Does the "Hard Drivin' 2 trick" only work with certain encryptions?

[MethodGit]

I loved the idea that you could crack a copylock-encrypted executable by retrieving the copylock key and inserting the hardwire instructions at the right spot with ARIV. However, I've looked at exes for other games (Dragon Spirit, Bubble Bobble Jatte Hits) that appear to be encrypted in a similar manner (I can see the familiar structure at the beginning with the Hz and ONz wordings), but I for the life of me cannot find the section I'm after inside them, even with ROBD activated.

The section in question is the one where you first find "MOVEM.L D2-D7/A0-A3,-(A7)" followed by a bunch of ROXR.L and BSR.W instructions, and where you change the first BSR.W you come across into a MOVE.L (copylockkey),D0 instruction, followed by MOVEQ #0,D (if necessary) and finally BRAing into the "MOVEM.L (A7)+,D2-D7/A0-A3" further down the list.

I was starting to understand why I couldn't do this trick with the Proj66-encrypted Codies titles, but I'm nonplussed as to why it won't work with damn-near-similar-looking-to-HD2 exes by other companies. Were there different types of encryption?

[Codetapper]

The copylock routine in is an old type that is a lot harder to decrypt, it uses the movep instruction that won't work on some processors, and the encryption is far more complex. It's only used on relocatable files and to crack it will be beyond your skills at the moment. Stick to the easy types on flashtro.

Why don't you try American Tag Team Wrestling? That is an easy one. Here's the copylock track analysis. I'll let you work out which key is correct:

Code:

created by: WWarp 1.24 [build 2] (18.11.2004)
created at: 25-Nov-10 19:57:49
last modified at: 25-Nov-10 19:58:06
total tracks in file: 1
trk type  flags length  wlen  sync
  1 rncl        CopyLock CheckSum's:
		$66C4B47F  #0  add.l (a1)+,d0  rol.l #1,d0
		$3D5E2481  #1  add.l (a0)+,d6
		$C2A1DB7F  #2  sub.l (a0)+,d6
		$5A3B07A3  #3  add.l (a0)+,d6  swap d6
		$A5C4F85D  #4  sub.l (a0)+,d6  swap d6
		$B3625354  #5  add.l d6,d6     add.l (a0)+,d6
		$4C9DACAC  #6  add.l d6,d6     sub.l (a0)+,d6
		$AD605AA9  #7  add.l d6,d6     add.l (a0)+,d6  swap d6
		$17B15473  #8  add.l (a1)+,d0  rol.l #1,d0    (5 x roxl)

And here's the analysis of the disk image:

Code:

Copylock Decrypter v0.01
(c) 2004 Codetapper of Action (codetapper@hotmail.com)

Copylock header found at $dc5e
Copylock stack 1 found at $dcd8
Copylock stack 2 found at $e038
Copylock key wiring position found at $e056
Copylock key wiring skip to position found at $e0a0
Post copylock branch to address starts at $e446
Copylock new magic number ($a573632c) compare at $e0c2

======[ Key calculation routine found at $e124: ]======
_e124  	move.w	#$b,d1
_e128  	add.l	d6,d6
_e12a  	add.l	(a0)+,d6
_e12c  	dbra	d1,_e128
_e130  	addq.l	#4,sp
_e132  	rts	

======[ Post copylock code starts at $e446: ]======
_e446  	lea	$78(sp),a6	;Set a6 to real copylock registers
_e44a  	movem.l	d2-d3/a0-a1,-(sp)
_e44e  	move.l	d0,($60).w	;Serial number stored at $60
_e452  	moveq	#$3,d3
_e454  	move.l	d1,$4(a6)
_e458  	tst.l	($c,a6)		;Test real d3 register passed to copylock
_e45c  	bne.b	_e462
_e45e  	move.l	d0,(a6)
_e460  	bra.b	_e4ac
_e462  	lsl.w	#2,d3
_e464  	move.l	0(a6,d3.w),d2
_e468  	rol.w	#4,d2
_e46a  	and.b	#$f,d2
_e46e  	beq.b	_e4ac
_e470  	sub.w	#$1000,2(a6,d3.w)
_e476  	move.l	0(a6,d3.w),d3
_e47a  	rol.w	#8,d3
_e47c  	move.w	d3,d1
_e47e  	and.w	#$7,d1
_e482  	lsl.w	#2,d1
_e484  	move.l	$20(a6,d1.w),a0
_e488  	rol.w	#4,d3
_e48a  	move.w	d3,d1
_e48c  	and.w	#$7,d1
_e490  	lsl.w	#2,d1
_e492  	move.l	0(a6,d1.w),d1
_e496  	move.l	(a0)+,a1
_e498  	add.l	d0,0(a1,d1.l)
_e49c  	subq.b	#1,d2
_e49e  	bne.b	_e496
_e4a0  	rol.w	#4,d3
_e4a2  	and.w	#$f,d3
_e4a6  	cmp.b	#$8,d3
_e4aa  	blt.s	_e462
_e4ac  	cmp.l	$60,d0
_e4b0  	beq.b	_e4c6
_e4b2  	or.w	#$700,sr
_e4b6  	moveq	#$0,d0
_e4b8  	lea	($60).w,a0
_e4bc  	movem.l	d0-d7/a0-a6,(a0)
_e4c0  	lea	$40(a0),a0
_e4c4  	bra.b	_e4bc
_e4c6  	movem.l	(sp)+,d2-d3/a0-a1
_e4ca  	moveq	#$0,d0
_e4cc  	moveq	#$1,d0
_e4ce  	lea	_e4e0(pc),a6
_e4d2  	move.l	-$4(a6),d6
_e4d6  	add.l	$8,d6
_e4dc  	or.w	#$a71f,sr
_e4e0  	addi.l	#$44,($24).l
Copylock stack 2 ends at $e4e0

I wouldn't try cracking anything else until you can defeat this easy protection. So I will be disappointed if you ask for other games to be uploaded until you have done this one.

[MethodGit]

Patched, sealed and delivered to the Zone. How many marks out of 10 do I get?

[marty]

Nice, now try patch it all from boot block.
Good work

[Codetapper]

Quote:

Originally Posted by MethodGit

Patched, sealed and delivered to the Zone. How many marks out of 10 do I get?

0 points, because it doesn't bloody work! The code gets stuck at $70156 which does a jmp $70156. So it's stuck in an infinite loop doing nothing. I tried the original with floppy speed set to turbo and it works fine, yet your "crack" doesn't.

I guess marty assumed like me that your patch worked without checking it!

[MethodGit]

Quote:

Originally Posted by Codetapper

0 points, because it doesn't bloody work! The code gets stuck at $70156 which does a jmp $70156. So it's stuck in an infinite loop doing nothing. I tried the original with floppy speed set to turbo and it works fine, yet your "crack" doesn't.

I guess marty assumed like me that your patch worked without checking it!

Strange, it worked for me. Maybe I uploaded the wrong disk image or something! Lemme look at it again....

EDIT: Tried the disk again and the game loads fine for me. I can play a match and everything. What configuration are you using?

[Codetapper]

Standard A500 config but with turbo disk mode enabled. The original works fine, yours doesn't. Just retried it again with same results. I notice you wired the copylock key in a slightly unusual place, maybe that has something to do with it? You certainly didn't put it in the normal location!

[MethodGit]

Have you tried it without turbo disk mode by any chance?

And I wired the key in the same area as I've done in some of the Flashtro tutorials. Nothing out of the ordinary!

[Codetapper]

It seems to work without turbo, but there's something strange going on when the original works with turbo mode enabled but your crack doesn't!

Also the Flashtro tutorials are of varying quality! Some are poor, some are great!

[MethodGit]

Maybe hardwiring tricks and turbo mode just don't mix all that well? *shrugs*

I tend not to use turbo mode all that often as I know it can cause some conflicts with certain disk-accessing routines in some games.

[Codetapper]

Well my motto is if it works on the original, it should work on the crack...

[marty]

I did test it, and it sure works here. Both normal disk speed and just tried turbo, works just fine. (Here, anyway)

[Codetapper]

On this laptop here (WinUAE 1.5.0) it certainly doesn't with turbo disk mode but never mind! As marty says, now can you crack it from the bootblock without modifying the game data?

[MethodGit]

I'll give it a shot, but surely if you have to, say, redirect a certain JMP instruction normally issued by the game (as I've seen in Marty's Codies examples), that's technically modifying part of it?

[marty]

Quote:

Originally Posted by MethodGit

I'll give it a shot, but surely if you have to, say, redirect a certain JMP instruction normally issued by the game (as I've seen in Marty's Codies examples), that's technically modifying part of it?

Start by looking at the boot block. Find out, what data it loads and to where. Perhaps copylock routine is loaded by the bootloader, then its only a single jmp you need to take over. Or perhaps it loads another loader, which loads data and execute it, then another jmp to taker over.
A good idea is looking for the jmps, replace them with loops (or stick breakpoints, if possible) and see whats loaded into memory.

[MethodGit]

I know all about changing any JMPs into loops already. I'm just pointing out to CT that he said to do it without modifying game data, and I'm asking him whether any JMPs initiated by said game counts as data?

[Kalms]

When the aforementioned gentlemen are talking about "only modifying the bootblock", they mean: can you crack the game by only modifying content in the first 2 sectors on the disk?

There are several reasons why a crack that resides purely in the bootsector is preferable from one which modifies several locations on-disk. One major reason is that for some titles, the code which you want to modify is compressed on-disk. Now how do you apply modifications to that compressed code?

[marty]

Quote:

Originally Posted by Kalms

When the aforementioned gentlemen are talking about "only modifying the bootblock", they mean: can you crack the game by only modifying content in the first 2 sectors on the disk?

There are several reasons why a crack that resides purely in the bootsector is preferable from one which modifies several locations on-disk. One major reason is that for some titles, the code which you want to modify is compressed on-disk. Now how do you apply modifications to that compressed code?

As Mason Vagner once said; BINGO!

[MethodGit]

Quote:

Originally Posted by Kalms

There are several reasons why a crack that resides purely in the bootsector is preferable from one which modifies several locations on-disk. One major reason is that for some titles, the code which you want to modify is compressed on-disk. Now how do you apply modifications to that compressed code?

You rip the disk into chunks with WRip, find the one that contains the protection you wish to edit, decrunch it, edit edit edit, recompress and inject back into the disk?

The Flashtro site shows you how to do exactly this for a few titles!

[StingRay]

Quote:

Originally Posted by MethodGit

You rip the disk into chunks with WRip, find the one that contains the protection you wish to edit, decrunch it, edit edit edit, recompress and inject back into the disk?

You completely missed the point. What will you do if you can't find any decruncher for the crunched data?