Submitted by: musashi9
Date: 2004-07-25 11:19
Cannon Fodder 2
© Sensible Software
You will need following:
1. Original game.
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Four blank disks - find them in your local Amiga store
6. ProPack - find on amiga-stuff.com
7. ARIV - find on romshare.net
8. Kickstart 2.0
9. Basic knowledge in file handling
Addresses may differ on your computer, due to different memory configurations.
ARIV does NOT like 68060 CPUs.
Start by making a copy of the original game disks. This is to determine the type of protection.
You'll notice an error on track 0 on all three disks. This is some type of disk-based protection, where you can't duplicate a specially written track. Most likely a copylock...
The copy of the game crashes big time, shortly after boot.
Let's start by retrieving the copylock key. The type of copylock used in this game uses the copylock key in a decryption routine, which makes it a little more difficult to get the key.
Execute ARIV, insert original disk 1 and reset. Enter ARIV with RMB, just after reset.
To stop ARIV from popping up when exceptions occur, disable that; "ALLEXEC". Exit and continue loading.
Now comes the tricky part. The copylock causes ARIV to crash, so we have to enter before the copylock is run.
The game loads for a little while, pauses and then loads shortly again. Then the screen turns grey; it's now time to enter ARIV.
Locate the copylock in memory; "F 48 7A". ARIV will return address 75F64.
Enable the RNC decrypter, so we can decrypt the copylock; "ROBD".
Disassemble address 75F64 and watch out for these lines:
Address 76388 moves the key from D6 to D0 and address 7638E branches to the decryption routine. Take note of the opcodes at address 7638E. If we alter these opcodes a little, before the copylock is run, we can cause it to crash before the key is cleared from the registers.
Boot the original game on an A500 and enter AR when the track counter moves to 0 / when the screen turns black.
The code we need to alter is at address 7638E; see the contents of memory; "M 7638E".
Just alter the value "73" to "70". This is more than enough to crash the copylock.
Exit AR and wait a few secs and enter AR again.
Press "R" to see the registers. The key is now sitting in D6, grab it :)
The copylock is located in the ProPacked data file "CF2". Copy this file and ProPack to a blank disk and decrunch it. Type this in DOS to unpack the file; "propack u d cf2".
You should now have a decrunched file called "CF2.RNC". Enter ARIV and load the file into memory, starting at address 30000; "LM CF2.RNC,30000".
Enable the RNC decrypter; "ROBD" and locate the copylock routine, so we can wire the key into it; "F 48 7A,30000". ARIV returns address 39FFA. Disassemble this address and watch out for the location to wire the key in:
Registers are saved by the code at address 3A3DA.
The copylock key needs to be wired into address 3A3EE. After that, we set register D1 to #0. This emulates the copylock in the best possible way. We can then branch past the whole disk-accessing part. Continue to disassemble a few lines further:
The registers are restored at address 3A420, so this must be our branch address.
Assemble address 3A3EE and wire the key in, see picture above. The code we type in will be encrypted by ARIV, so there is no need for any EOR calculations.
When the copylock is run, the correct key will always be present, and the decryption routine at the end of the copylock will be executed correctly.
Save memory back to disk, as a file called "CF3"; "SM CF3,30000 5AEF0".
Remove ARIV from memory and type this in DOS to pack your newly cracked file; "PROPACK P D CF3".
You now have a packed file called "CF3.RNC". Rename this to "CF2" and copy it to the copy of the game, overwriting the old one.
Reboot and test your new crack.