Dream Library Hacking

Roareye
Rank 9
Posts: 929

Dream Library Hacking

Post#1 » Mon Jun 21, 2021 12:24 pm

I thought I'd make a separate topic for this rather than overfill the DreamArena 2 topic, though it is a related topic. But this is much more specific.

I'm looking to hack and get Dream Library working again. I know this is an arduous task, happy to do most of the grunt work myself, however I need help in understanding certain things from those with more knowledge of coding.

THE PROBLEM
1 - Dream Library only plays for 15 minutes in "Demo" mode, meaning after 15 minutes of play you'll get an error flash up in Japanese and you'll be booted out of the emulator and back to the browser's title screen. I believe Dream Library checks with Dricas if you have a rental agreement in place before letting you play the full version. More on this in a bit.
2 - Dream Library won't let you reach its game selection menu from inside the app. It tries to connect to a Dricas server before failing and returning you to the Dream Library title screen. Pressing the alternative option in the main menu boots you out to the browser's title screen.

ADVICE FROM BLUECRAB
BlueCrab had a very similar/identical problem with Phantasy Star Online - it calls Dricas to authorise before letting you play online. Here is what he told me;
Honestly, I've never looked at Dream Library, so I can't really speak to it at all. I can describe what I did to isolate the check in PSO and patch it out though... However, it does require some knowledge of SuperH assembly to pull it off...

Basically, PSO checks a certain server (auth01.dricas.com) with an HTTPS connection to check if the copy of the game is authorized to play. I never actually looked at how it goes about doing the check or what the HTTPS exchange even was with the server, as cracking the encryption on SSL seemed like a bad way to attempt it (I assumed it was using a good HTTPS cipher and would be infeasible to break the connection this way) -- this is why there's a disc needed to patch the game at runtime if you're using a real GD-ROM.

What I did instead was to find the server address string's location in the game's binary and trace every use of that string. In the case of PSO, it was only used in one place (as expected). I then looked at the piece of code referencing the string and figured out where the function began that used it. I then looked for all the locations that referenced that particular function in the code (you need the beginning of the function to do this, hence why you need to be able to reason about SuperH assembly and be able to tell where functions begin and end, as well as how they're called in the disassembly). I repeated this process a few times to get farther up the call stack (I based my reasoning here on knowing how most usual network programming works). Once I was satisfied I was far enough up the call stack, I just patched the first two instructions of the function to do nothing else other than return 0 (which is typically used as a "success" in C programming). I shocked myself by actually managing to pick the right place to put that and have it work on the first try with the patched game binary.

Basically, it was a bunch of guess and test based on knowing a bit about network programming and a lot about SuperH assembly. Unfortunately, this is probably not quite the same process you'd need to use, so I don't even know if this will be useful at all.


I do not know SuperH assembly, so this will be something I need support on. But before we come to that, let's look at the information we have available.

THE RESEARCH
We know Dream Library tries to call for file or access from the Dricas server, it tells us as much when we run the software. The DREAMLIB folder in the browser discs has the following files of note;
FOLDER: DreamLib/
1DR_LIB.BIN - This is full of code, but despite mentioning PVRs I couldn't extract any from it. Is it possible this has something to do with running DL with the DL and DEMO files mostly being the PVRs?
1MD_EMU.BIN - I would assume that this is the Mega Drive emulator itself
PCEMU.BIN - Likewise I'd assume this is a PC Engine emulator
MANATEE.DRV - According to the internet, this is an audio driver
STREAM.MLT - Apparently MLTs store sound effects in DSF format
2 PVRs

FOLDER: DREAMLIB/DPDL/
DEMO.BIN - Demo Mode of Dream Library
DEMO.PVM - Stores all of the PVRs for DEMO.BIN
DL.BIN - Download Manager
DL.PVM - Stores all of the PVRs for DL.BIN
DREAMLIB.MLT - Apparently MLTs store sound effects in DSF format
EMU_ROM.TXT - Copyright information for each of the ROMS
S00001S00007102200.BIN to S00001S00007102242.BIN - Game ROMS (43 stored on the disc, oddly)

FOLDER: DREAMLIB/MD_EMU/
MANATEE.DRV - Audio driver
STREAM.MLT - Sound Effects
The rest of the folder are just PVRs.

To test a quick patch, drez replaced DEMO.BIN with DL.BIN to see if this would boot up the full version of the Library. This led to the software only booting up the Download Manager and being caught in a loop of trying to contact the server. It did not affect the playing of any games, however. By loading a game up via an avefront code, we could still play (suggesting this boots straight to emulator without opening the Dream Library). I was still restricted to 15 minutes play, but the fact that booting a game directly and booting Dream Library are completely separate actions in the code might be useful.

Out of the entire directory, I think we only need concern ourselves with 1DR_LIB.BIN, 1MD_EMU.BIN, DEMO.BIN and DL.BIN. The rest are things that won't affect the running of the software. Also check out the file sizes;
DEMO - 42.9KB
DL - 18.1KB
Would suggest to me that DL might actually just stand for Download instead of Dream Library on this occasion, and the Dream Library just calls on this file in an attempt to download from the server. Kind of a program-within-a-program idea.

1DR_LIB - 957KB
1MD_EMU - 1.93MB
These are substantially larger files. 1DR_LIB may actually be the Dream Library itself, and it simply calls DEMO and DL as and when it needs to use them. 1MD_EMU is the largest and might have something to do with the timing issue. I find it interesting that swapping DEMO and DL killed Dream Library but not my ability to play the ROMs. In fact that entire side was completely unaffected.

THE HEX CODE
So I decided to look through the Hex Code in all four of these files to try and find interesting information. I'll add screenshots of the most interesting and relevant code info below. First I'll give a brief description of some findings I've been able to chase up.

1DR_LIB.BIN's Hex Code;
    There are two alternative names given for Dream Library. Ninja Library and Shinobi Library. Just a piece of trivia there.

    Starting at Offset 0003DFC0, there is a short run of ROMs (two Mega Drive, three PC Engine as stated in brackets also in the code);
    S00001S00003100901 S00001S0000310090101 Columns (MD)
    S00001S00003101101 S00001S0000310110101 Flicky (MD)
    S00001S00007101701 S00001S0000710170199 Shanghai (PCE)
    S00001S00007101702 S00001S0000710170299 The Kunhuu (PCE)
    S00001S00007101705 S00001S0000710170599 Draius Plus (PCE)
    No idea what the relevance is of these titles. Columns and Flicky are two of the free-to-demo ROMs but the PCE games are not. There are ROMs in the DPDL folder of the disc, but I can confirm that these five file names are not in that folder. Perhaps they are stored within the BIN file itself? The ROM names in DPDL all follow the numbers S00001S000071022##. I do not know the relevance of the additional 01 (MD) and 99 (PCE) on the second set of numbers other than denoting which console it's for. The alternative is that 01 is a demo version and 99 is a full version?

    Directly following the above is a bit more text
    SEGA USER http://www.dricas.com /dl/param/game_list.txt text/plain
    dricas.com has a corrupt symbol between it and /dl/param. All the same I searched for this file and the directory on Wayback Machine and got nothing. I wondered if it was referring to a potential file inside DL.BIN instead of online, but no such file exists there either. More than likely it was a web link that was never backed up to Wayback.

    Not sure if these are relevant, but they appear to be dialling information. Not sure if they're just regular modem stuff or crucial to the Dream Library's authorisation process;
    From Offset 0003D9E0 to 0003DBF0
    net inf init err net inf get ntwk info err net inf get ntwk cmn info err net inf get ntwk cmn info flg err get dial prm err èàŒðàŒ Use K_1 K_2 K_MINUS PROVIDER:%s FLAG:%08X ID:%s PWD:%s %s P.DNS:%08X S.DNS:%08X ML AD:%s ML SV:%s POP SV:%s POP ID:%s POP PWD:%s PROXY:%s PORT:%04X N INFO î‚ŒƒŒ K_1 PPP USER [%1d] K_2 QUERY USER [%1d] K_3 ROM CID [%1d] FROM FRAM TEL:%s ID:%s PWD:%s FOLLOW PRM 18CID:%s 20CID:%s NAME:%s NETPRM CHG 4…Œ broken fram err

    From Offset 0003DE30 to 0003DFB0
    atx3 send"AT\r" wait"OK",5 send"AT&F\r" send"AT&C1&D2\r" wait"OK",5send" \r" wait"OK",5 send" 0990 [email protected] sysken32 [email protected] nopasswd [email protected] illegal foutyover1foutyover2foutyover3foutyover4xxxx id‘SŠp zenkaku pwd‘O‰æ sixteenover234567 [email protected] tempstop [email protected] expired

DL.BIN's Hex Code
    Offset 000042A0 to 000042E0 has a web link. http://www.dricas.com/cgi-bin/dl/RandBanner.cgi CmUrl:%s P!HŒÜ!HŒœ%HŒä&HŒX...winfo Err... The rest may be odd code, but I'll leave it in for now. Sadly Wayback Machine has no such file in its database, meaning it's likely also lost to time. There is a similar looking link here; https://web.archive.org/web/*/http://www.dricas.com:80/sunrise21/randCard.js. While it has nothing to do with Dream Library, it appears to showcase a list of images. I don't understand Javascript at all, however, so I couldn't say what they're doing listed here.
    What may be more important is that this is from DL.BIN, the program that only calls for downloading from the server. As such I believe that file/link is what tells Dream Library it has access and what to download. Anyone with Javascript experience, any advice would be much appreciated.

DEMO.BIN's Hex Code
    Offset 00005980 to 000059D0;
    Server Name; = %s Product ID = %s Auth Type = %d Extra = %d (No, Info1, Info2) = (%d, %s, %s)

    Offset 00005AA0 to 00005B30;
    NO TITLE : SERVER_NAME PRODUCT_ID AUTH_TYPE EXTRA COMMENT_BEGIN COMMENT_END DWLD_LIST_START DWLD_LIST_NEXT DWLD_LIST_END List end

    Offset 0006820;
    TM_PENGO1_VM
    I have no idea why there appears to be a reference to Pengo in here. It's the only game referenced, and it appears to be referencing a VM file, commonly associated with the VMU. Was a VMU animation of Pengo due to play? Or a save file? Or perhaps a VMU image file? No idea, it's on its own in the middle of Hex garble.

1MD_EMU.BIN's Hex Code
    00000030 - Lib Handle Start
    00000070 - Lib Handle End
    I wonder if these might have functions to do with the 15 minute timer. There's some garble between them.

    Offset 001CB660 to 001CB9F0
    SEGA Ninja Library
    Ninja Ver 01100111 Build: Feb 23 2000 15:29:51
    MMU OFF .PVR
    Ninja Ver. %08X
    Nindows Ver. %08X (That is spelt right, it says Nindows)
    Various other technical aspects to the program. I don't think this is too relevant to my needs. Let me know if I'm wrong.


That's about where I am currently. I need some help with Javascript, understanding the RandBanner.cgi aspect of things and how we might rebuild it (if needs be).
I also need help from anyone who knows about coding. I think DEMO.BIN seems to handle authorisation of playing the full experience because it has Hex code referring to Auth_Type and Server Lists. 1DR_LIB.BIN has some curious ROMs mentioned that aren't on the disc (or so it seems at first glance) and the dricas URL with the game_list.txt file mentioned. If that file is supposed to follow the ROM naming convention to simply respond with the names of available titles I may be able to rebuild this file myself.
Then it's modifying the code to aim at a new URL, with files that activate the full heft of the software.

Thank you to any and all for any bit of help in getting this off the ground. I have to say I'm operating far outside my bounds of knowledge here, so I'm grateful to anyone not letting me get lost in the sea.

Here are the still shots from 1DR_LIB.BIN, with more information and the Offset references;
DreamLib Hex 01.jpg
DreamLib Hex 02.jpg
DreamLib Hex 03.jpg
DreamLib Hex 04.jpg
DreamLib Hex 05.jpg
DreamLib Hex 06.jpg
DreamLib Hex 07.jpg
DreamLib Hex 08.jpg
DreamLib Hex 09.jpg
DreamLib Hex 10.jpg
DreamLib Hex 11.jpg
DreamLib Hex 12.jpg
DreamLib Hex 13.jpg
DreamLib Hex 14.jpg
DreamLib Hex 15.jpg
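
The first step in BlueCrab's quoted advice (locate a server string, then find what refers to it) can be scripted instead of done by eye in a hex editor. This is an added example, not part of the original post or anyone's tooling: `LOAD_BASE` is an assumed load address that the thread does not give for these files, and the 256-byte blob is constructed so the script runs without the disc files.

```python
import re
import struct

# Assumption: load address of the image in Dreamcast RAM. The thread does not
# give one for these files; substitute the real value for the binary in hand.
LOAD_BASE = 0x8C010000


def ascii_strings(data, min_len=6):
    """Yield (file_offset, text) for each printable-ASCII run >= min_len bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_strings(data, needle, min_len=6):
    """Case-insensitive search over extracted strings, like a hex-editor search."""
    needle = needle.lower()
    return [(off, s) for off, s in ascii_strings(data, min_len)
            if needle in s.lower()]


def literal_pool_refs(data, string_offset, load_base=LOAD_BASE):
    """File offsets of aligned 32-bit little-endian words that hold the
    string's load address. SuperH code reaches absolute addresses through
    such literal-pool words, so each hit marks code nearby that uses the string."""
    target = struct.pack("<I", load_base + string_offset)
    return [i for i in range(0, len(data) - 3, 4) if data[i:i + 4] == target]


def build_sample():
    """Constructed 256-byte blob: one URL string and one pointer to it."""
    blob = bytearray(0x100)
    url = b"http://www.dricas.com/cgi-bin/dl/RandBanner.cgi\x00"
    blob[0x80:0x80 + len(url)] = url
    blob[0x20:0x24] = struct.pack("<I", LOAD_BASE + 0x80)
    return bytes(blob)


if __name__ == "__main__":
    image = build_sample()
    for off, text in find_strings(image, "dricas"):
        refs = literal_pool_refs(image, off)
        print(f"{off:08X}  {text!r}  referenced at {[f'{r:08X}' for r in refs]}")
```

A hit is only a candidate: data that happens to equal the address matches too, and a wrong `LOAD_BASE` yields no hits at all, so each offset still has to be confirmed in a disassembler.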

SMiTH
Black Mesa
Posts: 1496

Re: Dream Library Hacking

Post#2 » Sat Sep 25, 2021 6:48 pm

We really need some1 to release a full hack of dream library including a pc engine romset.
If you have never seen this emulator... 8-)


dcsteve
undertow
Posts: 27

Re: Dream Library Hacking

Post#3 » Sat Sep 25, 2021 7:05 pm


SMiTH
Black Mesa
Posts: 1496

Re: Dream Library Hacking

Post#4 » Sat Sep 25, 2021 7:15 pm

dcsteve wrote: Have you tried this hacked version?

https://archive.org/details/dream-passp ... games-hack


AFAIK that is only the sega genesis emulator and not the pc engine.
The sega genesis emulator is basically what we got here in the usa with sega smash pack.
I could be wrong but this is my take on it.

here is a link with info about dream library genesis/pc engine emulator etc.

https://www.thedreamcastjunkyard.co.uk/ ... er-to.html

dream library was an officially released emulator that was bundled with the dream passport web browser.
it allowed the user to download roms and play them.

more than likely the bin for the pc engine emulator will need to be disassembled and modified to work.
roareye and drez have already attempted to get it working with hex editing and swapping files etc.
the pc engine emulator runs damn good with sound as well.
it does not work perfect for every rom as seen in the youtube vid.
but it is an awesome emulator imo.

thanks to roareye and drez for researching and hacking dream library.
:)

fafadou
Gold Lion
Posts: 1662

Re: Dream Library Hacking

Post#5 » Sun Sep 26, 2021 10:16 am

Nice job.

Roareye
Rank 9
Posts: 929

Re: Dream Library Hacking

Post#6 » Sun Sep 26, 2021 4:35 pm

Dream Library is a pain. Drez did well slightly improving the MD emulator (small but noticeable) and unlocking it fully, however any attempts to get the Dream Library software to connect online have failed.

Usually Dream Library will hang while attempting connection, then fail after being unable to authenticate via dricas. Via hex editing we've been able to stop the connection hanging, but so far have failed to get it to connect to a custom server.

The dricas authentication code is identical to PSO v1 in Japan, however even with advice from BlueCrab we've not yet cracked it. The issue is neither myself nor Drez are coders, so we don't even know how to check which code is being activated/used when Dream Library attempts connection. If anyone could help us with that, it would get us a step closer to cracking the code.

The benefit of getting Dream Library to connect is we can update the games listings online, instead of all ROMs being stored on the disc. I also reckon it's a vital step needed in order to fire up the PC Engine emulator (since nobody's been able to do it - and the 2/3 that have shown it refuse to share how. Leads me to believe they're hoaxers). This would make some sense as PC Engine isn't Sega's copyright and it wasn't long before support was dropped entirely.

Still hoping for someone with coding knowledge to help figure out which code is being accessed during dial up to dricas through Dream Library. BlueCrab stated that with PSO he simply set authentication=0 and it bypasses the official authentication process. We need to do that here.

colgate
Doom
Posts: 185

Re: Dream Library Hacking

Post#7 » Tue Sep 28, 2021 11:25 pm

Authentication=0? Can you elaborate?

Roareye
Rank 9
Posts: 929

Re: Dream Library Hacking

Post#8 » Wed Sep 29, 2021 2:20 am

colgate wrote: Authentication=0? Can you elaborate?

I slightly misremembered, but if you read the quoted message from BlueCrab in the first post you'll get a clear understanding of what I mean.

The authentication in C language has to be set to return 0, which is success in C code. However anything C related, or SuperH Assembly, is far beyond my skillset. I need someone to help with that part.

fraggle200
chill
Posts: 307

Re: Dream Library Hacking

Post#9 » Wed Sep 29, 2021 3:23 am

have you tried running any of the bin files through Ghidra? They've put a SH4 disassembler in there with the most recent version. I've had mixed results when poking about files with it but it could make life a little easier in being able to track down what's happening as the assembly code should be there to see instead of trying to work out what's happening through a hex editor.

Roareye
Rank 9
Posts: 929

Re: Dream Library Hacking

Post#10 » Wed Sep 29, 2021 7:34 am

fraggle200 wrote: have you tried running any of the bin files through Ghidra? They've put a SH4 disassembler in there with the most recent version. I've had mixed results when poking about files with it but it could make life a little easier in being able to track down what's happening as the assembly code should be there to see instead of trying to work out what's happening through a hex editor.


I'll be honest, I've absolutely peaked my technical knowledge getting to this point. I don't know of Ghidra, how to run an SH4 disassembler, and I'm largely blind looking in the hex editor. My knowledge base is in film and cinematography, not coding.

If you are willing, I can send you the files. Would you be open to looking?
