Flashtro.com forums: Gremlin Protoscan



Ok, since a couple of ppl asked for info on Protoscan, here it is... not very interesting, so it's a forum post instead of a real tutorial :)

The protection can usually be spotted by the following sequence:-

MOVE.W  #$9E,D0

usually followed by:-

TST.B   D0

d0 is the track number to check (0-159, $9e is 158 which is cylinder 79 lower side). Of course in theory any track could be used, but I don't think I've ever seen a different track number...
The other constants used in Protoscan protections are the MFM sync value ($4124), and the amount of data read from the track ($1b58 words), but you'll see all this in the following commented disassembly.

The basic sequence of events is similar to every other 'check bad track' protection:

[1] Specially formatted 'bad track' is loaded.
[2] Contents are decoded/examined.
[3a] If read was successful, it's an original.
[3b] If read failed, it's a copy.

There's no decryption to trace, there's no special sector read timing a la Copylock, it's just a vanilla 'bad track' check... let's check out a full commented disassembly (from "Venus the Flytrap" (c)1990 Gremlin):-

-[START DISASM]-----------------
0068C4  MOVE.W  #5,$68C2        ;number of retries
0068CC  MOVE.W  #$9E,D0         ;track 79 protection check
0068D0  BSR.W   0023E6          ;step heads to correct place
0068D4  LEA     $20(A4),A0      ;MFM buffer address
0068D8  BSR.W   0068F0          ;the main PROTOSCAN code
0068DC  BMI.S   0068E2          ;branch if PROTOSCAN returned negative
0068DE  CLR.B   D0              ;success
0068E0  RTS

0068E2  SUBQ.W  #1,$68C2        ;retrycount -1
0068E8  BNE.S   0068CC          ;try protection again if retrycount > 0
0068EA  MOVE.B  #1,D0           ;failed
0068EE  RTS

0068F0  LEA     $DFF000,A6      ;custom chip base
0068F6  MOVE.L  A0,-(A7)        ;save MFM buffer address on the stack
0068F8  BSR.W   002638          ;prepare some regs for disk DMA
0068FC  MOVE.W  #2,$9C(A6)      ;INTREQ: clear DSKBLK request
006902  MOVE.L  A0,$20(A6)      ;DSKPT: MFM buffer address
006906  MOVE.W  #$4124,$7E(A6)  ;DSKSYNC: new MFM sync
00690C  MOVE.W  #$7F00,$9E(A6)  ;ADKCON: clear the disk control bits
006912  MOVE.W  #$9D00,$9E(A6)  ;ADKCON: MFM format, fast disk clockrate
006918  MOVE.W  #$4000,$24(A6)  ;DSKLEN: DMA off
00691E  MOVE.W  #$9B58,$24(A6)  ;DSKLEN: written twice to start the DMA...
006924  MOVE.W  #$9B58,$24(A6)  ;...DMA $1b58 words
00692A  BSR.W   00694C          ;wait for disk DMA to finish
00692E  MOVEA.L (A7)+,A0        ;restore a0 from stack (pts to base of MFM buffer)
006930  MOVE.W  #$4124,D1       ;sync value to look for
006934  CMP.W   (A0)+,D1        ;first word in the buffer must be the sync
006936  BNE.W   006948          ;sync not found
00693A  MOVEQ   #-1,D0          ;word counter
00693C  ADDQ.W  #1,D0
00693E  CMP.W   (A0)+,D1
006940  BNE.S   00693C          ;loops until it finds 2nd sync
006942  SUBI.W  #$1900,D0       ;2nd sync mark @ $1954 words into buffer, so d0=$54 returning
006946  RTS

006948  MOVEQ   #-1,D0          ;failed
00694A  RTS

00694C  LEA     $DFF000,A6      ;custom chip base
006952  MOVE.W  $1E(A6),D0      ;INTREQR
006956  ANDI.W  #2,D0           ;DSKBLK bit set yet?
00695A  BEQ.S   006952          ;no, keep polling
00695C  MOVE.W  #2,$9C(A6)      ;INTREQ: clear DSKBLK request
006962  RTS
-[END DISASM]-------------------

I haven't commented the routines @ 0023E6 (head-stepper) and 002638 (disk DMA setup) since they're not relevant to the protection.
As you can see, it just reads a specially formatted track, checks for 2 sync markers in the MFM buffer, and if they match it's 100% satisfied... needless to say, it's not the world's hardest protection to bypass :)
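A C model of the scan at 0068F0 and the retry loop at 0068C4, added here as an illustration and not code from the original post or from the game. The track images are constructed (no real disk data), word 0 of the buffer is assumed to hold the sync as the original code expects, and the bounds check on the second-sync loop is an addition that the 68000 routine does not have.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SYNC_WORD   0x4124   /* DSKSYNC value written at 006906 */
#define TRACK_WORDS 0x1B58   /* words DMA'd at 00691E/006924 */
#define SYNC_BIAS   0x1900   /* subtracted at 006942 */
#define RETRIES     5        /* $68C2 initialised at 0068C4 */

/* Model of 0068F0 on an already-read buffer. Returns what 0068F0 leaves in D0:
 * negative if no 2nd sync (or one before word $1901), else (index of 2nd sync - 1) - $1900. */
int16_t protoscan_scan(const uint16_t *buf, size_t nwords)
{
    if (nwords == 0 || buf[0] != SYNC_WORD)
        return -1;                            /* 006934-006948: word 0 must be the sync */
    int16_t d0 = -1;                          /* 00693A MOVEQ #-1,D0 */
    for (size_t i = 1; i < nwords; i++) {     /* bound added: the original loops unbounded */
        d0++;                                 /* 00693C ADDQ.W #1,D0 */
        if (buf[i] == SYNC_WORD)
            return (int16_t)(d0 - SYNC_BIAS); /* 006942 SUBI.W #$1900,D0 */
    }
    return -1;
}

/* Model of 0068C4: up to 5 reads; 0 = original, 1 = copy (D0 at 0068DE/0068EA).
 * read_track(attempt) is a constructed disk model returning the DMA'd buffer. */
int protoscan_check(const uint16_t *(*read_track)(int attempt))
{
    for (int attempt = 0; attempt < RETRIES; attempt++)
        if (protoscan_scan(read_track(attempt), TRACK_WORDS) >= 0)
            return 0;
    return 1;
}
/* Constructed track images (not real disk data). 0xAAAA filler never matches the sync. */
static uint16_t track[TRACK_WORDS];

const uint16_t *original_track(int attempt)
{
    memset(track, 0xAA, sizeof track);
    track[0] = SYNC_WORD;
    if (attempt >= 2)                         /* flaky read: 2nd sync only seen on the 3rd try */
        track[0x1955] = SYNC_WORD;            /* yields D0 = $1954 - $1900 = $54, as in the post */
    return track;
}

const uint16_t *copied_track(int attempt)
{
    memset(track, 0xAA, sizeof track);        /* standard-format copy: no $4124 sync anywhere */
    return track;
}
```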



Wow, I've never seen this before on here. A good easy beginner level cracking post. The good thing about the tutorials you've put on here recently (and also this one from 3 years ago :) is that you give a bit more algorithmic style explanation regarding the thought process one goes through when doing things like this.

Earlier this year I read the PPM I and II, a manual of copy protection and how to break it, on the c64. That and the Cracker Jax Revealed are good documents that explain a lot of the thought process behind analyzing protections, but of course a lot of the skill has to be honed by personal experience. And cracking on one platform creates abilities that apply to all architectures.

It seems possible to me to maintain these types of skills in the present and into the future, and keep it from just becoming a bit of nostalgic memories for a narrow contingent of old schoolers. Cracking is still alive on the c64, even though it has slowed down considerably. There was a recent +7 101% crack of Exile by Ksubi/Neophytes...a game which had never been cracked 100% in the past, and was a huge project...very precedent setting. But the main thing is that this was Ksubi's 1st crack ever, yet he accomplished a project of a scope exceeding most experienced guys from the "competitive" era.

So my main point is that there really is no reason why this couldn't be accomplished on the Amiga if the level of activity was upped just a bit. I know that before I knew anybody on here or EAB I had assumed that the Amiga OCS/512k/1m scene must be at least as big as what you see on CSDb (I remembered the scene from 1987-1992). I was shocked to find only about 8-10 people on EAB who were interested in either cracking or demos. Actually 3...maybe 4 into cracking and the rest demos.

Well, I better not rant too much more until I start coming out with my own OCS releases, but I am going to find some Gremlin games and look for this protection. Very nice tutorial.
Intros?...I'm just here for the girls!


Excellent, I have seen this one on a few Gremlin games. What happens in Venus when this protection fails?


This protection is used on Lotus Turbo Challenge Atari ST. Screen stays black :)