Ruff 'n' Tumble
Renegade/Worldwide (1994)

- I used the original disk from the IPF #199
- AR and/or a disassembler/debugger (this tutorial is not tied to a specific one)
- an assembler (AsmOne/DevPac/Barfly...) if you want to crack from the boot.
First of all, make a copy of disk 1. The copy stops at start on a black screen.
A quick scan of the disk with X-Copy shows an error on track 1. Seems to be a disk-based protection.

Take a look at the bootblock :

bingo, it's a copylock ;)
There are several ways to find the copylock:
from AR, or by disassembling the boot (I loaded and disassembled the starter program: 11 blocks loaded from block 24).

Quickly, I found the copylock routine by searching for the pea and/or illegal instructions:

Code:
moveq #0,d0
moveq #1,d1
lea $110.w,a3
pea getvalue(pc) ; copylock : patch here
move.l (sp)+,$10 ; illegal instruction vector now points to getvalue
illegal
getvalue: ...
The key is saved at $110.
Just after the copylock, the starter loads the main program at $804 and decodes it with the key before starting it:
Code:
move.l $110.w,d0 ; the copylock key
lea $804.w,a0
move.w #$e80,d7 ; $e81 longwords to decode
.decrypt:
move.l (a0),d1
eor.l d0,d1
move.l d1,(a0)+
rol.l #1,d0 ; key rotated one bit per longword
dbf d7,.decrypt
jmp $804.w ; start main
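To make the decode loop above easier to study, here is a re-implementation in Python (an added example, not code from the tutorial or from the game): each big-endian longword is XORed with the key, and the key is rotated left by one bit after every longword. The sample data is constructed, not taken from the disk.

```python
# Re-implementation of the starter's decode loop (added example):
# longword i is XORed with rol32(key, i).  XOR is its own inverse, so the
# same function encrypts and decrypts.
import struct

MASK32 = 0xFFFFFFFF


def rol32(value: int, bits: int) -> int:
    """Rotate a 32-bit value left, like the 68000 rol.l instruction."""
    bits %= 32
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def xor_rolling_key(data: bytes, key: int) -> bytes:
    """Apply the starter's transform to whole 32-bit big-endian longwords.

    The game's loop covers $e81 longwords starting at $804; here the length
    is whatever is passed in, as long as it is a multiple of 4.
    """
    if len(data) % 4:
        raise ValueError("data must be a whole number of 32-bit longwords")
    out = bytearray()
    k = key & MASK32
    for (lw,) in struct.iter_unpack(">I", data):  # big-endian, as on the 68000
        out += struct.pack(">I", lw ^ k)          # eor.l d0,d1
        k = rol32(k, 1)                           # rol.l #1,d0
    return bytes(out)


KEY = 0xBED7B57D  # the value the tutorial reads back at $110


def demo() -> tuple[bool, bool]:
    """Round-trip constructed data; show a wrong key does not decode it."""
    plaintext = bytes(range(160))  # constructed 40-longword "program"
    encrypted = xor_rolling_key(plaintext, KEY)
    decrypted = xor_rolling_key(encrypted, KEY)
    wrong = xor_rolling_key(encrypted, KEY ^ 1)
    return decrypted == plaintext, wrong != plaintext


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Note that the keystream is just the 32 rotations of the key, so it repeats every 32 longwords: the protection rests entirely on the copylock key itself, not on the cipher.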
Reboot, and with AR, stop when the picture appears.
Take a look at address $110 in memory: m 110

Code:
BE D7 B5 7D
Here is the copylock key.
Now we have to patch the copylock with the good key, either directly in the starter program or from the boot after loading it and before starting it.
Patch after lea $110.w,a3:
Code:
move.l #$BED7B57D,d0
move.l d0,(a3) ; put good key at 110
rts ; no more copylock test
I did it from the boot, by rewriting the boot:

Code added in the boot before the start. The program address is in a3:
Code:
loader
...
lea patch(pc),a0
lea $77c(a3),a1 ; here is the copylock routine to patch
moveq #s-1,d7
.copy move.b (a0)+,(a1)+
dbf d7,.copy
; original code
movea.l 8.l,a5
jmp (a3) ; start
patch:
move.l #$BED7B57D,d0
move.l d0,(a3) ; put good key at 110
rts
s=*-patch
You have just enough room in the boot to put a trainer (and even a little "textro" or other tiny code).
Reboot, and enjoy. Seems to work.

If you have doubts about another copylock in the main "crypted" program, put a breakpoint with AR at $804 to take a look at the decrypted code. Seems to be nothing more for this game.
We can see that the program loads a "directory" file with the information about all the files of the game (sector position, length, disk number...): great ;)
PS: tested with the trainer by Gradius/Anthrox.