Submitted by: Rob
Date: 2004-12-17 02:06
© Team 17
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
6. Copylock Decoder (find it on Aminet)
7. Scientific calculator (built into Windows)
Start by making a copy of the original game. This is to determine the type of protection.
You'll notice an error on track 0 on both disks. This is very likely a copylock protection.
When you boot the game, it loads a little, decrunches some data and executes a copylock. The copylock fails, but the game
continues to load. You can actually start playing level one without any problems. When you have played for 2 mins,
the game crashes, the work of the copylock. Thanks to Musashi9 for discovering the crash point.
This is a sneaky copylock that needs to be decrypted, so let's start by ripping it from disk.
Boot the copy of the game and enter AR when the Team 17 logo appears.
Search for the copylock with F 48 7A. AR returns three addresses. There is $10 between the first two, a typical sign
of a copylock. Disassemble address 4038 and hold enter down until you reach around address 495E.
You'll see tons of encrypted code, and it seems to end around address 4954, where the normal code starts again.
Insert a blank disk and save copylock: SM COPYLOCK,4038 4958.
Start copylock decoder and load in saved file:
CD asks for the sync. Choose $89??, since we have the original key disk. Insert original disk 1 and press OK.
It then asks for the value of D3. Choose $100F, since D3 is not set to 0 when the copylock is executed.
You can find the value of D3 by setting a breakpoint on the first PEA in the copylock, before it's executed.
After a few secs, the decrypted copylock is ready to be saved. Insert the disk with the copylock on it and press OK.
You should now have a decrypted copylock called "copylock.dec".
Copylock Decoder will also show you a decryption routine, just press OK to this.
Enter AR and load decrypted copylock into memory, starting at address 30000: LM COPYLOCK.DEC,30000
Disassemble address 30000 and stop when this appears:
Notice address 30512, it moves D6 to address FF8. This is REALLY important, since it's the magic number being
copied to a memory address.
We now know that the magic number is returned at address FF8; take note of this.
Boot the original game and enter AR when the Team 17 logo appears; the copylock has been executed by this time.
Let?s see what we have at address FF8: M FF8.
The magic number is marked with red. Load the decrypted copylock into memory, starting at address 30000:
Disassemble address 30000 and stop when this appears:
Address 403E0 is the one we are interested in. This code will appear in most copylocks, and it's here we'll wire the magic
number. But should it be returned in D0 or D6? Notice that the code is getting a little weird around address 30476.
Try to disassemble address 30470 and hit enter a few times:
Some new code appears. Notice address 3047A, it moves D6 to D0. Also take note of address 30480, it branches
to the "second" part of the copylock, which messes with memory and registers. If you disassemble address 3082C, you'll
see the copylock is messing a lot with D0, so let's assume D0 is the right register to return the magic number in.
When you are finished cracking the copylock, compare the registers after the original copylock has run with those after the cracked copylock;
if they are the same, you got it right.
We now know where to return the magic number, but there is no need for the disk access part to be executed. If we branch to
address 30480 after returning the magic number in D0, the disk access won't be executed.
Assemble address 30436 and insert the code you see in the picture beneath. We only do this so we can see the opcodes
for our patch, because we'll need them to calculate the encrypted opcodes. You can see the opcodes in the
To calculate the new encrypted opcodes, we'll need the encrypted opcodes for the long word instruction previous to
The previous long word instruction to our changes started at address 30432.
Load encrypted copylock into memory, starting at address 30000: LM COPYLOCK,30000.
See the opcodes with M 30432.
We now have everything we need to make the calculations.
XOR the encrypted opcodes with the non-encrypted opcodes and you'll get the new encrypted opcodes.
We rewrite the word instruction 6042 to a long word instruction by adding the extra 0's.
The next step is getting these new opcodes into the copylock somehow. The copylock is located in a ProPack'ed file,
but it can't be decrunched normally, because the programmers have corrupted something in it. So instead, we have
to find a way to patch the decrunched data before it's executed.
Boot the copy of the game and enter AR when it begins to load. Press D + enter to disassemble the actual program.
Seems like we are in the 78000 area of memory.
Disassemble address 78000 and hold enter down until you reach around 780BC. This looks like an interesting address,
jumps are always interesting.
Stick a breakpoint on address 780BC and exit AR. After a few secs, AR pops up. Notice that the track counter hasn't
moved to 0, or you haven't heard the drive grinding sound yet.
We have the opcodes for the previous long word instruction to our changes. Let's search for them and if they appear, we
know that address 780BC jumps to the decrunched data.
Search for the opcodes: F A3 98 F8 75. AR returns address 446A. See the opcodes with M 446A.
The instruction we searched for is marked with red. The opcodes we wanted to change came right after. They are
marked with white. The new opcodes are marked with grey. Since we have to insert the opcodes with the MOVE
command, the easiest thing is to divide them into two long words and one word.
Long word 1 starts at address 446E and it's marked with yellow. Long word 2 starts at address 4472 and it's marked
with green. The last word starts at address 4476 and it's marked with orange.
We now know which jump to take over, and we know which addresses of the copylock to patch. Insert the copy of the game.
Let's find the JMP 4000.S on disk and alter it to JMP C0.S, where we'll place a little patch that "takes care" of the
copylock. The JMP 4000.S is located on track 1; read it into memory, starting at address 30000: RT 2 2 30000.
Search for the JMP: FA 4000 30000.
AR returns four addresses and we are interested in 300BC; assemble this address and insert a JMP C0.S, see picture above.
Write track back: WT 2 2 30000.
The patch can be located on the boot block, since there are plenty of free bytes there.
Read boot block into memory, starting at address 70000: RT 0 1 70000. See boot block with N 70000 + enter.
Let's add the patch at address 70200 and put the track loader for the patch at address 70100.
Let's find out how to call the track loader. Disassemble address 7000C and hit enter a few times.
We have a BRA 7002A at address 7000E.
Let's change this to BRA 70100. Assemble address 7000E and insert BRA 70100.
Assemble address 70100 and write the track loader:
70100; MOVEA.L 00000004.S,A6; exec base
70104; MOVE.W #2,1C(A1); cmd read
7010A; MOVE.L #C0,28(A1); destination address for data
70112; MOVE.L #200,24(A1); amount of data to read
7011A; MOVE.L #200,2C(A1); offset on disk to read from
70122; JSR -1C8(A6); I/O
70126; BRA 7002A; branch we took over
You can't assemble address 70122 with AR, so insert the opcodes instead, see picture above.
This track loader moves $200 of data into memory, starting on address C0, from offset $200 on disk.
So we better put our patch at address 70200:
70200; MOVE.L #83A418CE,446E.S; move first long word of new encrypted code into copylock
70208; MOVE.L #C3C778CE,4472.S; move second long word of new encrypted code into copylock
70210; MOVE.W #C385,4476; move last word of new encrypted code into copylock
70216; MOVE.L #E0BB605F,FF8.S; wire magic number to address FF8.S. We don't execute the key calculation routine in the copylock, where the magic number is moved to address FF8, therefore we do it here!
7021E; JMP 4000.S; jump into decrunched data
Correct the boot block checksum, or the game won't boot: BOOTCHK 70000. Finally write the track back: WT 0 1 70000.
I have done a lot of play testing with this one and there SEEMS not to be other protections...
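The boot block checksum that BOOTCHK repairs, as an added example in Python (not code from the original tutorial): the 256 longwords of the 1024-byte boot block must sum, with end-around carry, to $FFFFFFFF, and the longword at offset 4 is the correction term. The sample block below is constructed; its only content is the DOS tag and one filler instruction.

```python
# Added example: AmigaDOS boot block checksum, the check that BOOTCHK fixes.
# Any edit to the boot block (such as the loader and patch written above)
# invalidates this checksum, and the ROM refuses to boot from the disk.

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors
MASK = 0xFFFFFFFF


def _sum_with_carry(block: bytes) -> int:
    """Sum all 256 big-endian longwords, folding each carry back into bit 0."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        total += int.from_bytes(block[off:off + 4], "big")
        if total > MASK:           # carry out of bit 31: add it back in
            total = (total & MASK) + 1
    return total


def bootblock_checksum(block: bytes) -> int:
    """Value the longword at offset 4 must hold so the whole block sums to $FFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    zeroed = bytearray(block)
    zeroed[4:8] = b"\0\0\0\0"      # the checksum field itself is summed as zero
    return (~_sum_with_carry(bytes(zeroed))) & MASK


def fix_bootblock(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum at offset 4 (what BOOTCHK does)."""
    fixed = bytearray(block)
    fixed[4:8] = bootblock_checksum(block).to_bytes(4, "big")
    return bytes(fixed)


def bootblock_is_valid(block: bytes) -> bool:
    """True when the longwords sum (with end-around carry) to exactly $FFFFFFFF."""
    return len(block) == BOOTBLOCK_SIZE and _sum_with_carry(block) == MASK


# Constructed sample block: 'DOS\0' tag plus one filler instruction
# (MOVEA.L 4.S,A6 = 2C78 0004) standing in for boot code. Not a real disk image.
_sample = bytearray(BOOTBLOCK_SIZE)
_sample[0:4] = b"DOS\0"
_sample[0x100:0x104] = bytes.fromhex("2C780004")
SAMPLE = bytes(_sample)            # as written by a patcher: checksum still wrong
FIXED = fix_bootblock(SAMPLE)      # after the BOOTCHK-style repair
```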