
Clever Anti Piracy on the Super Nintendo | MVG

February 28, 2020


Cartridge-based lockout chips. We first saw Nintendo use these all the way back in 1984. Known as the 10NES, we covered this chip and its history in a previous episode. To summarize, a simple lock-and-key scheme was used to keep unlicensed bootleg games off the system: two identical chips, one installed inside the console and the other in the cartridge, were used to lock out any unlicensed or out-of-region games. It was possible to disable and circumvent this chip simply by cutting a pin on the chip, but the code inside the chip remained intact, the method wasn't foolproof, and of course it voided your warranty. In fact, it took over 20 years for the 10NES to be cracked, and it took even longer on the Super NES.

Nintendo used almost the same 10NES chip on the Super NES. I say almost because, although it was a variant of the same chip, it wasn't identical: it ran a different set of code. This meant that the reverse-engineering effort on the NES would not help. Just like on the NES, the Super NES had its own variant of the 10NES lockout chip, known as the CIC, with a different instruction set and a different set of code. On the Super NES the chip was mainly used for region locking of games.
But this only represented the first line of anti-piracy on the Super Nintendo; as we'll see, more sophisticated anti-piracy techniques needed to be developed. During the heyday of the 16-bit Super NES and Sega Genesis, disk copiers started to become very popular. A disk copier is essentially a device that plugs into the cartridge port and has its own firmware. It also includes a built-in floppy drive, the same kind you would find on a PC, which allows you to simply insert an original cartridge and dump its contents to disk. It also lets you play games directly from disk, completely bypassing the need for the original cartridge, and you can back up and restore save files. These disk copiers were essentially tools for piracy, following the popularity of copying on other 16-bit platforms, the Amiga and the Atari ST. The best-known disk copier for the Super Nintendo is the Super WildCard DX2. This was the Swiss Army knife of copiers and allowed you to do almost everything. Unfortunately, this form of piracy meant release and cracking groups started to get involved. Super NES games, just like others, were dumped, released and spread around the world on bulletin boards and FTP servers. As you can imagine, Nintendo was not thrilled. On the NES there was bootlegging, sure, but disk copiers weren't really a thing back then. On the Super NES they were affordable and easy to get, and you could buy a box of floppy disks very cheaply. Nintendo was worried about people renting games, copying them, and returning the originals.

In 1994 Nintendo bought a 25% stake in Rare, making it a second-party developer. Nintendo's partnership with Rare was extremely important to both companies. Rare had the experience to make quality games, and their new secret weapon, Silicon Graphics technology, was about to be used in the upcoming games Donkey Kong Country and Killer Instinct. To stop disk copiers, both Killer Instinct and Donkey Kong Country
would lock the game out if they detected that a copier was attached, or that the ROM had been loaded from a floppy disk, and present an anti-piracy message that looked like this. Nintendo also introduced the same anti-piracy features in other games like EarthBound and Super Punch-Out!! This meant the games needed to be cracked: owning just a disk copy wouldn't work, you also needed to patch the ROM.

So how does this anti-piracy actually work, and how does it kick in? Any Super NES game that requires a save has what's known as SRAM, or save RAM. This RAM is usually quite small, maybe only 8 or 16 kilobytes depending on the game. It's built into the cartridge and backed by a battery; if the battery dies, you lose your save games. Disk copiers, on the other hand, have a much larger amount of SRAM, because they want to be able to handle any save size possible. And this is how the games check. Because any particular game knows how much SRAM it needs, it simply checks how much SRAM is actually present on whatever is in the cartridge slot, and if it's any different from what it expects, it displays the anti-piracy message and locks up the game.

So let's go ahead and see if we can trigger an anti-piracy message on the Super NES, and the best way to do this is to use an emulator such as Snes9x. I downloaded the Snes9x source code and compiled it on my PC. So let's go ahead and fiddle with the SRAM in the memory class. This is the function where the SRAM size is calculated from the ROM, and this is where we can hijack the SRAM value. I'm going to give it a size of 64 kilobytes, which is way larger than normal. Let's go ahead and see what happens. Running the emulator and loading Donkey Kong Country, everything seems to work fine, but as soon as you load a level it indeed shows us the anti-piracy message.
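The SRAM size check above, as an added example that is not code from the video or from any Nintendo or Rare title: a Python model of a cartridge whose SRAM mirrors across its address window (as a small chip with fewer decoded address lines does), a copier with 64 KB of SRAM, and a game-side probe that writes past the declared size and checks whether the write aliased back to offset 0. The header layout it reads (LoROM header at file offset 0x7FC0, HiROM at 0xFFC0, RAM-size exponent at $FFD8, complement/checksum pair at $FFDC/$FFDE, optional 512-byte copier header) is the standard SNES internal header, which is also where Snes9x takes its SRAM size from; that the real games probed by write-and-readback rather than some other method is an assumption, and the synthetic ROM, title and byte values are constructed for the example.

```python
"""Constructed model of a Super NES SRAM-size anti-piracy check (example, not game code)."""

LOROM_HEADER = 0x7FC0  # $FFC0 of bank 0 maps to this file offset in a LoROM image
HIROM_HEADER = 0xFFC0  # ... and to this one in a HiROM image


def declared_sram_bytes(rom: bytes) -> int:
    """Read the SRAM size the ROM's internal header declares.

    Header byte $FFD8 is the RAM-size exponent: 0 = no SRAM, else 1 KiB << n.
    The checksum ($FFDE) and its complement ($FFDC) must XOR to 0xFFFF, which is
    how we tell a real header from random bytes. A 512-byte copier header is skipped.
    """
    skip = 512 if len(rom) % 1024 == 512 else 0
    for base in (LOROM_HEADER, HIROM_HEADER):
        off = base + skip
        if off + 0x20 > len(rom):
            continue
        complement = int.from_bytes(rom[off + 0x1C:off + 0x1E], "little")
        checksum = int.from_bytes(rom[off + 0x1E:off + 0x20], "little")
        if complement ^ checksum == 0xFFFF:
            n = rom[off + 0x18]
            return 0 if n == 0 else 1024 << n
    raise ValueError("no valid SNES internal header found")


class Sram:
    """`size` bytes of battery RAM that mirror across the cartridge's SRAM window,
    the way a small chip with fewer address lines decoded behaves on real hardware.
    A copier's large SRAM is the same class with a big `size`."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.mem = bytearray(size)

    def read(self, addr: int) -> int:
        return self.mem[addr % self.size]

    def write(self, addr: int, val: int) -> None:
        self.mem[addr % self.size] = val & 0xFF


def copier_detected(sram: Sram, expected: int) -> bool:
    """Game-side probe (assumed technique). On genuine SRAM of `expected` bytes a
    write at offset `expected` aliases onto offset 0; if it does not, more SRAM is
    present than the game expects (a copier). A write at expected // 2 must NOT
    alias, or the slot holds less SRAM than declared (also not the real cartridge)."""
    if expected == 0:
        return False  # game without SRAM: nothing to probe
    probes = (0, expected, expected // 2)
    saved = {a: sram.read(a) for a in probes}  # real save data lives here; restore it
    try:
        sram.write(0, 0x5A)
        sram.write(expected, 0xA5)
        if sram.read(0) != 0xA5:
            return True  # write beyond declared size landed elsewhere: bigger SRAM
        sram.write(0, 0x5A)
        sram.write(expected // 2, 0xA5)
        return sram.read(0) == 0xA5  # aliased at half size: smaller SRAM
    finally:
        for a, v in saved.items():
            sram.write(a, v)


def build_test_rom(sram_exponent: int = 1) -> bytes:
    """Constructed 32 KiB LoROM image with just enough header to be recognised."""
    rom = bytearray(0x8000)
    h = LOROM_HEADER
    rom[h:h + 21] = b"SRAM CHECK DEMO".ljust(21)  # title (hypothetical)
    rom[h + 0x15] = 0x20  # map mode: LoROM, slow
    rom[h + 0x16] = 0x02  # cartridge type: ROM + RAM + battery
    rom[h + 0x17] = 0x05  # ROM size exponent: 1 KiB << 5 = 32 KiB
    rom[h + 0x18] = sram_exponent  # SRAM size exponent: 1 = 2 KiB
    checksum = 0x1234  # any value; only the complement relation is validated here
    rom[h + 0x1C:h + 0x1E] = (checksum ^ 0xFFFF).to_bytes(2, "little")
    rom[h + 0x1E:h + 0x20] = checksum.to_bytes(2, "little")
    return bytes(rom)


def run_check(rom: bytes, sram_present: int) -> bool:
    """What the game does at boot: derive the expected size, then probe the slot."""
    return copier_detected(Sram(sram_present), declared_sram_bytes(rom))


if __name__ == "__main__":
    rom = build_test_rom()
    expected = declared_sram_bytes(rom)
    print(f"header declares {expected} bytes of SRAM")
    for present in (expected, 64 * 1024, expected // 2):
        verdict = "ANTI-PIRACY TRIGGERED" if run_check(rom, present) else "ok"
        print(f"{present:6d} bytes present -> {verdict}")
```

Setting `sram_present` to 64 KB is the same experiment the video performs by overriding the SRAM size in Snes9x: the probe write at 2048 no longer aliases, and the check fires. The probe also saves and restores the bytes it touches, because on a real cartridge those bytes are the player's save.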
And just to prove that this is not a fluke, the same thing happens in Donkey Kong Country 2, and if we load up EarthBound it displays a similar message. SRAM anti-piracy checks were introduced in late 1994. Only around 12 games have this check; most rely on the lockout chip alone. The SRAM check against disk copiers was one way Nintendo was able to fight piracy, but Nintendo didn't stop there. They came up with more ingenious ways to beat the pirates.

Donkey Kong Country 2 was one of the first Super NES games to introduce multiple layers of anti-piracy. The CIC region lockout and the SRAM checks came first, and incidentally, if you open up the SRAM save file that DKC2 creates once it knows you've tampered with the game, it leaves a nice little message: the words "A PIRATE" embedded in the save data. Nice one! Another check tests the registers of the main CPU, the 65C816. In theory, if these registers are at their default values during boot-up, it's assumed that an original cartridge has been inserted; if they differ from what is expected, it's assumed that a copier is connected and potentially running its own code. There are some additional RAM tests to check for copiers, along with CRC or checksum validation. If this check fails, memory location 0x0AFD, which holds the total number of screens in a level, is reduced by 1. To test this, let's use Donkey Kong Country 2 in Snes9x. By hijacking and patching memory location 0x0AFD to reduce the total screen count, you can see that the character is completely boxed in. This means that the level will stop scrolling and can never be completed. There's also a reset vector check.
A reset vector is essentially a pointer to the location in memory where the game starts executing at boot. Reset vectors get modified when a cracktro, trainer or intro is injected into the ROM, and if the game finds the vector modified it misbehaves in odd ways, like barrels not breaking, or the player being randomly kicked out of a level back to the map and unable to proceed. Donkey Kong Country 3 took these features and added a few more. Of course, none of these stopped expert crackers from dumping and patching the game, but they certainly made their lives a lot harder.

If there's one game that stands out in the entire Super NES library for devious anti-piracy methods, the one that really comes to mind has to be EarthBound. EarthBound is a role-playing game known as Mother 2 in Japan. It was released in North America in 1995, right when disk copying was running rampant. The story follows Ness and his friends traveling the land, getting into adventures and leveling up to ultimately defeat the evil end boss, Giygas. Not many people cared for EarthBound at launch in North America, with lukewarm reviews and sales, but the game is now a cult classic and one of the most sought-after and expensive Super NES games around. EarthBound implements four levels of copy protection, each more devious than the one before it.
Like Donkey Kong Country, regional lockout and SRAM checks are in place, but any cracker worth their salt can easily patch both out when they dump the ROM. The EarthBound developers, however, checked for exactly these patches. By all accounts the game appeared to work; you could play and save your progress just fine. But the game's enemy encounter logic was amped up significantly, with far more random encounters than usual. Encounters on the beach, for example, hardly ever happen in the real game, and encounters occurred in places where they normally wouldn't, leaving the game almost unplayable as is. Then there's one last middle finger to the hackers and anyone playing a bootleg: if you get to the final boss, Giygas, the game freezes during the battle and the screen turns black, but the music continues, and when you reset the game to reload your save, your saves have been completely wiped. This is also easily tested on an emulator like Snes9x, and sure enough it works.

There are other Super NES games with anti-piracy measures like this, but in the end, with no form of encryption on the console, the hackers would always find a way. Nintendo stopped casual disk copying, but they couldn't prevent the experts from patching the code. Still, removing a save game right at the end is one of many methods to mitigate piracy by letting the cracker think he has defeated the anti-piracy when clearly he has not. And finally, going back to the CIC lockout chip: the Super NES variant was finally completely reverse engineered in 2010, with the Super CIC mod, a way to play games from all regions, being released. So there you have it, guys, that's the story of anti-piracy methods on the Super NES.
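The reset-vector and checksum checks described for Donkey Kong Country 2, and EarthBound's approach of noting a defeated check and punishing it much later rather than halting at boot, as an added example in Python that is not the games' code: a constructed 32 KiB LoROM image, a boot-time check of the RESET vector at $FFFC (file offset 0x7FFC for LoROM) and a 16-bit additive checksum over a code region, and a game-state object that only stores the verdict and consumes it during play, by shorting the level's screen count (like the 0x0AFD decrement) or by multiplying the encounter rate. The entry address 0x8000, the injected-intro address 0xC000, the checksummed region, the checksum algorithm and the x4 encounter multiplier are all assumptions for illustration.

```python
"""Constructed model of ROM integrity checks with deferred consequences (example, not game code)."""

ROM_SIZE = 0x8000               # 32 KiB LoROM image (constructed)
RESET_VECTOR_OFF = 0x7FFC       # $FFFC of bank 0: emulation-mode RESET vector, LoROM file offset
CODE_REGION = (0x0000, 0x1000)  # region the game checksums (assumed)
GOOD_ENTRY = 0x8000             # where the real game starts (assumed)


def checksum16(data: bytes) -> int:
    """16-bit additive checksum (assumed algorithm; the games' own CRC is not documented here)."""
    return sum(data) & 0xFFFF


def build_rom(entry: int = GOOD_ENTRY) -> bytes:
    """Constructed ROM: deterministic 'code' bytes plus a reset vector."""
    rom = bytearray(ROM_SIZE)
    lo, hi = CODE_REGION
    for i in range(lo, hi):
        rom[i] = (i * 7 + 3) & 0xFF
    rom[RESET_VECTOR_OFF:RESET_VECTOR_OFF + 2] = entry.to_bytes(2, "little")
    return bytes(rom)


def reset_vector(rom: bytes) -> int:
    return int.from_bytes(rom[RESET_VECTOR_OFF:RESET_VECTOR_OFF + 2], "little")


class GameState:
    """Runs the checks once at boot, stores only a verdict, and lets gameplay code
    consult it later, so a cracker who sees the game start assumes it is beaten."""

    def __init__(self, rom: bytes, good_entry: int, good_sum: int) -> None:
        self.rom = rom
        self.reasons = []
        if reset_vector(rom) != good_entry:
            self.reasons.append("reset vector")  # a cracktro or trainer hijacked boot
        lo, hi = CODE_REGION
        if checksum16(rom[lo:hi]) != good_sum:
            self.reasons.append("code checksum")  # bytes in the protected region changed

    @property
    def tampered(self) -> bool:
        return bool(self.reasons)

    def screens_in_level(self, nominal: int) -> int:
        """Like DKC2's 0x0AFD counter: one screen short, so the level never ends."""
        return nominal - 1 if self.tampered else nominal

    def encounter_rate(self, base: int) -> int:
        """Like EarthBound: keep running, but make the game miserable to play."""
        return base * 4 if self.tampered else base


def inject_intro(rom: bytes, intro_entry: int = 0xC000) -> bytes:
    """Emulate a cracktro: repoint RESET at injected code (address assumed)."""
    patched = bytearray(rom)
    patched[RESET_VECTOR_OFF:RESET_VECTOR_OFF + 2] = intro_entry.to_bytes(2, "little")
    return bytes(patched)


def nop_out_check(rom: bytes, at: int = 0x0100) -> bytes:
    """Emulate a crack that NOPs an instruction inside the checksummed region (0xEA = NOP on the 65C816)."""
    patched = bytearray(rom)
    patched[at] = 0xEA
    return bytes(patched)


GOOD_ROM = build_rom()
GOOD_SUM = checksum16(GOOD_ROM[CODE_REGION[0]:CODE_REGION[1]])


def verdict(rom: bytes) -> list:
    """Boot the image against the known-good values; returns the reasons it was flagged."""
    return GameState(rom, GOOD_ENTRY, GOOD_SUM).reasons


if __name__ == "__main__":
    for name, image in (("original", GOOD_ROM),
                        ("with cracktro", inject_intro(GOOD_ROM)),
                        ("check patched out", nop_out_check(GOOD_ROM))):
        game = GameState(image, GOOD_ENTRY, GOOD_SUM)
        print(f"{name:18s} tampered={game.tampered} reasons={game.reasons} "
              f"screens={game.screens_in_level(5)} encounters={game.encounter_rate(10)}")
```

The point of the design is the gap between detection and consequence: the boot path never displays a message or halts, so a cracker testing the patched ROM for a few minutes sees nothing wrong, and the sabotage only surfaces deep into a level or at the final boss. A cracker who wants a clean patch has to find where `reasons` is consulted, not just where it is set.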
It's a fascinating topic, and Nintendo really took things to the next level with some of their games. They really wanted to protect some of their IPs, and they were successful in doing so from a casual-copying standpoint. But with the disk-based copiers out at the time and the ability to quickly patch ROMs and remove any type of protection or check in the ROMs themselves, ultimately these games were quickly dispatched and defeated. We're going to take a look at the Nintendo 64 in an upcoming episode, because there's some more interesting stuff to talk about there as well, but I'm going to leave it here for this video. I hope you enjoyed it. As always, if you liked it, leave me a thumbs up and let me know what you thought in the comments below. Don't forget to like and subscribe, and I'll catch you guys in the next video. Bye for now.
