Submitted by: Rob
Date: 2004-08-01 17:58
Chuck Rock II - Son Of Chuck
You will need the following:
1. Original game - find on romshare.com
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. 1 blank disk
6. Pro-Pack v2.08 - find on amiga-stuff.com
7. X-Copy or some similar program
8. Basic knowledge in file handling
Start by making a copy of the original game disks. You will notice an error on
track 0 on both disks.
This is probably a copylock, or you have a problem with your disk drive...
Boot the copy of disk 1. The Core logo appears and the game loads.
After a while the logo disappears and the track counter goes to track 0. It hangs there a few secs and the game seems to be starting.
When you press "start" at the title menu, the game continues to load and this screen appears:
After this screen... your computer crashes. This doesn't happen with the original game, so the copylock routine must have
done "something" to the game, causing it not to work. We could crack it by bypassing the whole copylock, but this
probably wouldn't work, because the game continues to load after the copylock has run. So the game must be using
the magic number(s) for something "useful". So, let's find these numbers.
Boot the original game and, at the exact moment the Core logo disappears and the track counter goes to track 0, enter AR.
Do a HEX search for 48 7A (the opcode of a PC-relative PEA); a copylock often starts with this. See picture:
It returns two addresses. Disassemble the first one with "D 19716" and hit enter a few times. Notice the "PEA" and "ILLEGAL":
these are typical signs of a copylock. Continue disassembling by holding down enter, until you see something like this:
The copylock ends at address 1A01C, and address 1A01E jumps back to the game. Let's make a loop routine after the magic numbers have been returned. Do this by
inserting a BRA at address 1A01E branching to address 1A01E.
Exit AR. The game goes to track 0 and then it hangs at track 59. Enter AR, press "R" followed by enter. You should see this:
Ok, I can tell you that we have multiple magic numbers; it's not enough just returning D0. We are interested in the
following registers: D0, D2, D3, D4, D5 and D6. D7 contains the address that will start the game after the copylock has
been run; we don't care about this. You probably should take note of these registers. Magic numbers are also returned
in some addresses; we won't dig into these now. I'll tell you the addresses when we make our patch.
Now it's time to find the copylock on disk. This is difficult since it's crunched, so we must find the crunched data, rip it
from disk and decrunch it. To help you a little I'll tell you where it's located: between tracks 45-59.
Remove the disk from the drive and reset the computer. When the Kickstart picture appears, enter AR and insert the COPY of disk 1.
Read the tracks into memory starting at location 30000: "RT 59 20 30000"; hit enter.
Let's find the start of the data. RNC crunched data files start with "RNC"; the hex bytes for this are "52 4E 43".
Type this and hit enter: "F 52 4E 43 30000". It returns two addresses; the first one (32A00) is the start of our data.
We can't find the exact end of the data, but it doesn't matter since ProPack only checks the start of the file. To find the end of the data
read into memory, type: "NQ 32A00"; hit enter.
A lot of crap will flash down your screen and it ends at address 5BF58. Now we have a start and an end address. So,
let's save this into a file. Insert a blank disk, and type this: "SM RNC, 32A00 5BF58"; hit enter. When done, copy
ProPack to this disk too and reset.
Type this in DOS to decrunch the file: "PROPACK U D RNC"; hit enter.
When done you should have a new file called "RNC.RNC". This is a big fella, ah? Ok, enter AR and
type: "LM RNC.RNC, D000"
The file is located between D000 - 7F775. Wow, almost fell over the edge. Just kidding. Take note of these two addresses.
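As an added illustration (not part of the original tutorial) of what the "F 52 4E 43 30000" search and the start/end addresses mean, this Python script scans a track dump the way AR does, but also parses the 18-byte ProPack header that follows the "RNC" signature, so it can reject stray "RNC" byte matches and compute the end of the packed stream from the header's packed-length field instead of estimating it from the "NQ" listing. The header layout assumed is the standard ProPack one; the dump, lengths and CRC values are constructed sample data.

```python
import struct

# "RT 59 20 30000" in Action Replay loads the tracks at 0x30000, so buffer
# offset 0 corresponds to AR address 0x30000 and every hit is base + offset.
AR_BASE = 0x30000
# Standard ProPack header (assumed layout): "RNC", method, unpacked len,
# packed len, unpacked CRC, packed CRC, leeway, chunk count = 18 bytes.
RNC_HEADER_LEN = 18

def parse_rnc_header(buf, off):
    """Parse the ProPack header at buf[off:]; return a dict, or None if it is not one."""
    if buf[off:off + 3] != b"RNC" or off + RNC_HEADER_LEN > len(buf):
        return None
    method = buf[off + 3]
    if method not in (1, 2):  # only methods 1 and 2 exist; anything else is a stray "RNC"
        return None
    unpacked, packed, ucrc, pcrc, leeway, chunks = struct.unpack_from(
        ">IIHHBB", buf, off + 4)
    return {
        "method": method, "unpacked_len": unpacked, "packed_len": packed,
        "unpacked_crc": ucrc, "packed_crc": pcrc, "leeway": leeway, "chunks": chunks,
        "start_addr": AR_BASE + off,
        # header plus packed payload: the end address the tutorial had to estimate
        "end_addr": AR_BASE + off + RNC_HEADER_LEN + packed,
    }

def find_rnc_files(buf):
    """Like 'F 52 4E 43 30000', but keep only hits that carry a valid header."""
    hits, off = [], buf.find(b"RNC")
    while off != -1:
        hdr = parse_rnc_header(buf, off)
        if hdr is not None:
            hits.append(hdr)
        off = buf.find(b"RNC", off + 1)
    return hits

def make_sample_dump():
    """Constructed track dump: one real header at offset 0x2A00 (AR address 32A00)
    and one stray 'RNC' byte match later on, mimicking the two hits the search returned."""
    hdr = b"RNC" + bytes([1]) + struct.pack(">IIHHBB", 0x72775, 0x1200, 0x1234, 0xABCD, 0, 1)
    return bytes(0x2A00) + hdr + bytes(0x1200) + b"RNC!" + bytes(64)

if __name__ == "__main__":
    for h in find_rnc_files(make_sample_dump()):
        print(f"RNC method {h['method']} at {h['start_addr']:X}, packed {h['packed_len']:X} bytes, "
              f"unpacked {h['unpacked_len']:X}, ends at {h['end_addr']:X}")
```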
Search for copylock signs with "F 48 7A"; hit enter. It returns two addresses. We are interested in the first one,
because this is the start of the copylock. Let's make a patch which returns the magic numbers in the registers AND the
addresses I mentioned earlier. Make a patch like this:
This patch will cause the file to get larger than the original when we crunch it. We deal with this by inserting a lot of
repeated code right after our patch. Repeated code is crunched more efficiently. Insert "NOP"s from address
7D582 till 7D600.
We still have one little problem. We have inserted an "RTS" at the end of the copylock, so it returns to its entry point. The
problem is that the copylock is started by a "JMP" command. This means we can't "RTS" our way back. So, let's
change that "JMP" to a "JSR", turning our patch into a subroutine. Disassemble address D000 and hold down enter
until you see this:
Notice address D070; this address jumps into the copylock routine. Alter the "JMP" to a "JSR". See bottom of the
It's time to save the file back to disk. Before you do this, delete the files called "RNC" and "RNC.RNC". Save memory with:
"SM RNC, D000 7F775"; hit enter.
Exit to DOS and type: "PROPACK P D RNC"; hit enter.
After some time, approx a week or two, it's finished and you should have a new file called "RNC.RNC". Enter AR, insert the
COPY of disk 1 and read the tracks into memory with: "RT 59 20 30000"; hit enter.
When done, insert the disk with your cracked file and load it into memory starting at location 32A00, see picture above.
Insert the COPY of disk 1 and write the tracks back with: "WT 59 20 30000"; hit enter.
Next step is... oh sorry, no next step, you're finished! Reset the computer and boot your newly cracked game.
And it works of course! Disk 1 and Disk 2 contain the same magic numbers,
so the game just calls the same copylock
whether you're playing from disk 1 or 2. I have playtested through the WHOLE game, and it worked fine all the way
to the final monster. So, we should be pretty safe with this one too.
Crack dedicated to sweet sweet Victoria.