Req : "Audio Sculpture" (STX,...) even not running...

[ijor]

I don't remember seeing protected dumps of No Buddies Land or Son Shu Shi. Do you have the original disks or copy protected images? If so, could you please post them, thanks.

I don't have original disks/images of these 2 games. However, 2/3 of the protection code is still present in the cracked versions, even if the protection is no longer executed.

I see. Thanks.

Too bad that we still don't have any original dump of these two titles.

[DrCoolZic]

So it would not check duplicate sector on track 0 (or did you made the test using AS V1.2 that does not have duplicate?)
I suspect that "Read sector(s). track: 3 (80), side: 0, sector: 10" means read sector 10 on track 3 with track register set to 80 (decimal)

[ijor]

So it would not check duplicate sector on track 0 (or did you made the test using AS V1.2 that does not have duplicate?)

Tested ver 1.3, sorry for not being clear enough.

It doesn't check those headers on track 0, not that I see at least up to the point that you can actually run the program. Conceivable the program might perform further checks later on, but doesn't seem so. And this is consistent with being the same protection as version 1.2 that doesn't have those headers.

I suspect that "Read sector(s). track: 3 (80), side: 0, sector: 10" means read sector 10 on track 3 with track register set to 80 (decimal)

Correct.

[orionfuzion]

Hi guys,

I've analyzed the copy-protection of Audio Sculpture 1.5 and focused on how protected tracks and sectors are verified.

I've written scripts (a chain of breakpoint actions) that allow to "crack" the copy-protection under Hatari:
The original copy of AS 1.5 (AudioSculpture1-5.STX) has been duplicated using FastCopy III.
The resulting regular ST image can be run successfully under Hatari using the scripts provided in the attached zip file.

The zip file contains the following README:

Code: Select all

Audio Sculpture 1.5 - "IPL crack under Hatari 2.1.0"
By Orion / Replicants - January 2020

This set of files provides the means to crack the copy-protection of
Audio Sculpture 1.5 using the debugging facilities of Hatari 2.1.0.

This protection is called "IPL" which means "Initial Program Lock".
It consists of three different protections assembled into a single
mega-protection whose complete execution takes 15 seconds!
It has been developed by Illegal (Replicants), Altair (VMAX),
Zarathustra (The Invisibles) and some guys from SYNC.
It is present on all software published by Expose Software: Audio
Sculpture (all versions), No Buddies Land and Son Shu Shi.

The original copy of AS 1.5 (AudioSculpture1-5.STX) has been duplicated
using FastCopy III.
This copy is provided as a regular ST image (AudioSculpture1-5-COPY.ST).
If this ST image is run under Hatari without special actions, it will
crash because of the IPL copy-protection.

The *.ini files of this delivery implement a breakpoint actions chain
allowing to run the ST image of AS 1.5 under Hatari and to perform actions
such as patching the memory and the registers on-the-fly in order to
"crack" the IPL protection and to make the regular ST image of AS 1.5
run correctly.

To crack the IPL and make the ST image work correctly, launch a Unix
shell, go the the 'AS15.CRK' directory containing the *.ini files and
launch Hatari as follows:

$ <path_to_hatari>/hatari --configfile <your_hatari_config_file>  --disk-a ./AudioSculpture1-5-COPY.ST --parse ./as15_bp0.ini

It is also possible to run the original copy of AS 1.5 (the STX image)
with the same breakpoint actions chain:

$ <path_to_hatari>/hatari --configfile <your_hatari_config_file>  --disk-a ./AudioSculpture1-5.STX --parse ./as15_bp0.ini

This will dump the content of the protected tracks and sectors as well as
the routines that perform copy-protection checks.

This delivery contains the following files:

- README.txt
  This file.

- AudioSculpture1-5.STX
  The image of the original protected disk of AS 1.5.

- AudioSculpture1-5-COPY.ST
  The image of the copy (using FastCopy III) of AS 1.5 (protected tracks
  and sectors are missing or incorrect).
  The purpose of the files below is to be able to run this image
  correctly under Hatari.

- as15_bp0.ini
  The head of the breakpoint actions chain that is used to "crack" the
  protection of Audio Sculpture 1.5 under Hatari.

- as15_bp1.ini
  Neutralize track#1 protection.
  Hidden data into gap (HDG) and Invalid Data in Gap (IDG).

- as15_bp2_1.ini
  Neutralize track#2 protection (1st part).
  Hidden data into gap (HDG) and Invalid Data in Gap (IDG).

- as15_bp2_2.ini
  Fix loading of IPL Part#3.

- as15_bp3_1.ini
  Neutralize track#2 protection (2nd part).
  Hidden data into gap (HDG) and Invalid Data in Gap (IDG).

- as15_bp3_2.ini
  Neutralize track#3 protection (1st part).
  Write Splice Inside Sector (SIS).

- as15_bp3_3.ini
  Neutralize track#3 protection (2nd part).
  Write Splice Inside Sector (SIS).

- as15_bp3_4.ini
  Neutralize track#3 protection (3rd part).
  Write Splice Inside Sector (SIS).

- as15_bp4.ini
  Neutralize track#1 protection inside Audio Sculpture (outside the IPL).
  Hidden data into gap (HDG) and Invalid Data in Gap (IDG).

- ipl_part3.bin
  The 3rd part of the IPL normally located on sectors of track#2.

Every .ini file provides detailed comments about each part of the
copy-protection.

If you want to understand how this copy-protection works, just follow the directives.
It is a good complement to the doc written by Jean (DrCoolZic) as it shows what is actually verified (and how) by the copy-protection.

The "Write Splice Inside Sector" protection is very interesting and surprising as the copy-protection code is buggy! (see the as15_bp3_3.ini file for details).

I have another doc pending, but this one is more focused on the software part, and in particular on all the tricks used by the authors of the copy-protection to make it painful to reverse-engineer. I will publish it later...

Orion / Replicants

[dlfrsilver]

IPL means Initial Program Load (not lock) as indicated in the hex picture seen a page ago.

Audio-Sculpture protection was written with an analogic board in a PC, allowing to make copies. Not on an Atari ST of course.

[orionfuzion]

IPL means Initial Program Load (not lock) as indicated in the hex picture seen a page ago.

Well, both are valid.

Frederic himself wrote "IPL, yes i remember, for "Initial Program Lock", a joke made with "Initial program Load" a name that Pascal Truong had found..."

Audio-Sculpture protection was written with an analogic board in a PC, allowing to make copies. Not on an Atari ST of course.

The protection contains the following text: "IPL needs no custom chip".
And the "amateurish" technique used here rather suggests the use of a ST.

Did Frederic tell you he was using a PC?

[dlfrsilver]

Yes he did. He told me the protection was written with a PC with custom board/FDC, not with an ST.

[orionfuzion]

For those who are interested in copy-protections, I've documented the one used in Audio Sculpture and Son Shu Si.
This protection is just amazing and it deserves that you take a look at it. It was developed by the greatest hackers of the ST era!
It's in the top 5 of the nastiest protections!

The doc is available here: https://github.com/orionfuzion/newcrack ... uSi/IPL.md

This is a complement to the first analysis that I published in this thread, and which is now available on my github: https://github.com/orionfuzion/newcrack ... /README.md

The first doc details the software mechanisms used to prevent hackers from reverse-engineering the protection.
The second doc is more focused on the physical part of the protection, that is, how tracks and sectors are physically protected and verified.

Piracy was a crime, crime was our business!
Orion / Replicants

[troed]

I'm trying to create good dumps from my original Audio Sculpture v1.3. While the program disk seems fine, I have issues with the data disk. Even after extensive cleaning, I can't get better than 34 bad sectors according to HxC Software. I need the opinions of those who're much more used to this than I am so far.

Here's the .SCP from the data disk: https://troed.ddns.net/f/9c357f14697e430082f1/

This is what it looks like. The bad crc stems from the orange skewed lines, one example being on track 33, side 0.

Screenshot from 2020-05-09 11-36-08.png

edit: When converted to .STX and tested in Hatari, the readme txt cannot be viewed, and the side2 folder cannot be accessed (I think the side2 folder is supposed to show additional content when run in a double sided drive, everything else on single side)

regards,
Troed

[troed]

Sectors overwritten somehow? Sector 004 seems to come at the wrong time here.

Screenshot from 2020-05-09 12-35-42.png

I'm wondering if this is a screw up when producing the original, if no one has a good suggestion on how the previous owner could've caused it.

/Troed

[troed]

I've managed to get Aufit running under Wine. Interestingly enough, when converting disk B to STX using Aufit, it wrote something about "recovered" regarding a few sectors - and the resulting STX can indeed display both the readme2.txt as well as access the side2 folder.

/Troed

[troed]

... and that concludes my lonely string of posts here - by answering the original call

Here's a dump from an original Audio Sculpture v1.3, to SCP and converted to STX. I've verified both STX images with Hatari. I don't know if the SCP images work as is in Steem - as I wrote above, Aufit seems to have done something when converting the data disk.

STX: http://files.sync.wtf/as_13.zip
SCP: http://files.sync.wtf/as_13_scp.zip

/Troed

[DrCoolZic]

In Aufit I provide the capability to pick a good sectors from the different revolutions if they exist and combine them to recover the data...
For example on a track Aufit can pick sector one in revolution 1 and sector 2 in rev 4 etc.
When this happen that usually mean that your disk is very close to be dead …
It may happen that the stx file may contains bad sectors. Recover means that Aufit has been able to recover some sectors but may be not all of them.
If you are brave you may try the program from Josha that perform error correction on broken floppies.
Have a look at https://www.youtube.com/watch?v=ZmoOOuSRbdg
The program (using some pieces from Aufit) is available from GitHub https://github.com/imqqmi/FloppyControl
It can operate from scp files if you are able to figure out how to use it ….

Would be interested to look at the scp file unfortunately your link are not working

[troed]

Would be interested to look at the scp file unfortunately your link are not working

Sorry, had a self-caused outage on my server this afternoon. Back up now.

/Troed

[DrCoolZic]

thanks got it

[DrCoolZic]

as_13.PNG

Aufit can recover some sectors (pretty amazing looking at the condition) but not all of them

Actually Aufit seems to have recovered all of 55.0 56.0 56.0 and 48.0 49.1

[Mug UK]

I've been doing some preservation with my Greaseweazel Lightning over the last few days and I've found, imaged and tested two versions of Audio Sculpture. These are my original copies, I'm guessing they would be the v1.0 release - there's no version number listed on the opening screen, so this is a guess. There's also another original I acquired at some point which is labelled as v1.1 on the opening screen.

I've put them onto my Dropbox with the links below:

Audio Sculpture v1.0 - https://www.dropbox.com/s/wnt4uhimqaa4s ... cp.7z?dl=0

Audio Sculpture v1.1 - https://www.dropbox.com/s/7nveoo6xel8nv ... cp.7z?dl=0

Audio Sculpture Data Disk - https://www.dropbox.com/s/qgikq4g91uyc8 ... 29.7z?dl=0

All three disks were examined using Batch Aufit, so the extra files generated are inside the 7Z files. Let me know if there's anything wrong or that the disk images need redoing. I've tested them with STEEM only and loaded a .MOD from the Data Disk with both versions to test them out.

[MiggyMog]

I finally got around to re-imaging disk 2 of audio sculpture 1.2

audiosculpture1_2_atari_DataDisk.zip

[Marcer]

Where to find aufit 1.4 ??

[MiggyMog]

Interesting additional info, I also had issue converting disk 2 to stx with aufit and instead used hxc software. The converted 1 would not boot in steam but as I had already done it with pasti I was not too bothered. The scp of disk 1 worked in Steem however