English Amiga Board


Old 30 November 2010, 01:20   #21
StingRay
move.l #$c0ff33,throat

Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 5,586
Quote:
Originally Posted by marty
I'm happy to hear that, a bit disappointed though.
Nah, you don't have to be, I am actually pretty entertained.
Old 30 November 2010, 01:23   #22
TCD
Registered User

Join Date: Sep 2006
Location: Germany
Age: 39
Posts: 24,032
Back to the topic, m'kay?
Old 30 November 2010, 01:27   #23
marty
Banned
 
Join Date: Aug 2008
Location: 1
Posts: 114
Quote:
Originally Posted by StingRay
Nah, you don't have to be, I am actually pretty entertained.
Ohh, I'm happy for you then.
But I know you are exploding with excitement, so I'll let you know.
Just to let you know why I'm disappointed: reading the forum here, you seem to be very skilled at cracking...
Anyway, just load in the file "load" and execute it; the decrypted file can then be grabbed from memory.
Old 30 November 2010, 01:27   #24
Galahad/FLT
Going nowhere

Join Date: Oct 2001
Location: United Kingdom
Age: 44
Posts: 6,603
Quote:
Originally Posted by StingRay
It actually looks like a bytekiller clone to me.
Possible, but either way, it wouldn't take long to find the right depack routine to depack the file, thus utterly negating the point of the Copylock 'protected' file.
Old 30 November 2010, 01:52   #25
MethodGit
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 33
Posts: 2,723
Quote:
Originally Posted by StingRay
I thought he was asking for a patch which didn't touch the original file? Also, mind telling how you did it?
Technically, if you have to find a place to call your patch - which is usually in the executable - and you have to change a small part of it, that's pretty much still touching it.

I'll check your version out tomorrow Marty, right now I'm feeling bladdy knackered!

BTW, I do know of one sneaky (yet no doubt considered 'lame') way of getting round the encrypted "load" program entirely, but I'll let you find that out for yourself.
Old 30 November 2010, 02:02   #26
StingRay
move.l #$c0ff33,throat

Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 5,586
Quote:
Originally Posted by marty
Just to let you know why I'm disappointed: reading the forum here, you seem to be very skilled at cracking...
Just to let you know why I'm entertained: reading the forum here, you seem to have deleted a lot of your posts, so I'm wondering why you are back.

Quote:
Originally Posted by MethodGit
Technically, if you have to find a place to call your patch - which is usually in the executable - and you have to change a small part of it, that's pretty much still touching it.
Read my post again, especially the part about using LoadSeg, and you'll see that it's entirely possible to patch an executable on the fly without ever touching its binary on disk.
Old 30 November 2010, 02:05   #27
marty
Banned
 
Join Date: Aug 2008
Location: 1
Posts: 114
Quote:
Originally Posted by MethodGit
BTW, I do know of one sneaky (yet no doubt considered 'lame') way of getting round the encrypted "load" program entirely, but I'll let you find that out for yourself.
My guess:
Ripping the decrunched file "GAME.STG" and repacking it to address $1000 with something like Bytekiller?
If it works, I don't think it's lame.

Sweet dreams

Quote:
Originally Posted by StingRay
Just to let you know why I'm entertained: reading the forum here, you seem to have deleted a lot of your posts, so I'm wondering why you are back.
I have not deleted one single post.
Please be a bit more clear.

Last edited by TCD; 30 November 2010 at 07:53.
Old 01 December 2010, 13:58   #28
MethodGit
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 33
Posts: 2,723
Quote:
Originally Posted by marty
My guess:
Ripping the decrunched file "GAME.STG" and repacking it to address $1000 with something like Bytekiller?
If it works, I don't think it's lame.
Not quite. Think, erm, "switcheroo".

BTW, I looked at your decrypted loader, and wondered if you just simply found it in memory and saved it to a new file. However, I snooped around the code myself (with the original) after it goes to a black screen, but noticed key parts of the loader were separated from one another rather than in one specific place. =\ So did you have to do it a different way with AR3?


In the meantime, I looked at the Crystal crack, and noticed they changed a tiny part of the encrypted loader to crack the copylock. The new opcodes aren't recognisable, so I assumed it was done through encryption a la AR4, but I looked at the thing through both ARs and I can't make head nor tail of the new instruction differences, nor work out which one of the two reports is more accurate. It certainly doesn't look like a hardwiring trick anyhow.

(Hex details: $202C = 4E 83 1B B8 50 9B 17 41 (old) to 26 58 78 C8 61 3F 2E A3 (new))

Original: [screenshot]   Crystal: [screenshot]
Old 01 December 2010, 14:45   #29
StingRay
move.l #$c0ff33,throat

Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 5,586
Quote:
Originally Posted by MethodGit
In the meantime, I looked at the Crystal crack, and noticed they changed a tiny part of the encrypted loader to crack the copylock. It certainly doesn't look like a hardwiring trick anyhow.
The Crystal cracker simply wired in the key and skipped the code which reads protection track.

Last edited by StingRay; 01 December 2010 at 14:58.
Old 01 December 2010, 15:02   #30
marty
Banned
 
Join Date: Aug 2008
Location: 1
Posts: 114
Quote:
Originally Posted by MethodGit
Not quite. Think, erm, "switcheroo".

BTW, I looked at your decrypted loader, and wondered if you just simply found it in memory and saved it to a new file. However, I snooped around the code myself (with the original) after it goes to a black screen, but noticed key parts of the loader were separated from one another rather than in one specific place. =\ So did you have to do it a different way with AR3?


In the meantime, I looked at the Crystal crack, and noticed they changed a tiny part of the encrypted loader to crack the copylock. The new opcodes aren't recognisable, so I assumed it was done through encryption a la AR4, but I looked at the thing through both ARs and I can't make head nor tail of the new instruction differences, nor work out which one of the two reports is more accurate. It certainly doesn't look like a hardwiring trick anyhow.

(Hex details: $202C = 4E 83 1B B8 50 9B 17 41 (old) to 26 58 78 C8 61 3F 2E A3 (new))

Original: [screenshot]   Crystal: [screenshot]
With the original disk in the drive, load the encrypted file to e.g. $10000. Note where it ends, let's say $12000. Execute the file with G 10000, wait a few secs and re-enter AR. The file is now sitting decrypted in memory and you can save $10000-$12000. Very, very simple, in this case.
Old 01 December 2010, 18:25   #31
MethodGit
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 33
Posts: 2,723
Quote:
Originally Posted by StingRay
The Crystal cracker simply wired in the key and skipped the code which reads protection track.
So it is a hardwire? It's just that I couldn't even find the part of the copylock that the tutorials (on hardwiring) had me familiarise myself with (replace BSR with MOVE.L key, new BRA, etc. etc.).
Old 01 December 2010, 20:59   #32
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
MethodGit: You haven't looked very hard! I showed Rob on Flashtro how to do the hard-wiring trick and almost all his tutorials (all pretty much the same) use that method! Look again! To work out the opcode you just do an exclusive-or or two, you don't need AR to do that!
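Codetapper's remark that working out a patched opcode takes "an exclusive-or or two", as an added example in Python. This is not code from the thread, from Copylock or from Codetapper's tool; it is a model of the chaining as it is commonly described: each longword is decrypted by XORing it with the longword before it, which by then has already been decrypted in place, optionally after adding a constant to that previous longword (the Krusty's Super Fun House listing further down reports such a constant, $b5862f3c, reused here purely as sample data). The trace exception handler that does this one instruction at a time in the real protection is left out; the seed key for the first longword (KEY0), the sample instruction longwords and all function names are assumptions of mine. What the model shows is that changing one instruction means re-encrypting exactly two longwords: the patched one, and the one after it, whose key it is.

```python
# Added example: model of patching one instruction in a chained-XOR encrypted
# 68k instruction stream. Not code from the thread, from Copylock or from
# Codetapper's tool. Assumptions of the model (not established by the thread):
#   * longword i decrypts as enc[i] ^ key(plain[i-1]); the key is the previous,
#     already-decrypted longword, because decryption happens in place;
#   * key(x) = (x + add_const) mod 2^32, with add_const = 0 for the plain variant
#     and a per-protection constant for variants like the Krusty's listing;
#   * the first longword is keyed with a fixed seed, key0.
# The real protection does this inside a trace exception handler, one
# instruction at a time; that machinery is left out here.

MASK32 = 0xFFFFFFFF


def key_for(prev_plain, add_const=0):
    """Key used to XOR the next longword (assumed scheme, see above)."""
    return (prev_plain + add_const) & MASK32


def decrypt(enc, key0, add_const=0):
    """Decrypt a list of longwords; each decrypted longword keys the next."""
    plain, prev = [], key0
    for c in enc:
        p = c ^ key_for(prev, add_const)
        plain.append(p)
        prev = p
    return plain


def encrypt(plain, key0, add_const=0):
    """Inverse of decrypt(): XOR each longword with the key derived from the
    previous plaintext longword."""
    enc, prev = [], key0
    for p in plain:
        enc.append(p ^ key_for(prev, add_const))
        prev = p
    return enc


def patch(enc, index, new_plain, key0, add_const=0):
    """Replace the plaintext longword at `index` and re-encrypt.

    Returns (new_enc, changed), where `changed` lists the indices whose
    encrypted value differs from the original. Because longword index+1 is
    keyed off plaintext longword index, a one-longword patch touches
    enc[index] and enc[index+1] and nothing else: one XOR for the patched
    instruction, one more to re-key the instruction that follows it.
    """
    plain = decrypt(enc, key0, add_const)
    plain[index] = new_plain
    new_enc = encrypt(plain, key0, add_const)
    changed = [i for i, (a, b) in enumerate(zip(enc, new_enc)) if a != b]
    return new_enc, changed


# Constructed sample plaintext (not taken from any real game): BSR.W, two NOPs,
# MOVE.L #$a573632c,d0 and an RTS, treated simply as four longwords.
PLAIN = [0x61000200, 0x4E714E71, 0x203CA573, 0x632C4E75]
KEY0 = 0x00000000            # assumed seed key for the first longword
ADD_CONST = 0xB5862F3C       # constant reported by the Krusty's listing, used as sample


def demo():
    """Turn the BSR.W (0x6100....) into a BRA.W (0x6000....) inside the
    encrypted stream, for the plain and the add-constant variant."""
    results = {}
    for add_const in (0, ADD_CONST):
        enc = encrypt(PLAIN, KEY0, add_const)
        new_enc, changed = patch(enc, 0, 0x60000200, KEY0, add_const)
        # everything after the patched longword must still decrypt unchanged
        assert decrypt(new_enc, KEY0, add_const)[1:] == PLAIN[1:]
        results[add_const] = (enc, new_enc, changed)
    return results


if __name__ == "__main__":
    for add_const, (enc, new_enc, changed) in demo().items():
        print(f"add_const=${add_const:08x}")
        print("  original:", " ".join(f"{x:08x}" for x in enc))
        print("  patched :", " ".join(f"{x:08x}" for x in new_enc))
        print("  changed :", changed)
```

Running the script prints the original and patched streams for both variants; in each case only longwords 0 and 1 differ. Patching the last longword of a stream changes only that one, since nothing is keyed off it.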
Old 02 December 2010, 04:30   #33
MethodGit
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 33
Posts: 2,723
Quote:
Originally Posted by Codetapper
MethodGit: You haven't looked very hard! I showed Rob on Flashtro how to do the hard-wiring trick and almost all his tutorials (all pretty much the same) use that method! Look again!
Looked at "load" several times over now under AR4, both with and without ROBD, and I'm telling you I cannot find any section that looks anything like this inside (example from another game):

[screenshot]

(Key giveaways: an easy-to-spot MOVEM.L command followed by a bevy of small ROXR/ROXL/MOVE commands, then the first BSR, which you're supposed to change into a BRA aimed at the next MOVEM.L further down, after which follows another BRA that goes to the rest of the game.)
(Which is what the tutorials taught me to hunt down!)

Besides, if you look at my captures in my second-to-last post, I showed the new opcodes as AR4 viewed them with ROBD, and those instructions look nothing like a typical hardwire trick. It's almost as if it's double-encrypted or something and it's causing AR4 to get awfully confused.

Quote:
To work out the opcode you just do an exclusive-or or two, you don't need AR to do that!
"exclusive-or"?
Old 02 December 2010, 06:02   #34
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
Look again MethodGit! You're doing something wrong. Attached are some example copylocks, and a decryption using my tool. You can load them in AR to a known address such as $40000, enable 'robd', then look through the code. The offsets are listed for you.

I have no idea what you're doing wrong. I can only assume you're not looking far enough through the copylocks.
Attached Files
File Type: zip CopylocksForMethodGit.zip (12.2 KB, 128 views)
Old 02 December 2010, 06:04   #35
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
Archer Maclean's Pool

Code:
Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $0
Copylock stack 1 found at $7a
Copylock stack 2 found at $3e8
Copylock key wiring position found at $406
Copylock key wiring skip to position found at $450
Post copylock branch to address starts at $810
Copylock new magic number ($a573632c) compare at $474

======[ Key calculation routine found at $4d6: ]======
_4d6   	move.w	#$b,d1
_4da   	add.l	d6,d6
_4dc   	sub.l	(a0)+,d6
_4de   	dbra	d1,_4da
_4e2   	eor.l	#$71895a65,d6	;Modify serial number
_4e8   	move.l	d6,($60).w	;Serial number stored at $60
_4ec   	addq.l	#4,sp
_4ee   	rts	

======[ Special copylock modifications: ]======
_558   	move.w	#$9290,$37994
_78a   	move.w	#$a9d0,($3e8).w

======[ Post copylock code starts at $810: ]======
_810   	lea	$78(sp),a6	;Set a6 to real copylock registers
_814   	move.l	d0,(a6)+
_816   	move.l	d1,(a6)+
_818   	rol.l	#1,d0
_81a   	move.l	d0,(a6)+
_81c   	rol.l	#1,d0
_81e   	move.l	d0,(a6)+
_820   	rol.l	#1,d0
_822   	move.l	d0,(a6)+
_824   	rol.l	#1,d0
_826   	rol.l	#1,d0
_828   	move.l	d0,(a6)+
_82a   	rol.l	#1,d0
_82c   	move.l	d0,(a6)+
_82e   	rol.l	#1,d0
_830   	move.l	d0,(a6)+
_832   	moveq	#$0,d0
_834   	moveq	#$1,d0
_836   	lea	_848(pc),a6
_83a   	move.l	-$4(a6),d6
_83e   	add.l	$8,d6
_844   	or.w	#$a71f,sr
_848   	addi.l	#$44,($24).l
Copylock stack 2 ends at $848
Old 02 December 2010, 06:05   #36
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
Krusty's Super Fun House

Code:
Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $0
Copylock stack 1 found at $7a
Encryption routine adds on $b5862f3c to previous longword before eor'ing!
Copylock stack 2 found at $3c4
Copylock key wiring skip to position found at $42c
Post copylock branch to address starts at $7e4
Copylock new magic number ($a573632c) compare at $450

======[ Key calculation routine found at $4b2: ]======
_4b2   	move.w	#$b,d1
_4b6   	add.l	d6,d6
_4b8   	sub.l	(a0)+,d6
_4ba   	dbra	d1,_4b6
_4be   	move.l	d6,($80).w	;Serial number stored at $80
_4c2   	not.l	($80).w		;Modify memory at $80
_4c6   	addq.l	#4,sp
_4c8   	rts	

======[ Post copylock code starts at $7e4: ]======
_7e4   	lea	$78(sp),a6	;Set a6 to real copylock registers
_7e8   	move.l	d0,$14(a6)	;Store serial number in real d5 register
_7ec   	rol.l	#1,d0
_7ee   	move.l	d0,(a6)+
_7f0   	move.l	d1,(a6)+
_7f2   	rol.l	#1,d0
_7f4   	move.l	d0,(a6)+
_7f6   	rol.l	#1,d0
_7f8   	move.l	d0,(a6)+
_7fa   	rol.l	#1,d0
_7fc   	rol.l	#1,d0
_7fe   	move.l	d0,(a6)+
_800   	addq.w	#4,a6
_802   	rol.l	#1,d0
_804   	move.l	d0,(a6)+
_806   	rol.l	#1,d0
_808   	move.l	d0,(a6)+
_80a   	moveq	#$0,d0
_80c   	moveq	#$1,d0
_80e   	lea	_820(pc),a6
_812   	move.l	-$4(a6),d6
_816   	add.l	$8,d6
_81c   	or.w	#$a71f,sr
_820   	addi.l	#$44,($24).l
Copylock stack 2 ends at $820
Old 02 December 2010, 06:06   #37
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
Vector Championship Run (VCR.bin)

Code:
Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $0
Copylock stack 1 found at $7a
Copylock stack 2 found at $3e8
Copylock key wiring position found at $406
Copylock key wiring skip to position found at $450
Post copylock branch to address starts at $7f6
Copylock new magic number ($a573632c) compare at $472

======[ Key calculation routine found at $4d4: ]======
_4d4   	move.w	#$b,d1
_4d8   	add.l	(a0)+,d6
_4da   	swap	d6
_4dc   	dbra	d1,_4d8
_4e0   	addq.l	#4,sp
_4e2   	rts	

======[ Post copylock code starts at $7f6: ]======
_7f6   	move.l	$a8(a7),a6	;Set a6 to real a4 register
_7fa   	add.l	d0,(a6)		;Store serial number in real a4 register
_7fc   	move.l	d1,$78(a7)
_800   	moveq	#$0,d0
_802   	moveq	#$1,d0
_804   	lea	_816(pc),a6
_808   	move.l	-$4(a6),d6
_80c   	add.l	$8,d6
_812   	or.w	#$a71f,sr
_816   	addi.l	#$44,($24).l
Copylock stack 2 ends at $816
Old 02 December 2010, 06:11   #38
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
Wiz'n'Liz

Code:
Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $0
Copylock stack 1 found at $7a
Copylock stack 2 found at $3c4
Copylock key wiring position found at $3e2
Copylock key wiring skip to position found at $42c
Post copylock branch to address starts at $7d4
Copylock new magic number ($a573632c) compare at $450

======[ Key calculation routine found at $4b2: ]======
_4b2   	move.w	#$b,d1
_4b6   	add.l	d6,d6
_4b8   	sub.l	(a0)+,d6
_4ba   	dbra	d1,_4b6
_4be   	addq.l	#4,sp
_4c0   	rts	

======[ Post copylock code starts at $7d4: ]======
_7d4   	lea	$78(sp),a6	;Set a6 to real copylock registers
_7d8   	move.l	d0,$14(a6)	;Store serial number in real d5 register
_7dc   	move.l	d0,($f4).w	;Serial number stored at $f4
_7e0   	move.l	$3984ec01,d0
_7e6   	move.l	d0,(a6)+
_7e8   	move.l	d1,(a6)+
_7ea   	rol.l	#1,d0
_7ec   	move.l	d0,(a6)+
_7ee   	rol.l	#1,d0
_7f0   	move.l	d0,(a6)+
_7f2   	rol.l	#1,d0
_7f4   	move.l	d0,(a6)+
_7f6   	rol.l	#2,d0
_7f8   	addq.w	#4,a6
_7fa   	move.l	d0,(a6)+
_7fc   	rol.l	#1,d0
_7fe   	move.l	d0,(a6)+
_800   	moveq	#$0,d0
_802   	moveq	#$1,d0
_804   	lea	_816(pc),a6
_808   	move.l	-$4(a6),d6
_80c   	add.l	$8,d6
_812   	or.w	#$a71f,sr
_816   	addi.l	#$44,($24).l
Copylock stack 2 ends at $816
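The key-calculation routines from the four Copylock Decrypter listings above, transcribed to Python as an added example (this is not Codetapper's tool and not code from any of the games). It shows why "wiring in the key", as StingRay describes the Crystal crack and as the replace-the-BSR-with-a-MOVE.L-key pattern MethodGit mentions does, works at all: each routine is a pure function of the 12 longwords it consumes via (a0)+ and of d6 on entry, so on an original disk it always yields the same value, which can be stored as a constant while the code that reads the protection track is skipped. Assumptions: the 12 "track" longwords are constructed sample data, d6 on entry is taken as a parameter defaulting to 0 (the listings do not show its initial value), and the function names (loop_shift_sub, key_pool, hardwired_keys and so on) are mine.

```python
# Added example: the key-calculation routines from the Copylock Decrypter
# listings, transcribed to Python. Not Codetapper's code and not code from any
# game. Each routine is a pure function of 12 longwords read via (a0)+ (here:
# constructed sample data) and of d6 on entry (assumed parameter, default 0),
# which is what makes the result "wirable" as a constant.

MASK32 = 0xFFFFFFFF


def loop_shift_sub(words, d6=0):
    """move.w #$b,d1 / add.l d6,d6 / sub.l (a0)+,d6 / dbra d1: runs 12 times
    (dbra counts d1 from 11 down to -1). Shared by the Pool, Krusty and
    Wiz'n'Liz listings."""
    if len(words) != 12:
        raise ValueError("routine consumes exactly 12 longwords")
    for w in words:
        d6 = ((d6 << 1) - w) & MASK32   # add.l d6,d6 then sub.l (a0)+,d6, 32-bit wrap
    return d6


def loop_add_swap(words, d6=0):
    """move.w #$b,d1 / add.l (a0)+,d6 / swap d6 / dbra d1: the VCR variant."""
    if len(words) != 12:
        raise ValueError("routine consumes exactly 12 longwords")
    for w in words:
        d6 = (d6 + w) & MASK32
        d6 = ((d6 << 16) | (d6 >> 16)) & MASK32   # swap d6 exchanges the 16-bit halves
    return d6


def key_pool(words, d6=0):
    """Archer Maclean's Pool: loop, then eor.l #$71895a65,d6 (stored at $60)."""
    return loop_shift_sub(words, d6) ^ 0x71895A65


def key_krusty(words, d6=0):
    """Krusty's Super Fun House: loop, move.l d6,($80).w, not.l ($80).w.
    Returns (d6 as left in the register, value left at $80)."""
    d6 = loop_shift_sub(words, d6)
    return d6, (~d6) & MASK32


def key_wiz(words, d6=0):
    """Wiz'n'Liz: the bare loop; the post-copylock code later stores the
    serial number at $f4."""
    return loop_shift_sub(words, d6)


def key_vcr(words, d6=0):
    """Vector Championship Run: add/swap loop; the post-copylock code adds the
    result into the real a4."""
    return loop_add_swap(words, d6)


# Constructed sample "track" longwords. A real protection track gives other
# values; the point is only that the same 12 longwords always give the same key.
TRACK_WORDS = [(0x4E750001 * (i + 1)) & MASK32 for i in range(12)]


def hardwired_keys(words=TRACK_WORDS, d6=0):
    """The constants a cracker computes once from the original disk and then
    wires in, instead of letting the game read the protection track."""
    krusty_d6, krusty_mem80 = key_krusty(words, d6)
    return {
        "pool": key_pool(words, d6),
        "krusty_d6": krusty_d6,
        "krusty_mem80": krusty_mem80,
        "wiz": key_wiz(words, d6),
        "vcr": key_vcr(words, d6),
    }


if __name__ == "__main__":
    for name, key in hardwired_keys().items():
        print(f"{name:13s} ${key:08x}")
```

Run as a script it prints the five values for the sample data. Change TRACK_WORDS and every key changes, which is why the constant has to be computed from an original disk (or a preserved IPF, as Codetapper suggests with CopylockDecoder) before it can be wired in.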
Old 02 December 2010, 06:35   #39
MethodGit
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 33
Posts: 2,723
Ah, maybe I'm supposed to decrypt/decode the copylock first after all. >.< Dang.
Old 02 December 2010, 09:21   #40
Codetapper
2 contact me: email only!

Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,135
MethodGit: I suggest you would learn a lot by using CopylockDecoder: put the original IPF in the drive and let it decode. Then you can disassemble the decoded file without needing the AR cart, and you can study the code that the copylock runs.

Note that it only decodes instructions that it runs, so there will be large blank areas in the decoded file where the code doesn't run.

Read the docs that come with CopylockDecoder. Seriously. Do it! It should answer all your questions!

PS: CopylockDecoder is on the WHDLoad site if you can't find it.