English Amiga Board
Old 06 November 2010, 18:09   #1
MethodGit
Attempting to crack a game not on Flashtro!

Having completed the Captain Dynamo tutorial, I thought I'd try and adapt what I've learnt into another Codemasters title - Fantasy World Dizzy.

This game is in NDOS format and therefore I can't exactly replicate every step I made before, but I can at least track down the copylock calls and try to dummy/redirect them.

Okay, so I booted a copy of the disk, and entered AR when the drive went to track 0 (to start the check) - this seems to be almost instant btw, so it must be happening in the bootblock.

First things first, my commands:
f 48 7a
(reveals two addresses: D28 and D38)
d d28
(go up a bit, and the routine appears to start at D1A)
fa d1a
(finds one result: 57E = BSR D1A)
d 57e
(directly after 57e is another BSR at 582: BSR 163A)
d 163a
(reveals....)
Code:
00163A MOVE.L   27E6(PC),D0
00163E CMP.L    #BEBF833A,D0
001644 BEQ      0000164A
001646 MOVE.Q   #FFFFFFFF,D0
001648 RTS
a 163e
>> 163e move.l #bebf833a,d0
>> 1644 nop
>> 1648 nop
d 57e
>> 57e nop
>> 582 nop
()

Now I'm just stuck with something - how to save my edits afterwards? The game doesn't appear to contain any crunched data, I didn't have to wait for anything to load into memory like I had to with the Dynamo tutorial. (Though thinking about it, if it weren't crunched then surely I'd be able to find the helpline references directly in the ADF, which doesn't appear to have them after all, even though the game definitely boots up a helpline screen if the copylock fails. Hmmm.) I also didn't load any tracks into memory before starting. Still, I love how quickly I'm understanding some of these assembler commands!
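The two Action Replay searches the post above leans on, as an added Python example (my code, not anything from the thread or from the tools it mentions). `f 48 7a` works because $487A is the 68000 encoding of PEA d16(PC), which the Copylock routine uses to push the addresses of its own code, so every hit is a candidate Copylock entry; `fa` lists the instructions that refer to an address, which is how the post walks from the hit at D28 back to the BSR at 57E and on to the key check at 163A. The memory image is constructed for the example, with the key-check instructions from the post placed at $300 and two callers at $100 and $400; none of these addresses are the game's layout.

```python
"""AR-style 'f' and 'fa' searches over a 68000 memory image (added example, constructed data)."""
import struct

PEA_PC = bytes.fromhex("487A")   # opcode word of PEA d16(PC), the Copylock signature the post searches for


def find_pattern(mem, pattern):
    """AR 'f': every offset at which `pattern` occurs, at any alignment (the cartridge does the same)."""
    hits, start = [], 0
    while (i := mem.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


BCC_NAMES = {0x0: "BRA", 0x1: "BSR", 0x6: "BNE", 0x7: "BEQ"}   # the conditions that matter here


def branch_target(mem, pc):
    """Decode a flow-control instruction at `pc`: (mnemonic, target) or None if it is not one.
    Covers BRA/BSR/Bcc with 8- and 16-bit displacements and JSR/JMP to absolute addresses."""
    if pc + 2 > len(mem):
        return None
    op = struct.unpack_from(">H", mem, pc)[0]
    if op & 0xF000 == 0x6000:                            # BRA / BSR / Bcc
        name = BCC_NAMES.get((op >> 8) & 0xF, "Bcc")
        disp8 = op & 0xFF
        if disp8 == 0xFF:                                # 32-bit displacement: 68020+, not decoded
            return None
        if disp8 == 0x00:                                # 16-bit displacement in the next word
            if pc + 4 > len(mem):
                return None
            disp = struct.unpack_from(">h", mem, pc + 2)[0]
            return name + ".W", (pc + 2 + disp) & 0xFFFFFFFF
        disp = disp8 - 0x100 if disp8 & 0x80 else disp8  # sign-extend the 8-bit form
        return name + ".B", (pc + 2 + disp) & 0xFFFFFFFF
    if op in (0x4EB8, 0x4EF8):                           # JSR / JMP abs.W (address is sign-extended)
        if pc + 4 > len(mem):
            return None
        addr = struct.unpack_from(">h", mem, pc + 2)[0] & 0xFFFFFFFF
        return ("JSR" if op == 0x4EB8 else "JMP") + " abs.W", addr
    if op in (0x4EB9, 0x4EF9):                           # JSR / JMP abs.L
        if pc + 6 > len(mem):
            return None
        addr = struct.unpack_from(">I", mem, pc + 2)[0]
        return ("JSR" if op == 0x4EB9 else "JMP") + " abs.L", addr
    return None


def find_refs(mem, target):
    """AR 'fa': (address, mnemonic) of every instruction that branches or jumps to `target`.
    Like the cartridge this decodes every even offset, so data that happens to look like a
    branch can show up too: confirm each hit by disassembling it ('d') before patching."""
    refs = []
    for pc in range(0, len(mem), 2):
        dec = branch_target(mem, pc)
        if dec and dec[1] == target:
            refs.append((pc, dec[0]))
    return refs


def make_demo_memory():
    """CONSTRUCTED image (assumption, not a dump of the game) with the shapes the post finds."""
    mem = bytearray(0x600)
    mem[0x100:0x108] = bytes.fromhex("610000FE" "610001FA")        # BSR.W $200 ; BSR.W $300 (cf. 57E/582)
    mem[0x200:0x206] = bytes.fromhex("487A0010" "4E75")            # PEA $10(PC) ; RTS (Copylock-style entry)
    mem[0x300:0x310] = bytes.fromhex("203A27E6" "0C80BEBF833A"     # MOVE.L $27E6(PC),D0 ; CMP.L #$BEBF833A,D0
                                     "6704" "70FF" "4E75")         # BEQ +4 ; MOVEQ #-1,D0 ; RTS (as at 163A)
    mem[0x400:0x404] = bytes.fromhex("4EB80200")                   # JSR $200.W, a second caller
    return bytes(mem)


if __name__ == "__main__":
    mem = make_demo_memory()
    for hit in find_pattern(mem, PEA_PC):                          # 'f 48 7a'
        print(f"PEA d16(PC) at {hit:06X}")
        for pc, mnem in find_refs(mem, hit):                       # 'fa <hit>'
            print(f"  referenced from {pc:06X} by {mnem}")
    for pc, mnem in find_refs(mem, 0x300):
        print(f"key check at 000300 is called from {pc:06X} by {mnem}")
```

The scan is deliberately as naive as the cartridge's: it does not know where instructions start, so a data word such as $6100 followed by a plausible displacement will be reported as a BSR. That is why the post follows each `fa` result with a `d` before assembling over it.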
Old 07 November 2010, 17:59   #2
StingRay
Quote (Originally Posted by MethodGit):
This game is in NDOS format and therefore I can't exactly replicate every step I made before, but I can at least track down the copylock calls and try to dummy/redirect them.
This is not how you correctly crack a copylock, you need to decrypt the trace vector code to see what happens there otherwise you might be in for some serious surprises. Rule of thumb: if something is encrypted the coder most probably wanted to hide something. Without decrypting the code you can never be sure what happens.

Quote (Originally Posted by MethodGit):
Okay, so I booted a copy of the disk, and entered AR when the drive went to track 0 (to start the check) - this seems to be almost instant btw, so it must be happening in the bootblock.
Game loads a file in the bootblock which contains the protection check, it isn't really happening in the bootblock.

Quote (Originally Posted by MethodGit):
Now I'm just stuck with something - how to save my edits afterwards? The game doesn't appear to contain any crunched data, I didn't have to wait for anything to load into memory like I had to with the Dynamo tutorial.
As said, the game loads a file into memory which contains the protection check. This file is crunched and will be decrunched in the bootblock.
Since you are using the Action Replay, you can use the RT/WT (Read Track/Write Track) commands to load/save tracks. Just consult the AR manual or press Help to get a short help text when you are inside AR3.

Quote (Originally Posted by MethodGit):
(Though thinking about it, if it weren't crunched then surely I'd be able to find the helpine references directly in the ADF, which doesn't appear to have them after all, even though the game definitely boots up a helpine screen if the copylock fails. Hmmm.)
Exactly.


Quote (Originally Posted by MethodGit):
Still, I love how quickly I'm understanding some of these assembler commands!
Can you explain to me what happens here?
Quote (Originally Posted by MethodGit):
Code:
00163A MOVE.L 27E6(PC),D0
00163E CMP.L #BEBF833A,D0
001644 BEQ 0000164A
001646 MOVE.Q #FFFFFFFF,D0
001648 RTS
a 163e
>> 163e move.l #bebf833a,d0
>> 1644 nop
>> 1648 nop
d 57e
Old 10 November 2010, 22:32   #3
Plagueis/KRX
@MethodGit: One thing you might find rewarding is to just go after an older title that simply has Novella protection only (not one of the ones already explained on Flashtro). You know the routine, look up a word in the manual....page 25, paragraph 1, sentence 2, word 3 and enter it to pass the protection. Now some of these games have additional checks (such as a checksum or byte counting routine) later on or during the novella check, but some do not.

Last year I was able to find a game that hadn't been discussed in any of the tutorials and crack it myself without consulting anyone, simply with what little I knew of 68000 code at the time and from experience with the cartridge I'd gained through the Flashtro tutorials. If that's too easy, supposedly the game Elite has Novella protection, plus two other routines protecting that routine. I haven't played with it, but there is an old text file explaining supposedly how to crack it 100%. If you haven't read that yet, maybe it would be a good exercise in reverse engineering to find that protection and disable its defenses to get a working cracked game.

The Flashtro.com community is one of the best ideas I've seen on the web for resurrecting the excitement of the old amiga scene, but it sure needs more participation. For me, the best thing I got out of the cracking tutorials is a better understanding of the mental process you go through when you take apart simple protections with the Action Replay. After reading through those, and playing with a few, my AR skills had aggrandized. For me personally, the key to getting better at cracking and reversing is to try and practice them both as often as possible and think of them as a complementary symbiosis. I've got a long way to go too, but if you are coding, you learn cracking faster and vice versa. At least that's the way my brain works.

Also...if you are going to be a cracker, it's good to understand a little data abstraction called "the stack". All architectures (I know about) have it, and protection can play havoc with it, plus try and trash it (to cover their tracks) when you return from a cart freeze.

Last edited by Plagueis/KRX; 10 November 2010 at 22:40. Reason: The Stack
Old 11 November 2010, 09:48   #4
MethodGit
Quote (Originally Posted by StingRay):
This is not how you correctly crack a copylock, you need to decrypt the trace vector code to see what happens there otherwise you might be in for some serious surprises. Rule of thumb: if something is encrypted the coder most probably wanted to hide something. Without decrypting the code you can never be sure what happens.
You're right - having looked at and tackled both Wolfchild tutorials I can see some similarities. I've been trying hard to decrypt the code and all.

Alas, F.W.Dizzy doesn't seem to like breakpoints at the start of the copylock routine, preferring to guru rather than take me to AR....... so I can't do a memory difference test. I also can't seem to find the magic number so I can use it with Copylock Decoder - evidently this is one of those games that doesn't leave said number laying around at address 60.
Old 11 November 2010, 09:54   #5
BippyM
While I think the flashtro tutorials are great, I agree that it doesn't teach one how to crack per se.

Once you have followed, say, 20-30 of the tutorials you might be better and have a better understanding of asm, you'd certainly not have learnt much.

If you insist on hacking/cracking or whatever then start playing with the games themselves. Train them, change things. Find sprite and gfx routines and play with them.. Learn what is happening under the bonnet before you try to fix/modify it too much!

Good luck with what you are doing MethodGit, but don't bite off more than you can chew!!!
Old 11 November 2010, 10:14   #6
StingRay
Quote (Originally Posted by MethodGit):
You're right - having looked at and tackled both Wolfchild tutorials I can see some similarities. I've been trying hard to decrypt the code and all.
Well, what did you try? In all honesty, you won't be able to decrypt the trace vector code with your current knowledge. That's nothing to be ashamed of, just read what Plagueis wrote, start with something simpler first. You need to learn to walk before you run. I might write a tutorial one day (don't expect anything before 2020 ;D) about how to crack a copylock without any Action Replay and stuff.

Quote (Originally Posted by MethodGit):
Alas, F.W.Dizzy doesn't seem to like breakpoints at the start of the copylock routine, preferring to guru rather than take me to AR....... so I can't do a memory difference test. I also can't seem to find the magic number so I can use it with Copylock Decoder - evidently this is one of those games that doesn't leave said number laying around at address 60.
Well, as said, try something simpler first. You could also use Copylock Decoder (which is a great piece of code btw!) but well, who cracked the game then? You? Or a tool that someone else coded for you?


Quote (Originally Posted by bippym):
While I think the flashtro tutorials are great, I agree that it doesn't teach one how to crack per se.

Once you have followed say 20-30 of the tutorials you might be better and have a better understanding of asm, you'd certainly not have learnt much.

If you insist on hacking/cracking or whatever then start playing with the games themselves. Train them, change things. Find sprite and gfx routines and play with them.. Learn what is happening under the bonnet before you try to fix/modify it too much!

Good luck with what you are doing MethodGit, but don't bite off more than you can chew!!!

Well said Bippy, couldn't agree more!
Old 11 November 2010, 12:58   #7
Big-Byte
First game I ever cracked was the manual protection on Battlehawks 1942.
Then I followed that with F15 Strike Eagle II.

They were quite easy to do with an action replay.

I think I managed to do the first copy protection check on Midnight Resistance as well (memory very hazy here though). Wish I'd kept up my assembler skills now, as all the code tutorials look like gobbledygook again.
Old 11 November 2010, 21:09   #8
MethodGit
Quote (Originally Posted by StingRay):
Well, what did you try?
Well I did try to hunt out the changes the trace decoder makes to the data in memory like how the WC page showed, for one thing. Seems it's smart enough to prevent me from even doing that though!

Quote (Originally Posted by StingRay):
Well, as said, try something simpler first. You could also use Copylock Decoder (which is a great piece of code btw!) but well, who cracked the game then? You? Or a tool that someone else coded for you?
I'm not looking for cracker status in all honesty. These are just personal quests for myself to learn how certain games work as I was always interested in knowing the guts of some of my favourite titles. I did already defeat the protection in a couple of Codemasters games before without reading specific tutorials for them (such as Quest of Agravain - via hex - before I even read Flashtro's page for it!), so I'm not a total failure when it comes to hacking not-covered titles.
Old 12 November 2010, 09:28   #9
StingRay
Quote (Originally Posted by MethodGit):
Well I did try to hunt out the changes the trace decoder makes to the data in memory like how the WC page showed, for one thing. Seems it's smart enough to prevent me from even doing that though!
Well, might be that it doesn't change anything in memory. You'll only know that once you decrypted the code.

Quote (Originally Posted by MethodGit):
I'm not looking for cracker status in all honesty. These are just personal quests for myself to learn how certain games work as I was always interested in knowing the guts of some of my favourite titles. I did already defeat the protection in a couple of Codemasters games before without reading specific tutorials for them (such as Quest of Agravain - via hex - before I even read Flashtro's page for it!), so I'm not a total failure when it comes to hacking not-covered titles.
I know that you're doing it for fun. Which is why I said you should start with simpler things first and then move on to more advanced protections (and a Copylock is nothing for a beginner since you need a fair bit of 68k knowledge if you want to defeat it without any external decoders/cartridges). Start with DOS games that have a manual protection, you can easily load the executable into a disassembler and examine the code. Try e.g. to remove the protections in The Clou! or Whales Voyage if you need a little challenge. If you know what you're doing both games can be cracked easily but you need to be careful!
Old 14 November 2010, 18:01   #10
Plagueis/KRX
Correction on my earlier post. I had meant to say, "coding and reversing are complementary skills in my opinion." If you are working on at least some small coding projects, and at the same time doing some reversing, like finding trainers and doing relatively easy cracks, I think you'll find you can build your skill even faster.
Old 20 November 2010, 01:28   #11
MethodGit
Just one question..... are there any other common addresses aside from 60 that a Trace-Vector-protected game places a copylock key in? I feel as long as I can work out the key I might be able to at least code some kind of boot patch to hardwire it in.

Or would it be a lot easier to just note down all the copylock keys reported by WWarp and try my luck with one at a time until I strike gold?
Old 20 November 2010, 03:04   #12
Codetapper
You need to decrypt the copylock to see what it is doing. eg. Archer Maclean's Pool:

Code:
Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $32a0e
Copylock stack 1 found at $32a88
Copylock stack 2 found at $32df6
Copylock key wiring position found at $32e14
Copylock key wiring skip to position found at $32e5e
Post copylock branch to address starts at $3321e
Copylock new magic number ($a573632c) compare at $32e82

======[ Key calculation routine found at $32ee4: ]======
_32ee4	move.w #$b,d1
_32ee8	add.l d6,d6
_32eea	sub.l (a0)+,d6
_32eec	dbra d1,_32ee8
_32ef0	eor.l #$71895a65,d6 ;Modify serial number
_32ef6	move.l d6,($60).w ;Serial number stored at $60
_32efa	addq.l #4,sp
_32efc	rts

======[ Special copylock modifications: ]======
_32f66	move.w #$9290,$37994
_33198	move.w #$a9d0,($3e8).w

======[ Post copylock code starts at $3321e: ]======
_3321e	lea $78(sp),a6 ;Set a6 to real copylock registers
_33222	move.l d0,(a6)+
_33224	move.l d1,(a6)+
_33226	rol.l #1,d0
_33228	move.l d0,(a6)+
_3322a	rol.l #1,d0
_3322c	move.l d0,(a6)+
_3322e	rol.l #1,d0
_33230	move.l d0,(a6)+
_33232	rol.l #1,d0
_33234	rol.l #1,d0
_33236	move.l d0,(a6)+
_33238	rol.l #1,d0
_3323a	move.l d0,(a6)+
_3323c	rol.l #1,d0
_3323e	move.l d0,(a6)+
_33240	moveq #$0,d0
_33242	moveq #$1,d0
_33244	lea _33256(pc),a6
_33248	move.l -$4(a6),d6
_3324c	add.l $8,d6
_33252	or.w #$a71f,sr
_33256	addi.l #$44,($24).l
Copylock stack 2 ends at $33256
If you don't decrypt it (use some tool like CopylockDecoder, ARIV, or my utility) you will miss the special stuff (note the "Special copylock modifications" section above that screw the game up if not run).
Old 20 November 2010, 04:39   #13
MethodGit
I did try Fantasy World Dizzy on ARIV and using ROBD, but it couldn't find anything via "f 48 7a". Then again, I just read a small chunk of tracks into memory and went from there. Not sure if I'm supposed to do it while the game is running in the background...

And for me to get CopyLockDecoder working with it I first need to work out which address the game saves the key in, as 60 doesn't reveal anything.

Edit: If I go into AR when the disk starts doing that loud crunch typical of copylock procedures, then search for "48 7a", it reveals the decoded copylock to reside in D28. Suffice it to say, attempting to insert a breakpoint at this address yields nothing for me - it just gets ignored. Even if I try to repeatedly go back and forth between game and AR during the initial loading process to see which places it jumps to during that time, I'm still nonplussed. Then again, maybe I just need some sleep at this point!
Old 20 November 2010, 08:39   #14
MethodGit
Hang about, I think I may well have overthunk my thinkingness here!

I had the brainstorm of replacing JMP 324.S with a BRA FOREVER command, so that it at least keeps the decrunched copylock in memory for me to look at. And upon some playing about, it turns out I only really need to change a few bits and bobs, much like how I demonstrated at the top of this thread. Now I just need to think up the listings for an appropriate boot patch. I may well be close to defeating my last remaining Dizzy title!
Old 20 November 2010, 09:08   #15
StingRay
Quote (Originally Posted by MethodGit):
Just one question..... are there any other common addresses aside from 60 that a Trace-Vector-protected game places a copylock key in? I feel as long as I can work out the key I might be able to at least code some kind of boot patch to hardwire it in.

Or would it be a lot easier to just note down all the copylock keys reported by WWarp and try my luck with one at a time until I strike gold?
As Codetapper (and me too earlier in this thread) said, you need to decrypt the copylock. That's the only way to know what happens in the crypted code. Everything else is more or less guess work and you'll end up with non-working/faulty cracks sooner or later.
Old 21 November 2010, 04:34   #16
MethodGit
Well the copylock itself isn't too bad - it's essentially the same one along the lines of the other Codemasters titles!

Here's the lowdown at the moment. The boot code from 7000C (bootblock loaded at 70000 of course) is as follows:
Code:
7000C = MOVE.W  #2,1C(A1)
70012 = MOVE.L  #20000,28(A1)
7001A = MOVE.L  #D6800,2C(A1)
70022 = MOVE.L  #5800,24(A1)
7002A = MOVEA.L 00000004.S,A6
7002E = JSR     -1C8(A6)
70032 = MOVE.W  #9,1C(A1)
70038 = MOVE.L  #0,24(A1)
70040 = MOVEA.L 00000004.S,A6
70044 = JSR     -1C8(A6)
70048 = LEA     00DFF000,A6
7004E = MOVE.W  #7FFF,96(A6)
70054 = MOVE.W  #7FFF,9A(A6)
7005A = MOVE.W  #0,180(A6)
70060 = LEA     00080000,A7
70066 = LEA     70080(PC),A0
7006A = LEA     0007E000,A1
70070 = LEA     70190(PC),A2
70074 = MOVE.L  A1,00000080.S
70078 = MOVE.B  (A0)+,(A1)+
7007A = CMPA.L  A2,A0
7007C = BNE     00070078
7007E = TRAP    #0
70080 = LEA     00080000,A7
70086 = MOVE.W  #2700,SR
7008A = LEA     00020000,A0
70090 = LEA     00000300.S,A1
70094 = MOVEA.L A1,A6
70096 = MOVE.W  #3E7F,D0
7009A = MOVE.B  (A0)+,(A1)+
7009C = DBF     D0,0007009A
700A0 = LEA     70190(PC),A0
700A4 = LEA     7018C(PC),A1
700A8 = MOVE.L  A0,(A1)
700AA = BSR     000700B0
700AC = JMP     00000324.S
By turning JMP 324.S into BRA 700AC, I can hang the game and look at where everything is after being loaded into memory. Soooo....

I start off by disassembling where I am and notice that my BRA FOREVER command above is sitting at 7E02C - a difference of $DF80. Then I look at the current registers, which are as follows:
Code:
D0=000000F2 8000FFFF 0000FFBB 00000000  000001FC 000080F2 00000000 00000005
A0=0000070C 00004148 000016E8 00006AAC  00006AEC 0007E310 0007E110 00080000
PC = 0007E02C USP = 00080000 SR = 2704 T=0 S=1 I=111 X=0 N=0 Z=1 V=0 C=0
Searching for 48 7a turns up hits at D28 and D38 as before. The code in D28 is part of a routine that starts at D1A. D1A is called by a BSR at 573. Below 573 is a BSR command at 582 going to 163A, where the copylock key is referenced. This is all in the first post, btw.

Here's the patch code I basically want to load...
Code:
MOVE.L #4E714E71,57E (nops out the BSR command to load the copylock check)
MOVE.W #203C,163E (changes the CMP.L command to a MOVE.L one)
MOVE.B #60,1644 (changes the BEQ into a BRA)
JMP 324.S (restore the command originally taken out of the boot code)
I did initially test my patches manually when dealing with the hung copy (assembling the addresses, changing the BRA FOREVER command back to JMP 324.S, then exiting AR, and the game loaded perfectly!) so I know I'm doing the right thing here.

Now my problem is that I can't work out the best place on the bootblock to put the patch in, since all the boot code gets shunted several places forward in memory and I subsequently notice that my BRA (wherever, say for example 70200) command is pointing elsewhere where data exists, thus causing a guru upon load. I suspect it has to do with everything that is done before where JMP 324.S normally is, but I've looked at that and the registers and can't seem to join the dots still. I did see what happened if I replaced the command above it (BSR 700B0) with BRA FOREVER but it revealed totally different registers and furthermore none of the important data existed in memory, so obviously it's JMP I have to replace. I'm also aware that you usually need to have two patches on a bootblock - one to load the main patch into memory - but I've been struggling to get this working also.

What sort of changes should I be making to my patch code, or is it (mostly) fine?
Old 21 November 2010, 09:07   #17
Codetapper
All you need is about 20 spare bytes anywhere in the bootblock, change the jmp $324 to run your patch and then jmp $324. Most bootblocks have a few spare bytes in them!
Old 21 November 2010, 09:55   #18
MethodGit
Oh, that I understand already. Just one problem...

I probably should've mentioned this the first time, but there are about $188 bytes' worth of data from 0C onwards (including the bit I've shown above). It seems that the BNE command loads this list of commands after (but before executing) JMP 324.S....
Code:
700B0 = MOVEA.L A6,A3
700B2 = ADDQ.W  #4,A6
700B4 = MOVE.L  (A6)+,D3
700B6 = MOVE.L  (A6)+,D4
700B8 = MOVEA.L 7018C(PC),A0
700BC = MOVE.W  #FF,D7
700C0 = MOVE.L  (A6)+,(A0)+
700C2 = DBF     D7,000700C0
700C6 = SUBI.L  #400,D4
700CC = MOVEA.L A6,A0
700CE = ADDA.L  D4,A0
700D0 = MOVEA.L A3,A1
700D2 = ADDA.L  D3,A1
700D4 = LEA     40(A1),A1
700D8 = MOVE.B  -(A0),-(A1)
700DA = SUBQ.L  #1,D4
700DC = BNE     000700D8
700DE = MOVEA.L A1,A4
700E0 = MOVEA.L 7018C(PC),A6
700E4 = LEA     200(A6),A5
700E8 = MOVEQ   #0,D7
700EA = MOVE.W  1FE(A6),D4
700EE = MOVE.W  D4,D5
700F0 = DBF     D7,000700F8
700F4 = MOVEQ   #1F,D7
700F6 = MOVE.L  (A4)+,D6
700F8 = LSR.L   #1,D6
700FA = BCC     00070104
700FC = MOVE.W  0(A5,D5.W),D5
70100 = BPL     000700F0
70102 = BRA     0007010A
70104 = MOVE.W  0(A6,D5.W),D5
70108 = BPL     000700F0
7010A = MOVE.B  D5,D0
7010C = MOVE.W  D0,D2
7010E = MOVE.W  D4,D5
70110 = DBF     D7,00070118
70114 = MOVEQ   #1F,D7
70116 = MOVE.L  (A4)+,D6
70118 = LSR.L   #1,D6
7011A = BCC     00070124
7011C = MOVE.W  0(A5,D5.W),D5
70120 = BPL     00070110
70122 = BRA     0007012A
70124 = MOVE.W  0(A6,D5.W),D5
70128 = BPL     00070110
7012A = MOVE.B  D5,D0
7012C = CMP.B   D0,D2
7012E = BEQ     00070138
70130 = MOVE.B  D0,(A3)+
70132 = SUBQ.L  #1,D3
70134 = BNE     0007010E
70136 = RTS
70138 = MOVEQ   #0,D0
7013A = MOVE.W  D4,D5
7013C = DBF     D7,00070144
70140 = MOVEQ   #1F,D7
70142 = MOVE.L  (A4)+,D6
70144 = LSR.L   #1,D6
70146 = BCC     00070150
70148 = MOVE.W  0(A5,D5.W),D5
7014C = BPL     0007013C
7014E = BRA     00070156
70150 = MOVE.W  0(A6,D5.W),D5
70154 = BPL     0007013C
70156 = MOVE.B  D5,D0
70158 = BEQ     00070188
7015A = ADDQ.W  #2,D0
7015C = MOVE.W  D0,D1
7015E = MOVE.W  D4,D5
70160 = DBF     D7,00070168
70164 = MOVEQ   #1F,D7
70166 = MOVE.L  (A4)+,D6
70168 = LSR.L   #1,D6
7016A = BCC     00070174
7016C = MOVE.W  0(A5,D5.W),D5
70170 = BPL     00070160
70172 = BRA     0007017A
70174 = MOVE.W  0(A6,D5.W),D5
70178 = BPL     00070160
7017A = MOVE.B  D5,D0
7017C = MOVE.B  D0,(A3)+
7017E = SUBQ.L  #1,D3
70180 = DBEQ    D1,0007017C
70184 = BNE     0007010E
70186 = RTS
This must be what puts stuff like the copylock in memory, since without it, it's just blank spots in the same addresses. It's from $194 that the data ends and the space-filling Codemasters text begins until $400.

I did look at the two Wolfchild tutorials yet again, but I think those boot patches were designed mainly for a game that uses nothing but crunched data throughout - this little game in comparison only compresses the loader. So, ummm, if putting my patch in $200 won't do the trick (I've tried that), where else? I hope following all these Ax's won't require a flowchart...
Old 23 November 2010, 05:42   #19
MethodGit
Okay, here's the lowdown - it doesn't matter where I put my code in after $(70)194 onwards, because anything after (70)18A doesn't get copied into memory, meaning my replacement of JMP 324.S with, say, BRA 70194 where the start of my patch code would be, is meaningless.

This game's loader does so many instructions on the bootblock that it's not as simple as adding code to other bootblocks, and even if I try to 'piggyback' by putting my instructions towards the end and adjusting other addresses if necessary (such as BRA/BEQ/BNE ones), I'm still treated to a bloody guru.

I think now is the time where I'll have to come out screaming for help, because I really need to sleep and I can't keep melting my brain over this stupid loader and its stubborn bastardness. Trying to look at all the Flashtro tutorials bit by bit to see if there are any slight tricks I could re-adapt is coming to nothing. The protection isn't even over-the-top, it's simple in itself - I just have to contend with a custom loader that'll only load a certain amount of data and cut off just where there's room for my patch!

P.S. I did try, for example, changing MOVE.W #FF,D7 to read #200,D7 to see if that would make it load just a bit more data. No dice.
Old 23 November 2010, 08:17   #20
Codetapper
Evil grin

This appears to be a very simple task. You need to change $70070 as that is only copying the initial data, not your patch into the $7e000 range:

Code:
70066 = LEA     70080(PC),A0
7006A = LEA     0007E000,A1
70070 = LEA     70190(PC),A2
70074 = MOVE.L  A1,00000080.S
70078 = MOVE.B  (A0)+,(A1)+
7007A = CMPA.L  A2,A0
7007C = BNE     00070078
There is no need to change the $ff as that's copying $ff+1 longwords = $400 bytes, the entire bootblock.

Code:
700BC = MOVE.W  #FF,D7
700C0 = MOVE.L  (A6)+,(A0)+
700C2 = DBF     D7,000700C0
You should be able to finish it from here!
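What Codetapper's two replies amount to, as an added Python example (my code, not anything from the thread or from the tools it mentions): assemble MethodGit's four patch instructions from post #16 into bytes, drop them into spare bytes of the bootblock, replace the JMP $324.W with a PC-relative BRA.W to the patch so the redirect still holds after the loader copies its code to the $7E000 range, let the patch end with the JMP $324.W itself, and then rebuild the bootblock checksum, which Kickstart checks before it will boot a "DOS" block at all. The bootblock image is constructed for the example, with the JMP at the same offset ($AC) as in the listing; the patch location $3C0 is an assumption, and for this particular game the patch also has to lie inside the range that the copy loop at $70066-$7007C moves, which is the change at $70070 the reply above points at.

```python
"""Bootblock patch-in with checksum repair (added example, constructed data)."""
import struct

BB_SIZE = 1024
OLD_JMP = bytes.fromhex("4EF80324")          # JMP $324.W, the instruction the loader ends with


# --- 68000 encoders for exactly the instructions the patch needs ----------------------------
def move_imm_to_abs_w(size, imm, addr):
    """MOVE.<size> #imm,addr.W: size 0001/0011/0010 (B/W/L) | dest abs.W (reg 000, mode 111) | src #imm (mode 111, reg 100)."""
    base = {"b": 0x1000, "w": 0x3000, "l": 0x2000}[size]
    op = base | (0b111 << 6) | 0b111100
    if size == "l":
        imm_bytes = struct.pack(">I", imm & 0xFFFFFFFF)
    else:                                     # a byte immediate still occupies a whole word
        imm_bytes = struct.pack(">H", imm & (0xFF if size == "b" else 0xFFFF))
    return struct.pack(">H", op) + imm_bytes + struct.pack(">H", addr)


def jmp_abs_w(addr):
    return struct.pack(">HH", 0x4EF8, addr)


def bra_w(at, target):
    """BRA.W placed at `at`, reaching `target`; the displacement is relative to at+2."""
    disp = target - (at + 2)
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("BRA.W displacement out of range")
    return struct.pack(">Hh", 0x6000, disp)


def assemble_patch():
    """MethodGit's patch from post #16, 24 bytes, ending with the JMP the loader would have taken."""
    return (move_imm_to_abs_w("l", 0x4E714E71, 0x057E)    # BSR.W $D1A at $57E -> NOP, NOP
            + move_imm_to_abs_w("w", 0x203C, 0x163E)      # CMP.L #$BEBF833A,D0 -> MOVE.L #$BEBF833A,D0
            + move_imm_to_abs_w("b", 0x60, 0x1644)        # BEQ -> BRA (condition byte $67 -> $60)
            + jmp_abs_w(0x324))                            # carry on into the game loader


# --- Kickstart bootblock checksum -----------------------------------------------------------
def bootblock_checksum(bb):
    """Sum of the 256 longwords with end-around carry, the checksum field (offset 4) taken as
    zero, then inverted. Kickstart only boots a 'DOS' block whose stored value matches this."""
    total = 0
    for off in range(0, BB_SIZE, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", bb, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF


def checksum_ok(bb):
    return struct.unpack_from(">I", bb, 4)[0] == bootblock_checksum(bb)


def fix_checksum(bb):
    struct.pack_into(">I", bb, 4, bootblock_checksum(bb))


# --- the actual patch-in --------------------------------------------------------------------
def install_patch(bb, jmp_offset, patch_offset):
    """Redirect the JMP $324.W at `jmp_offset` to the patch written at `patch_offset`, then fix the
    checksum. Checks first that the JMP really is where the listing says and that the patch fits."""
    patch = assemble_patch()
    if bb[jmp_offset:jmp_offset + 4] != OLD_JMP:
        raise ValueError(f"no JMP $324.W at offset {jmp_offset:#x}")
    if patch_offset + len(patch) > BB_SIZE:
        raise ValueError("patch does not fit in the bootblock")
    if patch_offset < jmp_offset + 4 and jmp_offset < patch_offset + len(patch):
        raise ValueError("patch overlaps the JMP being replaced")
    bb[patch_offset:patch_offset + len(patch)] = patch
    bb[jmp_offset:jmp_offset + 4] = bra_w(jmp_offset, patch_offset)  # same length, PC-relative
    fix_checksum(bb)
    return bb


def make_demo_bootblock():
    """CONSTRUCTED stand-in (assumption, not the game's bootblock): 'DOS' id, rootblock 880,
    NOPs for the loader body, the JMP $324.W at offset $AC as in the listing, valid checksum."""
    bb = bytearray(BB_SIZE)
    bb[0:4] = b"DOS\0"
    struct.pack_into(">I", bb, 8, 880)
    bb[0x0C:0xAC] = bytes.fromhex("4E71") * ((0xAC - 0x0C) // 2)
    bb[0xAC:0xB0] = OLD_JMP
    fix_checksum(bb)
    return bb


if __name__ == "__main__":
    bb = make_demo_bootblock()
    install_patch(bb, 0xAC, 0x3C0)
    print("patch    :", assemble_patch().hex())
    print("new jump :", bb[0xAC:0xB0].hex(), "(BRA.W to $3C0)")
    print("checksum :", f"{struct.unpack_from('>I', bb, 4)[0]:08X}", "ok" if checksum_ok(bb) else "BAD")
```

The BRA.W is chosen over a JMP to an absolute address precisely because this loader relocates its own code before running it: a PC-relative branch keeps pointing at the patch wherever the pair ends up, provided the patch was copied along with it. If the copy loop's end pointer still stops at $70190, the branch lands on whatever happens to be at that offset in the destination, which is the guru MethodGit was seeing.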
 

