Submitted by: Rob
Date: 2005-07-01 19:15
Bubba N Stix - ECS
© Core Design
1. Original game - find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks - find it in your local Amiga store
Addresses may differ on your computer. If you use WINUAE, then select "cycle exact CPU & blitter".
Start by making a copy of the original game disks. This is to determine the type of protection. You'll notice an error on track 0 of disk 1. This is probably a copylock protection.
The protection will prevent you from finishing level 1 and cause crashes on later levels.
Let's start by retrieving the copylock key.
Boot the original game and enter AR when you hear the drive grinding sound of the copylock working.
Locate the start of the copylock: "F 48 7A". AR returns two addresses, 18D88 and 18D98. Disassemble address 18D88 and watch out for the end of the copylock. You have reached the end when all the strange encrypted code stops.
This seems to happen around address 19654. This address moves the contents of D5 into address 18D88, overwriting the start of the copylock (strange thing). D5 will of course hold the correct copylock key. Set a breakpoint at address 1965A: "BS 1965A" and exit AR.
When the copylock is done, AR will pop up. Press "R" to see the registers and grab the key from D5:
We will crack the game by inserting the key into the encrypted copylock code. In this way, we don't have to fill all the registers manually and return the key at address F4; all this will be done automatically.
The copylock routine is located in an RNC crunched EXE file. The easiest thing would be to decrunch the file, so we will not choose this option :) We will instead take over the file when it has decrunched, patch the decrunched data and then run it.
With a copy of disk 1 in DF0:, load the main file "BUBBA" into memory, starting at address 30000: "LM BUBBA,30000"
Line 30050 checks whether the crunched data appears in memory, starting at the address A0 points to. If not, it branches to line 3003A. We then have a few lines of code that check if the contents of the stack is 0. If it is, line 3003E branches to the end of the decruncher. Let's see it:
Line 30248 is also called when the file HAS decrunched correctly. When the game reaches address 3025E, the file has been fully decrunched. Assemble line 3025E, insert a "JMP 100.S" and save the file back, see the picture above. This will cause the game to jump to address 100 instead of executing itself.
We then need to put a crack patch at address 100.
We might as well begin making the crack patch. Read the boot block into memory, starting at address 70000: "RT 0 1 70000". Besides the crack patch, we also need a routine to move it into memory. Both the crack and the copy routine can be located on the boot block. Disassemble the start of the boot code and hit enter a few times:
Take note of the code at line 7000C. Change this to "BSR 700C0", see above. This will call line 700C0, where we will locate the copy routine. Assemble 700C0 and insert the following:
700C0; LEA 100,A0; locate patch at address 100
700C6; LEA 70100(PC),A1; copy data from offset 100 on disk
700CA; MOVE.W #200,D7; copy $200
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; LEA 70026(PC),A1; execute the instruction we replaced at 7000C
700D8; RTS; return to the original boot code
The above code will move $200 bytes of data from offset $100 on the disk into memory, starting at address 100. This is where we will put the crack patch. Before we can make this patch, we need some more information. We need to make new encrypted opcodes and find out how to insert them in the copylock.
Follow the steps below. This will put a little loop at address 100, causing the screen to flash when the main file is decrunched.
Start ARIV, insert the copy of the game and reset. When the screen flashes blue, enter ARIV using RMB. Locate the copylock: "F 48 7A". Notice that the copylock is NOT located at the same address as earlier. This means that it's not fixed to a certain memory location. This is something we have to take into account, or the crack will be faulty.
Enable the RNC decrypter so we can decrypt the copylock: "ROBD". Disassemble the start of the copylock (19AA8) and look out for the usual place to wire the key in:
The disk accessing and key calculation calls are done within the code from address 19E8A to 19ED0.
Registers are saved by the code at address 19E8A. Address 19E9E is a good place to wire the key in, as no disk routines have been called yet. When the key is inserted in D0, we clear D1. We can then branch to the address that restores the registers again. D0 and D1 are not saved. In the second part of the copylock, the key is moved to D5 and F4 and the other registers are filled with different values. Disassemble a bit further:
Address 19ECE moves the key from D6 to D0 (we skip this part) and the registers are restored at 19ED0, our branch address. Address 19ED4 branches to the second part of the copylock.
I have marked the new opcodes in the picture above. You only have to take note of the opcodes, not the addresses.
The copylock is not located at a fixed address, so we can't assume that address 19E9E will always be the start address for the new opcodes. Try pressing "R" + enter to see the registers.
We can use A0 to calculate the correct location of the copylock, as it always has the same "distance" to the copylock. D0 holds the start address of the decrunched file.
Our new opcodes start at address 19E9E. Subtract A0 from this: "?19E9E-1593C". The result is 4562. If we add this number to A0, it will point to where the new opcodes need to be inserted.
We can now make the crack patch. Enter AR and read the boot block into memory: "RT 0 1 70000".
Assemble 70100 and make the patch. I have also included a little routine if you have problems with your energy:
70100; ADDA.L #4562,A0; add #4562 to A0, so it points to where copylock needs to be patched
70106; MOVE.L #2617A40D,(A0)+; move new opcodes into copylock
7010C; MOVE.L #14BAD60D,(A0)+; move new opcodes into copylock
70112; MOVE.W #7492,(A0)+; move new opcodes into copylock
70116; MOVE.W #F,DFF180; set background to blue
7011E; BTST #6,BFE001; check for LMB pressed
70126; BEQ 70134; if pressed, branch to 70134 and train energy
70128; BTST #A,DFF016; check for RMB pressed
70130; BEQ 70140; if pressed, branch to 70140 and start normal game
70132; BRA 70116; loop till pressed
70134; MOVEA.L D0,A0; D0 holds start of decrunched data, make A0 point to start
70136; ADDA.L #87D2,A0; add #87D2 to A0, so it points to address that subtracts #1 from energy counter
7013C; MOVE.W #4E71,(A0); kill the subtraction instruction
70140; MOVEM.L (A7)+,D0-D7/A0-A6; code we removed in main file; restore registers
70144; RTS; start game
Correct the boot block checksum: "BOOTCHK 70000"
And finally write the track back: "WT 0 1 70000"
Boot your new crack. When the screen flashes blue, press LMB for unlimited energy or RMB for normal play.
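The BOOTCHK step matters because Kickstart refuses to boot a track 0 whose checksum does not verify. As an added illustration that is not from the original tutorial, here is a Python model of that check: the Amiga boot block's end-around-carry sum over all 256 longwords, applied to a constructed 1024-byte block. The sample contents (signature, root-block pointer, one boot instruction, the first bytes of the patch at $100) are assumptions built for the demo, not the real disk image.

```python
import struct

BOOTBLOCK_SIZE = 1024   # track 0, sectors 0-1, what "RT 0 1 70000" reads in
CHECKSUM_OFFSET = 4     # longword 1, right after the "DOS\0" signature

def add_with_carry(total: int, value: int) -> int:
    """32-bit add where a carry out of bit 31 is added back in (end-around carry)."""
    total += value
    if total > 0xFFFFFFFF:
        total = (total & 0xFFFFFFFF) + 1
    return total

def bootblock_checksum(block: bytes) -> int:
    """Checksum that belongs at offset 4: the complement of the end-around-carry
    sum of all 256 longwords with the checksum field itself counted as zero, so
    that summing the finished block, checksum included, gives 0xFFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == CHECKSUM_OFFSET:
            continue
        (word,) = struct.unpack_from(">I", block, offset)
        total = add_with_carry(total, word)
    return (~total) & 0xFFFFFFFF

def fix_checksum(block: bytes) -> bytes:
    """Return a copy with a correct checksum written in (what BOOTCHK does)."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)

def checksum_ok(block: bytes) -> bool:
    """True when the stored checksum matches a recomputation over the block."""
    (stored,) = struct.unpack_from(">I", block, CHECKSUM_OFFSET)
    return stored == bootblock_checksum(block)

def sample_bootblock() -> bytes:
    """Constructed stand-in for the patched track 0 (assumption, not the real disk):
    "DOS\\0" signature, zeroed checksum, root-block pointer, one illustrative boot
    instruction, and the first patch bytes from the listing above at offset $100."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    block[8:12] = (880).to_bytes(4, "big")              # root block of an 880K floppy
    block[0x0C:0x10] = b"\x43\xfa\x00\x18"               # LEA 24(PC),A1 (illustrative)
    block[0x100:0x108] = b"\xd1\xfc\x00\x00\x45\x62\x20\xfc"  # ADDA.L #4562,A0 ; MOVE.L #..,(A0)+
    return bytes(block)
```

Running fix_checksum over a freshly written track is the programmatic equivalent of "BOOTCHK 70000"; checksum_ok is the same test Kickstart applies before trusting the boot code.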
All testing by the extremely fat Yuggi Bear!
Dedicated to sweeeeeeeeet Victoria