VOGONS


First post, by DivByZero


On my continuing quest to get my full list of classic games working on my 486 retro box, I've prepared another new patch, this time for the original DOS version of "Castle Wolfenstein", circa 1984. I suspect anyone who has actually tried to play this game in the last decade has run straight into this bug. This bug occurs even if you run using an original floppy on the original PC-XT hardware, as long as you are running on DOS 3.X+. This issue has been discussed before, but from what I can see, nobody has correctly identified the cause, or patched the issue:
Castle Wolfenstein on a Pentium 133 (all cache disabled)
https://github.com/86Box/86Box/issues/4947
https://forum.vcfed.org/index.php?threads/can … n-ibm-pc.63608/
https://forum.vcfed.org/index.php?threads/cas … 150-5155.72764/

What's the cause of the issue? Possibly the very first version of OS tamper detection and anti-debugger protection out there in commercial software, at least the earliest I know about. Some not very robust checks were tripping a protection routine under DOS 3.X+, thinking you were trying to "fake" the floppy disk hardware to bypass the copy protection! This would occur even if you were using a genuine disk on original hardware. There were also some aggressive anti-debugger check routines in there. I've prepared a patch in the form of a Python script like my previous patches. This patch DOES NOT remove the actual copy protection, it just removes the faulty tamper and debugger detection, and can be applied on either a "cracked" or unaltered original binary.

Full details on the cause of the issue, and the fix, are as follows from the notes in the patch script:

# This patch modifies CW.EXE from the 1984 DOS release of "Castle Wolfenstein" to stub out the faulty
# OS tamper protection checks, which were part of the original copy protection code for this game. This
# game used quite sophisticated copy protection for 1984, employing polymorphic code to both check for
# pirated copies, and trigger the blocks when this was detected at multiple points in code. While
# "cracked" versions of the game have been circulating for 40 years, there was another hidden issue
# lurking in the code which remained unaddressed, and would cause problems even for original disks on
# original hardware without any cracks being performed.
#
# The authors of Castle Wolfenstein had another layer of independent copy protection checks hidden in
# the code, which didn't verify the actual disk itself, rather it is probably one of, if not the earliest
# example of OS-level anti-tampering protection. The code has a routine, triggered when starting a new
# game, which checks whether the address of the interrupt routine handler 0x13 for low-level floppy disk
# access appears to point directly into the BIOS routines. The original intent is, if the interrupt appears to
# have been redirected to user code, assume the user is trying to bypass the copy protection via a patched
# disk IO routine, to make the game code think it's seeing an original floppy disc when it actually isn't.
# If the routine appears to have been redirected, it'll set a "tamper" flag, and trigger the "You're Caught"
# ending routine. That's deliberate you see, saying "You're Caught" is a personal message to the would-be
# pirate/hacker, saying "we've caught you trying to crack our software"! The problem is, while on DOS
# 1.x/2.x the original PC-XT disk access routines may have gone direct to the BIOS, that was no longer the
# case as of DOS 3.x and up, meaning this tamper protection first broke things for legitimate users back
# in 1985, just a year after launch! This was a case of the programmers getting a little too clever.
#
# It wasn't even just this OS-level anti-tampering protection in the code. It turns out there was yet
# another layer of protection, which is possibly the earliest example of anti-debugger protection. There
# were additional checks, independent of the disk IO redirection check, which were designed to trigger
# if a debugger was detected. First, on program start, there was a check for whether any software breakpoints
# appeared to be active by checking the address of the interrupt routine handler 0x03. If this was detected,
# the tamper protection would be tripped. Additionally, when the game was running, polling was done to
# check if an interrupt handler 0x01 appeared to be hooked for single-stepping. Debugging tools on systems
# later than the PC-XT with the 8086 processor would generally make use of hardware debugging registers
# on the 286+ CPU rather than hooking software interrupts like these, but these anti-debugger checks
# could still in theory cause problems on some DOS releases because of the way they're implemented. If
# any of the software interrupt addresses don't match expected known values, the protection will be
# tripped, and since these addresses are not fixed constants intended to remain unchanged, apart from
# debuggers actually using trace and breakpoint features, different versions of DOS, let alone third
# party clones or variants, may legitimately have different addresses, which would trip these protection
# routines.
#
# This patch removes all identified anti-tamper and anti-debugger protection routines in the executable.
# It does NOT remove the original actual disc copy protection, for that you need to look elsewhere,
# however this patch can be applied to either a cracked or original CW.EXE file. This patch will make the
# game work as intended on all hardware, not the narrow window of PC-XT machines running DOS 2.x or below.
# Note that since this game has no speed clocking and is therefore timing sensitive, we have preserved the
# execution time of the original unpatched code.

Like my other patches, I kept the patch in Python since it's transparent and self-documenting. If someone has a question about this 10 years from now, if I just drop an opaque 16-bit binary, that's going to be a pain. This script on the other hand does everything using a few regex expressions. As a Python script, you won't be able to run this from DOS, but once the files are patched you just need to transfer them onto your DOS machine.

Anyway, that's about it. Let me know if there are any questions or issues.
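To make the fragile heuristic described above concrete, here is an added Python sketch (an illustration written for this thread, not DivByZero's patch script and not code from CW.EXE) that decodes the three vectors the post names from a constructed interrupt vector table image and applies the "must point into ROM BIOS" test. The F000h segment floor and all sample vector values are assumptions chosen to show why a DOS 3.x-style INT 13h hook trips the check while a debugger-free system still passes the INT 01h/03h checks.

```python
import struct

# Interrupt vectors the post says Castle Wolfenstein inspects:
# INT 13h (floppy/disk I/O), INT 03h (breakpoint), INT 01h (single-step).
CHECKED_VECTORS = {0x01: "single-step (INT 01h)",
                   0x03: "breakpoint (INT 03h)",
                   0x13: "disk I/O (INT 13h)"}

# Assumption: on an IBM PC/XT the ROM BIOS lives in segment F000h, so a vector
# is treated as "pointing into the BIOS" when its segment is >= F000h.
BIOS_SEGMENT_FLOOR = 0xF000


def read_vector(ivt: bytes, intno: int) -> tuple[int, int]:
    """Return (segment, offset) of interrupt `intno` from a 1 KiB IVT image.
    Each IVT entry is 4 bytes: little-endian offset, then segment."""
    off, seg = struct.unpack_from("<HH", ivt, intno * 4)
    return seg, off


def points_into_bios(seg: int) -> bool:
    return seg >= BIOS_SEGMENT_FLOOR


def tamper_report(ivt: bytes) -> dict[int, bool]:
    """Mirror the heuristic from the post: any checked vector that does not
    point into ROM BIOS is treated as 'redirected'. Returns {intno: tripped}."""
    return {n: not points_into_bios(read_vector(ivt, n)[0]) for n in CHECKED_VECTORS}


def make_ivt(vectors: dict[int, tuple[int, int]]) -> bytes:
    """Build a constructed 256-entry IVT from {intno: (seg, off)}; others zero."""
    table = bytearray(256 * 4)
    for intno, (seg, off) in vectors.items():
        struct.pack_into("<HH", table, intno * 4, off, seg)
    return bytes(table)


# Constructed sample tables (illustrative values, not dumps of real machines).
# "DOS 2.x-style": all three vectors still point into the ROM BIOS segment.
IVT_BIOS_ONLY = make_ivt({0x01: (0xF000, 0xFF53), 0x03: (0xF000, 0xFF53),
                          0x13: (0xF000, 0xEC59)})
# "DOS 3.x-style": INT 13h hooked by the DOS kernel in low RAM, no debugger loaded.
IVT_DOS3 = make_ivt({0x01: (0xF000, 0xFF53), 0x03: (0xF000, 0xFF53),
                     0x13: (0x0070, 0x0B2C)})

if __name__ == "__main__":
    for name, ivt in (("bios-only", IVT_BIOS_ONLY), ("dos3", IVT_DOS3)):
        for intno, tripped in tamper_report(ivt).items():
            print(f"{name}: {CHECKED_VECTORS[intno]} -> {'TRIPPED' if tripped else 'ok'}")
```

The second table trips only the INT 13h check even though no debugger or crack is present, which is exactly the false positive the patch removes.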