oh hello copy protection, fancy meeting you here
oh hey that's fun. this game has two layers of copy protection! if I hack the "check weird sector" code to always return 0 (for found-it), it tells me "Diskette/version out of phase"
they call the copy protection on two different sectors, and throw the out-of-phase error if they give the same result, I think
so you can't just overwrite check_copyprotection_sector with return 0
oh god they overwrite the DOS interrupt 1E in the middle, to make DOS think it's a different kind of floppy disk.
okay I now know HOW to crack the game, I just gotta write the x86 assembly.
normal people don't do this. normal people don't write 16bit DOS assembly in 2025.
I have 37 bytes. this won't be hard
and... it doesn't work.
tertiary copy protection?
I think they might be depending on the value of the weird sector elsewhere. like they're loading it SOMEWHERE, maybe they overwrite some code?

I need a comparative DOS CPU tracer.

Like, load two copies of the same EXE, and run until the execution diverges

THEY CHECKSUM THE FIRST 16KB OF EXECUTABLE RAM?
I patched the EXE to have the right value, but then they checksum it, and now the value is wrong!
insert pop-team-epic "you are motherfucker" here
they checksum memory MORE THAN ONCE!?
I patched out the checksumming and I think I've got it.

okay, so, the copy protection:

1. It checks for a sector that should not exist: Track 38, sector 113.
It's on a single-sided double density floppy (160kb), so there's supposed to be 8 sectors per track. But as we saw in this post: https://digipres.club/@foone/115011910054706753

this disk DOES have a sector 113.

so step one to bypassing the copy protection is hack that function to return "yes the sector exists".

EXCEPT THAT WON'T WORK. For two reasons. The first I'll get to later. The second is that the actual value of that sector matters, it gets read into memory and the bytes at 0x7-0x8 are checked later.

so I make sure those 2 bytes in memory are set. Easy!

the next phase of copy protection checks another sector: track 39, sector #25.

Another sector that doesn't exist, but it does, and it's 128 bytes long, and... they're doing evil things to DOS to make this readable. They switch the DOS format in memory, reset the disk IO system, and try to successfully read a 128byte sector. Somehow, apparently, this works?

Here's what track 39 looks like.
I think there's another layer of protection that I bypassed on accident

trying to figure out this possible third layer of protection before I continue.

today's scores- emulators crashed:
1. DOSBOX: 2 times
2. MartyPC 1 time
3. 86Box: 0 times

okay, tracked it down: it's just coming from the same sector 113 as loaded in step one. Anyway, if this isn't loaded properly, we'll trigger a "Diskette/Version out of phase" error. I fix this by just never checking if it's loaded: I NOP'd that part out

but if you apply these two patches, it'll STILL not work!

But it won't work silently. It'll pretend to work.

But at the end of the game, it'll change your tombstone, and not save your score:

It'll call you "Software Pirate" and say you were killed by the "Copy Protection Mafia"

that's because the checksum failed. it checksums the code segment, starting at 1000:0082 and going to 1000:4082 (16 kilobytes)

fun fact: this code is self modifying! not for copy-protection reasons, but for generic-interrupt reasons.

x86 doesn't have an INT r8 instruction, only INT imm8. So to generically call an interrupt, you have to either:
1. do a lookup to a bunch of INT 00h, INT 01h, INT 02h, INT 03h instructions, OR...
2. just rewrite your own code at runtime. overwrite the second byte of the "INT 00" instruction and bam, dynamic interrupts

but luckily for everyone, the call_interrupt function is at 1000:e3b6 so it's outside the checksummed 16kb

so, step 3: The checksums.
I hack out the checksum function so that when it's called, it just writes the "correct" answer into the return value.

I do it at the point where checksum_memory() is implemented, not where it's called, as there's two visible calls to the checksumming function, there may be more. this way it'll always return the right value.

(assuming they always checksum the same part of memory! a fun trick would be doing different chunks of RAM... but not here)
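
An added illustration (not part of the original thread, and not the game's code) of the coverage point in the posts above: a checksum over a fixed window notices any byte changed inside it, so self-modifying code such as call_interrupt only coexists with it when it sits outside the window. The 16-bit additive checksum, the exclusive end of the window and the memory image are assumptions constructed for the example; only the offsets 0x0082, 0x4082 and 0xE3B6 come from the thread.

```python
# Added example: what a checksum over a fixed code window does and does not see.
# Assumed: the algorithm (16-bit additive byte sum) and the constructed image.
import random

WINDOW_START = 0x0082    # 1000:0082, from the thread
WINDOW_END = 0x4082      # 1000:4082, treated as exclusive (16 KiB window)
CALL_INTERRUPT = 0xE3B6  # 1000:e3b6, the self-modifying INT imm8 helper

def checksum(seg: bytes, start: int = WINDOW_START, end: int = WINDOW_END) -> int:
    """Sum the bytes in [start, end) modulo 2**16 (assumed algorithm)."""
    return sum(seg[start:end]) & 0xFFFF

def build_segment(seed: int = 1) -> bytearray:
    """Constructed 64 KiB code segment with an 'INT 00h' at CALL_INTERRUPT."""
    rng = random.Random(seed)
    seg = bytearray(rng.randrange(256) for _ in range(0x10000))
    seg[CALL_INTERRUPT:CALL_INTERRUPT + 2] = b"\xCD\x00"  # opcode CD, imm8 = 00
    return seg

def set_interrupt_number(seg: bytearray, number: int, at: int = CALL_INTERRUPT) -> None:
    """Model the runtime rewrite: overwrite the imm8 byte after the CD opcode."""
    assert seg[at] == 0xCD, "expected an INT imm8 instruction here"
    seg[at + 1] = number & 0xFF

def window_covers(offset: int) -> bool:
    return WINDOW_START <= offset < WINDOW_END

def demo() -> dict:
    seg = build_segment()
    reference = checksum(seg)
    set_interrupt_number(seg, 0x13)        # rewrite happens outside the window
    outside_unchanged = checksum(seg) == reference

    inside = bytearray(seg)                # same helper, hypothetically at 0x2000
    inside[0x2000:0x2002] = b"\xCD\x00"
    ref_inside = checksum(inside)
    set_interrupt_number(inside, 0x13, at=0x2000)

    tampered = bytearray(seg)              # one flipped bit inside the window
    tampered[0x0100] ^= 0x01
    return {
        "call_interrupt_in_window": window_covers(CALL_INTERRUPT),
        "outside_rewrite_keeps_checksum": outside_unchanged,
        "inside_rewrite_breaks_checksum": checksum(inside) != ref_inside,
        "single_byte_patch_detected": checksum(tampered) != reference,
    }

if __name__ == "__main__":
    print(demo())
```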

@foone I rather appreciate that you end up being able to play and still get noticed as breaking the copy protection, shown at the end.
@foone Another one for the death generator?
@foone Oh I remember asking you about this ages ago, you said it was really rare! Very cool that you found an example in the wild!
@foone is this repeatable? i'd like to fix any crashes :)
@gloriouscow sadly not.
I had it running on my secondary monitor and I think the HDMI flickered, so the screen reset? and when it came back, MartyPC crashed.
@foone oh yeah that's a wgpu error. not much I can do about that :(
@foone what about PCBox
@ity haven't used it. I've already got 86box and I don't know if PCBox does anything different that'd really help me with what I'm emulating
@foone @ity PCBox is a fork of 86Box that started because 86Box devs didn't want Pentium III emulation interested. The reason for that is that there's no host CPU that can emulate the strongest Pentium II yet and SSE is another layer of complexity. It's not solving any problems, it's creating new ones if anything as it's actively synced with 86Box, so it has all potential 86Box problems and then some.

On less technical ground, Leah Rowe (the Libreboot person), on 5-6th June 2025, sent a bunch of mails to everyone they could find vaguely related (I'm AUR maintainer of 86Box) and Fedi posts (https://mas.to/@libreleah/114607733244403715). The email chain is called 'PCBox maintainer is a pedophile and child abuser' and it's about the main contributor on GitHub, fuel-pcbox. Admittedly, I haven't read it myself because the way Rowe tells stuff is usually drastic (I assume the link I posted has no CWs either), but from my friends that have read it, the accusations are grounded and started back in 2019. I can't really recommend trying PCBox for that reason.
@foone I remember writing a TSR for an ATARI that would intercept the disk I/O calls to fake the right data returned. 128 byte sector eh? oh boy.
@Dianora @foone yes so much channeling of those memories… whoops how did that DEC get turned into a NOP, hello infinite lives
@foone They probably studied at the California Institute of the Arts: https://en.wikipedia.org/wiki/A113
@foone checkmor, if you will
@foone they were VERY serious about their anti-piracy and anti-cheat measures.
@foone 🎶 Too many sums, too many sums… Too many sums, too many sums…
@foone I am behind seven checksums, I am uncrackable.
@foone so just make the last instructions in the checksum code return the value they want, or NOP the branch that would say otherwise.
@foone Cosmic ray detection?
@_thegeoff @foone 🤣 Exactly what I was going to post: "You're inventing a particle detector"
@foone actually that would be pretty rad!
@foone sync function stepping between two DOS boxes and xor the output?

@foone Remind me so much of old 68k protections on late ST games.

Jay it works. Wait, why can't I control anything on level 2...