Credit for finding this goes to Oggzee and airline38. Oggzee created lots of test versions of CFG, and airline tried about 20 test versions.
The game We Dare uses some good protection that works against all current loaders. But it is defeated by a single nop...
All loaders that support the "new" Ocarina code handler include the following source code:
Code:
        /* Jump to the Ocarina code handler at 0x800018A8 with LR set to the app entry point */
        __asm__(
            "lis %r3, appentrypoint@h\n"
            "ori %r3, %r3, appentrypoint@l\n"
            "lwz %r3, 0(%r3)\n"
            "mtlr %r3\n"
            "lis %r3, 0x8000\n"
            "ori %r3, %r3, 0x18A8\n"
            "mtctr %r3\n"
            "bctr\n"
        );
and adding one nop makes it:
Code:
        __asm__(
            "lis %r3, appentrypoint@h\n"
            "ori %r3, %r3, appentrypoint@l\n"
            "lwz %r3, 0(%r3)\n"
            "mtlr %r3\n"
            "lis %r3, 0x8000\n"
            "ori %r3, %r3, 0x18A8\n"
            "nop\n"                 /* 60000000: breaks the byte pattern the game searches for */
            "mtctr %r3\n"
            "bctr\n"
        );
That is the required change to get the game working. Apparently the game looks for the byte pattern:
3C608000 606318A8 7C6903A6
and it doesn't find it when it looks like this:
3C608000 606318A8 60000000 7C6903A6
It doesn't matter whether the code is executed or just sits somewhere in memory. The actual pattern might be longer, but only by including code after this sequence: adding a nop before the code in question still triggers the protection. It's quite a good idea, as it blocks all recent loaders, including Gecko OS, but since it wasn't combined with some other protection, it was not good enough. A mixed protection would have required disassembling the game, not just some simple testing.
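As an added illustration (not code from the original post or from any loader), the following C encodes the three PowerPC instructions, scans a constructed memory image for the 12-byte pattern the way the check appears to work, and shows that the nop-inserted variant no longer matches. The byte-by-byte scan and the offset of the stub in the image are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal encoders for the three instructions in the handler stub. */
static uint32_t ppc_addis(unsigned rt, unsigned ra, uint16_t imm) /* lis rt,imm = addis rt,0,imm */
{ return (15u << 26) | (rt << 21) | (ra << 16) | imm; }
static uint32_t ppc_ori(unsigned ra, unsigned rs, uint16_t imm)   /* nop = ori r0,r0,0 */
{ return (24u << 26) | (rs << 21) | (ra << 16) | imm; }
static uint32_t ppc_mtctr(unsigned rs)                            /* mtspr 9 (CTR), rs */
{ return (31u << 26) | (rs << 21) | ((9u & 0x1f) << 16) | ((9u >> 5) << 11) | (467u << 1); }
static void put_be32(uint8_t *p, uint32_t w)                      /* Wii memory is big-endian */
{ p[0] = w >> 24; p[1] = w >> 16; p[2] = w >> 8; p[3] = w; }

/* The 12-byte sequence the post reports the game searching for:
 * 3C608000 606318A8 7C6903A6 (lis r3,0x8000; ori r3,r3,0x18A8; mtctr r3). */
static void handler_signature(uint8_t out[12]) {
    put_be32(out,     ppc_addis(3, 0, 0x8000));
    put_be32(out + 4, ppc_ori(3, 3, 0x18A8));
    put_be32(out + 8, ppc_mtctr(3));
}

/* Byte offset of the signature in mem, or -1. Every byte offset is tried
 * (assumption: the real check may only look at word-aligned addresses). */
static long find_signature(const uint8_t *mem, size_t len) {
    uint8_t sig[12];
    handler_signature(sig);
    for (size_t i = 0; i + sizeof sig <= len; i++)
        if (memcmp(mem + i, sig, sizeof sig) == 0) return (long)i;
    return -1;
}

/* Constructed memory image: the stub at offset 8 of a zeroed buffer, either
 * as in the original loader or with the nop (60000000) inserted before mtctr. */
static long scan_constructed_image(int with_nop) {
    uint8_t mem[32] = {0};
    size_t n = 8;
    put_be32(mem + n, ppc_addis(3, 0, 0x8000)); n += 4;
    put_be32(mem + n, ppc_ori(3, 3, 0x18A8));   n += 4;
    if (with_nop) { put_be32(mem + n, ppc_ori(0, 0, 0)); n += 4; }
    put_be32(mem + n, ppc_mtctr(3));            n += 4;
    return find_signature(mem, n);
}

int main(void) {
    printf("original stub: signature at offset %ld\n", scan_constructed_image(0)); /* 8  */
    printf("with nop:      signature at offset %ld\n", scan_constructed_image(1)); /* -1 */
    return 0;
}
```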