News: 11 March 2016 - Forum Rules
Current Moderators - DarkSol, KingMike, MathOnNapkins, Azkadellia, Danke

Author Topic: Puggsy Copy-Protection Disabling Patch + Explanation  (Read 4579 times)

DurradonXylles

  • Jr. Member
  • **
  • Posts: 4
  • Example text.
    • View Profile
Puggsy Copy-Protection Disabling Patch + Explanation
« on: September 16, 2017, 12:55:23 am »
So I created a patch that works around the copy-protection that is used in the Sega Genesis version of Puggsy. Since there isn't an entry for the game in our games list, and it's a bit of an overlooked gem, I decided to put in a short blurb about the game below.


Puggsy is a sidescrolling puzzle-platformer game with some neat physics elements developed by Traveller's Tales (yes, the same people behind Sonic 3D Blast, Mickey Mania, Crash: Wrath of Cortex and every LEGO related game since 2005) and published by the now defunct Psygnosis. It was released back in 1993 for the Sega Genesis/Mega Drive and Amiga, and later for the Sega/Mega-CD in 1994. The game sees you play as the titular Puggsy, an orange alien that vaguely resembles a space hopper toy, who got stranded on a planet foreign to him after the raccoon natives of the planet stole his spaceship.

With that introduction out of the way, all three versions of the game are virtually identical in gameplay, level design and general presentation. The only major differences between them are sound design and the Genesis version's rather clever copy-protection. As stated on the TCRF.net page on the game, Traveller's Tales put in a rather simple yet ingenious anti-piracy measure that specifically targeted cartridge copiers from the time since they all used SRAM.

The copy-protection worked like this: the game tries to create SRAM and makes six different checks throughout the game to see if SRAM was created. If the game finds SRAM, it trips the anti-piracy measure displaying a message stating that you cannot play any further and that you should buy an actual copy of the game instead. Since the game strictly used passwords, and there wasn't a volatile RAM chip inside the retail carts of Puggsy, the copy-protection wouldn't have any means to trip under normal circumstances.


Despite the fact that Tt only intended this copy-protection to deter cartridge copiers that were around in the early to mid nineties, this method has proven itself to be future-proof as all flash cartridges and console emulators will blindly make SRAM data from any game that requests for it to be made. Even modern Sega emulators that aim to be hardware accurate like Kega Fusion, Genesis Plus GX, Exodus and BlastEm! are not safe since it cannot account for a piece of software requesting the usage of hardware it shouldn't have access to under normal circumstances.

Luckily, AndLabs, a member of RHDN, TCRF and Sonic-Retro had found the exact hex values of the Puggsy ROM where the SRAM checks are made and showed how to render them mute. Despite the fact that he made this find five years ago, no one had bothered to make a patch out of this fix. Not until today, that is. Below are the links to patches for the US and EU versions of the ROM, in XDELTA format.


I want to again stress that AndLabs did all the heavy lifting to make this patch possible, and if it wasn't for him finding the hex values and posting them online I would not have been able to make and release these patches. The one thing I will make note of is that he believes that he found all of the hex values where SRAM checks are made, and as far as I could find looking into it myself I couldn't find any concrete evidence to the contrary. If you happen to find yourself getting the Tt sarcastic message of death please let me know. Anyways, enjoy!

UPDATE 16/9/17: So I found that both the US and EU versions of the game have the same three hexadecimal sequences for the anti-piracy checks. While the location of the last sequence differs between regions, the first two are located on the same addresses on both ROMs. I updated the EU version of the patch with the second address, with a new download link for it.
« Last Edit: September 16, 2017, 09:27:49 pm by DurradonXylles »
"Humanity's potential can only travel as far as their imagination, and as high as their aspirations." -Some wise man from a video game I played, I dunno. XD

dACE

  • Sr. Member
  • ****
  • Posts: 353
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #1 on: September 16, 2017, 07:20:25 am »
This was a really interesting read. You rarely come across those things on RHDN these days. Thank you.

/dACE

Gemini

  • Hero Member
  • *****
  • Posts: 2026
  • 時を越えよう、そして彼女の元に戻ろう
    • View Profile
    • Apple of Eden
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #2 on: September 16, 2017, 08:07:37 am »
I was expecting some disassembly of the protection routines. Would be far more interesting than "patch xx with yy".

PS: Link to Sonic Retro is broken.
I am the lord, you all know my name, now. I got it all: cash, money, and fame.

DurradonXylles

  • Jr. Member
  • **
  • Posts: 4
  • Example text.
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #3 on: September 16, 2017, 08:36:04 am »
This was a really interesting read. You rarely come across those things on RHDN these days. Thank you.

/dACE

Thanks, glad to hear it.

I was expecting some disassembly of the protection routines. Would be far more interesting than "patch xx with yy".

PS: Link to Sonic Retro is broken.

I am going to attempt to break down how exactly the copy protection works in the near future, but as far as I can see it simply requests for SRAM to be created like any other game that would use it. It's when it reads or "loads" the successfully written SRAM at the specified points in the ROM what causes the anti-piracy measure to trip. I figure that this patch would be nice to put out into the wild regardless since it is a hidden gem with a cult fanbase.

Also, fixed the link. I don't know how, but somehow a RHDN forum link got interspliced with the Sonic-Retro forum link. It works now.
« Last Edit: September 16, 2017, 09:30:08 am by DurradonXylles »
"Humanity's potential can only travel as far as their imagination, and as high as their aspirations." -Some wise man from a video game I played, I dunno. XD

Jorpho

  • Hero Member
  • *****
  • Posts: 4758
  • The cat screams with the voice of a man.
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #4 on: September 16, 2017, 09:31:21 am »
Is this not a fairly standard means of doing a copy protection check?  Earthbound uses something similar – though in that case the check is used to verify that the cartridge doesn't have more SRAM than it should.
http://media.earthboundcentral.com/2011/05/earthbounds-copy-protection/index.html
https://tcrf.net/EarthBound#Layer_Two_-_SRAM_Check

I was expecting some disassembly of the protection routines. Would be far more interesting than "patch xx with yy".
I expect "routines" are probably pretty boring – just "write aa to bb" and then "check if the value at bb is aa", since reading from an invalid address would not return the value that the program previously tried to write there.
This signature is an illusion and is a trap devised by Satan. Go ahead dauntlessly! Make rapid progres!

DurradonXylles

  • Jr. Member
  • **
  • Posts: 4
  • Example text.
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #5 on: September 16, 2017, 09:38:10 am »
Is this not a fairly standard means of doing a copy protection check?  Earthbound uses something similar – though in that case the check is used to verify that the cartridge doesn't have more SRAM than it should.
http://media.earthboundcentral.com/2011/05/earthbounds-copy-protection/index.html
https://tcrf.net/EarthBound#Layer_Two_-_SRAM_Check
I expect "routines" are probably pretty boring – just "write aa to bb" and then "check if the value at bb is aa", since reading from an invalid address would not return the value that the program previously tried to write there.

Yes, but that is for checking that the proper SRAM size is being used. Checking that the correct hardware is being used is a common anti-piracy measure, and it trips because the ROM picks up that it's not being played on genuine hardware like in Earthbound as you showed. This is the only instance where the existence of SRAM itself is the copy-protection, which is why even hardware accurate emulators trip it.
« Last Edit: September 16, 2017, 09:48:57 am by DurradonXylles »
"Humanity's potential can only travel as far as their imagination, and as high as their aspirations." -Some wise man from a video game I played, I dunno. XD

KingMike

  • Forum Moderator
  • Hero Member
  • *****
  • Posts: 7086
  • *sigh* A changed avatar. Big deal.
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #6 on: September 16, 2017, 12:20:06 pm »
Supposedly Mega Man X (and maybe other Capcom SNES games?) use non-existent SRAM as one of the copy-protection checks. Although MMX delays execution of its antipiracy effects in order to make them harder to detect.
"My watch says 30 chickens" Google, 2018

DurradonXylles

  • Jr. Member
  • **
  • Posts: 4
  • Example text.
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #7 on: September 16, 2017, 01:13:30 pm »
Supposedly Mega Man X (and maybe other Capcom SNES games?) use non-existent SRAM as one of the copy-protection checks. Although MMX delays execution of its antipiracy effects in order to make them harder to detect.

Again quite true, but Mega Man X, Demon's Crest and Super Street Fighter 2 only attempt to detect SRAM from a period cartridge copier (and quite poorly I may add). They don't actively try to create SRAM, so modern SNES emulators can easily evade their attempts to seek the copying out.
« Last Edit: September 16, 2017, 02:26:34 pm by DurradonXylles »
"Humanity's potential can only travel as far as their imagination, and as high as their aspirations." -Some wise man from a video game I played, I dunno. XD

Jorpho

  • Hero Member
  • *****
  • Posts: 4758
  • The cat screams with the voice of a man.
    • View Profile
Re: Puggsy Copy-Protection Disabling Patch + Explanation
« Reply #8 on: September 16, 2017, 02:21:59 pm »
The big list is at https://tcrf.net/Category:Games_with_anti-piracy_methods ; the MMX page links to this discussion, which also mentions Demon's Crest and SSFII. 

I suppose it's uncommon for a game to lack SRAM while simultaneously having developers care enough to put in a copy protection check.
This signature is an illusion and is a trap devised by Satan. Go ahead dauntlessly! Make rapid progres!