Archer Maclean Pool

Hits: 6283

Crack Copylock, Novella & Bypass Checksums

Author: Rob
Submitted by: Rob
Date: 2005-05-26 19:44
No tags
Archer Maclean Pool
? Archer Maclean

1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
During this txt, a lot of addresses and values are shown. It?s probably a good idea to take note of them during reading, as it will makes it easier to do the final patch.
This game is very similar to Jimmy White?s Whirlwind Snooker, both in game play and protection.
This one has just been optimised both in game functions and the protection is also at a higher level.
As for Jimmy White?s Whirlwind Snooker, this game also has checksum routines which causes
the Amiga to crash if it fails (reset). Checksums seems to be more sensitive in this one, taking better ? care ? of the novella. I still can?t locate the routines, so we bypass them by restoring all values we alter, back to original state.
Copylock is way more tricky, as it?s NOT enough to wire copylock key into the encrypted code. Copylock key are moved to address 60 after the key calculation routine and different values are moved into memory. If these are not simulated, game will crash.
Let?s begin.
Start by backing up original game disk, so we have something to work with. If a copy of game is used, the screen will be filled with the txt ? FAIL ?.
We start by getting the copylock key. Execute ARIV, insert original game and reboot. Enter ARIV just after boot, using RMB. Disable exceptions and exit: ? ALLEXC ?.
This disable ARIV from popping up, when an exception is reached.

When the Presentation screen appears, game has been decrunched and copylock has run. Enable the RNC decrypter, so we can have a look at the copylock inside: ? ROBD ?. Copylocks start with the instruction ? PEA xxxxx(PC) ?.
Search for the opcodes: ? F 48 7A ?. You will receive address 32A0E & 32A1E. Disassemble the first address and stop when you reach end of the key calc. routine:

Address 32EF6 look very interesting, as it moves the final calculated key into address 60. Take a look at address 60, to get key: ? M 60 ?.
More ? not so normal ? stuff happens in here. When I was stepping through the code, I fell over these two addresses:

When inserting key into the encrypted code and branching past the disk access stuff, the above are skipped.
This is very BAD?
If we don?t emulate address 32F66 & 33198, game will crash. Let? have a look at where to wire key in.
Disassemble address 32E14 and hit enter a few times:

The disk accessing part and key calculations of copylock key are done within the code from address 32E14 ? 32E5A.
Registers are saved by the code at address 32E14. Address 32E28 is a good place to wire key in, as no disk routines has been called yet. We wire key into D0, clear D1 and then branch to address 32E5A. This should give the best result.
Disassemble a bit further:

Address 32E58 moves key from D6 to D0 (we skip this part) and registers are restored at 32E5A, our branch address.
Address 32E5E branches to second part of copylock which fills registers with different values, based on D0.
Take note of original opcodes in copylock and their addresses, marked with green above.
Assemble 32E28 and insert the code you see above. After that, take note of the new opcodes and their address.
We have to restore opcodes in copylock after it has run, to avoid problems with checksums. We can do this by inserting a call after the copylock, to a patch, which restore opcodes. Have a look at code after copylock:

Copylock ends at address 3330A. This is a good place to insert a call to patch, which restores original opcodes in copylock. See the original opcodes for the code at address 3330A, assemble and insert a ? JSR 12C.S ?.
Then see opcodes for new code. Every step is shown in the picture above.
There is still the annoying novella left. Boot original game and bring up the protection screen.
Type in the word ? DAMM ?.

Enter AR and search for the word: ? FS DAMM ?. AR returns address 16AFA.

We are interested in what game might do with address 16AFA. Before we check this, see registers: ? R ?.
A1 points to address 16AFA. Set A1 to #0, to avoid getting false references. ? R A1 0 ?.
Then type ? FA 16AFA ?. AR returns address 16ED6. Let?s look at the code around this address:

The protection check is done at address 16EB8. This address subtracts 14+what A0 pints to from D3.
If the result is #0, address 16B10 is cleared and game starts. If it fails, protection just restarts.
Take note of address 16B10 getting cleared, as we shall use this info later on.
We?ll crack it by clearing D3, just as if the protection had passed. This can be inserted at address 16EB8.
To make addresses add up, three NOP?s is also needed. Just as with the copylock, we need to restore novella to it?s original state when it has run. Take note of the original opcodes, see picture above. Assemble 16EB8 and insert code marked with yellow. When done, see new opcodes:

Next question is where to take over novella? I tried patching it just after running the copylock, but this caused a crash. It seems like a checksum is run after the copylock. We then have to patch novella, AFTER this checksum has run. As I don?t know where the checksums are, I just tried taking over different addresses after copylock had run.
Address 5DDC seems to be very suitable. Have a look at it:

We can alter address 5DDC to ? JSR 176.S ?, after copylock has run, without getting troubles with checksums.
Address 176 can then wire new opcodes into the novella. See original opcodes for address 5DDC, insert a ? JSR 176.S ? and see new opcodes. See picture above.
After the novella has run, it?s probably best to restore original opcodes. This means that we need to find the code after it has run.
Remember that novella cleared address 16B10?
It does this, so it knows if the protection has been run. See what else happens with address 16B10: ? FA 16B10 ?.

AR returns three addresses. Have a look at the code around the first one:

Address 16B8A checks if address 16B10 is #0. If it is, the novella call at 16B94 is skipped. When novella has run, it returns to address 16B98. We?ll insert a ? JSR 1AA.S ? here, and restore original opcodes in novella, from a patch at 1AA. See original opcodes for 16B98 & 16B9C, insert a ? JSR 1AA.S & NOP ? and then see new opcodes.
Original opcodes are shown with green and new ones with red.
You should now be armed with a bunch of opcodes and addresses.
We now need to find a way to take over the decrunched game, before it?s executed, and make it call our crack patch.
Read boot block into memory, starting at address 70000:

? RT 0 1 70000 ?
Disassemble start and look out for jumps into loaded code:

Line 7009A makes a jump to the address A3 points to; beginning of the crunched game. Change this to a loop routine and write track back. Follow the above steps.
Reboot game and enter AR when it stops loading. We now need to find the jump into the decrunched data and take over this jump. Find start of loaded data, by looking at A3:

Address 59E8 is start address. Disassemble and look out for jumps. Address 5C48 makes a ? JMP (A7) ?, which executes decrunched game. We need to replace this with a ? JSR 100.S ?. The new code inserted is larger than original, so we have to insert at a little lower address. Address 5C40 is suitable. Take note at the code on address 5C40 & 5C42, as code has to be restored again. The opcodes for ? JSR 100.S ? is 4E B8 01 00. We move these opcodes into address 5C40. There is a little problem though, as A3 points to start of data, the start address is relative. It can be calculated where to insert the JSR by subtracting the address we wish to alter, with start address: ? ?5C40-59E8 = 258 ?.
All needed info to make a crack patch should now be in place. Only thing left, is a copy routine to move patch from disk and into address 100. Both patch and copy routine can be located on boot block, as there is free space from offset 100.
Read boot block into memory, starting at address 70000, change loop to ? BRA 70100 ?, to call copy routine upon boot.
See picture:

Assemble 70100 and code copy routine:
70100; LEA 100,A0; destination address 100
70106; LEA 70200(PC),A1; copy from offset $200 on disk
7010A; MOVE.W #D8,D7; copy $ D8 (size of crack patch)
7010E; MOVE.B (A1)+,(A0)+; copy
70110; DBF D7,7010E; copy
70114; MOVE.L #4EB80100,258(A3); call patch with a ? JSR 100.S ?, when game is decrunched
7011C; JMP (A3); jump we took over

Assemble 70200 and code the crack patch:
70200; MOVE.L A0,D0; restore code from end of decruncher
70202; SUB.L A6,D0 restore code from end of decruncher
70204, MOVE.L #6B87AF4E,32E28; wire new opcodes into copylock
7020E; MOVE.L #F6EBDD4E,32E2C; wire new opcodes into copylock
70218; MOVE.W #96C3,32E30; wire new opcodes into copylock
70220; MOVE.L #4EB8012C,3330A; call patch after copylock has run
7022A; RTS; return to decruncher
7022C; EORI.W #BD50,D0; run code we removed at 3330A
70230; MOVE.L #2ABB9D8C,32E28; wire original opcodes into copylock
7023A; MOVE.L #4DB5ED8D,32E2C; wire original opcodes into copylock
70244; MOVE.W #2CB5,32E30; wire original opcodes into copylock
7024C; MOVE.L #33CABD50,60.S; return copylock key at address 60
70254; MOVE.W #9290,37994; emulate code we skip inside copylock
7025C; MOVE.W #A9D0,3E8.S; emulate code we skip inside copylock
70262; MOVE.L #A40BD50,3330A; restore code at address 3330A
7026C; MOVE.L #4EB80176,5DDC.S; call patch, to crack novella
70274; RTS; return to game
70276; MOVE.W #535E.S,D0; run code we removed at 5DDC
7027A; MOVE.L #3038535E,5DDC.S; restore at address 5DDC
70282; MOVE.L #42434E71,16EB8; crack novella
7028C; MOVE.L #4E714E71,16EBC; crack novella
70296; MOVE.L #4EF801AA,16B98; call patch after novella has run
702A0; MOVE.W #4E71,16B9C; call patch after novella has run
702A8; RTS; return to game
702AA; LEA 12464,A0; run code we removed at 16B98
702B0; MOVE.L #41F90001,16B98; restore code at address 16B98
702BA; MOVE.W #2464,16B9C; restore code at address 16B98
702C2; MOVE.L #96680014,16EB8; wire original opcodes into novella
702CC; MOVE.L #66000008,16EBC; wire original opcodes into novella
702D6; RTS; return to game

When patch is first called, it will wire new opcodes into copylock and a call back to patch, after copylock has run.
When it returns original opcodes are returned in copylock, code we skip inside copylock is emulated and a call back to patch is inserted at 5DDC. When game reaches the call at 5DDC, patch will wire new opcodes into novella and insert a call back to patch at address 16B98. When patch is called for the last time, original opcodes are wired into novella and it returns to game. This should ensure that all values are original, to fool the checksums at the correct stages.
Correct boot checksum: ? BOOTCHK 70000 ?

Write track: ? WT 0 1 70000 ?.

When novella appears, just press Enter.
There have been done lot of testing with this one, and no faults were found. If you any, please let me know. By faults, I mean actual errors you find, like the game is crashing at a certain point. I don't care about what you " suppose, think, assume ", hard facts please.
Many greets to DLFRSILVER for testing!

Download: Archer Maclean Pool
Filesize: 0KB, downloaded 3 times
Powered by the best online Amiga mod player: FLOD

Some more you may like:
LSD - Archer Macleans PoolTristar - 3d Pool


Leave a Comment!

: Use this calculator
Your comment will be available for editing for 10 minutes
2005-05-27 09:04

1. WayneK writes

Nicely done Rob, good way to beat the CRC routines even when you can't detect them :)
2005-05-27 09:26

2. aLpHa oNe writes

Really great tutorial, Rob!
2005-05-27 15:13

3. Rob writes

Thanks dudes :)
2005-05-28 23:35

4. Phantasm writes

Just for forther information the checksum routine is at $4831e - $483cc.

Basically it uses some fancy code ( I guess to try and disguise itself) but doesn't do much more than total up the word values of two areas of memory starting at $328c0 and $16b36.

The calculated checksum is written to two different addresses by the code at $4837c and $4838a.

If you wish to deal with this checksum by hand rather than using robs technique you can either hardwire #$253f into d0 at the relevant point, or since this is a simple addition calculation, you can easily modify one of the unused values in the code (eg. in the no longer used RNC code) to ensure that the checksum remains correct and then no changes are required to the checksum routine.

In this case robs solution is probably a better one since there may be other crc routines as well (i've seen at least one other one at $42016 but it may have been a dummy and it too was a simpe add.w as well).

2005-05-28 23:37

5. Phantasm writes

hmm screenshots should probably have been smaller. my apologies.
2005-05-29 10:17

6. musashi9 writes

fixed ;)
keep up the contributions
2005-05-29 10:29

7. Rob writes

Interesting stuff!
There is a thing that puzzels me though. Why is game crashing, if address 3E8 isn't set to the correct value ?
3E8 is out of the above checksum range. Perhaps it's checked by another checksum?
2005-05-31 08:12

8. Codetapper writes

Easy. The game sets the stack to $400 when it starts up, and dumps stuff onto the stack. Later on, it pulls the values off the stack into the registers and therefore the value at $3e8 is used despite you not being able to find it easily in the code.

I don't think this crack will work properly anyway because the checksum at $41ffc has not been handled. If the checksum has been tested, the word at $41fee is set to 1. The checksum (as a word) is calculated and stored at $41ff0. This is the 2nd version of Archer Maclean Pool (there are 3 supported WHDLoad versions) and this version needs the checksum set to $6e20. Therefore to crack it you also need a move.l #$16e20, $41fee early on which avoids it calculating the checksum as it thinks it's already tested it:

00005d98 JSR.L $00041ff2 ;Call checksum routine
00041ff2 TST.W $00041fee ;Test if checksum already tested
00041ff8 BNE.W #$0022 == 0004201c
00041ffc MOVE.W #$0001,$00041fee
00042004 LEA.L $000328c0,A0
0004200a EOR.L D1,D1
0004200c MOVE.W #$013f,D0
00042010 ADD.W (A0)+,D1
00042012 DBF .W D0,#$fffc == 00042010
00042016 MOVE.W D1,$00041ff0
0004201c RTS.L

Moving the longword in manually is the most elegant way to crack it as no code is changed, thus any other checksums would not realise we have bypassed it.

This is NOT a good game to learn cracking on - it has some sneaky tricks in it so should be left to the pros! :)
2005-05-31 08:17

9. Codetapper writes

Incidentally, the main part of the copylock for those that are interested:

Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (

Copylock header found at $32a0e
Copylock stack 1 found at $32a88
Copylock stack 2 found at $32df6
Copylock key wiring position found at $32e14
Copylock key wiring skip to position found at $32e5e
Post copylock branch to address starts at $3321e
Copylock new magic number ($a573632c) compare at $32e82

======[ Key calculation routine found at $32ee4: ]======
_32ee4 move.w #$b,d1
_32ee8 add.l d6,d6
_32eea sub.l (a0)+,d6
_32eec dbra d1,_32ee8
_32ef0 eor.l #$71895a65,d6 ;Modify serial number
_32ef6 move.l d6,($60).w ;Serial number stored at $60
_32efa addq.l #4,sp
_32efc rts

======[ Special copylock modifications: ]======
_32f66 move.w #$9290,$37994
_33198 move.w #$a9d0,($3e8).w

======[ Post copylock code starts at $3321e: ]======
_3321e lea $78(sp),a6 ;Set a6 to real copylock registers
_33222 move.l d0,(a6)+
_33224 move.l d1,(a6)+
_33226 rol.l #1,d0
_33228 move.l d0,(a6)+
_3322a rol.l #1,d0
_3322c move.l d0,(a6)+
_3322e rol.l #1,d0
_33230 move.l d0,(a6)+
_33232 rol.l #1,d0
_33234 rol.l #1,d0
_33236 move.l d0,(a6)+
_33238 rol.l #1,d0
_3323a move.l d0,(a6)+
_3323c rol.l #1,d0
_3323e move.l d0,(a6)+
_33240 moveq #$0,d0
_33242 moveq #$1,d0
_33244 lea _33256(pc),a6
_33248 move.l -$4(a6),d6
_3324c add.l $8,d6
_33252 or.w #$a71f,sr
_33256 addi.l #$44,($24).l
Copylock stack 2 ends at $33256
2005-05-31 11:11

10. Rob writes

You don't think ?
Have you actually testet it ???

I have been through all menus any played against diffrent players, and game worked fine all the way.
Could you please specify, where the game is supposed to crash ?
2005-06-01 06:26

11. Codetapper writes

It's not easy to test your cracks because there are no obvious download links to grab your version. From what I can see and my knowledge of this game (having supported 3 different versions for WHDLoad and cracking them properly) I would guess that this version screws up at some point due to the missed checksum.

It is also a farce to title this tutorial (and Jimmy Whites) anything like "bypass checksums" when you didn't even locate them in the code. If there are 2 checksums and you do all sorts of patches to get around 1 of them, the game has beaten you - at some point it will screw up if it does any testing before your patches have cleaned up after themselves.

Archer Maclean is a clever guy - it could be that if you pot 3 balls in a row or something it screws up - it is foolish of anyone to say they have tested it and "the game worked fine all the way" when clearly it is not a simple game to test due to the nature of it.

The correct way to crack a game like this is to use memory watchpoints over the code that has been changed and see where the game accesses it. Then you have located a checksum and can patch around it. And you then have to check the checksum patch to see if any other code checks that and so on. Often the same type of checksum routines are used so you can search for common code.

If you actually want to learn something new instead of continuous RNC cracks of varying quality, I suggest you try and crack something like Death Trap from Anco which has some real checksums.
2005-06-01 06:48

12. Rob writes

Oki, Betsy...
Whole thing is cracked from boot block, so if you wasn't so lazy, pehaps you could tap the few lines of code in yourself..

If you can say Whd versions are cracked correctly, I assume you also tested them, cause Archer is " a clever guy "...
Then i can't see why my version can't be tested..

Learn something new ?
Hmm sounds like one of your usually challenges.
First it was Puzznic, Archer and so on, now it's Death Trap. Whats going to be next ?

Now you started dissing this, which is ok, I atleast expect to see a proof, of where game is crashing.
Oki, Clara ?
2005-06-01 08:22

13. Codetapper writes

I can guarantee the WHDLoad versions are cracked correctly because I used the MMU to put breakpoints over the parts that were changed. If the game was reading those at any point, WHDLoad would quit the game on the exact instruction that caused the read. Unlike your version which would simply start misbehaving until it crashes or whatever Archer Maclean made it do.

It is a waste of time to type out hundreds of bytes when you could easily create an ADF of your version. The game compresses to about 200k, and would be downloaded quicker than anybody could type it out.

You admit yourself you couldn't find the checksums so why are you being so insistent that your version is 100%? And just remember who taught you how to wire stuff into the copylock in the first place - just because you can eor.w a few bytes in a copylock doesn't mean you know it all...
2005-06-01 09:42

14. Rob writes

Ahh, sorry Nancy.
Could you please tell me, where I have written 100%
crack ?
As i recall it, i kindly ask people to tell, if they find any errors, that can be dockumented.
I'll think it's best to wait for someone to show where, (if any) errors are.
As you say " left to the pros! "
Well, that exclude you, right ?
The checksum writes the calculated value to a memory address, so if my version is faulty, this value would differ from original, right ?
As you know where all the checksums are and how they work, just comare values.
2005-06-01 10:47

15. Codetapper writes

As I told you before, if you uploaded the ADF it would be easy to check. I've told you the exact location of the missed checksum and the expected value so you could do it yourself.
2005-06-01 13:50

16. Rob writes

1. Upload copyrighted software ? Thats a real bad idea, now isn't Camilla ?

2. Tapping in the code, takes less than 10 mins, even you should be able to find that time. (Unless of course, you are too busy trying to control the universe or the weather)

3. The checksum value you talk about, appears as you say.

4. To save your everlasting memory, where we thank you, as wireing key into the coylock opened up for a lot of new cracks, no doubt about that, see this, dated 16-10-04:

5. I'll try hire some guys, who can throw rose leaf in front of you, when walking down the street - a red carpet is just too expensive

6. Tell me honestely, are you the last Sith prince ?

7. I guss all the time and key strokes you used discuss with me, you could have used cracking the game...
I look foreward to hear from you
2005-06-01 20:09

17. Codetapper writes

In that case your crack worked by luck not by skill. I've told you how to find checksum tests and you simply ignore my comments about mem watchpoints - therefore you might as well not bother trying to crack anything as you do not have the skill to find anything remotely tricky.

You have simply learnt some cracking tricks and apply those to every game with a sledge hammer approach - even when it doesn't apply to every game.

You could have also uploaded a text file with just the code in if or the bootblock since you are too scared to upload an ADF but I guess you don't have the brains to realise this - the typical sledge hammer approach.

Just thank goodness that the real crackers that cracked these games back in the day actually knew about checksums - otherwise lots of games like Lemmings, Ballistix, Death Trap etc would all have been buggy cracks.

Leave the hard cracks to the pros please...
2005-06-01 20:50

18. Rob writes

Good to hear from you, Mary.

I'am, as you say, not the fastest guy around, but in your own words, are you trying to say that my crack work ?

Well, isn't this just my " lucky " day ?

Ahh... yes, I learned some cracking tricks, and yes, I use them, I guess you don't.

Now, apply same tricks to every game ? Nah, sorry again Mary. As you know, a game like this can not settle with just the key being wired in, but other values also needs to be added.
Then some can settle with more simple stuff.

I'am too scared to upload a ADF, well, Mary darling, not scared but carefull.

And now, we come to the most amazing part; You actually comming with a good idea; Adding the code as a txt file. Well, bravo, you might want to sit down, as an ida like that proably used most of your brain capacity.

" Leave the hard cracks to the pros please... "

Now, when have you started using words like " please " ?

And when did you turn to the dark side ?

Well, ta ta sweetie, look foreward to hear from you...
2005-06-01 22:04

19. Codetapper writes

Jesus Christ, I try and help a lamer out so they can improve their skills and get flamed for it.

If you are too stupid to learn about memory watchpoints and checksums then that's your problem not mine.

Just don't keep churning out tutorials pretending you know what you're doing when clearly you don't. Anyone that disagrees with your methods gets abused - how lame.

BTW your remark about Puzznic, Archer etc is also a joke. You were not able to crack ANY of those games before I showed you how to wire a key into a copylock.

And if producing quality working (and tested) cracks is turning to the dark side, then I'm glad YOU are on the other side - in blissful ignorance of your lack of skills.
2005-06-02 08:39

20. Rob writes

Hello Jill, havn't got time for you now, I'll be back later.
2005-06-02 14:22

21. Rob writes

Hello Elisabeth.

You said this: ?Jesus Christ, I try and help a lamer out so they can improve their skills and get flamed for it. ?
Who are you attacking now? Words like ? they ? & ? their ? confuses me a little. Are you still just attacking me, or other poor souls too ?
Are you aware of, you tapped your keyboard around 4572 times, having this nice chat with me ? My cracking code
requires you to press the keys around 600 times, do you see my point, stupid ?
I?m still waiting for your answer, about you verified my crack. After all, you are the all mighty Codetapper..
The problem might just be, that it works ok, and you would hate that, right Elisabeth ?

I will of course want to say sorry if I flamed you, Little Nicky, I just assumed you where used to HOT surroundings.

? Just don't keep churning out tutorials pretending you know what you're doing when clearly you don't. Anyone that disagrees with your methods gets abused - how lame. ?
Well, Marie, you are hardly the right guy to tell me what to do. And no, not all gets abused when they disagree with me, it?s actually mostly you, perhaps because the way of your sweet nature and ugly appearance.
2005-06-02 14:24

22. Rob writes

BTW your remark about Puzznic, Archer etc is also a joke. You were not able to crack ANY of those games before I showed you how to wire a key into a copylock. ?
First of all, I?am always seriously. And no, you are absolutely right, I couldn?t, when did I clam this ?
And surely, sweet lips, you should of course not mention, I improved this method, making it much easier, by using
ARIV, so people don?t have to make calculations. And also I don?t recall you telling, that setting register D1 to #0, is also a good thing in some copylocks.

? And if producing quality working (and tested) cracks is turning to the dark side, then I\'m glad YOU are on the other side - in blissful ignorance of your lack of skills. ?
I just need to know following; Isn?t it getting a bit hot inside that stupid black helmet ?
2005-06-02 14:25

23. Rob writes

Hmmm? I don?t think we are quite finished talking about this abusing and attacking people.
Here are a few of your other (sorry for using your words, sweetie) lame comments:
Congratulations on butchering a simple crack - by skipping the copylock check the game does not work properly.
I have to admit that the quality of crack is not very good
"cracked" in this nasty manner
to show you guys how it should be done.
I have learned a lot of tricks ? ? now, doll face, wasn?t you blaming me for using tricks ? ?
If d3 is 0, it\'s an easy copylock ? ? now, thats now always true, right Sarah ?
If you really love RNC\'s and want a challenge, try cracking Hydra, Neighbours or Magic Pockets copylocks!
how the pros do it
Can anyone step up to the challenge?
In cause you shouldn?t notice (probably because you are too busy checking with the mirror on the wall, who are the best cracker in the universe?), mine comments to yours, where in ? ?

Do you have some urge or need to prove your self?
Perhaps you are calling me ? ignorance ?, but I?m at least not an arrogant frekazoid like you.

My final words for today must be good luck with world dominance, as so many before you have failed.
As usually, I?m waiting to hear from you, bye bye sweet chicks
2005-06-02 18:43

24. WayneK writes

Hey... as they say, "Can't we all just get along?" (usually followed by a brutal beating...)

Codetapper, most of the cracks people are writing tutorials for here... they are doing so to revisit their amiga scene days, now that they feel they can understand how to crack a few things - they also want to use (mostly) the tools that were available in those days... now I'm not expecting everyone to use ancient warpers and figure everything out from there, but I would say that excludes using whdload and MMU techniques to place memwatch points. If you want people to learn, why not suggest ways in which Rob could've found the CRC routs using his tools of choice (AR + A500 stuff that was available at the time of the games release).

There's no need for girls names and calling everyone a lamer, this isn't school playtime, we're all older than that now (I hope...).

We now return you to your scheduled programming.
2005-06-02 19:20

25. Rob writes

2016-03-17 15:30

26. Pollie writes

Hi there, Is somebody able to explain, how to decode rnc encryted code manually? I know you can use ARIV, just wondering how Crystal did this back in the day. Thought ARIV came out after this game. Obviously there must be a formula, as this is how ARIV does it. Take encrypted code above at 32EF6 - MOVEA.l A6,A7 - 2E4EA148 , once decrytped this becomes 32EF6 - MOVE.L D6,00000060.S - 21C60060 How do you turn 2E4EA148 into 21C60060? Cheers :)
Reply to comment #26
2016-03-17 22:05

27. WayneK writes

Usually it's just done with EOR... if you EOR the previous longword with the current longword, you will get the decrypted opcode (or, 4 bytes of it since you only did 1 longword!). This is exactly how Blackhawk's ARIV RNC mode works, and as such won't work for any RNC's that don't use EOR (quite a few early ones, if I remember correctly). A bit more is explained in "TVD's explained", an old tutorial I wrote for Flashtro, and covered in detail by a tutorial Codetapper wrote too!
2016-03-18 14:02

28. Pollie writes

Ah ha I see, in this example the previous longword at 32EF2 is 0F88A12E, and 0F88A12E EOR with 2E4EA14E (at 32EF6) = 21c60060 = MOVE.L D6, 00000060.S, Thanks for that WayneK. I assume back in the day before ARIV people would have wrote their own decryptor?, or did they manually go through each instruction??, or is it possible to get the copylock to decrypt itself to memory somewhere??
Reply to comment #28
2016-03-18 14:24

29. aLpHa oNe writes

You can decrypt it to memory via patching the tvd. I think I did something like this here:
2016-03-18 16:10

30. Pollie writes

Ok thanks I will check it out and get back to ya. So this is how they would have done it back in the day?
Reply to comment #30
2016-03-19 10:12

31. WayneK writes

Yes, patching the TVD to store the decrypted bytes somewhere else in memory is probably what I would have done back in the day (if I could code anything at all back then!). Making a little decrypter is also possible, just look at the TVD to see how it does the decryption (as I said, ARIV RNC mode fails on some games since they use something like ADDI.W #1234,D0; NOT D0 and other simple methods). Once you have mastered the copylock stuff, take a look at the TVD's by Pierre Adane (games like Toki, Ilyad + some others) :)