Spyro Year Of The Dragon USA's Infamous Anti-Piracy Detection Destroyed In 2023 By GameShark Codes Thanks To MottZilla

alexfree
Verified
Extreme PSXDEV User
Posts: 221
Joined: Oct 21, 2021
I am a: Programmer, Gamer
PlayStation Model: SCPH-1000
Location: USA


Post by alexfree » May 26th, 2023, 4:01 pm

MottZilla (mostly) and I have finally figured out a way to bypass the APv1 (detect non-stealth modchip), APv2 (detect swap trick / no $ unlock), and anti-tamper (kicks you out randomly during the final boss, tells you it's a pirated game, etc. due to a non-complete bypass that only appears to work) in the game Spyro Year Of The Dragon USA Rev 0. Spyro Year Of The Dragon USA Rev 1 will get a code ported soon. For now, here's this first-of-its-kind true Spyro Year Of The Dragon USA Rev 0 bypass in GameShark form:

D007F08C 0001
8007F08C 0000
D007F08C 0002
8007F08C 0000
D007F08C 0003
8007F08C 0000
D007F08C 0004
8007F08C 0000
D007F08C 0005
8007F08C 0000
D007F08C 0006
8007F08C 0000
D007F08C 0007
8007F08C 0000
D007F08C 0008
8007F08C 0000
D007F08C 0009
8007F08C 0000
D007F08C 000A
8007F08C 0000
D007F08C 000B
8007F08C 0000
D007F08C 000C
8007F08C 0000
D007F08C 000D
8007F08C 0000
D007F08C 000E
8007F08C 0000

There are existing GameShark codes that are supposed to bypass this at sites like https://gamehacking.org/game/89897, but they have the same problem that the original Spyro 3 Year Of The Dragon USA Rev 0/Rev 1 patches had: they only disable the first anti-piracy screen. The anti-tamper then kicks in and it will cause all kinds of issues. MottZilla's and my code is the only one to ever defeat both the anti-tamper and anti-piracy.

The game does freeze for about 15 seconds at the point where the anti-piracy screen would usually trigger. But it never does trigger, and the anti-tamper protection is never triggered either. I tested this by playing the final boss, which will always (if anti-tamper is triggered) kick you out shortly after the battle starts and then delete your Spyro Year Of The Dragon progress save file on your memory card. None of that happens with our code.

How it works is, the game checksums the code but not the variables in the anti-piracy routine. We basically just brute-force every step to step 0 when they are run at startup. This disables the code for the rest of the game (along with the anti-tamper).


Post by alexfree » May 27th, 2023, 3:09 pm

USA Rev 1:
D007F23C 0001
8007F23C 0000
D007F23C 0002
8007F23C 0000
D007F23C 0003
8007F23C 0000
D007F23C 0004
8007F23C 0000
D007F23C 0005
8007F23C 0000
D007F23C 0006
8007F23C 0000
D007F23C 0007
8007F23C 0000
D007F23C 0008
8007F23C 0000
D007F23C 0009
8007F23C 0000
D007F23C 000A
8007F23C 0000
D007F23C 000B
8007F23C 0000
D007F23C 000C
8007F23C 0000
D007F23C 000D
8007F23C 0000
D007F23C 000E
8007F23C 0000

R3k
Interested PSXDEV User
Posts: 7
Joined: Jan 02, 2022

Post by R3k » June 15th, 2023, 6:21 am

I am not familiar with the NTSC version, but I think the PDX patch does work the same way. The anti-tamper memory scanning is still enabled, though. While the anti-mod routine is bypassed, any memory modification within specific range would trigger final boss crash.

I am not sure how many times the memory is scanned throughout the game. The game does scan the main memory (0x8002xxxx-0x8005xxxx) and overlay segment (0x8007xxxx) at least twice at startup, just before the anti-piracy check.

Fun fact, the PAL Libcrypt encrypted routine falls outside the range of a memory scan (0x80067xxx). In other words, the anti-piracy protection is completely useless. Nonetheless, the PAL PDX patch is broken, because the anti-AR patch is detected through the checksumming (P/N selector too, if enabled).
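The two observations above, alexfree's "the game checksums the code but not the variables" and R3k's point that a scan with fixed address ranges never looks at anything outside them, describe the same anti-tamper design gap. The following model is an added example written for this thread, not code from the game, from PDX, or from anyone in the thread: a flat RAM model, a CRC32 scan over code ranges (the game's real algorithm is unknown, CRC32 is a stand-in), and a simulated step counter at the Rev 0 address 0x8007F08C that walks from 1 to 0x0E as the thread describes. The scan boundaries, the overlay code/data split at 0x8007A000, the placeholder code contents and the "completion check" at the end are all assumptions chosen to illustrate the point, not the game's layout.

```python
"""
Constructed model of an anti-tamper scan that checksums code ranges but not
the anti-piracy routine's own state.  Added illustration for this thread:
the checksum (CRC32), scan boundaries, code contents and the completion
check are assumptions, not the game's real implementation.
"""
import zlib

RAM_BASE = 0x80000000
RAM_SIZE = 0x80000          # 512 KiB model; holds every address quoted in the thread


class Memory:
    """Flat byte-addressable RAM (constructed for this example)."""

    def __init__(self):
        self.ram = bytearray(RAM_SIZE)

    def _off(self, addr, n=1):
        if not RAM_BASE <= addr <= addr + n <= RAM_BASE + RAM_SIZE:
            raise ValueError(f"{addr:#x} outside modelled RAM")
        return addr - RAM_BASE

    def write(self, addr, data):
        o = self._off(addr, len(data))
        self.ram[o:o + len(data)] = data

    def read(self, addr, n):
        o = self._off(addr, n)
        return bytes(self.ram[o:o + n])

    def read16(self, addr):
        return int.from_bytes(self.read(addr, 2), "little")

    def write16(self, addr, value):
        self.write(addr, value.to_bytes(2, "little"))


# Scan coverage modelled on R3k's description: main code 0x8002xxxx-0x8005xxxx
# plus overlay code.  The overlay code/data boundary (0x8007A000) is an
# assumption chosen so that the step counter lies outside the scanned set.
CODE_SCAN = [(0x80020000, 0x80060000), (0x80070000, 0x8007A000)]
AP_STEP = 0x8007F08C            # Rev 0 step-counter address from the thread's codes
FINAL_STEP = 0x0E               # last value the counter reaches (from the thread)
UNSCANNED_ROUTINE = 0x80067000  # R3k's "0x80067xxx falls outside the scan" example


def covered(addr, ranges):
    """True if addr lies inside any scanned range."""
    return any(lo <= addr < hi for lo, hi in ranges)


def scan_checksum(mem, ranges):
    """CRC32 chained over each range; stand-in for the game's real checksum."""
    crc = 0
    for lo, hi in ranges:
        crc = zlib.crc32(mem.read(lo, hi - lo), crc)
    return crc


def ap_routine(mem, interfere=None):
    """Walk the counter from 1 to FINAL_STEP.  `interfere`, if given, runs after
    each step and models an external write to the counter (as the thread's
    conditional codes do).  Returns the counter value the routine ends with."""
    for step in range(1, FINAL_STEP + 1):
        mem.write16(AP_STEP, step)
        if interfere:
            interfere(mem)
    return mem.read16(AP_STEP)


def force_zero(mem):
    """Models the thread's codes: whenever the counter is nonzero, write 0."""
    if mem.read16(AP_STEP) != 0:
        mem.write16(AP_STEP, 0)


def run_scenarios():
    mem = Memory()
    mem.write(0x80030000, bytes(range(256)) * 16)       # placeholder main code
    mem.write(0x80074000, b"\x3c\x03\xbf\xc8" * 64)     # placeholder overlay code
    baseline = scan_checksum(mem, CODE_SCAN)
    r = {}

    # 1. An instruction patch inside a scanned range changes the checksum
    #    (R3k: "any memory modification within specific range would trigger").
    mem.write(0x80074000, b"\x00\x00\x00\x00")
    r["code_patch_detected"] = scan_checksum(mem, CODE_SCAN) != baseline
    mem.write(0x80074000, b"\x3c\x03\xbf\xc8")           # restore

    # 2. A routine living at 0x80067xxx is simply never scanned.
    r["routine_0x80067xxx_covered"] = covered(UNSCANNED_ROUTINE, CODE_SCAN)

    # 3. Resetting the step counter touches nothing the scan looks at...
    final = ap_routine(mem, interfere=force_zero)
    r["state_change_detected"] = scan_checksum(mem, CODE_SCAN) != baseline
    r["counter_after_interference"] = final

    # 4. ...but a check on the state itself would: the counter never reaches
    #    FINAL_STEP when it is being reset after every step.
    r["completion_check_flags_interference"] = final != FINAL_STEP
    r["completion_check_passes_undisturbed"] = ap_routine(Memory()) == FINAL_STEP
    return r


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The design lesson is scenario 4: a code-only integrity scan cannot see a variable being overwritten, so a routine whose outcome depends on mutable state needs its own invariant (here, "did the counter actually reach the terminal step") checked at a point where that state is expected to be stable. Without such a check, the scan's range list becomes the whole definition of what is protected, which is exactly the gap both posts describe.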


Post by alexfree » June 15th, 2023, 11:37 am

R3k wrote: June 15th, 2023, 6:21 am I am not familiar with the NTSC version, but I think the PDX patch does work the same way. The anti-tamper memory scanning is still enabled, though. While the anti-mod routine is bypassed, any memory modification within specific range would trigger final boss crash.

I am not sure how many times the memory is scanned throughout the game. The game does scan the main memory (0x8002xxxx-0x8005xxxx) and overlay segment (0x8007xxxx) at least twice at the startup. Just right before anti-piracy check.

Fun fact, the PAL Libcrypt encrypted routine falls outside the range of a memory scan (0x80067xxx). In other words, the anti-piracy protection is completely useless. Nonetheless, the PAL PDX patch is broken, because the anti-AR patch is detected through the checksumming (P/N selector too, if enabled).
While I assume the PDX patch has the same limitation as these codes, these codes have one incredible advantage.

You can use Tonyhax International with a Japanese console and a real copy of Spyro YOTD Rev 0 or Rev 1, the real disc is live-patched. The PDX patch requires using a burned CD-R modified in a specific way.

I have heard the PAL PDX patch doesn't work. If there is an AP screen in the PAL version I can make codes to bypass it the same way as I am the other versions... Then you'd just need to burn the copy with CloneCD to defeat libcrypt.


Post by R3k » June 16th, 2023, 7:00 am

There is no freeze with the PDX USA patch, though. I am looking into the old memory dump I found today. Here is a code snippet from the hook:

8000f0c4 li t0,0x8007af6e
8000f0cc lw t1,0xff6a(t0) // 0x8007aed8 subroutine for regional check of anti-mod routine
8000f0d4 li t2,0x3c03bfc8
8000f0dc bne t1,t2 // check if the overlay code with anti-mod is there
8000f0e4 li t0,0x8007f08c
8000f0ec li t1,0x2
8000f0f0 sb t1,(t0) // write 0x2 at 0x8007f08c

Regarding the PAL copy, I have already patched all copy protection checks with a stealth hook. But I am interested in disabling the crack protection completely. On the other hand, I am very lazy to play the game on the PC once again. I could disable all anti-tamper scans on the title screen. The question is, does the game scan memory throughout the playthrough? Since the game does use overlays (kind of Insomniac's fetish, PS2 R&C games are no different), it would be a tedious task for such an old game to find every single check.


Post by alexfree » June 17th, 2023, 2:17 am

R3k wrote: June 16th, 2023, 7:00 am There is no freeze with the PDX USA patch, though. I am looking into the old memory dump I found today. Here is a code snippet from the hook:

8000f0c4 li t0,0x8007af6e
8000f0cc lw t1,0xff6a(t0) // 0x8007aed8 subroutine for regional check of anti-mod routine
8000f0d4 li t2,0x3c03bfc8
8000f0dc bne t1,t2 // check if the overlay code with anti-mod is there
8000f0e4 li t0,0x8007f08c
8000f0ec li t1,0x2
8000f0f0 sb t1,(t0) // write 0x2 at 0x8007f08c

Regarding the PAL copy, I have already patched all copy protection checks with a stealth hook. But I am interested in disabling the crack protection completely. On the other hand, I am very lazy to play the game on the PC once again. I could disable all anti-tamper scans on the title screen. The question is, does the game scan memory throughout the playthrough? Since the game does use overlays (kind of Insomniac's fetish, PS2 R&C games are no different), it would be a tedious task for such an old game to find every single check.
That's interesting, it does work similarly. Basically MottZilla told me about the address and we tried something like "when this is 1 write 0" and it wouldn't work via GameShark codes. Then I looked in the no$psx emu and saw that the value would go from 1 to 0E in a second or two at startup; it is indeed the 'steps' in the AP code. So I tried just writing 0 at every step every time it counted up, and that ended up working (which is why it has the freeze for like 15 seconds too; I honestly am amazed this all doesn't completely lock up the game).

I might have been writing not so clearly before. This doesn't defeat anti-tamper/anti-crack; it by itself just doesn't trigger it. Literally any other GameShark code is pretty much going to trip anti-tamper/anti-crack, but this one is written in such a way that it won't. To really break anti-tamper/anti-crack would probably take decompiling the entire game.

At least for USA versions, the game is constantly scanning/checksumming memory regions of the game. If at any time it isn't correct then it silently trips anti-tamper. I think the Europe version is the same, but also it uses LibCrypt?

The foolproof thing to test the USA bypass is to download a save from the internet with a completed game, and go to the final boss and 'replay' it. If the anti-tamper is triggered by the bypass, it will kick you out of the boss battle after about a minute, warp you to level one, and remove all the stats from the save game file. That's the fastest way to test any bypass at least for the USA versions, and that's what we did.

MottZilla
Verified
Serious PSXDEV User
Posts: 88
Joined: Jul 04, 2015
Location: North America

Post by MottZilla » July 6th, 2023, 6:01 pm

I have a Protection Fix for Spyro YotD USA Rev0 and Rev1 on my webpage. It doesn't modify the executable at all. My loader runs which then loads the game. When the anti-piracy routine is about to run it skips past it. It uses COP0 functionality so the executable will pass all checksum anti-tamper tests.

If I remember alexfree tested it on hardware and it worked perfectly. No trouble beating the final boss.

wafflewizard1
What is PSXDEV?
Posts: 1
Joined: Jan 12, 2023
PlayStation Model: SCPH-9002
Discord: waffle#2140
Location: NZ

Post by wafflewizard1 » October 3rd, 2023, 9:45 pm

Whereabouts can I find the protection fix? I tried looking everywhere haha


Post by alexfree » October 28th, 2023, 6:08 am

wafflewizard1 wrote: October 3rd, 2023, 9:45 pm Whereabouts can I find the protection fix? I tried looking everywhere haha
Tonyhax International automatically applies the gameshark codes/bypass.

MottZilla's Patch (needed if not using Tonyhax International) is at https://thegaminguniverse.org/ninjagaid ... o3u_mz.zip
