The disc check works by verifying that various weak encoded sectors exist and then builds a decryption key, but there exist a couple of 4kb backup keys in memory which can be reinjected; these are then used to form the final 32bit TEA decryption key for decrypting the game code. It was common for people to create loaders that hooked the disc check and injected these keys into memory to create a simple bypass.
@test-rj2vl In CD sectors, 8 bits of data are encoded into 14-bit streams, known as EFM (eight to fourteen modulation); this is done to space out the physical pits for readability. A form of copy protection that SafeDisc uses is to press discs with a certain data pattern in the sectors that causes issues for CD burners trying to duplicate this exact pattern 100%, while the original sectors still read OK. So trying to read and write these specially crafted sectors gives the drive some issues, and they are referred to as weak sectors :) There are many other kinds of signatures that other copy protections used, but SafeDisc is known for using this EFM manipulation trick (-: /R.
Watching you debug at such a low level puts me in a calm meditative state. I thoroughly enjoy your practical application of decompiling and debugging to old Windows games. It provides for great storytelling. Many thanks.
I predict that in the future we'll have software archeologists whose sole job is to get old stuff working again. It's crazy how much source code gets lost over time, or how stuff just gets abandoned and you can't use it anymore without some obnoxious requirements (such as having the original 20+ year old CD). Nothing pisses me off more though than companies sitting on source code for ancient games for decades and not doing anything with it because MUH IP.
Agree. I still play Sims 2 nowadays for nostalgic reasons, but with each year the Sims 2 community gets increasingly pissed off with EA. The game appears to have tremendous problems on newer systems/OS that render it almost unplayable and no one really knows why. We're at a point now where people are switching to Linux just so they can keep playing this game (for some reason none of the problems we see on Windows are reproducible on Linux). And EA just does nothing about it, probably because they want us to buy Sims 4. No one is even asking them to spend resources on fixing it; after two decades they could just release the code and let the community handle it themselves.
Ah, that reminds me of when I was removing the SafeDisc protection from EA's Battle for Middle-Earth 1. There it also starts with creating two temp files, which attach to the main process and start debugging it. In the case of BfME1 there were 4 layers of protection: 1. Nanomites (opcodes replaced with 0xcc that trip the SafeDisc debugger and prompt it to fill them in with the correct opcodes); 2. Scrambled import table (calls to some imports go to one of the two temps, which directs them to their actual intended destinations); 3. Some opcodes are also replaced with arbitrary calls to the debugger, and when such a spot is hit, SafeDisc replaces them with valid opcodes (stolen bytes); 4. The most grinding part is the final layer. The way it works is that an occasional calculation is made not in the game's process but using special data tables in the SafeDisc protector instead (apparently this one is called SDAPI2). This is a more recent one and might be missing on Sims. But even if it is there, apparently in some games (not the case with BfME1 though) SDAPI2's code is left right in the game's exe from the debug handler, so there it's just about getting those tables and patching the exe to use the code.
Correct me if I'm wrong, but aren't 1 and 3 the same thing? 0xCC is the byte value of the instruction INT 3, which is what's used to break into the debugger. The debugger responds to the interrupt by providing the correct opcode to execute.
@Acorn_Anomaly, not exactly: in 3, bytes are replaced not with 0xCC but with jumps and calls to the protector; that is, triggering there does not go through the debugger mechanism. In fact, I think 3 was introduced somewhat before 1.
@damianabregba7476, ah yes, the mass suicide! That's a little trick from inside the game itself. That little 200kb file lotrbfme.exe you start the game with does effectively 2 things: 1. It calls the actual (packed) binary kept in game.dat; 2. It creates a mutex with a particular Id, and the game itself later tries to do the same; if it succeeds, that indicates that the mutex hasn't been created and the protection is hacked or absent. This is recorded, and then in the game the suicide timer is set.
It's so nice to see someone breaking through these measurements.
this is suuuuper interesting as i love ts2 and basically learned how to do some reverse engineering and dll hooking through it! i believe the game might have some more anti-tampering beyond all the cd checks and obfuscation. iirc when the game was new a lot of ppl with cracked copies were reporting not being able to build walls and such, but that was never properly documented.
Also pirates released unofficial patches, for example v1.1 or v1.5 which fixed the above mentioned problems. You can read about it on old Russian forums in old threads that are dedicated to solving problems with the game from the time of its release, FAQ, for example, Playground ru or 3DNews.
what a banger of a video, I really hope you keep going as reverse engineering old school DRM mechanism is something I dream of being able to do - the only reverse engineering I can do is pull apart private REST APIs...
Nathan, never stop these brilliant videos. I mainly program in Java and JS, so it's just great to see all this low-level C++, reverse engineering, tweaking executables etc. Fascinating seeing how these devs built these executables and then how you get around them.
Super knowledgeable video and at the perfect pace where it's not too slow that I'm falling asleep or too fast that I have no clue what's going on. Entertaining & educational, love it. Subbed.
You would have been a menace back in the early 2000s. I really love these videos not only from an engineering and hacking standpoint, but it's really encouraging to see that with enough knowledge and dedication, game preservation is technically accessible to anyone who's willing to put in the time and effort.
I think you should do a series of videos (maybe a different channel if you want to focus on this style here) of the tools you use and how you set everything up. This has gotten me rather interested in RE but I haven't yet found much for getting started.
Funfact: when you have Need for Speed Most Wanted 2005, you can copy the contents of the disc into a folder, then open the ini file and set the demo value to true. That just removes the cdkey question from the installer, because it thinks it's just a demo.
I'm interested in one thing: from my very limited experience, I know that "patches", cracks and other such tools can trigger anti-virus software because they mess with the original binaries, inject their own data into memory, etc. How come this original executable doesn't bother antivirus? From my perspective, all this obfuscation and shifting code in the libraries looks very much like the code usually found in patches.
Coming from a cybersec background, behaviors like the ones employed here (dropping PE files, cross-process debugger attachment with an unexpected parent-child process relation, writing to executable memory regions, packed code) would definitely trip up a modern day EDR that is inspecting behavioral patterns. You'd be surprised as to how many modern DRM/anti-piracy/anti-cheat mechanisms employ behavioral patterns that resemble malware (or vice-versa) and are typically whitelisted (usually by the vendor) in EDRs/AVs through file hash or certificates.
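The behaviours listed in the comment above (a dropped file that is then executed, a child process attaching a debugger to its own parent, and another process's memory being made writable and executable) are the kind of pattern an EDR correlates rather than judging each event alone. The following is an added example, not code from the video or from any EDR product: a toy correlator in Python that runs over a constructed, clearly non-real event list and reports which process-level combinations it would flag. The event format and the process IDs are invented for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real EDR output). Each tuple is
#   (kind, pid, target_pid, detail)
#   spawn        : pid creates process target_pid running image `detail`
#   file_write   : pid writes the file named in `detail`
#   debug_attach : pid attaches as a debugger to target_pid
#   mem_protect  : pid changes page protection inside target_pid to `detail`
SAMPLE_EVENTS = [
    ("spawn",        100, 200, "game.exe"),
    ("file_write",   200,   0, "C:\\Temp\\~df394b.tmp"),       # game drops a temp file
    ("spawn",        200, 300, "C:\\Temp\\~df394b.tmp"),       # ...and executes it
    ("debug_attach", 300, 200, ""),                            # child debugs its parent
    ("mem_protect",  300, 200, "PAGE_EXECUTE_READWRITE"),      # RWX pages in the parent
    ("spawn",        100, 400, "notepad.exe"),                 # benign control process
    ("file_write",   400,   0, "C:\\Users\\u\\notes.txt"),
]


def analyze(events):
    """Correlate process events and return a list of (pid, reason, detail) findings."""
    parent = {}                      # child pid -> parent pid
    dropped = defaultdict(set)       # pid -> set of paths it has written
    findings = []

    for kind, pid, target, detail in events:
        if kind == "spawn":
            parent[target] = pid
            # Executing a file the same process wrote earlier is the classic
            # "drop and run" pattern; benign installers do it too, so this is
            # a signal to correlate, not a verdict on its own.
            if detail in dropped[pid]:
                findings.append((pid, "executes self-dropped file", detail))
        elif kind == "file_write":
            dropped[pid].add(detail)
        elif kind == "debug_attach":
            # A debugger attaching to its own child is how IDEs and crash
            # handlers normally work, so only the inverted or unrelated
            # relationship is flagged.
            if parent.get(pid) == target:
                findings.append((pid, "child attaches debugger to its parent", str(target)))
            elif parent.get(target) != pid:
                findings.append((pid, "debugger attach to unrelated process", str(target)))
        elif kind == "mem_protect":
            if target != pid and "EXECUTE" in detail and "WRITE" in detail:
                findings.append((pid, "writable+executable memory in another process", str(target)))

    return findings


def findings_by_pid(events):
    """Group findings per process so a chain of weak signals on one pid stands out."""
    grouped = defaultdict(list)
    for pid, reason, detail in analyze(events):
        grouped[pid].append(reason)
    return dict(grouped)


if __name__ == "__main__":
    for pid, reasons in findings_by_pid(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

On the constructed input the two processes in the game's chain (200 and 300) each collect findings while the control process (400) collects none; the point is that none of the individual signals is malicious in itself, which is exactly why the comment notes that vendors end up allow-listing legitimate DRM by hash or certificate rather than by behaviour.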
Indeed - The most common cause of a "false positive" is from various patchers that affect memory of other applications (which is something nasty tools can do, but obviously also entirely necessary for the ones that you DO want to do such)
Love your channel and love reversing! It's such an amazing puzzle to solve that involves entering the mind of the puzzle creator to be able to finish it :D
just think, if they hadn't spent weeks of developer work adding obfuscation algs and copyright checks many people just bypassed anyway, maybe those engineers could have been building cool stuff instead of installers.
Hey man, really great video. Not many YouTubers doing this level of RE. You got this - you have the skills and the insanity factor to see it through. You must be slightly insane to be a good RE/VR person.
This was brilliant, well done! These videos are basically everything I was trying to figure out as a teenager but with 100x the skill I had! Loving these. Your coffee advert was also great 😁
For sure the running another process that attaches itself as a debugger was a common tool in the 90s and 2000s PC game developer toolkit. Worked at a couple studios where people mentioned doing that.
Will say that when they were delisting it they actually upgraded everyone who owned at least the base version of The Sims 2 to the Ultimate Version with all the DLC and did the same thing for anyone who had the game physically and had a CD Key for it (it's how I got The Sims 2 on Origin.). So that was actually pretty cool of EA.
I don't keep track but I think this was probably in the ball park of 100 hours for the technical content. Plus then script writing, filming, editing and thumbnail design
I don't work on low level stuff so if I wanted to fully understand what's going on I would have to pause every 3 seconds... but that's what's actually awesome about your presentation: you are able to completely narrate what you are doing and don't dismiss any step with some magic handwaving. If I had seen this video 20 years ago it might've driven me more into the cracking scene just for shits n giggles. Your videos are a beautiful amalgam of tutorial and storytelling. Thank you.
I thought this was gonna be some regular Sims 2 piracy tutorial video, seriously impressive work. One of the most consequential games of all time doesn't deserve to be lost.
The devs were serious on protecting the game. This was an amazing effort by you, I can only imagine how many hours you must have spent debugging this. Fantastic work!
I know the feeling of spending a lot of time on a project but still not reaching the intended happy end. It can definitely be tough releasing a video covering such a result so I want to thank you for releasing this video anyway.
Maybe a no-CD patch like those that were available for some games in the past? Wonder if you can reverse those, if they existed, and see what the difference would be in that syscall you mentioned for the disc reader.
the only thing this codebase is missing is one of obfuscators that generates a massive hedgemaze of meaningless comparisons, jumps, and dead ends that you have to step through manually in a debugger, and the last thing it does is overwrite its own function address to bypass the hedgemaze on subsequent calls
Oh my god. I love your videos as i am a developer myself, but holy hell i think if i tried to even follow your steps in this video, it would take me like a year to get to the point you got to here :D Awesome to see how you can figure out how the protections work and how to manipulate them. I would be so happy if i could generate keys to some old games with my self-made keygen :D Hope you keep doing these types of videos!
We’re really blessed with a lot of smart people fixing the game at this point. My only complaint is that the UI just doesn’t fit on anything over 720, and even on a 2k display everything looks like it’s for ants
@CrAzYpotpie It's true that piracy would still happen between those who aren't up for paying for the product. I more so meant that it gives a way to obtain it without having to proceed to illegal tactics. I know my words weren't exactly precise. It was just meant to be a short way of saying it.
@harasen_haras5 It's no problem, I apologize for my confusion, I assumed you merely didn't understand. I agree that it would be wise for EA to provide a way to still purchase these games, but they are probably not too invested in having to hire a team to bring it up to date with more modern systems for it to be worth it for them in the end, financially. It also just adds more competition with their latest Sims, which I assure you they have no interest in doing. Long live piracy for keeping the game alive.
I love your work sir, it's fascinating to see such tools in the hands of a maestro! I've played with Ghidra myself a little, updating some older Cheat Engine tables for an older title that hasn't been updated in a while, definitely cathartic work! Would you say that the Sysinternals monitor is the best tool for seeing what process-external access an exe makes? Or might there be better tools, if one is prepared to take the time? In the long term, what I would love to have is a sort of modified Windows sandbox, that ostensibly lets me run any old Windows app as normal, but with the added bonus of keeping an eye on everything: writes, reads, handles, regkeys etc., calls that a process makes. Especially in the case of using 'no-cd' cracks for titles that I do own, but like you, don't have easy access to any kind of optical drive. I also want as much performance as possible, running the entire game from NVMe, which even on a pretty modern machine like mine (12th gen i7, 20 cores, 16gb RAM, RTX 3070 Ti) is an issue, as some games like the older 40k Dawn of War can still hand out a lot of punishment, especially (and the same problem with many older titles) when getting the games to run at 4k. It's clear that such resolutions were just a dream in those developers' eyes, and seemingly have very different optimisation requirements; it might even just be down to something as simple as moving reserved memory for off-screen buffering, which is quite a lot of RAM for a 4K screen and does indeed require a different coding strategy! Any suggestions for tools that would help me would be very kindly received, especially as I am currently covid quarantined and somewhat at my wits' end for keeping myself entertained! Thank you so much for your content and the work you put in, one of my absolute favourite channels of this nature - You should write and sell a course, Sir!
I've been doing some firmware reversing with Ghidra lately and I just wanted to say how vindicated I feel watching these videos. That moment when you open a subroutine and it's like 500 lines of loop unrolled compiler optimized garbage (or in this case hand obfuscated garbage) 😂🔫 cheers though great video
I was convinced they still had it available as I just downloaded it from EA play last week. Dammit EA, the game is amazing, it deserves to be preserved
"I've attached a debugger and now I get a new message warning me, that I got a debugger attached". Lmao. I love it when coding adventures become slightly convoluted. Though I would admittedly trade it in for a world without any DRM at all.
2:44 whenever seeing something like this, you just have to remember compilers are crazy, and the decompiler could be slightly wrong. It could even be an inlined implementation of a version of memcpy.
Process Monitor itself has the 64bit version inside it. If you run the 32bit and it sees you're on 64bit, it unpacks that and runs it. And here's me dreaming of being able to code my own cracks. Looking at this, jesus! That would never happen. Once you're done, watch the AV software come along and delete your exe as malware as they do with most cracks and keygens even when they have no infections.
11:27 oh i have the same case but mine is without the glass :D i know that Fractal has some less expensive case that can have 1 or 2 bays for dvd/cd :D love this kind of videos from you :D i hope you can perhaps make it work on win10/11 some day hehe :D
Classic AAA game dev - the most insane DRM measures in place, which ultimately led to the game being unplayable when this same insanity stopped being supported by the OS.
Sims 2 came out in 2004. Asymmetric cryptography was already widespread. ECC/ECDSA entered wide use the same year. How they thought relying on their own obfuscation instead of cryptography is beyond me.
I can tell you that breaking encrypted stuff with well known cryptography is way easier than cracking the stuff shown in this video. With known cryptography and the well known and documented standard library functions to do these operations... you can just overwrite them, redirect the call to the actual function and dump everything in the process.
@DerTechNick No, it's not. With asymmetric encryption, it's proven that you can't simply reverse it. You thinking that "security by obscurity" is a better mechanism shows a lack of understanding. Had EA used asymmetric encryption, it would have been no more difficult to extract the obfuscated code, but it would have been entirely impossible to simply replace it with his own, lest he also replaces all keys, or patched out everything relating to decryption. I was also talking about the keygen, where again, proper encryption would make it impossible to reverse engineer it - only patching would be an option.
@graealex So do you want to tell me that I wasn't able to do it? You just fake a server, change the root cert in the binary and that is literally it, if you are talking about license verification right now. But that is something totally different from what you were implying at the start.
No matter what, the game must be able to decrypt the encrypted content. So the key IS present somewhere. This makes dumping the decrypted content, modifying it, and patching out the decrypt step all the same.
Actually, EA gives it for free, just contact customer support. They will give you the ultimate collection for free. If you are a Mac user you can buy the Super Collection.
interesting you tried this with the base game and not literally any of the expansions instead, like apartment life or mansion and garden stuff, which technically isn't an expansion but it functions like one
"Abandonware," a term with such broad meaning to every individual person that it has no real use at all. It definitely isn't recognized in any US law in any positive way for those who want that to mean anything is a-okay to do with the material. I've seen people say that the instant Nintendo removes the ability to purchase one of their old games, that it becomes abandonware, even if Nintendo plans to make it purchasable the following week on a new storefront. Greedy entitled people with no brain ruining words, as usual.
making a keygen for yourself for a game favorite is just awesome indeed, but having to censor the key you generated doesn't make sense, for me at least.
Thank you for your work I love your content ! ❤ I'm myself a junior software engineer and I'm really interested in reverse engineering, but I'm not sure how I could acquire such a skill level 😅 Do you have any recommendations for learning RE, like programs, courses or roadmaps etc... ?
I consider it an investment in sanity and usability to have a DVD drive in my computer. You might want to consider the same, and I've used it for all my PS1 and PS2 games. I really wish I could get a drive to read XBox games, because that's a massive PITA. Also, did you create a fake website just for that 0xc0ffee gag? Hilarious either way. I don't have a copy of the Sims 2 myself, so I'm wondering if you could tell me if the game assets are also obfuscated and/or encoded in some way? It'd be interesting to see someone RE the engine so that people that own a copy of the game could just copy the files and play it, but I also wonder how difficult it would be to write a lookalike engine from scratch. Did they do anything unique for the game?
@nathanbaggs Ah, I see. Then you might need to do some debugging on the website because it didn't work when I tried it, which is why I assumed it was a fake website.