of things is both fascinating and educational.
What a nostalgic trip in the 1st few seconds with this main menu. 100% going to be a great video!
severely underrated channel
I LOVE THIS GUY AND HIS CONTENT! I have learned so much from you and I think you're a modern day hero. Keep up the good work, you're saving the world with each video like this. And when the day inevitably comes that these corporations lobby congress enough to make anti-DRM tampering illegal, you will have prepared an entire generation of passionate script kiddies and full-blown programmers for the great cyber war of all time.
Bro I can barely do this kind of debugging on code that ISN'T obfuscated*, you're an absolute chad.
*Technically, all code written by my coworkers is obfuscated by virtue of them writing it... =\
A company can spend 1 million dollars making a DRM but not on designing a website so that you can just hit the download button; instead you have to use a guide to download it from their own website.
I know assembly and a bunch of different ISA, I hacked into compilers, assemblers, linkers, debuggers... I did my own share of poking around and patching binaries, even for fun. But this is some next level stuff.
Guys, we found Empress.
i've always heard industry people pronounce SecuROM as "SECK-you-rom"
That's strange. I always thought it was "FECK-u-Rom" because no one likes DRM.
Potato tomato
+1 for the clean modern c++23 code
It was not clean code by the end…
YESSSSSS
I LOVE THIS GAME, i would usually use some online cracked version, but seeing you do a video, magnificent
And I was happy because I made a NoCD patch for Tomb Raider (1-5) series (without audio track of course) 😭
(In my defense, I had to write a bit of custom ASM code to modify the memory while running)
Each of your videos is like a "popcorn time" for me
A true British explorer of the Cyber Realm
You should either JMP or NOP out that JNZ opcode. As you patched it, it will only play with the disc removed. In this case you want to always JMP so it never shows the Message Box dialog.
Also, initterm does stuff like initializes global statics. Malware uses this sometimes to write their second stage out, somewhere.
This is called in the CRT startup, which you probably need to remove, for your technique with the smashing of two binaries. It also will require some patching, so that the loader can reload the IAT.
Probably better off just getting a proper dump.
I would have never believed that they went to such lengths even back in the day.
Reminds me of that time I had to crack a piece of software I bought because they didn't send me the serial key, only for me to later find the sticker hidden in plain sight
Whenever I come across your videos I end up deeply amazed how different a perspective this offers on software. And every time I'm incredibly glad I don't have to deal with this and deeply fascinated by it.
Damn... Jurassic Park Operation Genesis... I had that game as a child and back then I tried to copy it by just opening the disk in the Windows Explorer, copying those files to the hard drive and then burning those files to another blank disk... needless to say that did not work XD
This is the only channel, if I see a video, I watch it all the way through.
Loved this video! Your dry humour made me laugh.
There is drm that goes even deeper, by loading different files for the story arc or spawn position or even unique immortal enemies.
Hey Nathan, love your videos.
One question for ya: is Ghidra safe to use? I'm wary to download something put out by the NSA. I mean part of me figures that it must be safe given that 1. it's open source and 2. reverse engineering people are an amazingly bad choice of target for a backdoor, given that they're uniquely equipped to find it. Idk though
Ghidra was released in 2019 and it is hugely popular with reverse engineers; I would expect that in the past 5 years someone would have found a backdoor. If you don't trust it because it's from the NSA, use it in a VM without network.
it is, but if you are worried there is plenty of similar (free) programs.
use IDA if you don't trust ghidra
@@L3ngenDairy that makes sense, thanks dawg!
Honestly, I'm not smart enough to understand half of what just happened. Unfortunately.
But at least you made it entertaining enough for me to stick through it.
Now we're in the age of kernel drivers that detect debuggers and would either prevent attaching or would just produce garbage in the disassembly (cough cough Anti-cheat cough).
If the developer is a smaller size (i.e. they can't afford to make a kernel driver) they'll just use virtualization now instead of obfuscation. There's still the static aspect of it like unpacking, but now you'll need tools like VTIL or LLVM to lift the VM instructions. A real headache.
This is absolutely awesome! Thanks a *whole bunch* for showcasing your journey!
I also have a few games that I bought and that can no longer run on modern laptops because there's no DVDROM drive anymore. One is TR Legend, which is protected with Securom v7, apparently. Will this technique work, knowing that I don't have a windows machine but am using Wine under Linux?
This is totally Level 500 Dark Witchcraft
jump if zero is OP AF :D. bro, video was cool as hell
Time to put this into my youtube archive for when this likely gets taken down
This entire video went over my head, but it was still interesting.
4:51 can't you use dd on linux to dump all the raw data from the disc, presumably including the key?
Linux and windows have the same functionality.
Doubt it's that easy. The key might as well be encoded as defective data. I don't know what dd is doing with defective data, if it's just skipping over or changing them to (valid) 00's.
Okay, so I don't know code which means I barely understand a word you're saying, but I love watching these because there's something cathartic about watching someone successfully eradicate the DRM that's been plaguing software for so long
I have no idea what you're saying but your delivery is impeccably British and I can respect that
Why are British people so good at assembly stuff? Is it because they had access to the Zed X Spectrum in the 80's, while the rest of the world only had the Zee X Spectrum? I think that might be it. Must have propagated culturally from there.
🇬🇧
Would be interesting to see the differences with the crack that’s provided if possible
Ah yes VMware downloads... we use VMware at work and when the IT department forgets to link the download link to standard software like "VMware View" the pain starts...
Dude, trying to find VMware downloads is absolutely ridiculous. I don’t understand how they let it be this bad. THEY DONT EVEN LINK TO THE DOWNLOAD ON THE BLOG TALKING ABOUT THE CHANGES ON THEIR NEW VERSION RELEASE!!! WTF?!? Don’t even get me started about kernel headers. There’s a reason why VMware is decreasing in popularity in favor of others.
Rant over. Sorry about that. lol Love your videos!
Remember, it's not cracking or hacking, it's GOG-ification.
Impressive!
Would be interesting to see you compare your method to the old crack.
Top notch work indeed.. paying attention, learning ..
We’ll beat the check up for it.
Hey Nathan! Amazing video as always.
As far as the dumping thing goes, did you by chance find memory mirror? A tool made by my friend Chainfailure, and I have contributed to it a bit, myself.
If you wanna investigate that further, I'm pretty experienced with the process. Wouldn't mind helping you debug why the dump isn't producing a valid binary.
❤
Mate, this is just another day in the office for you. I'll buy you a pint if I ever meet you lol. But, other than completely running an app on a server for the ultimate in crack proofing, what would you say is the most secure way a developer can try to protect their apps/games that are installed on a local machine in 2025? Thanks for another great video.
This guy needs to be a lecturer. Quality education here.
I love these videos.... So many things I wouldn't even think of until I've noticed them or someone spells them out for me the first time (The Exe is basically dropping the DLL at load time.... Sure,! Why not! Would I have figured that out on my own? Maybe after like 3 weeks of pounding my head on the wall going "It's too old to be downloading it, have I checked EVERY file in the %path%?, Where is this file!????). Hopefully I can actually remember it when it comes up.
I've been trying to reverse engineer the old Ivona Amy TTS system and this was very helpful!
I remember playing the shit outta that game as a child. Very happy to see it getting preserved while still learning things that are relevant to me:3
Love your content, just subscribed. As c#-er I have to ask, does reading assembly get better? Do you automatically see the jump instructions and structure?
Like all things, with practice you start to recognise patterns. I still don't find it easy though (:
I thought the phrase "terrible DRM" is like saying "dead corpse".
Haha this video is fantastic. Love the music and your skits. I used to play this game on xbox back in the day
Ah ah ah. You didn't say the magic word
consistently amazing, so glad to have found your channel