English Amiga Board


Old 26 July 2012, 03:42   #1
MethodGit
Junior Member
 
 
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Any other programs that make hardwiring copylocks possible?

It's all because of the Flashtro tutorials I decided to follow a couple of years ago that I became accustomed to using a mixture of Action Replays III and IV to examine copylock routines and general code, even when many on here would suggest better ways of doing so (though the WinUAE debugger is a godsend for tracking live code executions and alerting of changes to specific offsets!).

One of my favourite ways of cracking a copylock in particular is to find what I call the 'magic area' - a section of the encrypted routine that begins with "MOVEM.L D2-D7/A0-A3,-(A7)", then "MOVEQ #0,D2" (it's pretty recognisable), as detailed in some of the aforementioned Flashtro tutorials.

Now I've already been using Copylock Decoder to study the decrypted code and occasionally learn the odd key for a game if the routine didn't already make it obvious. But at the end of the day, that's just what it is - a decoder. I do not know of anything that could reverse the process and turn it back into its original form again - something that had to have been possible for the likes of, say, Crystal to find and modify the correct values in Steg The Slug.

While ARIV has served a purpose most of the time, I've come across a few particular titles where it fails to find the spot I wanted no matter how deep into said executable or disktrack I disassemble (and yes, I do use the built-in on-the-fly decrypter), and for which I know the copylock is of the correct type (not classic "2F0E", or "rnclo" with just two possible keys), especially if the key it uses has proven to be possible to hardwire in many other titles before (I keep a log of all known copylock keys and which games use them, and determine patterns from there). Alien³ and Krusty's Fun House I mentioned before and had explained to me, but there are two others. Namely:

* Spellfire the Sorcerer (SPS #0231). Key is 9EA62DB3. The Skid Row crack proves that only the first of two copylocks on the disk is used at all (though they defeated it by overwriting it with the decrypted game code). The stubbornness of this disk confused me as - like with The Sword And The Rose (#2434) - it has a copylock start bang on at $2C00 on the ADF, except (as Flashtro proved) ARIV could hardwire S.A.T.R. with no problem.

* 3D Pool, Mirror Image reissue (No SPS ID, got this disk recently for use in my Kryoflux). Without an IPF to determine keys, I looked at the Copylock Decoder guide, consulted the examples section, and got AD44BA13 out of that. This is the most likely key seeing as A) the retail 3D Pool currently in SPS uses the "2F0E" routine, and B) it matches the style of Mirror Image's Strike Force Harrier reissue (#2005), which uses the same key and whose executable is also built in a similar manner (encrypted copylock first, normal game code further down).

In both cases, the keys mentioned above have been used in other games, which ARE hardwireable through the ARIV method.

This leads me to suspect that maybe ARIV isn't such a reliable tool as I used to think it was. Being able to decode the copylock into a new, decrypted file is a good start but it doesn't help me work out which 8 bytes worth of encrypted values I can get away with modifying to fool the routine. So what else is out there besides the tools I already mentioned?

Thanks.
Old 26 July 2012, 05:36   #2
Codetapper
2 contact me: email only!
 
 
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,182
Spellfire is a completely encrypted initial file and much larger than normal copylocks and I don't think the current automated tools work particularly well on those.

The major weak spot is the game decrypts itself then relocates itself back over the encrypted part so it's much easier just to save the decrypted version and that's what the crackers have done.

As a comparison, Sword and the Rose looks pretty normal to me; my decrypter outputs the following when I put the data starting at $2c00 into it:

Code:
1.> cl SwordRose.bin
Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $0
Copylock stack 1 found at $7a
Copylock key wiring position found at $3d8
Copylock key wiring skip to position found at $422
Post copylock branch to address starts at $7c6
Copylock new magic number ($a573632c) compare at $444

======[ Key calculation routine found at $4a6: ]======
_4a6    move.w  #$b,d1
_4aa    sub.l   (a0)+,d6
_4ac    dbra    d1,_4aa
_4b0    addq.w  #4,sp
_4b2    rts

======[ Post copylock code starts at $7c6: ]======
_7c6    moveq   #$1,d0
_7c8    lea     _7c8(pc),a6
_7cc    adda.l  #$e8,a6
_7d2    move.l  #$880,d6
_7d8    add.l   d5,d0
_7da    add.l   d0,d1
_7dc    add.l   d1,d2
_7de    add.l   d2,d3
_7e0    add.l   d3,d4
_7e2    add.l   d4,d5
_7e4    sub.l   d5,(a6)+
_7e6    subq.l  #4,d6
_7e8    bne.b   _7d8
_7ea    lea     _7fc(pc),a6
_7ee    move.l  -$4(a6),d6
_7f2    add.l   $8,d6
_7f8    or.w    #$a71f,sr
_7fc    addi.l  #$44,($24).l
Copylock stack 2 ends at $7fc
This final part is decrypting the next part of the code. At offset $7c8 + $e8 it decrypts the next $880 bytes of data with a rotating key. If the key is wrong, at the end of the copylock routine you will have garbage data causing a crash as it continues to execute. But to me this is still a standard copylock and a piece of cake to crack.

From memory 3D Pool is similar to the one above, a small copylock with the routine that decrypts the rest of the game built into it. I think you can work out what the relevant keys are and copy the decryption routine yourself. I'm sure that's what my WHDLoad version does.

Last edited by Codetapper; 26 July 2012 at 05:48.
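As an added illustration (not Codetapper's decrypter nor any code posted in the thread), here is a Python emulation of the rolling-key loop disassembled at _7d8.._7e8 and of the twelve-longword key calculation at _4a6: each pass cascades six 32-bit registers and subtracts the new d5 from the next longword, so a starting state that is off by even one bit diverges from the first longword onward and leaves exactly the garbage the post describes. The register start values and the 16-byte "next part" are constructed for the demonstration.

```python
import struct

MASK32 = 0xFFFFFFFF  # 68000 add.l / sub.l wrap at 32 bits


def roll_keystream(regs, count):
    """Hypothetical helper: replay _7d8.._7e2 and yield each d5 value the loop
    subtracts. regs = (d0..d5) as they stand at _7d8; d0 is 1 on entry
    (moveq #1,d0), the others are left behind by the copylock itself."""
    d0, d1, d2, d3, d4, d5 = regs
    for _ in range(count):
        d0 = (d0 + d5) & MASK32  # add.l d5,d0
        d1 = (d1 + d0) & MASK32  # add.l d0,d1
        d2 = (d2 + d1) & MASK32  # add.l d1,d2
        d3 = (d3 + d2) & MASK32  # add.l d2,d3
        d4 = (d4 + d3) & MASK32  # add.l d3,d4
        d5 = (d5 + d4) & MASK32  # add.l d4,d5
        yield d5                 # consumed by sub.l d5,(a6)+


def decrypt_block(block, regs):
    """sub.l d5,(a6)+ over big-endian longwords; the original runs d6 from
    $880 down to 0 in steps of 4, here the block length sets the count."""
    n = len(block) // 4
    words = struct.unpack(">%dI" % n, block[: n * 4])
    out = [(w - k) & MASK32 for w, k in zip(words, roll_keystream(regs, n))]
    return struct.pack(">%dI" % n, *out)


def encrypt_block(block, regs):
    """Inverse of decrypt_block (add instead of sub); only used here to
    build a constructed ciphertext for the demonstration."""
    n = len(block) // 4
    words = struct.unpack(">%dI" % n, block[: n * 4])
    out = [(w + k) & MASK32 for w, k in zip(words, roll_keystream(regs, n))]
    return struct.pack(">%dI" % n, *out)


def key_calc(d6, longwords):
    """_4a6.._4b2: move.w #$b,d1 / sub.l (a0)+,d6 / dbra d1,_4aa subtracts
    twelve longwords from d6 (dbra with d1=$b iterates d1+1 = 12 times)."""
    for w in longwords[:12]:
        d6 = (d6 - w) & MASK32
    return d6


# Constructed sample: four NOP longwords as the "next part", plus a made-up
# register state; BAD_REGS differs from GOOD_REGS by one bit in d1.
PLAIN = b"\x4e\x71" * 8
GOOD_REGS = (1, 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555)
BAD_REGS = (1, 0x11111110, 0x22222222, 0x33333333, 0x44444444, 0x55555555)
CIPHER = encrypt_block(PLAIN, GOOD_REGS)
```

With GOOD_REGS the block decrypts back to the NOPs; with BAD_REGS every longword comes out wrong, which is why a mis-wired key shows up as a crash after the copylock rather than as a clean failure.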
 

