'GFL Championship Football'
Author: Lord Crass (guest)
Date: Sun, Jun 05th, 2011 @ 02:14

The Activision version of GFL Championship Football uses an early V-Max. The loader is on track 1, contained in standard DOS sectors. I always thought this one was straightforward and easy to copy, but it turns out that is not the case...

Software nibblers fail to copy this one. You'll see the "V-Max!" screen and hear the drive grind off to track 1, then it hangs. There is a custom copier on Kracker Jax's Bullseye, but I believe it cracks the protection (I'll check later).

The loader is read in from sectors on track 1 using the job queue. The last 3 sectors it loads (14, 17, 4) are encrypted. The decryption key is formed like so:

1. Move drive head to sector 5 header of track 1.

2. EOR $94 consecutive bytes. Does this 4 times to get 4 values (stored at $1A0 in drive RAM). This should result in 63 B6 18 41 for a legit disk.

3. EOR the first two values with the return address on the stack ($04DA), which alters the key to B9 B2 18 41.

Since the code in step 2 reads $1BC bytes while skipping sync marks, it includes gap bytes and the byte before/after sync. These are bytes that aren't copied by software nibblers and the reason the protection works quite well (you'll get the wrong decrypt key and then execute garbage code). It is defeated easily by 8k/parallel nibblers and can be fairly easily cracked.

This disk also has tracks 12-18 written at non-standard speeds, exactly like Defender of the Crown, but it never checks this.

Howard the Duck (NTSC) is the same protection, and uses a key of 4E 56 E8 FB. It also has the oddball density on T12-T18 and doesn't check it.

Star Rank Boxing (V2) and Championship Baseball also employ this scheme, plus they check the T12-T18 densities as well as sync lengths and other checks.

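The key derivation from steps 2 and 3 of the post above, modelled in Python as an added example (not part of the thread and not the attached disassembly). The byte stream is constructed sample data rather than a real track dump, and the back-to-back layout of the four runs and the function names are assumptions. It shows why one differing gap byte in a copy produces a different key.

```python
from functools import reduce
from operator import xor

RUN_LEN = 0x94        # bytes EORed into each key value (step 2)
RETURN_ADDR = 0x04DA  # return address on the drive's stack (step 3)

def fold_key(stream, run_len=RUN_LEN):
    # EOR four runs of run_len bytes into the four raw key values.
    # Assumption: the runs sit back to back in the byte stream the drive
    # delivers once sync marks have been skipped.
    if len(stream) < 4 * run_len:
        raise ValueError("need four full runs of bytes")
    return [reduce(xor, stream[i * run_len:(i + 1) * run_len], 0)
            for i in range(4)]

def mix_return_address(raw, addr=RETURN_ADDR):
    # EOR the first two values with the return address, low byte first.
    # Byte order inferred from the post's values:
    # $63 EOR $DA = $B9 and $B6 EOR $04 = $B2.
    return [raw[0] ^ (addr & 0xFF), raw[1] ^ (addr >> 8), raw[2], raw[3]]

def build_stream(targets, run_len=RUN_LEN):
    # Constructed sample data: filler bytes, with the last byte of each run
    # chosen so that the run folds to the wanted raw value.
    stream = bytearray()
    for n, target in enumerate(targets):
        run = bytearray((17 * i + 31 * n + 0x55) & 0xFF
                        for i in range(run_len - 1))
        run.append(reduce(xor, run, 0) ^ target)
        stream += run
    return bytes(stream)

def with_differing_byte(stream, offset, delta=0x0F):
    # Model a copy in which one gap byte differs from the original.
    copy = bytearray(stream)
    copy[offset] ^= delta
    return bytes(copy)

# Raw values a legit disk yields according to the post: 63 B6 18 41.
ORIGINAL = build_stream([0x63, 0xB6, 0x18, 0x41])
# Same stream with a single byte changed inside the third run.
COPY = with_differing_byte(ORIGINAL, 2 * RUN_LEN + 5)

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("copy", COPY)):
        key = mix_return_address(fold_key(data))
        print(name, " ".join(f"{b:02X}" for b in key))
```

Because every byte in a run feeds the EOR, there is no tolerance: any byte that is regenerated instead of reproduced changes the key value for its run.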

'GFL Championship Football'
Author: Lord Crass (guest)
Date: Sun, Jun 05th, 2011 @ 12:12

Attached is the commented disassembly of the protection routine along with a simple crack.


'GFL Championship Football'
Author: Pete Rittwage (registered user: 558 posts)
Date: Sun, Jun 05th, 2011 @ 12:57

Thanks for all your hard work. I always wondered why the protection copied easily on Howard the Duck but not on other titles with that same short/long track setup.
