Introduction to Ghidra: Commodore 64 Copy Protection Analysis

Channel:
United States David Youd
Subscribers:
3,160
Published on ● Video Link: https://www.youtube.com/watch?v=3wW1una5Pgg


Duration: 1:59:15
3,518 views
171

TOC:
0:00 Introduction
3:11 Basics of Ghidra and 6502 assembly
11:12 Introducing floppy disk copy protection schemes
----
16:39 Start of Robots of Dawn copy protection analysis
25:52 Using python window to perform deobfuscation
30:13 Introducing custom scripts
34:57 Crash course in CBM DOS calls
39:45 Code relocation using the python window
42:35 Searching binary for strings
54:11 Protection revealed
----
58:15 Start of Bride of Frankenstein copy protection analysis
59:12 Custom Ghidra loader and Ghidra/Eclipse integration
1:14:46 Using a script for deobfuscation
1:17:54 Yet another deobfuscation loop
1:20:20 And yet another deobfuscation loop
1:26:12 Code relocation using the GUI
1:27:08 Analysis of code sent to floppy drive
1:32:28 Protection revealed
1:37:38 Jumping into the middle of an instruction
----
1:39:55 Custom Ghidra Analyzer (used on Bride of Frankenstein)
1:43:17 Emulating assembly code (used on Robots of Dawn)
1:48:34 Extending CPU instructions by changing the Sleigh
1:58:04 Close

Errata:
1:43:23 I claimed that the emulation doesn't exist in the GUI, but it does! See: https://github.com/NationalSecurityAgency/ghidra/discussions/5042

Links:

Code in the talk (some updates since recording):
- https://github.com/c64cryptoboy/c64_ghidra

Ghidra:
- Ghidra downloads: https://ghidra-sre.org/
- All Ghidra classes: https://ghidra.re/ghidra_docs/api/allclasses-index.html
- The "flat" API: https://ghidra.re/ghidra_docs/api/ghidra/program/flatapi/FlatProgramAPI.html

Ghidra forums:
- https://github.com/NationalSecurityAgency/ghidra/discussions
- https://www.reddit.com/r/ghidra/

C64 protection schemes:
- Nate Lawson's notes on dynamic analysis (VICE debugger) of Bride of Frankenstein: http://www.root.org/~nate/c64/bride_of_frank.txt
- For a more complex example, see the tutorial on removing the RapidLok6 copy protection from the Pirates (Microprose, 1987): https://rittwage.com/RL6Handbook_v130/I_1STTUT.HTM
- Karateka punishing pirates (from an 8-Bit Show and Tell episode): https://www.youtube.com/watch?v=a8B-EJQu6i0&t=552s
- Example of scheme that used many GCR zeros in a row (so it's different every time you read it): https://github.com/Zibri/Rubicon-C64/blob/main/How%20I%20did%20it.txt

C64 floppy disk image file formats:
- D64 format: http://unusedino.de/ec64/technical/formats/d64.html
- G64 format: http://www.unusedino.de/ec64/technical/formats/g64.html



Other Videos By David Youd


2024-05-07Silicon Warrior mystery: Intro to Retro Debugger and 6502Bench
2024-04-08#2024eclipse through 5.25" #floppydisk
2024-03-24Alter Ego, Explained in 64 Seconds
2024-02-04Tensegrity table
2024-01-18Whistle Register #musicnerd #bassvoice
2024-01-04Galton Board
2023-10-15CRX2023: Mark Lemmert, Nox Archaist technical deep dive
2023-10-14CRX2023: Piracy AI vs. a Python script
2023-09-27Piracy, Explained in 64 Seconds
2023-03-25DIY Musicbox River Lullaby - Prince of Egypt (1998)
2023-02-27Introduction to Ghidra: Commodore 64 Copy Protection Analysis
2022-12-26Juke Box, Explained in 64 Seconds
2022-11-24Make Your Own Murder Party, Explained in 64 Seconds
2022-11-10Sword of Fargoal (VIC-20), Explained in 64 Seconds
2022-10-28Music Construction Set, Explained in 64 Seconds
2022-10-16Spot (C64) vs. Ataxx (Arcade)
2022-10-16Infection, Explained in 64 Seconds
2022-10-06Realm of Impossibility, Explained in 64 Seconds
2022-10-06C64anabalt, Explained in 64 Seconds
2022-10-06Lords of Conquest, Explained in 64 Seconds
2022-09-23Rocky's Boots, Explained in 64 Seconds


Tags:
ghidra
commodore 64
c64
bride of frankenstein
robots of dawn
epyx
xor obfuscation