ChuckRock 2 son of chuck


What's the magic number?

Author: rob
Submitted by: Rob
Date: 2004-08-01 17:58

Chuck Rock II - Son Of Chuck
Core Design


You will need the following:

1. Original game - find on
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. 1 blank disk
6. Pro-Pack v2.08 - find on
7. X-Copy or some similar program
8. Basic knowledge of file handling

Start by making a copy of the original game disks. You will notice an error on track 0 on both disks.
This is probably a copylock (or you have a problem with your disk drive...).
Boot the copy of disk 1. The Core logo appears and the game loads.
After a while the logo disappears and the track counter goes to track 0. It hangs there a few seconds and the game seems to be starting.
When you press "start" at the title menu, the game continues to load and this screen appears:

After this screen, your computer crashes. This doesn't happen with the original game, so the copylock routine must have
done "something" to the game, causing it not to work. We could crack it by bypassing the whole copylock, but this
probably wouldn't work, because the game continues to load after the copylock has run. So the game must be using
the magic number(s) for something "useful". So, let's find these numbers.
Boot the original game and, at the exact moment the Core logo disappears and the track counter goes to track 0, enter AR.
Do a HEX search for 48 7A (the opcode of PEA d16(PC)); a copylock often starts with this. See picture:

It returns two addresses; disassemble the first one with "D 19716" and hit enter a few times. Notice the "PEA" and "ILLEGAL":
these are typical signs of a copylock. Continue disassembling by holding down enter, until you see something like this:

The copylock ends at address 1A01C, and address 1A01E jumps back to the game. Let's make a loop routine after the magic numbers have been returned. Do this by
inserting a BRA at address 1A01E branching to address 1A01E (a branch to itself, so the machine spins there with the registers intact).
See picture:

Exit AR. The game goes to track 0 and then hangs at track 59. Enter AR, press "R" followed by enter. You should see this:

Ok, I can tell you that we have multiple magic numbers; it's not enough just to return D0. We are interested in the
following registers: D0, D2, D3, D4, D5 and D6. D7 contains the address that will start the game after the copylock has
been run; we don't care about this. You should take note of these registers. Magic numbers are also returned
in some memory addresses; we won't dig into these now. I'll tell you the addresses when we make our patch.
Now it's time to find the copylock on disk. This is difficult since it's crunched, so we must find the crunched data, rip it
from disk and decrunch it. To help you a little I'll tell you where it's located: between tracks 45-59.
Remove the disk from the drive and reset the computer. When the Kickstart picture appears, enter AR and insert the COPY of disk 1.
Read the tracks into memory starting at location 30000: "RT 59 20 30000"; hit enter.

Let's find the start of the data. RNC crunched data files start with "RNC"; the hex bytes for this are 52 4E 43.
Type this and hit enter: "F 52 4E 43 30000". It returns two addresses; the first one (32A00) is the start of our data.
We can't find the exact end of the data this way, but it doesn't matter since ProPack only checks the start of the file. To find the end of the data
read into memory, type: "NQ 32A00"; hit enter.

A lot of junk will flash down your screen and it ends at address 5BF58. Now we have a start and an end address. So,
let's save this to a file. Insert a blank disk, and type: "SM RNC, 32A00 5BF58"; hit enter. When done, copy
ProPack to this disk too and reset.
Type this in DOS to decrunch the file: "PROPACK U D RNC"; hit enter.
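The two searches above ("F 52 4E 43 30000" for the RNC header and "F 48 7A" for the copylock entry) can be replayed on a track dump outside the Amiga. The script below is an added example, not part of the original tutorial: it scans a buffer for RNC ProPack headers, parses the 18-byte header (method byte, unpacked and packed lengths, the two CRC-16 fields, leeway and chunk count) so the exact end of the packed data is known instead of guessing it with NQ, and flags word-aligned PEA d16(PC) instructions that have an ILLEGAL nearby. The sample dump, the 64-byte window for the ILLEGAL heuristic and the base address 30000 are constructed assumptions for the demonstration.

```python
"""Locate RNC ProPack archives and Copylock signatures in a memory/track dump.

Added example, not from the original tutorial. The sample dump built by
build_sample_dump() is constructed and does not contain real game data.
"""
import struct

RNC_MAGIC = b"RNC"
RNC_HEADER_LEN = 18          # "RNC", method, 2x u32 lengths, 2x u16 CRCs, leeway, chunks
PEA_PC_D16 = b"\x48\x7a"     # 68000 PEA d16(PC): the instruction a Copylock usually opens with
ILLEGAL = b"\x4a\xfc"        # 68000 ILLEGAL: the trap trick the tutorial calls a "typical sign"
SCAN_WINDOW = 64             # assumption (heuristic): ILLEGAL within this many bytes of the PEA


def find_all(buf, pattern):
    """Every offset where pattern occurs, like Action Replay's F command (any alignment)."""
    hits, pos = [], buf.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(pattern, pos + 1)
    return hits


def parse_rnc_header(buf, off):
    """Decode the 18-byte RNC ProPack header at off; raise ValueError if it is not one."""
    hdr = buf[off:off + RNC_HEADER_LEN]
    if len(hdr) < RNC_HEADER_LEN or hdr[:3] != RNC_MAGIC:
        raise ValueError("no RNC header at offset 0x%X" % off)
    method = hdr[3]
    if method not in (1, 2):                      # ProPack methods: 1 (normal) or 2 (stream)
        raise ValueError("bad RNC method 0x%02X at offset 0x%X" % (method, off))
    unpacked, packed, crc_u, crc_p, leeway, chunks = struct.unpack(">IIHHBB", hdr[4:])
    if packed == 0 or off + RNC_HEADER_LEN + packed > len(buf):
        raise ValueError("RNC at offset 0x%X runs past the end of the dump" % off)
    return {"offset": off, "method": method, "unpacked_len": unpacked,
            "packed_len": packed, "crc_unpacked": crc_u, "crc_packed": crc_p,
            "leeway": leeway, "chunks": chunks,
            "end": off + RNC_HEADER_LEN + packed}  # first byte after the archive


def scan_dump(buf, base=0x30000):
    """Return (archives, copylock_entries) as Amiga addresses for a dump loaded at base."""
    archives = []
    for off in find_all(buf, RNC_MAGIC):
        try:
            h = parse_rnc_header(buf, off)
        except ValueError:
            continue                               # e.g. the text "RNC.RNC", not a header
        h["start_addr"], h["end_addr"] = base + h["offset"], base + h["end"]
        archives.append(h)
    copylocks = []
    for off in find_all(buf, PEA_PC_D16):
        if off % 2:
            continue                               # 68000 code is word-aligned
        if ILLEGAL in buf[off:off + SCAN_WINDOW]:
            copylocks.append(base + off)
    return archives, copylocks


def build_sample_dump():
    """Constructed stand-in for the 'RT 59 20 30000' read; not real disk contents."""
    dump = bytearray(0x4000)
    payload = bytes(range(256)) * 2               # 0x200 bytes of fake packed data
    hdr = RNC_MAGIC + bytes([1]) + struct.pack(">IIHHBB", 0x800, len(payload),
                                               0x1234, 0x5678, 0, 1)
    dump[0x2A00:0x2A00 + len(hdr) + len(payload)] = hdr + payload
    dump[0x0100:0x0107] = b"RNC.RNC"              # false positive: 'RNC' text, method byte is '.'
    # PEA 18(PC); ILLEGAL; NOP; NOP -- a copylock-looking entry at dump offset 0x3000
    dump[0x3000:0x300A] = b"\x48\x7a\x00\x12\x4a\xfc\x4e\x71\x4e\x71"
    return bytes(dump)


if __name__ == "__main__":
    archives, copylocks = scan_dump(build_sample_dump())
    for a in archives:
        print("RNC method %d at %X: packed %X bytes, ends at %X, unpacks to %X bytes"
              % (a["method"], a["start_addr"], a["packed_len"], a["end_addr"], a["unpacked_len"]))
    for addr in copylocks:
        print("possible Copylock entry (PEA d16(PC) + ILLEGAL) at %X" % addr)
```

On a real dump the packed length from the header gives a tighter end address than the NQ scroll, which is all that ProPack needs; the second "RNC" hit the tutorial mentions is the kind of false positive the method-byte check discards.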

When done you should have a new file called "RNC.RNC". This is a big fella, eh? Ok, enter AR and
type: "LM RNC.RNC, D000"

The file is located between D000 - 7F775; wow, almost fell over the edge. Just kidding. Take note of these two addresses.
Search for copylock signs with: "F 48 7A"; hit enter. It returns two addresses. We are interested in the first one,
because this is the start of the copylock. Let's make a patch which returns the magic numbers in the registers AND the
addresses I mentioned earlier. Make a patch like this:

This patch will cause the file to get larger than the original when we crunch it. We deal with this by inserting a lot of
repeated code right after our patch, because repeated code is crunched more efficiently. Insert NOPs from address
7D582 to 7D600.

We still have one little problem. We have inserted an "RTS" at the end of the copylock, so it returns to its entry point. The
problem is that the copylock is started by a "JMP" instruction. This means we can't "RTS" our way back. So, let's
change that "JMP" to a "JSR", turning our patch into a subroutine. Disassemble address D000 and hold down enter
until you see this:

Notice address D070; this address jumps into the copylock routine. Alter the "JMP" to a "JSR". See the bottom of the
picture above.
It's time to save the file back to disk. Before you do this, delete the files called "RNC" and "RNC.RNC". Save memory with:
"SM RNC, D000 7F775"; hit enter
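The patch picture itself is missing from the page, so here is an added example (not the tutorial's own patch bytes) that assembles the same kind of replacement for the copylock: MOVE.L #imm,Dn for each register, MOVE.L #imm,abs for each memory location, an RTS, NOP padding so the crunched file does not outgrow the original, and the JMP-to-JSR change at the call site. On the 68000, JMP is 4EC0|ea and JSR is 4E80|ea, so the conversion is just clearing bit 6 of the opcode word (4EF9 becomes 4EB9 for an absolute long target). The register values are placeholders; the only value the page gives is D6 = 0D038C92, which comment #5 reports at $100, $130C and $13D2, and the sample image, its base address and the copylock/call-site addresses are constructed for the demonstration, not the game's real layout.

```python
"""Assemble a Copylock replacement stub and turn its JMP entry into a JSR.

Added example, not from the original tutorial. Magic values other than D6
are placeholders, and the image built by build_sample_image() is constructed.
"""
import struct

NOP = b"\x4e\x71"
RTS = b"\x4e\x75"
BRA_SELF = b"\x60\xfe"          # BRA.S to itself: the "hang here" loop the text uses in AR

# Placeholder magic numbers (assumption); only D6 comes from the page's comment thread.
MAGIC_REGS = {0: 0x11111111, 2: 0x22222222, 3: 0x33333333,
              4: 0x44444444, 5: 0x55555555, 6: 0x0D038C92}
MAGIC_MEM = {0x100: 0x0D038C92, 0x13D2: 0x0D038C92}   # addresses named in comments #5 and #8


def move_l_imm_dreg(n, value):
    """MOVE.L #value,Dn  -> opcode 203C with the register number in bits 9-11."""
    return struct.pack(">HI", 0x203C | (n << 9), value & 0xFFFFFFFF)


def move_l_imm_abs(addr, value):
    """MOVE.L #value,(addr): 21FC with a word address, 23FC with a long address."""
    if addr < 0x8000:
        return struct.pack(">HIH", 0x21FC, value & 0xFFFFFFFF, addr)
    return struct.pack(">HII", 0x23FC, value & 0xFFFFFFFF, addr)


def build_copylock_stub(regs, mem, size):
    """Register and memory loads followed by RTS, NOP-padded to exactly size bytes."""
    if size % 2:
        raise ValueError("stub size must be even (68000 instructions are word-aligned)")
    code = b"".join(move_l_imm_dreg(n, v) for n, v in sorted(regs.items()))
    code += b"".join(move_l_imm_abs(a, v) for a, v in sorted(mem.items()))
    code += RTS
    if len(code) > size:
        raise ValueError("stub is %d bytes, does not fit in %d" % (len(code), size))
    return code + NOP * ((size - len(code)) // 2)


def jmp_to_jsr(word):
    """Clear bit 6 of any JMP opcode (4EC0-4EFF) to get the matching JSR."""
    if word & 0xFFC0 != 0x4EC0:
        raise ValueError("opcode %04X is not a JMP" % word)
    return word & ~0x0040


def patch_file(image, file_base, copylock_addr, stub, call_site_addr):
    """Overwrite the copylock with stub and convert the JMP at call_site_addr to JSR."""
    img = bytearray(image)
    off = copylock_addr - file_base
    if off < 0 or off + len(stub) > len(img):
        raise ValueError("stub does not lie inside the file")
    img[off:off + len(stub)] = stub
    j = call_site_addr - file_base
    word = struct.unpack_from(">H", img, j)[0]
    if word == 0x4EF9:                                 # JMP abs.L: check it really targets the stub
        target = struct.unpack_from(">I", img, j + 2)[0]
        if target != copylock_addr:
            raise ValueError("JMP at %X targets %X, not the copylock at %X"
                             % (call_site_addr, target, copylock_addr))
    struct.pack_into(">H", img, j, jmp_to_jsr(word))
    return bytes(img)


def build_sample_image(file_base=0xD000, copylock_addr=0xD500, call_site=0xD070):
    """Constructed decrunched file: zeros, a JMP abs.L to the copylock, and a fake copylock."""
    img = bytearray(0x800)
    struct.pack_into(">HI", img, call_site - file_base, 0x4EF9, copylock_addr)
    img[copylock_addr - file_base:copylock_addr - file_base + 6] = b"\x48\x7a\x00\x12\x4a\xfc"
    return bytes(img)


if __name__ == "__main__":
    stub = build_copylock_stub(MAGIC_REGS, MAGIC_MEM, 0x100)
    patched = patch_file(build_sample_image(), 0xD000, 0xD500, stub, 0xD070)
    print("call site:", patched[0x70:0x76].hex())          # 4eb9 0000 d500
    print("stub head:", stub[:12].hex())                    # 203c 1111 1111 243c 2222 2222
```

The target check in patch_file is the step worth keeping when doing this by hand: converting a JMP that goes somewhere other than your stub turns a working game into a crash that looks like a bad magic number.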

Exit to DOS and type: "PROPACK P D RNC"; hit enter.

After some time (approximately a week or two) it's finished and you should have a new file called "RNC.RNC". Enter AR, insert the
COPY of disk 1 and read the tracks into memory with: "RT 59 20 30000"; hit enter.

When done, insert the disk with your cracked file and load it into memory starting at location 32A00; see the picture above.
Insert the COPY of disk 1 and write the tracks back with: "WT 59 20 30000"; hit enter.

Next step is... oh sorry, no next step, you're finished! Reset the computer and boot your newly cracked game.

And it works, of course! Disk 1 and Disk 2 contain the same magic numbers, so the game just calls the same copylock
whether you're playing from disk 1 or 2. I have playtested through the WHOLE game, and it worked fine all the way
to the final monster. So, we should be pretty safe with this one too.
Crack dedicated to sweet sweet Victoria.

2005-06-12 15:11

1. Rob writes

If you want to avoid the repacking stuff, I have included a bootblock crack.
Just install the supplied bootblock on a fresh copy of disk 1 and game is cracked.
When background turns green at the Core logo, press LMB for unlimited life & energy or RMB for normal game.
Boot block can be downloaded in top of this tutorial.
Reply to comment #1
2014-08-14 14:53

2. MiniChuck writes

Where can I find the boot block download? (Can't seem to find the download at the top of the tutorial), and is there a tutorial covering how this method works? Rgds MC
Reply to comment #2
2014-08-14 14:57

3. MiniChuck writes

I meant to also say that I can't seem to find the download at the top of the tutorial, like it says? Also when trying to edit the previous comment, I'm getting a JS Ajax error message appearing? Hence why I have commented again. Rgds MC
Reply to comment #2
2015-08-23 08:54

4. Rob writes

I do not seem to have the bootblock anymore. If you are still interested, I can make a new one. Regards
Reply to comment #1
2014-08-14 16:29

5. MiniChuck writes

Me again ;), when looking here I find the value of reg D6 (0D038C92) is also in address 100, 130C and address 13D2. Is there any reason why we only patch D6 into address 13D2, and not the other 2 addresses? Appears to work OK anyhow. Rgds MC
2014-08-14 23:04

6. musashi9 writes

I think Rob removed all the bootblock images because he feared there could be a copyright issue with the site hosting them. I guess he can upload to a free download site and add a link here in the comments if he still has the bootblock
Reply to comment #6
2014-08-15 17:15

7. MiniChuck writes

Hairy Muff :), hope it surfaces somewhere, that would make for an interesting read. With regards to comment 4, is there any reason why we only patch D6 into address 13D2, and not the other 2 addresses (100 & 130C)? I thought 100 was a common place to stick the key? Rgds MC
Reply to comment #7
2015-08-23 08:49

8. Rob writes

A little late... Don't remember this one 100%, but you are right about $100, the key should be stored there too, it is the proper thing to do. It will not make any difference to this game, as the key is not checked at $100. The key at 13d2 is probably just part of the copylock stack.
Reply to comment #8
2015-08-23 09:01

9. sim writes

Good article! And commenting after the gap of 10 years RULEZ HARD =)!