Demonlord Generic EA protection remover v0.002

Welcome to another new and very useful (yeah, right) utility from Demonlord...

This program removes the EA booter protection envelope and creates an output image with the protection removed. The output image can be converted to Snatchit format if you want to write it back to a physical floppy disk, either 5.25" or 3.5". This program is also a small step on the way to adding support for protected images in Flopper.

Since the EA disks can't be copied with programs like CopyIIPC/Snatchit/Teledisk/Anadisk, they have to be cracked before they can be used. This program should take care of that problem, and if it doesn't, contact me (see end of document). The program also saves the roughly 45 minutes it normally takes me to do this operation by hand... (and maybe even more on disks with a broken track 0F).

Options:

Source drive - Selects the drive used to read the EA booter disk (A or B).

Use protected track from disk - If you answer Yes, the program reads the protected track 0F from the source disk. If you answer No, it uses the file EA.DAT, which contains the protected sectors saved to a file. In all the games I've come across, the protected track 0F contains the same data, so the EA.DAT file should be universal. If the protected track can't be read from the source disk, or doesn't look correct (sector 24 is very special!), you will be asked again whether you want to use the file instead. This will be the case if the disk has been copied with CopyIIPC/Teledisk, since those programs don't reproduce the unusual sector headers on track 0F (see the disk layout notes below). The only thing I've been able to copy these disks with is the CopyIIPC Option Board, which is a hardware card, and I don't think the normal floppy controller can write these disks...

Patch output image for Flopper - Adds a few extra patches to remove Flopper-hostile code from the protection envelope
(like INT killers and memory clears).

Force Singlesided output - Forces the output image to be single-sided, even if the source disk is double-sided. The One on One disk is double-sided, but the game only resides on side 0, so saving both sides of that game is probably just a waste of space... If the disk is single-sided, the program detects this and saves only one side.

Output image filename - Not too hard to guess: the filename of the output image. If no extension is specified, .IMG is added automatically (if the filename ends with ".", .IMG is not added). The image will be either 200K (10 sectors/track, 1 side, 40 tracks) or 400K (10 sectors/track, 2 sides, 40 tracks). On double-sided images, sector 10 on side 1 is added as an empty sector, since side 1 really has only 9 sectors per track and saving the image with uneven track sizes would just be a bad idea... No check for free disk space is made when writing the image, so make sure you have at least 500K free before running the program!

Program operation:

After all questions are answered, the program starts its work. It begins by reading the boot record. It seems that the EA games only have two kinds of boot record: one for games that have a DOS directory, and one for games that don't, because in the games without proper DOS files the loader code lives in the FAT and DOS directory (see the list below). If the program can't determine the type of boot record, it tries to read sector 24 from track 0F. This sector is very special: when it is read, INT 13 reports that 2 sectors have been read, and 1024 bytes of data are returned if the read succeeds. If INT 13 reports 2 sectors read, the program will tell you to contact me... :) (the disk behaves like an EA booter, but has unknown boot code). If INT 13 reports either 1 sector read or an error, the program asks you to make sure it really is an EA booter.
If you're not sure, or don't know how to determine this, contact me anyway...

Once the boot record type is determined, the program locates the loader code on the disk, reads it, and then tries to read the protected track to get the data needed to decrypt the loader. If the read of any track 0F sector fails, you will be asked whether you want to use the EA.DAT file instead. If you select No, the program quits, since it can't find the data it needs to continue.

When the loader is decrypted, the program looks up which tracks the game itself occupies. It then reads the sectors from the protected track that are needed to decrypt the game. As before, if any read fails you'll be asked whether to use the data in EA.DAT. Once the necessary sectors have been loaded from track 0F, the program determines how many sectors should be decrypted and decrypts the game. If the initial code is recognized, the game's name is shown; all games listed below are identified this way. If you have a game that is not identified, please contact me (see below).

When this is done, the program creates the output image. First it patches the boot record, then the loader code, so that the game works without the protected track (among other things...). It also patches the image for Flopper if you asked it to. After that, it reads the remaining tracks to make a complete image. Note that track 0F reads a lot slower than the other tracks, simply because of its weirdness... (tracks already read are not re-read; the program skips them, since they are already in memory).

That is it... But note that this program only removes the "standard" EA protection envelope, not any additional protections that may exist.
One on One, for example, has another protection that is checked when the intro times out and/or when selecting Color/Mono. This protection, and others like it, will NOT be removed by this program. They either have to be removed by you, or by sending the output image to me... If you selected to patch for Flopper, the output image should be ready to run unless the game has additional protections or other weird stuff that will kill Flopper...

"Known" games that use EA protection:

Games with DOS files (loader code normally located in sectors 9,0A on tracks 10-13):
  Mind Mirror
  Murder on the Zinderneuf
  Music Construction Set
  Pinball Construction Set
These disks all have sectors marked as bad by DOS. The sectors marked bad are where the loader code is located, and the entire side 1 (on PCS, at least)...

Games without files (loader code normally located in sectors 2-8 on track 0):
  Archon
  Boulder Dash 1+2
  Hard Hat Mack
  Julius Erving and Larry Bird Go One-on-One
  Seven Cities of Gold

Not supported EA game(s):
  Marble Madness (it has a protection that was probably a predecessor of the one this program removes. The disk has the same layout as the "later" games, but the loader doesn't use the data in the sectors on the protected track; it only checks for their presence. It also has an entirely different boot record and loader, so no support will be added for it. In all other EA booters the boot record and loader code are practically identical; the only things that differ are the number of tracks to read, the number of sectors to decrypt and the checksum of the loader code.)

Error messages:

Drive not ready - The source drive is not ready. Insert the disk, close the door and try again.

EA.DAT has illegal filesize - EA.DAT was found, but it doesn't have the correct size. The file should be 4864 bytes long and contain the raw contents of the sectors needed to decrypt the loader and the processed contents of the sectors needed to decrypt the game.
Error creating image file - There was an error creating the output image file. Maybe you specified an illegal filename?

Error opening EA.DAT - The file EA.DAT was not found, and you either chose to use this file instead of the protected track, or the protected track was broken. This file is not required if track 0F is fully working on the source floppy.

Error reading bootrecord/loader code/game data - There was an error reading one sector on the source disk. This is fatal, so the program quits automatically.

Error reading protected sectors - One or more sectors from track 0F couldn't be read properly, or didn't return the expected error. You will be asked whether to use the data in EA.DAT instead.

Not enough memory free to complete operation - The program requires 70K of free memory after loading. This memory is used as buffers for the different parts of the disk.

For the interested: Disk layout and other technical info:

The "standard" EA booter disk has 10 sectors/track on side 0, with sector IDs 1-10 laid out in the physical order 6, 1, 7, 2, 8, 3, 9, 4, 10, 5. Track 0F contains 96 "sectors", numbered 1, 31h, 2, 32h, 3, 33h... and so on up to 30h, 60h. Since there's no way to store 96 512-byte sectors on a single track, the only thing on this track is the sector headers, which is also what you get when reading a sector from the track... If the disk is double-sided, side 1 has 9 sectors, numbered 1-9, on all tracks. If the game has DOS files, it also has a lot of sectors marked as bad by DOS; these are the sectors that contain the loader and game code. In the Construction Set "games", the rest of the disk space is left available, so that you can save the stuff you create in them. Pinball Construction Set also has the entire side 1 of the disk marked as bad, since the disk is single-sided. The boot record and loader code are filled with niceties that will kill Flopper and make debugging a bit harder.
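As an added illustration (not part of Demonlord's program), here is a small Python model of the disk geometry and image layout described above: the side-0 interleave, the 96 header IDs on track 0F and what an INT 13 read of each should return on a genuine disk, and the byte offset of every sector in the 200K/400K .IMG, including the padded empty sector 10 on side 1. The image ordering (track 0 side 0, track 0 side 1, track 1 side 0, ...) and the reading of the sector numbers as hexadecimal are assumptions not stated in this document; the sample sector data is constructed.

```python
"""
Added example: a model of the EA booter disk geometry described above and of
the flat .IMG layout the remover writes. Not code from the remover itself.

Assumptions (labelled, not stated in the document):
  * the .IMG is cylinder-major, side-minor, sectors ascending (track 0 side 0,
    track 0 side 1, track 1 side 0, ...), the usual raw PC image order;
  * sector IDs on track 0F are hexadecimal ("24" -> 0x24, "above 40" -> > 0x40).
"""

SECTOR_SIZE = 512
TRACKS = 40
SECTORS_PER_TRACK = 10      # side 0 really has 10; side 1 has 9 plus one padded empty sector
PROTECTED_TRACK = 0x0F

# Physical order in which the ten side-0 sector IDs appear on every track.
SIDE0_PHYSICAL_ORDER = [6, 1, 7, 2, 8, 3, 9, 4, 10, 5]


def image_size(double_sided: bool) -> int:
    """200K for a single-sided image, 400K for a double-sided one."""
    sides = 2 if double_sided else 1
    return TRACKS * sides * SECTORS_PER_TRACK * SECTOR_SIZE


def sector_offset(track: int, side: int, sector: int, double_sided: bool) -> int:
    """Byte offset of (track, side, sector) in the output image; sector is 1-based."""
    if not 0 <= track < TRACKS:
        raise ValueError("track out of range")
    if side not in (0, 1) or (side == 1 and not double_sided):
        raise ValueError("side out of range for this image")
    if not 1 <= sector <= SECTORS_PER_TRACK:
        raise ValueError("sector out of range")
    sides = 2 if double_sided else 1
    track_index = track * sides + side          # assumed cylinder-major, side-minor order
    return (track_index * SECTORS_PER_TRACK + (sector - 1)) * SECTOR_SIZE


def physical_slot(sector: int) -> int:
    """Position (0-9) of a side-0 sector ID within the track's physical order."""
    return SIDE0_PHYSICAL_ORDER.index(sector)


def track0f_sector_ids() -> list:
    """The 96 header IDs on track 0F: 1, 31h, 2, 32h, ..., 30h, 60h."""
    ids = []
    for i in range(1, 0x31):
        ids.append(i)
        ids.append(0x30 + i)
    return ids


def expected_track0f_read(sector_id: int):
    """What a genuine disk returns for an INT 13 read of one track-0F sector,
    per the document: a CRC error above 40h, "2 sectors read" (1024 bytes) for
    sector 24h, and one ordinary sector otherwise."""
    if sector_id not in track0f_sector_ids():
        raise ValueError("no such header on track 0F")
    if sector_id > 0x40:
        return ("crc_error", 0)
    if sector_id == 0x24:
        return ("ok", 2 * SECTOR_SIZE)
    return ("ok", SECTOR_SIZE)


def build_image(read_sector, double_sided: bool) -> bytes:
    """Assemble the image from a read_sector(track, side, sector) callback.
    Side 1 sector 10 does not exist on the disk and is left as zeros."""
    img = bytearray(image_size(double_sided))
    sides = 2 if double_sided else 1
    for track in range(TRACKS):
        for side in range(sides):
            real_sectors = SECTORS_PER_TRACK if side == 0 else 9
            for sector in range(1, real_sectors + 1):
                data = read_sector(track, side, sector)
                if len(data) != SECTOR_SIZE:
                    raise ValueError("short sector %d/%d/%d" % (track, side, sector))
                off = sector_offset(track, side, sector, double_sided)
                img[off:off + SECTOR_SIZE] = data
    return bytes(img)


def _fake_read(track, side, sector):
    # Constructed sample data: each sector is filled with a byte derived from its address.
    return bytes([(track * 31 + side * 17 + sector) & 0xFF]) * SECTOR_SIZE


if __name__ == "__main__":
    img = build_image(_fake_read, double_sided=True)
    pad = sector_offset(0, 1, 10, True)
    print(len(img), "bytes; side 1 sector 10 of track 0 is empty:",
          img[pad:pad + SECTOR_SIZE] == bytes(SECTOR_SIZE))
```

The expected_track0f_read table is the check the remover has to make when it decides whether track 0F "seems correct": on a CopyIIPC/Teledisk copy the sectors above 40h come back clean instead of with CRC errors, which is exactly the "didn't return the correct error" case in the error list.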
Part 1: Boot record operation

The boot record moves the INT 1E diskette parameter table to 0:80 (an effective way to kill INT 20 and up, since the table overwrites their vectors), sets up SS:SP, sets the CGA video mode and starts loading the EA logo from sector 9 on track 0. It reads sectors 9-0A from this track and then tracks 1, 2 and 3. This data is read directly into CGA memory at B800:0, so the image is shown as it loads. After this, the loader is loaded from disk into memory starting at 0:F000. The loader is read from different sectors depending on whether or not the game has DOS files. Then the decryption data is loaded from track 0F, sectors 0F, 0D, 0B, 09, 07, 05 and 03. These sectors are used to decrypt the loader with an XOR loop. Once decryption is done, the boot record jumps to the loader. The remover only patches the boot sector so that it neither reads from the protected track nor decrypts anything, since the decrypted loader is saved in the image file.

Part 2: Loader operation

This is where most of the action is. The loader starts by setting a number of interrupt vectors to "original" values, probably the values used in a 100% compatible PC BIOS. The INTs restored are 0, 1, 3, 4 and 5. It then points INT 18 (ROM BASIC) and INT 1B (Ctrl-C check) at the INT 19 (bootstrap loader) handler. It moves a routine that clears the memory at 0:F000-0:FFFF, to wipe out all traces of the loader, to 50:EA. Then it overwrites the first byte of the handlers for interrupts 0-1D with an IRET instruction. This simply kills any interrupt that has been hooked, since these INTs point into the BIOS if the game was booted properly. A little hacker protection... It continues by checksumming the boot record. I'm not sure this value is ever checked, but I still insert the value it's supposed to become... It then hooks INT 3 and runs it. The new INT 3 checksums the loader code. This IS checked later, and if it is incorrect, the game reboots instantly (after loading) via INT 19.
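To make the vector-table tricks in Part 1 and Part 2 concrete, here is an added Python model (example code, not the remover's or the EA loader's own) of the real-mode low-memory area: it places an 11-byte diskette parameter table at 0:80 and computes which interrupt vectors that overwrites, points INT 18 and 1B at the INT 19 handler, and writes IRET over the first byte of every handler for INT 0-1D. The DPT layout (the standard 11-byte BIOS table with sectors per track at offset 4) and the sample handler addresses are assumptions/constructed, not taken from the document.

```python
"""
Added example: a model of the low-memory tricks described in Part 1 and Part 2,
to show exactly which interrupt vectors they destroy. Not code from the remover
or from the EA loader. Addresses are real-mode linear addresses (seg*16 + off).

Assumption (labelled): the diskette parameter table (DPT) that INT 1E points at
is the standard 11-byte BIOS table, with sectors-per-track at offset 4.
"""

DPT_LEN = 11
DPT_SPT_OFFSET = 4          # byte 4 of the DPT is sectors per track
IRET = 0xCF                 # x86 IRET opcode


def linear(seg: int, off: int) -> int:
    return ((seg << 4) + off) & 0xFFFFF


def vector_addr(intno: int) -> int:
    """Linear address of the 4-byte vector slot for interrupt intno."""
    return intno * 4


def clobbered_vectors(table_linear: int, length: int) -> list:
    """Interrupt numbers whose vector slot overlaps [table_linear, table_linear + length)."""
    first = table_linear // 4
    last = (table_linear + length - 1) // 4
    return list(range(first, last + 1))


class LowMem:
    """1 MiB of real-mode memory with helpers for the interrupt vector table."""

    def __init__(self):
        self.mem = bytearray(0x100000)

    def get_vector(self, intno):
        a = vector_addr(intno)
        off = self.mem[a] | (self.mem[a + 1] << 8)
        seg = self.mem[a + 2] | (self.mem[a + 3] << 8)
        return seg, off

    def set_vector(self, intno, seg, off):
        a = vector_addr(intno)
        self.mem[a:a + 4] = bytes([off & 0xFF, (off >> 8) & 0xFF,
                                   seg & 0xFF, (seg >> 8) & 0xFF])

    def byte_at(self, seg, off):
        return self.mem[linear(seg, off)]

    def place_dpt(self, seg, off, dpt: bytes):
        """Boot record step: copy the DPT to seg:off and point INT 1E at it.
        Because 0:80 is inside the vector table, this tramples INT 20h and up."""
        a = linear(seg, off)
        self.mem[a:a + len(dpt)] = dpt
        self.set_vector(0x1E, seg, off)

    def alias_vector(self, intno, target):
        """Loader step: make INT intno share INT target's handler (18h/1Bh -> 19h)."""
        seg, off = self.get_vector(target)
        self.set_vector(intno, seg, off)

    def iret_patch(self, first, last):
        """Loader step: write IRET over the first byte of every handler for
        INT first..last, so anything hooked there (a debugger's INT 1/INT 3,
        for instance) returns immediately."""
        for intno in range(first, last + 1):
            seg, off = self.get_vector(intno)
            self.mem[linear(seg, off)] = IRET


def demo():
    m = LowMem()
    # Constructed sample: vectors 0..2Fh each point at F000:(intno*16), where a
    # PUSH AX (0x50) stands in for the first byte of a real handler.
    for i in range(0x30):
        m.set_vector(i, 0xF000, i * 16)
        m.mem[linear(0xF000, i * 16)] = 0x50
    # A stock 360K DPT (assumed values): sectors per track is the byte 9 at offset 4.
    dpt = bytes([0xDF, 0x02, 0x25, 0x02, 0x09, 0x2A, 0xFF, 0x50, 0xF6, 0x19, 0x04])
    m.place_dpt(0x0000, 0x0080, dpt)
    killed = clobbered_vectors(linear(0, 0x80), DPT_LEN)    # [0x20, 0x21, 0x22]
    m.alias_vector(0x18, 0x19)
    m.alias_vector(0x1B, 0x19)
    m.iret_patch(0x00, 0x1D)
    # 0:84 is now both "low word of the INT 21 vector" and "DPT sectors per track".
    spt_byte = m.byte_at(0, 0x80 + DPT_SPT_OFFSET)
    return m, killed, spt_byte


if __name__ == "__main__":
    m, killed, spt = demo()
    print("vectors overwritten by the DPT:", [hex(v) for v in killed])
    print("byte at 0:84 (sectors per track):", spt)
    print("INT 3 handler now starts with IRET:", m.byte_at(0xF000, 3 * 16) == IRET)
```

Run against this model, the DPT at 0:80 lands on the slots for INT 20h, 21h and 22h, which is why the document can call it an "effective way to kill INT 20+", and why the later write of 9 to 0:84 is simultaneously a DOS vector byte and the table's sectors-per-track field.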
After the INT 3 checksum hook is installed, the loader clears certain areas of memory (segments 1000-1C00, 2000-B000, C000-F000). Then it actually loads the encrypted game code. After that, it loads the protected sectors used to decrypt the game. If any read error occurs here, or the wrong error occurs, it jumps to EA:50, which is not a good thing! The sectors loaded are 24, 0B, 1D, 17, 5F, 42, 57, 58, 1B, 4A, 46, 11, 03 and 41. All sectors above 40 are expected to return CRC errors... When all protected sectors have been loaded, it runs an advanced calculation to derive a value used to modify the protected sectors. Luckily for me, this value is always 7CE0. Then it decrypts the actual game. When that is done, it computes a new checksum, this time over the decrypted game data; an incorrect checksum results in a reboot. Before jumping to 50:EA, it sets the byte at 0:84 (originally part of the INT 21 vector) to 9: since the loader moved the INT 1E diskette parameter table to 0:80, this byte is the table's sectors-per-track field.

Part 3: Memory cleanup

When the loader is done, it jumps to 50:EA, where it earlier placed a little piece of code that clears first the memory at 0:F000-0:FFFF and then 50:EA-50:FF. Execution then falls through to 50:100, where the game was loaded, and the game will (or should) start.

If you want to debug the actual game code (after deprotection), there's an easy way to get to the real game's entry point in SoftIce. Enter SoftIce (with the disk in A:, the BIOS set to check the floppy and boot A: first) and type:

  bpint 10 ax=4   (trap the setting of the CGA video mode)
  boot            (boot the game; SoftIce will break somewhere around 0:7C5C, depending on which boot record the game has)
  bc *            (clear all breakpoints)
  p ret           (let the boot record load the loader code)
  g 50:100        (proceed to 50:100, where the game is loaded)

... and that's it. The loader code is wiped from memory before this point. Use g 50:EA instead of g 50:100 if you want to look at the loader code, which is located at 0:F000.
(You can reach the game code the same way with the protection intact, except that you have to use the command "i3here off" to turn off SoftIce's trapping of INT 3 breakpoints, since the loader hooks and runs INT 3 itself. It's not much use, though, since both the loader code and the game code are still encrypted on disk...)

Final words:

If you find a game that isn't listed above (under "Known games that use EA protection"), or if the program tells you to, please contact me. If you have a game that the program doesn't recognize (either the boot code/loader or the game itself) or doesn't unprotect properly, please contact me, and something will be done about it...

e-mail: demonlord@swipnet.se