Locked out of Ghost Rider disc. Anyone experienced with bypassing pseudo-DRM?

Discussion in 'Rare and Obscure Gaming' started by VerticalE, Feb 12, 2018.

  1. VerticalE

    VerticalE Robust Member

    Joined:
    Feb 28, 2012
    Messages:
    290
    Likes Received:
    177
    I have two discs marked "PS2 Leipzig". I've always assumed it was a standard Ghost Rider beta and today I took a better look at it. When booting up I am presented with the following:

    [IMG]

    The data structure is as follows: https://pastebin.com/Zrg2Wr4p

    Anyone experienced any similar pseudo-DRM and have some tips on an approach to cracking it? I'm assuming I'll have to enter a combination on the controller so I tried mashing buttons on port 1 and 2 to no avail.
     
  2. Borman

    Borman Digital Games Curator

    Joined:
    Mar 24, 2005
    Messages:
    9,428
    Likes Received:
    1,533
    I actually meant to take a look for the password and never did. I ran into the same thing as you did. I figure if anyone has the password, it's me.
     
  3. VerticalE

    VerticalE Robust Member

    May the power of GREP compel you to find that password! "Leipzig" would be a good starting point ;)
     
  4. Knuckles500

    Knuckles500 Spirited Member

    Joined:
    Mar 16, 2006
    Messages:
    113
    Likes Received:
    29
    SLUS_000.00 looks like it was compiled with debugger symbols. If you upload that file I could try and disassemble it and see if they left a label for it. :)
     
  5. VerticalE

    VerticalE Robust Member

    Sure thing! At work at the moment but will try to get it up later tonight :D
     
  6. VerticalE

    VerticalE Robust Member

    http://www.filedropper.com/slus000

    I could email it if you PM me your address. I have no idea about filesharing websites so I just found a random one. Hope it has all you need :)
     
  7. Knuckles500

    Knuckles500 Spirited Member

    I found the byte sequence for the button code. The only problem is I don't know what the values correlate to on the controller. I'd need to run the game in a debugger (emulator) to find out:

    Code:
    .data:003ECDE0 _8BootLock$cSeq:.half 0x40               # DATA XREF: BootSequence::Manager::HandleEvents(RWS::CMsg &)+FC↑o
    .data:003ECDE2                 .half 0x10
    .data:003ECDE4                 .half 0x80
    .data:003ECDE6                 .half 0x20
    .data:003ECDE8                 .half 0x80
    .data:003ECDEA                 .half 0x10
    .data:003ECDEC                 .half 0x40
    .data:003ECDEE                 .half 0
    The code consists of 7 or 8 presses. 0x40 is one button, 0x10 is one button, 0x80 is one button, and 0x20 is one button. So it utilizes four buttons. It might utilize button combos as well, but these values seem to hint at just one single button press, imo. 0x0 is probably "START", or just a null terminator for this array.
     
    Last edited: Feb 13, 2018
    Getta Robo, Atombomb66 and speedyink like this.
  8. speedyink

    speedyink Site Supporter 2016

    Joined:
    Apr 10, 2015
    Messages:
    1,245
    Likes Received:
    501
  9. sp193

    sp193 Site Soldier

    Joined:
    Mar 29, 2012
    Messages:
    2,101
    Likes Received:
    846
  10. VerticalE

    VerticalE Robust Member

    This is why our community matters. God damn I'm impressed! Currently at work so will have to test it when I get home. The other disc is marked "Leipzig V2" so I'm presuming that it is the same code on that build as well. Can't wait to try it out :D

    Now as for the approach used to find the code: Where do you even start? I'm assuming you don't actually run it in debug, but rather poke around the file for a string/specific hex? I find this absolutely fascinating and would love to learn more.
     
  11. Borman

    Borman Digital Games Curator

    I extracted the files overnight, but it looks like you have an answer hah. I do remember the debug menu working regardless of entering the code or not, just nothing to skip the screen in it iirc.
     
  12. VerticalE

    VerticalE Robust Member

    How do you open the debug menu? I didn't get that open using either controller port 1 or 2 and mashing buttons. Anyways, checking combo on my builds in an hour or so. If I get in I'll post some screens from both builds :)
     
  13. Borman

    Borman Digital Games Curator

    One or both of the thumbsticks pushed in. The builds should be pre-alpha. They of course made both PS2 and PSP builds. It will likely appear slightly off screen, so you have to move it down with one of the thumbsticks, I think the right one for all of this. Dpad moves through the menu.
     
  14. VerticalE

    VerticalE Robust Member

    Alrighty, thanks. I was hoping to test the PSP builds as well today. I'm keeping my fingers crossed that one of them is wrongfully labeled Ghost Rider but is in fact Silent Hill ;)
     
  15. VerticalE

    VerticalE Robust Member

    No dice, couldn't get the codes to work :( Tried both versions.
     
  16. speedyink

    speedyink Site Supporter 2016

    Lame...what about trying it in controller port 2? (just for shits and giggles :p)
     
  17. Borman

    Borman Digital Games Curator

    You would think the password would be in the notes for the build, but no such luck.
     
  18. sp193

    sp193 Site Soldier

    It seems to be a 7-button code, since it checks a sequence of 7. That zero is probably just a padding byte.
    If you press the wrong button, then it will reset.

    From the ReadInput__Q212InputDevices19CPSX2StndController function, it seems like the bytes will be swapped before being inverted:
    Code:
     jal scePadRead
     ...
      lbu $v0, 0x3e($s0)
      lbu $v1, 0x3f($s0)
      sll $v0, $v0, 8
      or $v0, $v0, $v1
      xori $v0, $v0, 0xFFFF
      ...
    
    Hence the combination should probably be:
    • 0x40 - Cross
    • 0x10 - Triangle
    • 0x80 - Square
    • 0x20 - Circle
    • 0x80 - Square
    • 0x10 - Triangle
    • 0x40 - Cross
    Are you using a DualShock 2? Just in case this game is one of those that do not support other types of controllers.

    If you want to check out the game, it is perhaps also possible to edit the boot file before burning/installation, just to inhibit the check.
    It is enabled during runtime:
    Code:
    0x0016b848 addiu v0, zero, $0001
    0x0016b84c sw v0, $cdd0(v1) <- _8BootLock$bLocked
    
    This would be at offset 0x6C848 of the ELF. You could try to replace the 8 bytes there with EIGHT 0x00 bytes, which will overwrite these instructions with NOPs.

    If you're using the TOOL, you can save a NOP over the store word operation at 0x0016b84c and that should work too.
     
    Last edited: Feb 15, 2018
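
The read path and reset behaviour described in the post above, as an added example that is not code from the thread or the game. `BootLockModel`, `raw_for` and `play` are hypothetical names, and the edge detection and reset-to-start behaviour are assumptions of this model.

```python
# Halfwords listed for _8BootLock$cSeq in the thread; the final 0 is treated as a terminator.
SEQ = [0x40, 0x10, 0x80, 0x20, 0x80, 0x10, 0x40, 0x00]
# Button names as proposed in the post above.
NAMES = {0x40: "Cross", 0x10: "Triangle", 0x80: "Square", 0x20: "Circle"}

def pad_word(b0, b1):
    """Quoted read path: (first byte << 8) | second byte, then XOR 0xFFFF (bits are active-low)."""
    return ((b0 << 8) | b1) ^ 0xFFFF

def raw_for(mask):
    """Constructed raw byte pair in which only the buttons in `mask` are held."""
    word = mask ^ 0xFFFF
    return word >> 8, word & 0xFF

class BootLockModel:
    """Hypothetical model of the check: advance on a correct press, reset on a wrong one."""
    def __init__(self, seq=SEQ):
        self.seq = seq[:seq.index(0)] if 0 in seq else list(seq)
        self.pos, self.prev, self.locked = 0, 0, True

    def feed(self, b0, b1):
        cur = pad_word(b0, b1)
        pressed = cur & ~self.prev & 0xFFFF   # newly pressed bits only (assumption)
        self.prev = cur
        if self.locked and pressed:
            if pressed == self.seq[self.pos]:
                self.pos += 1
                self.locked = self.pos < len(self.seq)
            else:
                self.pos = 0                  # wrong button: start over
        return self.locked

def play(model, masks):
    """Press and release each mask in turn; return the final locked state."""
    for m in masks:
        model.feed(*raw_for(m))
        model.feed(*raw_for(0))               # release everything
    return model.locked

def describe(seq=SEQ):
    """Translate the non-zero sequence entries to the button names given in the post."""
    return [NAMES.get(v, hex(v)) for v in seq if v]
```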
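
The address-to-offset pair in the post above can be checked before any bytes are changed. This added example (not code from the thread) maps 0x0016b848 through the ELF program headers and compares the eight bytes found there with the encodings of the two quoted instructions. `build_sample_elf` is a constructed stand-in for the boot file, and its single load segment (0x00100000 at file offset 0x1000) is an assumption chosen to match the post's address and offset.

```python
import struct

PT_LOAD = 1
# Little-endian MIPS encodings of the two instructions quoted in the post:
#   addiu v0, zero, 0x0001 -> 0x24020001
#   sw    v0, 0xcdd0(v1)   -> 0xAC62CDD0
EXPECTED = struct.pack("<II", 0x24020001, 0xAC62CDD0)

def vaddr_to_offset(elf, vaddr):
    """Translate a virtual address to a file offset using the PT_LOAD segments."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    e_phoff, = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"0x{vaddr:08x} is not backed by file data")

def check_patch_site(elf, vaddr=0x0016B848):
    """Return (file offset, True if the bytes there are the two expected instructions)."""
    off = vaddr_to_offset(elf, vaddr)
    return off, elf[off:off + 8] == EXPECTED

def build_sample_elf():
    """Constructed sample: minimal ELF32 header, one PT_LOAD, expected words at the site."""
    size = 0x6C850
    elf = bytearray(size)
    elf[:16] = b"\x7fELF\x01\x01\x01" + bytes(9)
    # e_type, e_machine (MIPS), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum
    struct.pack_into("<HHIIIIIHHH", elf, 0x10, 2, 8, 1, 0x100000, 52, 0, 0, 52, 32, 1)
    # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    struct.pack_into("<8I", elf, 52, PT_LOAD, 0x1000, 0x100000, 0x100000,
                     size - 0x1000, size - 0x1000, 7, 0x1000)
    elf[0x6C848:0x6C850] = EXPECTED
    return bytes(elf)
```

If the second value returned by `check_patch_site` is False on a real file, the build differs from the one disassembled in the thread and the offset should not be trusted.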
  19. VerticalE

    VerticalE Robust Member

    Forgot to mention, sorry. I'm running this on a PS3 TEST. My TOOL is packed away somewhere in the attic and I only have the TEST available atm. Not sure if it's a DualShock or SixAxis but since it is emulated I guess it doesn't matter. I don't have time to test it tonight but I'll try to get it done tomorrow :)
     
  20. N!NJA

    N!NJA ßanned

    Joined:
    Feb 12, 2018
    Messages:
    24
    Likes Received:
    24
    Would offer help here seeing as I released all mine, but none even had this in place so no clue how to help sorry :( I don't think a PS3 TEST A00A would affect things too much. It's closer to the real thing than emulation.

    @Borman could it be a comment in the code do you think?
     
