The Brillanter the Hack, the Faster the Crack

  • Not so much a WTF as a cautionary tale with no moral. 

    Mycroft, fresh out of Maine Institute of Technology (all names have been changed), started a company named FlowerGarden to develop and sell commercial software for Acme's new Gladiolus computer.  This was more than 20 years ago, but FlowerGarden is still in business and Gladiolus computers are still around.

    Mycroft's business strategy worked quite well.  Before working on the "serious" products that are the main focus of the company's business, he and his employees quickly produced the first non-Acme product for the Gladiolus:  "Ferret Frenzy," a video game.  Ferret Frenzy was well-produced with attractive packaging.  For a few weeks it was the ONLY game on the computer-store shelf for the Gladiolus. 

    And it was a good game.  It sold well and made the FlowerGarden brand well-known.

    Like all games at the time, it came on a floppy disk.  So, like all games at the time, the disk had to be copy-protected.  But Mycroft knew that it would only be a matter of time before CopyThreeDEC (the program that could copy any copy-protected DEC tape) was ported to the Gladiolus.  So while his employees developed the game, he developed an unbreakable copy-protection scheme.

    It was brilliant.  The original Gladiolus floppy disk drive was controlled by a combination of hardware and software.  You could poke different values into the control register and make it turn at different speeds.  He devised a series of bits to be written on a control track (individually written for each disk, as the last step in manufacture) which would read as the correct value only if they were written and read back at a certain non-standard speed.  Disk-copying programs read and write at normal speed, so the copy was guaranteed to have the incorrect pattern.

    This was all done in assembly language, of course.  The beginning of Ferret Frenzy in pseudocode would look something like this:

      Start:
          allocate Key of 1000 bytes;
          pull constant data from here and there into Key;
          perform a bunch of complicated convolutions on Key;
          set disk drive to non-standard speed;
          allocate Buffer of 1000 bytes;
          read from disk into Buffer;
          set disk drive to normal speed;
          perform a bunch of (different) complicated convolutions on Buffer;

          // Now Key and Buffer have the same value ONLY if the track was
          // read correctly.

          compare Key to Buffer;
          if not equal then:
             eject disk;
             beep;
             shut down;
          end if

      PlayGame:
          ...

    If you attempted to copy the game with a normal disk copy, or even with CopyThreeGladiolus, which did appear shortly after Ferret Frenzy, the copy would only eject itself, beep and shut down.

    But even before CopyThreeGladiolus appeared, somewhere in Arcady a teenager named Iolanthe made a copy of the disk and cracked it in a couple of hours.

    Iolanthe knew how to read Gladiolus machine code.  She knew the machine code for "if not equal."  She knew the machine code for "eject disk".  She changed one byte of machine code on the copy, and now it read:

          compare Key to Buffer;
          if equal then:
             eject disk;
             beep;
             shut down;
          end if

      PlayGame:
          ...

    Mycroft still doesn't know about this, nor would he care at this point, but Iolanthe and her friends have the only version of Ferret Frenzy that runs on the Gladiolus II, the Power Gladiolus, the Gladiolus PowerBook, the iGladiolus ...

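    The check and the crack described in the post, as an added example in Python that is not part of the original post and not the real Macintosh code: everything here is a constructed model. The drive speeds, the two "convolutions" (xor with fixed pads plus a byte reversal, chosen so the factory can compute a matching control track), the bytecode and its opcode numbers are all invented for illustration. The model reproduces the behaviour the story describes: the shipped stub plays on the original disk and ejects on a copy, Iolanthe's one-byte branch flip makes the copy play, and the same flip makes the original disk eject. A second patch that NOPs out the eject/beep/halt bytes instead is included for contrast, since it plays on both disks.

    ```python
    """Constructed model of the Ferret Frenzy copy check and the one-byte crack.

    Hypothetical throughout: speeds, pads, bytecode and opcode values are made up
    for this example and are not any real disk controller or real binary.
    """

    NORMAL_SPEED = 300        # constructed values, arbitrary units
    PROTECTED_SPEED = 285     # the non-standard speed the check reads at

    SEED = bytes(range(16))                   # "constant data from here and there"
    PAD_A = bytes.fromhex("a5" * 16)          # constructed constants
    PAD_B = bytes.fromhex("3c" * 16)


    def xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))


    def derive_key():
        """First 'convolution': embedded constants -> Key."""
        return xor(SEED, PAD_A)


    def convolve_buffer(raw):
        """Second 'convolution', applied to whatever came off the disk."""
        return xor(raw[::-1], PAD_B)


    def manufacture_track():
        """Factory step: choose the control track so that, read correctly,
        convolve_buffer(track) == derive_key()."""
        return xor(derive_key(), PAD_B)[::-1]


    class Drive:
        def __init__(self, track, written_at):
            self.track, self.written_at, self.speed = track, written_at, NORMAL_SPEED

        def read_control_track(self):
            # Bits come back intact only if read speed matches write speed;
            # any other combination is modelled as a one-bit rotate of each byte.
            if self.speed == self.written_at:
                return self.track
            return bytes(((b << 1) | (b >> 7)) & 0xFF for b in self.track)


    def original_disk():
        return Drive(manufacture_track(), written_at=PROTECTED_SPEED)


    def copy_disk(src):
        """A disk copier reads and writes at normal speed: the copy carries the
        garbled pattern, and it is written at the wrong speed as well."""
        src.speed = NORMAL_SPEED
        return Drive(src.read_control_track(), written_at=NORMAL_SPEED)


    # Tiny bytecode for the start of the game. One-byte opcodes; JEQ/JNE carry a
    # one-byte target and differ from each other in a single bit.
    NOP, CHECK, JNE, JEQ, EJECT, BEEP, HALT, PLAY = 0x00, 0x10, 0x20, 0x21, 0x30, 0x31, 0x32, 0x40

    GAME_START = bytes([
        CHECK,        # 0: derive Key, read track at protected speed, compare
        JEQ, 6,       # 1: "if not equal then ..." compiles to: equal -> skip block
        EJECT,        # 3
        BEEP,         # 4
        HALT,         # 5
        PLAY,         # 6: PlayGame
    ])


    def run(code, drive):
        """Execute the stub against a drive; return the actions it performed."""
        pc, equal, actions = 0, False, []
        while True:
            op = code[pc]
            if op == NOP:
                pc += 1
            elif op == CHECK:
                drive.speed = PROTECTED_SPEED
                buf = convolve_buffer(drive.read_control_track())
                drive.speed = NORMAL_SPEED
                equal = derive_key() == buf
                pc += 1
            elif op in (JEQ, JNE):
                taken = equal if op == JEQ else not equal
                pc = code[pc + 1] if taken else pc + 2
            elif op in (EJECT, BEEP):
                actions.append("eject" if op == EJECT else "beep")
                pc += 1
            elif op in (HALT, PLAY):
                actions.append("halt" if op == HALT else "play")
                return actions
            else:
                raise ValueError(f"undefined opcode {op:#x} at {pc}")


    def crack_flip_branch(code):
        """Iolanthe's patch: invert the conditional branch after the check."""
        patched = bytearray(code)
        i = patched.index(CHECK) + 1
        assert patched[i] in (JEQ, JNE)
        patched[i] ^= 0x01              # JEQ <-> JNE: exactly one byte changed
        return bytes(patched)


    def crack_nop_body(code):
        """Alternative: leave the branch alone, NOP out eject/beep/halt."""
        patched = bytearray(code)
        for i, op in enumerate(patched):
            if op in (EJECT, BEEP, HALT):
                patched[i] = NOP
        return bytes(patched)


    def outcomes():
        """Final action of each (disk, code) pairing from the story."""
        orig, copy = original_disk(), copy_disk(original_disk())
        flipped, nopped = crack_flip_branch(GAME_START), crack_nop_body(GAME_START)
        return {
            "original disk, shipped code":   run(GAME_START, orig)[-1],
            "copied disk, shipped code":     run(GAME_START, copy)[-1],
            "copied disk, flipped branch":   run(flipped, copy)[-1],
            "original disk, flipped branch": run(flipped, orig)[-1],
            "original disk, nopped body":    run(nopped, orig)[-1],
            "copied disk, nopped body":      run(nopped, copy)[-1],
        }


    if __name__ == "__main__":
        for case, last_action in outcomes().items():
            print(f"{case:32} -> {last_action}")
    ```

    The point the model makes explicit is that the protection's strength lives entirely in the disk read, while the decision is a single conditional branch; any patch that changes the branch, or the bytes it protects, bypasses all of it. The flipped-branch variant also shows why Iolanthe's version was a copy-only build: on a genuine disk the inverted test fails.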



  • An excellent crack.  And, might I add, a beautiful story; almost
    poetic in its anonymization.  You could give Alex a run for his
    money.



  • Very interesting method of key "encryption".


    And where's this Maine Institute of Technology anyway? If I had known about it, maybe I would have gone there instead of the University of Maine.



  • Now, we get to 'crack' the anonymization code. Or try to.

    As much as Gladiolus sounds like the Amiga, my guess is that it must be Apple. After all, there was no Amiga Powerbook (* sob *), or iAmiga... But the PITA copy protection sounds a lot like stuff that Amiga software producers would come up with.

    If this were the Amiga, I might try to guess the software house. As it stands, I really don't have a clue.





  • @R.Flowers said:

    Now, we get to 'crack' the anonymization code. Or try to.

    As much as Gladiolus sounds like the Amiga, my guess is that it must be Apple. After all, there was no Amiga Powerbook (* sob *), or iAmiga... But the PITA copy protection sounds a lot like stuff that Amiga software producers would come up with.

    If this were the Amiga, I might try to guess the software house. As it stands, I really don't have a clue.


    Easy peasy. Gladiolus == Macintosh, Acme == Apple, FlowerGarden == Mark of the Unicorn, Ferret Frenzy == Mouse Stampede. (Do a Google search for the string "Mouse Stampede" "copy protection" and you'll get one result -- a page noting that CopyIIMac couldn't make a bootable Mouse Stampede disk!)

    (Since I wasn't using Macs back then, at first I thought it was Crystal Quest and Cassady & Greene, except that Cassady & Greene has been gone for years now, more's the pity.)

    (Oh, also: either Iolanthe leaked the hacked version or else later versions don't have this form of copy protection. A little searching will find a copy of Mouse Stampede which can be copied and played freely, if you have an older Mac.)



  • @R.Flowers said:

    But the PITA copy protection sounds a lot like stuff that Amiga software producers would come up with.


    Indeed. In my days as a games programmer I had a publisher who insisted that I come up with a copy protection scheme for an Amiga game. Given that the Amiga's disks were controlled in software, to the extent that you had to do your own MFM encoding and decoding if you didn't rely on the kernel, it was easy to come up with something which defeated all then-current disk cracking software.

    Unfortunately, the disk-duplication plant couldn't copy it either :-)



  • I named her Iolanthe after Gilbert & Sullivan's opera of course.  Iolanthe the fairy is condemned to death for having married a mortal.  The fairy law is quite clear:  "Every fairy shall die who marries a mortal."  But when all the other fairies fall in love with various members of Parliament, the entire group is in danger until the Lord Chancellor makes one tiny change in the law:  "Every fairy shall die who don't marry a mortal."




  • Nice, but this is a rather common hack. Spend a lot of time futzing with a key, and have a small subroutine that's easily compromised. I recall one cracker group (A) flaming another cracker group (B) over something like this. Group B's hack involved replacing the "jump to copy-protection check" instruction with NO-OP. Fine and dandy, except that right before run-time certain sections of the program would have their values incremented by the OS, so "jump to address 0x1000" would be "jump to address 0x1234", since the program started at 0x0234. The NO-OP instruction would, consequently, be changed, to an undefined instruction, and at best cause a core dump (and at worst execute halt-and-catch-fire). The correct method to crack the program, then, was to simply replace the contents of the copyprotection routine to NOOPs themselves, as they wouldn't be modified (except for the return instruction).

    I think alex is tinkering with the forum software post code; this looks different from yesterday, and isn't word-wrapping where it should :(

    (edit)
    Sigh. Damnit alex, I don't need my post to be in the exact form that I wrote it. Can you please turn that off, or give me the option? This is obnoxious.

