Page 1 of 3
Rayman DOS versions - no-CD patches
Posted: Sun Aug 15, 2021 8:39 pm
by dr_st
Not really "modding", and not nearly as impressive as most of the stuff around here, but maybe someone will find it useful nonetheless.
I've spent some time figuring out proper no-CD cracks for all Rayman DOS games - Rayman, Designer, By His Fans and 60 Levels. The goal was to patch the programs so that they can run well without any CD (obviously without music), but also play CD music if a CD is inserted.
They can be useful, for example:
- If you want to play Rayman on a DOS system and your CD drive is broken or you are too lazy to get the disc.
- If you have one of the "bad" releases, like Rayman Gold without the audio tracks, or Rayman Forever with the butchered soundtrack, and you want to be able to play music from a different Rayman version.
- If for some reason you want to listen to a completely different CD while playing Rayman.
The end result (offsets for patching) is described here. A more detailed write-up explaining how I got these offsets (I was using the DOSBox debugger) is here.
Main limitation: For Rayman, I only figured out how to patch US v1.21 so far. My EU v1.12 had some issues running without a disc, even when patched.
Thanks to PluMGMK for some pointers on the extra protection for EU v1.12. That version is also fully cracked now.
Some ideas for future work (other than trying to patch more versions):
- I've only tested in DOSBox. Maybe I will have access to a real DOS machine this weekend and can check that no unexpected issues come up.
- An auto-patcher program may be an interesting project. Personally I just patch all my EXEs manually with a hex editor.
- Probably PluMGMK's awesome Per-level Soundtrack TSR can also allow the game to run with no CD at all (or can be adapted for it).
Re: Rayman DOS versions - no-CD patches
Posted: Sun Aug 15, 2021 9:59 pm
by PluMGMK
Nice job!

I love reading about efforts like this!
The reason for the exits with EU v1.12 is that it checks the filesize of the intro.dat and conclu.dat files on the CD when loading Allegro Presto, as an additional sneaky DRM. My TSR gets around this by redirecting those file-opens to the hard drive, but patching the EXE you could probably just bypass those checks altogether.
It's funny actually, that when it exits it still says "Thank you for playing Rayman." Coupled with the very specific nature of the check, and the randomly-chosen place at which it occurs, the whole thing feels like a crossover between Rayman 2's arcane DRM and THEdragon's creepypasta!

Re: Rayman DOS versions - no-CD patches
Posted: Sun Aug 15, 2021 10:06 pm
by Flat Earth Society
Good job! That will certainly be useful to a lot of people.

Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 12:34 am
by ICUP321
Just to let you know, there is actually a DRM-free version of Rayman 1; it's in the SoftKey and SmartSaver US releases and it contains an unprotected v1.12 executable.
Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 7:34 am
by dr_st
PluMGMK wrote: Sun Aug 15, 2021 9:59 pm
The reason for the exits with EU v1.12 is that it checks the filesize of the intro.dat and conclu.dat files on the CD when loading Allegro Presto, as an additional sneaky DRM. My TSR gets around this by redirecting those file-opens to the hard drive, but patching the EXE you could probably just bypass those checks altogether.
Oh, nice! It happens not just in Allegro Presto, but various other levels as well. I remember cave levels 7 (in Eat at Joes) and 9 (first level of Skops' Stalactites), for example.
I did notice in the DOSBox debugger file open calls to G:\INTRO.DAT and G:\CONCLU.DAT, so I suspected it was related. But somehow I felt it crashed out before I saw these prints from the debugger, so it confused me. I think now these prints may come out with a slight delay. Or perhaps I was intermittently dealing with a different problem (hard CPU lock in case there is no CD drive), which I later solved in 1.21.
Anyways, you are right, I should be able to locate the exact calls to these checks and simply patch them out. So, I'll definitely be looking into it some more.
ICUP321 wrote: Mon Aug 16, 2021 12:34 am
Just to let you know, there is actually a DRM-free version of Rayman 1; it's in the SoftKey and SmartSaver US releases and it contains an unprotected v1.12 executable.
I know, and I have it as well. It is mentioned in the longer write-up.
There is still one advantage to using my patches, though. They don't lock up during startup if you run them with an empty CD drive, whereas the DRM-free version does (and all other versions, as far as I could test, at least in DOSBox). There is some sort of infinite loop that happens there, and somehow the patches skip over it.
Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 9:56 am
by PluMGMK
Those DRM-free versions lack parallax backgrounds though, don't they?

Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 11:31 am
by dr_st
PluMGMK wrote: Mon Aug 16, 2021 9:56 am
Those DRM-free versions lack parallax backgrounds though, don't they?
Hm, I never paid attention to that. I guess I can check, because I still have EU 1.12 and US 1.12 (unprotected) installed in the same folder on one of my PCs. Where should I look?
BTW, while working on this I noticed a few things that I never paid attention to before:
- Mr. Stone's growl when he shakes the screen and Mr. Dark's laughter - these are usually drowned in the music.
- That the world-specific vignette that is displayed when you enter a level only shows up when you move between worlds. As long as you keep exiting and reentering levels from the same world, it is skipped and you jump from the map screen directly into the level. This behavior is different in the spinoffs where the vignette appears every time you enter a level.
- That if you end a Betilla level with WINMAP cheat before talking to her, you don't get the power.
I also remember things I have previously forgotten - like cheats not working in Candy Chateau, and the fact that the game is saved automatically after you defeat Mr. Dark. It's a good thing I have a 100% completion backup save just before visiting Mr. Dark's Dare, which I keep restoring every time I want to replay it!

Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 7:41 pm
by PluMGMK
dr_st wrote: Mon Aug 16, 2021 11:31 am
PluMGMK wrote: Mon Aug 16, 2021 9:56 am
Those DRM-free versions lack parallax backgrounds though, don't they?
Hm, I never paid attention to that. I guess I can check, because I still have EU 1.12 and US 1.12 (unprotected) installed in the same folder on one of my PCs. Where should I look?
The setting is called "Differential Scrolling" and can be found in the "Graphics Details" submenu of Options as accessed from the main menu (not from the pause menu). It seems to be missing in v1.12 US unprotected…
dr_st wrote: Mon Aug 16, 2021 11:31 am
That the world-specific vignette that is displayed when you enter a level only shows up when you move between worlds. As long as you keep exiting and reentering levels from the same world, it is skipped and you jump from the map screen directly into the level. This behavior is different in the spinoffs where the vignette appears every time you enter a level.
Yep, the vignette comes up when it's loading the world data, as opposed to the level data, and it keeps the former in memory until you visit a new world. It makes sense in the original game, where chances are many levels from the same world will be played in sequence, but not so much in spin-offs!
Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 10:18 pm
by ICUP321
PluMGMK wrote: Mon Aug 16, 2021 9:56 am
Those DRM-free versions lack parallax backgrounds though, don't they?
No, I think it hides the differential scrolling option depending on the video card you have. For example, if you have "machine=svga_s3" in the DOSBox configuration file, the option should show up I think.
Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 10:33 pm
by PluMGMK
Ah, very interesting! I've only tried that one on qemu (with Cirrus) and real hardware (with Radeon 5500 XT) lately, so I guess it just didn't recognize the video cards!

Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 16, 2021 10:46 pm
by dr_st
I just checked and the "Differential Scrolling" option is present if the video mode is set to PCI1 (fast graphics). PCI2 and VESA modes do not show it. It seems consistent across all versions I tried (EU 1.12, US 1.12, US 1.21).
Oh, and I succeeded in cracking the extra protection in EU 1.12. In the end it was just one function call that should be skipped.

I am too tired to update the write-up now, will do it tomorrow (or should I say today, cause it's past midnight here).
Turns out it is called on every level 7 and up, in every world after the Dream Forest. What a weird form of 'protection'. But I guess it pales compared to what they did in Rayman 2.
BTW, the same function call is present in the US 1.21 version, but the function it calls is empty (the 'call' instruction jumps straight to 'ret'). So it was clearly a deliberate decision to take it out.
EDIT: The summary page has been updated with entries for Rayman EU v1.12 and Rayman FR v1.21 (from Rayman Collector CD). The latter is just like US v1.21 with all offsets moved forward by 0x20. I expect to update the longer write-up with info on the process of searching for the EU 1.12 crack some time later.
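The post above mentions patching every EXE by hand in a hex editor, an auto-patcher as possible future work, and the FR v1.21 offsets being the US v1.21 offsets moved forward by 0x20. The following is an added example written for this page, not the author's tool and not from the write-up: an offset-table patcher that verifies the bytes it expects at each offset before writing anything, can undo its own table, and can search for a constant shift that makes a table fit a sibling build. The offsets and byte strings in DEMO_TABLE are made up for illustration and are not Rayman patch offsets; the image it patches is constructed in the code.

```python
# Added example: offset-table patcher with pre-verification (not the author's
# tool; DEMO_TABLE offsets and bytes are invented for illustration).
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Patch:
    """One byte-level edit: `expect` must be present at `offset` before
    `replace` (same length) is written over it."""
    offset: int
    expect: bytes
    replace: bytes

    def __post_init__(self):
        if len(self.expect) != len(self.replace):
            raise ValueError("expect and replace must have the same length")


class PatchError(Exception):
    pass


def verify_patches(image: bytes, patches: Iterable[Patch], shift: int = 0) -> None:
    """Raise PatchError unless every entry's expected bytes sit at offset + shift.
    Checking the whole table before writing means applying the wrong table to
    the wrong build leaves the file untouched instead of half-corrupted."""
    for p in patches:
        off = p.offset + shift
        if off < 0 or off + len(p.expect) > len(image):
            raise PatchError(f"patch at {off:#x} lies outside the image")
        actual = bytes(image[off:off + len(p.expect)])
        if actual != p.expect:
            raise PatchError(
                f"at {off:#x}: expected {p.expect.hex()}, found {actual.hex()}")


def apply_patches(image: bytes, patches: Iterable[Patch], shift: int = 0) -> bytearray:
    """Return a patched copy of `image`; the input is never modified."""
    patches = list(patches)
    verify_patches(image, patches, shift)
    out = bytearray(image)
    for p in patches:
        off = p.offset + shift
        out[off:off + len(p.replace)] = p.replace
    return out


def revert_patches(image: bytes, patches: Iterable[Patch], shift: int = 0) -> bytearray:
    """Undo a table by swapping expect/replace; verifies the patched bytes first."""
    inverse = [Patch(p.offset, p.replace, p.expect) for p in patches]
    return apply_patches(image, inverse, shift)


def find_shift(image: bytes, patches: Iterable[Patch],
               candidates: Iterable[int] = range(-0x200, 0x201)) -> Optional[int]:
    """Look for a constant shift under which the whole table matches, the way
    FR v1.21 is described as US v1.21 with every offset moved by 0x20.
    Returns the first matching shift, or None."""
    patches = list(patches)
    for s in candidates:
        try:
            verify_patches(image, patches, s)
            return s
        except PatchError:
            continue
    return None


# --- constructed demo data: NOT real Rayman offsets ------------------------
NOP5 = b"\x90" * 5
DEMO_TABLE = [
    Patch(0x1000, bytes.fromhex("E810000000"), NOP5),            # call -> 5 x nop
    Patch(0x2000, bytes.fromhex("7405"), bytes.fromhex("EB05")),  # je -> jmp short
]


def build_demo_image(shift: int = 0) -> bytes:
    """16 KiB of INT3 filler with the table's expected bytes at offset + shift."""
    img = bytearray(b"\xCC" * 0x4000)
    for p in DEMO_TABLE:
        img[p.offset + shift:p.offset + shift + len(p.expect)] = p.expect
    return bytes(img)


if __name__ == "__main__":
    base = build_demo_image()
    patched = apply_patches(base, DEMO_TABLE)
    assert revert_patches(patched, DEMO_TABLE) == base
    sibling = build_demo_image(shift=0x20)          # a "moved by 0x20" build
    print("shift for sibling build:", hex(find_shift(sibling, DEMO_TABLE)))
    try:
        apply_patches(sibling, DEMO_TABLE)          # wrong build: refused
    except PatchError as e:
        print("refused:", e)
```

The verify-then-write order is the important part: a table for one build applied to another fails loudly on the first mismatched byte rather than silently writing NOPs into the wrong routine.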
Re: Rayman DOS versions - no-CD patches
Posted: Thu Aug 19, 2021 10:18 pm
by dr_st
Bumping this to report the additional findings so far.
The write-up has been updated with details about the EU v1.12 cracking. I almost forgot to mention the weird bug that corrupts the program when performing PMODE/W decompression. Very strange, and has only happened in this version. Fortunately, it was also a single instruction fix.
BTW, is it normal that when INTRO.DAT is on the hard drive, then it plays every time you load a game, and not just when you start a new one? I have experienced this behavior for as long as I remember, but it always seemed like a bug to me...
Two more peculiarities, specific to v1.21:
- After beating Mr. Dark, every time you re-enter any level, you get greeted with the Atari Jaguar intro image, displaying the level number (relative to the world) of that level. For example, Allegro Presto will display "Level 7", Mr. Skops Stalactites - "Level 9" and Mr. Dark's Dare - "Level 1". Then the game proceeds as always. See attached image. Is this documented anywhere?
- US v1.21 cannot work if the INTRO.DAT video is installed on the hard drive - loading or starting a game HARD-CRASHES DOSBOX. Need to see what happens on real DOS, of course, but comparing the relevant code between US v1.21 and FR v1.21 (which does work with videos) shows what looks like a corrupt assembly routine. No idea how it got there. It is not a decompression artifact - the original EXE also crashes.
Re: Rayman DOS versions - no-CD patches
Posted: Thu Aug 19, 2021 11:40 pm
by PluMGMK
Yeah, the intro always plays when you start a game if it's present. It seems weird to me too, but I think PS1 and Saturn do something similar (showing it when you start up the game) so it's probably an intentional design choice…
I've never noticed that Jaguar-style vignette!

I don't think it's documented anywhere, but I could be wrong…
Re: Rayman DOS versions - no-CD patches
Posted: Fri Aug 20, 2021 6:31 pm
by Hunchman801
Neither have I, could it be an oversight? It sounds quite confusing for the player to have those seemingly random numbers displayed.
Re: Rayman DOS versions - no-CD patches
Posted: Sat Aug 21, 2021 6:28 pm
by dr_st
Hunchman801 wrote: Fri Aug 20, 2021 6:31 pm
Neither have I, could it be an oversight? It sounds quite confusing for the player to have those seemingly random numbers displayed.
I agree. If you are not aware of any documentation on it, I will probably add it to the wiki at some point (should figure out which page is the most appropriate).
dr_st wrote: Sun Aug 15, 2021 8:39 pm
I've only tested in DOSBox. Maybe I will have access to a real DOS machine this weekend and can check that no unexpected issues come up.
Got a chance to test it in pure DOS over the weekend. Cracks work just as well.
dr_st wrote: Mon Aug 16, 2021 7:34 am
There is still one advantage to using my patches, though. They don't lock up during startup if you run them with an empty CD drive, whereas the DRM-free version does (and all other versions, as far as I could test, at least in DOSBox). There is some sort of infinite loop that happens there, and somehow the patches skip over it.
This indeed turned out to be a DOSBox issue. I couldn't replicate it in pure DOS; it would simply eject the drive instead, asking for the Rayman CD to be inserted. I suppose this function is simply not implemented properly in DOSBox, and the game gets confused.
dr_st wrote: Thu Aug 19, 2021 10:18 pm
US v1.21 cannot work if the INTRO.DAT video is installed on the hard drive - loading or starting a game HARD-CRASHES DOSBOX. Need to see what happens on real DOS, of course, but comparing the relevant code between US v1.21 and FR v1.21 (which does work with videos) shows what looks like a corrupt assembly routine. No idea how it got there. It is not a decompression artifact - the original EXE also crashes.
And this also happens on real hardware. I actually checked it in Windows 98 - it closes the program with "general protection fault". Sure enough, the same failure also happens with the ending movie (if you beat Mr. Dark while having CONCLU.DAT in the game directory).
A bizarre bug to say the least. If I ever figure out how to fix it, it would be worthy of a separate write-up. I guess it wasn't caught back then, because I think US v1.21 was only distributed on Rayman Gold CDs and the like, which never shipped with intro/ending movies.
Re: Rayman DOS versions - no-CD patches
Posted: Sat Aug 21, 2021 6:49 pm
by PluMGMK
I'm gonna have to look into that #GP with the Intro/Conclu files – it sounds intriguing!
And yes, I should've realized that that infinite loop was coming from the attempt to eject the tray. As I recall, the game keeps polling the drive until it reports its status as fully open, or something like that, which I guess never happens in Dosbox…
Re: Rayman DOS versions - no-CD patches
Posted: Sat Aug 21, 2021 7:29 pm
by dr_st
PluMGMK wrote: Sat Aug 21, 2021 6:49 pm
I'm gonna have to look into that #GP with the Intro/Conclu files – it sounds intriguing!
What happens is this. A routine calls an inner routine. The inner routine is identical in both versions (US 1.21 and FR 1.21). The calling routine is different and the one in US 1.21 is corrupt and does not set up the registers properly before the call. Unfortunately, the bad routine is also 15 bytes shorter, so there is no way to simply replace the opcodes to make it do what it has to.
I guess there is always the possibility of finding some unused space in the EXE, jumping there, doing the right stuff, and jumping back. I wonder if there is a more elegant solution, like some redundancy in the longer routine, but it does not sound promising, as essentially you would have to squeeze the logic of 23 bytes into 9.
Bad code:
0860:3855C 51 push ecx
0860:3855D 83EC04 sub esp,0004
0860:38560 89E1 mov ecx,esp
0860:38562 891C24 mov [esp],ebx
0860:38565 E8F0700400 call 000C4380 ($+470f0)
0860:3856A 85C0 test eax,eax
0860:3856C 7405 je 0007D292 ($+5)
0860:3856E B8FAFFFFFF mov eax,FFFFFFFA
0860:38573 83C404 add esp,0004
0860:38576 59 pop ecx
0860:38577 C3 ret
Good code:
0860:3855C 51 push ecx
0860:3855D 56 push esi
0860:3855E 83EC04 sub esp,0004
0860:38561 89C6 mov esi,eax
0860:38563 89D0 mov eax,edx
0860:38565 89DA mov edx,ebx
0860:38567 891C24 mov [esp],ebx
0860:3856A 89E3 mov ebx,esp
0860:3856C 8CD9 mov cx,ds
0860:3856E 53 push ebx
0860:3856F 89C3 mov ebx,eax
0860:38571 89F0 mov eax,esi
0860:38573 E802710400 call 000C6569 ($+47102)
0860:38578 85C0 test eax,eax
0860:3857A 7405 je 0007F469 ($+5)
0860:3857C B8FAFFFFFF mov eax,FFFFFFFA
0860:38581 83C404 add esp,0004
0860:38584 5E pop esi
0860:38585 59 pop ecx
0860:38586 C3 ret
Inner function:
0860:7F67A 68003F0000 push 00003F00
0860:7F67F 1E push ds
0860:7F680 8ED9 mov ds,cx
0860:7F682 89D1 mov ecx,edx
0860:7F684 89DA mov edx,ebx
0860:7F686 89C3 mov ebx,eax
0860:7F688 8B442404 mov eax,[esp+0004]
0860:7F68C CD21 int 21
0860:7F68E 1F pop ds
0860:7F68F 1E push ds
0860:7F690 7206 jc 0007F688 ($+6)
0860:7F692 8B5C240C mov ebx,[esp+000C]
0860:7F696 8903 mov [ebx],eax
0860:7F698 E8A56C0000 call 0008632A ($+6ca5)
0860:7F69D 1F pop ds
0860:7F69E 83C404 add esp,0004
0860:7F6A1 C20400 ret 0004
0860:7F6A4 6800400000 push 00004000
0860:7F6A9 EBD4 jmp short 0007F656 ($-2c)
0860:7F6AB 85C0 test eax,eax
0860:7F6AD 7C0C jl 0007F68E ($+c)
0860:7F6AF 3B05B8EC1900 cmp eax,[0019ECB8]
0860:7F6B5 0F869A6C0000 jbe 00086320 ($+6c9a)
0860:7F6BB B804000000 mov eax,00000004
0860:7F6C0 E8F8600000 call 0008577D ($+60f8)
0860:7F6C5 B8FFFFFFFF mov eax,FFFFFFFF
0860:7F6CA C3 ret
(pay no attention to the absolute offsets shown in the disassembly - they are inaccurate)
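The listings above carry everything needed to check the branch arithmetic by hand: an E8 rel32 call's displacement is relative to the end of the 5-byte instruction, so the good routine's `E8 02 71 04 00` at 0x38573 reaches 0x38573 + 5 + 0x47102 = 0x7F67A, exactly where the inner function listing starts. The following is an added example for this page, not code posted by anyone in the thread: it decodes and re-encodes rel32/rel8 branches, and shows the three patch shapes discussed in the thread: NOP out a call, leave the call but make its target a bare RET (the shape described for US v1.21 in an earlier post), and detour a routine through a code cave and jump back (the "unused space in the EXE" idea). The sample image is constructed: zero-filled, with the good routine's bytes from the listing at 0x3855C and the inner function's first instruction at 0x7F67A; the cave address 0x40000 is an arbitrary choice for the demo, not a known free area in any Rayman EXE.

```python
# Added example: x86 rel32/rel8 branch decoding and the call-skip / RET-stub /
# code-cave patch shapes. Bytes and offsets for the sample image are taken from
# the disassembly listings in the post; the cave address and zero filler are
# constructed for the demo.
import struct

CALL_REL32 = 0xE8
JMP_REL32 = 0xE9
NOP = 0x90
RET = 0xC3


def rel32_target(code: bytes, off: int) -> int:
    """Target of the E8/E9 rel32 instruction at `off`. The displacement is
    relative to the end of the 5-byte instruction (off + 5), which is what the
    disassembler's "$+470f0" annotation abbreviates."""
    if code[off] not in (CALL_REL32, JMP_REL32):
        raise ValueError(f"no rel32 call/jmp at {off:#x}")
    (rel,) = struct.unpack_from("<i", code, off + 1)
    return off + 5 + rel


def rel8_target(code: bytes, off: int) -> int:
    """Target of a 2-byte short branch such as 74 05 (je $+5)."""
    (rel,) = struct.unpack_from("<b", code, off + 1)
    return off + 2 + rel


def encode_rel32(opcode: int, off: int, target: int) -> bytes:
    """Encode a 5-byte call/jmp placed at `off` that reaches `target`."""
    return bytes([opcode]) + struct.pack("<i", target - (off + 5))


def nop_out_call(code: bytearray, off: int) -> None:
    """Skip the callee entirely: 5 x NOP in place of the call."""
    if code[off] != CALL_REL32:
        raise ValueError(f"no call at {off:#x}")
    code[off:off + 5] = bytes([NOP] * 5)


def stub_callee(code: bytearray, off: int) -> None:
    """Keep the call, empty the callee: its first byte becomes RET."""
    code[rel32_target(code, off)] = RET


def calls_empty_function(code: bytes, off: int) -> bool:
    """True when the call at `off` lands directly on a RET."""
    return code[rel32_target(code, off)] == RET


def install_detour(code: bytearray, hook_off: int, cave_off: int, payload: bytes) -> int:
    """Overwrite the 5 bytes at hook_off with a jmp into a code cave, copy
    `payload` there and append a jmp back to hook_off + 5. The hook site's
    first 5 bytes must be whole instructions, and any of them that still
    matter must be re-executed at the start of `payload`. Returns the first
    unused byte after the cave."""
    resume = hook_off + 5
    code[hook_off:resume] = encode_rel32(JMP_REL32, hook_off, cave_off)
    code[cave_off:cave_off + len(payload)] = payload
    back = cave_off + len(payload)
    code[back:back + 5] = encode_rel32(JMP_REL32, back, resume)
    return back + 5


def build_sample_image() -> bytearray:
    """Constructed 512 KiB image: the 'good' routine bytes from the listing at
    0x3855C and the inner function's first instruction at 0x7F67A."""
    good = bytes.fromhex(
        "51 56 83EC04 89C6 89D0 89DA 891C24 89E3 8CD9 53 89C3 89F0 "
        "E802710400 85C0 7405 B8FAFFFFFF 83C404 5E 59 C3")
    img = bytearray(0x80000)
    img[0x3855C:0x3855C + len(good)] = good
    img[0x7F67A:0x7F67F] = bytes.fromhex("68003F0000")   # push 00003F00
    return img


if __name__ == "__main__":
    img = build_sample_image()
    call_off = 0x38573
    print(hex(rel32_target(img, call_off)))      # 0x7f67a: the inner function
    print(hex(rel8_target(img, 0x3857A)))        # 0x38581: skips mov eax,-1
    print(calls_empty_function(img, call_off))   # False in this build
    # Detour the first 5 bytes (push ecx / push esi / sub esp,4 = 5 bytes of
    # whole instructions) through a cave at 0x40000 that re-executes them.
    displaced = bytes(img[0x3855C:0x38561])
    end = install_detour(img, 0x3855C, 0x40000, displaced)
    print(hex(rel32_target(img, 0x3855C)), hex(rel32_target(img, end - 5)))
```

The detour helper is the general form of the "jump to unused space, do the right stuff, jump back" idea: it is only safe when the five overwritten bytes are complete instructions and nothing else branches into the middle of them, which is why the demo hooks the routine's entry, where `push ecx / push esi / sub esp,4` is exactly five bytes.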
Re: Rayman DOS versions - no-CD patches
Posted: Sat Aug 21, 2021 9:52 pm
by PluMGMK
Oh wow, that's pretty screwed up… The inner function is _dos_read from the Watcom C library, which includes a far pointer in its function signature. I have no idea what could have caused the compiler to generate such a malformed call to it (ECX is not set up with a segment, so of course it causes a GP fault), unless the outer routine was indeed hand-coded in assembly and someone just decided to delete a load of lines from the file. Seems unlikely though, since the registers are also different.
Re: Rayman DOS versions - no-CD patches
Posted: Mon Aug 23, 2021 9:38 am
by Hunchman801
dr_st wrote: Sat Aug 21, 2021 6:28 pm
I agree. If you are not aware of any documentation on it, I will probably add it to the wiki at some point (should figure out which page is the most appropriate).
Great idea, I'm not aware of any place where it's mentioned.
Re: Rayman DOS versions - no-CD patches
Posted: Fri Aug 27, 2021 1:31 pm
by RayCarrot
dr_st wrote: Thu Aug 19, 2021 10:18 pm
After beating Mr. Dark, every time you re-enter any level, you get greeted with the Atari Jaguar intro image, displaying the level number (relative to the world) of that level. For example, Allegro Presto will display "Level 7", Mr. Skops Stalactites - "Level 9" and Mr. Dark's Dare - "Level 1". Then the game proceeds as always. See attached image. Is this documented anywhere?
That is the level select the developers used to test the levels in the game. It's available in the code of essentially all versions but is only functional and accessible in the PC version. It's accessed by pressing the tab key, typing "alevel" and then pressing backspace. Not sure why it appeared in this case, but from my understanding the game's code was modified? It won't appear normally without inputting the cheat code.