Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft Adventure DRM Protection Bypass - 547

Jimmy Maher - Posted 4 Years Ago
  • Digital Rights Management (DRM) is meant to prevent illegal usage of software. Commonly, it is used in order to prevent the copying of software.
  • Microsoft Adventure was a text-based adventure game released in 1979. It was a re-implementation of the original text-based adventure game that ran on mainframes. The game came on a single floppy disk.
  • Microsoft knew that hackers would attempt to duplicate the floppy disk. In order to prevent this, they added complicated obfuscation to the disk. The floppy disk was chosen because of the ability to quickly go to random spots on the disk, unlike tape on a cassette drive.
  • A floppy disk is divided into concentric rings known as tracks. A standard disk has 36 tracks (0-35). Track 0 was used as the boot sector for the floppy disk; its code tells the computer how to start loading everything else.
  • The obfuscation was done by changing the track numbers. Normally, the tracks are numbered 0-35. However, the bootloader changes the numbers to 127-61 in decrements of 2 (127, 125, ..., 61). Because of this, disk copiers did not know how to copy the disk and believed it was corrupted.
  • The author of the post describes how a teenager built a custom disk formatter that knew how to read the odd sector information. Eventually, the author just renamed the sectors as well, to make copying even easier.
  • Ultima III used a similar type of protection on the Apple II. The Apple II disks had the boot block on track 17. However, the Read Write Track Sector (RWTS) function was edited to use sector 7 instead of sector 17. Because the 17th sector was not formatted at all, this made disk copiers crash and burn.
  • Ultima III has an additional protection as well: Group Code Recording (GCR) obfuscation. Data was stored in address and data fields, each marked by prologue and epilogue values. Ultima III rewrote these marker values, and the new values were stored in the custom RWTS. Damn, that is hardcore!
  • In order to crack this, the custom RWTS can be read by pausing the execution of the boot process. The values can then be translated back in order to make the stored information usable again.
  • There are a few more copy protections in the post that are worth the read! At the end of the day, these are simply obfuscations that would all eventually fall to attackers. It's interesting to see how companies tried to protect their IP back in the day.