06 November 2010, 18:09 | #1
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Attempting to crack a game not on Flashtro!
Having completed the Captain Dynamo tutorial, I thought I'd try and adapt what I've learnt into another Codemasters title - Fantasy World Dizzy.
This game is in NDOS format and therefore I can't exactly replicate every step I made before, but I can at least track down the copylock calls and try to dummy/redirect them. Okay, so I booted a copy of the disk, and entered AR when the drive went to track 0 (to start the check) - this seems to be almost instant btw, so it must be happening in the bootblock.

First things first, my commands:

f 48 7a (reveals two addresses: D28 and D38)
d d28 (go up a bit, and the routine appears to start at D1A)
fa d1a (finds one result: 57E = BSR D1A)
d 57e (directly after 57e is another BSR at 582: BSR 163A)
d 163a (reveals...)

Code:
00163A MOVE.L 27E6(PC),D0
00163E CMP.L #BEBF833A,D0
001644 BEQ 0000164A
001646 MOVE.Q #FFFFFFFF,D0
001648 RTS

>> 163e move.l #bebf833a,d0
>> 1644 nop
>> 1648 nop
d 57e
>> 57e nop
>> 582 nop

Now I'm just stuck with something - how to save my edits afterwards? The game doesn't appear to contain any crunched data; I didn't have to wait for anything to load into memory like I had to with the Dynamo tutorial. (Though thinking about it, if it weren't crunched then surely I'd be able to find the helpline references directly in the ADF, which doesn't appear to have them after all, even though the game definitely boots up a helpline screen if the copylock fails. Hmmm.) I also didn't load any tracks into memory before starting. Still, I love how quickly I'm understanding some of these assembler commands!
07 November 2010, 17:59 | #2
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Since you are using the Action Replay, you can use the RT/WT commands (R.ead T.rack/W.rite T.rack) to load/save tracks. Just consult the AR manual or press Help to get a short help text when you are inside AR3.
10 November 2010, 22:32 | #3
coder
Join Date: Jul 2009
Location: a galaxy far far away
Age: 49
Posts: 84
@MethodGit: One thing you might find rewarding is to just go after an older title that simply has Novella protection only (not one of the ones already explained on Flashtro). You know the routine, look up a word in the manual....page 25, paragraph 1 sentence 2 word 3 and enter it to pass the protection. Now some of these games have additional checks (such as a checksum or byte counting routine) later on or during the novella check, but some do not.
Last year I was able to find a game that hadn't been discussed in any of the tutorials and crack it myself without consulting anyone, simply with what little I knew of 68000 code at the time and from experience with the cartridge I'd gained through the Flashtro tutorials. If that's too easy, supposedly the game Elite has Novella protection, plus two other routines protecting that routine. I haven't played with it, but there is an old text file explaining supposedly how to crack it 100%. If you haven't read that yet, maybe it would be a good exercise in reverse engineering to find that protection and disable its defenses to get a working cracked game.

The Flashtro.com community is one of the best ideas I've seen on the web for resurrecting the excitement of the old Amiga scene, but it sure needs more participation. For me, the best thing I got out of the cracking tutorials is a better understanding of the mental process you go through when you take apart simple protections with the Action Replay. After reading through those, and playing with a few, my AR skills had aggrandized.

For me personally, the key to getting better at cracking and reversing is to try and practice them both as often as possible and think of them as a complementary symbiosis. I've got a long way to go too, but if you are coding, you learn cracking faster and vice versa. At least that's the way my brain works.

Also... if you are going to be a cracker, it's good to understand a little data abstraction called "the stack". All architectures (I know about) have it, and protection can play havoc with it, plus try and trash it (to cover their tracks) when you return from a cart freeze.

Last edited by Plagueis/KRX; 10 November 2010 at 22:40. Reason: The Stack
11 November 2010, 09:48 | #4
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Alas, F.W.Dizzy doesn't seem to like breakpoints at the start of the copylock routine, preferring to guru rather than take me to AR... so I can't do a memory difference test. I also can't seem to find the magic number so I can use it with Copylock Decoder - evidently this is one of those games that doesn't leave said number lying around at address 60.
11 November 2010, 09:54 | #5
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
While I think the Flashtro tutorials are great, I agree that they don't teach one how to crack per se.
Once you have followed say 20-30 of the tutorials you might be better and have a better understanding of asm, but you'd certainly not have learnt much. If you insist on hacking/cracking or whatever, then start playing with the games themselves. Train them, change things. Find sprite and gfx routines and play with them. Learn what is happening under the bonnet before you try to fix/modify it too much! Good luck with what you are doing MethodGit, but don't bite off more than you can chew!!!
11 November 2010, 10:14 | #6
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Well said Bippy, couldn't agree more!
11 November 2010, 12:58 | #7
Long time member
Join Date: Jul 2001
Location: UK
Posts: 754
First game I ever cracked was the manual protection on Battlehawks 1942.
Then I followed that with F15 Strike Eagle II. They were quite easy to do with an Action Replay. I think I managed to do the first copy protection check on Midnight Resistance as well (memory very hazy here though). Wish I'd kept up my assembler skills now, as all the code tutorials look like gobbledygook again.
11 November 2010, 21:09 | #8
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Well I did try to hunt out the changes the trace decoder makes to the data in memory like how the WC page showed, for one thing. Seems it's smart enough to prevent me from even doing that though!
12 November 2010, 09:28 | #9
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
14 November 2010, 18:01 | #10
coder
Join Date: Jul 2009
Location: a galaxy far far away
Age: 49
Posts: 84
Correction on my earlier post. I had meant to say, "coding and reversing are complementary skills in my opinion." If you are working on at least some small coding projects, and at the same time doing some reversing, like finding trainers and doing relatively easy cracks, I think you'll find you can build your skill even faster.
20 November 2010, 01:28 | #11
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Just one question... are there any other common addresses aside from 60 that a Trace-Vector-protected game places a copylock key in? I feel as long as I can work out the key I might be able to at least code some kind of boot patch to hardwire it in.
Or would it be a lot easier to just note down all the copylock keys reported by WWarp and try my luck with one at a time until I strike gold?
20 November 2010, 03:04 | #12
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,182
You need to decrypt the copylock to see what it is doing. E.g. Archer Maclean's Pool:
Code:
Copylock Decrypter v0.01 (c) 2004 Codetapper of Action (codetapper@hotmail.com)
Copylock header found at $32a0e
Copylock stack 1 found at $32a88
Copylock stack 2 found at $32df6
Copylock key wiring position found at $32e14
Copylock key wiring skip to position found at $32e5e
Post copylock branch to address starts at $3321e
Copylock new magic number ($a573632c) compare at $32e82
======[ Key calculation routine found at $32ee4: ]======
_32ee4 move.w #$b,d1
_32ee8 add.l d6,d6
_32eea sub.l (a0)+,d6
_32eec dbra d1,_32ee8
_32ef0 eor.l #$71895a65,d6        ;Modify serial number
_32ef6 move.l d6,($60).w          ;Serial number stored at $60
_32efa addq.l #4,sp
_32efc rts
======[ Special copylock modifications: ]======
_32f66 move.w #$9290,$37994
_33198 move.w #$a9d0,($3e8).w
======[ Post copylock code starts at $3321e: ]======
_3321e lea $78(sp),a6             ;Set a6 to real copylock registers
_33222 move.l d0,(a6)+
_33224 move.l d1,(a6)+
_33226 rol.l #1,d0
_33228 move.l d0,(a6)+
_3322a rol.l #1,d0
_3322c move.l d0,(a6)+
_3322e rol.l #1,d0
_33230 move.l d0,(a6)+
_33232 rol.l #1,d0
_33234 rol.l #1,d0
_33236 move.l d0,(a6)+
_33238 rol.l #1,d0
_3323a move.l d0,(a6)+
_3323c rol.l #1,d0
_3323e move.l d0,(a6)+
_33240 moveq #$0,d0
_33242 moveq #$1,d0
_33244 lea _33256(pc),a6
_33248 move.l -$4(a6),d6
_3324c add.l $8,d6
_33252 or.w #$a71f,sr
_33256 addi.l #$44,($24).l
Copylock stack 2 ends at $33256
20 November 2010, 04:39 | #13
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
I did try Fantasy World Dizzy on ARIV and using ROBD, but it couldn't find anything via "f 48 7a". Then again, I just read a small chunk of tracks into memory and went from there. Not sure if I'm supposed to do it while the game is running in the background...
And for me to get CopyLockDecoder working with it I first need to work out which address the game saves the key in, as 60 doesn't reveal anything.

Edit: If I go into AR when the disk starts doing that loud crunch typical of copylock procedures, then search for "48 7a", it reveals the decoded copylock to reside in D28. Suffice to say, attempting to insert a breakpoint at this address yields nothing for me - it just gets ignored. Even if I try to repeatedly go back and forth between game and AR during the initial loading process to see which places it jumps to during that time, I'm still nonplussed. Then again, maybe I just need some sleep at this point!
20 November 2010, 08:39 | #14
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Hang about, I think I may well have overthunk my thinkingness here!
I had the brainstorm of replacing JMP 324.S with a BRA FOREVER command, so that it at least keeps the decrunched copylock in memory for me to look at. And upon some playing about, it turns out I only really need to change a few bits and bobs, much like how I demonstrated at the top of this thread. Now I just need to think up the listings for an appropriate boot patch. I may well be close to defeating my last remaining Dizzy title!
20 November 2010, 09:08 | #15
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
21 November 2010, 04:34 | #16
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Well the copylock itself isn't too bad - it's essentially the same one along the lines of the other Codemasters titles!
Here's the lowdown at the moment. The boot code from 7000C (bootblock loaded at 70000 of course) is as follows:

Code:
7000C = MOVE.W #2,1C(A1)
70012 = MOVE.L #20000,28(A1)
7001A = MOVE.L #D6800,2C(A1)
70022 = MOVE.L #5800,24(A1)
7002A = MOVEA.L 00000004.S,A6
7002E = JSR -1C8(A6)
70032 = MOVE.W #9,1C(A1)
70038 = MOVE.L #0,24(A1)
70040 = MOVEA.L 00000004.S,A6
70044 = JSR -1C8(A6)
70048 = LEA 00DFF000,A6
7004E = MOVE.W #7FFF,96(A6)
70054 = MOVE.W #7FFF,9A(A6)
7005A = MOVE.W #0,180(A6)
70060 = LEA 00080000,A7
70066 = LEA 70080(PC),A0
7006A = LEA 0007E000,A1
70070 = LEA 70190(PC),A2
70074 = MOVE.L A1,00000080.S
70078 = MOVE.B (A0)+,(A1)+
7007A = CMPA.L A2,A0
7007C = BNE 00070078
7007E = TRAP #0
70080 = LEA 00080000,A7
70086 = MOVE.W #2700,SR
7008A = LEA 00020000,A0
70090 = LEA 00000300.S,A1
70094 = MOVEA.L A1,A6
70096 = MOVE.W #3E7F,D0
7009A = MOVE.B (A0)+,(A1)+
7009C = DBF D0,0007009A
700A0 = LEA 70190(PC),A0
700A4 = LEA 7018C(PC),A1
700A8 = MOVE.L A0,(A1)
700AA = BSR 000700B0
700AC = JMP 00000324.S

I start off by disassembling where I am and notice that my BRA FOREVER command above is sitting at 7E02C - a difference of $DF80. Then I look at the current registers, which are as follows:

Code:
D0=000000F2 8000FFFF 0000FFBB 00000000 000001FC 000080F2 00000000 00000005
A0=0000070C 00004148 000016E8 00006AAC 00006AEC 0007E310 0007E110 00080000
PC = 0007E02C USP = 00080000 SR = 2704 T=0 S=1 I=111 X=0 N=0 Z=1 V=0 C=0

Here's the patch code I basically want to load...

Code:
MOVE.L #4E714E71,57E   (nops out the BSR command to load the copylock check)
MOVE.W #203C,163E      (changes the CMP.L command to a MOVE.L one)
MOVE.B #60,1644        (changes the BEQ into a BRA)
JMP 324.S              (restore the command originally taken out of the boot code)

Now my problem is that I can't work out the best place on the bootblock to put the patch in, since all the boot code gets shunted several places forward in memory and I subsequently notice that my BRA (wherever, say for example 70200) command is pointing elsewhere where data exists, thus causing a guru upon load. I suspect it has to do with everything that is done before where JMP 324.S normally is, but I've looked at that and the registers and can't seem to join the dots still. I did see what happened if I replaced the command above it (BSR 700B0) with BRA FOREVER but it revealed totally different registers and furthermore none of the important data existed in memory, so obviously it's JMP I have to replace. I'm also aware that you usually need to have two patches on a bootblock - one to load the main patch into memory - but I've been struggling to get this working also. What sort of changes should I be making to my patch code, or is it (mostly) fine?
21 November 2010, 09:07 | #17
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,182
All you need is about 20 spare bytes anywhere in the bootblock, change the jmp $324 to run your patch and then jmp $324. Most bootblocks have a few spare bytes in them!
21 November 2010, 09:55 | #18
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Oh, that I understand already. Just one problem...
I probably should've mentioned this the first time, but there's about $188 bytes worth of data from 0C onwards (including the bit I've shown above). It seems that BNE command loads this list of commands after (but before executing) JMP 324.S...

Code:
700B0 = MOVEA.L A6,A3
700B2 = ADDQ.W #4,A6
700B4 = MOVE.L (A6)+,D3
700B6 = MOVE.L (A6)+,D4
700B8 = MOVEA.L 7018C(PC),A0
700BC = MOVE.W #FF,D7
700C0 = MOVE.L (A6)+,(A0)+
700C2 = DBF D7,000700C0
700C6 = SUBI.L #400,D4
700CC = MOVEA.L A6,A0
700CE = ADDA.L D4,A0
700D0 = MOVEA.L A3,A1
700D2 = ADDA.L D3,A1
700D4 = LEA 40(A1),A1
700D8 = MOVE.B -(A0),-(A1)
700DA = SUBQ.L #1,D4
700DC = BNE 000700D8
700DE = MOVEA.L A1,A4
700E0 = MOVEA.L 7018C(PC),A6
700E4 = LEA 200(A6),A5
700E8 = MOVEQ #0,D7
700EA = MOVE.W 1FE(A6),D4
700EE = MOVE.W D4,D5
700F0 = DBF D7,000700F8
700F4 = MOVEQ #1F,D7
700F6 = MOVE.L (A4)+,D6
700F8 = LSR.L #1,D6
700FA = BCC 00070104
700FC = MOVE.W 0(A5,D5.W),D5
70100 = BPL 000700F0
70102 = BRA 0007010A
70104 = MOVE.W 0(A6,D5.W),D5
70108 = BPL 000700F0
7010A = MOVE.B D5,D0
7010C = MOVE.W D0,D2
7010E = MOVE.W D4,D5
70110 = DBF D7,00070118
70114 = MOVEQ #1F,D7
70116 = MOVE.L (A4)+,D6
70118 = LSR.L #1,D6
7011A = BCC 00070124
7011C = MOVE.W 0(A5,D5.W),D5
70120 = BPL 00070110
70122 = BRA 0007012A
70124 = MOVE.W 0(A6,D5.W),D5
70128 = BPL 00070110
7012A = MOVE.B D5,D0
7012C = CMP.B D0,D2
7012E = BEQ 00070138
70130 = MOVE.B D0,(A3)+
70132 = SUBQ.L #1,D3
70134 = BNE 0007010E
70136 = RTS
70138 = MOVEQ #0,D0
7013A = MOVE.W D4,D5
7013C = DBF D7,00070144
70140 = MOVEQ #1F,D7
70142 = MOVE.L (A4)+,D6
70144 = LSR.L #1,D6
70146 = BCC 00070150
70148 = MOVE.W 0(A5,D5.W),D5
7014C = BPL 0007013C
7014E = BRA 00070156
70150 = MOVE.W 0(A6,D5.W),D5
70154 = BPL 0007013C
70156 = MOVE.B D5,D0
70158 = BEQ 00070188
7015A = ADDQ.W #2,D0
7015C = MOVE.W D0,D1
7015E = MOVE.W D4,D5
70160 = DBF D7,00070168
70164 = MOVEQ #1F,D7
70166 = MOVE.L (A4)+,D6
70168 = LSR.L #1,D6
7016A = BCC 00070174
7016C = MOVE.W 0(A5,D5.W),D5
70170 = BPL 00070160
70172 = BRA 0007017A
70174 = MOVE.W 0(A6,D5.W),D5
70178 = BPL 00070160
7017A = MOVE.B D5,D0
7017C = MOVE.B D0,(A3)+
7017E = SUBQ.L #1,D3
70180 = DBEQ D1,0007017C
70184 = BNE 0007010E
70186 = RTS

I did look at the two Wolfchild tutorials yet again, but I think those boot patches were designed mainly for a game that uses nothing but crunched data throughout - this little game in comparison only compresses the loader. So, ummm, if putting my patch in $200 won't do the trick (I've tried that), where else? I hope following all these Ax's won't require a flowchart...
23 November 2010, 05:42 | #19
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
Okay, here's the lowdown - it doesn't matter where I put my code in after $(70)194 onwards, because anything after (70)18A doesn't get copied into memory, meaning my replacement of JMP 324.S with, say, BRA 70194 where the start of my patch code would be, is meaningless.
This game's loader does so many instructions on the bootblock that it's not as simple as adding code to other bootblocks, and even if I try to 'piggyback' by putting my instructions towards the end and adjusting other addresses if necessary (such as BRA/BEQ/BNE ones), I'm still treated to a bloody guru.

I think now is the time where I'll have to come out screaming for help, because I really need to sleep and I can't keep melting my brain over this stupid loader and its stubborn bastardness. Trying to look at all the Flashtro tutorials bit by bit to see if there are any slight tricks I could re-adapt is coming to nothing. The protection isn't even over-the-top, it's simple in itself - I just have to contend with a custom loader that'll only load a certain amount of data and cut off just where there's room for my patch!

P.S. I did try, for example, changing MOVE.W #FF,D7 to read #200,D7 to see if that would make it load just a bit more data. No dice.
23 November 2010, 08:17 | #20
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,182
This appears to be a very simple task. You need to change $70070 as that is only copying the initial data, not your patch into the $7e000 range:
Code:
70066 = LEA 70080(PC),A0
7006A = LEA 0007E000,A1
70070 = LEA 70190(PC),A2
70074 = MOVE.L A1,00000080.S
70078 = MOVE.B (A0)+,(A1)+
7007A = CMPA.L A2,A0
7007C = BNE 00070078

Code:
700BC = MOVE.W #FF,D7
700C0 = MOVE.L (A6)+,(A0)+
700C2 = DBF D7,000700C0