26 July 2012, 03:42 | #1 |
Any other programs that make hardwiring copylocks possible?
It's all because of the Flashtro tutorials I decided to follow a couple of years ago that I became accustomed to using a mixture of Action Replays III and IV to examine copylock routines and general code, even when many on here would suggest better ways of doing so (though the WinUAE debugger is a godsend for tracking live code executions and alerting of changes to specific offsets!).
One of my favourite ways of cracking a copylock in particular is to find what I call the 'magic area' - a section of the encrypted routine that begins with "MOVEM.L D2-D7/A0-A3,-(A7)", then "MOVEQ #0,D2" (it's pretty recognisable)... as detailed in some of the aforementioned Flashtro tutorials. Now I've already been using Copylock Decoder to study the decrypted code and occasionally learn the odd key for a game if the routine didn't already make it obvious. But at the end of the day, that's just what it is - a decoder. I do not know of anything that could reverse the process and turn it back into its original form again - something that had to have been possible for the likes of, say, Crystal to find and modify the correct values in Steg The Slug.

While ARIV has served a purpose most of the time, I've come across a few particular titles where it fails to find the spot I wanted no matter how deep into said executable or disk track I disassemble (and yes, I do use the built-in on-the-fly decrypter), and for which I know the copylock is of the correct type (not classic "2F0E", or "rnclo" with just two possible keys), especially if the key it uses has proven to be possible to hardwire in many other titles before (I keep a log of all known copylock keys and which games use them, and determine patterns from there). Alien³ and Krusty's Fun House I mentioned before and had explained to me, but there are two others. Namely:

* Spellfire the Sorcerer (SPS #0231). Key is 9EA62DB3. The Skid Row crack proves that only the first of two copylocks on the disk is used at all (though they defeated it by overwriting it with the decrypted game code). The stubbornness of this disk confused me as - like with The Sword And The Rose (#2434) - it has a copylock start bang on at $2C00 on the ADF, except (as Flashtro proved) ARIV could hardwire S.A.T.R. with no problem.

* 3D Pool, Mirror Image reissue (no SPS ID; got this disk recently for use in my Kryoflux). Without an IPF to determine keys, I looked at the Copylock Decoder guide, consulted the examples section, and got AD44BA13 out of that. This is the most likely key seeing as A) the retail 3D Pool currently in SPS uses the "2F0E" routine, and B) it matches the style of Mirror Image's Strike Force Harrier reissue (#2005), which uses the same key and whose executable is also built in a similar manner (encrypted copylock first, normal game code further down).

In both cases, the keys mentioned above have been used in other games, which ARE hardwireable through the ARIV method. This leads me to suspect that maybe ARIV isn't such a reliable tool as I used to think it was. Being able to decode the copylock into a new, decrypted file is a good start, but it doesn't help me work out which 8 bytes' worth of encrypted values I can get away with modifying to fool the routine. So what else is out there besides the tools I already mentioned? Thanks.
26 July 2012, 05:36 | #2 |
Spellfire is a completely encrypted initial file and much larger than normal copylocks and I don't think the current automated tools work particularly well on those.
The major weak spot is that the game decrypts itself, then relocates itself back over the encrypted part, so it's much easier just to save the decrypted version, and that's what the crackers have done. As a comparison, Sword and the Rose looks pretty normal to me; my decrypter outputs the following when I put the data starting at $2c00 into it:

Code:
1.> cl SwordRose.bin
Copylock Decrypter v0.01 (c) 2004 Codetapper of Action (codetapper@hotmail.com)
Copylock header found at $0
Copylock stack 1 found at $7a
Copylock key wiring position found at $3d8
Copylock key wiring skip to position found at $422
Post copylock branch to address starts at $7c6
Copylock new magic number ($a573632c) compare at $444
======[ Key calculation routine found at $4a6: ]======
_4a6 move.w #$b,d1
_4aa sub.l (a0)+,d6
_4ac dbra d1,_4aa
_4b0 addq.w #4,sp
_4b2 rts
======[ Post copylock code starts at $7c6: ]======
_7c6 moveq #$1,d0
_7c8 lea _7c8(pc),a6
_7cc adda.l #$e8,a6
_7d2 move.l #$880,d6
_7d8 add.l d5,d0
_7da add.l d0,d1
_7dc add.l d1,d2
_7de add.l d2,d3
_7e0 add.l d3,d4
_7e2 add.l d4,d5
_7e4 sub.l d5,(a6)+
_7e6 subq.l #4,d6
_7e8 bne.b _7d8
_7ea lea _7fc(pc),a6
_7ee move.l -$4(a6),d6
_7f2 add.l $8,d6
_7f8 or.w #$a71f,sr
_7fc addi.l #$44,($24).l
Copylock stack 2 ends at $7fc

From memory, 3D Pool is similar to the one above: a small copylock with the routine that decrypts the rest of the game built into it. I think you can work out what the relevant keys are and copy the decryption routine yourself. I'm sure that's what my WHDLoad version does.

Last edited by Codetapper; 26 July 2012 at 05:48.