TOPOLOGIKA - an education in CPU emulation and protection methods


TOPOLOGIKA - an education in CPU emulation and protection methods

Post by sirbod » Mon Apr 23, 2018 5:08 pm

Over the past seven years I've been trying to get the TOPOLOGIKA adventures to run beyond a physical Archimedes. None of the emulators are accurate enough at emulating the ARM3 instruction set, so I've been forced to use a physical Archimedes and more recently the ARM3 JIT under ADFFS.

What's so special about the TOPOLOGIKA protection you ask? Well, the loader code is obfuscated using a routine that not only relies on the behaviour of instructions, but also disables IRQ/FIQ, takes over the hardware vectors and dynamically switches CPU modes. PC+PSR, the RISC OS boot instruction and the hardware vectors are all used as part of the obfuscation process and it relies on pipelining.

Some examples of instructions it relies on are:

E12FF001 TEQP PC,R1 (S bit missing)
C143AD86 CMPGT R3,R4,LSL #27 (S bit missing)
E86D200E STMDA R13!,{R1-R3,R13}^
39FD200E LDMIB R13!,{R1-R3,R13}^

The first two instructions are fairly obvious: the TEQP switches CPU mode without altering flags and the CMP becomes a NOP. The last two are far more interesting when the CPU is in an elevated mode.

The JIT in ADFFS doesn't paravirtualize the CPU mode, so I had to emulate the PC mode changes with extra code. Once I had the obfuscation routine running to completion without crashing, I could then see it was using MLAs with PC in various registers. With these emulated, it still wasn't decrypting the code correctly, so some head scratching ensued.

It's here that I had a lucky break as I managed to get it to crash after running the obfuscated code. I promptly saved the obfuscated code and could then proceed with testing under emulation, which made things a lot quicker.

What followed was code that kills all Modules except UtilityModule, FileSwitch, FileCore and ADFS, which locks the machine if it can't kill a Module, and code that claims all screen, RMA and main memory and clears it. It then reads 128 bytes of obfuscated code from disc, which it turns out can only be read on a 1772; on a 710/711 it only manages to read the first 64 bytes. Finally, the main DiscOp loop that loads the obfuscated adventure interpreter from disc.

So... after six years, I've finally managed to image the TOPOLOGIKA adventures and get them running on all machines. The only ones I'm missing are Countdown to Doom and The Myth of Moby; I'm still looking for originals of these to image.

I have to thank Paul Oates for donating some originals and Zarchos for loaning several other TOPOLOGIKA titles. These allowed me to get them working, something I could only have done with original floppies on a physical machine.
Last edited by sirbod on Fri May 11, 2018 5:25 pm, edited 2 times in total.
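As an added example (not from the post, nor code from ADFFS), a small Python decoder for the ARM2/3 instruction classes quoted above that labels the encoding quirks an emulator has to model: comparison opcodes with the S bit clear (including the PC-destination P form), PC used as a multiply operand, and LDM/STM with ^ plus base writeback. The quirk notes restate the post's own observations; the CMP with S set and the MLA word in the test are constructed reference encodings, not taken from the loader.

```python
COND = ["EQ","NE","CS","CC","MI","PL","VS","VC","HI","LS","GE","LT","GT","LE","","NV"]
DP = ["AND","EOR","SUB","RSB","ADD","ADC","SBC","RSC","TST","TEQ","CMP","CMN","ORR","MOV","BIC","MVN"]
SHIFT = ["LSL","LSR","ASR","ROR"]

def reg(n):
    return "PC" if n == 15 else f"R{n}"

def operand2(word):
    # 12-bit operand-2 field: rotated 8-bit immediate, or register with a shift
    if (word >> 25) & 1:
        rot, val = 2 * ((word >> 8) & 0xF), word & 0xFF
        return "#%d" % (((val >> rot) | (val << (32 - rot))) & 0xFFFFFFFF)
    rm, sh, amt = reg(word & 0xF), SHIFT[(word >> 5) & 3], (word >> 7) & 0x1F
    if (word >> 4) & 1:                                  # shift amount held in a register
        return f"{rm},{sh} {reg((word >> 8) & 0xF)}"
    return rm if amt == 0 and sh == "LSL" else f"{rm},{sh} #{amt}"

def decode(word):
    """Disassemble one ARM2/3 word (multiply, data-processing or LDM/STM) -> (text, notes)."""
    cond, notes = COND[word >> 28], []
    if (word >> 22) & 0x3F == 0 and (word >> 4) & 0xF == 9:          # MUL / MLA
        a, s = (word >> 21) & 1, (word >> 20) & 1
        rd, rn, rs, rm = [(word >> b) & 0xF for b in (16, 12, 8, 0)]
        if 15 in (rd, rn, rs, rm):
            notes.append("PC used in a multiply: operand is the pipelined PC+PSR word (per the post)")
        ops = f"{reg(rd)},{reg(rm)},{reg(rs)}" + (f",{reg(rn)}" if a else "")
        return f"{'MLA' if a else 'MUL'}{cond}{'S' if s else ''} {ops}", notes
    if (word >> 26) & 3 == 0:                                        # data processing
        op, s = (word >> 21) & 0xF, (word >> 20) & 1
        rn, rd, op2 = (word >> 16) & 0xF, (word >> 12) & 0xF, operand2(word)
        if 8 <= op <= 11:                                            # TST/TEQ/CMP/CMN
            if rd == 15 and not s:
                notes.append("P form with S bit clear: mode switch without altering flags (per the post)")
            elif not s:
                notes.append("S bit clear on a compare: no flag update, effectively a NOP (per the post)")
            return f"{DP[op]}{cond}{'P' if rd == 15 else ''} {reg(rn)},{op2}", notes
        if op in (13, 15):                                           # MOV / MVN have no Rn
            return f"{DP[op]}{cond}{'S' if s else ''} {reg(rd)},{op2}", notes
        return f"{DP[op]}{cond}{'S' if s else ''} {reg(rd)},{reg(rn)},{op2}", notes
    if (word >> 25) & 7 == 4:                                        # block data transfer
        p, u, hat, w, l = [(word >> b) & 1 for b in (24, 23, 22, 21, 20)]
        rn, regs = (word >> 16) & 0xF, [reg(i) for i in range(16) if (word >> i) & 1]
        if hat and w:
            notes.append("^ with base writeback: user-bank transfer, behaviour depends on CPU mode")
        mode = ("D", "I")[u] + ("A", "B")[p]
        return f"{'LDM' if l else 'STM'}{cond}{mode} {reg(rn)}{'!' if w else ''},{{{','.join(regs)}}}{'^' if hat else ''}", notes
    return f"<unhandled {word:08X}>", notes

for w in (0xE12FF001, 0xE86D200E, 0x39FD200E):     # the words quoted in the post
    print(f"{w:08X}", *decode(w))
```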


Re: TOPOLOGIKA - an education in CPU emulation and protection methods

Post by BigEd » Mon Apr 23, 2018 5:26 pm

An excellent adventure - or meta-adventure perhaps.


Re: TOPOLOGIKA - an education in CPU emulation and protection methods

Post by steve3000 » Mon Apr 23, 2018 6:52 pm

Great detective work! =D>
