Tuesday, August 29, 2023

The Colonel’s Bequest – Case Cracked (2020)

We've solved The Colonel's Bequest but some things still don't add up. The Sleuth-O-Meter was the target of my investigation but I took the Darryl Zero approach and went looking for everything. Along the way, inconsistencies accumulated, but they were immaterial to the case at hand. Subtle behaviors that I was certain I understood seemed to shift. Eventually the elevator broke me. It was never where I'd expect, even after auditing the script several times. Upon discovering two computers with two different elevators I suspended all investigations, dug out the floppy disks, and launched an inquest. Forensics turned up a lone discrepancy: one byte had changed in SCIV.EXE.

SCIV.EXE    Size           Byte 88DF   MD5
Original    76,419 bytes   75          5f4656cc6d2cc6e42cdf82e9b8fae92a
Modified    76,419 bytes   EB          e32501260cca3f6c5d5de7497e23839a

SCIV.EXE is a surprising place to find a one-byte change. The Sierra Creative Interpreter is the program that runs the game but it's not where the game lives. The Colonel's Bequest was written in Sierra's custom scripting language, named Script, and compiled to bytecode. The compiled scripts live with the pictures, sounds, and text in the game files. SCIV.EXE doesn't know anything about murder mysteries or elevators, it just runs whatever game files it wakes up next to, so this one byte seems pretty far from the action. For those of you that made good life choices it can be hard to imagine one errant value having such wide ranging effects. For the rest of us, that EB immediately JMPs out.
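As an added example (not the article's own tooling), here is a small integrity check that classifies a SCIV.EXE image using only the facts in the table above: the expected size, the opcode at offset 0x88DF, and the two known MD5 digests. The function names and the report layout are my own.

```python
import hashlib

# Values from the article: both builds are 76,419 bytes and differ only at file
# offset 0x88DF (Computist's "sector 68, offset 223": 68 * 512 + 223 = 35039).
SCIV_SIZE = 76_419
PATCH_OFFSET = 0x88DF
KNOWN_MD5 = {
    "5f4656cc6d2cc6e42cdf82e9b8fae92a": "original",
    "e32501260cca3f6c5d5de7497e23839a": "one-byte RNG crack",
}
ORIGINAL_OPCODE = 0x75  # jnz: the clock read is skipped only once seeded
PATCHED_OPCODE = 0xEB   # jmp: the clock read is always skipped


def classify_sciv(data: bytes) -> dict:
    """Classify an interpreter image by size, the opcode at 0x88DF and MD5."""
    md5 = hashlib.md5(data).hexdigest()
    report = {
        "size_ok": len(data) == SCIV_SIZE,
        "md5": md5,
        "opcode": data[PATCH_OFFSET] if len(data) > PATCH_OFFSET else None,
        "verdict": "unrecognized build",
    }
    if md5 in KNOWN_MD5:
        report["verdict"] = KNOWN_MD5[md5]
    elif report["size_ok"] and report["opcode"] == PATCHED_OPCODE:
        report["verdict"] = "unrecognized build, but 0x88DF holds the crack's jmp"
    elif report["size_ok"] and report["opcode"] == ORIGINAL_OPCODE:
        report["verdict"] = "unrecognized build, 0x88DF still holds jnz"
    return report


def classify_file(path: str) -> dict:
    """Read a file from disk and classify it."""
    with open(path, "rb") as f:
        return classify_sciv(f.read())


if __name__ == "__main__":
    import sys
    print(classify_file(sys.argv[1] if len(sys.argv) > 1 else "SCIV.EXE"))
```

An MD5 match identifies the two builds documented here; the opcode check still flags the crack in a copy whose other bytes differ, which the article's NeverLock/Locksmith/Patcher variants would.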


  56               push      si
  57               push      di
  55               push      bp
  8b ec            mov       bp, sp
  8b 1e 62 07      mov       bx, word ptr [0762]
  0b db            or        bx, bx
- 75 08            jnz       08  ; skip clock if seeded
+ eb 08            jmp       08  ; skip clock
  b4 2c            mov       ah, 2c
  cd 21            int       21  
  8b da            mov       bx, dx
  eb f4            jmp       -0c
  b8 4d 7c         mov       ax, 7c4d
  f7 e3            mul       bx
  a3 62 07         mov       [0762], ax
  8a c4            mov       al, ah
  8a e2            mov       ah, dl
  5d               pop       bp
  5f               pop       di
  5e               pop       si
  c3               ret

This is the random number generator in SCIV.EXE. It cranks out unpredictable integers by multiplying a global, shifting the results, and returning the run-off. To get the ball rolling it uses the computer's clock. You'd call this a time-seeded pseudo random generator and it's fine for an adventure game but not much else. Our one byte lands us right in the middle of this interesting code. The French have a word for this, and so do we: Suspicious! That one byte changes an instruction to skip using the computer's clock. We have a word for that too: Very Suspicious! Without the clock to mix things up, the first random number will always be zero. And the second. And the third. This random number generator only generates one number! We're now well beyond suspicions and even plausible deniability. This is a crime scene. What we have here is a copy protection crack.

Celie's Fingerprint

The Colonel's Bequest's copy protection is a particularly brutal document check. You have to identify a fingerprint every time you start the game and you only get one try. There are twenty four of these pixely bastards and they're printed on a red sheet that's obscured with a pattern. You can only see them through a paper magnifying glass with a red plastic lens. I can't tell if this was photocopy protection or just an earnest miscalculation in fun. Sierra later switched to regular paper but probably only because it was cheaper. In a final accidental knife twist, or perhaps a sly commentary on the pseudoscience of fingerprinting, they programmed the screen with the wrong random ranges. This classic coding mistake subtly broke the copy protection and not in a good way. There's a one in six hundred and one chance of the right answer being rejected and a one in one thousand chance of no fingerprint appearing at all. I discovered this bug last year and fixed it in ScummVM with a straight face but it was really just supposed to be funny. It was an April Fool's joke but I took the Jimmy James approach and sprung it on the wrong day and month.

What happens when you pair the copy protection script with the mystery byte? Normally, the script picks a random fingerprint by requesting two random numbers from the interpreter. If both happen to be zero then Celie's fingerprint is chosen. Celie's name also happens to be the initial selection. Altering the interpreter to always return zero causes Celie's fingerprint to always be chosen and so all you have to do is press Enter to bypass the copy protection every single time. That's one heck of a byte! It's a clever patch, and I am impressed, but this seems too good to be true. What happens when one of the other 250 scripts asks for a random number?
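The following is an added model, not code from the article or from Sierra, of the random number routine disassembled above, with a switch for the 75 to EB patch. It also models the two draws the copy protection script makes; the kernel's range mapping is not shown on the page, so the "both zero picks Celie" check is a simplification. The `dos_clock_seed` name and the `SciRng` class are my own.

```python
# Model of the SCIV.EXE random number routine (added example, not the original).
MULTIPLIER = 0x7C4D   # mov ax, 7c4d


def dos_clock_seed(seconds: int, hundredths: int) -> int:
    """INT 21h / AH=2Ch returns seconds in DH and hundredths in DL; the
    routine copies DX into BX as the seed."""
    return ((seconds & 0xFF) << 8) | (hundredths & 0xFF)


class SciRng:
    def __init__(self, clock, clock_skipped: bool = False):
        self.state = 0                      # word at [0762], zero at startup
        self.clock = clock                  # callable returning a DX-style seed
        self.clock_skipped = clock_skipped  # True models jnz -> jmp (75 -> EB)

    def next(self) -> int:
        bx = self.state
        if not self.clock_skipped:
            while bx == 0:                  # jnz not taken: read clock, re-test
                bx = self.clock()
        product = MULTIPLIER * bx           # mul bx -> DX:AX
        ax, dx = product & 0xFFFF, product >> 16
        self.state = ax                     # mov [0762], ax
        return ((dx & 0xFF) << 8) | (ax >> 8)   # al = ah, ah = dl


def fingerprint_is_celie(rng: SciRng) -> bool:
    """Simplified model of the copy protection script: two draws, and
    Celie's fingerprint only when both are zero."""
    first, second = rng.next(), rng.next()
    return first == 0 and second == 0


if __name__ == "__main__":
    clock = lambda: dos_clock_seed(0x12, 0x34)   # constructed clock reading
    good, cracked = SciRng(clock), SciRng(clock, clock_skipped=True)
    print([hex(good.next()) for _ in range(4)])     # varies with the seed
    print([hex(cracked.next()) for _ in range(4)])  # always 0x0
    print("Celie every time:", fingerprint_is_celie(SciRng(clock, True)))
```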

This copy protection crack destroys all randomness in the entire game! Game scripts request a random number in nearly 400 places.

Damage Report!

  • Dead bodies are always in the first place you look
  • Items only appear in the west secret passages
  • The elevator always starts out downstairs
  • You're always killed when opening the closet when the killer is active
  • You're always killed at the end of secret passages when the killer is active
  • The botched Red Barron easter egg never occurs
  • The Southern Belle easter egg always occurs
  • You never get carried off by a gator at the front gates
  • You always see the ghost in the cemetery
  • The killer always walks by windows when possible
  • The chandelier never stops shaking, explaining this false ScummVM bug report
  • Everyone blinks, fidgets, and moves with lifeless constancy
  • Literally hundreds of things

Suddenly a lot of pieces fell into place. As my on-again-off-again investigation bounced between machines and emulators so did my results. The sabotage had only compromised one laptop and only when using DOSBox. The other computers were clean and ScummVM was unaffected since it replaces the interpreter. I had been so blind. In retrospect, the signs all pointed to a rogue random number generator.

Who committed this randalism? I rounded up the usual suspects: a gang of old DOS programs known as The Wringer.

The Wringer

These 90s relics are databases of game cracks wrapped in colorful codepage 437, copyright claims, and the occasional absurd request for money. NeverLock, Locksmith, and Patcher handled The Colonel's Bequest and they all patched SCIV.EXE. Long ago I briefly lived the NeverLock Thug Life so that was probably the culprit. Instead, NeverLock and Locksmith injected code to patch the keyboard script to accept any answer, although Locksmith bungled the job and ruined the file. Their keyboard technique worked when pressing Enter but not when clicking a mouse or joystick. Patcher took a different approach and injected code that targeted the exit script. Selecting the wrong fingerprint displayed the Sorry message but the game still continued. All three programs chose the same location to inject their code and it's hard to believe that's a coincidence. This crew may have been ripping off someone, or even each other, but none of them were the saboteur.

If NeverLock & The Lads didn't patch my SCIV.EXE then it must have come with a copy of the game I downloaded. There's no telling when that happened or from where. I'm sure I had a good reason, the alternative would have been to get up and... well I rest my case right there. Now I wanted to know how widespread this was so I took the Michael McDonald approach and Takinged It To The Streets. I would take a grand census of all sites, no matter how sketchy, along with whichever filesharing swamps were still rotting away. When you flatfoot in neighborhoods like these you need to take precautions, so I strapped a virtual machine to my chest and set Google Translate to Soviet. I began methodically shaking down all the CB.ZIPs I could find. The first one coughed up a tampered random number generator. Nooo! I made a note and checked the next, and the next, and the next and the next until there was no point in continuing. The one-byte crack was everywhere. Nooooo!! With increasing dread I turned to the one thing in this world that's still pure and good, The Internet Archive's Software Library, where MS-DOS games run wild and free in the browser. It was there, atop a flaming tower of unholy software abstractions, that I was greeted with Celie's fingerprint. NOOOOOOOOO!!!!

This game was confusing enough when we were just trying to solve the Sleuth-O-Meter. Now it turns out we haven't even been playing the same game! No wonder no one can agree on anything. We can confirm this by using Celie's fingerprint and the chandelier to quickly diagnose any recording in the wild. Nearly half of the Let's Play videos on YouTube are infected with broken randomness, including the first one ever recorded back in 2008. "In this case for some reason it's always Celie."

How long has this been going on? If a group of organized pirates were responsible then they would have left behind a cocky blocky text file with a date, so I consulted a ludicrous database of 2.6 million pirate releases dating back to 1980. There are a lot of Sierra games in there but no Colonel's Bequest. I was out of leads. At this point in a detective story there's nothing left to do but reach for the bottom drawer and run up a bill until it's time to face facts. This has been fun but we're talking about sourcing one byte out of thirty years. There's no paper trail on this stuff and even if there were this isn't True Detective season four. In the real world you don't just solve time crimes by flipping through archives until the answer is spelled out for you.


Computist Issue #83, 1991

Like the man says, better to be lucky than good! The case had broken wide open and I was stunned. "That's it!"? What even is this?? I came along at the tail end of the era where magazines printed source code for computer hobbyists to type in by hand, but what I didn't know is that a much more exciting publication existed that did the same for breaking copy protection. The magazine Computist started its fight in the Apple II wars but as those waned the publisher allowed IBM content and retreated from Tacoma to Eatonville, Washington. Once again I had been so blind. In retrospect, the signs all pointed to Pierce County.

Computist didn't date its issues beyond unreliable copyright years, but between their software reviews and tax troubles I narrowed issue #83 down to early 1991. Issue #85 reprinted the crack soon after. We're now just over a year from when The Colonel's Bequest was released, but we're not done. Computist sent this crack to the presses and mailed it to the ends of the earth but they're not the author. The magazine solicited material from readers who would mail in floppy disks full of text files or upload them to a BBS. Someone submitted this crack somehow, but "Softkey" is Computist's in-house term, so the submission must have been edited for publication. That's okay, this is the future, and this tiny text is still disturbingly plenty to search on.

  THIS IS AN UNPROTECT FOR COLONEL'S BEQUEST FROM SIERRA.
  THIS UNPROTECT WILL CAUSE THE FINGERPRINT TO BE CELIE'S ALL THE
  TIME,SO WHEN IT LIGHT'S UP JUST HIT ENTER!
  USE PCTOOLS OR OTHER PROGRAM AND EDIT SCIV.EXE. GO TO SECTOR 68
  OFFSET 223 AND CHANGE 75 TO EB.
  THAT'S IT!

  -- COLONEL.UNP, January 27 1990

This is the place.

COLONEL.UNP is our man and he's been captured in an archive complete with a timestamp: January 27 1990. The Colonel's Bequest's floppy disks are stamped December 13 1989 so now we're within 45 days of the game being finished. Sabotaged from the start. I can't believe it all traces back to this little text file. It's anonymous of course, it's not like I ever expected to put a real name to the saboteur, but maybe I should have? Now that I knew what to look for I quickly turned up more of these "unprotect" text files, but this time by more onymous authors. COLBEQST.UNP by "The Lonestar" is a lengthy guide to typing 49 bytes and was written on December 23 1989, only 10 days after Sierra compiled the game. CB-UNP by "Super Dave" is another data entry hexercise and appears in an August 4 1990 archive but it's the most ambitious. Dave included his full name, a home address, and an ad for his debugger so that you can crack just like him. $40 plus shipping to South Carolina, Wassup! I followed both instructions to see how they worked. The Lonestar injected code to patch the exit script and Super Dave injected code to patch the keyboard script. These are the exact cracks we just saw in NeverLock, Locksmith, and Patcher from years later, so now we know where those programs got their goods.

We've traced the source of the one-byte crack across three decades along with its contemporaries. If only one of the others had been copied into oblivion instead! They weren't perfect but at least they didn't have global side effects. That correctness lost out to complexity. Typing one byte instead of fifty is a world of difference and brevity got the simpler instructions physically published twice. It's not surprising that that's what was lying around when it came time to zip up the world and dump it on the web. There's a lesson in there, and while it's a stretch to claim it's Worse Is Better, it's also too funny not to.

Here in the future we really can do better. A proper crack would patch the resources instead of the interpreter, always work, and avoid altering any original files. Sierra's interpreter supports this exact feature through patch files. When any SCI game starts, it looks at all the files in its directory, and if any are named after individual resources then they get used instead of the real ones. If it were me, I'd extract script 414 with a tool like SCI Companion, name it SCRIPT.414, and then patch all three instances of 30 08 00 to 30 00 00. That would cause the keyboard, mouse, and joystick handlers to accept any answer, work in all emulators, and even work on the Amiga and Atari ST versions. Drop that file in the game directory and you'd be all set. I mean, you know, it's just a theory.

Southern Belle Easter Egg
This easter egg is only supposed to occur 5% of the time

Case Cracked! This time we really are done with The Colonel's Bequest. We've pulled back the curtain on the Sleuth-O-Meter and put a name to the sabotage that's kept us from playing the same game from the very beginning. I am finally satisfied with the explanations at hand and I hope you are too. It's not quite the mystery the Queen Mum intended, and I don't expect her to approve of this part, but it's the case we've been given. In those regards it's similar to a real case. Clients have their agendas but all you can do is follow the leads, be patient, and above all be lucky. At least, that's been my experience, so if you can pull that off then you too can be a successful intercontinental private detective.



from Hacker News https://ift.tt/BxQy2TG
