Chaos Engine 2

Hits: 5530

Wow this is a big one

Author: rob
Submitted by: Rob
Date: 2005-02-14 00:54
No tags
Chaos Engine 2
? Bitmap Brothers


1. Original game ? find on
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
6. Copylock Decoder ? find on
7. Scientific calculator (build into windows)

Note! Addresses may differ on your computer, due to different memory configurations

Start by making a copy of original game. This is to determine type of protection. You?ll notice an
error on track 0, on all three disks. Only disk 1 holds a REAL copylock track, disk 2 & 3 is NOT copylock tracks.
When copy of game is executed, a screen like this will appear short after boot:

Hmm? Enter AR and search for start of the copylock: F 48 7A. AR returns? many references?
Copylock starts at address C19014 ? the next ? PEA $$$$ (PC) ? is $10 away, on address C19024 ? typical sign
for a copylock.

Insert a blank disk and save copylock: SM COPYLOCK,C19014 C20000 ? then we should have all code with us:)
We?ll decrypt the copylock a little later, but first it?s time to find the copylock key.
Boot original game and enter AR when track counter moves to 0 (or you hear the drive grinding sound).
Search for the copylock once again: F 48 7A. This time you?ll get some hits in lower chip memory too. There is $10
between the two first addresses, so copylock probably starts at address 3B3A.

Disassemble address 3B3A and hold enter down, until normal code starts again. The copylock seems to end at address
43F4, where it returns. Stick a breakpoint to this address and exit AR. BS 43F4.

When AR pops up, press R to see registers. D0 holds copylock key!
Start copylock decoder and load in saved copylock:
CD then asks for sync, choose 89?? ? We have original keydisk. Insert original disk 1 and press ok.
It then asks for value of D3 register, choose $0000
A few secs after, CD is finished and decoded copylock is ready to be saved. Insert disk with saved copylock and press ok.
You should now have a decoded copylock called ? copylock.dec ?.
Enter AR and load decrypted copylock into memory, starting at address 30000; LM COPYLOCK.DEC,30000.
Let?s determine where to wire key into the copylock. By wireing key into the encrypted code, there is a better chance
to get a 100% crack, since all ? dirty ? tricks will be executed then. We find the place to wire the key, by looking at the
decrypted code.
Assuming you have loaded copylock into memory, disassemble address 30000 and stop when this appears:

Address 303CA is the one we are interested in. This code will appear in most copylocks and it?s here we?ll wire
copylock key. When we have done that, there is no need for disk access part to be executed, so we can branch past that
part. You?ll notice a BRA at address 30414 this BRA also appears in most copylocks, and this is the address
we?ll branch to. The BRA at address 30414, branches to ? second ? part of copylock, that messes with memory and
registers. (this one don?t seems so nasty :))

Assemble address 303CA and insert the code you see in the picture above. We only do this, so we can see the opcodes
for our patch, because we?ll need them to calculate the encrypted opcodes. You can see the opcodes in the
picture above, marked with red.
To calculate the new encrypted opcodes, we?ll need the encrypted opcodes for the long word instruction previous to
our changes.
The previous long word instruction to our changes started at address 303C6.
Load encrypted copylock into memory, starting at address 30000: LM COPYLOCK,30000.

See the opcodes with M 303C6
We now have everything need to make the calcs.
xor the encrypted opcodes, with the non ? encrypted opcodes and you?ll get the new encrypted opcodes.

The new opcodes look like this: 20 26 37 A4 EF FD 57 A4 EF BF.

The tricky part is now getting the new opcodes into the copylock.
Remember that we had some data in C00000 area of memory ? This means that game does not use fixed address.
Game can, of course not, assume that all people have slow memory. Some might have fast or chip and game will
load data into that memory.
Boot copy of game. It loads a while and then it stops to decrunch data. Enter AR when game begins to load data.
Press D + enter to disassemble actual memory. Seems like we are in the 7C000 area of memory.

Address 7C000 is nice and ? round ?, disassemble this address and stop when you see something like in the picture
above. Address 7C512 might be interesting. It jumps to what A0 point to + 24. Perhaps a EXE file???
Stick a breakpoint to address 7C512 and exit AR.
When AR pops up, press R to see registers. A0 points to address C004EC. See memory with N C004EC and hit
enter a few times.

I have marked the txt ? RNC ? two places in the picture above. This smells like a ProPacked file?
So, the game want to jump to A0 + 24 which is C00510. Disassemble this address and stop when this appears:

When game reaches address C0074A, the file has been decrunched, and this includes the copylock also?.
We could change the code from address C00746 to a JMP 100 and but a patch at this address, that inserts our opcodes
into the copylock.
To be able to locate the code on disk, we need something to search for. Take note of the opcodes from address
C00744: M C00744.

The code is located some where on disk between tracks 0 ? 4, read tracks into memory, starting at address 30000:
RT 0 A 30000. Search for the opcodes: F 2E 81 4C DF 7F FF 4E 75,30000. AR returns two address 33E58.
Disassemble this address and hit enter a few times. You should see some familiar code?.

We wanted to change the code on address 33E5A to a JMP 100. Before we do this, take note of the existing code,
as we have to restore it in our patch. If we don?t do this, the registers won?t point to the correct addresses and?.
Assemble address 33E5A and insert a JMP 100. Write tracks back when done: WT 0 A 30000.
When the file is decrunched, the game will now jump to address 100, instead of executing the decrunched data.
We still have the little problem, that game doesn?t use fixed addresses.
Let?s stick a breakpoint to address C0074A and exit AR. AR will then pop up when file is decrunched.

When AR activates, press R to see registers. A0 still points to address C004EC, start of the file. Perhaps we could
use A0 as a pointer to the code we need to change. If we locate the code that needs to be modified, subtract A0
from this address, we have the number to ADD to A0, to make it point to the code. Sounds confusing !?.
The file is decrunched, so we should be able to find the previous encrypted long word to our changes.
Search for it, starting in slow mem.: F 00 1A F8 75,C00000. AR returns address C193DA.

Address C193DA is the PREVIOUS long word to our changes. To find the changes, add 4 to C193DA
(1long word) = C193DE.
Address C193DE is the first long word of our changes. Subtract C004EC (A0 points to start of file) from C193DE, which
is = 18EF2. If we add this number to A0, A0 points to the first long word, which needs to be patched.
We basically have all information?s need, to make the patch.
Let?s check out the boot block, to see if can put our patch there and add a track loader also, to move it to address 100.
Read boot block into memory, starting at address 70000: RT 0 1 70000. See boot block with N 70000 + enter.

Seems like we could add the track loader on 70180 and the patch at 70200 (offset 200). Disassemble address 7000C
and hit enter a few times. I think we could replace the code at 7000C with a BSR 70180, to call our track loader.
Assemble address 7000C and insert a BSR 70180, see picture below.

Assemble address 70180 and code the track loader:

70180; MOVE.W #2,1C(A1); cmd read
70186; MOVE.L #100,28(A1); destination address for data
7018E; MOVE.L #200,24(A1); amount of data to read
70196; MOVE.L #200,2C(A1); offset on disk to read from
7019E; JSR ?1C8(A6); I/O
701A2; MOVEA.L 4.S,A6; EXEC, data we removed from address 7000C
701A6; RTS; return to original loader

You can?t assemble address 7019E with AR, so insert the opcodes instead.
Assemble address 70200 and code the crack patch:

70200; MOVEM.L (A7)+,D0-D7/A0-A6; game code we replaced with a JMP 100, restores registers
70204; ADDA.L #18EF2,A0; add #18EF2 to A0, so A0 points to part of copylock, that needs to be patched
7020A; MOVE.L #202637A4,(A0); move first long word of new opcodes into the address A0 points to
70210; MOVE.L #EFFD57A4,4(A0); move second long word of new opcodes into the address A0 points to + 4
70218; MOVE.W #EFBF,8(A0); move last word of new opcodes into the address A0 points to + 8
7021E; SUBA.L #18EF2,A0; subtract #18EF2, restoring A0 to it?s original value
70224; RTS; return

The patch uses A0 as an offset for moving the new opcodes into the copylock. In this way, it doesn?t matter what memory
config. the game is run under, since A0 always points to start of the decrunched file.
Correct boot checksum with BOOTCHK 70000.

And finally write track back: WT 0 1 70000.

Play testing by Yuggi Bear.
Cracking by Rob
Dedicated to sweeet Victoria

Powered by the best online Amiga mod player: FLOD

Some more you may like:
Crystal - Chaos EngineLightForce - Chaos Engine 2Infect - Chaos EngineBetrayal - Chaos Strikes Back

Leave a Comment!

: Use this calculator
Your comment will be available for editing for 10 minutes
No comments yet