30 March 2009, 02:44 | #1 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
The Amiga Action Replay Utilities v2.01 *HELP*
Hi,
once upon a time, in a long and distant valley, I bought my shiny new Amiga Action Replay (v1.5) in a shop in Milan - Italy - named NEWEL / NUOVA NEWEL. Along with the "official" utility floppy (which was contained in the sealed package) I received a custom floppy, made by NEWEL's staff, which I could never run on my Amiga 500.

This floppy has a strange bootblock. When you insert it in the drive, it then jumps to track 80 and there remains, with a red screen. The strange thing is that track 80 is absolutely empty, and the disk has no protections (I remember having asked them about it). I wanted to get a replacement, but time passed, I lived far from the shop (in another city) and I never got one. I was happy with the AAR and its "official" floppy and didn't think any more about it.

However, I still have that floppy (perhaps I'm the only one having it, but I hope not). So, I dumped it into a nice new .adf file. I uploaded two versions to The Zone:
- one with the original bootblock (the one which jumps to track 80). I don't know if it's a protection, a virus or whatever. If someone finds it out I would be glad to know, after all these years
- one with a normal bootblock. This one loads, shows some loading screens, credits etc., but at the end it shows a severe error onscreen and you have to reset

Is someone able to tell me where the issue is?

EDIT: of course I tried it in WinUAE, with a loaded AAR 1.5 ROM, but with the same results
Last edited by Supamax; 05 April 2009 at 02:56. Reason: typos |
05 April 2009, 01:48 | #2 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
|
05 April 2009, 02:24 | #3 |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 8,994
|
The utility disk is copy protected. Same style of protection as Insector Hecti in the Interchange by Hi-Tec software.
Bootblock is encrypted, decrypts then reads protection track 80, on track 80 is a new bootblock that gets copied over the old one that's already loaded in memory, it must set up a variable that is then checked by the file 'loader'. Et voilà.
Last edited by Galahad/FLT; 05 April 2009 at 02:36. |
05 April 2009, 02:32 | #4 | |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
Quote:
So I was given a faulty disk? Damned NEWEL! Is there a way to crack it? |
|
05 April 2009, 02:38 | #5 | |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 8,994
|
Quote:
I will take a look tomorrow for you. |
|
05 April 2009, 02:50 | #6 |
Global Moderator
Join Date: Aug 2008
Location: Sidcup, England
Posts: 10,300
|
Galahad to the rescue!
|
05 April 2009, 02:51 | #7 | |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
Quote:
And perhaps some day someone (owning a working original) will read this thread and dump it in extended adf format (including track 80). Or he could use Powercopy. I would give him my help in dumping it. |
|
25 April 2009, 17:19 | #8 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
hi Galahad,
did you (or some other cracking genius here in EAB) have some time to give a look at the protection?
P.S. I tried to PM you, but you don't often read them |
28 April 2009, 21:47 | #9 |
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Crash is caused by uninitialised trap #4 vector. It's used to decrypt a file which fails for obvious reasons. Not sure if it'll be possible to decrypt the file without the protection track data. But I'll have some more fun with it tomorrow at work.
|
28 April 2009, 22:20 | #10 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
@ StingRay
Thanks, your effort is very much appreciated! |
29 April 2009, 10:16 | #11 |
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
I decrypted it using some "common sense" (i.e. just analyzing the crypted data to figure out the decryption key), was easier than I thought. There's more to do though as there are more trap #xx calls in the decrypted file. Quite fun so far. =)
|
29 April 2009, 11:12 | #12 |
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Here's a little teaser of what I have managed so far (2 traps "emulated", 2 still left to do). This is all guesswork which is quite fun. =)
|
29 April 2009, 13:14 | #13 |
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Ok, had a bit more fun with it and it seems it fully works now. Didn't really test it much though. Anyway, attached is cracked disk image, have fun. Could be a nice one for a cracking tutorial.
Edit: would be nice to see the original disk one day as I'd like to see what the original bootblock does.
Last edited by StingRay; 29 April 2009 at 14:11. |
29 April 2009, 19:38 | #14 | ||||
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
Quote:
I'm happy you're calling it "fun" ... I wouldn't know where to start, I envy you!
Quote:
Quote:
But I understand it may be very difficult to explain it to noobs like me.
Quote:
But I don't know how many people could have it. It was only sold here in Italy, from the NUOVA NEWEL shop and in bundle with the AR 1.5.
Last edited by Supamax; 29 April 2009 at 19:45. |
||||
29 April 2009, 19:48 | #15 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
By the way, StingRay, since no one dumped&cracked this one before, how could we name it for - let's say - TOSEC?
It's OK for you to add [cr StingRay]? |
29 April 2009, 20:03 | #16 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
Hi again StingRay,
which are "good" answers (for an A500 basic config) to the following questions?
- Where can I put my ripper routine?
- Where is located the buffer? |
29 April 2009, 20:09 | #17 | ||||
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Quote:
Quote:
Quote:
Quote:
Just use some free memory area, I used $50000/$60000. |
||||
29 April 2009, 22:17 | #18 |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
I tried it a little, and it seems to work.
Thank you very much! It's a pity they (the authors) didn't write a manual. Or they did and I was not given it. Now, StingRay, are you in the mood of having more "fun" and completely crack Powercopy? |
29 April 2009, 22:31 | #19 |
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
My pleasure. As for PowerCopy, it's been quite a while since I last had a look at it but it's not forgotten, one day I'll defeat it! ATM I'm busy doing some other things tho (PSP coding etc.) so you'll have to be patient.
|
29 April 2009, 22:34 | #20 | |
Da Digger :)
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
|
Quote:
I spammed my own thread, too. |
|