Submitted by: Rob
Date: 2005-07-08 15:17
Bubble & Squeak - AGA
1. Original game - find it on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks - find them in your local Amiga store
This will be a quickie!
Start by backing up the original game disks. Only disk 1 is copy protected, with a copylock track.
We'll crack this one by wiring the copylock key into the encrypted copylock code.
You could also just write the key into address F4 and set all the D registers to the correct values.
To do this, we need the key.
Insert the original game disk, start it and enter ARIV (enter = RMB). Disable exceptions: "ALLEXC".
Load the main file into memory, starting at address 30000: "LM CODE,30000".
The file is located from 30000 to 52BD8.
Locate the copylock by searching for the "PEA xxxx(PC)" instruction: "F 48 7A". Enable the RNC decrypter so we can decrypt the code: "ROBD".
Disassemble address 522DA ("D 522DA") and stop when this appears:
Address 52AAE is the start of the second part of the copylock code; this is where all the fun happens. Address 52AB6 looks interesting to us, as it moves the correct copylock key into address F4. We will simply execute the copylock and read the key out of address F4.
Disable the decrypter: "ROBD". Continue disassembling from address 52AAE and look out for the end of the copylock. The copylock seems to end around address 52BA6, with an "RTE". It ends like this because the copylock routine is executed with a "TRAP #0". We will NOT do this, as the exception would prevent us from entering ARIV with the mouse.
Assemble address 52BA6 and insert a loop, see beneath:
After that, set registers D0 & D1 to #0: "R D0 0" & "R D1 0". The game sets these values before the copylock is executed, so we had better do that too. Execute the copylock: "G 522DA".
Wait a few seconds for the routine to finish and enter ARIV again. View the contents of address F4: "M F4".
Armed with the copylock key, insert the copy of disk 1 and load in the main file: "LM CODE,30000". Just as earlier, enable the decrypter: "ROBD" and disassemble the start of the copylock: "D 522DA". Stop when this appears:
The disk-accessing part and the key calculations of the copylock are done within the code from address 526BC to 52702.
Registers are saved by the code at address 526BC. Address 526D0 is a good place to wire the key in, as no disk routines have been called yet. After the key is placed in D0, we clear D1. We can then branch to the address that restores the registers again. D0 & D1 are not saved. Disassemble a bit further:
Address 52700 moves the key from D6 to D0 (we skip this part) and the registers are restored at 52702, our branch address.
Address 52706 branches to the second part of the copylock, you know, where the key is moved to F4 and the fake is moved to D0.
Assemble address 526D0 and insert the code you see above to wire the key in.
The decrypter is still active, so the code we insert will automatically be EOR'ed; no need for a calculator. All that is left to do now is to save the file back: "SM CODE,30000 52BD8".
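As an added example (not part of the original tutorial, and not the listing the page refers to, which is not reproduced here), the following Python script encodes the three-instruction key wire the text describes for address 526D0: move the key into D0, clear D1, branch to the register restore at 52702. It assumes the wire is MOVE.L #key,D0 / MOVEQ #0,D1 / BRA 52702; the key value 0x12345678 is a constructed placeholder to be replaced with the value read from F4, and the addresses are the ones given above. It also computes where the patch sits inside the saved CODE file (loaded at 30000) and checks that the wire does not run into the restore code.

```python
"""Added example: encode the key-wire patch for address 526D0.

Assumed instruction sequence (the page's own listing is not reproduced):
  MOVE.L #key,D0 ; MOVEQ #0,D1 ; BRA 52702
The key 0x12345678 used in __main__ is a constructed placeholder.
"""
import struct

LOAD_BASE = 0x30000      # "LM CODE,30000": the file starts at this address
PATCH_ADDR = 0x526D0     # wire the key in here, before any disk routine is called
RESTORE_ADDR = 0x52702   # the instruction that restores the saved registers
FILE_END = 0x52BD8       # "SM CODE,30000 52BD8"


def encode_move_l_imm_d0(value):
    """MOVE.L #imm32,D0 -> opcode 203C followed by the 32-bit immediate."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("key must fit in 32 bits")
    return struct.pack(">HI", 0x203C, value)


def encode_moveq(value, dreg):
    """MOVEQ #imm8,Dn -> 0111 rrr0 dddddddd (the CPU sign-extends to 32 bits)."""
    if not -128 <= value <= 127:
        raise ValueError("MOVEQ immediate must fit in a signed byte")
    if not 0 <= dreg <= 7:
        raise ValueError("bad data register")
    return struct.pack(">H", 0x7000 | (dreg << 9) | (value & 0xFF))


def encode_bra(pc, target):
    """BRA to target from an instruction at pc; displacement is relative to pc+2.

    The short form cannot encode displacements 0x00 or 0xFF (those select the
    .W and .L forms), so fall back to BRA.W with a 16-bit displacement word.
    """
    disp = target - (pc + 2)
    if -128 <= disp <= 127 and disp not in (0, -1):
        return struct.pack(">H", 0x6000 | (disp & 0xFF))
    if -32768 <= disp <= 32767:
        return struct.pack(">Hh", 0x6000, disp)
    raise ValueError("branch target out of range for BRA")


def build_key_wire(key, patch_addr=PATCH_ADDR, restore_addr=RESTORE_ADDR):
    """Plaintext bytes of the wire; also checks that it ends before restore_addr."""
    code = encode_move_l_imm_d0(key)                           # key into D0
    code += encode_moveq(0, 1)                                 # clear D1 (MOVEQ assumed)
    code += encode_bra(patch_addr + len(code), restore_addr)   # skip the disk/key code
    if patch_addr + len(code) > restore_addr:
        raise ValueError("patch overruns the register-restore code")
    return code


def file_offset(addr, load_base=LOAD_BASE, file_end=FILE_END):
    """Offset of a memory address inside the saved CODE file."""
    if not load_base <= addr < file_end:
        raise ValueError("address is outside the loaded file")
    return addr - load_base


if __name__ == "__main__":
    key = 0x12345678  # constructed placeholder; substitute the value shown by "M F4"
    wire = build_key_wire(key)
    print("bytes to assemble at %05X: %s" % (PATCH_ADDR, wire.hex().upper()))
    print("file offset of the patch: %05X" % file_offset(PATCH_ADDR))
```

These are the plaintext bytes, i.e. what you type into the ARIV assembler with the decrypter enabled. Because "ROBD" is still active when you assemble, what lands in the saved file is the EOR'ed form, so do not write these bytes into the file raw with a hex editor; the offset is only useful for locating the patch afterwards.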
Dedicated to sweet sweet Victoria