DarkMan

Crackers Nightmare

Author: rob - musashi9
Submitted by: musashi9
Date: 2005-05-08 23:42
Darkman
© Ocean
1991
You will need following:
1. Copy of game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
6. ARIV - find it on romshare.net
7. Kickstart 2.0
As usual, start by making a copy of the original disk. You'll notice an error on track 0. This is, as many of you guessed, a copylock
track. But wait: in this one we not only have three copylock routines, we also have a nasty encryption and, even better, checksums.
Let the fun begin :)
The game starts by loading an encrypted main file to address 60000 and then executes it. We need to decrypt this file and grab
the decrypted data, so we can crack the copylocks. To stop the game from executing the file, we'll replace the jump to the file with
a loop routine.
Insert the copy of the game, and read the boot block into memory, starting at address 70000: "RT 0 1 70000"
Disassemble start of boot code and look out for jumps:
Line 7006A executes the encrypted file by doing a "JMP 60000". Alter this to a loop, correct the boot block checksum and
write the boot block back:
Boot the game and enter AR when it hangs. The loaded file starts at address 60000; take a little look at it: "N 60000" + enter
Well, what should I say? I spent hours on that encryption and when I finally got it, I realized it's pretty easy, when you
know how to do it.
Disassemble address 60000 and hit enter several times:
The encryption does a LONG series of data moves between address 78000 and 8. Each time, a bit more of the file is
decrypted.
We'll get the decrypted data by replacing the LAST jump with a loop routine. We'll put this loop at address 4, as it stays
untouched. At first, I altered the jump to a loop "BRA 8", but the file kept getting corrupted, perhaps because part of the
"JMP" instruction is used as a decryption key?
Scan memory for jumps, starting at address 60000: "F 4E F9" (opcodes for JMP).
The last returned address is 6091A. Disassemble this address and hit enter: "D 6091A" + enter
6091A jumps to address 8. Assemble 6091A and change it to "JMP 4". Assemble address 4 and insert a loop, see
picture above.
When the file is decrypted, it will get stuck at address 4 instead of executing itself.
Run the decryption routine: "G 60000". Wait about 10 secs, enter AR and press "D" + enter.
You should now be stuck at address 4. We know that the decryption would originally jump to address 8, so this is our
start address. To find the end address, type "NQ 8". You'll see lots of crap flashing over your screen and it seems to end
around address 14770 (data continues at higher addresses, but that is leftover from the encryption).
To ensure we have all the data, set the end address to 147B8. Insert a blank disk and save memory as a file called "A":
"SM A,8 147B8".
Reboot and enter AR when the kickstart logo appears. Load the saved file into memory, starting at address 60000:
"LM A,60000". Disassemble address 60000 and hit enter a few times.
You'll see some "leftover" from the decryption routine, moving data to address 40000.
We need to branch past this part, to address 30032.
Assemble address 60000, insert a "BRA 30032" and save memory back as a file called "B". See picture:
The next part is cracking the three copylocks. These are identical and can be cracked the same way. We start by finding
the copylock key, and then we wire the key into the encrypted code.
Insert original game and reboot. Enter AR immediately when the Darkman logo appears.
Copylocks start with "PEA xxxxx(PC)"; search for the opcodes: "F 48 7A" + enter. You'll receive six addresses and
the game executes the one starting at address 991C first. Disassemble address 991C, and hold enter down until
normal code appears again.
The encrypted code seems to end at address A240. Set a breakpoint at address A240 and exit AR, see picture above.
When the game reaches the end of the copylock, AR pops up, and we can read the key out of D0 before the game EORs it.
When AR pops up, press "R" + enter to see the registers. Take note of the key in D0.
Armed with the key, we can wire it into the copylock.
Start ARIV and enter it with RMB. Insert the disk with saved file "B" and load it into memory, starting at address 60000:
"LM B,60000". The file is located between addresses 60000 and 747B0.
Enable the built-in RNC decrypter: "ROBD" + enter.
Find the copylock routines, starting at address 60000: "F 48 7A,60000". It doesn't matter which of the copylocks we
choose, as they are all alike.
Pick the first one, disassemble address 65022 and hold enter down until this appears:
Address 65408 is the one we are looking for. This code appears in newer copylocks and it's here we'll wire in the
copylock key. When we crack the copylock this way, "part two" of the copylock will also be executed, which sometimes
contains decryption routines, etc. But it seems like this one only moves the key to address 60, and nothing more.
Once that is done, there is no need for the disk access part to be executed, so we can branch past it.
Continue disassembling a few lines further. You'll notice a BRA at address 65452; this BRA also appears in most
copylocks, and it branches to the "second" part of the copylock, as mentioned earlier. We can either branch directly to
657F8, or to 65452, it makes no difference.
Take note of the original opcodes at address 65408: "M 65408", I have marked them with red in the picture beneath.
We need them to find the same location in the two other copylocks.
Assemble address 65408, insert the key into D0 and branch to "part two" of the copylock, see picture beneath.
Take note of the new encrypted opcodes, marked with green. The RNC decrypter is still active, so the normal code we
insert will be transformed into encrypted code.
Find the two other copylocks that need to be modified by searching for the original encrypted opcodes:
"F EC 9C C7 85 98 9C 21 15,60000". AR returns two addresses: 69834 & 70970. Insert the new encrypted opcodes
at these addresses, and don't forget to press enter when done.
Save memory back to disk as a file called "C": "SM C,60000 747B0".
The next part is the checksum routines. I had a lot of trouble with them, so I had to call for help.

Musashi9 will take over the keys now.

:O
ok ok so now we have the copylocks cracked in memory ready to run
insert your darkman disk (original or copy, it doesn't matter) and let's try to play the game
so execute the cracked code by jumping to 60000
g 60000

everything seems fine n dandy, game starts to load until the first level appears

HMMM! nothing no movement at all
me thinks a checksum has kicked in (checking the memory around our copylocks to see if it has been modified, which it has)
and thus crashing the game

i don't know much about finding checksums so i had to find my own way and one thing i noticed is that when the checksum version of the game loads level 1, the game freezes and nothing much happens
but 1 thing struck me about this, do you notice there are no digits in the TOP MIDDLE to represent the TIME + AMOUNT OF PHOTOS
and we know in the original game when you play level 1, the timer and photo digits appear and start to count down
so i came to the conclusion that the checksum performs its check before the game code activates '20' for amount of photos
so i decided to search for the code that places 20 (hex 14) in memory
how? well i did a simple trainer search
so start up your original disk and when you reach level 1 you will notice you have 20 snaps (right side)

so enter action replay and search for those 20, by using the trainer option
but hmm you cant just search for 20 because it is most likely to be in HEX format which would be 14
why? well hex works like this 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14
count from 01 - 14 = 20
so let's activate our trainer
TS 14
let it do a search
eventually it will say ready, when it does you exit action replay and take just 1 snap by pressing the fire button
your snap counter goes down to 19
so now we enter action replay again and carry on our trainer search for 14 - 1 = 13
so
T 13
it will return 1 address only which is 71B9
let's take a look at 71b9, hmm well 71b8 because it's probably a .W address meaning 4 hex digits

you can test it further to make sure this is the right address by adding 14 again then re-entering the game take some snaps then re enter action replay and top up the amount back to 14
you will notice your snap counter goes back upto 20 every time
cool eh?
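An added example, not from the original tutorial: the TS/T narrowing above done offline on two constructed 64-byte memory snapshots, also showing why a byte search lands on 71B9 when the counter is a big-endian .W at 71B8. The base address, decoy bytes and memory contents are all constructed.

```python
import struct

BASE = 0x7180          # address the constructed snapshots start at (assumed)

def make_snapshot(photos: int) -> bytes:
    """Constructed 64-byte memory image. The photo counter is a big-endian
    .W at $71B8 (offset $38). Decoys: a byte $14 at $7190 that never changes
    and a byte $13 at $71A0 that already holds $13 before the first snap."""
    mem = bytearray(64)
    mem[0x10] = 0x14
    mem[0x20] = 0x13
    struct.pack_into(">H", mem, 0x38, photos)
    return bytes(mem)

def trainer_search(snapshots, values, base=BASE):
    """Emulate AR's TS (first value) and T (each later value): keep only the
    byte addresses that held values[i] in snapshots[i] for every i."""
    if len(snapshots) != len(values):
        raise ValueError("one expected value per snapshot")
    survivors = None
    for snap, val in zip(snapshots, values):
        hits = {off for off, byte in enumerate(snap) if byte == val}
        survivors = hits if survivors is None else survivors & hits
    return sorted(base + off for off in (survivors or set()))

def word_at(snap: bytes, addr: int, base=BASE) -> int:
    """Read the big-endian .W at addr; on the 68000 the low byte sits at
    addr+1, which is why a byte search reports the odd address 71B9."""
    return struct.unpack_from(">H", snap, addr - base)[0]

if __name__ == "__main__":
    snaps = [make_snapshot(20), make_snapshot(19)]   # before and after one snap
    found = trainer_search(snaps, [0x14, 0x13])
    print([hex(a) for a in found])                   # ['0x71b9']
    print(hex(word_at(snaps[1], found[0] - 1)))      # 0x13, the .W at $71B8
```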
ok so now we have the address our snap counter is at
we need to search the game code
so do a find address 71b8
FA 71B8
it will return several addresses

the ones we're interested in are the first 2
the second one in particular because this part of code is not executed if the checksum fails (we know this because the counter is empty if it fails)
my first idea was to go to this address and work my way backwards
but then i thought why would it tst 71B8 after a checksum? didn't make sense to me so i came to the conclusion the checksum is somewhere between these 2 address points
6212 and 632e
so lets search from 6212 onwards
D 6212
scroll down just a little and you will bypass all the bsrs and jsrs etc. and you will come to an odd looking piece of code

reason i say it's weird is it's moving a lot of numbers around, subtracting, adding etc. so it looks like it's calculating something
so i decided to bypass this, i noticed at the bottom is a BRA 62a90 so i placed this at the start of this code
A 6250
6250 BRA 62A0
and then i executed the game and it worked :) level one now loads up
i passed on this information to Rob and he worked out that if you put a NOP at address 628E this creates the same result (working level 1)
infact here is what he found out
if you play the original disk and put a breakpoint at address 628E when the breakpoint is raised D0 is set to 0
but if you do the same with the copy D0 is not set to 0
so address 628E writes d0's value into the address A0 points to
so what we need to do is find all the SUB.W d0,(a0) and while we are at it all the ADD.W d0,(a0)
so let's load our C file that rob made earlier to 60000 and do a search for
F 91 50
and nop out them all
and also
F D1 50
and nop out them all
save back your C file
SM C,60000 747B0
try the game out by jumping at 60000
G 60000
works?
well yah but rob noticed something odd here
when your time runs out, the game crashes, this cant be good can it
rob found that if you nopped out opcodes D1 C8 the game won't crash
he found these by searching for similar code like the code surrounding both the above opcodes and nopping each suspicious line out in trial and error
so search and destroy the remaining opcodes (should be 3) and then save back the file
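An added example, not part of the original tutorial, of what the AR "F" searches used on this page do (F 48 7A, F 4E F9, F 91 50, F D1 50, D1 C8): scan a memory image for those 68000 opcode words, keep only word-aligned hits, and decode the JMP or PEA target where there is one. The memory image below is constructed.

```python
import struct

# First opcode word of each 68000 instruction searched for in the tutorial
# and the number of extension bytes that follow it.
PATTERNS = {
    b"\x4E\xF9": ("JMP abs.L", 4),        # boot block JMP 60000, decrypter jump
    b"\x48\x7A": ("PEA d16(PC)", 2),      # copylock entry
    b"\x91\x50": ("SUB.W D0,(A0)", 0),    # checksum stores
    b"\xD1\x50": ("ADD.W D0,(A0)", 0),
    b"\xB1\x53": ("EOR.W D0,(A3)", 0),
    b"\xD1\xC8": ("ADDA.L A0,A0", 0),     # the timer-crash sites
}

def scan_opcodes(image: bytes, base: int, patterns=PATTERNS):
    """Return (address, mnemonic, target) for every word-aligned match.
    AR's F command reports raw byte matches; 68000 instructions are word
    aligned, so odd offsets are data or false positives and are skipped.
    target is the decoded absolute / PC-relative destination, or None."""
    hits = []
    for off in range(0, len(image) - 1, 2):
        entry = patterns.get(image[off:off + 2])
        if entry is None:
            continue
        mnemonic, ext = entry
        addr, target = base + off, None
        if ext == 4 and off + 6 <= len(image):
            target = struct.unpack_from(">I", image, off + 2)[0]
        elif ext == 2 and off + 4 <= len(image):
            d16 = struct.unpack_from(">h", image, off + 2)[0]
            target = (addr + 2 + d16) & 0xFFFFFFFF   # PC = address of the ext word
        hits.append((addr, mnemonic, target))
    return hits

# Constructed image "loaded" at 60000; the 91 50 at the odd offset is data.
SAMPLE = (b"\x48\x7A\x00\x10"            # 60000: PEA $10(PC) -> 60012
          b"\x4E\x71"                    # 60004: NOP
          b"\x91\x50"                    # 60006: SUB.W D0,(A0)
          b"\x00\x91\x50\x00"            # 60008: data, 91 50 at odd offset 60009
          b"\x4E\xF9\x00\x06\x00\x00")   # 6000C: JMP $60000

if __name__ == "__main__":
    for addr, mnemonic, target in scan_opcodes(SAMPLE, 0x60000):
        print(f"{addr:05X}  {mnemonic:16}", "" if target is None else f"-> {target:05X}")
```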

Last step is packing our cracked file. Copy ProPack to crack-disk and boot it.
The game's boot block moves the file to address 60000 and executes it. We are going to pack the file using ProPack and
set address 60000 as the jump address. The file will load and decrunch over itself. Type this in DOS to pack the file:
"PP P M -M2 -X0X60000 DF0:D" + enter.
The "-M2" option gives less crunch gain (doesn't matter), but the final file will decrunch faster.
You should now have a file called "D.RNC". The next step is writing the file back to the copy of the game, replacing the original
encrypted one.
Insert the copy of the game and read the boot block into memory, starting at address 70000: "RT 0 1 70000".
Disassemble start of boot code and hit enter a few times:
We are interested in line 1003C. This shows the start offset on disk, where the boot loader begins to read data from.
The offset is $2C00. If we read tracks into memory, starting at address 10000, we have to load the new file to address
12C00. We also have to change the loop routine back to "JMP 60000".
Start by reading the first eight tracks into memory, starting at address 10000: "RT 0 12 10000". Insert the disk with the saved
files on it, and load file "D.RNC" to address 12C00: "LM D.RNC,10000".
Alter the loop at line 1006A to a "JMP 60000", see picture beneath.
Correct the boot block checksum: "BOOTCHK 10000".
Insert the copy of the game and write the tracks back: "WT 0 12 10000"
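What BOOTCHK recomputes here, and in the boot block edit at the start of the tutorial, shown as an added example that is not from the original page: the AmigaDOS boot block checksum, run over a constructed 1024-byte boot block carrying a JMP 60000 at offset 6A. Any byte changed in the block leaves the stored checksum stale until it is recomputed.

```python
import struct

BOOTBLOCK_SIZE = 1024     # track 0, sectors 0-1, what "RT 0 1" reads
CHECKSUM_OFFSET = 4       # longword right after the "DOS" signature

def bootblock_checksum(block: bytes) -> int:
    """AmigaDOS boot block checksum, the value BOOTCHK writes back: add the
    256 big-endian longwords (checksum field taken as 0) with end-around
    carry, then complement the 32-bit result."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if off == CHECKSUM_OFFSET else struct.unpack_from(">I", block, off)[0]
        total += word
        if total > 0xFFFFFFFF:            # carry out of bit 31 is added back in
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def bootblock_valid(block: bytes) -> bool:
    """True if the stored checksum matches the block contents."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)

def fix_bootblock(block: bytes) -> bytes:
    """Return a copy with the checksum field recomputed (what BOOTCHK does)."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)

def make_sample_bootblock() -> bytes:
    """Constructed boot block: "DOS" plus a zero byte, root block 880 ($370),
    and a JMP $60000 (4E F9 00 06 00 00) at offset $6A, mirroring line 7006A."""
    blk = bytearray(BOOTBLOCK_SIZE)
    blk[0:4] = b"DOS\x00"
    struct.pack_into(">I", blk, 8, 880)
    blk[0x6A:0x70] = b"\x4E\xF9\x00\x06\x00\x00"
    return fix_bootblock(bytes(blk))

if __name__ == "__main__":
    blk = make_sample_bootblock()
    patched = bytearray(blk)
    patched[0x6A:0x70] = b"\x60\xFE\x4E\x71\x4E\x71"   # the tutorial's loop: BRA.S to self + 2 NOPs
    print(bootblock_valid(blk), bootblock_valid(bytes(patched)))     # True False
    print(bootblock_valid(fix_bootblock(bytes(patched))))            # True
```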
now play your fully cracked Darkman
Rob - Musashi9
playtesting by DLFRSilver



Comments

2005-05-09 15:10

1. Rob writes

To ensure there is no doubt about which code might be checksums, here is a list.
All in all there are 14.
Each address can be killed with a single NOP or
CLR.L D0:

628E - SUB.W D0,(A0)
7806 - ADD.W D0,(A0)
7844 - ADD.W D0,(A0)
7D1A - SUB.W D0,(A0)
7DCC - SUB.W D0,(A0)
A57A - SUB.W D0,(A0)
A9AA - ADD.W D0,(A0)
AE04 - ADD.W D0,(A0)
AEA6 - EOR.W D0,(A3)
B684 - ADD.W D0,(A0)
C47C - ADD.W D0,(A0)
C506 - EOR.W D0,(A3)
11DE6 - EOR.W D0,(A3)
12088 - ADD.W D0,(A0)
2005-05-09 15:11

2. Rob writes

To locate them, here are the opcodes:

SUB.W D0,(A0) - 91 50
ADD.W D0,(A0) - D1 50
EOR.W D0,(A3) - B1 53
2005-05-12 14:38

3. Rob writes

Instead of touching any files, the whole game can be cracked from the boot block.
The following will take over the decrypted file and put a patch at $75000.
When file is decrypted, patch is executed and will crack checksums with " CLR.L D0 ".
Then new encrypted opcodes are wired into the three copylocks.

Copy original game. Do following with copy:

Read boot block to $70000. Assemble 7006A and insert a " BRA 700C0 ". Assemble 700C0 and insert following code:

700C0; MOVEM.L D0-D7/A0-A6,-(A7)
700C4; LEA 75000,A0
700CA; LEA 70100(PC),A1
700CE; MOVE.W #AC,D7
700D2; MOVE.B (A1)+,(A0)+
700D4; DBF D7,700D2
700D8; MOVEM.L (A7)+,D0-D7/A0-A6
700DC; JMP 75000

Assemble 70100 and insert following code:

70100; MOVE.L #75010,6091C; takeover decrypted
7010A; JMP 60000
70110; MOVE.L #4280,D0; crack checksums
70116; MOVE.W D0,5DC8.S
7011A; MOVE.W D0,7854.S
7011E; MOVE.W D0,7906.S
70122; MOVE.W D0,A0B4
70128; MOVE.W D0,7340.S
7012C; MOVE.W D0,737E.S
70130; MOVE.W D0,A4E4
70136; MOVE.W D0,A93E
7013C; MOVE.W D0,B1BE
70142; MOVE.W D0,BFB6
70148; MOVE.W D0,11BC2
7014E; MOVE.W D0,A9E0
70154; MOVE.W D0,C040
7015A; MOVE.W D0,11920
70160; CLR.L D0
70162; MOVE.L #30310A45,5424.S; 1.copylock
7016A; MOVE.L #BAF37845,5428.S
70172; MOVE.W #DADB,542C.S
70178; MOVE.L 5424.S,9850; 2.copylock
70180; MOVE.L 5428.S,9854
70188; MOVE.W 542C.S,9858
70190; MOVE.L 5424.S,1098C; 3.copylock
70198; MOVE.L 5428.S,10990
701A0; MOVE.W 542C.S,10994
701A8; JMP 8.S; jump back to decrypter

Correct boot block chk.: BOOTCHK 70000
Write back: WT 0 1 70000
2005-06-06 20:45

4. Nobody writes

Nice work boys :)
2005-08-04 08:21

5. Rob writes

Trainer updated, so energy is now trained 100%.