AKA: Sidestepping copy protection with Masa Mainio
There was once a Swedish series of children's educational video games known as Mulle Meck, known in other languages with similarly alliterative names like Masa Mainio, Gary Gadget and Willy Werkel. The franchise includes 5 games about designing and building things, plus of course a personal organiser / calendar utility. Four of the 5 games were localised and released in Finnish, and they were wildly popular between the late 90s and early-to-mid 2000s. Like many other people of my age I played and greatly enjoyed them at the time. For me the games were an early yet effective gateway drug to more complicated engineering-y games years later, like Garry's Mod and Kerbal Space Program. The simple gameplay was supported by brilliant hand-drawn artwork and quirky, fully voice-acted dialogue.
None of the games are on sale anymore, and since a lot of people (at least here in Finland) played them in schools or public libraries there are not too many physical copies around. Fortunately all the games are preserved on archive.org.
The first two games (about building cars and boats respectively) are fairly easy to run even on Windows 10 with the help of some compatibility settings. The third game (about planes) is more difficult to run since it uses an old version of Direct3D, and I remember it being fiddly to run even when it was new. However, it is by far the worst of the series (don't @ me) and can be run with the help of a virtual machine if nothing else.
The fourth game (about building houses, needless to say) was released in 2002 (2003 in Finland) and is somewhat more difficult to run on modern systems. While it is technology-wise quite similar to the first two games, from the preservation point of view it includes an unfortunate addition: DRM.
I mounted a backup disc image of the game, and tried to run the installer on my Windows 10 computer. Absolutely nothing happened. Why?
The CD of Bygg hus med Mulle Meck contains a disc copy protection scheme known as SafeDisc V2, which was very common in games of the era. The last time I encountered it was while backing up my CD copy of The Lord of the Rings: The Return of The King for PC.
SafeDisc v2 is easy to recognise: the root folder of the disc includes files such as SECDRV.SYS. When I opened setup.exe in a hex editor I was easily able to find the magic string that identifies the exe as being SafeDisc v2 protected.
SafeDisc was implemented using a system driver, which ironically caused it to become a major source of security vulnerabilities. Because of this Windows 10 dropped support for the DRM scheme in 2015, along with the more widely known and despised SecuROM software. While this was the right move from the security POV, the end result is that about a decade's worth of games are no longer playable on Windows 10, at least when installing from an original CD or DVD.
There are ways to circumvent the DRM, even on Windows 10. These include re-enabling the potentially vulnerable DRM driver (no thanks), installing a no-CD patch (I'm not aware of one for this game) or getting a digital copy of the game (which as previously stated does not exist). However, it turns out there's a fairly easy way to circumvent the DRM in the case of this game.
We don’t need no stinking installers
Remember a few paragraphs ago when I said that the SafeDisc signature is in setup.exe? This gave me an idea: what if SafeDisc is only used for the installer, and not the game itself? Then by bypassing the installer, we could run the game without having to care about the DRM.
To test the theory, I needed to extract all the necessary game files from the CD. This was both more interesting and more complicated than I expected. The installer was created using InstallShield 6.1. The game data is stored in two archives on the disc, including data2.cab. I've done this a few times before using Universal Extractor 2, an excellent tool for extracting literally hundreds of different binary archive formats. But it didn't work entirely for the game: I was able to extract the first archive, but I got some undescriptive error messages when trying to extract the second. Not being in a mood to delve into the source code to figure out why, I spent an hour or two looking for alternative tools.
I was finally able to extract the files using unshield, which I built from source in WSL / Ubuntu as Windows binaries were not readily available. Extracting both .cab files resulted in the following folder full of folders:
Program_Executable_Files
_Engine_Engine_Files
_Engine_Kernel_Placeholder
_Engine_Log_Services
_Engine_Log_Services_Placeholder
_Engine_ScriptEngine
_Engine_SelfRegistering
_Support_Finnish_Files
_Support_Finnish_OS_Independent_Files
_Support_Finnish_String_Tables
_Support_Language_Independent_OS_Independent_Files
_Support_Non-SelfRegistering
The only thing we need from here is the contents of Program_Executable_Files, because all the other stuff is only used by the installer framework as far as I can tell. I copied the contents to a new folder called assembled. I also copied the Motion photography folder from the root of the CD to the same directory, which contains basically the vast majority of the game content.
And ta-da! We have successfully bypassed the installer, and completely sidestepped the DRM.
Well, sort of successfully. We can now run MulleHus.exe, which results in a thrilling black screen, followed by an even more interesting message in Swedish:
…which roughly translates to:
This program is not installed correctly. Please run the installer again.
So what did we do wrong? Time to break out the big boy tools. I started poking at the game executable in Ghidra and a hex editor, and I was able to locate the message as part of a script which sets some variables.
set errNotInstalled = "Programmet är inte korrekt installerat. Kör installationsprogrammet igen."
The same section contains other interesting stuff, such as the following:
criticalFileCD = "AttendMulleHusHelp.htm"
criticalFileHD = "RecordsRecords.cst"
This will be important later.
Curiously, the message was trivial to find in the hex editor yet Ghidra didn't show it at all: the Ghidra listing ended before the section where the string was supposed to be. Understanding why requires another diversion.
The Mulle Meck games were not implemented in C or C++ like most games of the era, but rather using Macromedia Shockwave 8, which at the time was a common choice for CD-based games and multimedia software like interactive encyclopaedias. It was also a popular browser plugin for web games (like Habbo Hotel) around the turn of the millennium, but eventually lost to Flash, which was also owned by Macromedia (and later Adobe).
So, the game executable is not actually the game. Rather it is the standard Shockwave player executable (Macromedia Projector), presumably compiled by Macromedia, and the game data is simply appended to the end of the file. Ghidra only shows what is in the executable part of the file, which is why it doesn't show the strings above. Therefore the error message is most likely produced by a script in the Shockwave part of the game, and not by any special code in the executable. I could probably find a copy of Macromedia Director (the tool used to create Shockwave applications) and some tools to unpack the data, but I decided to continue working on the game executable instead.
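The reason a loader-based view stops short can be checked directly: anything past the end of the last PE section is overlay data that is never mapped as part of the image. The following Python sketch is an added example, not part of the original post; the sample executable it builds and all function names are constructed for illustration.

```python
import struct

def overlay_offset(data: bytes) -> int:
    """File offset where bytes not covered by headers or any PE section begin."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 4 + 2)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    table = e_lfanew + 4 + 20 + opt_size
    end = table + 40 * num_sections          # the headers themselves
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if ptr:                              # ptr == 0: no bytes in the file
            end = max(end, ptr + size)
    # Note: a signed file also keeps its certificate table in this region.
    return min(end, len(data))

def overlay_strings(data: bytes, needle: bytes) -> list:
    """Offsets of `needle` that lie in the overlay, i.e. outside the image."""
    hits, pos = [], data.find(needle, overlay_offset(data))
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def build_sample() -> bytes:
    """Constructed minimal PE: one 0x200-byte section at 0x200, then appended data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + sect).ljust(0x200, b"\0") + b"\x90" * 0x200
    return image + b'set errNotInstalled = "sample"'   # stands in for appended data

if __name__ == "__main__":
    sample = build_sample()
    print(hex(overlay_offset(sample)), overlay_strings(sample, b"errNotInstalled"))
```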
I ran the game again, but this time I used Ghidra 10's new integrated debugger. I saw that the game loaded some libraries which I didn't expect it to, which led me to discover Shockwave's Xtras system. Basically Shockwave applications are somewhat limited in terms of capabilities, but Xtras allow the runtime to be extended with native code in order to, for example, call operating system APIs or make web requests. The game directory contains an Xtras folder, with plenty of stuff:
Amplitude.x32
Vigorous GIF Asset.x32
Vigorous GIF Alternatives.x32
Budapi.x32
DirectOS.x32
DirectSound.x32
FileIo.x32
Font Asset.x32
Font Xtra.x32
INetURL.x32
keypoll.x32
MacroMix.x32
Combine Services and products.x32
NetFile.x32
NetLingo.x32
PMatic.x32
QT3Asset.x32
QuickTime Agent.x32
Sound Adjust.x32
Sound Import Export.x32
SWADCmpr.x32
Textual snarl Asset.x32
TextXtra.x32
vList.x32
Despite the file extension .x32 these are actually just plain old .dll files, which the game executable loads dynamically. By going through module imports and setting some breakpoints I was able to confirm that the game uses the libraries to do things like file IO and registry access.
I was unable to make further progress with Ghidra, so I decided to use another tool: Sysinternals Process Monitor (Procmon). It is an invaluable tool if you need to figure out what a program is actually doing, because it basically logs most WinAPI calls made by every currently running application. I use it fairly often to check if some slow-running program has frozen or is actually doing something.
I attached Procmon and ran the game again, which gave me hundreds of events to scroll through.
This immediately revealed some interesting things about the game. The player creates a temporary folder (AppData\Local\Temp\TempFolder.aaa) and extracts some DLL files to it. The folder is destroyed when the game exits. Between the two sequences of events, the game performs the check(s) to validate the installation, and then shows an error message if it detects any problems. After some scrolling, I found what was wrong.
Bingo! The game reads the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MulleHus.exe, and shows the error message if the key does not exist. Procmon also produced a stack trace for the event which confirms that the key is read by code in the DirectOS.x32 Xtra. The keys under App Paths are used by Windows' Application Registration system, which is generally used to associate file types and protocols with programs, but it looks like this game uses it to detect that the game has been properly installed with the installer. After creating the key (containing the path of the executable) and the Path subkey (which points to the working directory) the game can now be run successfully!
There is another wärning båx about QuickTime 5 not being installed, but that only means you can't watch a 2-minute intro video. The game continues running normally after closing the message.
Now do it without the CD!
We've now reached the original goal, but there's one more thing to do: to run the game without the (virtual) CD. This turned out to be really simple. I unmounted the image and started the game, which produced this error message:
I had another look at the events I recorded earlier after running the game successfully for the first time.
10.16.11,6061719 MulleHus.exe 26396 QueryOpen D:AttendMulleHusHelp.htm PATH NOT FOUND
10.16.11,6062203 MulleHus.exe 26396 QueryOpen E:AttendMulleHusHelp.htm PATH NOT FOUND
10.16.11,6062606 MulleHus.exe 26396 QueryOpen F:AttendMulleHusHelp.htm PATH NOT FOUND
10.16.11,6063213 MulleHus.exe 26396 CreateFile G:AttendMulleHusHelp.htm PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
10.16.11,6064747 MulleHus.exe 26396 CreateFile V:AttendMulleHusHelp.htm SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
10.16.11,6065008 MulleHus.exe 26396 QueryBasicInformationFile V:AttendMULLEHUSHELP.HTM SUCCESS CreationTime: 5.6.2003 14.56.10, LastAccessTime: 1.1.1601 2.00.00, LastWriteTime: 5.6.2003 14.56.10, ChangeTime: 5.6.2003 14.56.10, FileAttributes: R
10.16.11,6065062 MulleHus.exe 26396 CloseFile V:AttendMULLEHUSHELP.HTM SUCCESS
The game loops through all of my drives (both hard drives and virtual CD drives) looking for the file AttendMulleHusHelp.htm, which we saw previously as a string in the game executable. And you may be able to guess that by copying the file from the CD to a corresponding folder on any hard drive the game thinks that the CD is in the drive. We've now bypassed the second and final form of copy protection!
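Both findings, the registry key that was not found and the same relative path being probed on one drive letter after another, can be pulled out of a Procmon CSV export without scrolling. This is an added example, not from the original post; the process name, paths and events in the sample are constructed, and only the column names follow Procmon's CSV export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Procmon's CSV export layout; all values are placeholders.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:16:11.1","Game.exe","4242","RegOpenKey","HKLM\SOFTWARE\Example\App Paths\Game.exe","NAME NOT FOUND",""
"10:16:11.2","Game.exe","4242","QueryOpen","D:\Docs\Readme.htm","PATH NOT FOUND",""
"10:16:11.3","Game.exe","4242","QueryOpen","E:\Docs\Readme.htm","PATH NOT FOUND",""
"10:16:11.4","Game.exe","4242","CreateFile","V:\Docs\README.HTM","SUCCESS",""
"10:16:11.5","Other.exe","99","CreateFile","C:\Temp\x.dll","SUCCESS",""
'''

DRIVE_PATH = re.compile(r"^([A-Za-z]):\\(.+)$")

def triage(csv_text, process):
    """Return (registry keys not found, {relative path: [(drive, result), ...]})."""
    missing_keys, probes = [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != process:
            continue
        m = DRIVE_PATH.match(row["Path"])
        if row["Operation"].startswith("Reg") and row["Result"] == "NAME NOT FOUND":
            missing_keys.append(row["Path"])
        elif m:
            # Windows paths are case-insensitive, so compare them lowercased.
            probes[m.group(2).lower()].append((m.group(1).upper(), row["Result"]))
    # A drive sweep is one relative path tried on more than one drive letter.
    sweeps = {p: hits for p, hits in probes.items()
              if len({drive for drive, _ in hits}) > 1}
    return missing_keys, sweeps

if __name__ == "__main__":
    keys, sweeps = triage(SAMPLE, "Game.exe")
    print("registry keys not found:", keys)
    for path, hits in sweeps.items():
        print(path, "->", hits)
```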
Software is not made of magic. Installers are mostly useless. DRM is bad for software preservation. Ghidra is great, but not for every purpose. Procmon is wonderful as long as your mouse has a free-scrolling wheel.