06 August 2011, 20:26 | #1 | Junior Member
How does one work out the 16-bit key for an RNC archive?
I'll admit, it was only because HOL published the key on PushOver's page that I could decrunch the data for that game, but there's no such convenient information for Legacy Of Sorasil. I even consulted the source for the WHDLoad install and it made no reference to it.
So is it an easy thing to work out manually, or fiendishly difficult?
06 August 2011, 21:08 | #2 | Going nowhere
Er, it's the easiest thing in the world. The RNC depack routine is passed it as a parameter in one of the Data registers (can't remember which one, it's been a long time), so simply breakpoint when the RNC depack is called, or simply track back through the code and find something that sticks a big longword into one of the data registers, and that'll be the key.
06 August 2011, 23:36 | #3 | Junior Member
Well, first I noticed how PushOver's EXE does reference its own key during the depack routine, moving #1984 to D5, so I thought there'd be something similar in LoS's executable.
No such luck!
Code:
CMPI.L  #524E4301,(A0)+    ; "RNC" followed by method byte 1: the RNC1 signature
BNE.B   (E2)               ; not an RNC1 chunk, bail out
MOVE.L  (A0)+,D0           ; header+4: unpacked length
LEA     A(A0),A3           ; A3 = start of packed data (skips the rest of the 18-byte header)
LEA     0(A5,D0.L),A6      ; A6 = destination base (A5) + unpacked length
MOVE.L  (A0)+,D0           ; header+8: packed length
LEA     0(A3,D0.L),A4      ; A4 = end of packed data
MOVE.L  -E(A3),-(A7)       ; push the unpacked length again (header+4)
MOVEQ   #0,D0
MOVE.B  -2(A3),D0          ; header+16: leeway byte
LEA     0(A6,D0.L),A0      ; A0 = destination end + leeway
MOVE.L  A4,D0
BTST    #0,D0              ; does the packed data end on an odd address?
BEQ.B   (04)
Mind you, with Pushover I'm looking at the routine deep inside an already depacked EXE, whereas the EXE for LoS is itself packed and seemingly key-protected, so that probably explains it.
07 August 2011, 01:21 | #4 | move.l #$c0ff33,throat
The key is $5ED0 and it took me about 30 seconds to find it. I explained in your other threads what to do so I won't repeat myself here.
07 August 2011, 01:35 | #5 | Junior Member
Well that showed me! Perhaps I shouldn't have taken the "find an instruction moving key to data register" suggestion at such face value. The only reference to $5ED0 I could find in the EXE was deep inside one of the RNC chunks within the file. So it's obviously getting its key through a calculation rather than being fed it directly.
EDIT: Hmmm, for some reason ProPack is claiming it to be the wrong key when I try to unpack the file with $5ED0. And XFDDecrunch thinks the EXE isn't even crunched at all. Last edited by MethodGit; 07 August 2011 at 01:45.
07 August 2011, 01:37 | #6 | move.l #$c0ff33,throat
07 August 2011, 01:48 | #7 | Junior Member
You sure that doesn't appear until after depacking or something? I've looked at the depack routine at the start of the EXE again and at no point does it list a "move.w #$5ed0,d0".
EDIT: Hang on, after unpacking the EXE from the TRZ crack release - which isn't key-protected - I finally discover a couple of references to the above instruction - which was inside a packed RNC chunk to begin with. No wonder I couldn't find it! Also, without knowing you posted again at the time, I just updated my previous post. In short, that key still won't let me unpack for whatever reason?
07 August 2011, 03:24 | #8 | Going nowhere
For a start there are two types of RNC Propack files: RNC1 and RNC2. Legacy of Sorasil is packed with RNC1, which only uses a WORD size key. RNC2 uses a LONGWORD size key.

I don't know why I bothered to check seeing as Stingray already did so, but frankly, I can't understand why you had a problem. As I suspected, checking any routines that go to the depack routine took me straight to a MOVE.L #$00005ED0,d0 line of code. The reason they've used a longword is to ensure that the higher word of D0 is clear; could be that they were going to use RNC2 at some point but opted not to bother, but the code for the RNC Propack depack clearly only uses a word size key, therefore it is RNC1 depack.
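Added example (not from the thread and not ProPack's own code): a Python scanner that finds RNC chunks at any offset in a file and decodes the 18-byte header the 68k routine in post #3 walks (signature "RNC" plus method byte, unpacked length at +4, packed length at +8, the two CRCs at +12 and +14, the leeway byte at +16 that MOVE.B -2(A3) fetches, chunk count at +17). Because it searches instead of only checking offset 0, it sees a chunk sitting behind a depacker stub at the front of an executable, which is the case a detector that only looks at the file start misses. The CRC is the reflected 0xA001 (CRC-16/ARC) used by the public dernc depacker; the thread does not establish whether a key-protected payload still matches its header CRC, so a mismatch is reported, not interpreted. The sample "executable", the helper build_rnc_chunk and the function names are constructed for this example.

```python
"""Locate RNC ProPack chunks embedded in a file and sanity-check their headers.

Added example (not code from the thread or from ProPack). Header layout and
CRC follow the public dernc depacker; offsets match the 68k routine in post #3.
"""
import struct

RNC_MAGIC = b"RNC"
RNC_HEADER_LEN = 18   # "RNC", method, unpacked len, packed len, 2 CRCs, leeway, chunk count


def _make_crc_table():
    # CRC-16 with reflected polynomial 0xA001 (CRC-16/ARC), as RNC depackers use
    table = []
    for i in range(256):
        v = i
        for _ in range(8):
            v = (v >> 1) ^ 0xA001 if v & 1 else v >> 1
        table.append(v)
    return table


_CRC_TABLE = _make_crc_table()


def rnc_crc16(data: bytes) -> int:
    """CRC-16 over data: poly 0xA001, init 0, no final XOR (check value 0xBB3D)."""
    crc = 0
    for b in data:
        crc = (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]
    return crc


def parse_rnc_header(buf: bytes, off: int) -> dict:
    """Decode the 18-byte header at buf[off:]; raises if it is not RNC1/RNC2."""
    if buf[off:off + 3] != RNC_MAGIC or buf[off + 3] not in (1, 2):
        raise ValueError(f"no RNC1/RNC2 header at {off:#x}")
    unpacked_len, packed_len, unpacked_crc, packed_crc, leeway, chunks = \
        struct.unpack_from(">IIHHBB", buf, off + 4)
    return {
        "offset": off,
        "method": buf[off + 3],
        "unpacked_len": unpacked_len,   # header+4, pushed via -E(A3) in post #3
        "packed_len": packed_len,       # header+8
        "unpacked_crc": unpacked_crc,   # header+12
        "packed_crc": packed_crc,       # header+14
        "leeway": leeway,               # header+16, the MOVE.B -2(A3) byte
        "chunks": chunks,               # header+17
    }


def scan_rnc_chunks(buf: bytes) -> list:
    """Find every RNC1/RNC2 chunk in buf, at any offset, and check its packed CRC."""
    found = []
    pos = buf.find(RNC_MAGIC)
    while pos != -1:
        if pos + RNC_HEADER_LEN <= len(buf) and buf[pos + 3] in (1, 2):
            hdr = parse_rnc_header(buf, pos)
            start = pos + RNC_HEADER_LEN
            payload = buf[start:start + hdr["packed_len"]]
            hdr["truncated"] = len(payload) < hdr["packed_len"]
            hdr["packed_crc_ok"] = (not hdr["truncated"]
                                    and rnc_crc16(payload) == hdr["packed_crc"])
            found.append(hdr)
        pos = buf.find(RNC_MAGIC, pos + 1)
    return found


def build_rnc_chunk(method: int, payload: bytes, unpacked_len: int,
                    leeway: int = 0, chunks: int = 1, packed_crc: int = None) -> bytes:
    """Assemble a header + payload (used here only to construct sample data)."""
    if packed_crc is None:
        packed_crc = rnc_crc16(payload)
    header = RNC_MAGIC + bytes([method]) + struct.pack(
        ">IIHHBB", unpacked_len, len(payload), 0, packed_crc, leeway, chunks)
    return header + payload


# Constructed sample "executable": a stub in front, then a good RNC1 chunk,
# a stray "RNC" string that is not a chunk, and an RNC2 chunk whose packed CRC
# does not match (what a corrupt or otherwise altered payload looks like).
_GOOD = bytes.fromhex("123456789abc")
_BAD = bytes.fromhex("deadbeef")
SAMPLE_EXE = (
    bytes.fromhex("000003f3") + b"\x00" * 28
    + build_rnc_chunk(1, _GOOD, unpacked_len=64, leeway=2)
    + b"RNCx"
    + build_rnc_chunk(2, _BAD, unpacked_len=128, packed_crc=rnc_crc16(_BAD) ^ 0xFFFF)
)

if __name__ == "__main__":
    for c in scan_rnc_chunks(SAMPLE_EXE):
        print(f"RNC{c['method']} at {c['offset']:#06x}: packed {c['packed_len']} -> "
              f"unpacked {c['unpacked_len']}, leeway {c['leeway']}, "
              f"packed CRC {'ok' if c['packed_crc_ok'] else 'MISMATCH'}")
```

Run it against a real file by replacing SAMPLE_EXE with the file's bytes; a chunk reported at a non-zero offset behind a depacker stub is the situation described above, and the packed CRC tells a corrupt rip apart from one that merely needs a key.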
07 August 2011, 05:22 | #9 | Junior Member
Aaaah, so I see. I always wondered what differences between RNC1 and RNC2 existed.
BTW, Galahad, do you know if Sorasil's executable ("QuestII") is even unpackable with any tool? This is the command I feed to ProPack: Code:
ProPack u a -k 0x5ed0 QuestII
07 August 2011, 09:57 | #10 | move.l #$c0ff33,throat
Of course it is unpackable, after all the game must run so it has to depack itself. And if you use the right key you won't get a "WRONG KEY" message either. $5ed0 is the key for the data files, to get the key for the executable you have to look at the decruncher code (as I said so often before) and then you need to find a way to obtain the key. Not very hard. I could give you the key (it's not much different to the key for the data files) but this time I want you to come up with a solution since you have all info you need.
07 August 2011, 10:20 | #11 | 2 contact me: email only!
I can't help but thinking that this thread is another case of some pretty slick tools showing up a lack of knowledge.

Finding the checksums in Player Manager 3 is probably 100 times more difficult than obtaining the key from this game. Cracking a copylock by wiring a key into the encrypted part of a game would also be far more difficult. MethodGit has "achieved" both of the above, yet can't do this basic task?! This shows the tools (Stingray's source code for the crack of PM3) and the ROBD command (in Action Replay 4) are the tools that mean you don't actually require any knowledge of what's actually going on to be able to make something work. I am guessing that a game that can't be decrypted with the ROBD command (such as Krusty's Fun House) would be an impossible task as you cannot rely on the tool to do the work for you.

Simple deduction would indicate that a compressed game must have the decompressor in it, and therefore the key must be visible there. Therefore the comment about the key only becoming visible after depacking is rather amusing. There are a number of ways to obtain it but as Stingray says, you need to work some things out for yourself rather than relying on disassembling other people's cracks and WHDLoad installs to do "your" work for you.

Incidentally, why do you need to unpack this game? If it is to crack it yourself, that's a bit of a joke when you haven't been able to even decompress the executable without asking for assistance!

Running score: Legacy Of Sorasil: 1, MethodGit: 0.
07 August 2011, 18:49 | #12 | Junior Member
(Yes, I found the key in the end. Mainly by inserting a BRA loop at the start of the routine, booting the disk, getting rid of the loop, then keeping an eye on the debugger and noting down any shortwords in the data registers that may look like keys. And eventually I whittled the small list down to one. Success!)
07 August 2011, 19:36 | #13 | move.l #$c0ff33,throat
Second digit in both keys is $E. Rest was for you to find out anyway and I don't think I have to explain anything seeing how often I already did that!
16 August 2011, 02:09 | #14 | Junior Member
Anyhoo, I mainly wanted to post in here again to report another troublesome game, but this time I'm getting strange results. Overlord is pretty obviously hiding away a copylock within its executable, but I wanted to take a closer look at the file anyway. I quickly discover it's another file that doesn't want to unpack so easily. Fine, I go away and do what I did with Sorasil and note down as many different four-digit values in the data registers as I can find.

Now here's where it all goes rather pear-shaped. That or I'm not using the right tools.

XFDDecrunch - as with Sorasil - can't even detect that the exe is compressed. A quick WRipping of the RNC chunk out of it later though, and I get the "enter 16-bit key" prompt. So far so good. Except it gurus the whole system regardless of what key I feed it.

ProPack seems to report no problem with the exe, except - erm - the file it outputs doesn't appear to be all that decompressed to me. If anything, all it did was recreate the file without the decruncher routine at the start of it. Flummoxed, I try the same command again on the new file ("pp u a OVERLORD.RNC"). This time it replaces it with a 20-byte file. Oh dear. So I try feeding it the RNC chunk I took out with WRip. At least it can detect that it's key-locked! Okay, so I try feeding it a key........ instead of giving me the "WRONG KEY" error though, it takes a few seconds appearing to unpack it, and then reports "UNPACKED DATA CRC ERROR". I take a look at the file it sent to the Recycle Bin (that's WinUAE+ClassicWB for you!) and I noticed the tool had somehow expanded the file to over 2Mb before ditching it.

Does anyone know if any other RNC-unpacking tool exists out there - perhaps something that doesn't keel over and die over a bloody executable such as this one? I'm unable to tell if I have the right key already because these two don't tell me if I'm wrong!
16 August 2011, 12:06 | #15 | 2 contact me: email only!
Firstly let me state that it's dangerous to simply assume the file is a standard RNC encrypted file and expect a tool to do your work for you. The programmer could make a tiny change somewhere in the routine, insert a longword somewhere and alter the decruncher by a few bytes and you would never be able to decrypt it.

But you don't need to worry about this. The decruncher is in the code, so it's possible to patch around it. Remember all the other threads you have started where people tell you to patch around the decruncher? This is exactly the same. If you intercept it after it's run, you can then alter memory to your heart's content.

I had a quick look at SPS 1312 and there's another method too. You need to read something about AmigaDOS files, hunks etc to understand it. If you really wish to get at the file (presumably so "you" can "crack it") then in WinUAE it's a pretty simple task to intercept the decruncher at a couple of vital points. First you grab the decrunched data, and save that. Then you grab the RELOC32 table (again very simple to see where that is), bolt them together and bingo, you have the game. You have to do it this way as if you simply grabbed the data after it's fully depacked and relocated itself, it will only run from a specific memory address which is very lame.
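Added example, not code from the thread: the "bolt them together" step above, in Python, using the standard AmigaDOS hunk IDs (HUNK_HEADER $3F3, HUNK_CODE $3E9, HUNK_RELOC32 $3EC, HUNK_END $3F2). It wraps a code image plus a RELOC32 offset list into a single-hunk executable, parses it back, and applies the relocations the way the loader does at two different base addresses, which is exactly why a dump taken after the game has relocated itself only runs at the address it was dumped from. It handles one CODE hunk only (no DATA/BSS hunks, no multi-hunk files). The 68k image, the reloc list and the function names build_hunk_executable, parse_hunk_executable and relocate are constructed for this example.

```python
"""Bolt a decrunched code image and its RELOC32 table back into an AmigaDOS
executable, and show why a post-relocation memory dump is tied to one address.

Added example, not from the thread. Hunk IDs and layout are the standard
AmigaDOS ones; the sample code and reloc list below are constructed.
"""
import struct

HUNK_HEADER, HUNK_CODE, HUNK_RELOC32, HUNK_END = 0x3F3, 0x3E9, 0x3EC, 0x3F2


def _pad4(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 4)


def build_hunk_executable(code: bytes, reloc_offsets: list) -> bytes:
    """Single CODE hunk + RELOC32 block + END, wrapped in a HUNK_HEADER."""
    code = _pad4(code)
    nlong = len(code) // 4
    for off in reloc_offsets:
        if off % 2 or off + 4 > len(code):   # relocated longword must be word-aligned and inside the hunk
            raise ValueError(f"bad RELOC32 offset {off:#x}")
    out = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, nlong)  # no resident libs, 1 hunk, first=last=0
    out += struct.pack(">II", HUNK_CODE, nlong) + code
    if reloc_offsets:
        out += struct.pack(">III", HUNK_RELOC32, len(reloc_offsets), 0)  # count, target hunk 0
        out += b"".join(struct.pack(">I", o) for o in sorted(reloc_offsets))
        out += struct.pack(">I", 0)                                       # terminates the reloc blocks
    out += struct.pack(">I", HUNK_END)
    return out


def parse_hunk_executable(blob: bytes) -> dict:
    """Read back what build_hunk_executable wrote (one CODE hunk, optional RELOC32)."""
    pos = 0

    def rd() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        return v

    if rd() != HUNK_HEADER or rd() != 0:
        raise ValueError("not a plain hunk executable")
    table_size, first, last = rd(), rd(), rd()
    sizes = [rd() for _ in range(last - first + 1)]
    if rd() != HUNK_CODE:
        raise ValueError("expected HUNK_CODE")
    nlong = rd()
    code = blob[pos:pos + nlong * 4]
    pos += nlong * 4
    relocs = []
    tag = rd()
    if tag == HUNK_RELOC32:
        while True:
            count = rd()
            if count == 0:
                break
            target_hunk = rd()            # always 0 here: single hunk
            relocs.extend(rd() for _ in range(count))
        tag = rd()
    if tag != HUNK_END:
        raise ValueError("expected HUNK_END")
    return {"code": code, "relocs": relocs, "hunk_sizes": sizes, "table_size": table_size}


def relocate(code: bytes, reloc_offsets: list, base: int) -> bytes:
    """What the loader does: add the hunk's load address to every RELOC32 longword."""
    buf = bytearray(code)
    for off in reloc_offsets:
        (v,) = struct.unpack_from(">I", buf, off)
        struct.pack_into(">I", buf, off, (v + base) & 0xFFFFFFFF)
    return bytes(buf)


# Constructed 68k image: movea.l #table,a0 / rts / table. The operand at
# offset 2 holds table's hunk-relative offset (8) and needs a RELOC32 entry.
SAMPLE_CODE = bytes.fromhex("207c00000008" "4e75" "deadbeef")
SAMPLE_RELOCS = [2]


def roundtrip(base: int) -> bytes:
    """Build the executable, parse it back, relocate as if loaded at base."""
    parsed = parse_hunk_executable(build_hunk_executable(SAMPLE_CODE, SAMPLE_RELOCS))
    return relocate(parsed["code"], parsed["relocs"], base)


if __name__ == "__main__":
    exe = build_hunk_executable(SAMPLE_CODE, SAMPLE_RELOCS)
    print(f"{len(exe)}-byte executable; operand when loaded at $20000: "
          f"{roundtrip(0x20000)[2:6].hex()}, at $40000: {roundtrip(0x40000)[2:6].hex()}")
```

The two relocate calls make the point in the post concrete: the same image yields a different operand at each load address, so only the unrelocated code plus the RELOC32 list, as written by build_hunk_executable, is position-independent enough to be a proper executable.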
16 August 2011, 17:20 | #16 | Junior Member
16 August 2011, 21:07 | #17 | 2 contact me: email only!
Why don't you read something about AmigaDos file hunks and experiment a little rather than wanting me to give away the answers? Like Stingray does, you'll learn nothing if I just tell you how to do it. BTW what is this for? Why do you need to decrunch this game so badly? If it's just to wire yet another copylock key in I'm not going to be impressed. |
19 August 2011, 13:38 | #18 | Junior Member
Well, from looking at some other Rowan titles, it's now obvious this was an intentional trick adopted by the company starting with v1.03D (revision 1993/04/05) of Reach For The Skies (the Ministry crack is dated 1992/11/05 but is repacked in a traditional Imploder format, and rather poorly at that as it won't run on 512k/512k setups (post-relocation packing is not a good idea!), so whether it was introduced any earlier than 1993 is down to whether someone with a 1992 original can confirm it or not. Now shut up MG!).
The one flaw with their means of protecting Overlord and Dawn Patrol, btw, is that I'm still free to hardwire the file regardless (magic line still visible, huzzah!), though I'm sure everyone will consider this "lame" anyway. From looking at a few cracks of DP and RFTS however, I've gotten a better understanding of what CT was talking about - altering the executables to squeeze some code in between the decruncher and the RNC chunk, though this requires a significant rebuild of the executable itself to make possible. Another thing I've discovered is that the copylock in OL and DP will only activate in the first place if the game is run in "floppy mode" (with the -f parameter). "Smart Alecs" assuming they can get round the protection by removing the parameter from the startup-sequence will be disappointed to discover that the disk requests will not pop up outside of this mode, resulting in an unplayable game. So all in all, not something to shout about, just that nosey parkers won't be able to inspect the contents of both the executable and the hard-disk installer program straight off. Only RFTS needs a bit more work to crack due to it using manual protection.
21 December 2011, 16:19 | #19
Can someone help me on Tomb Raider 1 RNC2 Compression
27 December 2011, 23:27 | #20 | AMOS Extensions Developer