English Amiga Board


Old 30 March 2009, 02:44   #1
Supamax
Da Digger :)
 
 
Join Date: Nov 2008
Location: Monza, Italy
Posts: 2,822
The Amiga Action Replay Utilities v2.01 *HELP*

Hi,

once upon a time, in a long and distant valley, I bought my shiny new Amiga Action Replay (v1.5) in a shop in Milan - Italy - named NEWEL / NUOVA NEWEL.
Along with the "official" utility floppy (which was contained in the sealed package) I received a custom floppy, made by NEWEL's staff, which I could never run on my Amiga 500.

This floppy has a strange bootblock. When you insert it in the drive, it jumps to track 80 and remains there, with a red screen.
The strange thing is that track 80 is absolutely empty, and the disk has no protections (I remember having asked them about it). I wanted to get a replacement, but time passed, I lived far from the shop (in another city) and I never got one. I was happy with the AAR and its "official" floppy and didn't think any more about it.

However, I still have that floppy.
(perhaps I'm the only one having it, but I hope not)
So, I dumped it into a nice new .adf file.

I uploaded two versions to The Zone:

- one with the original bootblock (the one which jumps to track 80).
I don't know if it's a protection, a virus or whatever. If someone finds it out I would be glad to know, after all these years.

- one with a normal bootblock.
This one loads, shows some loading screens, credits etc., but at the end it shows a severe error onscreen and you have to reset.

Is someone able to tell me where the issue is?

EDIT: of course I tried it in WinUAE, with a loaded AAR 1.5 ROM, but with the same results.

Last edited by Supamax; 05 April 2009 at 02:56. Reason: typos
Old 05 April 2009, 01:48   #2
Supamax
Old 05 April 2009, 02:24   #3
Galahad/FLT
Going nowhere
 
 
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 8,994
The utility disk is copy protected. Same style of protection as Insector Hecti in the Interchange by Hi-Tec software.

Bootblock is encrypted, decrypts then reads protection track 80, on track 80 is a new bootblock that gets copied over the old one that's already loaded in memory, it must set up a variable that is then checked by the file 'loader'.

Et Voila

Last edited by Galahad/FLT; 05 April 2009 at 02:36.
Old 05 April 2009, 02:32   #4
Supamax
Quote:
Originally Posted by Galahad/FLT
The utility disk is copy protected. Same style of protection as Insector Hecti in the Interchange by Hi-Tec software.

Bootblock is encrypted, decrypts then reads protection track 80, if correct, sets up a variable that is checked by file 'loader', if variable not present, it crashes.

Et Voila

Nooooooooooooooooooo

So I was given a faulty disk? Damned NEWEL!

Is there a way to crack it?
Old 05 April 2009, 02:38   #5
Galahad/FLT
Quote:
Originally Posted by Supamax
Nooooooooooooooooooo

So I was given a faulty disk? Damned NEWEL!

Is there a way to crack it?

I would imagine so, the bootblock is nothing special I would think it's just a standard AmigaDOS loader, but it's the variable it sets that needs to be discovered.

I will take a look tomorrow for you.
Old 05 April 2009, 02:50   #6
prowler
Global Moderator
 
 
Join Date: Aug 2008
Location: Sidcup, England
Posts: 10,300
Galahad to the rescue!
Old 05 April 2009, 02:51   #7
Supamax
Quote:
Originally Posted by Galahad/FLT
I would imagine so, the bootblock is nothing special I would think it's just a standard AmigaDOS loader, but it's the variable it sets that needs to be discovered.

I will take a look tomorrow for you.

Great, thanks!
And perhaps some day someone (owning a working original) will read this thread and dump it in extended adf format (including track 80). Or he could use Powercopy. I would give him my help in dumping it.
Old 25 April 2009, 17:19   #8
Supamax
Hi Galahad,
did you (or some other cracking genius here in EAB) have some time to take a look at the protection?

P.S. I tried to PM you, but you don't often read them.
Old 28 April 2009, 21:47   #9
StingRay
move.l #$c0ff33,throat
 
 
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Quote:
Originally Posted by Supamax
- one with a normal bootblock.
This one loads, shows some loading screens, credits etc., but at the end it shows a severe error onscreen and you have to reset.

Is someone able to tell me where the issue is?

Crash is caused by uninitialised trap #4 vector. It's used to decrypt a file which fails for obvious reasons. Not sure if it'll be possible to decrypt the file without the protection track data. But I'll have some more fun with it tomorrow at work.
Old 28 April 2009, 22:20   #10
Supamax
@ StingRay

Thanks, your effort is very much appreciated!
Old 29 April 2009, 10:16   #11
StingRay
Quote:
Originally Posted by StingRay
Not sure if it'll be possible to decrypt the file without the protection track data.

I decrypted it using some "common sense" (i.e. just analyzing the crypted data to figure out the decryption key), was easier than I thought. There's more to do though as there are more trap #xx calls in the decrypted file. Quite fun so far. =)
Old 29 April 2009, 11:12   #12
StingRay
Here's a little teaser of what I have managed so far (2 traps "emulated", 2 still left to do). This is all guesswork which is quite fun. =)
Attached Thumbnails: fun.png
Old 29 April 2009, 13:14   #13
StingRay
Ok, had a bit more fun with it and it seems it fully works now. Didn't really test it much though. Anyway, attached is the cracked disk image, have fun. Could be a nice one for a cracking tutorial.

Edit: would be nice to see the original disk one day as I'd like to see what the original bootblock does.
Attached Files
File Type: zip aar_cracked.zip (81.1 KB, 232 views)

Last edited by StingRay; 29 April 2009 at 14:11.
Old 29 April 2009, 19:38   #14
Supamax
Quote:
Originally Posted by StingRay
I decrypted it using some "common sense" (i.e. just analyzing the crypted data to figure out the decryption key), was easier than I thought. There's more to do though as there are more trap #xx calls in the decrypted file. Quite fun so far. =)

Hi StingRay,
I'm happy you're calling it "fun"... I wouldn't know where to start, I envy you!

Quote:
Originally Posted by StingRay
Ok, had a bit more fun with it and it seems it fully works now. Didn't really test it much though. Anyway, attached is the cracked disk image, have fun.

WOW, I'll try it ASAP! In the meantime I'm bowing down.

Quote:
Could be a nice one for a cracking tutorial.

Yes! Would you do it please? Tools used, your approach, etc.
But I understand it may be very difficult to explain it to noobs like me.

Quote:
Edit: would be nice to see the original disk one day as I'd like to see what the original bootblock does.

I SUPER-QUOTE this, and I wrote it at the beginning of the thread.
But I don't know how many people could have it. It was only sold here in Italy, from the NUOVA NEWEL shop and in bundle with the AR 1.5.

Last edited by Supamax; 29 April 2009 at 19:45.
Old 29 April 2009, 19:48   #15
Supamax
By the way, StingRay, since no one dumped&cracked this one before, how could we name it for - let's say - TOSEC?

Is it OK for you to add [cr StingRay]?
Old 29 April 2009, 20:03   #16
Supamax
Hi again StingRay,

Which are "good" answers (for an A500 basic config) to the following questions?

- Where can I put my ripper routine?
- Where is located the buffer?

Old 29 April 2009, 20:09   #17
StingRay
Quote:
Originally Posted by Supamax
Yes! Would you do it please? Tools used, your approach, etc.
But I understand it may be very difficult to explain it to noobs like me.

As this one was quite interesting (yet still not too hard) to do I may write a tutorial. I just don't know when I'll do that though.

Quote:
It was only sold here in Italy, from the NUOVA NEWEL shop and in bundle with the AR 1.5.

There's still hope that some other Italian guys have got the disk.

Quote:
Originally Posted by Supamax
By the way, StingRay, since no one dumped&cracked this one before, how could we name it for - let's say - TOSEC?

Is it OK for you to add [cr StingRay]?

I don't mind. Feel free to name it in whichever way you want.

Quote:
Originally Posted by Supamax
Hi again StingRay,

Which are "good" answers (for an A500 basic config) to the following questions?

- Where can I put my ripper routine?
- Where is located the buffer?

Just use some free memory area, I used $50000/$60000.
Old 29 April 2009, 22:17   #18
Supamax
I tried it a little, and it seems to work.
Thank you very much!

It's a pity they (the authors) didn't write a manual. Or they did and I was not given it.

Now, StingRay, are you in the mood for having more "fun" and completely cracking Powercopy?
Old 29 April 2009, 22:31   #19
StingRay
My pleasure. As for PowerCopy, it's been quite a while since I last had a look at it but it's not forgotten, one day I'll defeat it! ATM I'm busy doing some other things tho (PSP coding etc.) so you'll have to be patient.
Old 29 April 2009, 22:34   #20
Supamax
Quote:
Originally Posted by StingRay
My pleasure. As for PowerCopy, it's been quite a while since I last had a look at it but it's not forgotten, one day I'll defeat it! ATM I'm busy doing some other things tho (PSP coding etc.) so you'll have to be patient.

And... sorry, I should have PMed you.
I spammed my own thread, too.