Atari ST Protection: Midi-Maze

This is the actual call into the protection check:

	JSR       init_aes_window
	TST.W     D0
	BGE       aes_ok
	MOVEQ     #-1,D0
	BRA       init_screen_return
aes_ok:JSR       check_copy_protection
	MOVE.W    D0,protection_flag

	CLR.W     (A7)
	MOVE.L    #str_midimaze_d8a,-(A7)
	MOVE.W    #$3D,-(A7)                  ; Fopen("MIDIMAZE.D8A", 0)
	JSR       _gemdos

It is tested later and disables the multi-player game:

check protection in a different place later
	TST.W     protection_flag
	BNE       protOK
	MOVE.W    #-2,machines_online
	MOVE.W    #-2,all_players

The protection of Midi Maze is quite simple, but effective: Track 0, Sector 0 on Side 0 is read twice and while the first 6 bytes have to contain ‘100004’, the rest of the sector has to change between these two reads. This is done via “weak” or “fuzzy” bits on the disk. Interestingly a patch of the Floprd() function could defeat the protection easily, however because there is no further checksums or encryption replacing the beginning of check_copy_protection with ST D0; RTS will be more efficient. This was also exactly the patch that was done on a Karstadt Public-Domain disk with an official version of MIDIMAZE on it!

	MOVEM.L   A0-A6/D1-D7,-(A7)
	MOVEQ     #2,D6       ;test drive A and B
	MOVEQ     #2,D5       ;read the sector twice

	MOVE.W    #$19,-(A7) 	;DGETDRV
	TRAP      #1
	ADDQ.W    #2,A7
	MOVE.W    D0,D7
	CMPI.W    #2,D7
	BLT.S     check_copy_protection_rd_loop
	CLR.W     D7          ;if loaded from harddisk, search drive A


	MOVE.W    #1,-(A7)    ;1 sector
	CLR.W     -(A7)       ;Side 0
	CLR.W     -(A7)       ;Track 0
	CLR.W     -(A7)       ;Sector 0
	MOVE.W    D7,-(A7)    ;drive
	CLR.L     -(A7)       ;reserved
	PEA       check_copy_protection_buffer
	MOVE.W    #8,-(A7) 	;FLOPRD
	TRAP      #14
	ADDA.W    #20,A7
	TST.W     D0			;E_OK
	BEQ.S     check_copy_protection_verify
	CMP.W     #-4,D0		;E_CRC
	BEQ.S     check_copy_protection_verify

	SUBQ.W    #1,D6		;out of tries?
	BEQ.S     check_copy_protection_fail	;=> protection fail
	MOVEQ     #2,D5       ;read the sector twice (again)

	; try the potentially other floppy drive
	ADDQ.W    #1,D7       ;try reading drive B
	CMPI.W    #2,D7		;reached C?
	BNE.S     check_copy_protection_rd_loop
	CLR.W     D7          ;then try drive A
	BRA.S     check_copy_protection_rd_loop

	CLR.W     D0          ;fail
	BRA.S     check_copy_protection_return

	DC.B      'RMP  V1.00  31-July-86'

	CLR.W     D0

	; first: compare the first 6 bytes for identity
	LEA       check_copy_protection_buffer,A0
	LEA       check_copy_protection_magic,A1
	CMPM.L    (A0)+,(A1)+
	BNE.S     check_copy_protection_rd_retry
	CMPM.W    (A0)+,(A1)+
	BNE.S     check_copy_protection_rd_retry

	; count the number of set bits in the remaining 506 bytes
	MOVE.W    #505,D1
	MOVEQ     #7,D2
	MOVE.B    (A0)+,D3
	ASR.W     #1,D3
	BCC.S     check_copy_protection_bitloop2
	ADDQ.W    #1,D0
	DBF       D2,check_copy_protection_bitloop
	DBF       D1,check_copy_protection_byteloop

	SUBQ.W    #1,D5       ;already read twice?
	BEQ.S     check_copy_protection_check     ;yes! => compare the bitcounter

	MOVE.W    D0,D4       ; save the number of bits
	BRA       check_copy_protection_rd_loop	;read sector again

	SUB.W     D4,D0       ;same number of bits set?
	BEQ.S     check_copy_protection_rd_retry ;=> that is a fail!

	ST        D0          ;bitcounter change => success
	MOVEM.L   (A7)+,A0-A6/D1-D7

	DCB.B     512,0

	DC.B      '100004'
Previous post:
Next post: