this is suuuuper interesting as i love ts2 and basically learned how to do some reverse engineering and dll hooking through it! i believe the game might have some more anti-tampering beyond all the cd checks and obfuscation. iirc when the game was new a lot of ppl with cracked copies were reporting not being able to build walls and such, but that was never properly documented.
Also pirates released unofficial patches, for example v1.1 or v1.5 which fixed the above mentioned problems. You can read about it on old Russian forums in old threads that are dedicated to solving problems with the game from the time of its release, FAQ, for example, Playground ru or 3DNews.
I think I’ve seen you on the Classic Offensive Discord, awesome you got into programming through TS2. It’s such an EA move to slip hidden code just to mess with ppl pirating the game.
I know the feeling of spending a lot of time on a project but still not reaching the intended happy end. It can definitely be tough releasing a video covering such a result so I want to thank you for releasing this video anyway.
I think it's great that you decided to share this journey in spite of not having reached the end goal of reversing all aspects of the copy protection measures. There's a lot of very interesting and useful information in this video! Thank you
The devs were serious on protecting the game. This was an amazing effort by you, I can only imagine how many hours you must have spent debugging this. Fantastic work!
You have a great combination of charisma, eloquence and mad skills dude! That was really enjoyable to watch. I miss this era, where you had all sorts of clever obfuscation tricks, oftentimes hand rolled for the specific product. Nowadays those kinds of things seem harder to pull off by a single person in a non-unreasonable amount of time, however skilled they might be and however deep into madness they are willing to descend.
Would love to see you delve deeper and finish this, I've been cooking up Securom recently myself in the name of patching a broken graphics function in a newer game, and let's just say that SecuROM does one hell of a circus act in its pre-denuvo days. EA always cooked up weird stuff, so I'm not surprised at all to see how convoluted this is. Kudos to you!
I rarely leave comments nowadays - but your process was utterly mesmerising, fantastically edited and funny to boot. I hope one day to have this level of capability. Incredible
This game has a pretty huge fanbase and a large number of active players. It's still playable and there are other people attempting to solve these problems. Afaik the game has never been unplayable. I feel zero guilt for downloading patches that fix a game like this after it stops being sold. Unlike every later title from EA it doesn't have any online DRM so it works just fine with a regular crack. Cracks have been freely shared since the game was new. I bought Sims 2 and most of the DLC on CD but it was generally easier and more stable to use a pirate's installer because it saved you having to swap discs 35 times whenever you needed to reinstall.
Nathan, never stop these brilliant videos. I mainly program in Java and JS, so it's just great to see all this low-level C++, reverse engineering, tweaking executables etc. Fascinating seeing how these devs built these executables and then how you get around them.
I have been running the same version of windows since 2015. I have sims3 with all expansions installed (even the katy perry one). I have all Unreal Tournament games installed, all age of empires games, both black and white games, etc. It's like a dream PC and I never want it to die.
This is going to sound stupid, but you might want to back those up somewhere now that the Internet Archive is out of whack for the time being. Some of us would love to play a good old Sim2's game.
Great video, love how quickly yet clinically you fly through the code finding anti ways for everything. Great video format, if you can do other games and legacy software I think you’re onto something big here!
I think you should do a series of videos (maybe a different channel if you want to focus on this style here) of the tools you use and how you set everything up. This has gotten me rather interested in RE but I haven't yet found much for getting started.
This was brilliant, well done! These videos are basically everything I was trying to figure out as a teenager but with 100x the skill I had! Loving these. Your coffee advert was also great 😁
I’ve always wondered how this was done. I’ve only begun to see this sort of stuff near the end of my degree with a class in Malware reverse engineering. It’s interesting that DRM seems to share a lot similarities to malware in terms of the anti-debug and obfuscation present. Very cool to see an actual context demonstrating how, where, and what the output of these tools is used towards a specific purpose. Extremely cool, thank you!
The Sims 2 was notorious for having other DRM checks throughout the game. If I remember correctly, the base game had a DRM check that blocked build mode and saving. Later expansions had things like students coming back from college classes as zombies (that ended up not being issues, because other cracks caught it before release). Getting the game to launch successfully will not be the "final boss" haha. They switched from SafeDisc to SecuROM with later packs.
The Sims 2 Ultimate Collection and The Sims 2 Store Edition supposedly removed SecuROM and replaced it with an Origin DRM, which may actually be easier to patch. The Store Edition had 2 unique builds from Origin acting as different expansion pack numbers, and later "Collection" discs (University Life Collection, Best of Business Collection, and Fun with Pets Collection) included the Store Edition as well but I haven't checked my discs to confirm if they include SecuROM or use the Origin DRM (I would suspect the former).
Just found your Channel today and I love it. I see how hard you work and I bow down I could never do what you do. Just a suggestion I think you could get a bigger sub count by making part 2s.
Gained a subscriber today, with so many channels to keep up with there are only so many channels I want to be subscribed to, and so I base them on how seamlessly they integrate and transition to their sponsorships and this one was great!
Love your channel and love reversing! It's such an amazing puzzle to solve that involves entering the mind of the puzzle creator to be able to finish it :D
Really cool video! I never had the patience to sit and learn how to properly reverse engineer, but you are explaining things clearly enough that I'm able to understand what you are explaining, it's also fun and surprising seeing that maxis/ea code was actually pretty good! A bit disappointed that you ended up buying the game, I'd have loved seeing you accomplish this without that help, still very impressive!
This was so much fun to watch. Would love to see a "dev reaction" from the original game devs around the obfuscation decisions etc. Thanks for the great vid.
what a banger of a video, I really hope you keep going as reverse engineering old school DRM mechanism is something I dream of being able to do - the only reverse engineering I can do is pull apart private REST APIs...
You would have been a menace back in the early 2000s. I really love these videos not only from an engineering and hacking standpoint, but it's really encouraging to see that with enough knowledge and dedication, game preservation is technically accessible to anyone who's willing to put in the time and effort.
For sure the running another process that attaches itself as a debugger was a common tool in the 90s and 2000s PC game developer toolkit. Worked at a couple studios where people mentioned doing that.
Your ability to succinctly relay a lot of information, at a fast pace, is impressive. A lot of this I don't fully understand, but I found it easy to watch the whole video, and kind of keep up with it.
Will say that when they were delisting it they actually upgraded everyone who owned at least the base version of The Sims 2 to the Ultimate Version with all the DLC and did the same thing for anyone who had the game physically and had a CD Key for it (it's how I got The Sims 2 on Origin.). So that was actually pretty cool of EA.
Almost as cool as supporting their games long term and not replacing them with cash grab sequels. There's still some debate about whether Sims 2 or Sims 3 is the best title in the series (it's Sims 2) but literally everybody knows that it's not 4. I get genuinely mad every time they announce another broken DLC for Sims 4 knowing that 1. It will over promise and under deliver 2. It WILL break the existing game functions and 3. People will buy it anyway. The modding community for Sims 2 was delivering more custom content than EA could ever dream of making themselves and they did that for free. EA couldn't stand the idea of people adding to their own games and now you can buy a fake furniture set for your fake house for a fraction of the price of the real thing ... EA sucks.
Hey man, really great video. Not many TH-camrs doing this level of RE. You got this - you have the skills and the insanity factor to see it through. You must be slightly insane to be a good RE/VR person
2:44 whenever seeing something like this, you just have to remember compilers are crazy, and the decompiler could be slightly wrong. It could even be an inlined implementation of a version of memcpy.
Classic AAA game dev - the most insane DRM measures in place which ultimately lead to the game being unplayable when this same insanity stops being supported by the OS
I'm not even a developer(former Infrastructure Engineer, now Support Engineer) and I love this series not because of the technical content itself but, the thinking process that you use to break a bigger problem into smaller ones and the problem solving lessons involving all sorts of scenarios.... Nice vid, as usual :)
this is an insane amount of work. I have sims 2 on my windows 11 laptop and honestly the amount of setups that i had to do to play the game is exhausting but it's so worth it. i don't understand what exactly you're doing but it looks impressive regardless
Hey Nathan, been watching you for a while now and just have to hand it to you. absolutely love your videos, your intuition and teaching! Looking forward to many more videos. Keep up the good work and thank you!
Super knowledgeable video and at the perfect pace where it's not too slow that I'm falling asleep or too fast that I have no clue what's going on. Entertaining & educational, love it. Subbed.
Amazing video! Entertaining to watch, video was understandable and I didn't feel talked down to or like my attention was nefariously trying to be attracted. Love this, really respectable video.
Oh my god. I love your videos as i am a developer myself, but holy hell i think if i tried to even follow your steps in this video, it would take me like a year to get to the point you got to here :D Awesome to see how you can figure out how the protections work and how to manipulate them. I would be so happy if i could generate keys to some old games with my self-made keygen :D Hope you keep doing these types of videos!
I remember those old H20 and AiR releases that said in some cases software performance was increased dramatically when encryption and obscurification was removed. Interesting but kinda sad that they have to build such mechanisms in the first place. It must be a software company’s dream when they only offer a cloud based service.
I don't keep track but I think this was probably in the ball park of 100 hours for the technical content. Plus then script writing, filming, editing and thumbnail design
@@nathanbaggs having put that effort in across many games now, are you able to reuse the tricks and techniques you've learnt to speed up the process? Or is each game so different you feel like it is starting from scratch? Obviously SafeDisc v2 was a completely unknown entity but when you made the only viable choice and wrote a keygen I figured it'd be much easier having done so before.
@@CrAzYpotpie It's true that piracy would still happen between those who aren't up for paying for the product. I more so meant that it gives a way to obtain it without having to proceed to illegal tactics. I know my words weren't exactly precise. It was just meant to be a short way of saying it.
@@harasen_haras5 It's no problem, I apologize for my confusion, I assumed you merely didn't understand. I agree that it would be wise for EA to provide a way to still purchase these games, but they are probably not too invested in having to hire a team to bring it up to date with more modern systems for it to be worth it for them in the end, financially. It also just adds more competition with their latest Sims, which I assure you they have no interest in doing. Long live piracy for keeping the game alive.
there is already an installer tool called sims 2 starter pack which includes all of the fixes for modern hardware and windows which an original install won't have and will likely corrupt very quickly
New to the channel, thought this would just be some guy showing us how to download an existing crack or a dodgy download link. Glad I actually watched - fantastic breakdown of your reverse engineering. Would love a part 2 if you manage to figure out how to defeat the physical disc checks!
This is good content. These skills are on increasing demand when it comes to game preservation as there's ever growing number of old games you can no longer play either due to servers being shut down or because they require some patches to work on modern systems etc.
Before they stopped selling The Sims 2, they gave away the TS2 Ultimate. If you had an active TS2 key (or any of its expansion packs) on your Maxis/EA/Origin account, you could just message customer support and they’d add the full TS2 and expansions to your EA account. You can still download it via the EA app if you have it but it’s pretty buggy (which is solved by lots of mods).
Maybe a no-cd patch like the ones that were available for some games in the past? Wonder if you can reverse those, if they existed, and see what the difference would be in that syscall you mentioned for the disc reader
I don't work on low level stuff so if I wanted to fully understand what's going on I would have to pause every 3 seconds... but that's what's actually awesome about your presentation: you are able to completely narrate what you are doing and don't dismiss any step with some magic handwaving. If I had seen this video 20 years ago it might've driven me more into the cracking scene just for shits n giggles. Your videos are a beautiful amalgam of tutorial and storytelling. Thank you.
This is (almost) getting me back to coding again. Good job, good video! If only EA would put the same amount of effort in the quality of their games...
I hacked DungeonSiege2 by reading through the system functions it used, to get Multiplayer on the right interface working. All I needed was WireShark and ProcessMonitor. Culprit was the system call which returned the fqdn and its ip. But it also looked for a specific environment variable to overwrite the return. That was my solution without real hacking. With a modified hosts file the game works now. Maybe you have the time to debug DS2 Broken World? On many systems the game only runs with like 15fps. On others it runs flawless 100+ fps. Nobody knows the answer. I wasted weeks on this but it is a problem with the .exe. I am not that experienced with a debugger xD. Many thanks for your content. It is really interesting!
just think, if they hadn't spent weeks of developer work adding obfuscation algs and copyright checks many people just bypassed anyway, maybe those engineers could have been building cool stuff instead of installers.
Sims 2 works flawlessly on Mac with the App Store….. until iCloud archive a random core file to the cloud, corrupting the entire game and all your saves. Because the App Store isn’t Steam, there’s no standardized save file backup system.
I've been doing some firmware reversing with Ghidra lately and I just wanted to say how vindicated I feel watching these videos. That moment when you open a subroutine and it's like 500 lines of loop unrolled compiler optimized garbage (or in this case hand obfuscated garbage) 😂🔫 cheers though great video
My guy created a Sims 2 keygen in the year 2024. That’s awesome.
Knowing EA, the same things should be used in other games
Unlike the obfuscation algorithm
Sounds pretty damn easy if you know what you're doing and rooted your way around past devices.
Did he release it to the public?
No stupid intro, no background music, no potates nor salad, just pure meat. You don't see much of content like this nowadays. Appreciated.
Thanks!
@@nathanbaggs I find the yank channels are the worst for that.
Hey wait a minute, what's wrong with potato salad? X)
Most definitely the most impressive show of skill yet. Extremely interesting to see all the anti re techniques used!
Thanks for the kind words (:
Very impressive
Really need more people like Nathan. There are so many games & softwares that otherwise would get lost to time.
@@FR4M3Sharma like tears in the rain.
i love how in the command line you blurred out the beginning of the key and in the activation dialog you blurred out the other side of the key 😂😂
I've been waiting six days for someone to notice that (:
@@nathanbaggs 😘
@@nathanbaggs man i had to do a double take on that the moment i saw it and it made me lol hahaha
Not supposed to share keys 😏
I saw it the first time xD Thanks, could get handy sometime in the future ;)
I cannot stress enough how incredible it is to see what would be a completely impenetrable defence for most people being chipped away piece by piece, with excellent explanations and absolutely no filler or nonsense. Awesome stuff.
Thanks!
the disc check works by verifying various weak encoded sectors exist and then builds a decryption key, but there exist a couple of 4kb backup keys in memory which can be reinjected, these are then used to form the final 32bit TEA decryption key for decrypting the game code. it was common for people to create loaders that hooked the disc check and injected these keys into memory to create a simple bypass
I was hoping someone would come along and fill in the blanks, thanks!
@@nathanbaggs Will you now continue with that new knowledge?
What is weak encoded?
@@test-rj2vl in CD sectors, 8 bits of data are encoded into 14-bit streams, known as EFM, eight-to-fourteen modulation, this is done to space out the physical pits for readability.
a form of copy protection that safedisc uses is to press discs with a certain data pattern in the sectors that causes issues for CD burners to duplicate this exact pattern 100% but have the original sectors read ok.
so trying to read and write these specially crafted sectors gives the drive some issues so they are referred to as weak-sectors :)
there are many other kinds of signatures that other copy protections used but safedisc is known for using this EFM manipulation trick (-: /R.
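As an added illustration of the EFM rule described in the reply above (my own example, not code from the video, from SafeDisc or from any drive firmware), the checker below tests 14-bit words against the "at least 2, at most 10 zeros between consecutive ones" constraint and brute-forces how many of the 16384 patterns satisfy it; the rule alone leaves more than 256 candidates, which is what allows a distinct word per data byte. The real EFM table's choice of words and its merging-bit rules between words are not reproduced here.

```python
"""Eight-to-fourteen modulation (EFM) run-length rule, worked as an example.

Constructed illustration only: the actual EFM lookup table and the merging
bits that sit between 14-bit words are not modelled.
"""

MIN_ZEROS = 2     # at least two 0s between any two 1s (pit spacing)
MAX_ZEROS = 10    # at most ten 0s between any two 1s (clock recovery)
WORD_BITS = 14


def zero_runs_between_ones(word: int, bits: int = WORD_BITS) -> list[int]:
    """Lengths of the zero runs that sit between consecutive 1 bits.

    Leading and trailing zeros are deliberately not counted: at the word
    boundary they are governed by the merging bits, which are out of scope.
    """
    ones = [i for i in range(bits) if (word >> i) & 1]
    return [b - a - 1 for a, b in zip(ones, ones[1:])]


def is_valid_efm_word(word: int, bits: int = WORD_BITS) -> bool:
    """True when the word fits in `bits` bits and every internal zero run is
    within [MIN_ZEROS, MAX_ZEROS]. A word with fewer than two 1 bits has no
    internal run and therefore passes the rule trivially."""
    if word < 0 or word >= (1 << bits):
        return False
    return all(MIN_ZEROS <= run <= MAX_ZEROS
               for run in zero_runs_between_ones(word, bits))


def count_valid_words(bits: int = WORD_BITS) -> int:
    """Brute-force count of the words that satisfy the run-length rule alone."""
    return sum(1 for w in range(1 << bits) if is_valid_efm_word(w, bits))


def as_bits(word: int, bits: int = WORD_BITS) -> str:
    """Render a word MSB-first, the way EFM tables are usually printed."""
    return format(word, f"0{bits}b")


if __name__ == "__main__":
    for w in (0b00100100100100, 0b11000000000000, 0b10000000000001):
        print(as_bits(w), "valid" if is_valid_efm_word(w) else "invalid",
              zero_runs_between_ones(w))
    print("words satisfying the rule:", count_valid_words())
```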
@nathanbaggs Part 2 please
Best game in the series and they bury it like it never existed.
They released it for free with all dlcs when sims 4 released or sth like that. I can download it from the EA launcher
It being so great makes their lovely Sims 4 look pathetic, so they buried it in their golden era graveyard alongside SimCity 4
It’s also been available on the Mac App Store for an entire decade.
@@SpeeDim It was a limited time offer. You can't do that anymore. They only did it at all since they went whole hog on the now dead Origin
now we can have it
issa blessing
Watching you debug at such a low level puts me in a calm meditative state.
I thoroughly enjoy your practical application of decompiling and debugging to old Windows games. It provides for great storytelling. Many thanks.
Thanks!
@@nathanbaggs It gave me stress not calm state haha. Maybe because I actually try to follow him
Funfact: when you have Need for Speed Most Wanted 2005, you can copy the contents of the disc into a folder, then open the ini file and set the demo value to true. That just removes the cdkey question from the installer, because it thinks it's just a demo.
? really?
@@vasopel i mean they said it was a fact. they wouldn't lie about something like that. no one would :)
@@dumaass I asked because I can't find anything about it on the internet. do you know if it is true or not?
@@vasopel nah, I have no idea. OH SHIT actually I have a friend who might have the og disc. I can go check sometime in the near future :D!!
@@dumaass ;-)
I predict that in the future we'll have software archeologists whose sole job is to get old stuff working again. It's crazy how much source code gets lost over time, or how stuff just gets abandoned and you can't use it anymore without some obnoxious requirements (such as having the original 20+ year old CD). Nothing pisses me off more though than companies sitting on source code for ancient games for decades and not doing anything with it because MUH IP.
Agree. I still play Sims 2 nowadays for nostalgic reasons, but with each year the sims 2 community gets increasingly pissed off with EA. The game appears to have tremendous problems on newer systems/OS that render it almost unplayable and no one really knows why. We're at a point now where people are switching to linux just so they can keep playing this game (for some reason none of the problems we see on windows are reproducible on linux). And EA just does nothing about it, probably because they want us to buy Sims 4. No one is even asking them to spend resources on fixing it, after two decades they could just release the code and let the community handle it themselves.
There are cracks for pretty much every game out there. The only real problem are the always-online games, like DarkSpore.
@@evest7829 While I advocate for the release of the sources as well, I think they can't do it. With games as large as this, companies often outsource parts of development to many different companies and the final binary is full of code from different sources which can only be sold under the original contract they issued but isn't solely owned (in source form) by EA. So releasing the source code would violate those contracts and open them up to lawsuits. This has been the problem with most proprietary software since before the beginning of the millennium.
This is somewhat unavoidable as well if you want to release your game for platforms other than PC (like Sims 2 was), for instance No Man's Sky uses a proprietary PSArc format for storing game assets (which is simply an extended ZIP format), but they'd have to redesign large parts of the game to work without it (and probably other stuff as well) if they ever wanted to release it in source form.
So sadly it turns out to be cheaper to fix issues with newer Windows builds than replace large chunks of the original game to release its sources.
@@evest7829 Linux is better than windows 10 and especially 11 for old pc gaming in general because proton is just so damn good.
@@ytivarg5371 wine has the advantage of being able to implement old buggy syscall implementations without having to care about how doing so would damage modern/future windows systems. Early on Microsoft made backwards compatibility a central tenet which is why despite 2000 having greatly improved encryption of the SAM password file, it would fall back on NT's trivially crackable format for inter-compatibility. The thing is their early APIs were often buggy and could be used beyond the documented specs, game devs would take advantage of this for performance reasons but if MS fixed the bugs it'd break software.
Yes you can emulate older windows versions in a VM but the beauty of wine is that it's not an emulator. Not only can they deliberately implement the original buggy functions but they can also improve them, sometimes increasing performance by orders of magnitude. That even extends to program specific fixes that remove some games' horribly inefficient bottlenecks.
Ah, that reminds me of when I was removing the SafeDisc protection from EA's Battle for Middle-Earth 1. There it also starts with creating two temp files, which attach to the main process and start debugging it. In the case of BfME1 there were 4 layers of protection:
1. Nanomites (opcodes replaced with 0xCC that trip the SafeDisc debugger and prompt it to fill them in with the correct opcodes);
2. Scrambled import table (calls to some imports go to one of the two temps, which directs them to their actual intended destinations);
3. Some opcodes are also replaced with arbitrary calls to the debugger, and when such a spot is hit, SafeDisc replaces them with valid opcodes (stolen bytes);
4. The most grinding part is the final layer. The way it works is that an occasional calculation is made not in the game's process but using special data tables in the SafeDisc protector instead (apparently this one is called SDAPI2). This is a more recent one and might be missing on Sims. But even if it is there, apparently in some games (not the case with BfME1 though) SDAPI2's code is left right in the game's exe from the debug handler, so there it's just about getting those tables and patching the exe to use the code.
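A small model of the nanomite layer from the comment above, added here as an illustration and not code from the video, from SafeDisc or from the BfME1 protector. The protector swaps selected opcode bytes for 0xCC (INT 3) and keeps the originals in a table only it can read; when the protected process hits one, the attached SafeDisc debugger catches the breakpoint exception, looks the address up and writes the original byte back. The table layout, the function names and the hand-assembled x86 bytes are constructed for the example. It also shows the two caveats a practitioner runs into: a naive "replace every 0xCC" static pass picks up 0xCC bytes that are data (the immediate in `mov eax, 0xCC` below), and a breakpoint the protector did not plant is exactly what its handler can use to notice an analyst's debugger.

```python
from dataclasses import dataclass, field

INT3 = 0xCC  # one-byte breakpoint opcode; hitting it raises EXCEPTION_BREAKPOINT

# Constructed x86 code image (not from the game). Offset 4 holds a 0xCC that is
# part of the immediate operand of "mov eax, 0xCC", not an instruction boundary.
ORIGINAL = bytes([
    0x55,                          # 0: push ebp
    0x89, 0xE5,                    # 1: mov ebp, esp
    0xB8, 0xCC, 0x00, 0x00, 0x00,  # 3: mov eax, 0xCC   (0xCC data byte at offset 4)
    0x31, 0xC9,                    # 8: xor ecx, ecx
    0xC3,                          # 10: ret
])


@dataclass
class Protected:
    """What ships on disc (image) plus what only the protector's debugger knows (table)."""
    image: bytearray
    table: dict = field(default_factory=dict)   # offset -> original opcode byte (assumed layout)
    events: list = field(default_factory=list)  # log of what the debugger side observed


def protect(code: bytes, offsets) -> Protected:
    """Protector side: replace each chosen opcode byte with INT 3, remember the original."""
    image = bytearray(code)
    table = {}
    for off in offsets:
        if off in table:
            raise ValueError(f"offset {off} listed twice")
        table[off] = image[off]
        image[off] = INT3
    return Protected(image, table)


def on_breakpoint(p: Protected, eip: int) -> str:
    """Debugger side: the protected process faulted on INT 3 at eip.

    A known nanomite is filled in with its original byte (and execution would be
    resumed at eip). An address not in the table is a breakpoint the protector
    never planted, i.e. somebody else is debugging the process.
    """
    original = p.table.get(eip)
    if original is None:
        p.events.append(("foreign_breakpoint", eip))
        return "foreign"
    p.image[eip] = original
    p.events.append(("restored", eip))
    return "restored"


def scan_int3(image) -> list:
    """Naive static approach: every 0xCC byte. Includes data bytes that are not nanomites."""
    return [i for i, b in enumerate(image) if b == INT3]


def unprotect(p: Protected) -> bytes:
    """Cracker side, once the table has been dumped from the protector: rebuild the image
    without having to execute every code path so that each nanomite trips at runtime."""
    out = bytearray(p.image)
    for off, b in p.table.items():
        out[off] = b
    return bytes(out)


if __name__ == "__main__":
    p = protect(ORIGINAL, [0, 3, 10])
    print("shipped image :", p.image.hex())
    print("naive 0xCC scan:", scan_int3(p.image), "(offset 4 is a false positive)")
    print("trip nanomite 0:", on_breakpoint(p, 0))
    print("analyst bp at 8:", on_breakpoint(p, 8))
    print("rebuilt == orig:", unprotect(p) == ORIGINAL)
```

Reading the events list after a run is the protector's view: every `restored` entry is a nanomite doing its job, and a `foreign_breakpoint` entry is the signal a protector can act on. Conversely, the cracker's job is either to execute enough code that every table entry gets restored and then dump the process, or to recover the table itself, which is what `unprotect` assumes has already happened.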
Correct me if I'm wrong, but aren't 1 and 3 the same thing?
0xCC is the byte value of the instruction INT 3, which is what's used to break into the debugger. The debugger responds to the interrupt by providing the correct opcode to execute.
I remember playing BfME on multiplayer and the game deciding after a few minutes to lose the whole game. Is the last part the reason for it?
Interesting insight thanks! I definitely saw the first layer you mentioned during this (although I didn’t know they were called nanomites)
@@Acorn_Anomaly, not exactly: in 3, bytes are replaced not with 0xCC but with jumps and calls to the protector, that is, triggering there does not go through the debugger mechanism. In fact, I think, 3 was introduced somewhat before 1.
@@damianabregba7476, ah yes, the mass suicide! That's a little trick from inside the game itself. That little 200kb file lotrbfme.exe you start the game with does effectively 2 things:
1. It calls the actual (packed) binary kept in game.dat;
2. It creates a mutex with a particular Id, and the game itself later tries to do the same - if it succeeds, that indicates that the mutex hasn't been created and the protection is hacked or absent. This is recorded, and then in the game the suicide timer is set.
This is suuuuper interesting as I love TS2 and basically learned how to do some reverse engineering and DLL hooking through it!
I believe the game might have some more anti-tampering beyond all the CD checks and obfuscation. IIRC when the game was new a lot of people with cracked copies were reporting not being able to build walls and such, but that was never properly documented.
Also pirates released unofficial patches, for example v1.1 or v1.5 which fixed the above mentioned problems. You can read about it on old Russian forums in old threads that are dedicated to solving problems with the game from the time of its release, FAQ, for example, Playground ru or 3DNews.
I knew I'd be seeing you in the comment section of this video xD
I think I’ve seen you on the Classic Offensive Discord, awesome you got into programming through TS2
It’s such an EA move to slip hidden code just to mess with ppl pirating the game.
I don’t know 80% of what you are doing but I like the logical approach you take to solve the issue.
I know the feeling of spending a lot of time on a project but still not reaching the intended happy end. It can definitely be tough releasing a video covering such a result so I want to thank you for releasing this video anyway.
Thanks for the kind words. It’s tough not being able to finish something but I hope my videos are more about the journey than the destination
I think it's great that you decided to share this journey in spite of not having reached the end goal of reversing all aspects of the copy protection measures.
There's a lot of very interesting and useful information in this video!
Thank you
The devs were serious on protecting the game. This was an amazing effort by you, I can only imagine how many hours you must have spent debugging this. Fantastic work!
You have a great combination of charisma, eloquence and mad skills dude! That was really enjoyable to watch
I miss this era, where you had all sorts of clever obfuscation tricks, oftentimes hand rolled for the specific product. Nowaday those kind of things seem harder to pull off by a single person in a non-unreasonable amount of time, however skilled they might be and however deep into madness they are willing to descend
Would love to see you delve deeper and finish this, I've been cooking up SecuROM recently myself in the name of patching a broken graphics function in a newer game, and let's just say that SecuROM does one hell of a circus act in its pre-Denuvo days.
EA always cooked up weird stuff, so I'm not surprised at all to see how convoluted this is. Kudos to you!
2 minutes in. Nate picks option 4! I was hoping for a keygen, and you deliver! You are doing a great job with your videos brother!!!
4:40 I love how he tried to censor the key but ended up censoring the two different parts individually so you can see the full key anyway
I rarely leave comments nowadays - but your process was utterly mesmerising, fantastically edited and funny to boot. I hope one day to have this level of capability. Incredible
Ha! An EA game.. i knew it because of the temporary binary file. 🤪
Wait so you lost? Noooo finish this. I want to see victory royal.
I don't think I've ever seen him finish a project in these vids. It's odd.
This game has a pretty huge fanbase and a large number of active players. It's still playable and there are other people attempting to solve these problems.
Afaik the game has never been unplayable. I feel zero guilt for downloading patches that fix a game like this after it stops being sold.
Unlike every later title from EA it doesn't have any online DRM so it works just fine with a regular crack. Cracks have been freely shared since the game was new.
I bought Sims 2 and most of the DLC on CD but it was generally easier and more stable to use a pirate's installer because it saved you having to swap discs 35 times whenever you needed to reinstall.
@@SineN0mine3 okay?
I do a bit of assembly debugging at work, but your videos are so next level. Great to see you attack an actual keygen and copy protection. Godlike.
Nathan, never stop these brilliant videos. I mainly program in Java and JS, so it's just great to see all this low-level C++, reverse engineering, tweaking executables etc. Fascinating seeing how these devs built these executables and then how you get around them.
This needs a bangin midi song to go along with it.
It's so nice to see someone breaking through these measurements.
I have been running the same version of windows since 2015. I have sims3 with all expansions installed (even the katy perry one). I have all Unreal Tournament games installed, all age of empires games, both black and white games, etc. It's like a dream PC and I never want it to die.
This is going to sound stupid, but you might want to back those up somewhere now that the Internet Archive is out of whack for the time being. Some of us would love to play a good old Sim2's game.
Great video, love how quickly yet clinically you fly through the code finding anti ways for everything.
Great video format, if you can do other games and legacy software I think you’re onto something big here!
I think you should do a series of videos (maybe a different channel if you want to focus on this style here) of the tools you use and how you set everything up.
This has gotten me rather interested in RE but I haven't yet found much for getting started.
I’ve toyed with the idea of a second channel but I’ll probably do something like this on livestream and cut it up into a video after
This was brilliant, well done!
These videos are basically everything I was trying to figure out as a teenager but with 100x the skill I had! Loving these.
Your coffee advert was also great 😁
That QR code was real slick buddy
I’ve always wondered how this was done. I’ve only begun to see this sort of stuff near the end of my degree with a class in Malware reverse engineering. It’s interesting that DRM seems to share a lot similarities to malware in terms of the anti-debug and obfuscation present. Very cool to see an actual context demonstrating how, where, and what the output of these tools is used towards a specific purpose. Extremely cool, thank you!
incredible work -- I love your levels of deep and reasoning on how you're figuring things out. Really impressive
I got the sims 2 deluxe on dvd in an old laptop ready to fire up. There was never a chance.
The Sims 2 was notorious for having other DRM checks throughout the game. If I remember correctly, the base game had a DRM check that blocked build mode and saving. Later expansions had things like students coming back from college classes as zombies (that ended up not being issues, because other cracks caught it before release). Getting the game to launch successfully will not be the "final boss" haha. They switched from SafeDisc to SecuROM with later packs.
The Sims 2 Ultimate Collection and The Sims 2 Store Edition supposedly removed SecuROM and replaced it with an Origin DRM, which may actually be easier to patch. The Store Edition had 2 unique builds from Origin acting as different expansion pack numbers, and later "Collection" discs (University Life Collection, Best of Business Collection, and Fun with Pets Collection) included the Store Edition as well but I haven't checked my discs to confirm if they include SecuROM or use the Origin DRM (I would suspect the former).
Just found your Channel today and I love it. I see how hard you work and I bow down I could never do what you do. Just a suggestion I think you could get a bigger sub count by making part 2s.
Downloaded this video in case it gets removed by YT. It's very educational.
Gained a subscriber today, with so many channels to keep up with there are only so many channels I want to be subscribed to, and so I base them on how seamlessly they integrate and transition to their sponsorships and this one was great!
Love your channel and love reversing! It's such an amazing puzzle to solve that involves entering the mind of the puzzle creator to be able to finish it :D
Ox and Dunder sounds like some TV show from the 70s.
Really cool video! I never had the patience to sit and learn how to properly reverse engineer, but you are explaining things clearly enough that I'm able to understand what you are explaining, it's also fun and surprising seeing that Maxis/EA code was actually pretty good!
A bit disappointed that you ended up buying the game, I'd have loved seeing you accomplish this without that help, still very impressive!
This was so much fun to watch. Would love to see a "dev reaction" from the original game devs around the obfuscation decisions etc. Thanks for the great vid.
what a banger of a video, I really hope you keep going as reverse engineering old school DRM mechanism is something I dream of being able to do - the only reverse engineering I can do is pull apart private REST APIs...
Thanks for the support
You would have been a menace back in the early 2000s. I really love these videos not only from an engineering and hacking standpoint, but it's really encouraging to see that with enough knowledge and dedication, game preservation is technically accessible to anyone who's willing to put in the time and effort.
For sure the running another process that attaches itself as a debugger was a common tool in the 90s and 2000s PC game developer toolkit. Worked at a couple studios where people mentioned doing that.
Interesting, thanks!
Your ability to succinctly relay a lot of information, at a fast pace, is impressive. A lot of this I don't fully understand, but I found it easy to watch the whole video, and kind of keep up with it.
Will say that when they were delisting it they actually upgraded everyone who owned at least the base version of The Sims 2 to the Ultimate Version with all the DLC and did the same thing for anyone who had the game physically and had a CD Key for it (it's how I got The Sims 2 on Origin.). So that was actually pretty cool of EA.
Almost as cool as supporting their games long term and not replacing them with cash grab sequels.
There's still some debate about whether Sims 2 or Sims 3 is the best title in the series (it's Sims 2) but literally everybody knows that it's not 4.
I get genuinely mad every time they announce another broken DLC for Sims 4 knowing that 1. It will over promise and under deliver 2. It WILL break the existing game functions and 3. People will buy it anyway.
The modding community for Sims 2 was delivering more custom content than EA could ever dream of making themselves and they did that for free. EA couldn't stand the idea of people adding to their own games and now you can buy a fake furniture set for your fake house for a fraction of the price of the real thing ... EA sucks.
@@SineN0mine3 bro they literally gave everyone the game. stop being salty you weren't there at the time.
@@polocatfan then they blocked people from buying the game? Not exactly the greatest thing to do
@@everythingiseconomics9742 just pirate it? they clearly don't care lol
Hey man, really great video.
Not many YouTubers doing this level of RE. You got this - you have the skills and the insanity factor to see it through.
You must be slightly insane to be a good RE/VR person
2:44 whenever seeing something like this, you just have to remember compilers are crazy, and the decompiler could be slightly wrong. It could even be an inlined implementation of a version of memcpy.
Some call it pirating, I call it game preservation.
Classic AAA game dev - the most insane DRM measures in place which ultimately leads to the game being unplayable when this same insanity stops being supported by the OS
11:29 did you try saying sudo before trying to insert the disc?
I'm not even a developer(former Infrastructure Engineer, now Support Engineer) and I love this series not because of the technical content itself but, the thinking process that you use to break a bigger problem into smaller ones and the problem solving lessons involving all sorts of scenarios....
Nice vid, as usual :)
I never thought this would have been so interesting. I get why people call them puzzles and cracking them is the fun itself
This is an insane amount of work. I have Sims 2 on my Windows 11 laptop and honestly the amount of setup that I had to do to play the game is exhausting but it's so worth it. I don't understand what exactly you're doing but it looks impressive regardless
For anyone wondering what the music at 15:14 is, it's "First Volley" from the Sims 2 OST
Hey Nathan, been watching you for a while now and just have to hand it to you. Absolutely love your videos, your intuition and teaching! Looking forward to many more videos. Keep up the good work and thank you!
Super knowledgeable video and at the perfect pace where it's not too slow that I'm falling asleep or too fast that I have no clue what's going on.
Entertaining & educational, love it. Subbed.
This is literally the best thing ever - I had no idea there was this much going on under the hood when installing a game (especially one this old)
Amazing video! Entertaining to watch, video was understandable and I didn't feel talked down to or like my attention was nefariously trying to be attracted.
Love this, really respectable video.
Also dang, Sims 2's code is spaghetti as all get out, I know it's meant to be confusing so you don't gen a code- but still lol
I’ve tried to reverse engineer programs before, but never really succeed, you are very talented. I learned a lot from watching this video.
Very nice video this is pretty much how I was reverse engineering a malware sample for college. You present information well I have subscribed.
Oh my god. I love your videos as i am a developer myself, but holy hell i think if i tried to even follow your steps in this video, it would take me like a year to get to the point you got to here :D Awesome to see how you can figure out how the protections work and how to manipulate them. I would be so happy if i could generate keys to some old games with my self-made keygen :D Hope you keep doing these types of videos!
Development time:
game - 10%
obfuscation algorithms - 90%
I remember how hard it was to do a bootleg version of Sims 2 back in 2006. Adding mods was the simplest thing ever.
*EA the next day*: we have put 3 supreme court suits on you, and don't even think of finding a lawyer, we've taken care of them all.
15:20 you forgot to set the kitchen on fire
That’s next video
I had to jump through MASSIVE hoops to run Sims2 on Windows11.
I had to use the computer's admin just to install the discs!
Your attempt is admirable.
This content is pure gold, even though I barely understand anything. You my sir, are what I aspire to become one day. Hats off 🤝
I don't have any idea about the whole process but it's deeply fascinating to me. Great job, Nathan! :)
I remember those old H2O and AiR releases that said in some cases software performance was increased dramatically when encryption and obfuscation was removed. Interesting but kinda sad that they have to build such mechanisms in the first place. It must be a software company's dream when they only offer a cloud based service.
Not the developer's dream, but the accountant's.
How much time do you actually take to understand everything and reverse it successfully? Amazing skill and video!
I don't keep track but I think this was probably in the ball park of 100 hours for the technical content. Plus then script writing, filming, editing and thumbnail design
@@nathanbaggs having put that effort in across many games now, are you able to reuse the tricks and techniques you've learnt to speed up the process? Or is each game so different you feel like it is starting from scratch? Obviously SafeDisc v2 was a completely unknown entity but when you made the only viable choice and wrote a keygen I figured it'd be much easier having done so before.
How to avoid piracy: Actually sell the software to those who are interested in it.
That just limits it.
@@CrAzYpotpie It gives players a legal way of obtaining it
@@harasen_haras5 Yes, which doesn't avoid piracy, it just limits it. If you are still confused, I am not sure how to explain it better. Good luck.
@@CrAzYpotpie It's true that piracy would still happen between those who aren't up for paying for the product. I more so meant that it gives a way to obtain it without having to proceed to illegal tactics. I know my words weren't exactly precise. It was just meant to be a short way of saying it.
@@harasen_haras5 It's no problem, I apologize for my confusion, I assumed you merely didn't understand. I agree that it would be wise for EA to provide a way to still purchase these games, but they are probably not too invested in having to hire a team to bring it up to date with more modern systems for it to be worth it for them in the end, financially. It also just adds more competition with their latest Sims, which I assure you they have no interest in doing.
Long live piracy for keeping the game alive.
Amazing ghidring bro. I miss the 8-bit music somewhere in the background lol. Nice video!
Great video, loved the deep dive 👍
2:02 bro said fun but his face said “f U” to EA!
There is already an installer tool called Sims 2 Starter Pack which includes all of the fixes for modern hardware and Windows which an original install won't have and will likely corrupt very quickly
Very Cool. I recently tried some game hacking and don't understand everything but this was an very exciting and informative watch. :)
New to the channel, thought this would just be some guy showing us how to download an existing crack or a dodgy download link. Glad I actually watched - fantastic breakdown of your reverse engineering. Would love a part 2 if you manage to figure out how to defeat the physical disc checks!
This is good content. These skills are on increasing demand when it comes to game preservation as there's ever growing number of old games you can no longer play either due to servers being shut down or because they require some patches to work on modern systems etc.
Love these videos, thanks for going down the rabbit hole!! I'm sure you'll get it in the end.
Before they stopped selling The Sims 2, they gave away the TS2 Ultimate. If you had an active TS2 key (or any of its expansion packs) on your Maxis/EA/Origin account, you could just message customer support and they’d add the full TS2 and expansions to your EA account.
You can still download it via the EA app if you have it but it’s pretty buggy (which is solved by lots of mods).
Loved this video! Genius as always
dude, your videos are awesome, a real gold mine, you keep things simple and deep at the same time.
Maybe a no-CD patch like the ones that were available for some games in the past? Wonder if you can reverse those, if they existed, and see what the difference would be in that syscall you mentioned for the disc reader
i freaking love your videos, man. And I've learned so much. I'm a fan for life, brother, keep the hits coming!
@Nathan Bagg, just one minute into your video....I hit subscribe....that's very well explained....well done :)
I don't work on low level stuff so if I wanted to fully understand what's going on I would have to pause every 3 seconds... but that's what actually awesome about your presentation: you are able to completely narrate what you are doing and don't dismiss any step with some magic handwaving. If I had seen this video 20 years ago it might've driven me more into the cracking scene just for shits n giggles. Your videos are a beautiful amalgam of tutorial and storytelling. Thank you.
That’s the style I’m going for, glad it comes across!
No wonder people just used "👹 tools" back then to simulate the CD drive and get the game working 😅
So obviously we are going for option 4. Of course we are! You are a legend Nathan!
This is (almost) getting me back to coding again. Good job, good video! If only EA would put the same amount of effort in the quality of their games...
I have no idea what’s going on in this, my coding knowledge is very limited. But, this is very cool! Keep up the good work!
I hacked Dungeon Siege 2 by reading through the system functions it used, to get multiplayer on the right interface working. All I needed was Wireshark and Process Monitor. The culprit was the system call which returned the FQDN and its IP. But it also looked for a specific environment variable to overwrite the return. That was my solution without real hacking. With a modified hosts file the game works now.
Maybe you have the time to debug DS2 Broken World? On many systems the game only runs at like 15 fps. On others it runs flawlessly at 100+ fps. Nobody knows the answer. I wasted weeks on this but it is a problem with the .exe. I am not that experienced with a debugger xD.
Many thanks for your content. It is really interesting!
just think, if they hadn't spent weeks of developer work adding obfuscation algs and copyright checks many people just bypassed anyway, maybe those engineers could have been building cool stuff instead of installers.
Sims 2 works flawlessly on Mac with the App Store... until iCloud archives a random core file to the cloud, corrupting the entire game and all your saves. Because the App Store isn't Steam, there's no standardized save file backup system.
I've been doing some firmware reversing with Ghidra lately and I just wanted to say how vindicated I feel watching these videos. That moment when you open a subroutine and it's like 500 lines of loop unrolled compiler optimized garbage (or in this case hand obfuscated garbage) 😂🔫 cheers though great video
Good luck!
Unsung hero of game preservation. Also love the unexpected inserted humor
Your videos are really helpful and enjoyable even if you are talking about hard "subjects", thank you for your hard work.
I like seeing the process of what it was like to crack a 20 year old game. This is a true nerd channel.