News:

Herr Otto Partz says you're all nothing but pipsqueaks!

Main Menu

Stunts cracks and modifications

Started by Daniel3D, July 28, 2021, 10:50:24 PM

Previous topic - Next topic

Daniel3D

While searching for original stunts images in response to llm I obviously came across some cracked versions.

That made me wonder a couple of things that I'd like to share because somebody may wonder the same.
(if not, feel free to say so or just ignore my post)

First thing.
As learned form dstien's restunts SVN repository the copy protection can be permanently disabled by setting a 0 to a 1 on two locations.
Why then are the cracks so elaborate?

my guess:  it was not the goal back then, you wanted to show off your work and it has a more visual appeal to have it work with enter in stead of been completely absent.

But it may also have been easier to do so. I don't know how difficult it is to find this bit in the original file and change it. I can 'see' how you can see the check for the right answer with debugging software and make sure the answer is always accepted. And my guess is that that is how it's done.

Most cracks just work as a preloader and continue with stunts.com that reads form setup.dat and feeds that to load.exe.
||st.com and stunts_k don't work without stunts.com||
I believe the only exception to this is the red sector crack, they replaced stunts.com with their own version,
RS-stunts.com calls stunts.ovl that reads setup.dat and calls back to RS-stunts.com which feeds that into load.exe

I don't know for sure if they work this way.
But it seems logical. Please correct me if i'm wrong.

list of known crack files.

Crackes that seem to flip the byte
  • ST4DLDR
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)

Daniel3D

Secondly.
Is it worth the effort to create the original file with the bit changed, so the copy protection is disabled.
I know that I can just use the restunts executable or a crack, but I wish for an as clean as possible version without the copy protection.

It can be done, i'm sure of that.
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)

KyLiE

I think the main reason is because most of these cracks were made around the time that Stunts was released, so time was critical.  The goal was probably to crack the game and release it as quickly as possible.

I'm not sure if it's worth the effort to produce a version of the game with no evidence of copy protection as I don't know what's involved.  Personally, I find that the other bugs and limitations in Stunts make the copy protection seem insignificant.

GTAManRCR

Stunts 1.1 and 4D Sports Driving 1.1 (1991) uses the same files (Last version is updated, so it only works with NeverLock)
Hejj bicska, bicska, bicska csantavéri kisbicska!

llm

Quote from: Daniel3D on July 28, 2021, 10:50:24 PM
As learned form dstien's restunts SVN repository the copy protection can be permanently disabled by setting a 0 to a 1 on two locations.
Why then are the cracks so elaborate?

First of all, its clvn's SVN, he started the restunts project

The cracks did not go the route to analyse the process of unpacking multiple files and combining them in ram before run, and reverted that process, what load.exe does but hooked themself at the end of this process and then do their thing, typical for most of these times crack programs

the original exe is like what clvn's unpacker creates with the restunts game.exe, but the dsi guys want it further processed, maybe for protection reason, most of the combined code file parts are afterwards packed with stunts own resource packing algorithm and the complete resulting executable is another time "packed" with exepack from microsoft, that is very special and not a typical way of distributing a executable

In the resulting executable what load.exe combines in memory to the game.exe is a pure uncompressed exe image that just contains a trivial password check that is easy to disabled by patching the result of a is-correct-password-result to always success



llm

I think they produced normal game.exes with the compiler with mapfiles, containing start/end of all the functions inside, packed the exe with exepack from microsoft, splitted the exe afterwards at multiple points in the base code and grafix code, packed the splitted parts with stunts own packing format and wrote load.exe to reverse this process at startup time

llm

here is the full exe combine code - even for non programmers small enough to someway understand was happening

https://github.com/xor2003/restunts/blob/master/src/execombiner/main.cpp

the input files in https://github.com/xor2003/restunts/tree/master/src/execombiner/assets
are alreay unpacked with dstiens stunpack

after the combine run the resulting exe-file is manually unpacked with UNP (or other Microsoft EXEPACK capable unpacker)

and then the byte is changed to disable copy protection (which prevents a jump to exit or something like that)

llm

#7
btw: the combine tool should also work with the CGA,EGA and TANDY Version - but i think never tested before

so in the End we've got a CGA,EGA,TANDY and MCGA exe - the Sound-Driver get loaded dynamically

my drvcombine tool just disables the dynamic loading of the sound drivers by directly integrating a driver (but that is only to ease the reverse engineering - then the disssembler can see also into the sound driver code - that was NOT in any way part of the original DSI release/packaging-process)

Daniel3D

So the whole deal with load.exe was intended as an elaborate way to hide the actual executable so the game would be difficult to crack?
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)

Daniel3D

#9
Ok. Something else.
In the bypassing load.exe thread I read that the following parameters are accepted.
Quote/ns - no sound
/nb - parsed, but unused
/ssb - use soundblaster (ad15.drv) instead of pc speaker
/sXY - use driver XY15.drv instead of pc speaker (e.g /sad for soundblaster)
But these are all sound related.
Are the video parameters accepted as well?

In other words. If I would rename that executable to load.exe. would it load correctly with the setup.dat information if I run the game with stunts.com??
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)

llm

Quote from: Daniel3D on July 29, 2021, 11:01:53 AM
So the whole deal with load.exe was intended as an elaborate way to hide the actual executable so the game would be difficult to crack?

that or maybe some extreme size constraints with release floppies that demand such splitting (but i don't think that was a problem at that time)

and also takes the load.exe process some more RAM - so its definitily not a RAM saving strategy

llm

#11
Quote from: Daniel3D on July 29, 2021, 12:36:28 PM
Quote
/nb - parsed, but unused
/ssb - use soundblaster (ad15.drv) instead of pc speaker
/sXY - use driver XY15.drv instead of pc speaker (e.g /sad for soundblaster)
But these are all sound related.

because only the sound drivers are loaded dynamical by stunts

Quote from: Daniel3D on July 29, 2021, 12:36:28 PM
Are the video parameters accepted as well?

no - the real executable is constructed (in RAM) based on the setup-selected code-file-parts - the sound driver get loaded by stunts itself

Quote from: Daniel3D on July 29, 2021, 12:36:28 PM
In other words. If I would rename that executable to load.exe. would it load correctly with the setup.dat information if I run the game with stunts.com??

not in a million years - these exes/coms have nothing in common

that is the reason why i sometimes talk about decent game.exes for CGA, EGA, MCGA and TANDY

all the non loader.exe programs (stunts.com, stuntsk.com etc...) are not part of the original package and not needed at all

Daniel3D

Quote from: llm on July 29, 2021, 06:57:42 AM
Quote from: Daniel3D on July 28, 2021, 10:50:24 PM
As learned form dstien's restunts SVN repository the copy protection can be permanently disabled by setting a 0 to a 1
Why then are the cracks so elaborate?
First of all, its clvn's SVN, he started the restunts project
I realized that to later. I copied the text of the copy that dreadnaut made of dstien's repository. It is clvn's SVN.

I apologize for the clumsy phrasing of that line.



Quotenot in a million years - these exes/coms have nothing in common
Ok. I was afraid you would say that.
I kind of expected it to be so as well.

So if I understand correctly. Load.exe creates an executable in memory based on the setup information.
For the reengineering project, only the MCGA/VGA output and the sound blaster/pc speaker were taken.
To create a different version, that process has to be redone with different setup data.

Then I return to my original idea. Can we change the copy protection bit in the original files?
I would like the copy protection popup to disappear like in the restunts version. Because it's annoying.

The other video modes are useful for creating better car graphics, but are not necessary for reverse engendering, if I understand correctly.
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)

llm

Quote from: Daniel3D on July 29, 2021, 01:54:58 PM
I realized that to later. I copied the text of the copy that dreadnaut made of dstien's repository. It is clvn's SVN.

there is no dstiens SVN repo - cvln's the only one (also refered as base on the gitlab page from dreadnaut)

Quote from: Daniel3D on July 29, 2021, 01:54:58 PM
Quotenot in a million years - these exes/coms have nothing in common
Ok. I was afraid you would say that.
I kind of expected it to be so as well.

So if I understand correctly. Load.exe creates an executable in memory based on the setup information.
For the reengineering project, only the MCGA/VGA output and the sound blaster/pc speaker were taken.
To create a different version, that process has to be redone with different setup data.

yupp - but the game.exe you've got is exactly the In-Memory version of the exe which load.exe produces if MCGA is selected in config
the sound drv integration is a different project

Quote from: Daniel3D on July 29, 2021, 01:54:58 PM
Then I return to my original idea. Can we change the copy protection bit in the original files?
I would like the copy protection popup to disappear like in the restunts version. Because it's annoying.

The other video modes are useful for creating better car graphics, but are not necessary for reverse engendering, if I understand correctly.

i don't think that is doable because the exe is builded like that game.exe = microsoft.exepack(stunpack(fileX)+stunpack(fileY)+stunpack(fileZ))
think of it as an mathematical expression - you want to change a byte in a stunpack compressed file that is also exepacked with other stunpack files
its not something like a zip-file its the pure binary code attached to get working - there is no way to get to that point without changing the files to a
non original state and we are missing a stunpack implementation that can re-pack the files

it changes the result that much that is isn't original anymore and only for keeping the setup-tool alive

i don't know what you mean by "better car graphics" CGA/EGA/TANDY are older technologies and got much less colors then VGA (4 or 16 colors, i don't know TANDY)


Daniel3D

#14
Quotei don't know what you mean by "better car graphics" CGA/EGA/TANDY are older technologies and got much less colors then VGA (4 or 16 colors, i don't know TANDY)

I mean for the graphics of the custom cars.
If you want to adjust the pallet it's good to see the effect.
Of course you can view that with the current crack as well.

In the bypassing load.exe there is mention of a repackaging tool.
http://forum.stunts.hu/index.php?topic=2454.msg55894#msg55894
Edison once said,
"I have not failed 10,000 times,
I've successfully found 10,000 ways that will not work."
---------
Currently running over 20 separate instances of Stunts
---------
Check out the STUNTS resources on my Mega (globe icon)