Submitted by: Rob
Date: 2005-06-25 20:28
© Core Design
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Three blank disks - find them in your local Amiga store
The bootblock crack can be downloaded at the top of this tutorial. Remember! Only the bootblock
is supplied (0-400).
Start by making a copy of the original game disks. This is to determine the type of protection.
You'll notice an error on track 0 on all three disks. This is probably a copylock protection.
You can start the copy of the game and begin playing it, but it will crash within a few minutes.
Let's start by getting the copylock key, so we can wire it into the encrypted copylock code.
It's not needed for this type of copylock, but it makes the patch simpler.
Boot the original game and enter AR when the options screen appears. The copylock routine has now been decrunched, but not executed yet. Copylocks start with the instruction "PEA xxxx(PC)". Find the copylock by searching for its opcodes: "F 48 7A". AR returns addresses 808 & 818. Let's see what happens after the encrypted code. Disassemble from address 808 and stop when normal code appears again.
Normal code seems to start around address 10D4. Address 10E0 looks interesting: it moves the byte contents of register D5 into the address A5 points to + 1DA8. The copylock key is returned in register D5. Set a breakpoint at address 10D4, then exit and continue the game: "BS 10D4".
When the copylock has run and passed, AR pops up. The breakpoint sits at the first address after the encrypted code, so we have the correct registers. Press "R" to see them. The key can be grabbed from D5.
The next part is working out the new opcodes to insert into the copylock.
Execute ARIV and insert a copy of disk 1. Reboot and enter ARIV right away (RMB). Disable exceptions, to stop it from popping up all the time: "ALLEXC", then exit and continue the game. Enter again when the title screen appears.
Enable the RNC decrypter so we can decrypt the copylock: "ROBD".
The copylock started at address 808; disassemble and look out for this part:
The disk-accessing part and the calculation of the copylock key are done within the code from address BEA to C30.
Registers are saved by the code at address BEA. Address BFE is a good place to wire the key in, as no disk routines have been called yet. When the key is inserted in D0, we clear D1. We can then branch to the address that restores the registers again. D0 & D1 are not saved. Disassemble a bit further:
Address C2E moves the key from D6 to D0 (we skip this part) and the registers are restored at C30, our branch address.
Address C34 branches to the second part of the copylock.
Assemble address BFE and insert the code you see above, to wire the key in.
The copylock is crunched, so we have to patch the decrunched copylock before it's executed. We do this by moving the new opcodes into the code. The new opcodes are marked in the above picture, together with the addresses where they belong.
Let's have a look at what the boot block is doing. Read it into memory, starting at address 70000: "RT 0 1 70000".
Disassemble the start of the boot code (D 7000C) and stop when the above appears. It seems we have a little track loader routine that moves data to address 7A000. Reboot and enter AR when the loading screen appears.
Disassemble address 7A000 and look out for other jumps:
Address 7EB90 is very interesting. When the game reaches this part, it has decrunched the copylock but not executed it yet: a perfect place to insert a call to a crack patch. Take note of the code at addresses 7EB8A and 7EB90.
We will insert a "JMP 210.S" at address 7EB8A and start the crack patch at address 200.
To move the crack patch to address 200, we need a routine to do so. This routine can be added to the boot block, and the crack patch can also be located there.
Read the boot block into memory, starting at address 70000: "RT 0 1 70000", and disassemble the start of it: "D 7000C".
The boot block starts by clearing address 0. Alter this to "BSR 70140" & a NOP, see the picture above. This will call our copy routine, which will be located at offset $140. Assemble 70140 and write the copy routine that moves the crack into memory.
70140; save registers
70144; destination address 200 for patch
7014A; copy from offset $300 on disk
7014E; amount to copy (size of patch)
70158; restore registers
7015C; restore code we removed in start of boot block
70162; return to original boot code
We also need to change the jump into the main loader, "JMP 7A000". We change this to "JMP 200", to call our patch. The jump is located at 70086. Assemble and change it:
Assemble 70300 and code the crack patch:
70300; take over the game, making it jump to address 210
7030A; execute the main loader, the jump we took over on the boot block
70310; restore the code we removed at address 7EB8A
70316; patch copylock with new opcodes
7031E; patch copylock with new opcodes
70326; patch copylock with new opcodes
7032E; restore code, execute game
What happens when the game is started is as follows: the copy routine is run and moves the crack patch to address 200.
The game then jumps to the patch, which alters the main loader to jump to address 210 once the copylock is decrunched.
When this happens, the patch moves the new opcodes into the copylock and executes the game.
Correct the boot block checksum: "BOOTCHK 70000".
And write it back: "WT 0 1 70000".
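For reference, this is what BOOTCHK recomputes. It is an added example, not code from the tutorial: the Amiga boot block checksum over the 1024-byte block (two sectors of track 0), as documented for the ADF format, so a boot block taken from a disk image can be verified or repaired on a PC before it is written back. The sample block below is constructed, not taken from the game.

```python
import struct

BOOTBLOCK_SIZE = 1024  # two 512-byte sectors of track 0


def bootblock_checksum(block: bytes) -> int:
    """Return the checksum an Amiga boot block must carry at offset 4.

    All 256 big-endian longwords are summed with end-around carry (a carry
    out of bit 31 adds 1), the stored checksum field itself counts as zero,
    and the result is bit-inverted.
    """
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for i, word in enumerate(struct.unpack(">256I", block)):
        if i == 1:              # longword 1 holds the checksum: skip it
            continue
        total += word
        if total > 0xFFFFFFFF:  # end-around carry, as the 68000 ADDX loop does
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def checksum_ok(block: bytes) -> bool:
    """True if the stored checksum matches the block contents."""
    stored = struct.unpack(">I", block[4:8])[0]
    return stored == bootblock_checksum(block)


def fix_checksum(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum written at offset 4."""
    return block[:4] + struct.pack(">I", bootblock_checksum(block)) + block[8:]


if __name__ == "__main__":
    # Constructed block: "DOS\0" signature, empty checksum, zeroed code area.
    sample = b"DOS\0" + bytes(BOOTBLOCK_SIZE - 4)
    print("stored checksum valid:", checksum_ok(sample))
    print("recomputed checksum:  0x%08X" % bootblock_checksum(sample))
    print("after fix:", checksum_ok(fix_checksum(sample)))
```

Any single-byte change to the code area (a patched jump, for instance) changes the result, so a block that fails `checksum_ok` has either been edited or damaged since it was last written.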
Thanks to DLFSIVER for supplying the original!
Testing by the very fat Yuggi Bear.