"Project 66" encryption thingy in Codemasters games

[marty]

Quote:

Originally Posted by MethodGit

Ah, maybe I'm supposed to decrypt/decode the copylock first after all. >.< Dang.

Its always important to check the whole copylock. The hardwire trick will not work on all copylocks. One example is Lethal Weapon, as it moves key to $100 in the disk-routines, and this part is skipped when hardwireing key.
ALLWAYS check whole copylock.

[Codetapper]

Marty is so right!

Code:

Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $0
Copylock stack 1 found at $7a
Copylock stack 2 found at $3f0
Copylock key wiring position found at $40e
Copylock key wiring skip to position found at $458
Post copylock branch to address starts at $804
Copylock new magic number ($a573632c) compare at $47c

======[ Key calculation routine found at $4de: ]======
_4de   	move.w	#$b,d1
_4e2   	add.l	d6,d6
_4e4   	sub.l	(a0)+,d6
_4e6   	dbra	d1,_4e2
_4ea   	move.l	d6,($100).w	;Serial number stored at $100
_4ee   	addq.l	#4,sp
_4f0   	rts	

======[ Post copylock code starts at $804: ]======
_804   	lea	$78(sp),a6	;Set a6 to real copylock registers
_808   	move.l	d0,$1c(a6)	;Store serial number in real d7 register
_80c   	rol.l	#1,d0
_80e   	move.l	d0,(a6)+
_810   	move.l	d1,(a6)+
_812   	rol.l	#1,d0
_814   	move.l	d0,(a6)+
_816   	rol.l	#1,d0
_818   	move.l	d0,(a6)+
_81a   	rol.l	#1,d0
_81c   	rol.l	#1,d0
_81e   	move.l	d0,(a6)+
_820   	rol.l	#1,d0
_822   	move.l	d0,(a6)+
_824   	rol.l	#1,d0
_826   	move.l	d0,(a6)+
_828   	moveq	#$0,d0
_82a   	moveq	#$1,d0
_82c   	lea	_83e(pc),a6
_830   	move.l	-$4(a6),d6
_834   	add.l	$8,d6
_83a   	or.w	#$a71f,sr
_83e   	addi.l	#$44,($24).l
Copylock stack 2 ends at $83e

[MethodGit]

Okay, I'll keep all this in mind.

Incidentally, do any of you lot happen to have the copylock key for Doodlebug on hand?

[BippyM]

MethodGit.. Surely the idea is for you to decrypt and find it???

Or am I missing something?

[Codetapper]

I have to agree with Bippy here!

MethodGit: You claim to have cracked several titles, yet Doodlebug is one of the easiest to crack titles of them all! If you can't work out the key on this title (even without the original) there's something seriously wrong, as the key is even in the game (3 times) with a basic compare instruction!

This should make the job even more trivial:

Code:

Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $4
Copylock stack 1 found at $7e
Copylock stack 2 found at $3f4
Copylock key wiring position found at $412
Copylock key wiring skip to position found at $45c
Post copylock branch to address starts at $808
Copylock new magic number ($a573632c) compare at $480

======[ Key calculation routine found at $4e2: ]======
_4e2   	move.w	#$b,d1
_4e6   	add.l	d6,d6
_4e8   	sub.l	(a0)+,d6
_4ea   	dbra	d1,_4e6
_4ee   	move.l	d6,($100).w	;Serial number stored at $100
_4f2   	addq.l	#4,sp
_4f4   	rts	

======[ Post copylock code starts at $808: ]======
_808   	lea	$78(sp),a6	;Set a6 to real copylock registers
_80c   	move.l	d0,$1c(a6)	;Store serial number in real d7 register
_810   	rol.l	#1,d0
_812   	move.l	d0,(a6)+
_814   	move.l	d1,(a6)+
_816   	rol.l	#1,d0
_818   	move.l	d0,(a6)+
_81a   	rol.l	#1,d0
_81c   	move.l	d0,(a6)+
_81e   	rol.l	#1,d0
_820   	rol.l	#1,d0
_822   	move.l	d0,(a6)+
_824   	rol.l	#1,d0
_826   	move.l	d0,(a6)+
_828   	rol.l	#1,d0
_82a   	move.l	d0,(a6)+
_82c   	moveq	#$0,d0
_82e   	moveq	#$1,d0
_830   	lea	_842(pc),a6
_834   	move.l	-$4(a6),d6
_838   	add.l	$8,d6
_83e   	or.w	#$a71f,sr
_842   	addi.l	#$44,($24).l
Copylock stack 2 ends at $842

[MethodGit]

Funnily enough, I thought I had found the key before (35B23068), but if according to your log it uses a different key altogether, then that shows me!

[MethodGit]

Where on the WHDLoad site is CopylockDecrypter? I can't find it, and it's not in whdload.de/whdload either.

[Arnie]

Try http://whdloadrules.tripod.com/copylock_fmwce.html or http://zakalwe.fi/~shd/amiga-cracking/

[MethodGit]

I don't think that's the same program, tbh. The program CT uses is called "Copylock Decrypter" and is credited solely to him.

[Arnie]

Quote:

Originally Posted by Codetapper

MethodGit: I suggest you would learn a lot by using CopylockDecoder, put the original IPF in the drive and let it decode. Then you can disassemble the decoded file without needing the AR cart and you can study the code that the copylock runs.

Note that it only decodes instructions that it runs, so there will be large blank areas in the decoded file where the code doesn't run.

Read the docs that come with CopylockDecoder. Seriously. Do it! It should answer all your questions!

PS: CopylockDecoder is on the WHDLoad site if you can't find it.

Sorry, iI thought you were looking for CopylockDecoder.

[Codetapper]

I'm not sure I've ever released my decrypter, it's a C program that looks through a file for the telltale copylock chunks of code, does the decryption (eor.l the following instructions with the previous longword, and takes into account some extra modifications in a few games - eg. Krusty's Fun House) and prints out the relevant bits with automatic comments based on what part of the copylock it is in.

The tool isn't complete as I originally intended it to decrypt the copylock part and save that so you can look at it in a proper disassembler, but other things came up.

CopylockDecoder will show you exactly what instructions are executed in a copylock so you can use that or the AR 'robd' command.

The key for Doodlebug is indeed $35b23068.

[MethodGit]

Quote:

Originally Posted by Codetapper

I'm not sure I've ever released my decrypter, it's a C program that looks through a file for the telltale copylock chunks of code, does the decryption (eor.l the following instructions with the previous longword, and takes into account some extra modifications in a few games - eg. Krusty's Fun House) and prints out the relevant bits with automatic comments based on what part of the copylock it is in.

The tool isn't complete as I originally intended it to decrypt the copylock part and save that so you can look at it in a proper disassembler, but other things came up.

CopylockDecoder will show you exactly what instructions are executed in a copylock so you can use that or the AR 'robd' command.

The key for Doodlebug is indeed $35b23068.

I see, thanks for clearing that up.

And thank you for the Doodlebug listing above, and for confirming that I had the key in my possession all along.

Now looking at the "key wiring" and "skip to" positions, what are said positions relevant to? Is this after loading just the copylock chunk into the program like with those example copylocks you provided (run through CopylockDecoder etc)? It might help me work out what I must be doing wrong as said typical hardwire trick does not work straight away on it.

[Codetapper]

The offsets are all relative to wherever the copylock was found in the file. If you just save a binary dump of memory from $0-$80000 then it'll be at that offset.

I have a collection of just the copylock starting with either the 2 moveq #0 instructions that are usually before the copylock, or starting with the normal copylock code. Attached is the Doodlebug copylock so you can compare and work out the position.

Note that Doodlebug again stores the key at $100 based on the key calculation routine running. If you wire the copylock and skip the disk check, that key won't be set, so you need to crack it properly.

[MethodGit]

Quote:

Originally Posted by Codetapper

The offsets are all relative to wherever the copylock was found in the file. If you just save a binary dump of memory from $0-$80000 then it'll be at that offset.

I have a collection of just the copylock starting with either the 2 moveq #0 instructions that are usually before the copylock, or starting with the normal copylock code. Attached is the Doodlebug copylock so you can compare and work out the position.

Note that Doodlebug again stores the key at $100 based on the key calculation routine running. If you wire the copylock and skip the disk check, that key won't be set, so you need to crack it properly.

Got it. Though as I said just earlier, marty said there was a similar $100 situation with Lethal Weapon but I just did my usual hardwire thing and it worked like a rocket.

[marty]

Quote:

Originally Posted by MethodGit

Got it. Though as I said just earlier, marty said there was a similar $100 situation with Lethal Weapon but I just did my usual hardwire thing and it worked like a rocket.

Yes, and now you got no key at $100.
Put it there as part of your crack patch

[MethodGit]

Actually, I didn't say anything earlier - I thought I had made a certain post earlier but it's still sitting in the edit window on one of my tabs! >.<

And marty, what are you suggesting? Does the game do a check much later on and act funny if it doesn't find that key in $100? Because what I was originally going to say much earlier was that I did my usual hardwire trick in the copylock (after extracting the RNC chunk containing it, unpacking, editing, repacking and then injecting into the ADF) and I didn't get any of that Illegal Copy bollocks. I tested as far as beating (the first half of?) Level 1.

[Galahad/FLT]

Quote:

Originally Posted by MethodGit

Actually, I didn't say anything earlier - I thought I had made a certain post earlier but it's still sitting in the edit window on one of my tabs! >.<

And marty, what are you suggesting? Does the game do a check much later on and act funny if it doesn't find that key in $100? Because what I was originally going to say much earlier was that I did my usual hardwire trick in the copylock (after extracting the RNC chunk containing it, unpacking, editing, repacking and then injecting into the ADF) and I didn't get any of that Illegal Copy bollocks. I tested as far as beating (the first half of?) Level 1.

A few Copylocks had extra information put in them.

Its clear that someone realised exactly how the better crackers were defeating older Copylocks by hardwiring the key and bypassing the read routines, so no matter what, the Copylock would always give back 100% the correct information that the game was expecting.

So, some clever sods (someone at Ocean) asked Rob Northen to put some extra code into the Copylock, which, if the Copylock was cracked in the normal manner by hardwiring the key and bypassing the read routines, would mean the extra code would never get executed which was an extra layer of copy protection.

Gaston of Fairlight was caught out by Hook, as was every cracking group that cracked it for foreign versions.

I would suspect Hook was not exclusive in its use of extra code.

[marty]

Quote:

Originally Posted by MethodGit

Actually, I didn't say anything earlier - I thought I had made a certain post earlier but it's still sitting in the edit window on one of my tabs! >.<

And marty, what are you suggesting? Does the game do a check much later on and act funny if it doesn't find that key in $100? Because what I was originally going to say much earlier was that I did my usual hardwire trick in the copylock (after extracting the RNC chunk containing it, unpacking, editing, repacking and then injecting into the ADF) and I didn't get any of that Illegal Copy bollocks. I tested as far as beating (the first half of?) Level 1.

I can't remember, but it really does not matter. This is a great advice, please read it and hopefully understand it;

WHATEVER REGISTERS AND / OR MEMORY ADDRESSES THE COPYLOCK
MODIFY, YOU EMULATE IT 100%. NEVER EVER SKIP ANYTHING!!

[MethodGit]

Funnily enough, I had also been snooping at Hook's seven(!) copylocks lately, and didn't get far with them. Now you've helped save me the bother of messing with this game any further, Galahad!

Back to Lethal Weapon....... so, ummm, all I literally have to do is get the key number copied to address 100? Please tell me it's as simple as a couple of instructions in the copylock to get that sorted....

[marty]

Quote:

Originally Posted by MethodGit

Funnily enough, I had also been snooping at Hook's seven(!) copylocks lately, and didn't get far with them. Now you've helped save me the bother of messing with this game any further, Galahad!

Back to Lethal Weapon....... so, ummm, all I literally have to do is get the key number copied to address 100? Please tell me it's as simple as a couple of instructions in the copylock to get that sorted....

You could try with;

move.l #$daeb43cf,$100