Hacking PS1/2 Homebrew app APrip - Patch Out Additional Anti-Piracy Copy Protection Found In Some Later PSX Games

[alexfree]

https://alex-free.github.io/aprip/
APrip is a portable open source tool capable of bypassing/patching-out the ‘standardized’ additional anti-piracy copy protection found in some later PSX games. APrip can:

• Patch The CD Image of a game to remove the additional anti-piracy copy protection.
• Generate valid GameShark code(s) to remove the additional anti-piracy copy protection.
• Convert an existing GameShark code which bypasses or removes the additional anti-piracy copy protection for one version of a game to a different version (i.e. converts a Rev 0 code to a Rev 1 or Demo version compatible code, or for a different regional release of the same game entirely).

 

[SylverReZ]

That's really cool. Loving your projects so far!

Post automatically merged: Nov 5, 2022

Right now I'm thoroughly testing out every known game with AP measures, I'll report back with the results later.

 

[alexfree]

That's really cool. Loving your projects so far!

Post automatically merged: Nov 5, 2022

Right now I'm thoroughly testing out every known game with AP measures, I'll report back with the results later.

Post automatically merged: Nov 5, 2022

Note: If your game isn't listed here and that it doesn't work with the patcher, either report an issue to the developer (that being "alexfree") on the APrip GitHub issues page, generate and use GameShark AP codes from a DuckStation RAM dump, or apply an already existing crack.

Here is a list of known tested games with anti-piracy measures that does and doesn't work with binary patching so far as of writing, this is still a work-in-progress:
(updated: 05th November 2022)

Redump AP games list (some may be incorrectly listed): http://redump.org/discs/antimodchip/1/

Emulator used to check AP (anti-piracy) measures: pSX v1.13 with SCPH-1001 BIOS.

Working:

Spoiler: Japan

- Pocket MuuMuu (Japan) | Reason: Works perfectly.
- PoPoRoGue (Japan) (Rev 0, Rev 1) | Reason: Works perfectly.
- Saru! Get You! (Japan) (Rev 0, Rev 1) | Reason: Works perfectly.

Spoiler: USA

- Ape Escape (USA) (Original, Demo) | Reason: Works perfectly.

Not Working:

Spoiler: Japan

- Alundra 2: Mashinka no Nazo (Japan) (Original) | Reason: Freezes on a black screen after logos.
- Biohazard 3: Last Escape (Japan) (Rev 0, Rev 1, Taikenban) | Reason: Freezes on game disclaimer instead of the usual AP message.
- Animetic Story Game 1: Card Captor Sakura (Japan) | Reason: Locks up at a black screen.
- Crash Bandicoot Carnival (Japan) | Reason: Softlocks at SCEI presents screen instead of the usual AP message.
- Crash Bandicoot Racing (Japan) | Reason: Either freezes after the introduction sequence or displays the AP message.
- Dance Dance Revolution (Japan) | Reason: Locks up at disclaimer.
- Dance Dance Revolution: Best Hits (Japan) | Reason: Locks up after disclaimer and logos.
- Dance Dance Revolution: Disney's Rave (Japan) | Reason: Locks up at disclaimer.
- Dance Dance Revolution: Extra Mix (Japan) | Reason: Locks up after disclaimer and logos.
- Dino Crisis (Japan) | Reason: Freezes on game disclaimer instead of the usual AP message.
- Doko Demo Issho (Japan) (Rev 0, Rev 1, Calpis Water) | Reason: Locks up at AP message.
- Glint Glitters (Japan)
- Hyper Value 2800: Hanafuda (Japan)
- i-mode Mo Issho - Doko Demo Issho Tsuika Disc (Japan) | Reason: Locks up at AP message.
- Pocket Jiman (Japan) | Reason: Locks up at a black screen.
- Pop'n Music 2 (Japan) | Reason: Locks up at a black screen.
- Pop'n Music 5 (Japan) | Reason: Locks up at the loading screen.
- Pop'n Music 6 (Japan) | Reason: Locks up at the loading screen.
- Shiritsu Justice Gakuen: Nekketsu Seishun Nikki 2 (Japan) | Reason: Displays AP screen when starting a new game.
- TokiMeki Memorial II (Japan) (Rev 0, Rev 1)

Spoiler: USA

- Crash Bash (USA) | Reason: Softlocks on SCEA presents screen instead of the usual AP message.

On real hardware almost all of those games work. The emulator your using doesn't seem like it can handle my APv2 patch which does work.

If you see the text 'got APv1 table match' or 'got APv2 table match' while bin patching its gaurenteed to work. At least it hasn't failed in the many games so far if it does display that text

You can actually test the patch using duckstation if you want. If you use the ap-type-checker script you can see if it sends the test commands and or the readtoc command. As long as the patched version is sending 0 test commands and 0 readtoc commands the patch worked.

 

[SylverReZ]

On real hardware almost all of those games work. The emulator your using doesn't seem like it can handle my APv2 patch which does work.

If you see the text 'got APv1 table match' or 'got APv2 table match' while bin patching its gaurenteed to work. At least it hasn't failed in the many games so far if it does display that text

You can actually test the patch using duckstation if you want. If you use the ap-type-checker script you can see if it sends the test commands and or the readtoc command. As long as the patched version is sending 0 test commands and 0 readtoc commands the patch worked.

Thanks for the heads up. I'll make sure to re-test everything and update my previous post.

 

[alexfree]

Thanks for the heads up. I'll make sure to re-test everything and update my previous post.

From looking at your list, every game that is locking up and not showing the anti-piracy screen actually works on real hardware IIRC but please do test again if you are able to.

I wanted to include a compatibility list but didn't have time before the initial release. In a future update I'd include such a list.

 

[SylverReZ]

From looking at your list, every game that is locking up and not showing the anti-piracy screen actually works on real hardware IIRC but please do test again if you are able to.

I wanted to include a compatibility list but didn't have time before the initial release. In a future update I'd include such a list.

Okay, will do. I'm thinking of moving the list to a seperate thread so that I don't bloat up this thread.

 

[alexfree]

@SylverReZ i think there may not need to be a compatibility list after all. I’m going through the games that I thought didn’t work with aprip and it seems they all actually work if you get the memory dump early enough. So besides Spyro year of the dragon (which we now have custom codes for) every apv2 game is by passable with at least GameShark codes that is. I’m going to maybe go through every single known game again to make sure but the readtoc method seems rock solid for every game maybe.

 

[alexfree]

Confirmed... @SylverReZ I'm messing around with this again and the apv2 code seems to just be obfuscated in the ISO/BIN file but not in run time memory.... this is huge. This means aprip gs codes probably work for every apv2 game!

(whispers about libcrypt support)

Post automatically merged: Jun 19, 2023

Just a fun little screenshot of (some of, not all of) the ram dumps used to add apv2 support to Tonyhax International

 

[SylverReZ]

Confirmed... @SylverReZ I'm messing around with this again and the apv2 code seems to just be obfuscated in the ISO/BIN file but not in run time memory.... this is huge. This means aprip gs codes probably work for every apv2 game!

(whispers about libcrypt support)

Post automatically merged: Jun 19, 2023

Just a fun little screenshot of (some of, not all of) the ram dumps used to add apv2 support to Tonyhax International

Huh, interesting. Maybe I can delve into this a little bit. What needs working on, let me know.

 

[alexfree]

Huh, interesting. Maybe I can delve into this a little bit. What needs working on, let me know.

Adding all the magic keys to the patcher and the boot files basically. I still need to finish though but I’ll probably push an update to a prop with this support for a few titles at first.

 

[SylverReZ]

Adding all the magic keys to the patcher and the boot files basically. I still need to finish though but I’ll probably push an update to a prop with this support for a few titles at first.

Magic keys? What's that?

 

[alexfree]

Magic keys? What's that?

I meant magic words:
https://www.psdevwiki.com/ps3/PS1_Custom_Patches
each game has it's own magic word, in the link above it has many already figured out

The patcher seems to work. I tested it with Dino Crisis Europe. The usage is

./aprip -b <magic word here> <track 01 .bin here>

So like I did

./aprip -b 6C3A '/home/alex/Downloads/Dino Crisis (Europe)/Dino Crisis (Europe) (Track 1).bin'

 

[SylverReZ]

I meant magic words:
https://www.psdevwiki.com/ps3/PS1_Custom_Patches
each game has it's own magic word, in the link above it has many already figured out

The patcher seems to work. I tested it with Dino Crisis Europe. The usage is

./aprip -b <magic word here> <track 01 .bin here>

So like I did

./aprip -b 6C3A '/home/alex/Downloads/Dino Crisis (Europe)/Dino Crisis (Europe) (Track 1).bin'

Oh nice. Now it will be easier to patch LibCrypt games and make codes too.

 

[alexfree]

Version 1.0.3 (6/22/2023)​

• aprip-1.0.3-windows-x86 For Windows 95 OSR 2.5 Or Newer (32-bit Windows)
• aprip-1.0.3-windows-x86_64 For 64-bit Windows
• aprip-1.0.3-linux-x86 For x86 Linux Distros
• aprip-1.0.3-linux-x86_64 For x86_64 Linux Distros
• aprip-1.0.3-source

Changes:

• Added support for LibCrypt 2 CD image patching.
• Substantial documentation rewrite.

 

[SylverReZ]

Version 1.0.3 (6/22/2023)​

• aprip-1.0.3-windows-x86 For Windows 95 OSR 2.5 Or Newer (32-bit Windows)
• aprip-1.0.3-windows-x86_64 For 64-bit Windows
• aprip-1.0.3-linux-x86 For x86 Linux Distros
• aprip-1.0.3-linux-x86_64 For x86_64 Linux Distros
• aprip-1.0.3-source

Changes:

• Added support for LibCrypt 2 CD image patching.
• Substantial documentation rewrite.

Nice job, we've been wanting LibCrypt support for a while. Is it possible to do the later revisions of LC too?

 

[alexfree]

Nice job, we've been wanting LibCrypt support for a while. Is it possible to do the later revisions of LC too?

I think it will be pretty difficult since it’s encrypted. LC3/LC4 make up I think 19 games. LC1 will be easy since it’s only one game and like LC2 it’s not encrypted.

 

[SylverReZ]

I think it will be pretty difficult since it’s encrypted. LC3/LC4 make up I think 19 games. LC1 will be easy since it’s only one game and like LC2 it’s not encrypted.

It might work, all that is needed is to store the magic key at startup when the game is inserted. Add a few anti-piracy fixes here and there too.

 

[alexfree]

It might work, all that is needed is to store the magic key at startup when the game is inserted. Add a few anti-piracy fixes here and there too.

The LC3/LC4 functions are encrypted and unlike LC2 or LC1 there isn’t a general patching method AFAIK.

LC4 is one game and there actually is good docs on it so I can probably do it eventually. I can’t find anything on LC3 yet.

 

[alexfree]

I thought it would suck to test a libcrypt v1 patch because the only game which contains libcrypt v1 is MediEvil, and it triggers this screen when you start the 4th level.

However, it turns out there is a debug menu that has built in cheats, like 'complete level'. Literally you can just enable that via button presses in the pause menu: https://tcrf.net/MediEvil

To do: Document this in more detail.

There is a master cheat code which, when entered, enables new options in the pause menu. These options give you access to a variety of things such as Level Select, Sound Test, individual cheats (money, weapons, energy, etc.), and more. Enter the button combination for the appropriate region to access it. The sound of a groan will confirm activation.

• US: Pause the game, hold L2 and press Square, Triangle, Circle, Up, Triangle, Triangle, Right, Circle, Left, Left, Square, Triangle, Right, Circle, Left, Left, Square, Triangle, Circle, Down, Circle, Circle, Right (STOUT TROLL STROLLS TO DOOR).
• Europe: Pause the game, hold L2 and press Triangle, Circle, Triangle, Circle, Circle, Triangle, Left, Circle, Up, Down, Right, Circle, Left, Left, Triangle, Right, Circle, Left, Left, Triangle, Circle, Down, Circle, Circle, Right (TOTOOT LOUD ROLL TROLL TO DOOR).
• Japan: Pause the game, hold L2 and enter Square, Triangle, Circle, Up, Triangle, Left, Circle, Up, Down, Left, Circle, Right, Down, Square, Left, Circle, Square, Triangle, Left, Circle, Circle, Triangle (STOUT LOUD LORDS LOST LOOT). Note: This version is more like a normal cheat menu. As such, it does not include Restart, Camera, individual Inventory toggle, Just Dan, Go To Level, and the Sound and Speech of the Sound Test. The Super Cheat still grants all items and unlocks all levels.

Once enabled it stays enabled too. So I can just start MediEvil Europe, enable the debug menu via secret pause menu button combo, and skip to the next level. Then enter the second level, pause, skip to level 3, and so on until level 4 when the protection actually kicks in.

Post automatically merged: Jun 27, 2023

Version 1.0.4 (6/26/2023)​

• aprip-1.0.4-windows-x86 For Windows 95 OSR 2.5 Or Newer (32-bit Windows)
• aprip-1.0.4-windows-x86_64 For 64-bit Windows
• aprip-1.0.4-linux-x86 For x86 Linux Distros
• aprip-1.0.4-linux-x86_64 For x86_64 Linux Distros
• aprip-1.0.4-source

Post automatically merged: Jun 27, 2023

 

[alexfree]

Fun fact, I reverse engineered how the TRSIMEDI patch by ICEPICK works to include LibCrypt v1 patch support https://github.com/alex-free/aprip/blob/master/icepick-patch-re.txt and made it an aprip style function. This is pretty cool because you have to have DOS (I used DosBox) to even run TRSIMEDI patcher. Then you need to rename the track 01 bin file of Medievil to MEDIEVIL.BIN and mount the directory as a drive. Insane.
https://consolecopyworld.com/psx/psx_medievil.shtml

Now with aprip you can use modern windows (or windows 95), and any x86 or x86_64 Linux computer. Just drag the track 01 bin too (no need to rename, what is this 1998 )

Source is also available as always under the 3-BSD license. No dependencies, straight C.