Published: 2023-02-27 23:28:57 (4,625 views)
0:00 Introduction
3:11 Basics of Ghidra and 6502 assembly
11:12 Introducing floppy disk copy protection schemes
---
16:39 Start of Robots of Dawn copy protection analysis
25:52 Using python window to perform deobfuscation
30:13 Introducing custom scripts
34:57 Crash course in CBM DOS calls
39:45 Code relocation using the python window
42:35 Searching binary for strings
54:11 Protection revealed
---
58:15 Start of Bride of Frankenstein copy protection analysis
59:12 Custom Ghidra loader and Ghidra/Eclipse integration
1:14:46 Using a script for deobfuscation
1:17:54 Yet another deobfuscation loop
1:20:20 And yet another deobfuscation loop
1:26:12 Code relocation using the GUI
1:27:08 Analysis of code sent to floppy drive
1:32:28 Protection revealed
1:37:38 Jumping into the middle of an instruction
---
1:39:55 Custom Ghidra Analyzer (used on Bride of Frankenstein)
1:43:17 Emulating assembly code (used on Robots of Dawn)
1:48:34 Extending CPU instructions by changing the Sleigh
1:58:04 Close
Errata:
1:43:23 I claimed that the emulation doesn’t exist in the GUI, but it does! See: https://github.com/NationalSecurityAgency/ghidra/discussions/5042
Links:
Code in the talk (some updates since recording):
– https://github.com/c64cryptoboy/c64_ghidra
Ghidra:
– Ghidra downloads: https://ghidra-sre.org/
– All Ghidra classes: https://ghidra.re/ghidra_docs/api/allclasses-index.html
– The "flat" API: https://ghidra.re/ghidra_docs/api/ghidra/program/flatapi/FlatProgramAPI.html
Ghidra forums:
– https://github.com/NationalSecurityAgency/ghidra/discussions
– https://www.reddit.com/r/ghidra/
C64 protection schemes:
– Nate Lawson’s notes on dynamic analysis (VICE debugger) of Bride of Frankenstein: http://www.root.org/~nate/c64/bride_of_frank.txt
– For a more complex example, see the tutorial on removing the RapidLok6 copy protection from the Pirates (Microprose, 1987): https://rittwage.com/RL6Handbook_v130/I_1STTUT.HTM
– Karateka punishing pirates (from an 8-Bit Show and Tell episode): https://www.youtube.com/watch?v=a8B-EJQu6i0&t=552s
– Example of a scheme that used many GCR zeros in a row (so the data is different every time you read it): https://github.com/Zibri/Rubicon-C64/blob/main/How%20I%20did%20it.txt
C64 floppy disk image file formats:
– D64 format: http://unusedino.de/ec64/technical/formats/d64.html
– G64 format: http://www.unusedino.de/ec64/technical/formats/g64.html
Please take the opportunity to connect and share this video with your friends and family if you find it useful.