Synthworks without dongle
Hi everyone
I recently discovered that the latest versions of Synthworks (released in 1994) were able to run on Falcon, but also were able to run from hard disk without the dongle
Actually, you need to run it once with the dongle plugged in, and then the subsequent launches will not require the dongle anymore.
I confirmed this with Synthworks v1.6 for D10/20/110/MT32, and I was wondering if somebody took advantage of this feature to create a "crack"
Actually, I am looking for a D-50 version, and as I cannot find one, this could be a nice solution (better than a truly cracked version which may crash because of the crack)
I tried to investigate how this was working:
After running it once from C:\MIDI with the dongle, I tried (without the dongle)
- from C:\MIDI\ : it works
- from C:\OTHER\ : it does not work (it was a copy from C:\MIDI\ and files still exist in C:\MIDI\)
- replaced files in C:\MIDI\ with the original files : it does not work
So my guess is that the program is patched to tell "it can be run from C:\MIDI without dongle"
So I compared the content of all files in C:\MIDI before and after a run with the dongle, and spotted only one difference in the D10.BIT file
[Screenshots: D10.BIT before and after]
Only 4 bytes change, which do not obviously contain the path, unless it is a "shortcut" to the entry of this folder in the FAT or something similar.
Or there is some additional stuff (file, flag, ...) hidden somewhere on the hard disk
Did somebody ever investigate this ?
Last edited by EdOX on Tue Oct 17, 2023 12:52 pm, edited 1 time in total.
—
Falcon 030 - Mega STE - TT
Re: Synthworks without dongle
If you zip your installation folder, can you unzip and run it from the same path on another falcon setup?
Check out the hardware preservation project: https://www.atari-forum.com/viewtopic.php?t=43023
And my old guide thread with various information: http://www.atari-forum.com/viewtopic.php?t=5040
Re: Synthworks without dongle
This is on my todo list (I do not have a second Falcon, but I have a Mega STE)
Unfortunately the Falcon does not have a floppy drive anymore (replaced by a gotek) and the Mega STE still has its floppy.
So moving stuff from one machine to the other is not straightforward.
—
Falcon 030 - Mega STE - TT
Re: Synthworks without dongle
Latest version of synthworks can be found in the last post here.
Seems to be all versions, original, so needs dongle.
In the readmes for these versions:
February 1994
Dear Synthworks User,
This new version of Synthworks is now compatible with...
- Falcon computers with a 68030 processor
- Atari computers running at 16Mhz (only if you use a hard disk).
- Any other Atari running at 8Mhz.
It is not compatible with the Atari TT.
If you have a hard disk and use several programs that have a key protection,
this version will make your life a lot easier than before:
You can now install the program on your hard disk and then forget about
the key for the next times. In other words, once installed on a hard disk,
you can use several Synthworks WITHOUT any key plugged into your computer.
To install Synthworks on your hard disk...
- Make sure power is Off on your computer.
- Insert the key in your computer`s cartridge port. Make sure that you
don`t put the key in upside down.
- Switch on power and copy all files on this floppy disk onto your hard disk.
- If you have a 16Mhz Atari ST(e), set it to 8Mhz/Cache Off mode
BEFORE you run the program for the first time.
- Run Synthworks once WITH the key plugged in.
- After you have quit Synthworks you can set your ST(e) back to 16 Mhz mode
and Synthworks will run fine. (If you have a MIDEX connected to your ST(e)
the Cache must be set to Off).
That`s all, the next time you run Synthworks, you don't need the key
anymore.
You should however keep your key in a safe place!
You will need it, when you change your configuration (eg. if you want to
move Synthworks on your hard disk, when you run a new version, or wish to
install the program on another hard disk. A lost key means a lost
Synthworks program.
If you do not have a hard disk, you will need the key each time you run the
program. Using Synthworks in 16 Mhz mode without a hard disk is also not
possible.
Please keep in mind that the key should never be plugged into the cartridge
port when power on your computer is on.
Have fun using Synthworks!
Steinberg Soft- und Hardware GmbH
Check out the hardware preservation project: https://www.atari-forum.com/viewtopic.php?t=43023
And my old guide thread with various information: http://www.atari-forum.com/viewtopic.php?t=5040
Re: Synthworks without dongle
EdOX wrote: ↑Tue Oct 17, 2023 12:58 pm
This is on my todo list (I do not have a second Falcon, but I have a Mega STE)
Unfortunately the Falcon does not have a floppy drive anymore (replaced by a gotek) and the Mega STE still has its floppy.
So moving stuff from one machine to the other is not straightforward

Well, if you can get it uploaded here, I'm sure we have people more than willing to try it out.
I recently acquired a Roland D110 and need some soft for that.
Check out the hardware preservation project: https://www.atari-forum.com/viewtopic.php?t=43023
And my old guide thread with various information: http://www.atari-forum.com/viewtopic.php?t=5040
Re: Synthworks without dongle
Yes, it would likely be quite easy to make a crack out of this.
Re: Synthworks without dongle
Here it is:
To be sure, I restarted from scratch:
- installing it in C:\MIDI\D10_MT32\ (original, uncracked version)
- run it with the dongle
- rebooted without the dongle and ensured it was working
- copied the D10_MT32 directory to my PC using the gotek, then made the zip
I checked the modified bytes, and they are now changed to B3 24 7B D4 while it was B3 24 77 2C in the version installed in a different folder (from which I took the screenshots of my first message)
—
Falcon 030 - Mega STE - TT
Re: Synthworks without dongle
Thoughts on that archive:
* The four bytes that change are the size of the symbol segment in a .PRG, and the .BIT file is a regular executable. The symbol segment itself is not standardized, but I think the size field cannot be messed with like this.
* D10.PRG mostly just installs MROS and then launches D10.BIT using Pexec.
However. When I naïvely try to run this folder (as the only folder on a Hatari emulated gemdos drive) D10.PRG fails to figure out the name of the included MROS, and tries to launch MROS???? which ... doesn't work. Patching that to MROS3_38 gets me all the way to the launch of D10.BIT, however, that fails with error: -66 EPLFMT Invalid program load format
... and just renaming the .BIT to .PRG and launch from desktop will cause a TOS ERROR #35 which fits.
This might be me not understanding how to "install" the archive, otherwise I'm somewhat confused as to how this can work for you.
Editing the symbol segment size in D10.BIT to zero works fine and I finally get the "No Key | Bye" dialog. I'll continue there later, just thought I'd document this in case someone else wants to take a look.
Re: Synthworks without dongle
"No key" gone. But I'm unable to say anything about how well it works atm. I have an MT32 emu I could hook up but I know absolutely nothing about midi soft ...
edit: I _think_ there's a lot more to the protection and getting the program to launch is not enough. Based on how I guess they tried to re-use the dongle protection routines.
edit2: confirmed. My current hypothesis is that on the first run they generate the correct jump tables for program actions, followed by creating a seed that can recreate them without the dongle. This seed is dependent on some system information (like program path) and is then stored. I cannot understand how it can be stored as the size of the symbol table though. Anyway, on the next boot this seed (together with current system parameters, thus changing program path doesn't work) recreates the jump tables. If those aren't correctly filled in, some/all program actions will just jump to code that exits the program immediately.
There are a few ways to attack this scenario. It's tantalizing to brute force the seed for any current system parameters, I can't imagine the actual search space being the full 4^256. Another way would be to extract correct jump tables from a system with a working dongle and re-create those.
Re: Synthworks without dongle
Well here's a revelation. It looks as if it's the Hatari Gemdos-emulation layer that balks on the humongous symbol size field. Turning that off and running the program from an emulated disk (so that TOS Gemdos is used) seems to work. Let's see then ...
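The header field this thread keeps returning to, as an added example that is not part of the thread or of any poster's tooling: a parser for the 28-byte GEMDOS program header that reports a symbol-table size larger than the file can hold, the kind of consistency check a strict loader can apply. The header layout is the standard GEMDOS one; that a loader rejects on exactly this condition is an assumption, and the sample image is constructed, with only the values B3 24 7B D4 and B3 24 77 2C taken from the posts above.

```python
import struct
from typing import List, NamedTuple

# Standard GEMDOS program header: 28 bytes, big-endian (68000).
HEADER = struct.Struct(">H6IH")
MAGIC = 0x601A             # ph_branch: a 68000 "bra.s" that skips the header
SYMBOL_LEN_OFFSET = 0x0E   # ph_slen: the symbol segment size field


class PrgHeader(NamedTuple):
    magic: int
    text_len: int
    data_len: int
    bss_len: int
    symbol_len: int
    reserved: int
    flags: int
    absflag: int


def parse_header(image: bytes) -> PrgHeader:
    """Decode the header, rejecting files that are not GEMDOS executables."""
    if len(image) < HEADER.size:
        raise ValueError("file is shorter than the 28-byte program header")
    hdr = PrgHeader(*HEADER.unpack_from(image, 0))
    if hdr.magic != MAGIC:
        raise ValueError(f"bad magic 0x{hdr.magic:04X}, expected 0x601A")
    return hdr


def check_layout(image: bytes) -> List[str]:
    """Return findings where the declared segment sizes cannot fit the file."""
    hdr = parse_header(image)
    findings = []
    body = len(image) - HEADER.size          # bytes that follow the header
    segments = hdr.text_len + hdr.data_len   # BSS occupies no space on disk
    if segments > body:
        findings.append(
            f"text+data ({segments} bytes) exceed the file body ({body} bytes)")
    elif hdr.symbol_len > body - segments:
        findings.append(
            f"symbol size 0x{hdr.symbol_len:08X} exceeds the "
            f"{body - segments} bytes left after text+data")
    return findings


def build_sample(symbol_len: int) -> bytes:
    """Constructed image: 16 bytes of text, 8 of data, no symbols on disk."""
    header = HEADER.pack(MAGIC, 16, 8, 0, symbol_len, 0, 0, 0)
    text = b"\x4e\x71" * 8    # 68000 NOPs as filler
    data = bytes(8)
    relocation = bytes(4)     # a zero longword means "no relocations"
    return header + text + data + relocation


if __name__ == "__main__":
    # 0 is a consistent header; the other two values are quoted in the thread.
    for value in (0, 0xB3247BD4, 0xB324772C):
        findings = check_layout(build_sample(value))
        print(f"ph_slen=0x{value:08X}:", findings or "layout consistent")
```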
Re: Synthworks without dongle
Alright, I think I've cracked it fully (needs testing by someone with knowledge and equipment). Tomorrow I'll package something up.
Re: Synthworks without dongle
Hmm, this was interesting.
B3 24 could be dongle identity or something else individual, like hdd serial? The readme says "different hdd".
I wonder if the protection used is similar enough between the different synthworks that installing another version, like D50, in the same folder, changing the D50 .bit file of that with the same values above, generates a working copy.
The last 2 bytes is almost certainly program path.
Check out the hardware preservation project: https://www.atari-forum.com/viewtopic.php?t=43023
And my old guide thread with various information: http://www.atari-forum.com/viewtopic.php?t=5040
Re: Synthworks without dongle
Nice!
Well done Troed!
Check out the hardware preservation project: https://www.atari-forum.com/viewtopic.php?t=43023
And my old guide thread with various information: http://www.atari-forum.com/viewtopic.php?t=5040
Re: Synthworks without dongle
Attached is what might or might not be a fully working Synthworks v1.6 crack. Please test away.
Reason for saying it might be: I can run and click on stuff for ages on a 4MB Mega ST without issues
Reasons for saying it might not be:
- I haven't tested with a MIDI device
- When run in Hatari it doesn't find MROS (but the original doesn't either)
- When run in Hatari it will bus error after a short while
(on the other hand, Hatari has incomplete GEMDOS emulation which would fail to run the original)
Enjoy?
Re: Synthworks without dongle
Hi,
Amazing findings. Good job. Thank you very much! It is worth checking Greenious' suspicions about the 'dongle identity' word. I am curious, haha.
tOri
http://atari.myftp.org ATARI - Power without price and necessary elements
various varieties for Atari and not only - useful or not, but it's worth a look ...
https://reversing.pl/
Re: Synthworks without dongle
I tried, and unfortunately got the "no key, bye" message.
We will need somebody with a D-50 dongle to be able to do what troed did with this version.
Amazing work Troed!
I made some tests today with my Falcon and D-20, and it seems to work fine.
I was able to read data (tone) from the synth, update data in the soft, with real time change on the synth
I did not test all functionalities, but so far it looks good.
Do you think you would be able to do the same work on the D-50 version (without having a "already working from hdd with no dongle" version) ?
Just for reference, all synthworks versions (uncracked 1994 ones, able to run with dongle removed) are available here: https://atari-forum.com/download/file.php?id=50213
- Synthworks 01/W
- Synthworks D-50
- Synthworks D-10/D-20/D-110/MT-32
- Synthworks DX7/TX7
- Synthworks ESQ-1
- Synthworks K1
- Synthworks M1
- Synthworks Wavestation
(link taken from this topic: https://atari-forum.com/viewtopic.php?p ... ip#p448331)
—
Falcon 030 - Mega STE - TT
Atari74user
Re: Synthworks without dongle
Well that's a development, nice work!
There are a few different SynthWorks, for reference and if required, there are more versions than mentioned above collated from various sources (inc. above if I recollect) under Downloads, all original which require a dongle: https://sites.google.com/view/ataritosser/downloads
Direct link: https://drive.google.com/drive/folders/ ... jmM7IFwfwS
AtariTOSser
Medusa Hades 060 512mb, ET4000 / MACH64
Atari Falcon 14mb, 68882, 8gb CF, Steinberg FDI, FA8, GigaFile & CT60e
Atari Jaguar, GD, Skunkboard & Cat Box
Atari 520STFM 4mb, Exxos Booster, TOS switcher, OverScan, UltraSatan, PARCP-USB, Unicorn-USB, ICD Link 2, ADAP, ADAP II, Lynex, ADAS-ST, SoundPool MO4, Steinberg MIDEX, SMPII, Emagic Log 3, C-Lab Unitor 2, Combiner & ExPort...
Re: Synthworks without dongle
If this works fine and the apps are "the same" just with different libraries, then there's no need to have run it once with a dongle. That's actually why I'm hesitant - the crack was a lot easier than I thought it would be.
I've made a preliminary writeup here: https://ioc.exchange/@troed/111266741827130657
/Troed
Re: Synthworks without dongle
Hi,
The topic is developing great! Some more experiments and it will be all clear
Once again thank you all very much - troed, EdOX, Greenious
tOri
http://atari.myftp.org ATARI - Power without price and necessary elements
various varieties for Atari and not only - useful or not, but it's worth a look ...
https://reversing.pl/
Re: Synthworks without dongle
D50 is similar enough that I could write an automatic patcher that would take care of both D10_MT32 and D50 with the exact same patch. I've just run it.
Of course, both of these are from the same developer. There were actually larger differences than I expected in the "launcher" (D50.PRG vs D10.PRG - the actual program is in the .BIT files).
Eero Tamminen
Re: Synthworks without dongle
Well, I did some time ago
Using HDD disk images and emulators (both Steem and Hatari), so far I found that the executable path, TOS version and the number of disks/partitions change the seed stored in the executable. With an original dongle and an emulated HDD on my ST I compared the disk image before and after the executable patches itself and the only difference is what you found (and maybe the executable date/time stamp in FAT, I'm not 100% sure, but this may have an impact).
The only downside of making use of this feature to run the software without dongle is that you cannot run it from a floppy disk.
But this allowed me to run Synthworks (WaveStation in my case) on Steem without cracking the protection, which is exactly what I was looking for
Re: Synthworks without dongle
does this cracked1.6 work for multi unit?
fz1 d110 m1 d50 or is it aimed at a single peripheral ?
The radioactive half-life : )
Atari is a lifestyle,not a hobby.
HOLD ON ! ! ! Im printing unreadable characters ...!
Re: Synthworks without dongle
Not too shabby if I might say so. Will package the successes up shortly.
Code:
$ ls
crack_synthworks.py 'Steinberg SynthWorks'
$ ls Steinberg\ SynthWorks/
01W D10_MT32 D50 DXTX ESQ1_80 FZ1_1.2 K1 M1 README.txt SYTG77_1.21 TX81Z WAVSTN
$ python crack_synthworks.py
Steinberg SynthWorks/SYTG77_1.21/ProgDisk/SY77.DAT/SY77.BIT:
Did not find known exploit sequences. Not patching the program.
Steinberg SynthWorks/K1/K1.DAT/K1_B.BIT:
Sufficient confidence in automatic approach, patching now .... done
Steinberg SynthWorks/D10_MT32/D10.DAT/D10.BIT:
Sufficient confidence in automatic approach, patching now .... done
Steinberg SynthWorks/D50/D50.DAT/D50_B.BIT:
Sufficient confidence in automatic approach, patching now .... done
Steinberg SynthWorks/M1/M1.DAT/M1.BIT:
Sufficient confidence in automatic approach, patching now ... done
Steinberg SynthWorks/DXTX/DX7.DAT/DX7.BIT:
Sufficient confidence in automatic approach, patching now ... done
Steinberg SynthWorks/ESQ1_80/ESQ.DAT/ESQ180_C.BIT:
Did not find known exploit sequences. Not patching the program.
Steinberg SynthWorks/ESQ1_80/ESQ.DAT/ESQ180_B.BIT:
Did not find known exploit sequences. Not patching the program.
Steinberg SynthWorks/WAVSTN/WS.DAT/WS.BIT:
Sufficient confidence in automatic approach, patching now ... done



