09 February 2007, 22:10 | #1 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
|
Cracked my first game: Gemini Wing
wooohooooo just cracked my first non-novella, long-track game
expect a tutorial of sorts later once written (so codetapper or galahad or girv or whoever can give me advice on doing it better) Last edited by BippyM; 09 February 2007 at 23:26. |
09 February 2007, 22:17 | #2 |
Global Caturator
Join Date: Aug 2004
Location: Porando
Age: 43
Posts: 6,108
|
Progressing well you are, young apprentice
In need of new WHDLoad installers, we are |
09 February 2007, 22:28 | #3 |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,027
|
Which one Bippy, which one? |
09 February 2007, 22:29 | #4 |
Wipe-Out Enthusiast
Join Date: Nov 2005
Location: .
Age: 43
Posts: 2,545
|
Isn't having a thread titled "crack" just inviting trouble???
Congrats though, bipmaster. I'd be intrigued to hear what you have planned to crack in the future |
09 February 2007, 22:31 | #5 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
|
the title will be changed
|
09 February 2007, 22:31 | #6 |
Moderator
Join Date: Jul 2004
Location: Norwich, Norfolk, UK
Age: 37
Posts: 11,168
|
|
10 February 2007, 00:02 | #7 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
|
Gemini Wing Crack - BippyM
This is my first non-novella crack so please don't be too critical.

Right, first let's see what sort of protection we are dealing with: load the disk and either try to copy it or checkdisk it (what I did). As you can see there is an error on track 0, so it is either a copylock or a long track.

Boot a copy of the game and after a short while you'll get some rainbow flash and then the Amiga will reset.

Right, let's see if it is copylock or long-track. Boot again, but before the crash hop into your replay and search for the usual copylock opcode with

    f 48 7a

There will be NO returned addresses, so I guess we are dealing with long track.

Again reboot, but as soon as the rainbow effect starts hop into the replay and disassemble where we are. We should be in a dbra loop (addresses may differ as the game initially uses AmigaDOS to load the main exe!). Go down and back up and you should see the following code; this is what is happening:

    JSR 00018bE2         Jump somewhere
    TST.B D0             Test if d0 is 0
    BEQ 00014e76         If d0 is 0 branch
    LEA 00070000,a0      Load 70000 into d0
    MOVE.W D0,DFF180     Put contents of d0 into color0 (change screen colour)
    CLR.l -(a0)
    DBF D0,14E68         If d0 is not -1 loop
    BRA 00014e68         Loop anyway

So let's try something: put a G 14e76 and see what happens! Yes, the game loads, so we have three options here. We could change the BEQ to a BRA and bypass protection there, or we could change the tst.b d0 to a clr.b d0 and bypass the protection there, but the problem here is that if the protection check is called again from another place in the game it might fail. We know d0 needs to be 0 to wire the protection, so let's find where we can wire this in so it works properly.

Let's follow the JSR jump directly before the TST condition. The move.b 00018e52,d0 looks interesting, so I am guessing that address 18e52 holds the key before it is copied into d0. So if we find the instruction that puts the figure into 18e52 and force it to put a 0 in there, we will bypass the protection.

Let's search for all addresses that access 18e52 with fa 18e52. As you can see there are 3 results returned; one of them is quite interesting as it copies #1 into d0. If we change that to move #0 into 18e52 then maybe the protection will pass, and seeing as it is only called the once, hopefully that is the only place in the game that modifies d0 for the protection check.

Okay, reboot the game again and when the track counter reaches 0 enter your replay and check 18e52 (or your address) again. You'll get three results; now we are interested in the third address returned, so let's assemble that address and change it to and exit back to the game... what happens?

Right, we need to make the change permanent, and seeing as the game uses AmigaDOS to load the initial game file, we need to patch that. Again reboot and drop back in when we reach track 0. As we will be loading the main game file off disk we will need to know what address it'll jump to, so the best way is to go back to the address that checks d0 and see what address it is jumping to. To find this we will need to look for some opcode. Reboot the game and go to an address from earlier (18be2 for me) and you'll notice the unique 78000 at the next address, so we check the opcodes with m 18be6 (or your address).

Now we load the game file into memory:

    LM gemini.prg,50000 (PIC8)

Now we simply search for the following:

    f 41 f9 00 07 80 00 23, 50000 6ad4c

You'll get one returned result, so let us disassemble from there. Ooh, this does look familiar. Address 54036 is the one we want; we now do a search for 4232 from 50000 to 6ad4c with

    fa 4232 50000 6ad4c

Three results returned as expected and we want the third, at address $5425C, so let's assemble that and change it. Now we save the file over itself and test the crack:

    sm gemini.prg,50000 6ad4c

Reboot and voilà, cracked |
10 February 2007, 01:20 | #8 |
Mostly Harmless
Join Date: Aug 2004
Location: Northern Ireland
Posts: 1,149
|
Nice one, BippyM. You've picked up asm pretty quickly, and that's a good write-up there.

Your story makes me recall my first proper crack - Gothik on the Amstrad CPC - the click of the tape drive relay followed by the title music starting, signifying the crack (and trainer!) had worked. Good times.

A few comments on your crack. Not criticisms though, as there's nothing wrong with what you've done IMHO, just how I might do things differently.

To start I'd have done the same as you: determine something about the protection and what I'm up against. You can get to tell what sort of loader is in use by listening to the sounds the floppy drive makes. I'd then run a copy that won't work and see how it fails (in this case with the strobing loop) and take a note of the failure code if possible. I'd probably then have loaded the main exe into a debugger and disassembled it to find the failure code, then worked through the call sequence like you did to find the actual protection routine.

The biggest thing I'd have done differently is that I'd have totally disabled the protection, probably by modifying the 0x18be2 routine to set the flag and return immediately. What you've done is let the protection run but always pass - nothing wrong with that, but I just think it's more elegant to excise the protection completely. Call it professional pride if you like.

I'd probably have investigated the JSRs at 0x18be2 just to see if there was anything tricky hiding in there. But you do start to develop a feel for protections and my spidey sense tells me this one is simple and you're not going to find any lurking horrors.

An interesting challenge to set yourself for the next one is to crack the game by modifying as few bytes (or bits) as possible.

So well done that man. See you on whdload-dev soon then? |
10 February 2007, 11:09 | #9 |
move.w #$4489,$dff07e
Join Date: Sep 2005
Location: Norfolk, UK
Age: 43
Posts: 2,351
|
Yep, excellent work bippy. If you're anything like me, after your first crack you feel quite proud.
If you want another ADOS longtrack to have a go at, try Alien Storm - that's quite straightforward as well |
10 February 2007, 12:53 | #10 |
Something
Join Date: Feb 2006
Location: Amigaland, Nostalgia
Age: 49
Posts: 757
|
There's one thing I don't understand:
Notice: I know jackshit about ASM. What is the protection actually doing? After the crack it always fixes the code to pass, but before, what was it doing? Does it check the track? Bootblock? What hardware part does it check? Is it because Xcopy couldn't remaster longtracks that it checks for it, to see if it isn't Xcopy copied? I guess this was the cornerstone of anti-copying Amiga protection? In particular, what's it doing there in ~05403c? A note on what each line is doing after ~540006 would be really cool, tia |
10 February 2007, 13:45 | #11 |
move.w #$4489,$dff07e
Join Date: Sep 2005
Location: Norfolk, UK
Age: 43
Posts: 2,351
|
Longtracks cannot be copied by standard Amiga disk drives. The Amiga can read them, but can't write them back. Using a hardware copier (Cyclone etc.) you can sometimes copy these tracks OK.

The copy protection reads the longtrack and probably generates some kind of serial number based on the contents, or a checksum of the contents etc. It then verifies this number and the protection fails/passes on the result.

The code in your screenshot isn't that helpful; the first two lines just move the value $78000 into A0 and address $4226. There would be some more interesting stuff in all the routines that get JSR'd to in the following lines. Line $54036 moves a value from memory back into register D0, and your line at $5403c restores all regs except D0/A0 from the stack. There's nothing particularly interesting in that code except what it might be returning in D0.

Last edited by musashi5150; 10 February 2007 at 17:31. |
10 February 2007, 14:23 | #12 |
Something
Join Date: Feb 2006
Location: Amigaland, Nostalgia
Age: 49
Posts: 757
|
Hmmm, I see. Thanks. So this longtrack \ copylock stuff wasn't workable at all. Thank god it could be read (and disassembled) or else it wouldn't be crackable. It's also interesting to note that without these modified tracks it'd be pretty much impossible to create any decent anti-copying defence (well, it still was anyway).
I guess the disks that weren't AmigaDOS had the extra challenge of studying the disk format? There'd have to be a file table somewhere? Hopefully it was gained through disassembling bootloader file loading routines? Or maybe even the game\loader exe itself that loads the datafiles later on by itself? Damn, that's a lotta work. Fascinating though. |
10 February 2007, 14:28 | #13 |
Registered User
Join Date: Sep 2004
Location: Norway
Age: 49
Posts: 180
|
I'm impressed Bippym. You can't be a novice on asm
And you should get "the best topic of the decade"-award with your well-documented topics! |
10 February 2007, 19:21 | #14 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
|
I'll look at Alien Storm or Batman next I think.

By simply putting the correct key (or whatever the protection needs) into the program, or by bypassing the protection check completely, one can crack a game.

MFM disks are more complicated, as all the disks except track 0/side 0 are usually protected, so yes, one would have to disassemble the bootblock and figure out the loader and filetables etc. and rip the files off before writing a new trackloader etc. This is why sometimes a crack comes on more disks than the original, as MFM tracks can store more data than a standard AmigaDOS track!

Expect my next crack tutorial type thing soon (and for those interested check out flashtro.com) |
10 February 2007, 20:04 | #15 |
Where is my mind?
Join Date: Jan 2007
Location: Nürnberg, Germany
Age: 49
Posts: 129
|
Great post! Are you going to write a tutorial on "how to wire the key in and bypass the protection check" as well? Well, if Galahad doesn't mind... Ciao, Luca |
10 February 2007, 20:05 | #16 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
|
I could include it as an alternative later I suppose.
|
14 February 2007, 18:41 | #17 |
CaptainM68K-SPS France
|
About long tracks, our pro crackers out there will confirm that if a long track has 34 sectors it is not possible to copy, because a standard Amiga will only copy 11 sectors; just need to check for sector 25's presence and off you go ^^ ! If sector 25 is absent then it's a copy, and the game crashes. Silmarils are nice ones, as their protection is always the same! I have patched all my Silmarils copies made from my originals. I'm personally only annoyed by nasty tricks used. But I like a lot making patched disks. |
14 February 2007, 18:47 | #18 |
move.w #$4489,$dff07e
Join Date: Sep 2005
Location: Norfolk, UK
Age: 43
Posts: 2,351
|
I've never seen anything like that - 34 sectors is a lot (too much) to fit onto a single track. Unless they are less than 512B each of course...
But I have an open mind and wait for Galahad's or Codetapper's opinion... |
14 February 2007, 20:01 | #19 |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,027
|
Most longtracks are 12 sectors, don't know where you get 34 from!
|
14 February 2007, 20:21 | #20 |
Moderator
|
AFAIK a longtrack consists of 528kbit....is it right...???
|
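A back-of-the-envelope check of the sector counts argued over in posts #17 to #20, added here as an example and not written by anyone in the thread. It assumes a 300 rpm drive, the standard 2 µs Amiga MFM bit cell and 1088 raw bytes per Amiga MFM sector; the 10% read-side tolerance used to separate "long track" from "does not fit" is my own rough assumption, not a measured figure.

```python
# Added example: why 11 sectors is a normal Amiga DD track, 12 is a "long track"
# (readable, but a stock Amiga cannot write it back), and 34 cannot exist at all.
# Constants are the nominal Amiga DD values; READ_TOLERANCE is an assumption.

REV_NS = 200_000_000        # one revolution at 300 rpm = 200 ms
STD_BITCELL_NS = 2000       # standard Amiga MFM bit cell: 2 us (fixed on write)
RAW_SECTOR_BYTES = 1088     # one Amiga MFM sector as raw bits on disk (544 bytes, MFM-doubled)
READ_TOLERANCE = 0.10       # assumed: reader copes with cells up to ~10% shorter than standard


def track_capacity_bytes(bitcell_ns: int = STD_BITCELL_NS, rev_ns: int = REV_NS) -> int:
    """Raw MFM bytes that fit in one revolution at the given bit cell length."""
    return rev_ns // bitcell_ns // 8


def gap_bytes(sectors: int, bitcell_ns: int = STD_BITCELL_NS) -> int:
    """Bytes left over for the track gap; negative means the sectors do not fit."""
    return track_capacity_bytes(bitcell_ns) - sectors * RAW_SECTOR_BYTES


def max_bitcell_ns(sectors: int, rev_ns: int = REV_NS) -> int:
    """Longest bit cell at which `sectors` sectors (with no gap at all) fit in one revolution."""
    return rev_ns // (sectors * RAW_SECTOR_BYTES * 8)


def classify(sectors: int) -> str:
    """Standard track, long track (readable but not writable by a stock Amiga), or impossible."""
    if gap_bytes(sectors) >= 0:
        return "standard"                       # a stock Amiga can write this back
    if max_bitcell_ns(sectors) >= STD_BITCELL_NS * (1 - READ_TOLERANCE):
        return "long track"                     # readable, but needs a faster-than-standard write
    return "does not fit on the track"


if __name__ == "__main__":
    for n in (11, 12, 34):
        print(f"{n:2d} sectors: gap {gap_bytes(n):6d} bytes, "
              f"max bit cell {max_bitcell_ns(n)} ns -> {classify(n)}")
```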