Prince of Persia The Two Thrones is censored???

[RhymeKidder]

That was the very first thing I tried and spent maybe a week on. I personally think it's in there somewhere but they hid it pretty well. Comparing with Warrior Within gave no hard clues. Comparing the exe dumps didn't work out yet and I gave up on that idea for now. I'll need this Starforce experience to attempt a Pac-Man World 2 nocd.

They re-added in decaps for (all?) regions of PS3 POP Trilogy HD release. At least I've heard. PS2 also had gore but I'm not sure if it was regional.

The decaps themselves I don't care as much but I'd like it as a feature you can turn on/off like WW.

[RhymeKidder]

Trying new method: stop program right before it jumps into VM land. Full dump stack + registers + memory. Create program that will re-create entire environment and then debug simulate it without Starforce anti-protection running. This should be fun if it works.

[RhymeKidder]

Idea works to a point. It can bypass crc checks and I can get a full vm trace but they're not the -game- opcodes I want. Then Starforce issues an int1 - enter kernel mode. This screws future work until I find a way to debug this game in a win98 vm, attempt to write my own system driver (which is what Reloaded likely did with their unreleased sf3.sys) or use a ring0 hack exploit that works in xp sp3.

Back to comparing exe files while my head spins.

[myloch]

If you succeed you will be definitely one of my heroes

[RhymeKidder]

After spending time comparing all available exe with new knowledge, recovered about 44/49 stolen functions - most are very simple ptr redirections. Time consuming but likely correct. Other 5 are truly "stolen" and missing sizable portions of code. Since most of exe are very similar immediately outside the stolen area, I'm going to carefully scalpel and inject what is likely the "correct" parts, when I figure out how to do this.

Maybe there's more missing redirections not picked up by disassemblers that will lead to in-game crash. During this time of boredom of scan-documenting-rescan, I came up with a theory how WW censor part works. I think it uses "force physics" for bone structures. A decap generates two force - one for each limb at sever point. Gravity engine then treats both body parts separately based on weight. When blood is off though, it "reattaches" the limbs by giving the same force pressure to both parts. They both then fly through the air in same direction and speed = no noticeable detachment.

If correct, this could be a clue how TT works since it ignores blood toggle. Based on the code path for WW, I'm going to reverse the supposed 4 "force" values and see if the body part changes direction. Game runs a very small memcpy routine when blood is off so this could be a detail I need.

[GigaWatt]

RhymeKidder, check the Attic. ISO from that Trilogy is now there. Unprotected executable from the root folder of DVD is uploaded separately. Waiting for the results of investigation of this edition and that 3CD clones.

[RhymeKidder]

Thank you. Checking them all out right now.
- Gigawatt 3CD clones by MIRROR looks to be same as Shattered's 3CD US MIRROR Starforce upload
- US DVD vs EU DVD? Haven't finished checking files entirely
- US DVD exe = POP3_Final_EMEA.exe -except- they changed 2 bytes. Wonder why .... have to try this out.


I'm thinking there's at least 3 different exe's out in the wild atm:
1) US Starforce = POP3_SF_NA.exe (internal header) - looks like oldest version from code changes
2) EMEA Starforce = POP3_SF_EMEA.exe - newer than US probably
3) EMEA Collector = POP3_Final_EMEA.exe - latest, slightly updated


Have been working on US exe rebuild although there's more stolen funcs (= crashes) than I knew. But it's partly working.

POP TT = Starforce 3.6
Pac-Man World 2 = Starforce 3.4

[RhymeKidder]

I take back the 2-byte change - it's my nodvd fix. They're identical. Pah!

[myloch]

I'm VERY interested in a future Pacman world 2 fixed exe, it's the only pacman PC release that is still not cracked

[RhymeKidder]

Main menu now boots in. Crashes on load game - complicated stolen func. New problem is that US fonts may be different than EU fonts as I'm missing some text. Guess I'll have to brute force the special SFFS encryption key and figure something out.

[RhymeKidder]

Found a way to hook dump SFFS files while game runs. Turns out encrypted files NA = EU. So that's not the problem. This will be useful for PW2.

WIP main menu mouse cursor is very laggy compared to SF-NA, RLD-EU, non-SF-EU. Maybe Ubisoft has their own anti-tamper system on top of Starforce. WW re-analysis hasn't turned up anything useful yet.

[RhymeKidder]

Starforce or Ubisoft use timestamp checks to measure -exactly- how long it should take to execute some part of code. Incorrect answer (too fast for crack) results in menu and tutorial text not being loaded. 1 bug fixed. Laggy mouse cursor = not fixed yet. Drm protection = >>__>>>>>

[RhymeKidder]

9 timer checks removed. Menu now feels normal again. Stolen func1 = not used by NA exe, compared to EU ones = free skip me = may put back in anyway for crash safety. Stolen func2 = had to mentally trace this function to avoid bsod = solved = confident can be repaired. Stolen func3,4 = not done = huge chunks of code removed. Afterwards, game over Starforce. Although I still want to know where the decap code is.

[myloch]

Amazing job dude, until now basically I've never seen starforce cr@cks other than reloaded's
Again, you're doing an amazing job

[RhymeKidder]

non-SF EU DVD edition made it mostly possible to finish everything so "quickly" since I can't break into kernel driver yet. If we're lucky, PMW2 starforce will rely on their older tricks that is easier to follow around without breaking into ring0. Otherwise I can sit and poke it sometimes over a few years.

Fighting For Fun (FFF) cracked Starforce 1.0 but that didn't rely on 3.x kernel VM crap.

Func2 is now in and save games now load (partly depending on location) - I can finish ending stage but not some of the city areas. Also located an extremely annoying watchdog that shuts down the game when you debug it - launcher app wants an alive ping every few seconds. I'm hacking that out so it doesn't bother anyone else.

Going to blackbox analyze func3 now and monitor in/out changes.