Sunday, December 21, 2014

The Wringer - Breaking PC DOS Game Copy Protection

Copy protection is the bane of the PC gamer's existence. It ranges from "You must insert your ORIGINAL disk into drive a:" whenever you play the game to "Find the fifth word in the third paragraph on page eight in your manual" and "Type in the name of this planet at coordinates x 645 and y 743". However, if you want to enjoy games from their original media, it is necessary to deal with it. It stinks when you buy a PC game from a thrift store or on eBay and it is missing the code wheel or the map or the manual. If you do not want to deal with it, there are several programs you can use to break the protection. In this blog post, I will identify these programs, point out some special cases and generally help people play their games without the original documentation. Let me start with a group of cracking programs I call, collectively, "The Wringer".

The Wringer

The Wringer consists of eight DOS programs. All these programs have a text-based GUI that allows you to select your game from a list. There is undoubtedly considerable overlap among these programs, but I have neither the time nor the patience to create a spreadsheet identifying which program has a crack for which game. It is an unusual game that cannot be cracked by one of these programs. Unfortunately, this means that you may not find a crack for your game until the fifth or sixth program you try. DOSBox is excellent for going through these programs and applying their patches quickly.

NoGuard R6.0 by Central Point Software

This program is the oldest, dated 10/11/1990.  It says it can break the SuperLok, ProLok and EverLock disk-based protections and Sierra Online's protections.  It then has a list of individual games and programs. It can also detect some protection schemes.

Central Point Software was the publisher of CopyIIPC, and versions of CopyIIPC would include NoGuard so that people could make hassle-free backups and fully functional hard drive installations. It also included the NoKey program for certain disks for which CopyIIPC could not make a working backup.

The executable is NOGUARD.EXE.

The Patcher v6.5 by Michael Caldwell

This program has a file date of 05/09/1995. It supports 171 distinct games. The executable is PATCHER.EXE.

CrackAid v3.39 by Rawhide

This program supports 323 entries, but some games have more than one entry.  This is because they have multiple versions.  The file date is 11/05/1993 and the executable is CRACKAID.EXE.  It should be kept in its own subdirectory.

Crock v2.32 by Firebug & Eryx

This program is good when you want to crack CGA or Tandy versions of some games. It has 624 cracks and some cheats as well. It also comes with UNP (see below).

The files date from 01/16/1995 and the executable is CROCK2.EXE.  It should be kept in its own subdirectory.

Locksmith v1.31 by REM Software

This program is by far the most annoying of the bunch. If you move the subdirectory, you must reinstall the program. You need to mount the install files to a floppy drive and you need a serial number. If you download it where indicated, the serial will be included. The executable is LOCK.EXE. The program is dated 07-17-1994 and consists of 792 entries. It does include a Hex Editor and will tell you what each crack does.

NeverLock by Copyware Inc.

This version is from Spring, 1996, dated 03/30/1996 and has a nag screen or two.  It can search for some commercial copy protections.  It has 424 protections divided into a Modern and a Classic Collection.  The executable is NEV_UNIV.EXE.  The executable NEV_BUSI.EXE is for commercial programs.

Dprotector v3.1 by Tim Trahan

This program was compiled on 12/10/1993. It has libraries for Classic and Modern games and a TSR loader library (see below). One really nice feature is that the program will tell you exactly what it does for each game. Annoyingly, there is a nag screen when the program starts. The executable is DPRO3DOS.EXE and it requires its own subdirectory.

Rawcopy PC v1.0 from "MSI"

Program date is 1992-1993.  This supports 476 entries.  The executable is RAWCOPY.EXE.

Where to Find

You can find all the programs I have identified here : http://retro.icequake.net/dob/#soft

Limitations

The cracks contained in these programs tend to be of varying quality.  They may not work on every version of a game, may only work on a narrow range of systems, or may work to get into the game but do not defeat protection checks later on.

Special Cases

Cracked by the Publisher

When companies started to release their floppy disk titles on CDs, they would have to break the copy protection to get them to run. Sierra did this for their AGI games on their Anniversary and Collection CDs. However, they included the necessary information for the SCI games in the manual for the collection, so those games had intact copy protection. LucasArts cracked their games, even for floppy compilations, but they did not release every version in a Collection, so there are versions that need to be cracked manually. Origin and Sir-Tech cracked the games that relied on disk-based protection like Sierra, but included full documentation for all their games because the later games used a manual-lookup protection. SSI included code wheels for compilations that included their early Gold Box games, even with compilations released in the late 1990s and early 2000s.

The "SUP" Sierra Unprotection Program v2.01 by Anders M. Olsson

This is a special but important case: it only deals with Sierra floppy games that use the SuperLok v3.2 disk-based protection system. This includes all v2 AGI DOS games and a few others. It does not work with any other AGI Sierra games such as the booter versions of King's Quest and King's Quest II, The Black Cauldron or Donald Duck's Playground. It is not needed with v3 AGI DOS games. The games it supports are as follows:

3-D Helicopter Simulator
Black Cauldron, The (comes in v2 and v3 AGI versions, v3 is unprotected)
King's Quest I, II and III
Leisure Suit Larry
Space Quest I & II
Police Quest (most versions are not protected)
Thexder

The program can be found here : http://www.sierrahelp.com/GeneralHelp/FloppyDiskBackupProblems.html

The program requires the original disk 1 from the game. It reads the encryption string from the disk, inserts it into the Sierra .COM loader and patches the floppy disk error checks so that the loader will decrypt the AGI file, which is the real executable file.

CD-ROM Protection

CD versions of games rarely had copy protection. In the early and mid-90s, the cost of duplicating a CD was well out of reach and CD-Rs were not really available. In the late 1990s, burners and writable CDs had become affordable and publishers again looked to disc-based methods to protect their games, but this was typically after the DOS era. However, there are DOS games, like Orion Burger and the Championship Manager 2 series, which rely on an early version of the LaserLok CD protection system. This is not an issue if you are trying to run these games on real hardware or have a CD image and a burner that can support this protection. However, with DOSBox, you will need patches, found here:

http://pferrie.host22.com/misc/dosbox.htm

Some CD-ROM versions of Warcraft: Orcs and Humans will ask for a word from the manual in order to install and use the game.  I believe this is a holdover from the floppy disk version, which has the same protection.  Once the game has passed the SETUP.EXE, which selects the sound devices, it can be played freely without needing to look up a word in the manual.  If you have the combo MS-DOS and Macintosh CD (with CD-Audio tracks used only by the Mac executable), then you won't encounter this problem.

If your CD has files in the root directory with 05/02/1995 dates, you will encounter the protection.   If your CD has 11/03/1994 or 09/06/1996 root directory files (the latter is the CD-Audio version), then you won't have to deal with the protection.

Compressed Executables

To save space, and to prevent instant debugging, several programs compressed their executables with a program like LZEXE. In order to crack them, these executables have to be uncompressed with a program like UNP v3.31 and then have the crack applied.
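As an added example (not from the original post or from any of the tools it names), the Python below checks whether a DOS executable carries the LZEXE version tag, which tells you whether it needs to go through an unpacker such as UNP first. It assumes the commonly documented layout in which LZEXE writes `LZ09` (v0.90) or `LZ91` (v0.91) at offset 0x1C of the MZ header; the function names and the sample images are constructed for the demonstration.

```python
import struct

# Assumption: LZEXE writes its version tag at offset 0x1C, right after the
# fixed MZ header fields (commonly documented layout, not taken from the post).
LZEXE_TAGS = {b"LZ09": "LZEXE 0.90", b"LZ91": "LZEXE 0.91"}
MZ_FIXED = 0x1C  # 2-byte signature plus 13 little-endian 16-bit fields


def inspect_exe(data):
    """Classify a DOS program image and return the header facts that matter."""
    if len(data) < MZ_FIXED or data[:2] not in (b"MZ", b"ZM"):
        # .COM files have no header at all, so there is nothing to parse.
        return {"format": "not MZ", "packer": None}
    (last_page, pages, relocs, hdr_paras, _min, _max, _ss, _sp,
     _csum, ip, cs, _reloc_off, _ovl) = struct.unpack_from("<13H", data, 2)
    # File length declared by the header; anything past it is appended data.
    declared = pages * 512 - ((512 - last_page) if last_page else 0)
    return {
        "format": "MZ",
        "packer": LZEXE_TAGS.get(bytes(data[MZ_FIXED:MZ_FIXED + 4])),
        "relocations": relocs,
        "entry": f"{cs:04X}:{ip:04X}",
        "header_bytes": hdr_paras * 16,
        "trailing_bytes": max(len(data) - declared, 0),
    }


def make_sample(tag, relocs):
    """Build a constructed 512-byte MZ image for the demonstration."""
    header = b"MZ" + struct.pack("<13H", 0, 1, relocs, 2, 0, 0xFFFF,
                                 0, 0x80, 0, 0x000E, 0x0010, 0x1C, 0)
    return (header + tag).ljust(512, b"\x00")


if __name__ == "__main__":
    samples = {
        "PACKED.EXE (constructed)": make_sample(b"LZ91", 0),
        "PLAIN.EXE (constructed)": make_sample(b"\x00" * 4, 3),
        "LOADER.COM (constructed)": b"\xEB\x10" + b"\x90" * 30,
    }
    for name, blob in samples.items():
        print(name, inspect_exe(blob))
```

A `packer` value of `None` only means the LZEXE tag is absent; other compressors are not checked here.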

Loaders

There are some games that simply could not be easily cracked. This is because they encrypt or otherwise obfuscate the portion of the program that controls the protection. In this case, a .COM loader may be provided that will intercept the protection and allow you to get past it. The .COM may be loaded as a TSR or simply run in place of the game's actual executable.

Documents Required (No Crack Known)

Finally, some games had protection that could not be broken easily. You will not find a ready crack for King's Quest V, for example. KQ5's protection does not occur on startup. In fact, it often does not pop up until you have progressed through a substantial portion of the game. The protection requires you to enter four symbols found on a particular page of the manual. Because the protection is buried within the SCI engine files, it was not something that could be broken with a few bytes. In this case, it's usually easier just to get a scan of the manual, but back in the day, people used ASCII art and paint program printouts to display the symbols. Fortunately, scans for the most popular games can be found. Here are some good places to look for them:

http://www.replacementdocs.com/news.php
http://www.mocagh.org/index.php
http://www.sierragamers.com/aspx/m/634055

In addition, there are versions of games or obscure games for which no crack may be available.  The cracks contained in The Wringer for King's Quest IV, for example, only work with the early versions.

Other Resources

The Textfiles site contains many files with unprotection instructions for DOS games. You can find them here: http://www.textfiles.com/piracy/. You can also search the site for cracking information located elsewhere.

Other sites with cracking information include :

http://www.oocities.org/gammadragon/Cracks2.html
http://www.mmnt.net/db/0/0/ftp.gamers.org/pub/archives/uwp-uml/romulus/cracks/

Scene Releases

If there is no other choice, and you must play a game and you can't find a crack for it, then you may want to look for scene releases by warez groups. Typically, scene releases came with softdocs, which are the manual information in plain text. Otherwise they would come with a crack or pre-cracked. The game Dyna Blaster for DOS comes with a unique copy protection method: it requires you to use an Atari-style joystick with a parallel port adapter, which came with the game, to make menu selections. The Wringer does not contain a crack for that obscure, Europe-only game, so you will have to play the cracked version if you do not have the dongle.

17 comments:

  1. There are also a couple of games that have built in ways to bypass the copy protection:

    In Spear of Destiny you have to answer a question before you can play the game. The answers can be found in the manual. But there are 5 or 6 responses that are always considered right: a spoon?, bite me!, joshua, pelt, beta and snoops.

    In The Simpsons: Bart vs. the Space Mutants you can type the sentence I NEED HELP SO LET ME SKIP THE HEADS..... to skip the copy protection screen.

    The copy protection of Metal Gear can be bypassed by creating a file called delete.me in your Metal Gear directory which contains the letters CE. (The PC version of Metal Gear is programmed by Charles Ernst.) This will also enable the cheats for invincibility and free items.

  2. ah yes i remember. i have a question, it's almost 2015.

    i've not had a tandy 1000 in over 20+ years.

    would those magnetic disks still work? i.e if i had a disk 5.25 from 80s could it still work in 2015?


    if i bought a tandy 1000tx from ebay is there any way to get old tandy 1000 specific 16 color 3 voice software and then transfer it to a tandy 1000 from a modern day pc? how about installing a ssd?

  3. Hello,
    In this guide you mentioned that there was a crack for King's Quest IV but only for the earlier version (I'm assuming this is 1.000.111?).

    Which program actually contains this crack and how would I go about removing this copy protection with it?

    If it means anything, I would like to use the crack in conjunction with NewRisingSun's "definitive edition" mod.

    Thank you for your time.

  4. Just about any of the programs in The Wringer will be able to crack the early versions (1.000.106 & 1.000.111) of KQ4. Try The Patcher v6.5.

    For later versions, the following crack works. Open resource.000 in a hex editor, look for the following sequence and change the indicated byte :

    C7 FF 8B 23 83 02 1A 30 0E 00 38 F7 00 78 38 BC
    -- -- -- -- -- 23 -- -- -- -- -- -- -- -- -- --

  5. Thanks for the reply!
    Though what do you mean when you say "--"? I initially interpreted those characters as deleting those hex values, though that did not work.

    If you could explain this a bit more in detail that would be greatly appreciated.

  6. Those -- are unchanged and are used as placeholders so you can change the right character. So change the 02 to 23.

  7. Thanks for clarifying!
    It works now!:)

    Nice to see this game without any DRM...not even the GOG release removed it...

  8. None of the versions of KQ4 I have have a resource.000? They all start at resource.001. Am I missing something?

  9. Yes, you use resource.001, I mistyped the number above.

  10. Thanks for the reply and this blog post! I tried searching through resource.001 but can't find the sequence. Oh well. It's KQ4 version 1.006.004, which is the latest version and the one from GOG.com that the other user mentioned. Seems strange that they could get it to work but I can't find it. I'm not sure what the deal is. Maybe they actually did the hack on a different version. Anyways if anyone has any more tips I would love to see this hack work. Thanks again.

  11. Actually, it is a bit more complex than I remembered to crack the later versions of KQ4. First, you have to extract script.701 from one of the resource.00x files. You can do this by using the utility sciget in NewRisingSun's KQ4 Improvement Patch. Find it here :
    http://www.vogons.org/viewtopic.php?f=7&t=41384

    To use sciget, type in sciget script 701 in the directory where KQ4 is. You will need to be in a 16 or 32 bit operating environment like MS-DOS, Windows 9x, Windows XP, Windows 7 32-bit or DOSBox for the program to work. This will put a script.701 file in your directory.

    Finally, open script.701 in your hex editor and look for this hex string :
    C7 FF 8B 23 83 02 1A 30

    Change the 02 to 23 and save the file. This script.701 will override the script.701 contained in resource.004 and will allow you to type anything into the copy protection screen and it will get past it.

  12. I got it to work! Thanks so much GH for taking the time to reply and let me know how to do this :)

    I actually had been trying to figure out how to mess with the resources using the SCI Companion, so I used that to pull out the script.701 and edit the hex. It worked, the copy protect box pops up and when you press enter it moves on to the game.

    This technique gave me an idea that works even better though. Instead of pulling out script.701, pull out script.700. Place it in the game directory and rename it script.701. When you run the game it will completely skip the dialogue box and go straight into the game. Now you don't even have to think about the copy protection, just play the game. Also no hex editing needed.

    Hopefully someone else will find this useful. Thanks again!

  13. You are a very persuasive writer. I can see this in your article. You have a way of writing compelling information that sparks much interest.

  14. I found another game with a built in way to bypass its copy protection: Zool. At the options screen type in stretlamp and then at the copy protection screen press spacebar to skip it.
