Anybody experienced with TAGES?
 

I've recently taken an interest in an old game again, Runaway 2 v1.3 English, which seems to be:

[!] Tages v5.5.2 protected !
[i] protection level: Tages BASIC

Has anybody been unable to unpack one of these? I'm even unable to point my finger at the OEP...

Any knowledge and tips would be welcome, or if somebody is interested, the finished file too.
But what I really want is insight on how to do it myself...

post what you've discovered then....

Having looked in the other no-cd's (french scene releases, although there are none for the english version), It's probably compiled with c++ 6+, because of the OEP:

I can also see the Imports correctly, and IAT, but in the packed one (the one I'm trying to unpack), I can't see a thing, since I haven't succeeded in locating OEP.

Obviously, no text strings are legible, but I've passed a breakpoint to GetDriveTypeA, which probably triggers the CD Check routine (a message box saying: Please insert CD of "Runaway 2"), and I was able to jump past it, but then it triggers another messagebox saying "Please insert original CD of "Runaway 2"", and I'm guessing that's where the TAGES kicks in. I haven't been able to figure out what causes that, I've been running a trace, but it's taking too long to get to where it breaks. Plus on some occasions it even triggers something that restarts the PC altogether. And now, I'm at a loss, and don't know how should I proceed with the unpacking.

I could upload the binary somewhere if you or someone else would like to take a look at it? Although you could just download and extract it from the official patch...

Have you already decrypted the executable? If so, can you upload it as an attachment? (Not that I can crack these commercial copy protections... :))

No, I'm sorry, I haven't... I suppose I was a bit unclear on that part.
I'll put the original one (English, packed/encrypted), and the French one (unpacked/decrypted), along with the dll's needed to start it (I mean, It won't start without the resources, but it can sometimes bitch about not having BINK in there...).

P.S.: Both of the file's names should be Runaway2.exe

the check is via deviceiocontrol, through their driver, some parts can also be vm'ed, without sounding insulting i think you may be out of your depth

No no, I don't find that insulting, I respect constructive criticism more than anything. I think that's a really good way to improve on one's methods.

I actually suspected DeviceIOControl before GetDriveTypeA, but since it's directly underneath DeviceIOControl I guessed that an I/O (a CD drive in this case) must be initialized first, before continuing to the check, so I wrote that off... A mistake on my part.

You could check the CMP at 620222, and jump past the CloseHandle part that comes after it (after the RETN, I think it was 62026E), and it would pass the CD check (After you click OK at the messagebox), and take you to the additional protection I spoke of earlier.

I agree that I'm probably a bit out of my depth, so could you point me in the right direction? I'd appreciate that very much, since I like this game a lot, and TAGES intrigues me to no end...

well, the cdcheck is done from timing looking at duplicate sector reads (thats why you can't burn an image), in game there's also checks which read a good sector (cracked will read bad sector), and the game acts on that, theres a bit of difference in the versions too, but all the reads and checks are via deviceiocontrol (possibly 'masked' inside the vm code).. so dumping at the oep isn't the end, rather it might be mid way through.. depending on the protection settings

I don't need to create a backup of the disc, I was only interested in the executable. But, duplicate sector reads? I read about that somewhere, and was a bit perplexed. Apparently, I lack sufficient knowledge and probably the ability to properly comprehend this one.

Thank you TippeX.
Sadly, I might have to abandon it. Remember that bit about me being out of my depth...?