Home Breaking 20 year old PC game copy protection
Post
Cancel

Breaking 20 year old PC game copy protection

Introduction

As a kid, I used to play Taz: Wanted on my PC, but nowadays it’s impossible to play these old games as most modern PCs don’t have a CD drive. While you can easily download no-CD cracks, where the CD checks have been removed, it’s more fun to create your own no-CD patch. In this post, I’ll show you how I was able to create my own no-CD patch for Taz: Wanted.

CD Check

After installing Taz: Wanted on my PC, I encountered a screen prompting me to insert the Taz: Wanted CD-ROM into my CD drive.

image

Analysis

Let’s find out how this check is being performed. Quick Googling around, old forum posts mention how games would just check for a CD-ROM drive on the PC, with a disk inserted that has a string of the game as the label. We will open the Taz.exe file open in Ghidra and see if we can find out if this CD-ROM check is done the same.

Once the executable is open in Ghidra, we will want to use all Analyzers and let it analyse.

image

My first thought is, if it is just checking if there is a CD Drive on the PC, and then checks if the Label of the CD-Drive is equal to something, I should check libraries that the executable imports.

image Under kernel32.dll I see that GetDriveTypeA and GetVolumeInformationA are referenced in the executable, and they are only ever referenced once, is this possibly the function that checks the CD-ROM and is the “copy protection”?

If I go to this reference, I can see in the decompiled view below.

image

At first glance, I can see that GetDriveTypeA is being assigned a variable, and is then being compared to the value 5. UVar2 = GetDriveTypeA((LPCSTR)local_138);

if ((UVar2 == 5)

Looking at the documentation for the function GetDriveTypeA we see that a return value of 5, means the drive is a CD-ROM drive. Looks like we have where our check is done.

Looking further down this function, we can see references to a string in the executable TazWanted as well as CD Found\n. This gives us further confirmation that this is the function checking that a CD-ROM drive is present, and a CD is inserted that has the label TazWanted.

image

If bVar8 is not 0, it then returns what looks to be a non 0 value. We can safely rename this FUN_004a1f10 to CD_CHECK. With this we can check what is actually calling CD_CHECK and see if we can just skip calling this CD-ROM function altogether. By showing all references of this CD_CHECK we can see that it’s mentioned 3 times by 1 other function FUN_004a1de0. Let’s jump to this function.

image

We can see that it assigns uVar2 = CD_CHECK(); a variable to the returned result. It then just does a return at the end if a simple condition is met with the returned result of CD_CHECK.

image

If we just return out of this function before the CD_CHECK does the game continue on as usual? Let’s patch this CALL CD_CHECK and change it to just a RET, then save and export this executable and replace the Taz.exe in the C:\Program Files (x86)\Infogrames Interactive\TazWanted directory and test it out.

image

image

Successs!

The game launches to the main menu now, doesn’t prompt to enter our Taz: Wanted CD-ROM and we can now play the game!

image

This post is licensed under CC BY 4.0 by the author.