Hacking One nop to rule them all...

W

WiiPower

Well-Known Member
OP
Member
Level 3
Joined
Oct 17, 2008
Messages
8,165
Trophies
0
XP
345
Country
Gambia, The
Credit for finding this goes to Oggzee and airline38. Oggzee created lots of test versions of CFG, and airline tried about 20 test versions.

The game We Dare uses some good protection that works against all current loaders. But it is defeated by a single nop...

All loaders that support the "new" Ocarina code handler include the following source code:
Code: 
ÂÂÂÂÂÂÂÂ__asm__(
ÂÂÂÂÂÂÂÂÂÂÂÂ"lis %r3, appentrypoint@h\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"ori %r3, %r3, appentrypoint@l\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"lwz %r3, 0(%r3)\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"mtlr %r3\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"lis %r3, 0x8000\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"ori %r3, %r3, 0x18A8\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"mtctr %r3\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"bctr\n"
ÂÂÂÂÂÂÂÂ);

and adding one nop makes it:
Code: 
ÂÂÂÂÂÂÂÂ__asm__(
ÂÂÂÂÂÂÂÂÂÂÂÂ"lis %r3, appentrypoint@h\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"ori %r3, %r3, appentrypoint@l\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"lwz %r3, 0(%r3)\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"mtlr %r3\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"lis %r3, 0x8000\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"ori %r3, %r3, 0x18A8\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"nop\n"ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ
ÂÂÂÂÂÂÂÂÂÂÂÂ"mtctr %r3\n"
ÂÂÂÂÂÂÂÂÂÂÂÂ"bctr\n"
ÂÂÂÂÂÂÂÂ);

Which is the required change to get the game working. Apparently the game looks for the byte pattern:
3C608000 606318A8 7C6903A6
and it doesn't find it when it looks like this:
3C608000 606318A8 60000000 7C6903A6

It doesn't matter if the code is executed or just part of the code somewhere. The actual pattern might be bigger, but only with the code after it, adding a nop before the code in question still triggers the protection. It's quite a good idea, as it blocks all recent loaders, including Gecko OS, but as it wasn't combined with some other protection, so it was not good enough. A mixed protection would have required to disassemble the game, not just some simple testing.
 
FAST6191

FAST6191

Techromancer
Editorial Team
Level 33
Joined
Nov 21, 2005
Messages
36,798
Trophies
3
XP
28,348
Country
United Kingdom
How amusing, thanks for the news/work all concerned.

I would say I am shocked how simple it was but I guess a 10 minute job worked well enough.
 
W

WiiPower

Well-Known Member
OP
Member
Level 3
Joined
Oct 17, 2008
Messages
8,165
Trophies
0
XP
345
Country
Gambia, The
Can somebody please confirm if the game has a protection against main.dol patches?

Just enable the video mode patching, "All+sneek" or how it is named in CFG should be good enough as test. And one test please with hook set to VI and Ocarina enabled.

Thanks.
 
W

WiiPower

Well-Known Member
OP
Member
Level 3
Joined
Oct 17, 2008
Messages
8,165
Trophies
0
XP
345
Country
Gambia, The
SifJar said:
I'm curious: What made you try this? You say you didn't disassemble it, so did you just make some random guesses and one worked out?
Click to expand...

Like i said, Oggzee did this. Somebody found out that CFGv53 could start the game, and CFGv54 could not. After trying all changes that made sense somehow, he eventually noticed that the asm code block triggered the protecion. I thought it was related to the way the game is booted or having such an asm code block changes some compiler stuff or whatever. But it became clear what was going on after putting the asm code behing the code to jump to the entrypoint.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Emulation  Snes9x unacceptable input latency

Hacking  Bricked Wii Family Edition

Hacking Tutorial Project  Wiiflow lite 5.5.4 , 10 themes in one pack 2024 - with extras

64DD on Wii?

All Channels Discussion

Astebros doesn't work on GenPlusGx

Hacking  Animal Crossing City Folk not working on any USBLoader

Feedback  Hacking The Internet Channel. "Internet Channel Deluxe" ? [WIP]

General chit-chat
Help Users
  • No one is chatting at the moment.
    Psionic Roshambo @ Psionic Roshambo: https://www.youtube.com/watch?v=KYZD7ykz9aQ