Rayman DOS versions - no-CD patches

[dr_st]

Not really "modding", and not nearly as impressive as most of the stuff around here, but maybe someone will find it useful nonetheless.

I've spent some time figuring out proper no-CD cracks for all Rayman DOS games - Rayman, Designer, By His Fans and 60 Levels. The goal was to patch the programs so that they can run well without any CD (obviously without music), but also play CD music if a CD is inserted.

They can be useful, for example:

• If you want to play Rayman on a DOS system and your CD drive is broken or you are too lazy to get the disc.
• If you have one of the "bad" releases, like Rayman Gold without the audio tracks, or Rayman Forever with the butchered soundtrack, and you want to be able to play music from a different Rayman version.
• If for some reason you want to listen to a completely different CD while playing Rayman.

The end result (offsets for patching) is described here. A more detailed write-up explaining how I got these offsets (I was using the DOSBox debugger) is here.

Main limitation: For Rayman, I only figured out how to patch US v1.21 so far. My EU v1.12 had some issues running without a disc, even when patched.

Thanks to PluMGMK for some pointers on the extra protection for EU v1.12. That version is also fully cracked now.

Some ideas for future work (other than trying to patch more versions):

• I've only tested in DOSBox. Maybe I will have access to a real DOS machine this weekend and can check that no unexpected issues come up.
• An auto-patcher program may be an interesting project. Personally I just patch all my EXEs manually with a hex editor.
• Probably PluMGMK's awesome Per-level Soundtrack TSR can also allow the game to run with no CD at all (or can be adapted for it).

[PluMGMK]

Nice job! I love reading about efforts like this!

The reason for the exits with EU v1.12 is that it checks the filesize of the intro.dat and conclu.dat files on the CD when loading Allegro Presto, as an additional sneaky DRM. My TSR gets around this by redirecting those file-opens to the hard drive, but patching the EXE you could probably just bypass those checks altogether.

It's funny actually, that when it exits it still says "Thank you for playing Rayman." Coupled with the very specific nature of the check, and the randomly-chosen place at which it occurs, the whole thing feels like a crossover between Rayman 2's arcane DRM and THEdragon's creepypasta!

[Flat Earth Society]

Good job! That will certainly be useful to a lot of people.

[ICUP321]

Just to let you know, there is actually a DRM-free version of Rayman 1; it's in the SoftKey and SmartSaver US releases and it contains an unprotected v1.12 executable.

[dr_st]

The reason for the exits with EU v1.12 is that it checks the filesize of the intro.dat and conclu.dat files on the CD when loading Allegro Presto, as an additional sneaky DRM. My TSR gets around this by redirecting those file-opens to the hard drive, but patching the EXE you could probably just bypass those checks altogether.

Oh, nice! It happens not just in Allegro Presto, but various other levels as well. I remember cave levels 7 (in Eat at Joes) and 9 (first level of Skops' Stalactites), for example.

I did notice in the DOSBox debugger file open calls to G:\INTRO.DAT and G:\CONCLU.DAT, so I suspected it was related. But somehow I felt it crashed out before I saw these prints from the debugger, so it confused me. I think now these prints may come out with a slight delay. Or perhaps I was intermittently dealing with a different problem (hard CPU lock in case there is no CD drive), which I later solved in 1.21.

Anyways, you are right, I should be able to locate the exact calls to these checks and simply patch them out. So, I'll definitely be looking into it some more.

Just to let you know, there is actually a DRM-free version of Rayman 1; it's in the SoftKey and SmartSaver US releases and it contains an unprotected v1.12 executable.

I know, and I have it as well. It is mentioned in the longer write-up.

There is still one advantage to using my patches, though. They don't lock up during startup if you run them with an empty CD drive, whereas the DRM-free version does (and all other versions, as far as I could test, at least in DOSBOx). There is some sort of infinite loop that happens there, and somehow the patches skip over it.

[PluMGMK]

Those DRM-free versions lack parallax backgrounds though, don't they?

[dr_st]

Those DRM-free versions lack parallax backgrounds though, don't they?

Hm, I never paid attention to that. I guess I can check, because I still have EU 1.12 and US 1.12 (unprotected) installed in the same folder on one of my PCs. Where should I look?

BTW, while working on this I noticed a few things that I never paid attention to before:

• Mr. Stone's growl when he shakes the screen and Mr. Dark's laughter - these are usually drowned in the music.
• That the world-specific vignette that is displayed when you enter a level only shows up when you move between worlds. As long as you keep exiting and reentering levels from the same world, it is skipped and you jump from the map screen directly into the level. This behavior is different in the spinoffs where the vignette appears every time you enter a level.
• That if you end a Betilla level with WINMAP cheat before talking to her, you don't get the power.

I also remember things I have previously forgotten - like cheats not working in Candy Chateau, and the fact that the game is saved automatically after you defeat Mr. Dark. It's a good thing I have a 100% completion backup save just before visiting Mr. Dark's Dare, which I keep restoring every time I want to replay it!

[PluMGMK]

Those DRM-free versions lack parallax backgrounds though, don't they?

Hm, I never paid attention to that. I guess I can check, because I still have EU 1.12 and US 1.12 (unprotected) installed in the same folder on one of my PCs. Where should I look?

The setting is called "Differential Scrolling" and can be found in the "Graphics Details" submenu of Options as accessed from the main menu (not from the pause menu). It seems to be missing in v1.12 US unprotected…

That the world-specific vignette that is displayed when you enter a level only shows up when you move between worlds. As long as you keep exiting and reentering levels from the same world, it is skipped and you jump from the map screen directly into the level. This behavior is different in the spinoffs where the vignette appears every time you enter a level.

Yep, the vignette comes up when it's loading the world data, as opposed to the level data, and it keeps the former in memory until you visit a new world. It makes sense in the original game, where chances are many levels from the same world will be played in sequence, but not so much in spin-offs!

[ICUP321]

Those DRM-free versions lack parallax backgrounds though, don't they?

No, I think it hides the differential scrolling option depending on the video card you have. For example, if you have "machine=svga_s3" in the DOSBox configuration file, the option should show up I think.

[PluMGMK]

Ah, very interesting! I've only tried that one on qemu (with Cirrus) and real hardware (with Radeon 5500 XT ) lately, so I guess it just didn't recognize the video cards!

[dr_st]

I just checked and the "Differential Scrolling" option is present if the video mode is set to PCI1 (fast graphics). PCI2 and VESA modes do not show it. It seems consistent across all versions I tried (EU 1.12, US 1.12, US 1.21).

Oh, and I succeeded in cracking the extra protection in EU 1.12. In the end it was just one function call that should be skipped. I am too tired to update the write-up now, will do it tomorrow (or should I say today, cause it's past midnight here).

Turns out it is called on every level 7 and up, in every world after the Dream Forest. What a weird form of 'protection'. But I guess it pales compared to what they did in Rayman 2.

BTW, the same function call is present in the US 1.21 version, but the function it calls is empty (the 'call' instruction jumps straight to 'ret'). So it was clearly a deliberate decision to take it out.

EDIT: The summary page has been updated with entries for Rayman EU v1.12 and Rayman FR v1.21 (from Rayman Collector CD). The latter is just like US v1.21 with all offsets moved forward by 0x20. I expect to update the longer write-up with info on the process of searching for the EU 1.12 crack some time later.

[dr_st]

Bumping this to report the additional findings so far.

The write-up has been updated with details about the EU v1.12 cracking. I almost forgot to mention the weird bug that corrupts the program when performing PMODE/W decompression. Very strange, and has only happened in this version. Fortunately, it was also a single instruction fix.

BTW, is it normal that when INTRO.DAT is on the hard drive, then it plays every time you load a game, and not just when you start a new one? I have experienced this behavior for as long as I remember, but it always seemed like a bug to me...

Two more peculiarities, specific to v1.21:

• After beating Mr. Dark, every time you re-enter any level, you get greeted with the Atari Jaguar intro image, displaying the level number (relative to the world) of that level. For example, Allegro Presto will display "Level 7", Mr. Skops Stalactites - "Level 9" and Mr. Dark's Dare - "Level 1". Then the game proceeds as always. See attached image. Is this documented anywhere?
• US v1.21 cannot work if the INTRO.DAT video is installed on the hard drive - loading or starting a game HARD-CRASHES DOSBOX. Need to see what happens on real DOS, of course, but comparing the relevant code between US v1.21 and FR v1.21 (which does work with videos) shows what looks like a corrupt assembly routine. No idea how it got there. It is not a decompression artifact - the original EXE also crashes.

[PluMGMK]

Yeah, the intro always plays when you start a game if it's present. It seems weird to me too, but I think PS1 and Saturn do something similar (showing it when you start up the game) so it's probably an intentional design choice…

I've never noticed that Jaguar-style vignette! I don't think it's documented anywhere, but I could be wrong…

[Hunchman801]

Neither have I, could it be an oversight? It sounds quite confusing for the player to have those seemingly random numbers displayed.

[dr_st]

Neither have I, could it be an oversight? It sounds quite confusing for the player to have those seemingly random numbers displayed.

I agree. If you are not aware of any documentation on it, I will probably add it to the wiki at some point (should figure out which page is the most appropriate).

I've only tested in DOSBox. Maybe I will have access to a real DOS machine this weekend and can check that no unexpected issues come up.

Got a chance to test it in pure DOS over the weekend. Cracks work just as well.

There is still one advantage to using my patches, though. They don't lock up during startup if you run them with an empty CD drive, whereas the DRM-free version does (and all other versions, as far as I could test, at least in DOSBOx). There is some sort of infinite loop that happens there, and somehow the patches skip over it.

This indeed turned out to be a DOSBox issue. I couldn't replicate it in pure DOS; it would simply eject the drive instead asking for the Rayman CD to be inserted. I suppose this function is simply not implemented properly in DOSBox, and the game gets confused.

US v1.21 cannot work if the INTRO.DAT video is installed on the hard drive - loading or starting a game HARD-CRASHES DOSBOX. Need to see what happens on real DOS, of course, but comparing the relevant code between US v1.21 and FR v1.21 (which does work with videos) shows what looks like a corrupt assembly routine. No idea how it got there. It is not a decompression artifact - the original EXE also crashes.

And this also happens on real hardware. I actually checked it in Windows 98 - it closes the program with "general protection fault". Sure enough, the same failure also happens with the ending movie (if you beat Mr. Dark while having CONCLU.DAT in the game directory).

A bizarre bug to say the least. If I ever figure out how to fix it, it would be worthy a separate write-up. I guess it wasn't caught back then, because I think US v1.21 was only distributed on Rayman Gold CDs and the like, which never shipped with intro/ending movies.

[PluMGMK]

I'm gonna have to look into that #GP with the Intro/Conclu files – it sounds intriguing!

And yes, I should've realized that that infinite loop was coming from the attempt to eject the tray. As I recall, the game keeps polling the drive until it reports its status as fully open, or something like that, which I guess never happens in Dosbox…

[dr_st]

I'm gonna have to look into that #GP with the Intro/Conclu files – it sounds intriguing!

What happens is this. A routine calls an inner routine. The inner routine is identical in both versions (US 1.21 and FR 1.21). The calling routine is different and the one in US 1.21 is corrupt and does not set up the registers properly before the call. Unfortunately, the bad routine is also 15 bytes shorter, so there is no way to simply replace the opcodes to make it do what it has to.

I guess there is always the possibility of finding some unused space in the EXE, jumping there, doing the right stuff, and jumping back. I wonder if there is a more elegant solution, like some redundancy in the longer routine, but it does not sound promising, as essentially you would have to squeeze the logic of 23 bytes into 9.

Bad code:

Code: Select all

0860:3855C  51                 push ecx
0860:3855D  83EC04             sub  esp,0004
0860:38560  89E1               mov  ecx,esp
0860:38562  891C24             mov  [esp],ebx
0860:38565  E8F0700400         call 000C4380 ($+470f0)
0860:3856A  85C0               test eax,eax
0860:3856C  7405               je   0007D292 ($+5)
0860:3856E  B8FAFFFFFF         mov  eax,FFFFFFFA
0860:38573  83C404             add  esp,0004
0860:38576  59                 pop  ecx
0860:38577  C3                 ret

Good code:

Code: Select all

0860:3855C  51                 push ecx
0860:3855D  56                 push esi
0860:3855E  83EC04             sub  esp,0004
0860:38561  89C6               mov  esi,eax
0860:38563  89D0               mov  eax,edx
0860:38565  89DA               mov  edx,ebx
0860:38567  891C24             mov  [esp],ebx
0860:3856A  89E3               mov  ebx,esp
0860:3856C  8CD9               mov  cx,ds
0860:3856E  53                 push ebx
0860:3856F  89C3               mov  ebx,eax
0860:38571  89F0               mov  eax,esi
0860:38573  E802710400         call 000C6569 ($+47102)
0860:38578  85C0               test eax,eax
0860:3857A  7405               je   0007F469 ($+5)
0860:3857C  B8FAFFFFFF         mov  eax,FFFFFFFA
0860:38581  83C404             add  esp,0004
0860:38584  5E                 pop  esi
0860:38585  59                 pop  ecx
0860:38586  C3                 ret

Inner function:

Code: Select all

0860:7F67A  68003F0000         push 00003F00
0860:7F67F  1E                 push ds
0860:7F680  8ED9               mov  ds,cx
0860:7F682  89D1               mov  ecx,edx
0860:7F684  89DA               mov  edx,ebx
0860:7F686  89C3               mov  ebx,eax
0860:7F688  8B442404           mov  eax,[esp+0004]
0860:7F68C  CD21               int  21
0860:7F68E  1F                 pop  ds
0860:7F68F  1E                 push ds
0860:7F690  7206               jc   0007F688 ($+6)
0860:7F692  8B5C240C           mov  ebx,[esp+000C]
0860:7F696  8903               mov  [ebx],eax
0860:7F698  E8A56C0000         call 0008632A ($+6ca5)
0860:7F69D  1F                 pop  ds
0860:7F69E  83C404             add  esp,0004
0860:7F6A1  C20400             ret  0004
0860:7F6A4  6800400000         push 00004000
0860:7F6A9  EBD4               jmp  short 0007F656 ($-2c)
0860:7F6AB  85C0               test eax,eax
0860:7F6AD  7C0C               jl   0007F68E ($+c)
0860:7F6AF  3B05B8EC1900       cmp  eax,[0019ECB8]
0860:7F6B5  0F869A6C0000       jbe  00086320 ($+6c9a)
0860:7F6BB  B804000000         mov  eax,00000004
0860:7F6C0  E8F8600000         call 0008577D ($+60f8)
0860:7F6C5  B8FFFFFFFF         mov  eax,FFFFFFFF
0860:7F6CA  C3                 ret

(pay no attention to the absolute offsets shown in the disassembly - they are inaccurate)

[PluMGMK]

Oh wow, that's pretty screwed up… The inner function is _dos_read from the Watcom C library, which includes a far pointer in its function signature. I have no idea what could have caused the compiler to generate such a malformed call to it (ECX is not set up with a segment, so of course it causes a GP fault), unless the outer routine was indeed hand-coded in assembly and someone just decided to delete a load of lines from the file. Seems unlikely though, since the registers are also different

[Hunchman801]

I agree. If you are not aware of any documentation on it, I will probably add it to the wiki at some point (should figure out which page is the most appropriate).

Great idea, I'm not aware of any place where it's mentioned.

[RayCarrot]

After beating Mr. Dark, every time you re-enter any level, you get greeted with the Atari Jaguar intro image, displaying the level number (relative to the world) of that level. For example, Allegro Presto will display "Level 7", Mr. Skops Stalactites - "Level 9" and Mr. Dark's Dare - "Level 1". Then the game proceeds as always. See attached image. Is this documented anywhere?

That is the level select the developers used to test the levels in the game. It's available in the code of essentially all versions but is only functional and accessible in the PC version. It's accessed by pressing the tab key, typing "alevel" and then pressing backspace. Not sure why it appeared in this case, but from my understanding the game's code was modified? It won't appear normally without inputting the cheat code.