Chuck Rock


Uga Buga

Author: rob
Submitted by: Rob
Date: 2004-11-28 00:26
Chuck Rock
© Core Design

1. Original game - find it on emunova.net
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
6. Copylock Decoder - find it on codetapper.com
7. Scientific calculator (built into Windows)

Start by making a copy of the original game disks. This is to determine the type of protection. You'll notice an error on track 0
on both disks. This is probably a Copylock protection.
The copy of the game crashes shortly after boot, because the Copylock check is failing.
Boot the game again and enter AR when the Core logo appears. Copylocks often start with a "PEA $$$$(PC)", so search
for the opcodes: F 48 7A. AR returns four addresses, because the Copylock is moved from one memory location
to another. Take note of address 6E5C; the Copylock starts here.

Disassemble address 6E5C and hold Enter down until you reach around address 778A. The Copylock ends around address
777E, and we have a compare of the magic number with D0 at address 7780. Take note of this.
Insert a blank disk and save out the Copylock: SM COPYLOCK,6E5C 7786
Start the Copylock Decoder and load in the saved Copylock:

CD will ask for the sync; choose $89?? - we have the original key disk. Insert disk 1 and press OK.

It then asks for the D3 register; choose $0000.

After a few seconds the decoded Copylock is ready to be saved. Insert the disk with the saved Copylock and press OK.

Fire up AR and load the decrypted Copylock into memory so we can have a look at it: LM COPYLOCK.DEC,40000

Address 403E6 is the one we are interested in. This code appears in most Copylocks, and it's here we'll wire in the magic
number. Once that is done there is no need for the disk-access part to be executed, so we can branch past it.
You can see the code is getting a little "weird" around address 40226; try disassembling address 40428 and hitting Enter
a few times. You'll notice a BRA at address 40430. This BRA also appears in most Copylocks, and this is the address
we'll branch to.

Assemble address 403E6 and insert the code you see in the picture above. We only do this so we can see the opcodes
for our patch, because we'll need them to calculate the encrypted opcodes. You can see the opcodes in the
picture above, marked in red.
To calculate the new encrypted opcodes, we'll need the encrypted opcodes of the long word instruction preceding
our changes.
The instruction before our changes starts at address 403E2.
Load the encrypted Copylock into memory, starting at address 40000: LM COPYLOCK,40000.

See the opcodes with M 403E2.
We now have everything we need to make the calculations.
XOR the encrypted opcodes with the non-encrypted opcodes and you'll get the new encrypted opcodes:

ENCRYPTED    NEW UNENCRYPTED    NEW ENCRYPTED
A47BF875     203C9B50           84476325

Last 2 bytes:
ENCRYPTED    NEW UNENCRYPTED    NEW ENCRYPTED
A47B         CBE8               6F93

Take the previous encrypted long word and XOR:
ENCRYPTED    NEW UNENCRYPTED    NEW ENCRYPTED
63256F93     60000042           03256FD1

The new encrypted opcodes for the Copylock then look like this: 84 47 63 25 6F 93 03 25 6F D1.
We simply replace the original opcodes in the Copylock with these new opcodes and it's cracked.
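The XOR table above, carried out in code. This is an added example, not part of the original tutorial: each new encrypted value is the row's key (the encrypted long word the tutorial pairs with it) XOR the new plaintext, and XOR-ing with the same key again recovers the plaintext, which is why the patched bytes decode correctly. The row keys are taken from the table as given, not derived.

```python
# Added example reproducing the tutorial's XOR arithmetic (not the
# tutorial's own code). Rows are (key, new unencrypted opcodes, width in
# bytes), copied from the table: key XOR plaintext = new encrypted value.
PATCH_ROWS = [
    (0xA47BF875, 0x203C9B50, 4),  # start of MOVE.L #<magic>,D0
    (0xA47B,     0xCBE8,     2),  # last word of the MOVE.L immediate
    (0x63256F93, 0x60000042, 4),  # BRA.W past the disk-access part
]


def encrypt_row(key: int, plain: int, width: int) -> int:
    """Return key XOR plain, masked to `width` bytes."""
    mask = (1 << (8 * width)) - 1
    return (key ^ plain) & mask


def decrypt_row(key: int, enc: int, width: int) -> int:
    """XOR is its own inverse: the same key recovers the plaintext."""
    return encrypt_row(key, enc, width)


def build_patch(rows=PATCH_ROWS) -> bytes:
    """Concatenate the encrypted rows into the bytes written back to the track."""
    out = bytearray()
    for key, plain, width in rows:
        out += encrypt_row(key, plain, width).to_bytes(width, "big")
    return bytes(out)


def as_ar_bytes(data: bytes) -> str:
    """Format like Action Replay's memory display, e.g. '84 47 63 25'."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    patch = build_patch()
    print(as_ar_bytes(patch))  # 84 47 63 25 6F 93 03 25 6F D1
    # Round trip: decrypting every row with its key gives the plaintext back.
    for key, plain, width in PATCH_ROWS:
        assert decrypt_row(key, encrypt_row(key, plain, width), width) == plain
```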
The Copylock is located on track 41. Insert the copy of disk 1 and read track 57 into memory starting at address 30000:
RT 72 2 30000.
We have the opcodes of the long word instruction preceding our changes.
Search for them, starting at address 30000: F A4 7B F8 75,30000.
AR returns address 31E56; see the opcodes with M 31E56.


The previous long word instruction is marked in red. The opcodes we need to change come right after and are
marked in white. Insert the new opcodes you calculated, marked in green. Don't forget to press Enter when done.
Write the track back: WT 72 2 30000.
And now... you are not finished.
There is also a Copylock track on disk 2, and it's executed when the game requests disk 2. The Copylock routine is
located on disk 1, in a ProPacked data file. Let's try to find a way to patch the decrunched Copylock before it's executed.
Copylock 2 is easy to crack, since the opcodes from Copylock 1 can be used.
Boot your newly cracked disk 1 and enter AR when prompted to insert disk 2. Search for the Copylock: F 48 7A.
AR returns addresses 15AEC and 15AFC. This means that Copylock 2 starts at address 15AEC; take note of this.
NDOS games often load data into either low or high chip memory. View memory with N 0 and stop when you reach around
address 1580:

Data at address 1000 seems to be the start of something. Check if anything jumps to this address with FA 1000.
AR returns two addresses, one of which is a JMP 1000.

Reboot the game and enter AR when the Core logo appears. Check if this jump already appears at this early stage of the game boot:
D 613A0. The jump does appear, and it's probably not even crunched. It would be really great if the Copylock
were already decrunched when the game performs the jump, but not executed yet.

Stick a breakpoint at address 613A0 (BS 613A0) and continue the game. After a while AR pops up. The Copylock started at
address 15AEC; disassemble this address and hit Enter a few times. You'll notice that the Copylock is decrunched and
the game hasn't executed it yet, since it hasn't requested disk two.
Let's take over this jump and change it to JMP C0, where we'll put a little patch that inserts the cracked opcodes into the
Copylock.
The jump is located on track 41 (found by trial and error); read it into memory starting at address 30000: RT 52 2 30000.
Search for the jump, starting at address 30000: FA 1000 30000.
AR returns address 319A0.

Assemble address 319A0, change the JMP 1000 to JMP C0 and write the track back; see the picture above.
We now have to determine where in the Copylock to insert the new opcodes. This Copylock is identical to Copylock 1, so we can
reuse the opcodes. Search for the opcodes of the long word instruction preceding our changes: F A4 7B F8 75.
AR returns address 15ECE; see the opcodes with M 15ECE.

The instruction we searched for is marked in red. The opcodes we want to change come right after; they are
marked in white. The new opcodes are marked in grey. Since we have to insert the opcodes with the MOVE
instruction, the easiest thing is to divide them into two long words and one word.
Long word 1 starts at address 15ED2 and is marked in yellow. Long word 2 starts at address 15ED6 and is marked
in green. The last word starts at address 15EDA and is marked in orange.
The next step is coding the patch and adding a track loader that moves it to address C0.
Read out track 0: RT 0 2 70000.
We now have track 0 in memory, starting at address 70000. Let's move the original boot block to another location on disk and
make a new boot block that moves our patch and the original boot block into memory, then executes the original boot block.
If you check address 71A00 with N 71A00, you'll notice that this offset on the disk is unused.
Move the original boot block to offset 1A00: TRANS 70000 70400 71A00.

Assemble address 70200 (offset $200 of the new boot block) and insert the following code:

70200  MOVE.L #84476325,15ED2   ; move first long word of the crack into the Copylock
7020A  MOVE.L #6F930325,15ED6   ; move second long word of the crack into the Copylock
70214  MOVE.W #6FD1,15EDA       ; move last word of the crack into the Copylock
7021C  JMP 1000.S               ; the jump we took over; jump back to the game

This little patch moves the new encrypted opcodes into the Copylock.
Assemble address 7000C and make the two track loaders:

The code from address 7000C to 70054 first moves the patch from offset $200 on disk into memory, starting at
address C0. It then moves the original boot block from offset $1A00 into memory, starting at address 60000, which is then
executed by the jump to address 6000C.
Addresses 7002A and 70050 can't be assembled with AR; insert the opcodes instead.
Correct the boot block checksum with BOOTCHK 70000 and write the track back: WT 0 2 70000.

Dedicated to sweet sweet Victoria.

Rob


Comments

2014-08-27 17:10

1. MiniChuck writes

Hi there, thought I would 'chuck' in a few points :) By no means am I an expert!

1. Haven't really managed to get my head around how you worked out the XOR'd new opcodes, but I shall try again later. How did you know they had been XOR'd in the first place? In a few places it mentions things underlined in red or orange for example, and there is no red/orange colour in the screenshot?

2. I know it is always best practice to emulate what the copylock does, and wire in any keys, but a method I have found to work with Chuck Rock is: You can read in track 57, rt !114 1 40000, and search for opcodes 4E F9 00 00 20 00, this is 5B0A JMP 2000, which is the jmp to the first location the copylock appears, before apparently being copied to 6E5C??, and we can change this to 4E F9 00 00 292C, so now we are jumping over to the end of the copylock @ 292C. Disk now continues loading after the first Core Design logo :) Even though there is a copylock track on disk 2, the copylock code used to verify it is loaded from disk one. Trying to simply jump over this copylock did not work. This copylock is from 15AEC - 16448ish, at around 16416 we see a CMP key statement and then a BNE statement. By changing this BNE to a BEQ the game continues to load OK after asking for disk 2. :) For this read in track 50, side 2 on disk 1. rt !101 1 40000, search for opcodes 66 30 4E B8 and change to 67 30 4E B8. By just changing 3 bytes the game no longer crashes and loads OK :)...............

3. Or so I am still wondering. Using the cheat I tried to check if the game loads OK all the way through. I have noticed that the following levels do not load correctly (screen all messed up): Level 2 - 5, Level 3 - 4, Level 3 - 5, Level 4 - 5, Level 5 - 4, Level 5 - 5. At first I thought it may be my lame crack :), but I have tried many adf versions, the ipf version and the flashtro trainer version and all crash on these levels.
You are able to quickly jump past these levels, and I have managed to go all the way through to the end sequence with my crack version. I'm not sure if this is down to my winuae config? Just wondering if others have found this too? The cheat I used to test this was typing "mortimer" and "turn frame" on the title screen, and then using keys 1 - 5 for level skip, and keys F1 - F5 for sub level skip. MC:/
2014-08-27 17:12

2. MiniChuck writes

Sorry about the horrible formatting. I also see you still cannot edit messages, some Ajax error message?
Reply to comment #2
2014-08-28 00:20

3. musashi9 writes

I have sent Rob (author of this tutorial) a MSG hopefully he will come back to flashtro and check. Although it has been some years since he left. About the edit error, hmm it works for me but I do know there is a 10 min edit period and after that it may not let you edit.
Reply to comment #3
2014-08-28 07:21

4. MiniChuck writes

Hi again, just tried to edit the last message again. Console reports: Request URL: http://www.flashtro.com/index.php?r=rcomm Request Method: POST Status Code: HTTP/1.1 403 Forbidden, and a javascript pop-up stating 'AJAX error:[object Pbject]' is displayed. Not a big thing, more interested in the CR questions though, as I work with webdev issues all day :). Thanks again. MC
2014-08-28 07:15

5. MiniChuck writes

Hi musashi9, thanks for the update. I appreciate this article was originally written way back in 2004, only 10 yrs ago; it's taken me 25 years to discover this stuff anyhow!! :). I have tried to edit messages twice now within the 10 minute expiry, and still no joy. Do you know if there is any reason some levels in CR are not loading properly? Rgds Mc
Reply to comment #5
2014-08-28 10:53

6. musashi9 writes

The error could be because you are not a logged-in member? Regarding Chuck Rock, I just tested 2 versions and you are right, it does crash on 2-5, but this is because there is no such level. Level 2-4 = BOSS and if you kill him it goes straight to 3-1. I am not sure about the other corrupted levels but it could be a similar case.