Submitted by: Rob
Date: 2005-07-04 09:37
© Core Design
1. Original game or copy
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
Some addresses may differ on your computer.
Normally we would start the tutorial with "make a copy of the original disks", bla bla bla...
Problem is, I don't have the original disk, but since the game is Copylock protected I assume track 0 would be faulty.
Boot the copy of the game and enter AR when you hear the drive grinding sound of the Copylock routine working.
First, we need to get the Copylock key. Search for Copylock routines: "F 48 7A".
AR returns addresses 14C1C and 14C2C. Disassemble address 14C1C, hold Enter down and stop when normal code appears. Perhaps we have something interesting right after the encrypted code.
Address 154E8 makes A1 point to address C19D54 and address 154EE compares (A1) with D5. If they do not match, address 154F0 crashes the game. This tells us that the Copylock key is returned in D5 (which must be empty now) and that the key is stored at address C19D54, used for reference. See the key with "M C19D54". (I think the key has been used before.)
Start up ARIV, enter it and load the file "blob" from the copy of the game: "LM Blob,30000".
The file is located between addresses 30000 and 445C8. Enable the built-in RNC decrypter so we can decrypt the Copylock and wire the key into it: "ROBD".
This isn't a really nasty Copylock containing decryption routines or similar. If we had the original disk, a breakpoint could be inserted after the encrypted code and we could read out the registers. Then crack the game by setting the registers to the original values, and address F4. But this is easier.
Search for the Copylock in the file loaded into memory: "F 48 7A".
Disassemble the first address ARIV returns and stop when this appears:
The Copylock key needs to be wired into address 315A4. After that, we set register D1 to #0. This will emulate the Copylock in the best possible way. We can then branch past the whole disk-accessing part. Continue to disassemble a few lines further:
The registers are restored at address 315D6, so this must be our branch address.
Assemble address 315A4 and wire the key in (see picture above). The code we type in will be encrypted by ARIV, so there is no need for any EOR calculations.
And finally save the file back: "SM BLOB,30000 445C8".
Reboot and blob around.
Dedicated to sweeet Victoria.