26 September 2012, 15:56 | #1 |
Global Moderator
Methodgit's Cracking Thread
This thread is for Methodgit to put all his cracking queries in; if you don't like him, then please avoid it.
23 April 2013, 13:40 | #2 |
Junior Member
Guess I finally found a use for this thread then.
Well, I'm not quite sure if it's something anyone could help out with, as it's not strictly 68000-related (I think). I'm currently looking at Future Wars. I expressed in the past how great it could be if somebody came up with a fully cross-platform data-based crack for this game (and Operation Stealth) rather than relying on restricted executable hackarounds. In this thread, JOTD mentioned how the PC CD version of the game used a different startup script file (AUTO00.PRC) that could bypass the protection screen completely, and that it could also be used with the PC floppy version of the game to achieve the same effect. So far, so good. However, he then added that he tried to see if it could work with the Amiga version as well, but neither ScummVM nor WHDLoad liked that teamup at all.

Googling around, this thread at the ScummVM forums revealed some more information about the PC CD AUTO00.PRC file. Importantly, the start of page 2 of the thread has one of the developers confirming that the file is 'crypted' by way of rotating all its bytes to the right by one (akin to ROL/ROR). This left me thinking: maybe if I tried decrypting this file back, other versions might be able to take it? Well, just one problem: I'm not quite sure what 'rule' this game's engine follows in regards to byte-rotating, whether it's based more on x86 or 68000, etc. I've tried general byte-adjusting across the entirety of the small file (just 253 bytes, so at least it doesn't take all day), though I'm still not quite sure if I'm supposed to be seeing clear references to files inside the PART0x resource files. The floppy AUTO00.PRC mentions "PART01" and "TOTO.PRC" (the protection script) in comparison, but nothing I've tried so far has uncovered any hidden words. Maybe there aren't supposed to be any. Who knows?

Here's all that ScummVM's source code had to say on the matter (taken from 'engines\cine\part.cpp'): Code:
    /** Rotate byte value to the left by n bits */
    byte rolByte(byte value, uint n) {
        n %= 8;
        return (byte) ((value << n) | (value >> (8 - n)));
    }

    byte *readFile(const char *filename, bool crypted) {
        Common::File in;
        in.open(filename);

        if (!in.isOpen())
            error("readFile(): Cannot open file %s", filename);

        uint32 size = in.size();
        byte *dataPtr = (byte *)malloc(size);
        in.read(dataPtr, size);

        // The Sony published CD version of Future Wars has its
        // AUTO00.PRC file's bytes rotated to the right by one.
        // So we decode the so called crypting by rotating all
        // the bytes to the left by one.
        if (crypted) {
            for (uint index = 0; index < size; index++) {
                dataPtr[index] = rolByte(dataPtr[index], 1);
            }
        }

        return dataPtr;
    }

(It's a shame, btw, that there appears to be little to no information on the Cine engine, so I have no clue as to its opcodes etc., unlike SCI or AGI.)
23 April 2013, 16:07 | #3 |
Registered User
Here you go.
23 April 2013, 16:16 | #4 |
Junior Member
Well dang, I obviously wasn't doing it right then!
Perhaps I misunderstood the concept of byte-rotation? From reading up on it I was led to believe it went something like "AABBCC00 to BBCC00AA" (move one byte from one end to the other in a wraparound), but comparing the encrypted and decrypted files it appears none of the numbers had to physically move. Or does the game not follow the 68000 or x86 convention?
23 April 2013, 16:47 | #5 | |
Registered User
With a bit shift, the bit on the end drops off instead of wrapping around to the other side of the byte. An LSL on 10001100 would be 00011000.
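An added example, covering both the ScummVM rolByte code quoted in post #2 and the shift-versus-rotate point in post #5 (this is not ScummVM's code and not from any post): rotate left, rotate right and a plain logical shift on single bytes, applied to a constructed buffer standing in for AUTO00.PRC. It shows that the 'crypting' moves bits inside each byte and never moves bytes, so plaintext strings cannot be found by searching the crypted file.

```python
# Added example; the sample buffer is constructed and is not real AUTO00.PRC content.

def rol_byte(value: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (same semantics as ScummVM's rolByte)."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def ror_byte(value: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits; the inverse of rol_byte for the same n."""
    n %= 8
    return ((value >> n) | (value << (8 - n))) & 0xFF


def lsl_byte(value: int, n: int) -> int:
    """Logical shift left: bits leaving the byte are lost, zeros enter on the right.
    This is the LSL behaviour from post #5, not a rotation."""
    return (value << n) & 0xFF


def decrypt_auto00(data: bytes) -> bytes:
    """Undo the CD-version crypting: every byte was rotated right by one, so rotate
    each byte left by one. Byte positions are unchanged; only bits move."""
    return bytes(rol_byte(b, 1) for b in data)


def encrypt_auto00(data: bytes) -> bytes:
    """Apply the crypting (rotate every byte right by one) for round-trip checks."""
    return bytes(ror_byte(b, 1) for b in data)


# Constructed plaintext with the two names the floppy script is said to mention.
PLAIN = b"PART01\x00TOTO.PRC\x00"
CRYPTED = encrypt_auto00(PLAIN)
```

Searching CRYPTED for "PART01" finds nothing, while decrypt_auto00(CRYPTED) restores it byte for byte.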
30 August 2013, 01:28 | #6 |
Junior Member
Okay, something else now. I've been left stumped by an unsuccessful bootcrack attempt at Stunt Car Racer.
Having found a bootcracked Stunt Track Racer within the latest TOSEC, I felt inspired to try and defeat Stunt Car Racer the simpler way, with no complete data replacement involved. I disassembled the WHDLoad slave to get a good idea of the decryption process and proceeded to try and implement it onto the ADF. Well, the decryption works and I can get as far as the title card before the screen suddenly glitches and the game dies after it finishes decrypting the last bit of data. Having debugged a lot, it appears to have decrypted it all just fine, but somehow part of the data much later on isn't 'right' somehow. I looked back at the slave over and over and can't see what I may have missed in the process.

The bootcrack for Stunt Track Racer is a lot simpler and doesn't involve absolute Dx values, but I have no clue how they did it to begin with and can't think of how to convert it to make it work with Car. Anyhow, it's in the Zone, so anyone with the know-how can bop me on the head and tell me what sort of silly mistake I've made this time.
30 August 2013, 07:21 | #7 |
2 contact me: email only!
Firstly, copying the disassembled slave source into your own version is hardly what I'd call cracking the game!
I've only had a 1 minute look but as a guess, I'd say you have forgotten that a DBF loop operates until the WORD in d0 becomes false, not the longword. The game will be copying $8ef8+1 longwords, not $18ef8+1 longwords. Therefore, most of the game is not decrypted and relocated into the correct place. Code:
    000000EC 203c 0001 8ef8    MOVE.L  #$00018ef8,D0
    000000F2 22d8              MOVE.L  (A0)+,(A1)+
    000000F4 51c8 fffc         DBF .W  D0,#$fffc == $000000F2

But you have more issues to deal with: when the crack patch at $c0 is run, it's assuming A2 is pointing to something useful. When it gets here, the address is garbage: Code:
    00000114 4eea 025c         JMP.L   (A2, $025c) == $000131b0
    ...
    000131B0 5044              ADD.W   #$00000008,D4
    000131B2 3539 4755 5a58    MOVE.W  $47555a58,-(A2)
    000131B8 5762              SUB.W   #$00000003,-(A2)
    000131BA 737f              ILLEGAL.L
    000131BC 807a 7987         OR.W    (PC,$7987) == $0001ab45,D0
    000131C0 9398              SUB.L   D1,(A0)+
    000131C2 9598              SUB.L   D2,(A0)+
    000131C4 a3b0              ILLEGAL.L

BTW there is no need to disassemble my WHDLoad slaves. You'd save yourself a tonne of time by asking for the source code - I'd happily send it if you asked first! And this way you'd get all the comments etc...

Last edited by Codetapper; 30 August 2013 at 10:05. Reason: Added source code comment
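An added model of the DBF loop quoted above (this is not the slave's code and not from any post): DBcc decrements only the low word of the data register, so a loop preloaded with MOVE.L #$18ef8,D0 runs $8ef9 times, not $18ef9. The chunked outer loop at the end is one generic way to count past a word and is an assumption of this example, not how the slave or the game does it.

```python
# Added example; SAMPLE is constructed data, not game data.

def dbf_iterations(d0: int) -> int:
    """Return how many times the body of 'loop: ... DBF D0,loop' executes.

    DBF decrements the low word of D0 and branches back unless that word has
    just become -1 ($FFFF); the high word of D0 is never touched."""
    low = d0 & 0xFFFF
    count = 0
    while True:
        count += 1                    # one pass of the loop body
        low = (low - 1) & 0xFFFF      # DBF: word-sized decrement with wrap
        if low == 0xFFFF:             # counter reached -1: fall through, loop ends
            return count


def dbf_copy_longs(src: bytes, d0: int) -> bytes:
    """Model 'MOVE.L (A0)+,(A1)+ / DBF D0,loop' with D0 preloaded to d0.

    Returns the bytes that actually get copied: dbf_iterations(d0) longwords."""
    return src[:dbf_iterations(d0) * 4]


def chunked_copy_longs(src: bytes, longs: int) -> bytes:
    """Assumed generic fix: an outer loop feeding DBF word-sized counts so more
    than $10000 longwords can be copied. Not the slave's method."""
    out = bytearray()
    pos = 0
    remaining = longs
    while remaining > 0:
        chunk = min(remaining, 0x10000)
        n = dbf_iterations(chunk - 1)   # low word chunk-1 gives exactly chunk passes
        out += src[pos:pos + n * 4]
        pos += n * 4
        remaining -= n
    return bytes(out)


# Constructed sample: exactly the $18ef8+1 longwords the copy was meant to move.
INTENDED_LONGS = 0x18EF8 + 1
SAMPLE = bytes((i >> 2) & 0xFF for i in range(INTENDED_LONGS * 4))
```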
30 August 2013, 20:22 | #8 | ||||
Junior Member
(Out of interest: does a longword version of DBF exist?)
Besides, it's not really that difficult for me to disassemble a slave - just copy it to a disk, fire up ARIII, load the file to memory and gradually skim through the code looking for anything that looks like patching protection checks (or in this case manually decrypting protected data). Thank you for the offer, however.
30 August 2013, 20:36 | #9 | |
Going nowhere
Skimming through code is never a good idea, lest you miss stuff out. Stunt Car Racer is an especially simple-to-follow crack as well; I'm not sure you can bugger it up with the slave to help you. Remind us about PM3 Deluxe again?
30 August 2013, 20:40 | #10 | |
move.l #$c0ff33,throat
Also, before even attempting to size-optimise code you REALLY should gain knowledge about the 68k instruction set, as otherwise it doesn't make sense at all. Why you are obsessed with size-optimising crack patches is something I don't really understand anyway; a crack has to work, no matter how large or small it is. No.

Edit: Galahad posted at the same time.
30 August 2013, 21:28 | #11 | ||
Junior Member
30 August 2013, 21:37 | #12 | ||||
2 contact me: email only!
In the slave, a2 always points to the WHDLoad base, and you have clearly copied the wrong bit of code, assuming that started the game. JMP ($25c,a2) is probably calling resload_Patch and you've thought that is how I started the game! The real code is jmp $e700. Clear as day! There is no way your "standard A500 setting" would work yet not on "an A600 or anything else". It simply would not work on ANYTHING.
30 August 2013, 21:40 | #13 |
HOL/FTP busy bee
30 August 2013, 22:12 | #14 | |||
Junior Member
Code:
    000000F8 41f9 0005 d58c    LEA     #$0005d58c,A0
30 August 2013, 22:20 | #15 |
HOL/FTP busy bee
30 August 2013, 22:25 | #16 |
Global Moderator
What is your obsession with cracking??
30 August 2013, 22:29 | #17 |
Junior Member
30 August 2013, 22:30 | #18 |
move.l #$c0ff33,throat
30 August 2013, 22:41 | #19 |
Going nowhere
30 August 2013, 22:45 | #20 | |
HOL/FTP busy bee
Honestly, you show up here every 6 months to get your good amount of bashing and that's it. Maybe one day you can explain to me why you do it.