The year is 1997: Starship Troopers has just been released with mind blowing special effects and a promptly been torn apart by critics much to the chagrin of Paul Verhooven. It’s also the year the band The Prodigy started releasing their weird 90s electronica.
The 90s was a weird time to be alive anyway this isn’t about pop culture it’s about a little known RTS called Dark Reign. Dark Reign was released to little fan fare and to this day remains relatively obscure. It may have something to do with this being released a few months later.
Opting to play more popular titles at the time Dark Reign would go unknown to me for several years. I’m told (by wikipedia) that it was exceedingly popular in Australia and Germany. If you played it as a kid drop me comment below.
A few weeks ago I cruising the internet and stumbled across the ‘leaked’ source for Dark Reign 2. Dark Reign 2? I vaguely remember that! I wonder if they have the source code for the original? What followed was a bunch of futile efforts to locate old developers and such to attempt to see if it was even remotely possible to get them to dump it on github ala Id Software.
Something that’s also hilarious is the original site is still up!
Giving up and finding a download
My next step was to find some place to download it. Considering it’s age and relative obscurity I assumed that GOG would probably have it buried under 500 pages of obscure bullshit, and they did (with the expansion).
Launching the game with the GOG supplied exes resulted in this:
In addition to this kick in the bollocks their “launcher” also terminated my explorer instance. Did they get the intern to do this? What a dumpster fire.
While like usual the community has picked up the slack and fixed it, it still bugged me to no end that GoG would release something in such a broken state and have the audacity charge 10 USD for their slap dick launcher!
Digging into the code
I suspected their ‘launcher’ was nothing more than some AutoIT exe as process explorer informed me they were launching taskkill.exe to terminate explorer. I was more interested in their ‘patch’ and how they were bypassing this old school copy protection method.
Since it’s external I was 99% sure they were calling WriteProcessMemory to patch the game’s logic however it didn’t seem like they were doing this well as the game would either refuse to run, crash or simply do nothing.
Firing up API Monitor it was easy enough to obtain the memory addresses and the bytes they were writing.:
Taking those addresses and looking into the program’s memory you can see they correspond to the copy protection routine.
Here’s the start with the messagebox:
If you click yes (EAX = 7) the code will jump to this location here:
Without boring you too much basically the game performs two checks which the calls to WriteProcessMemory fix.
The first is call to GetLogicalDrives to get the number of drives available on the system. The next call is to determine the the drive type (the game searches for DRIVE_CDROM). If it fails to find a CDROM at this point it jumps back to the MessageBox.
If it finds a CDROM it then checks the label to see if it matches “Dkreign” for the original game or “Shadowhand” for the expansion. If it matches the game’s execution is allowed to continue and the game runs normally.
Also to note this routine is called while the game is running as well. So if you ever ejected the CD-ROM while the main game executable was running you’d be kicked back out.
Patching it out
While I could have easily written a ‘launcher’ and copy’n’pasted the WPM calls I’d run into the same problem the GoG launcher had (being terrible). I also ran into another issue: the game unpacks itself at run time.
Luckily whenever I run into something like this I tend to do things the lazy way. The program as already given us a suitable entry point with the call to MessageBoxA. All we need to do is get code running in the address space of the game and hook / detour a few choice API calls.
After playing around with a proxy DLLs I had laying around and running into yet more issues I ended up proxying the game’s anet2.dll. The approach is simple: anet2.dll is loaded early enough to patch MessageBoxA without crashing the game, then once the hook it called (as MessageBoxA will block the thread) we can safely apply our other hooks and patch the copy protection.
First we modify the call to GetLogicalDrives and add a ‘fake’ drive A:. Then when GetDriveType is called we check to see if it’s A: drive, if it is we lie and return DRIVE_CDROM. Finally when GetVolumeInformationA is called we check for A: again and return the appropriate label for the device.
Correctly doing this means we’ve bypassed the copy protection in a way that will work 100% of time.
I ran into a strange bug that occurred sometimes on Windows 10 where when launching the Expansion resulted in a blank button appearing on the Single Player Menu. I could have spent more time debugging this but it seemed kind of pointless for a quick no-cd fix for the GoG version.
Clicking on the blank area will still launch the expansion campaign anyway so I didn’t worry about it. If you want to fix this yourself the code is available on Github.
There’s also occasional weirdness with things not loading in correctly (I believe this is due to game unpacking itself at run-time and using relative pointers to decode assets). If you run into issues simply throw the GoG version into the bin and use the community stuff.
Support me on Patreon: