This page describes the copy protection schemes implemented on all platforms that Dungeon Master and/or Chaos Strikes Back were released on.
The earlier versions released on Atari ST, Amiga and Apple IIGS feature very sophisticated copy protection schemes. Other versions have much weaker protections and some of them have no copy protection at all (check the Platform-specific details section).
It took several months after the first release of Dungeon Master on Atari ST before the copy protection was fully defeated, while most copy protections are defeated in a matter of hours or days by experienced hackers. This partially explains why they sold lots of copies, the main reason being, of course, that this is a great game!
Read what Andy The Arfling (a hacker, once a member of the BBC / Automation groups) said about the Dungeon Master copy protection in an interview (Interview of a hacker talking about the Dungeon Master copy protection):
Encryption routines were a silly game, so the best protection has to be Dungeon Master as far as I’m concerned. Law has mentioned a decryption routine I wrote running on the keyboard processor, but it was still beaten by hardware.
Dungeon Master. It seemed to be written in some kind of interpreted language which made it very difficult to fathom. It also had protection embedded throughout the game. Good protection is like good encryption, it can never be an afterthought, you can’t buy it off the shelf, it has to be part of the fabric of the game. Apparently it had a protection check after the final boss, just so you couldn’t see the end sequence. Hats off to them. Hats off to Was (Not Was) for cracking it.
Doug Bell was the main programmer of Dungeon Master and its copy protection.
Posted on 06/09/2008 at 16:55 on http://www.next-gen.biz/index.php?option=com_content&task=view&id=10800&Itemid=50&show=1&start=8 (link is now dead)
Of course it is a difficult question to say how much more or less revenue a product would have earned with or without copy protection. The answer to the question is dependent on a number of factors including the effectiveness of the copy protection and availability of similar products at different price points with and without effective copy protection.
There are at least four different interest groups, with the lines between them blurred at times:
1) Software developers and publishers seeking to maximize the return on their efforts;
2) Paying customers interested in receiving value in exchange for their money;
3) Pirates interested in using the software while illegally minimizing or eliminating costs; and
4) Crackers interested in the technical challenge, notoriety and/or financial gain from circumventing the technical barriers to copying or pirating the software.
Each interest group offers up their own reasons and rationales to justify their actions. Crackers argue the copy protection is pointless because it can always be circumvented as if this somehow bestows their activities with some form of populist nobility. Pirates argue that they wouldn’t have paid for the product anyway, so their actions somehow don’t really amount to stealing from the developer. Paying customers are frustrated by paying for a product that is less functional or more cumbersome to use than the stolen version used by the pirate. Finally, the resources available to software developers to invest in creating software are limited by the revenue they earn and reduced by the resources invested in copy protection. All in all, this creates a tough situation to analyze.
However, as the developer of a must-have computer game (albeit from a couple of decades ago) that you had to actually buy, I may have the rare perspective to take a stab at the question. Back in 1988, cartridge games were rarely pirated while computer games were rampantly pirated. Most games were cracked within a week of being released, with probably significantly less than 1% of software remaining uncracked after two weeks. One notable exception during this period was the game Dungeon Master, which was the best selling game on several different personal computer platforms over a two-year period. Dungeon Master was first released on the Atari ST, and for the better part of a year the only way to play Dungeon Master was to own an Atari ST and to buy the game.
Dungeon Master exposed the fallacy in the claims of both the pirates and the crackers. The pirates who would never have paid for the game if they could steal it did pay for it. Despite a steadily growing bounty of fame and notoriety for cracking the game, the protection lasted more than a year. And the paying customer was rewarded with not just a minimally invasive copy protection scheme, but just as importantly, with the satisfaction of not feeling like a schmuck for paying for something that most people were stealing.
As the developer of both Dungeon Master and the software portion of its copy protection, I knew that eventually the copy protection would be broken, but that the longer it held out the less damage we would suffer when it was broken. We had the advantage of owning the patent on a floppy-disk copy protection scheme that required a $40,000 specialized hardware device to write the disks. It was impossible to create a disk image without this hardware, and the hardware itself was out of production. That meant that as long as there were enough layers on the copy protection, and these layers took long enough to crack, the only way to own the game was to buy it. The copy protection scheme took a couple of weeks to create, and while this added cost to the production without adding value for the customer, it was time well spent. The copy protection was based on many redundant, overlapping and isolated checks and cross checks. The copy protection was developed with the assumption that the cracker would be armed with a hardware emulator and developed with an awareness of the capabilities and limitations of the commonly available emulators of the time.
Dungeon Master had a greater than 50% market penetration on the Atari ST—that is, more than one copy of Dungeon Master was sold for each two Atari ST computers sold. That’s easily 10 times the penetration of any other game of the time on any other platform.
So what’s the lesson? That piracy does take significant money out of the pocket of the developer and that secure anti-piracy schemes are viable.
Copy protected floppy disks require two things:
Pirates want to be able to copy the floppy disks easily, and because they cannot circumvent the hardware limitations of the home computers, their only solution is to change the original program to disable the copy protection checks. The job of crackers is to analyze the program to find the copy protection checks and neutralize them, for example by replacing some instructions to bypass them.
The next sections will show the smart ideas that FTL used to make the life of crackers as hard as possible.
Several techniques were used to place “unusual things” on the original floppy disks of Dungeon Master and Chaos Strikes Back to prevent easy disk copy. Check the ‘Platform-specific details’ section for more information.
The main technique is the use of “fuzzy bits”, also known as “weak bits” or “flakey bits” as they are called at the Software Preservation Society (SPS, ex CAPS). The main characteristic of fuzzy bits is that sometimes their value reads as ‘0’ and sometimes it reads as ‘1’: it is random.
There are several ways to create fuzzy bits:
In order to check if the floppy disk is original, the game reads the fuzzy bits several times and compares the results: if their value is different from one reading to another then the disk is an original. If their value is always the same then the disk is a copy.
Dungeon Master reads the copy protection sector containing the fuzzy bits periodically during gameplay: when starting a game and when moving to another level (only if the previous reading did not occur too recently). The detection of a single bit with changing value is enough for the program to consider the disk as original.
The copy protection code in the Atari ST/Amiga/Apple IIGS versions checks that at least some of the fuzzy bits have random values, but it also checks that all the other bits in the sector are not random. This is important because random bits can also be created in another way (the one used on X68000 and PC-9801) by writing a series of ‘0’ bits; this is possible at least on Amiga (but not on Atari ST).
If the copy protection was only looking for any random bits in the sector, it would be possible to copy the game on Amiga using a special purpose program. The way the fuzzy bits were actually created on Atari ST/Amiga/Apple IIGS ensures that special hardware is required to provide the ability to position reversals with very accurate (and ambiguous) timings, something that was not possible on any consumer-grade hardware available when the games were released.
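The check described above, as an added example that is not code from the game or from FTL: a simulated drive returns the copy protection sector with random values in the fuzzy-bit positions (original disk) or with stable values everywhere (plain copy), and two verifiers are compared, the strict rule of the Atari ST/Amiga/Apple IIGS versions (bits in the fuzzy area must vary AND every other bit must be stable) and the weak "two reads differ somewhere" rule the text attributes to the X68000/PC-9801 method. The sector contents, fuzzy positions and random seed are constructed for the example.

```python
"""Fuzzy-bit disk check modelled on the description above (added example)."""
import random

SECTOR_SIZE = 512

def make_reader(sector, fuzzy_bits, rng):
    """Return a function that simulates one read of `sector`; every bit
    index in `fuzzy_bits` comes back as a coin flip on each read."""
    def read():
        data = bytearray(sector)
        for bit in fuzzy_bits:
            if rng.random() < 0.5:
                data[bit // 8] ^= 0x80 >> (bit % 8)
        return bytes(data)
    return read

def strict_check(read, fuzzy_region, reads=8):
    """Strict rule: some bit inside fuzzy_region (byte range lo..hi) must
    change across the reads, and no bit outside it may change."""
    lo, hi = fuzzy_region
    samples = [read() for _ in range(reads)]
    changed = bytearray(SECTOR_SIZE)          # per-byte mask of unstable bits
    for s in samples[1:]:
        for i in range(SECTOR_SIZE):
            changed[i] |= s[i] ^ samples[0][i]
    varies_inside = any(changed[lo:hi])
    stable_outside = not any(changed[:lo]) and not any(changed[hi:])
    return varies_inside and stable_outside

def weak_check(read):
    """Weak rule: two reads merely have to differ somewhere."""
    return read() != read()

def simulate(kind, seed=1):
    """Build a reader for an 'original' disk, a plain 'copy', or an
    'all-random' disk on which a special-purpose copier made every bit of
    the sector unstable (the trick the strict rule is meant to reject).
    Sector contents and fuzzy positions are constructed for this example."""
    rng = random.Random(seed)
    sector = bytes(range(256)) * 2
    region = (256, 260)                       # 4 bytes hold the fuzzy bits
    fuzzy = {"original": set(range(256 * 8, 260 * 8)),
             "copy": set(),
             "all-random": set(range(SECTOR_SIZE * 8))}[kind]
    return make_reader(sector, fuzzy, rng), region

def classify(kind):
    """Run both verifiers against one simulated disk."""
    read, region = simulate(kind)
    return {"strict": strict_check(read, region), "weak": weak_check(read)}

if __name__ == "__main__":
    for kind in ("original", "copy", "all-random"):
        print(kind, classify(kind))
```

The "all-random" disk passes the weak rule but not the strict one, which is why the Atari ST/Amiga/Apple IIGS versions also verify that the rest of the sector is stable.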
Cracking a program means modifying the program so that it will bypass its copy protection check. In the case of Dungeon Master, that means removing or bypassing the test that checks for the presence of fuzzy bits.
The designers knew that software pirates would try to crack their games so they included a lot of tricks to make their task as difficult as possible.
Many copy protection checks involve a single test when the game starts. It is relatively easy for pirates to find and remove such tests.
In the case of Dungeon Master and Chaos Strikes Back, the developers put several checks for the presence of fuzzy bits at various places in the program. For a “good” crack, you need to find and defeat them all.
In order to make things even harder, the designers put some hidden code pieces in the graphics.dat file. These routines are encoded just like normal images. At some points while you play, these hidden code pieces are decoded in memory, executed and then cleaned from memory. A pirate looking only at the main program would miss them.
You can see these routines disassembled on Dungeon Master and Chaos Strikes Back Graphics.dat: Hidden code.
A checksum is a computed value that depends on the contents of a block of data. Its main characteristic is that if you change anything in the data, the checksum value also changes.
Dungeon Master uses checksums at several places in the program to ensure that the program itself has not been tampered with. If a pirate changes something in the code to remove one part of the copy protection, then the program is changed. The checksum of the program also changes so the program can itself detect the change and know that it has been cracked. Ultimately, it will also break and prevent you from playing the game normally.
That makes the cracking task harder, because you need to find and neutralize all these checksums, in addition to the other disk validation tests.
In many games, the copy protection checks immediately return an error message when a copy is detected. Some copy protection checks work in that way in Dungeon Master. But it is also more vicious: when some of the multiple copy protection tests fail, the game will often not stop immediately. Instead you will be able to keep playing for several minutes (or even hours in certain cases). But ultimately, you will face the consequences in one way or another (see below). The fact that a pirate cannot immediately know if the crack he made is working fine in the long term requires lots of testing and time, and very careful inspection of what the program is doing. This makes the cracking process a lot harder and longer.
If the game detects a copied disk or that the program was modified then it can produce different effects, immediate or delayed:
Although very sophisticated, that copy protection scheme has some drawbacks:
See Detailed analysis of Atari ST Floppy Disks of Dungeon Master and Chaos Strikes Back
If you want to study the software side of the copy protection, you may download ReDMCSB here. It contains the source code of the Atari ST versions and a detailed documentation of the copy protection schemes in these versions.
In Atari ST versions, a custom floppy disk boot sector runs SWOOSH.IMG. This program displays the FTL logo and plays the associated sound. Then it runs START.PRG which is a small program that decompresses in memory the main program stored in START.PAK. The main program is then run in memory.
START.PRG is run with the “AUTO” command line parameter which is forwarded to the main program in START.PAK. That is another protection: you cannot run the program directly if you copied the files to your hard disk.
On an Atari ST with 1 MB of memory (so that the whole game fits in memory), you can detect if the game is an original. If there are short disk accesses while playing (mostly when changing levels), that means the copy protection is probably still there. If you can play for several hours then you have an original.
You may be able to finish Dungeon Master even with a copied version if you save often. Chaos Strikes Back breaks faster than Dungeon Master because there are a lot more level changes.
The Amiga uses 3.5" floppy disks with a rotation speed of 300 rpm and MFM encoding.
The storage capacity is: 2 sides x 80 tracks x 11 sectors per track x 512 bytes per sector = 901120 Bytes = 880 KB.
Amiga tracks can store more data than other formats because the Amiga always writes full tracks, not individual sectors. The benefit is that all gaps between sectors are reduced compared to other formats, which increases the useful storage.
The copy protection on Amiga is very similar to the Atari ST one. Sector 247 found on the Atari ST disk is not present; however, the sector that contains fuzzy bits is also present on the Amiga versions of Dungeon Master and Chaos Strikes Back (only on the game disk, not on the Chaos Strikes Back Utility Disk). Track 0 on side 1 is formatted as a 10-sector Atari ST track just like all tracks on the Atari ST floppy disks (and not as an Amiga track like all other tracks on the Amiga floppy disk). The copy protection sector is sector 1 for Dungeon Master 2.x versions and sector 2 for Chaos Strikes Back 3.x versions. The other sectors in the track are regular sectors: they are not used by the copy protection and are filled with $E5 bytes.
Dungeon Master Demo version 2.0 and Dungeon Master 3.6 are not copy protected and this Atari ST track is not present.
Dungeon Master for Amiga version 2.x:
Unlike the Atari ST versions, the game is not run from the boot block but uses the standard startup-sequence script located in the folder “s” on the disk. This script runs a loader called “exec”. This loader sets up a few things like display and memory reservations.
This program is “self detaching”, which means that it detaches itself from the process that launched it. In fact, it creates a new process for itself and then terminates. In later versions (like in Chaos Strikes Back for Amiga version 3.1), the loader is called “bjeload_r” and does the same thing. It can be seen if you run it in a shell: the program seems to terminate immediately without doing anything, then the game starts.
The loader runs the “swoosh” program (displaying the FTL logo and playing the associated sound), and then the main program “dm”. In fact, it runs “DungeonMaster:swoosh” and then “DungeonMaster:dm” because it refers to the floppy disk by its name. That is why you need to assign the name of the floppy disk to a hard disk folder if you want to play from hard disk (with a hacked version as the original does not permit this).
See Copy Protection of Dungeon Master for Apple IIGS
Floppy disks for Japanese computers (X68000, PC-9801 and FM-Towns) all use the same format for both 5.25 inch and 3.5 inch floppy disks. They all have a rotation speed of 360 rpm and use the MFM encoding.
The storage capacity is: 2 sides x 77 tracks x 8 sectors per track x 1024 bytes per sector = 1261568 Bytes = 1232 KB.
The information and screenshots below result from the analysis of Kryoflux raw images of these floppy disks with the ‘Track Analyzer’ feature that is part of the HxC Floppy Emulator.
Dungeon Master and Chaos Strikes Back for X68000 both use exactly the same copy protection, which is much weaker than the copy protection found in the Atari ST/Amiga/Apple IIGS versions.
There are several clues showing that the copy protection implementation was incomplete and/or rushed:
Compared to Dungeon Master for X68000, Chaos Strikes Back for X68000 contains code for an additional consequence of a failed copy protection check (to prevent saving the game); however, the bug also makes it ineffective.
There is only one copy protection scheme that is still operational:
Track 1 on side 1 contains a sector 0 with no data (on the left of the screenshot) and a fake sector 9 (in addition to the regular 8 sectors) as shown in red at the right of this screenshot:
[Screenshot residue: hex dump of the fake sector 9 as displayed by the Track Analyzer, three columns of byte values; the annotations of the screenshot are kept on the right]
79 79 79
BC BC BC
5E 5E 5E
2F 2F 2F
97 97 97
CB CB CB
E5 E5 E5   <- Actual data written on the disk
72 F2 F2   <- The first byte may not have the same value as the next ones, depending on the value of the preceding random bit
Data bits:  0 1 1 1 0 0 1 0   1 1 1 1 0 0 1 0   1 1 1 1 0 0 1 0   1 1 1 1 0 0 1
Clock bits: 0 0 0 0 1 0 0 0   0 0 0 0 1 0 0 0   0 0 0 0 1 0 0 0   0 0 0 0 1 0 0
08 08 08
10 10 10
20 20 20
40 40 40
80 80 80
01 01 01
02 02 02
04 04 04
The following annotated screenshot shows the MFM timing violations in the 4 random bytes area:
Each time the program checks for the presence of the game disk in the drive (including at the very beginning when starting or loading a game), it reads this fake sector 9 twice and makes sure that the resulting byte values are different. If they both give the same result then the program displays a message requesting insertion of the game disk until an original disk is detected.
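As an added example (not code from the game, from FTL or from the HxC tools), the following encodes bytes to raw MFM cells, reproduces the "Data bits / Clock bits" rows of the sector 9 dump above in the screenshot's convention (the clock shown after data bit i is the clock cell written before data bit i+1), and flags the two things a valid MFM stream never contains: transitions in adjacent cells, and more than three cells without a transition, which is how the random-bytes area reads. All cell streams and byte values fed to it are constructed here, taken from the dump above.

```python
"""MFM encoding of the sector 9 bytes shown above (added example)."""

def mfm_encode(data, prev_bit=1):
    """Return raw cells (0/1) for `data`: one clock cell then one data cell
    per bit. The clock is 1 only between two 0 data bits, so it depends on
    `prev_bit`, the data bit written just before this sequence."""
    cells = []
    for byte in data:
        for i in range(7, -1, -1):
            d = (byte >> i) & 1
            cells.append(1 if prev_bit == 0 and d == 0 else 0)   # clock cell
            cells.append(d)                                        # data cell
            prev_bit = d
    return cells

def mfm_decode(cells):
    """Recover bytes from a cell stream that starts on a clock cell."""
    bits = cells[1::2]                        # keep the data cells only
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def page_view(data, index, prev_bit=1):
    """Data bits and clock bits of data[index] in the screenshot's layout:
    the clock after data bit i is the clock cell preceding data bit i+1, so
    the byte after data[index] must also be present in `data`."""
    cells = mfm_encode(data, prev_bit)
    first = 16 * index                        # cell position of this byte
    data_bits = "".join(str(cells[first + 2 * i + 1]) for i in range(8))
    clock_bits = "".join(str(cells[first + 2 * i + 2]) for i in range(8))
    return data_bits, clock_bits

def mfm_violations(cells, max_gap=3):
    """Report where a raw cell stream breaks the MFM rules: two transitions
    in adjacent cells ('adjacent'), or more than max_gap cells in a row
    without a transition ('gap'); a fuzzy-bit area reads as the latter."""
    found = []
    run = 0                                   # zero cells since the last 1
    for pos, cell in enumerate(cells):
        if cell:
            if run == 0 and pos > 0:
                found.append(("adjacent", pos))
            run = 0
        else:
            run += 1
            if run == max_gap + 1:            # report each long gap once
                found.append(("gap", pos - max_gap))
    return found

if __name__ == "__main__":
    # bytes from the dump above; 0x72 is the first read of the byte after E5
    dump = bytes([0x79, 0xBC, 0x5E, 0x2F, 0x97, 0xCB, 0xE5, 0x72, 0xF2, 0xF2])
    for k in (6, 7, 8):
        print("%02X" % dump[k], *page_view(dump, k))
    # constructed stream: valid cells, then 12 cells with no transition
    stream = mfm_encode(dump[:7]) + [0] * 12 + mfm_encode(dump[8:], 0)
    print(mfm_violations(stream))
```

For the 0x72 and 0xF2 bytes the clock row comes out as 0 0 0 0 1 0 0 0, as in the screenshot: in MFM a clock transition only appears between two consecutive 0 data bits, so the data pattern alone fixes where the clocks fall.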
Other weaknesses:
clr.l -(sp)
dc.w $FF20 ; DOS call SUPER()
addq.l #4,sp
lea Routine,a0
lea ($F00).l,a1 ; Address of unused memory
; in the IOCS work area
; $000800 - $001000
; Crack routine is copied there
movea.l a1,a2
move.w #$10,d0 ; Loop to copy the routine
copy_loop:
move.l (a0)+,(a1)+
dbf d0,copy_loop
lea ($518).l,a0 ; Get original B_READ ($46) routine address
; $518 = $400 (base) + 4 * $46
move.l (a0),d0
move.l d0,$3A(a2) ; Copy original routine address in jmp instruction
move.l a2,(a0) ; Replace the Read Sector routine
dc.w $FF00 ; DOS call EXIT()
Routine:
cmp.w #$9000,d1
bcs.s Call_B_READ ; Branch if call is not for first floppy drive
; (value between $9000 and $9100)
cmp.w #$9100,d1
bcc.s Call_B_READ
cmp.l #$1010109,d2
bne.s Call_B_READ ; If not reading copy protection sector
movem.l a0-a1,-(sp) ; Write bytes expected by the game:
; 'HPR-0007' string
; Followed by 4 random bytes (here a simple counter)
move.l #'HPR-',(a1)+
move.l #'0007',(a1)+
lea Counter,a0
addq.l #1,(a0)
move.l (a0),(a1)
movem.l (sp)+,a0-a1
move.l #$45202001,d0 ; Return value expected by the game
rts
Call_B_READ:
jmp $80000000
Counter: dc.l 0
Both 3.5 inch and 5.25 inch floppy disks of Dungeon Master and Chaos Strikes Back use exactly the same format that is used on the X68000 versions (see above), including the same special copy protection features found on track 1 (on both sides).
There are copy protection checks only when the game starts (new game or load a saved game) and when saving the game: it reads data in ‘diagnostic mode’ on side 0 in either track 0 or 2 starting at sector 1 in order to read more data than the regular sector data, including bytes located in gaps. It computes a checksum of the resulting data and performs comparisons to make sure the special bytes in gaps have their expected values. It also checks that sector 240 exists on track 1 side 1 but cannot be read (no content). If one of these copy protection checks fails, the game immediately requests insertion of the original game disk. There are no delayed consequences.
The copy protection of PC-9801 versions also has a major weakness: there are no checksums on the game code. Modifying the program to bypass the copy protection checks has no consequence, so cracking the game was fairly easy, much easier than with the Atari ST/Amiga/Apple IIGS versions.
The FM-Towns versions were the only ones released on CD-ROM.
The copy protection is very basic: when the game starts, it checks that the Compact Disc has the correct number of audio tracks: 19 for Dungeon Master / 30 for Chaos Strikes Back. If the number of tracks is not correct then the game stops processing events which makes it unplayable: thrown items remain in the air, doors do not open/close anymore, etc.
Apart from the simple check described above, none of the other copy protection related code and variables is present.
Dungeon Master for PC is not copy protected and uses the standard formats for both 5.25 inch and 3.5 inch floppy disks. None of the copy protection related code and variables is present.
Dungeon Master for SNES is not copy protected. Dumping and duplicating the cartridge ROM data is not enough because it also contains a unique and proprietary chip named DSP-2 used for some graphics processing. Modern emulators can run the game from a ROM image because they also emulate this processor.
Cracked versions of Dungeon Master and Chaos Strikes Back are available for download on the page of each game version. Cracking instructions are also provided where available.
You may try the following actions with a copied disk to trigger some copy protection checks and their consequences (this list is not exhaustive):
If you copy an original copy protected floppy disk of Dungeon Master or Chaos Strikes Back using your favorite disk copier, the copy will not have the fuzzy bits but normal bits instead. The game can easily detect their presence by reading them several times: if it gets random results, then it assumes the disk is original. If it gets consistent results, it assumes the disk is a copy.
The only way to make perfect copies is to use special hardware like:
DUNGEON MASTER
by FTL GAMES/SOFTWARE HEAVEN INC.
!
0 : W 1 9 535 14
1 : R 10
R : 79
)
[Credits: Jean Louis-Guérin (DrCoolZic)]