Carv-Up

Hits: 1535

Removing Copylock Protection

More
Tags
Author: scenex
Submitted by: scenex
Date: 2004-06-29 00:12
No tags

Carvup by Core
-------------------------

This time we'll deprotect Carvup

We need following things:

1. Carvup original disk or CAPS image
2. Action Replay cartridge or ROM
3. An Amiga or WinUAE emulator may be handy too =)

Alright let's get started, fire up X-Copy and make a copy from our game. You'll notice very soon that
the first track of our disk seems to be protected. Looks like another copylock secured game.

Start the game. Seems like it loads quite far.

Press fire and here we go, the game crashes. Keep your eyes on the track counter.
At the very beginning when you inserted the disk, it jumps to track 0 and another two times
when you try to start the game. What does it tell us? Well three checks on track 0. Let's find out
where the checks are located. Reboot Amiga, wait until you see the title screen.
Enter your Action Replay by either pressing the red button or if you're in WinUAE by ?Page Up' button.

Search through the memory for ?48 7A' which in most cases indicates the copylock protection.

F 48 7A

It found 2 addresses 023D04 / 023D14 (values may differ on your system)

D 23D04 ; gives us following result

Note the PEA and ILLEGAL instructions, those are responsible for our hard work we have to do =)
Ok now we got the location which makes all the troubles. But we have to find out where this part is called
in the game.

FA 23D04

You should have received 3 addresses

01004E
01018A
0104A4

Remember the 3 checks on track 0?
Lets dive into the mechanics.

D 01004E
D 01018A
D 0104A4

See the similarities at the CMP Instructions? Seems like the 'magic value' is being compared against our not
so magic value since we don't got this special track on our copied disk. If those values don't match, our game
screws up. The perfect crack would be, if we could fool the game into thinking we got the right magic value in
register D0 plus if the game wouldn't even need to check track 0.

Alright lets patch the whole thingy in memory.

Enter 'A' to start assembler mode.

A 1004E
NOP
NOP
NOP
MOVE.L #E55A6DD8,D0
BRA 010062

Do the same for the 2 other addresses we found earlier (with the corresponding branch address ofcourse)
Exit AR, press fire to start the game. Hey wow, it doesn't crash anymore and you're in middle of the game.

Cool, so now its time to make our memory hack permanent.
Reboot Amiga, wait until the title screen appears, enter AR. Now we need the opcodes from the
important addresses, since we gonna just NOP (its 4E71) out the JSR instruction in each check, we don't
have to care about this one right now. But the CMP.L & BEQ instructions are important now.

Here are the opcodes:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
10054 - B0 BC E5 5A 6D D8 (Original Instruction)
10054 - 20 3C E5 5A 6D D8 (Patched Instruction)

1005A - 67 06 20 39 00 01 00 6D 4E B9 (Original Instruction)
1005A - 60 06 20 39 00 01 00 6D 4E B9 (Patched Instruction)

10190 - B0 BC E5 5A 6D D8 (Original Instruction)
10190 - 20 3C E5 5A 6D D8 (Patched Instruction)

10196 - 67 08 48 E7 FF FE 61 00 FF FA (Original Instruction)
10196 - 60 08 48 E7 FF FE 61 00 FF FA (Patched Instruction)

104AA - B0 BC E5 5A 6D D8 (Original Instruction)
104AA - 20 3C E5 5A 6D D8 (Patched Instruction)

104B0 - 67 1C 41 F9 00 01 00 6C 43 F9 (Original Instruction)
104B0 - 60 1C 41 F9 00 01 00 6C 43 F9 (Patched Instruction)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

When we later come along writing the patch, keep in mind that patching for example instruction
1005A would result in a byte patch since just one byte is affected. And patching instruction
10054 would result in a word patch since two bytes equal a word. Why the hell should i care,
you may ask. The reason is simple since just one or two bytes (word) change, we just have to
patch the affected byte(s) not the whole instruction. Easy isn't it?

Ok reboot your Amiga and enter AR. Its time to inspect the bootblock. For this reason we have
to manually load in the first track from disk. Lets load it in at memory $50000

RT 0 01 50000

Then begin to trace the code.

D 50000

Scroll down until you reach instruction 5006E. Looks interesting, seems to be a jump to address 78000.
Note this address on a piece of paper.

As you keep scrolling down you'll notice that our bootblock isn't very large its about 6E. Scroll down until
you're at address 50400. Here comes another interesting part. At address 50420 it jumps into a
subroutine which just begins at 5042A. This subroutine is quite large. After the execution of the subroutine
it jumps back and we're at instruction 50424. It says ?JMP 010000' there. Hmm weren't the copylock check
routines also located around 010000? I think the answer is yes. So location 010000 could be the actual start
of the game. I suspect the subroutine at 50420 is the loader.

Remember the instruction at 5006E.

05006E JMP 078000

Ok the loader from disk gets loaded into 78000. Exit AR, reboot your Amiga and wait until the title screen
appears again. Then enter AR again and check out 078000

D 78000

Looks familiar? Now we know where the loader gets loaded in. As soon as instruction at 078024 (JMP 010000)
is reached, we can assume that the game is in memory, so instead of right jumping in our game, we'd first
jump into our patch make all the appropriate changes to our game, after those are done then we'll allow the
game to start.

Let's search through the loader on disk for some space, so that we could insert our patch into it. Reboot the
Amiga, and enter Action Replay.

RT 0 01 50000

After the first track is loaded into memory at 050000, we'll search for enough space, so enter following command
and watch out for ?00'. The first 400 bytes are reserved for the boot block, so enter

M 50400

What about 51222 doesn't look bad.

Now we gonna write the patch inside there. Check opcodes above for help.

A 051222

051222 MOVE.W #4E71,01004E ; NOP 1
05122A MOVE.W #4E71,010050
; NOP 2
051232 MOVE.W #4E71,010052
; NOP 3
05123A MOVE.W #203C,010054
051242 MOVE.B #60,01005A

05124A MOVE.W #4E71,01018A
051252 MOVE.W #4E71,01018C
05125A MOVE.W #4E71,01018E
051262 MOVE.W #203C,010190
05126A MOVE.B #60,010196

051272 MOVE.W #4E71,0104A4
05127A MOVE.W #4E71,0104A6
051282 MOVE.W #4E71,0104A8
05128A MOVE.W #203C,0104AA
051292 MOVE.B #60,0104B0
05129A JMP 010000
; Jump into game

Write it back on disk

WT 0 01 50000

Great, so now we got the patch on disk, but wait its not getting executed by the game. Hmm reboot
your Amiga, wait until the title screen appears. We have to obtain the correct address where our patch gets
loaded into memory.

Search our patch by scrolling down from 78000, since our patch is 16 lines long it should be no problem to
find it. Another way would be to search it by an opcode.

Great here it is, note the start address 078E22

Now since we got the entry point of our patch in memory, we can reboot our Amiga once again and enter
AR to fix the entry point on disk.

RT 0 01 50000

D 50000

Scroll down until you see line 050424.
Patch ?JMP 010000' to ?JMP 078E22'

A 050424

JMP 078E22

Write it back on disk

WT 0 01 050000

Restart Amiga, cool while the loading was in progress, there were no access to track 0. Ok we see the
title screen again, as we saw it before many times, so nothing special yet. Press fire to start the game.
Hmm once again no access on track 0. Wow it works! No crash anymore! Let's rock.

scenex ? June 2004

?

?

?

?

?

?

Powered by the best online Amiga mod player: FLOD


Some more you may like:

None


Comments

Leave a Comment!

Name:
: Use this calculator
Your comment will be available for editing for 10 minutes
2004-06-30 20:59

1. WayneK writes

Good tutorial for a pretty weak protection :) What were they thinking CoMParing the magic number 3 times...that makes it so easy you could crack it without a working original!
reply