Submitted by: Rob
Date: 2005-07-14 15:38
You will need the following:
1. Original game
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. ByteKiller V1.3 (find it on amigastuff.com)
Start by making a copy of the original game disk. This is to determine the type of protection.
You'll notice an error on track 0. This is some type of disk-based protection, where a specially written track can't be duplicated.
Boot the copy of the game. After some loading, a screen like this will appear:
Perhaps you heard the classic sound of Copylock working, or noticed the track counter moving to 0, before this appeared?
Let's grab the decrunched main file and crack the annoying Copylock.
Boot the copy of the game and enter AR when it begins to load. Press "D" + Enter. You will receive an address in the 300 area of memory. Let's see where this starts: type "N 0" and hit Enter a few times.
Data seems to start around address 100. Disassemble and look out for jumps:
Address 14A jumps into the loaded data. Set a breakpoint on this address and exit AR: "BS 14A". When it's finished loading, AR will pop up.
When AR activates, press "R" to see the registers. A2 points to the start of the file. This file is crunched, and we are of course interested in the decrunched data. Disassemble address 20000 and watch out for jumps:
Address 2005A jumps into the decrunched data. Assemble at 2005A and insert a "BRA 2005A", causing it to loop. A breakpoint is not suitable here, as the file is moved to lower chip memory, and a breakpoint would cause the Amiga to crash.
Exit AR and wait a few seconds for the file to get decrunched.
Enter AR again and press "D" + Enter. If you are stuck at the loop, the file is decrunched. Then find its start address by pressing "R" + Enter. Address 1000 is the start of the file.
Locate the Copylock by searching for the opcodes 48 7A ("PEA xxxx(PC)"), which Copylocks always start with: "F 48 7A". AR returns addresses 1872 and 1882. Disassemble 1872 and hold Enter down until the bottom of the screen has been reached. Scroll back up and stop when you find the start of the routine:
It seems to start at 186C. Check what calls it: "FA 186C". AR returns address 1032. Disassemble and hit Enter a few times. The Copylock is called by a BSR; right after this, we have another BSR. Disassemble 1652 and hit Enter a few times:
The Copylock key is compared at address 1656. If it matches, the game branches to address 1662 and continues to load. Change the "CMPI.L" to a "MOVE.L". This will move the key to the correct memory location. Then NOP out the BEQ and the RTS, see above. There is no need for the Copylock routine to be called, so NOP out the call:
We now have a cracked version of the main file in memory. Let's save the file and repack it. The file starts at address 1000, but where does it end? Type "NQ 1000" and press Enter. Lots of junk will flash over your screen, and it seems to end around address 9BD5.
Insert a blank disk and save memory: "SM 1,1000 9D00". This should ensure that we have all the data. Greets Alpha 1 :)
Copy the file to the same disk as you have ByteKiller on. Start BK and crunch the file. Fill in the spaces marked in red:
This will crunch our file to an exe file called "VC". The file will load and decrunch the data to address 1000.
Why a file called VC? Because this is the name of the main file :)
Copy the crunched file to the copy of the game, overwriting the old one.
The last thing is to make a little modification to the boot block.
Read the boot block into memory, starting at address 70000: "RT 0 1 70000". Disassemble 7000C and stop when this appears:
The original file is executed by the "JMP (A2)" at line 70084. This won't work any more, due to the copy routine. The boot block loads the file to address 600. Assemble at 70076 and insert a "JMP 600.S". Correct the boot block checksum:
Write the boot block back: "WT 0 1 70000".
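The checksum that needs correcting is the standard AmigaDOS boot block one: the 256 big-endian longwords of the 1024-byte block, added with end-around carry, must total 0xFFFFFFFF, so any change to the boot code invalidates the stored value at offset 4. The Python below is added here as an illustration and is not code from the original post; it computes, verifies and recomputes that checksum on a boot block image, and the sample block it works on is constructed (a DOS signature, a root block pointer and filler bytes, not a real boot block).

```python
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4     # the longword right after the "DOS\0" signature


def ones_complement_sum(data: bytes, zero_checksum_field: bool) -> int:
    """Add all 256 big-endian longwords with end-around carry (the carry out of
    bit 31 is added back in). Optionally treat the checksum field as zero."""
    if len(data) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if zero_checksum_field and off == CHECKSUM_OFFSET:
            continue
        total += struct.unpack_from(">I", data, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def bootblock_checksum(data: bytes) -> int:
    """Value that belongs at offset 4 so that the whole block sums to 0xFFFFFFFF."""
    return (~ones_complement_sum(data, zero_checksum_field=True)) & 0xFFFFFFFF


def verify_bootblock(data: bytes) -> bool:
    """True if the block carries a DOS signature and its checksum is intact."""
    return (data[:3] == b"DOS"
            and ones_complement_sum(data, zero_checksum_field=False) == 0xFFFFFFFF)


def fix_bootblock(data: bytes) -> bytes:
    """Return a copy whose checksum field matches the current contents."""
    out = bytearray(data)
    struct.pack_into(">I", out, CHECKSUM_OFFSET, bootblock_checksum(data))
    return bytes(out)


# Constructed sample: "DOS\0" signature, zeroed checksum field, root block 880,
# then filler bytes standing in for boot code (not a real game's boot block).
SAMPLE_BOOTBLOCK = (b"DOS\0" + b"\0\0\0\0" + struct.pack(">I", 880)
                    + bytes(range(256)) * 3 + b"\0" * 244)

if __name__ == "__main__":
    patched = fix_bootblock(SAMPLE_BOOTBLOCK)
    print(f"checksum {bootblock_checksum(SAMPLE_BOOTBLOCK):08X}, "
          f"valid before: {verify_bootblock(SAMPLE_BOOTBLOCK)}, after: {verify_bootblock(patched)}")
```

Running the same verification over a boot block read back from a disk is a quick way to tell an intact boot block from one that has been patched without its checksum being updated.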
And you are done :)