Submitted by: Rob
Date: 2005-05-29 08:39
© Acclaim Entertainment
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks - find them in your local Amiga store
This tutorial is based on a crack by a good "friend" of mine, who wouldn't write a tutorial about it.
Start by making a copy of the original game disks. This is to determine the type of protection. You'll notice an error on track 0 on both disks. This is probably a copylock protection.
When the protection fails, it will cause the game to hang.
First we need to get hold of the copylock registers. Boot the original game and enter AR when you hear the drive grinding sound of the copylock working. This copylock is not very interested in being decrypted, so we have to take good note of low chip, where copylocks often return data. Copy low chip from address 0 - 200 into your expansion memory: "TRANS 0 200 C00000". Copylock routines start with the instruction "PEA xxxx(PC)". Find the copylock by searching for the opcode of that instruction: "F 48 7A". AR returns addresses 69C & 6AC. Disassemble the start of the copylock and continue till you find the end of it.
It's not hard to see where it ends, as the whole copylock is encrypted and makes no sense. Normal code starts around address F70. Stick a breakpoint at address F70 and exit AR: "BS F70". When the copylock has run and the normal code is executed, AR will pop up. We can then grab the values from the registers.
When AR activates, press "R" to see the registers. Take note of all data registers. We copied low chip into expansion memory before the copylock had finished working. Compare actual chip with the saved copy: "COMP 0 200 C00000"
You will see that quite a few addresses have been modified. I don't think we should worry about address 10, as the copylock uses this area during decryption for storing data. At address 40, we have a strange loop routine, which is probably also not important. Address 80 might be important. Some copylocks store data at this address (i.e. Krusty's Super Fun House, which seems very similar to this one). So it's probably a good idea to take note of the long word at address 80.
When this is done, we'd better check if any of the registers are returned to memory addresses too.
Search for them one by one, and yes, you do not have to search for D1.
The real copylock key is returned in D5. There is no need to return it at address F72, as this is part of the game's compare routine.
The next fun step is patching the copylock. The copylock is stored within an RNC crunched file. We have to take over the game after this file has been decrunched, but before it is executed.
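The "F 48 7A" search above works because copylock routines open with PEA xxxx(PC), whose opcode word is $487A. The Python below is an added example, not part of the original tutorial, that runs the same search over a constructed memory image and decodes where each hit's PC-relative operand points; the image and its contents are made up (the addresses 69C and 6AC are only reused as labels), only the opcode value and the 68k addressing rule are real.

```python
# Added example: find PEA d16(PC) ($487A) instructions in a 68k memory dump
# and resolve where each one points. The sample image is constructed here;
# it is not a dump of the game.
import struct

PEA_PC_OPCODE = 0x487A   # PEA d16(PC): opcode word, then a signed 16-bit displacement

def find_pea_pc(mem, base=0, aligned_only=True):
    """Return a list of (address, target) for every $487A opcode word.

    68k instructions always start on an even address, so a hit at an odd
    offset cannot be an instruction (a plain byte search such as AR's F
    reports those too); aligned_only=True drops them.  The target of a
    PC-relative operand is computed from the address of the extension word,
    i.e. instruction address + 2, plus the signed displacement.
    """
    hits = []
    step = 2 if aligned_only else 1
    for off in range(0, len(mem) - 3, step):
        if struct.unpack_from(">H", mem, off)[0] != PEA_PC_OPCODE:
            continue
        disp = struct.unpack_from(">h", mem, off + 2)[0]
        addr = base + off
        hits.append((addr, addr + 2 + disp))
    return hits

def make_sample_memory():
    """Constructed $800-byte low-chip image: two aligned PEA (PC) instructions
    at $69C and $6AC (contents invented) and one odd-aligned '48 7A' byte
    pair at $101 that is data, not an instruction."""
    mem = bytearray(0x800)
    mem[0x69C:0x6A0] = struct.pack(">Hh", PEA_PC_OPCODE, 0x000E)   # PEA $E(PC)   -> $6AC
    mem[0x6AC:0x6B0] = struct.pack(">Hh", PEA_PC_OPCODE, -0x0010)  # PEA -$10(PC) -> $69E
    mem[0x101:0x103] = struct.pack(">H", PEA_PC_OPCODE)            # decoy at odd address
    return bytes(mem)

if __name__ == "__main__":
    for addr, target in find_pea_pc(make_sample_memory()):
        print(f"PEA (PC) at ${addr:04X} -> ${target:04X}")
```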
Start by reading the boot block out and disassembling it, so we can see what it is doing: "RT 0 1 70000", followed by "D 7000C" + enter.
Line 70066 is interesting, as it executes what the boot block loaded into memory. The start address of the loaded data is indicated by A3. Change the jump to a loop and write the boot block back, see the picture above. Reboot and enter AR when the game hangs. Press "R" to see the registers. A3 points to address 59E8, the start of the data. Disassemble this address and look out for jumps. Jumps are usually interesting, as they execute code :)
And sure enough, we have a "JMP 78000" at address D8C8. I am sorry to tell you that the copylock has not been decrunched when this jump is reached. However, it's a step on the way. Let's continue to follow the code. Stick a breakpoint at address D8C8: "BS D8C8".
And execute the loaded data: "G 59E8"
The Virgin logo appears and the game starts to move data to address 78000. When it's done, AR will activate, due to the breakpoint at address D8C8. Disassemble address 78000 and look out for other jumps.
Address 7809A makes A1 point to address 77000. Then the contents of address A1 are moved to A0. Address 780A2 then executes the data by doing a "JMP (A0)". Stick a breakpoint at address 780A2 and exit AR: "BS 780A2".
After a while, AR pops up. Search for the copylock: "F 48 7A". It seems to be decrunched now. Let's reboot and check if this "JMP (A0)" already appears in memory when our loop routine kicks in. If it does, it would save us some patching.
Reboot and enter AR when the game hangs. See what happens with address 77000: "FA 77000"
You'll receive four addresses. We are interested in the last one. This is our little routine that is moved into high chip.
It's already loaded at this early stage, so we might as well patch it at this point. We could change the code so address DC68 will look like this: "LEA C0,A1". We will then ensure that address C0 is set to value 100. This will cause the game to jump to address 100 instead of into the decrunched data.
The next step is to determine where to modify the copylock. Change address DC70 to a loop and jump to address 59E8, the start of the data. Follow this:
When the game hangs, enter AR. Address 77000 holds the start address of the decrunched data. See the contents of address 77000:
The value is 600. Data must start at address 600 then. Disassemble address 600 and stop when you reach the copylock.
This happens at address 69C. This will be the start address of the copylock to patch. A0 points to address 600 and the copylock starts at address 69C. When we make our patch, we are going to use A0 as an offset and patch from there.
To make A0 point to the start of the copylock, we have to add 69C - 600 = 9C to A0. The copylock ends at address F70, so this is the branch address, after the keys have been wired to the correct locations. Before we can make the final patch, there is one more little problem.
Boot the original game and enter AR when level one starts.
Assemble the start of the copylock routine and insert a "NOP". Exit AR and finish level one. What happens when level one has finished? The game restarts!
Guess what! We have a checksum routine. These are always annoying to find. (Mick, you drive me crazy.) Enter AR again.
We know that the main file starts at address 600. Let's see if anything fools around with this address: "FA 600".
You receive two addresses. Disassemble the first one and hit enter a few times.
It seems like the routine from address 136C - 1380 calculates a value, based on a DBF loop.
The start address is A0+98 = 698. If you disassemble this address, guess what you will see? The copylock.
The calculated value in D0 is compared with address 167BE. If they are the same, the branch at address 1386 is taken, and the game will continue to the next level. If not, the level will restart. See the contents of address 1386: "M 1386". Change the first value from 67 to 60. This will alter the "BEQ" to a "BRA". Exit and replay the level. You will now be allowed to play the next levels. Yes, I know some of you are thinking "what about the wrong value in D0, what if it's used later on?". Well dudes, it's not! Follow the code, and you'll see that D0 is cleared. To crack the checksum, we need to insert the value "60" at address 1386. Take note.
The crack patch will work as follows: We take over the game before the main file at address 600 is executed and make it jump to address 100. At address 100 a copy routine will be activated and move a crack patch over the first part of the copylock code. The crack patch itself will work by restoring all data registers to the correct copylock values and addresses. Then the value "60" will be moved to address 1386 to crack the checksum, and then we branch to the end of the copylock.
Insert the copy of the game and read the boot block into memory, starting at address 70000: "RT 0 1 70000". Assemble 70066 and change the loop to "BRA 700C0". Assemble 700C0 and make the first copy routine, to move the patch into memory.
700C0; destination address 100 for patch
700C6; copy from offset #100 on disk
700CA; copy $200, amount to copy
700D4; move value #100 to address C0
700DC; add #8282 to A3, so it points to "77000" in the instruction "LEA 77000,A1"
700E2; change the above instruction to "LEA C0,A1", making A1 point to address 100
700E8; restore A3 to its original value
700EE; execute loaded data.
Assemble 70100 and make the patch that will appear at address 100:
70100; MOVEA.L 77000,A0; make A0 point to start of decrunched data
70106; ADDA.L #9C,A0; add #9C to A0, so it points to start of copylock
7010C; LEA 124,A1; copy routine starts here, copy data from address 124
70112; MOVE.W #200,D7; amount to copy
70116; MOVE.B (A1)+,(A0)+; copy
70118; DBF D7,70116; copy
7011C; MOVEA.L 77000,A0; make A0 point to start of decrunched data
70122; JMP (A0); start game
70124; MOVE.L #318278E4,D0; this is the start of address 124, and data from here will be moved over the copylock routine
7012A; CLR.L D1; from address 12A - 178 the copylock values are set
7012C; MOVE.L #6304F1C8,D2
70132; MOVE.L #C609E390,D3
70138; MOVE.L #18278E43,D4
7013E; MOVE.L #18C13C72,D5
70144; MOVE.L #304F1C86,D6
7014A; MOVE.L #609E390C,D7
70150; MOVE.L #E73EC38D,80.S
70158; MOVE.L D0,4BA.S
7015C; MOVE.L D2,4C2.S
70160; MOVE.L D3,4C6.S
70164; MOVE.L D4,4CA.S
70168; MOVE.L D5,40C.S
7016C; MOVE.L D5,4CE.S
70170; MOVE.L D5,73CD4
70176; MOVE.L D5,3DE.S
7017A; MOVE.L D6,4D2.S
7017E; MOVE.L D7,4D6.S
70182; MOVE.B #60,1386.S; crack checksum
70188; BRA 709F8; branch to end of copylock
Correct the boot block checksum: "BOOTCHK 70000"
Write the boot block back: "WT 0 1 70000"
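BOOTCHK is needed because the Kickstart ROM refuses to boot a disk whose boot block checksum does not match its contents, and every byte we assembled into the boot block changes that sum. The Python below is an added example, not from the tutorial, of the Amiga boot block checksum itself: the 256 big-endian longwords of the 1024-byte block are summed with end-around carry, the checksum field counting as zero, and the complement is stored in the second longword. The sample block is constructed, not read from the game disk.

```python
# Added example: Amiga boot block checksum, the value AR's BOOTCHK repairs.
# The boot block is the first two sectors (1024 bytes) of the disk; longword 1
# holds a checksum chosen so that the carry-wrapping sum of all 256 longwords
# comes out as $FFFFFFFF.  The sample block below is constructed, not a game's.
import struct

BOOT_BLOCK_SIZE = 1024
CHECKSUM_OFFSET = 4        # second longword

def bootblock_checksum(block):
    """Compute the checksum for block, ignoring whatever is stored in the field."""
    if len(block) != BOOT_BLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOT_BLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                       # the field itself counts as zero
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:             # the 68k ADD.L carry is added back in
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def fix_checksum(block):
    """Return a copy of block with a correct checksum written in (what BOOTCHK does)."""
    out = bytearray(block)
    struct.pack_into(">I", out, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(out)

def checksum_ok(block):
    """True when the stored checksum matches the block contents."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)

def make_sample_bootblock(code=b""):
    """Constructed block: 'DOS\\0' id, empty checksum field, root block 880, then code."""
    head = b"DOS\x00" + bytes(4) + struct.pack(">I", 880)
    return (head + code).ljust(BOOT_BLOCK_SIZE, b"\x00")

if __name__ == "__main__":
    blk = fix_checksum(make_sample_bootblock(b"\x60\x00\x00\x10"))  # BRA.W as stand-in code
    print(f"checksum ${bootblock_checksum(blk):08X}, valid={checksum_ok(blk)}")
```

Editing any byte of the block after running fix_checksum makes checksum_ok return False again, which is exactly why BOOTCHK has to be the last step before WT.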
All coding by anonymous. Txt written by Rob