Submitted by: Rob
Date: 2005-06-28 15:58
© Image Works
1. Original game - find it on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
For those who care, a boot block crack can be downloaded at the top of this tutorial. Just install the supplied boot block on a fresh copy of the game, and it's cracked.
Start by making a copy of the original game. This is to determine the type of protection. You'll notice an error on track 0, probably a copylock track.
Our first mission is getting hold of the copylock key. Start ARIV, insert the copy of the game and reboot.
Enter ARIV JUST after boot (use RMB) and disable exceptions: "ALLEXC". Exit and let the game continue loading. If exceptions are not disabled, ARIV will pop up whenever an exception occurs.
Enter ARIV when the protection fails; the title screen will look very weird. Enable the RNC decrypter: "ROBD".
Search memory for copylock routines: "F 48 7A". You'll get two addresses: 15F2 and 1602.
Disassemble the first address and stop when you reach the "second" part of the copylock code:
Address 1DFA shows us that copylock moves the key from D0 into address 60.
The next step is easy...
Boot the original game and enter ARIV when the game starts. Copylock has now run, and we can grab the key from address 60.
See the contents of address 60: "M 60".
Take note of the key.
Copylock seems to be doing funny stuff to the game, so we need to wire the key into the encrypted code to make the game work correctly.
Your car is a bit difficult to control if the game isn't cracked properly... (try it yourself)
Copylock is located at track 45. Insert the copy of the game and read track 45 into memory, starting at address 30000: "RT 5A 2 30000".
Find copylock in memory, starting at address 30000: "F 48 7A,30000".
Enable the RNC decrypter and disassemble the start of copylock. Stop when this code appears:
The copylock key needs to be wired into address 32632. After that, we set register D1 to #0. This emulates Copylock in the best possible way. We can then branch past the whole disk-accessing part. Continue to disassemble a few lines further:
The registers are restored at address 32664, so this must be our branch address.
Assemble address 32632 and wire the key in, see picture above. The code we type in will be encrypted by ARIV, so there is no need for any EOR calculations.
And finally, write the track back: "WT 5A 2 30000".
Have fun and drive responsibly...