Spyro Year Of The Dragon USA's Infamous Anti-Piracy Detection Destroyed In 2023 By GameShark Codes Thanks To MottZilla

Posted: May 26th, 2023, 4:01 pm
by alexfree
MottZilla (mostly) and I have finally figured out a way to bypass the APv1 (detect non-stealth modchip), APv2 (detect swap trick/ no $ unlock), and anti-tamper (kicks you out randomly during final boss, tells you it's a pirated game, etc. due to non-complete bypass that only appears to work) in the game Spyro Year Of The Dragon USA Rev 0. Spyro Year Of The Dragon USA Rev 1 will get a code ported soon. For now, here's this first of its kind true Spyro Year Of The Dragon USA Rev 0 bypass in GameShark form:

D007F08C 0001
8007F08C 0000
D007F08C 0002
8007F08C 0000
D007F08C 0003
8007F08C 0000
D007F08C 0004
8007F08C 0000
D007F08C 0005
8007F08C 0000
D007F08C 0006
8007F08C 0000
D007F08C 0007
8007F08C 0000
D007F08C 0008
8007F08C 0000
D007F08C 0009
8007F08C 0000
D007F08C 000A
8007F08C 0000
D007F08C 000B
8007F08C 0000
D007F08C 000C
8007F08C 0000
D007F08C 000D
8007F08C 0000
D007F08C 000E
8007F08C 0000

There are existing GameShark codes that are supposed to bypass this at sites like: https://gamehacking.org/game/89897 but they have the same problem that the original Spyro 3 Year Of The Dragon USA Rev 0/Rev 1 patches had: they only disable the first anti-piracy screen. The anti-tamper then kicks in and it will cause all kinds of issues. MottZilla's and my code is the only one to ever defeat both the anti-tamper and anti-piracy.

The game does freeze for about 15 seconds at the point where the anti-piracy screen would usually trigger. But it never does trigger and anti-tamper protection is never triggered either. I tested this by playing the final boss which will always (if anti-tamper is triggered) kick you out shortly after the battle starts, and then delete your Spyro Year Of The Dragon progress save file on your memory card. None of that happens with our code.

How it works is, the game checksums the code but not the variables in the anti-piracy routine. We basically just bruteforce every step to step 0 when they are run at startup. This disables the code for the rest of the game (along with the anti-tamper).
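
The gap described in the post above, as an added toy model (not part of the original post and not the game's code): the posted D0/80 pairs are replayed against a simulated step counter to show that a checksum over code alone never notices the change, while a complemented shadow copy of the state does. The shadow address, the code range and its contents are constructed for illustration; D0 is treated as a 16-bit equality condition on the next code and 80 as a 16-bit write.

```python
import zlib

STEP = 0x8007F08C    # state variable targeted by the posted Rev 0 codes
SHADOW = 0x80010000  # hypothetical address holding a complemented copy (assumption)
CODE_RANGE = range(0x80020000, 0x80020040, 2)  # constructed stand-in for scanned code

def posted_codes():
    """Rebuild the Rev 0 list from the post: 14 condition/write pairs."""
    return [line for v in range(1, 0xF)
            for line in (f"D007F08C {v:04X}", "8007F08C 0000")]

def parse(line):
    """Split 'TTAAAAAA VVVV' into (type, RAM address, 16-bit value)."""
    word, value = line.split()
    return word[:2], 0x80000000 | int(word[2:], 16), int(value, 16)

def run_cheats(ram, lines):
    """D0: run the next code only if the halfword equals VVVV. 80: write a halfword."""
    armed = True
    for kind, addr, value in map(parse, lines):
        if kind == "D0":
            armed = ram.get(addr, 0) == value
        elif kind == "80":
            if armed:
                ram[addr] = value
            armed = True

def code_checksum(ram):
    """CRC over the code range only; mutable state lies outside it."""
    return zlib.crc32(b"".join(ram[a].to_bytes(2, "little") for a in CODE_RANGE))

def simulate(hardened):
    """Step the counter 1..0xE with the codes applied after every update.
    Returns (code checksum still matches, final step, tamper detections)."""
    ram = {a: (a * 31) & 0xFFFF for a in CODE_RANGE}  # constructed code words
    baseline, detected = code_checksum(ram), 0
    for step in range(1, 0xF):
        ram[STEP] = step
        ram[SHADOW] = step ^ 0xFFFF      # defender keeps a complemented copy
        run_cheats(ram, posted_codes())
        if hardened and ram[STEP] ^ ram[SHADOW] != 0xFFFF:
            detected += 1                # state and its mirror disagree
    return code_checksum(ram) == baseline, ram[STEP], detected

if __name__ == "__main__":
    print(simulate(hardened=False))  # checksum passes, nothing noticed
    print(simulate(hardened=True))   # checksum passes, mirror check fires
```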

Posted: May 27th, 2023, 3:09 pm
by alexfree
USA Rev 1:
D007F23C 0001
8007F23C 0000
D007F23C 0002
8007F23C 0000
D007F23C 0003
8007F23C 0000
D007F23C 0004
8007F23C 0000
D007F23C 0005
8007F23C 0000
D007F23C 0006
8007F23C 0000
D007F23C 0007
8007F23C 0000
D007F23C 0008
8007F23C 0000
D007F23C 0009
8007F23C 0000
D007F23C 000A
8007F23C 0000
D007F23C 000B
8007F23C 0000
D007F23C 000C
8007F23C 0000
D007F23C 000D
8007F23C 0000
D007F23C 000E
8007F23C 0000

Posted: June 15th, 2023, 6:21 am
by R3k
I am not familiar with the NTSC version, but I think the PDX patch does work the same way. The anti-tamper memory scanning is still enabled, though. While the anti-mod routine is bypassed, any memory modification within a specific range would trigger the final boss crash.

I am not sure how many times the memory is scanned throughout the game. The game does scan the main memory (0x8002xxxx-0x8005xxxx) and overlay segment (0x8007xxxx) at least twice at startup, right before the anti-piracy check.

Fun fact, the PAL Libcrypt encrypted routine falls outside the range of a memory scan (0x80067xxx). In other words, the anti-piracy protection is completely useless. Nonetheless, the PAL PDX patch is broken, because the anti-AR patch is detected through the checksumming (P/N selector too, if enabled).

Posted: June 15th, 2023, 11:37 am
by alexfree
R3k wrote: June 15th, 2023, 6:21 am
> I am not familiar with the NTSC version, but I think the PDX patch does work the same way. The anti-tamper memory scanning is still enabled, though. While the anti-mod routine is bypassed, any memory modification within a specific range would trigger the final boss crash.
>
> I am not sure how many times the memory is scanned throughout the game. The game does scan the main memory (0x8002xxxx-0x8005xxxx) and overlay segment (0x8007xxxx) at least twice at startup, right before the anti-piracy check.
>
> Fun fact, the PAL Libcrypt encrypted routine falls outside the range of a memory scan (0x80067xxx). In other words, the anti-piracy protection is completely useless. Nonetheless, the PAL PDX patch is broken, because the anti-AR patch is detected through the checksumming (P/N selector too, if enabled).

While I assume the PDX patch has the same limitation as these codes, these codes have one incredible advantage.

You can use Tonyhax International with a Japanese console and a real copy of Spyro YOTD Rev 0 or Rev 1; the real disc is live-patched. The PDX patch requires using a burned CD-R modified in a specific way.

I have heard the PAL PDX patch doesn't work. If there is an AP screen in the PAL version I can make codes to bypass it the same way as I am for the other versions... Then you'd just need to burn the copy with CloneCD to defeat libcrypt.

Posted: June 16th, 2023, 7:00 am
by R3k
There is no freeze with the PDX USA patch, though. I am looking into the old memory dump I found today. Here is a code snippet from the hook:

Code:

8000f0c4 li t0,0x8007af6e
8000f0cc lw t1,0xff6a(t0) // 0x8007aed8 subroutine for regional check of anti-mod routine
8000f0d4 li t2,0x3c03bfc8
8000f0dc bne t1,t2 // check if the overlay code with anti-mod is there
8000f0e4 li t0,0x8007f08c
8000f0ec li t1,0x2
8000f0f0 sb t1,(t0) // write 0x2 at 0x8007f08c

Regarding the PAL copy, I have already patched all copy protection checks with a stealth hook. But I am interested in disabling the crack protection completely. On the other hand, I am too lazy to play the game on the PC once again. I could disable all anti-tamper scans on the title screen. The question is, does the game scan memory throughout the playthrough? Since the game does use overlays (kind of Insomniac's fetish, PS2 R&C games are no different), it would be a tedious task for such an old game to find every single check.

Posted: June 17th, 2023, 2:17 am
by alexfree
R3k wrote: June 16th, 2023, 7:00 am
> There is no freeze with the PDX USA patch, though. I am looking into the old memory dump I found today. Here is a code snippet from the hook:
>
> Code:
>
> 8000f0c4 li t0,0x8007af6e
> 8000f0cc lw t1,0xff6a(t0) // 0x8007aed8 subroutine for regional check of anti-mod routine
> 8000f0d4 li t2,0x3c03bfc8
> 8000f0dc bne t1,t2 // check if the overlay code with anti-mod is there
> 8000f0e4 li t0,0x8007f08c
> 8000f0ec li t1,0x2
> 8000f0f0 sb t1,(t0) // write 0x2 at 0x8007f08c
>
> Regarding the PAL copy, I have already patched all copy protection checks with a stealth hook. But I am interested in disabling the crack protection completely. On the other hand, I am too lazy to play the game on the PC once again. I could disable all anti-tamper scans on the title screen. The question is, does the game scan memory throughout the playthrough? Since the game does use overlays (kind of Insomniac's fetish, PS2 R&C games are no different), it would be a tedious task for such an old game to find every single check.

That's interesting, it does work similarly. Basically MottZilla told me about the address and we tried something like "when this is 1, write 0" and it wouldn't work via GameShark codes. Then I looked in no $ psx emu and saw that the value would go from 1 to 0E in a second or two at startup; it is indeed the 'steps' in the AP code. So I tried just writing 0 at every step every time it counted up and that ended up working (which is why it has the freeze for like 15 seconds too; I honestly am amazed this all doesn't completely lock up the game).

I might have been writing not so clearly before. This doesn't defeat anti-tamper/anti-crack, it by itself just doesn't trigger it. Literally any other GameShark code is pretty much going to trip anti-tamper/anti-crack but this one is written in such a way where it won't. To really break anti-tamper/anti-crack would probably take decompiling the entire game.

At least for USA versions, the game is constantly scanning/checksumming memory regions of the game. If at any time it isn't correct then it silently trips anti-tamper. I think the Europe version is the same, but also it uses LibCrypt?

The foolproof thing to test the USA bypass is to download a save from the internet with a completed game, and go to the final boss and 'replay' it. If the anti-tamper is triggered by the bypass, it will kick you out of the boss battle after about a minute, warp you to level one, and remove all the stats from the save game file. That's the fastest way to test any bypass at least for the USA versions, and that's what we did.

Posted: July 6th, 2023, 6:01 pm
by MottZilla
I have a Protection Fix for Spyro YotD USA Rev0 and Rev1 on my webpage. It doesn't modify the executable at all. My loader runs which then loads the game. When the anti-piracy routine is about to run it skips past it. It uses COP0 functionality so the executable will pass all checksum anti-tamper tests.

If I remember alexfree tested it on hardware and it worked perfectly. No trouble beating the final boss.

Posted: October 3rd, 2023, 9:45 pm
by wafflewizard1
Whereabouts can I find the protection fix? I tried looking everywhere haha

Posted: October 28th, 2023, 6:08 am
by alexfree
wafflewizard1 wrote: October 3rd, 2023, 9:45 pm
> Whereabouts can I find the protection fix? I tried looking everywhere haha

Tonyhax International automatically applies the GameShark codes/bypass.

MottZilla's Patch (needed if not using Tonyhax International) is at https://thegaminguniverse.org/ninjagaid ... o3u_mz.zip