Submitted by: musashi9
Date: 2004-08-03 16:13
You will need the following:
1. Original game (find on romshare.com)
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. You will notice an error on track 0. This is most likely to be
Boot the copy of the game. The game seems to load just fine and this screen appears.
If you press fire here, the game continues to load and suddenly the track counter goes to track 0. A few seconds later, your
computer crashes. This doesn't happen with the original game, so this must be a copylock routine kicking in.
Reboot the game and, when you see the picture above, enter AR. Copylocks often start with a PEA; the opcode for this
is 48 7A. Search for the opcode by typing "F 48 7A" and hitting enter. It will return four addresses, see pic:
We are interested in address 18164. Disassemble it with "D 18164" and hit enter a few times. You will see
typical signs of a copylock routine. Let's find the end of the copylock: hold down enter until you see something like this:
The copylock stops at address 18A3C. Address 18A40 moves address 32D42 into A7, but the interesting part is
coming now. Address 18A46 compares a number with D0, and if it is not equal it sends the game into some
strange code, causing the game to crash. This is done by the BNE at address 18A4C. The number it compares
to D0 must be the magic number. The best way to crack this would be to move the magic number into D0 and branch to the end of
the copylock. A little later we will make such a patch. To test our theory, let's remove that BNE at address 18A4C. Assemble
address 18A4C with "A 18A4C"; hit enter, type "NOP"; hit enter, type "NOP" again and hit enter.
Press Esc, and exit AR with X.
Start the game and see what happens.
It works! Notice that the track counter still returns to track 0. When we make our patch, we will deal with this.
Since this is an NDOS game, we must read the raw tracks into memory and search for the copylock. To save time I'll
tell you which tracks the copylock is located on: tracks 58 and 59. Read them into memory starting at location 30000.
Type "RT 74 4 30000" and hit enter. Search for the copylock with "F 48 7A"; hit enter.
Take note of the first address (34564), because this is where we will insert our patch. To find the end of the copylock, disassemble
address 34564 with "D 34564" and hold down enter until you see this:
The copylock ends at address 34E40, and we have the magic number at address 34E46. Now we have all the information to make
a patch. Assemble address 34564 and type this in:
34564 MOVE.L #6D10B13A,D0; MOVE MAGIC NUMBER INTO D0
3456A BRA 34E40; BRANCH TO END OF COPYLOCK
When done, write the tracks back with "WT 74 4 30000" and hit enter. Reset the computer and start the game.
Notice that the track counter stays off track 0. This is because we have inserted the magic number into D0 and then bypassed
the whole copylock routine by branching to the end of it.
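As an added example (not part of musashi9's tutorial), here is a small Python check that tells whether the copylock entry at 34564 in a track dump still begins with the PEA (48 7A) or has been replaced by the MOVE.L/BRA stub from the patch above, decoding the magic number and branch target when it finds the stub. The track buffer it scans is constructed in the script, not a real disk dump.

```python
import struct

# 68000 opcode words for the instructions the tutorial talks about.
PEA_PC_DISP = 0x487A    # PEA d16(PC): the "48 7A" that the AR search looks for
MOVE_L_IMM_D0 = 0x203C  # MOVE.L #imm32,D0
BRA_W = 0x6000          # BRA.W (16-bit displacement)

def decode_bypass_stub(buf, base, addr):
    """If the 10 bytes at Amiga address `addr` (buf starts at `base`) are
    MOVE.L #imm,D0 ; BRA.W target, return (imm, target), else None."""
    off = addr - base
    if off < 0 or off + 10 > len(buf):
        return None
    op, imm, bra, disp = struct.unpack_from(">HIHh", buf, off)
    if op != MOVE_L_IMM_D0 or bra != BRA_W:
        return None
    # A BRA.W displacement is relative to the address of the displacement
    # word, which is the BRA opcode address (addr + 6) plus 2.
    return imm, addr + 8 + disp

def classify_copylock_entry(buf, base, addr):
    """Label the copylock entry: 'intact' when it still begins with PEA,
    'bypassed' when it has been replaced by the MOVE.L/BRA stub, else
    'unknown'. The decoded stub (if any) is the second element."""
    off = addr - base
    if 0 <= off and off + 2 <= len(buf):
        if struct.unpack_from(">H", buf, off)[0] == PEA_PC_DISP:
            return "intact", None
    stub = decode_bypass_stub(buf, base, addr)
    return ("bypassed", stub) if stub else ("unknown", None)

def sample_track_buffer(patched):
    """Constructed stand-in for the tracks read to 30000 in the tutorial
    (not a real disk dump): zeros, with either the original PEA word or
    the tutorial's 10-byte patch placed at address 34564."""
    base, entry = 0x30000, 0x34564
    buf = bytearray(0x6000)
    if patched:
        struct.pack_into(">HIHh", buf, entry - base, MOVE_L_IMM_D0,
                         0x6D10B13A, BRA_W, 0x34E40 - (entry + 8))
    else:
        struct.pack_into(">H", buf, entry - base, PEA_PC_DISP)
    return bytes(buf), base

if __name__ == "__main__":
    for patched in (False, True):
        buf, base = sample_track_buffer(patched)
        print(patched, classify_copylock_entry(buf, base, 0x34564))
```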
Hope you enjoyed this basic copylock crack.
Dedicated to sweet sweet Victoria...