Stunts cracks and modifications

[Alain il professore]

If you guys have any "old DOS game cracking" questions, I'll answer what I can. 

We didn't crack those games, in fact, we had friends handing us... photocopies of the manual. But thank you for your efforts. The Stunts source code is lost, and the community has been searching for indirect exe decoding for years. Happy to know it was a built in feature after all those years. I'm sure memory freeze reverse engineers will love your insights.

I'm interested in an interview solely about the Stunts cracking process. I'll PM you.

[alanrotoi]

I know I'm late to the party, but I wanted to chime in about the reasoning for creating a loader to crack this game instead of spending the time to find the bit to flip to eliminate the protection, or to load it into memory and then dump it out.

The reason, as someone above surmised, was SPEED.  We at THG had the game, and we had no idea if INC, TDT, or anyone else did as well, so we wanted to get it done ASAP.  And the quickest way for us (most likely ME) to do that was to find the bytes in memory that needed to be changed, and then to modify the loader to modify them at runtime. 

Another thing that I can contribute.  Exepack.  It serves 2 purposes in protection systems like the DSI one.  One, it makes the executable smaller (obviously), but the other NON-obvious reason is that it also processes all the relocation table entries.  So that the DSI protection doesn't have to do the relocation.  It just rebuilds the EXEPack'd image in memory and jumps to the entry point, and exepack unpacks, and handles the relocation table as well.  Another famous copy protection Rob Northen's Copylock also used exepack for what I believe is the same reason.

If you guys have any "old DOS game cracking" questions, I'll answer what I can.  I was INTIMATELY involved in the scene from '89 through '91, and can answer most questions. 

This is quiet interesting!! Thank you!