02 December 2010, 11:06 | #41
Banned
Join Date: Aug 2008
Location: 1
Posts: 114
Quote:
ALWAYS check whole copylock.
02 December 2010, 21:07 | #42
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,187
Lethal Weapon
Marty is so right!
Code:
Copylock Decrypter v0.01 (c) 2004 Codetapper of Action (codetapper@hotmail.com)
Copylock header found at $0
Copylock stack 1 found at $7a
Copylock stack 2 found at $3f0
Copylock key wiring position found at $40e
Copylock key wiring skip to position found at $458
Post copylock branch to address starts at $804
Copylock new magic number ($a573632c) compare at $47c
======[ Key calculation routine found at $4de: ]======
_4de move.w #$b,d1
_4e2 add.l d6,d6
_4e4 sub.l (a0)+,d6
_4e6 dbra d1,_4e2
_4ea move.l d6,($100).w ;Serial number stored at $100
_4ee addq.l #4,sp
_4f0 rts
======[ Post copylock code starts at $804: ]======
_804 lea $78(sp),a6 ;Set a6 to real copylock registers
_808 move.l d0,$1c(a6) ;Store serial number in real d7 register
_80c rol.l #1,d0
_80e move.l d0,(a6)+
_810 move.l d1,(a6)+
_812 rol.l #1,d0
_814 move.l d0,(a6)+
_816 rol.l #1,d0
_818 move.l d0,(a6)+
_81a rol.l #1,d0
_81c rol.l #1,d0
_81e move.l d0,(a6)+
_820 rol.l #1,d0
_822 move.l d0,(a6)+
_824 rol.l #1,d0
_826 move.l d0,(a6)+
_828 moveq #$0,d0
_82a moveq #$1,d0
_82c lea _83e(pc),a6
_830 move.l -$4(a6),d6
_834 add.l $8,d6
_83a or.w #$a71f,sr
_83e addi.l #$44,($24).l
Copylock stack 2 ends at $83e
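As an added worked example (not code from the thread or from Codetapper's decrypter), the two routines in the listing above re-expressed in Python: the key-calculation loop with 68k 32-bit wraparound, and the saved register frame that the post-copylock code derives from the serial, which is the state a bypass has to reproduce for the game to see the same values as a real run. The 12 sample longwords are constructed, not read from a disk.

```python
# Added example: Python re-expression of the two routines in the listing above.
# Not code from the thread or from Codetapper's decrypter; the sample longwords
# below are constructed, not read from a real disk.
MASK32 = 0xFFFFFFFF


def rol32(value, count):
    """68k rol.l: rotate a 32-bit value left by count bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def copylock_key(longwords, d6=0):
    """Key-calculation loop at _4de.._4f0.

    move.w #$b,d1 / add.l d6,d6 / sub.l (a0)+,d6 / dbra d1,_4e2
    dbra exits when d1 wraps to -1, so the loop runs d1+1 = 12 times and
    consumes exactly 12 longwords from (a0)+. Arithmetic wraps at 32 bits.
    """
    if len(longwords) < 12:
        raise ValueError("routine reads 12 longwords from (a0)+")
    for lw in longwords[:12]:
        d6 = ((d6 << 1) - lw) & MASK32
    return d6  # this is the value stored at ($100).w


def post_copylock_frame(serial, d1=0):
    """Register frame written by the post-copylock code at _804.._826.

    a6 points at the saved d0-d7 block; $1c(a6) is the d7 slot, then the
    successive (a6)+ stores fill d0..d6 with rotated copies of the serial.
    Returns the slot values as the real copylock leaves them.
    """
    frame = {"d7": serial}                 # _808 move.l d0,$1c(a6)
    d0 = rol32(serial, 1)
    frame["d0"] = d0                       # _80e, after one rol.l
    frame["d1"] = d1 & MASK32              # _810 stores d1 unchanged
    d0 = rol32(d0, 1); frame["d2"] = d0    # _814 (2 rotations total)
    d0 = rol32(d0, 1); frame["d3"] = d0    # _818 (3)
    d0 = rol32(d0, 2); frame["d4"] = d0    # _81e (5: two rol.l in a row)
    d0 = rol32(d0, 1); frame["d5"] = d0    # _822 (6)
    d0 = rol32(d0, 1); frame["d6"] = d0    # _826 (7)
    return frame


if __name__ == "__main__":
    sample = [0x12345678 + i for i in range(12)]   # constructed track data
    key = copylock_key(sample)
    print(f"serial stored at $100: ${key:08x}")
    for reg, val in sorted(post_copylock_frame(key).items()):
        print(f"{reg} = ${val:08x}")
```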
03 December 2010, 14:47 | #43
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Okay, I'll keep all this in mind.
Incidentally, do any of you lot happen to have the copylock key for Doodlebug on hand?
03 December 2010, 15:50 | #44
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
MethodGit.. Surely the idea is for you to decrypt and find it???
Or am I missing something?
03 December 2010, 20:19 | #45
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,187
Doodlebug
I have to agree with Bippy here!
MethodGit: You claim to have cracked several titles, yet Doodlebug is one of the easiest to crack titles of them all! If you can't work out the key on this title (even without the original) there's something seriously wrong, as the key is even in the game (3 times) with a basic compare instruction! This should make the job even more trivial:
Code:
Copylock Decrypter v0.01 (c) 2004 Codetapper of Action (codetapper@hotmail.com)
Copylock header found at $4
Copylock stack 1 found at $7e
Copylock stack 2 found at $3f4
Copylock key wiring position found at $412
Copylock key wiring skip to position found at $45c
Post copylock branch to address starts at $808
Copylock new magic number ($a573632c) compare at $480
======[ Key calculation routine found at $4e2: ]======
_4e2 move.w #$b,d1
_4e6 add.l d6,d6
_4e8 sub.l (a0)+,d6
_4ea dbra d1,_4e6
_4ee move.l d6,($100).w ;Serial number stored at $100
_4f2 addq.l #4,sp
_4f4 rts
======[ Post copylock code starts at $808: ]======
_808 lea $78(sp),a6 ;Set a6 to real copylock registers
_80c move.l d0,$1c(a6) ;Store serial number in real d7 register
_810 rol.l #1,d0
_812 move.l d0,(a6)+
_814 move.l d1,(a6)+
_816 rol.l #1,d0
_818 move.l d0,(a6)+
_81a rol.l #1,d0
_81c move.l d0,(a6)+
_81e rol.l #1,d0
_820 rol.l #1,d0
_822 move.l d0,(a6)+
_824 rol.l #1,d0
_826 move.l d0,(a6)+
_828 rol.l #1,d0
_82a move.l d0,(a6)+
_82c moveq #$0,d0
_82e moveq #$1,d0
_830 lea _842(pc),a6
_834 move.l -$4(a6),d6
_838 add.l $8,d6
_83e or.w #$a71f,sr
_842 addi.l #$44,($24).l
Copylock stack 2 ends at $842
04 December 2010, 11:20 | #46
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Funnily enough, I thought I had found the key before (35B23068), but if according to your log it uses a different key altogether, then that shows me!
04 December 2010, 12:27 | #47
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Where on the WHDLoad site is CopylockDecrypter? I can't find it, and it's not in whdload.de/whdload either.
04 December 2010, 14:35 | #48
R.I.P Smudge 18-08-16
Join Date: Aug 2005
Location: Leicester/UK
Age: 66
Posts: 3,968
04 December 2010, 15:34 | #49
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
I don't think that's the same program, tbh. The program CT uses is called "Copylock Decrypter" and is credited solely to him.
04 December 2010, 17:57 | #50
R.I.P Smudge 18-08-16
Join Date: Aug 2005
Location: Leicester/UK
Age: 66
Posts: 3,968
Quote:
04 December 2010, 19:03 | #51
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,187
I'm not sure I've ever released my decrypter, it's a C program that looks through a file for the telltale copylock chunks of code, does the decryption (eor.l the following instructions with the previous longword, and takes into account some extra modifications in a few games - e.g. Krusty's Fun House) and prints out the relevant bits with automatic comments based on what part of the copylock it is in.
The tool isn't complete as I originally intended it to decrypt the copylock part and save that so you can look at it in a proper disassembler, but other things came up. CopylockDecoder will show you exactly what instructions are executed in a copylock so you can use that or the AR 'robd' command. The key for Doodlebug is indeed $35b23068.
05 December 2010, 14:09 | #52
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Quote:
And thank you for the Doodlebug listing above, and for confirming that I had the key in my possession all along. Now looking at the "key wiring" and "skip to" positions, what are said positions relevant to? Is this after loading just the copylock chunk into the program like with those example copylocks you provided (run through CopylockDecoder etc)? It might help me work out what I must be doing wrong as said typical hardwire trick does not work straight away on it.
05 December 2010, 20:11 | #53
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,187
The offsets are all relative to wherever the copylock was found in the file. If you just save a binary dump of memory from $0-$80000 then it'll be at that offset.
I have a collection of just the copylock starting with either the 2 moveq #0 instructions that are usually before the copylock, or starting with the normal copylock code. Attached is the Doodlebug copylock so you can compare and work out the position. Note that Doodlebug again stores the key at $100 based on the key calculation routine running. If you wire the copylock and skip the disk check, that key won't be set, so you need to crack it properly.
05 December 2010, 21:36 | #54
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Quote:
05 December 2010, 21:39 | #55
Banned
Join Date: Aug 2008
Location: 1
Posts: 114
05 December 2010, 21:48 | #56
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Actually, I didn't say anything earlier - I thought I had made a certain post earlier but it's still sitting in the edit window on one of my tabs! >.<
And marty, what are you suggesting? Does the game do a check much later on and act funny if it doesn't find that key in $100? Because what I was originally going to say much earlier was that I did my usual hardwire trick in the copylock (after extracting the RNC chunk containing it, unpacking, editing, repacking and then injecting into the ADF) and I didn't get any of that Illegal Copy bollocks. I tested as far as beating (the first half of?) Level 1.
05 December 2010, 21:55 | #57
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,014
Quote:
It's clear that someone realised exactly how the better crackers were defeating older Copylocks by hardwiring the key and bypassing the read routines, so no matter what, the Copylock would always give back 100% the correct information that the game was expecting. So, some clever sods (someone at Ocean) asked Rob Northen to put some extra code into the Copylock, which, if the Copylock was cracked in the normal manner by hardwiring the key and bypassing the read routines, would mean the extra code would never get executed, which was an extra layer of copy protection. Gaston of Fairlight was caught out by Hook, as was every cracking group that cracked it for foreign versions. I would suspect Hook was not exclusive in its use of extra code.
05 December 2010, 21:56 | #58
Banned
Join Date: Aug 2008
Location: 1
Posts: 114
Quote:
WHATEVER REGISTERS AND / OR MEMORY ADDRESSES THE COPYLOCK MODIFY, YOU EMULATE IT 100%. NEVER EVER SKIP ANYTHING!!
05 December 2010, 22:17 | #59
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 40
Posts: 2,731
Funnily enough, I had also been snooping at Hook's seven(!) copylocks lately, and didn't get far with them. Now you've helped save me the bother of messing with this game any further, Galahad!
Back to Lethal Weapon....... so, ummm, all I literally have to do is get the key number copied to address 100? Please tell me it's as simple as a couple of instructions in the copylock to get that sorted....
05 December 2010, 22:21 | #60
Banned
Join Date: Aug 2008
Location: 1
Posts: 114
Quote:
move.l #$daeb43cf,$100