Archer Maclean Pool
? Archer Maclean
1992


1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store
6. ARIV
During this txt, a lot of addresses and values are shown. It?s probably a good idea to take note of them during reading, as it will makes it easier to do the final patch.
This game is very similar to Jimmy White?s Whirlwind Snooker, both in game play and protection.
This one has just been optimised both in game functions and the protection is also at a higher level.
As for Jimmy White?s Whirlwind Snooker, this game also has checksum routines which causes
the Amiga to crash if it fails (reset). Checksums seems to be more sensitive in this one, taking better ? care ? of the novella. I still can?t locate the routines, so we bypass them by restoring all values we alter, back to original state.
Copylock is way more tricky, as it?s NOT enough to wire copylock key into the encrypted code. Copylock key are moved to address 60 after the key calculation routine and different values are moved into memory. If these are not simulated, game will crash.
Let?s begin.
Start by backing up original game disk, so we have something to work with. If a copy of game is used, the screen will be filled with the txt ? FAIL ?.
We start by getting the copylock key. Execute ARIV, insert original game and reboot. Enter ARIV just after boot, using RMB. Disable exceptions and exit: ? ALLEXC ?.
This disable ARIV from popping up, when an exception is reached.


When the Presentation screen appears, game has been decrunched and copylock has run. Enable the RNC decrypter, so we can have a look at the copylock inside: ? ROBD ?. Copylocks start with the instruction ? PEA xxxxx(PC) ?.
Search for the opcodes: ? F 48 7A ?. You will receive address 32A0E & 32A1E. Disassemble the first address and stop when you reach end of the key calc. routine:


Address 32EF6 look very interesting, as it moves the final calculated key into address 60. Take a look at address 60, to get key: ? M 60 ?.
More ? not so normal ? stuff happens in here. When I was stepping through the code, I fell over these two addresses:


When inserting key into the encrypted code and branching past the disk access stuff, the above are skipped.
This is very BAD?
If we don?t emulate address 32F66 & 33198, game will crash. Let? have a look at where to wire key in.
Disassemble address 32E14 and hit enter a few times:


The disk accessing part and key calculations of copylock key are done within the code from address 32E14 ? 32E5A.
Registers are saved by the code at address 32E14. Address 32E28 is a good place to wire key in, as no disk routines has been called yet. We wire key into D0, clear D1 and then branch to address 32E5A. This should give the best result.
Disassemble a bit further:


Address 32E58 moves key from D6 to D0 (we skip this part) and registers are restored at 32E5A, our branch address.
Address 32E5E branches to second part of copylock which fills registers with different values, based on D0.
Take note of original opcodes in copylock and their addresses, marked with green above.
Assemble 32E28 and insert the code you see above. After that, take note of the new opcodes and their address.
We have to restore opcodes in copylock after it has run, to avoid problems with checksums. We can do this by inserting a call after the copylock, to a patch, which restore opcodes. Have a look at code after copylock:


Copylock ends at address 3330A. This is a good place to insert a call to patch, which restores original opcodes in copylock. See the original opcodes for the code at address 3330A, assemble and insert a ? JSR 12C.S ?.
Then see opcodes for new code. Every step is shown in the picture above.
There is still the annoying novella left. Boot original game and bring up the protection screen.
Type in the word ? DAMM ?.


Enter AR and search for the word: ? FS DAMM ?. AR returns address 16AFA.


We are interested in what game might do with address 16AFA. Before we check this, see registers: ? R ?.
A1 points to address 16AFA. Set A1 to #0, to avoid getting false references. ? R A1 0 ?.
Then type ? FA 16AFA ?. AR returns address 16ED6. Let?s look at the code around this address:


The protection check is done at address 16EB8. This address subtracts 14+what A0 pints to from D3.
If the result is #0, address 16B10 is cleared and game starts. If it fails, protection just restarts.
Take note of address 16B10 getting cleared, as we shall use this info later on.
We?ll crack it by clearing D3, just as if the protection had passed. This can be inserted at address 16EB8.
To make addresses add up, three NOP?s is also needed. Just as with the copylock, we need to restore novella to it?s original state when it has run. Take note of the original opcodes, see picture above. Assemble 16EB8 and insert code marked with yellow. When done, see new opcodes:


Next question is where to take over novella? I tried patching it just after running the copylock, but this caused a crash. It seems like a checksum is run after the copylock. We then have to patch novella, AFTER this checksum has run. As I don?t know where the checksums are, I just tried taking over different addresses after copylock had run.
Address 5DDC seems to be very suitable. Have a look at it:


We can alter address 5DDC to ? JSR 176.S ?, after copylock has run, without getting troubles with checksums.
Address 176 can then wire new opcodes into the novella. See original opcodes for address 5DDC, insert a ? JSR 176.S ? and see new opcodes. See picture above.
After the novella has run, it?s probably best to restore original opcodes. This means that we need to find the code after it has run.
Remember that novella cleared address 16B10?
It does this, so it knows if the protection has been run. See what else happens with address 16B10: ? FA 16B10 ?.


AR returns three addresses. Have a look at the code around the first one:


Address 16B8A checks if address 16B10 is #0. If it is, the novella call at 16B94 is skipped. When novella has run, it returns to address 16B98. We?ll insert a ? JSR 1AA.S ? here, and restore original opcodes in novella, from a patch at 1AA. See original opcodes for 16B98 & 16B9C, insert a ? JSR 1AA.S & NOP ? and then see new opcodes.
Original opcodes are shown with green and new ones with red.
You should now be armed with a bunch of opcodes and addresses.
We now need to find a way to take over the decrunched game, before it?s executed, and make it call our crack patch.
Read boot block into memory, starting at address 70000:

? RT 0 1 70000 ?
Disassemble start and look out for jumps into loaded code:


Line 7009A makes a jump to the address A3 points to; beginning of the crunched game. Change this to a loop routine and write track back. Follow the above steps.
Reboot game and enter AR when it stops loading. We now need to find the jump into the decrunched data and take over this jump. Find start of loaded data, by looking at A3:


Address 59E8 is start address. Disassemble and look out for jumps. Address 5C48 makes a ? JMP (A7) ?, which executes decrunched game. We need to replace this with a ? JSR 100.S ?. The new code inserted is larger than original, so we have to insert at a little lower address. Address 5C40 is suitable. Take note at the code on address 5C40 & 5C42, as code has to be restored again. The opcodes for ? JSR 100.S ? is 4E B8 01 00. We move these opcodes into address 5C40. There is a little problem though, as A3 points to start of data, the start address is relative. It can be calculated where to insert the JSR by subtracting the address we wish to alter, with start address: ? ?5C40-59E8 = 258 ?.
All needed info to make a crack patch should now be in place. Only thing left, is a copy routine to move patch from disk and into address 100. Both patch and copy routine can be located on boot block, as there is free space from offset 100.
Read boot block into memory, starting at address 70000, change loop to ? BRA 70100 ?, to call copy routine upon boot.
See picture:

Assemble 70100 and code copy routine:
70100; LEA 100,A0; destination address 100
70106; LEA 70200(PC),A1; copy from offset $200 on disk
7010A; MOVE.W #D8,D7; copy $ D8 (size of crack patch)
7010E; MOVE.B (A1)+,(A0)+; copy
70110; DBF D7,7010E; copy
70114; MOVE.L #4EB80100,258(A3); call patch with a ? JSR 100.S ?, when game is decrunched
7011C; JMP (A3); jump we took over

Assemble 70200 and code the crack patch:
70200; MOVE.L A0,D0; restore code from end of decruncher
70202; SUB.L A6,D0 restore code from end of decruncher
70204, MOVE.L #6B87AF4E,32E28; wire new opcodes into copylock
7020E; MOVE.L #F6EBDD4E,32E2C; wire new opcodes into copylock
70218; MOVE.W #96C3,32E30; wire new opcodes into copylock
70220; MOVE.L #4EB8012C,3330A; call patch after copylock has run
7022A; RTS; return to decruncher
7022C; EORI.W #BD50,D0; run code we removed at 3330A
70230; MOVE.L #2ABB9D8C,32E28; wire original opcodes into copylock
7023A; MOVE.L #4DB5ED8D,32E2C; wire original opcodes into copylock
70244; MOVE.W #2CB5,32E30; wire original opcodes into copylock
7024C; MOVE.L #33CABD50,60.S; return copylock key at address 60
70254; MOVE.W #9290,37994; emulate code we skip inside copylock
7025C; MOVE.W #A9D0,3E8.S; emulate code we skip inside copylock
70262; MOVE.L #A40BD50,3330A; restore code at address 3330A
7026C; MOVE.L #4EB80176,5DDC.S; call patch, to crack novella
70274; RTS; return to game
70276; MOVE.W #535E.S,D0; run code we removed at 5DDC
7027A; MOVE.L #3038535E,5DDC.S; restore at address 5DDC
70282; MOVE.L #42434E71,16EB8; crack novella
7028C; MOVE.L #4E714E71,16EBC; crack novella
70296; MOVE.L #4EF801AA,16B98; call patch after novella has run
702A0; MOVE.W #4E71,16B9C; call patch after novella has run
702A8; RTS; return to game
702AA; LEA 12464,A0; run code we removed at 16B98
702B0; MOVE.L #41F90001,16B98; restore code at address 16B98
702BA; MOVE.W #2464,16B9C; restore code at address 16B98
702C2; MOVE.L #96680014,16EB8; wire original opcodes into novella
702CC; MOVE.L #66000008,16EBC; wire original opcodes into novella
702D6; RTS; return to game

When patch is first called, it will wire new opcodes into copylock and a call back to patch, after copylock has run.
When it returns original opcodes are returned in copylock, code we skip inside copylock is emulated and a call back to patch is inserted at 5DDC. When game reaches the call at 5DDC, patch will wire new opcodes into novella and insert a call back to patch at address 16B98. When patch is called for the last time, original opcodes are wired into novella and it returns to game. This should ensure that all values are original, to fool the checksums at the correct stages.
Correct boot checksum: ? BOOTCHK 70000 ?


Write track: ? WT 0 1 70000 ?.


When novella appears, just press Enter.
There have been done lot of testing with this one, and no faults were found. If you any, please let me know. By faults, I mean actual errors you find, like the game is crashing at a certain point. I don’t care about what you ” suppose, think, assume “, hard facts please.
Many greets to DLFRSILVER for testing!
Rob

0

Publication author

offline 20 years

Rob

0
Comments: 103Publics: 79Registration: 20-07-2004

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
Pollie
Pollie
8 years ago

Ok thanks I will check it out and get back to ya. So this is how they would have done it back in the day?

0
WayneK
Reply to  Pollie
8 years ago

Yes, patching the TVD to store the decrypted bytes somewhere else in memory is probably what I would have done back in the day (if I could code anything at all back then!).
Making a little decrypter is also possible, just look at the TVD to see how it does the decryption (as I said, ARIV RNC mode fails on some games since they use something like ADDI.W #1234,D0; NOT D0 and other simple methods).

Once you have mastered the copylock stuff, take a look at the TVD’s by Pierre Adane (games like Toki, Ilyad + some others) 🙂

0
Pollie
Pollie
8 years ago

Ah ha I see, in this example the previous longword at 32EF2 is 0F88A12E, and 0F88A12E EOR with 2E4EA14E (at 32EF6) = 21c60060 = MOVE.L D6, 00000060.S, Thanks for that WayneK.
I assume back in the day before ARIV people would have wrote their own decryptor?, or did they manually go through each instruction??, or is it possible to get the copylock to decrypt itself to memory somewhere??

0
aLpHa oNe
Reply to  Pollie
8 years ago

You can decrypt it to memory via patching the tvd. I think I did something like this here:
https://www.flashtro.com/index.php?e=page&c=Single-Track-protection&id=449

0
Pollie
Pollie
8 years ago

Hi there, Is somebody able to explain, how to decode rnc encryted code manually? I know you can use ARIV, just wondering how Crystal did this back in the day. Thought ARIV came out after this game. Obviously there must be a formula, as this is how ARIV does it.
Take encrypted code above at 32EF6 – MOVEA.l A6,A7 – 2E4EA148
, once decrytped this becomes 32EF6 – MOVE.L D6,00000060.S – 21C60060
How do you turn 2E4EA148 into 21C60060?
Cheers 🙂

0
WayneK
Reply to  Pollie
8 years ago

Usually it’s just done with EOR… if you EOR the previous longword with the current longword, you will get the decrypted opcode (or, 4 bytes of it since you only did 1 longword!).
This is exactly how Blackhawk’s ARIV RNC mode works, and as such won’t work for any RNC’s that don’t use EOR (quite a few early ones, if I remember correctly).

A bit more is explained in “TVD’s explained”, an old tutorial I wrote for Flashtro, and covered in detail by a tutorial Codetapper wrote too!

0
WayneK
18 years ago

Hey… as they say, "Can’t we all just get along?" (usually followed by a brutal beating…) Codetapper, most of the cracks people are writing tutorials for here… they are doing so to revisit their amiga scene days, now that they feel they can understand how to crack a few things – they also want to use (mostly) the tools that were available in those days… now I’m not expecting everyone to use ancient warpers and figure everything out from there, but I would say that excludes using whdload and MMU techniques to place memwatch points. If you want people to… Read more »

Codetapper
18 years ago

Jesus Christ, I try and help a lamer out so they can improve their skills and get flamed for it. If you are too stupid to learn about memory watchpoints and checksums then that’s your problem not mine. Just don’t keep churning out tutorials pretending you know what you’re doing when clearly you don’t. Anyone that disagrees with your methods gets abused – how lame. BTW your remark about Puzznic, Archer etc is also a joke. You were not able to crack ANY of those games before I showed you how to wire a key into a copylock. And if… Read more »

Codetapper
18 years ago

In that case your crack worked by luck not by skill. I’ve told you how to find checksum tests and you simply ignore my comments about mem watchpoints – therefore you might as well not bother trying to crack anything as you do not have the skill to find anything remotely tricky. You have simply learnt some cracking tricks and apply those to every game with a sledge hammer approach – even when it doesn’t apply to every game. You could have also uploaded a text file with just the code in if or the bootblock since you are too… Read more »

Codetapper
18 years ago

As I told you before, if you uploaded the ADF it would be easy to check. I’ve told you the exact location of the missed checksum and the expected value so you could do it yourself.

0
Codetapper
18 years ago

I can guarantee the WHDLoad versions are cracked correctly because I used the MMU to put breakpoints over the parts that were changed. If the game was reading those at any point, WHDLoad would quit the game on the exact instruction that caused the read. Unlike your version which would simply start misbehaving until it crashes or whatever Archer Maclean made it do. It is a waste of time to type out hundreds of bytes when you could easily create an ADF of your version. The game compresses to about 200k, and would be downloaded quicker than anybody could type… Read more »

Codetapper
18 years ago

It’s not easy to test your cracks because there are no obvious download links to grab your version. From what I can see and my knowledge of this game (having supported 3 different versions for WHDLoad and cracking them properly) I would guess that this version screws up at some point due to the missed checksum. It is also a farce to title this tutorial (and Jimmy Whites) anything like "bypass checksums" when you didn’t even locate them in the code. If there are 2 checksums and you do all sorts of patches to get around 1 of them, the… Read more »

Codetapper
18 years ago

Incidentally, the main part of the copylock for those that are interested: Copylock Decrypter v0.01 (c) 2004 Codetapper of Action ([email protected]) Copylock header found at $32a0e Copylock stack 1 found at $32a88 Copylock stack 2 found at $32df6 Copylock key wiring position found at $32e14 Copylock key wiring skip to position found at $32e5e Post copylock branch to address starts at $3321e Copylock new magic number ($a573632c) compare at $32e82 ======[ Key calculation routine found at $32ee4: ]====== _32ee4 move.w #$b,d1 _32ee8 add.l d6,d6 _32eea sub.l (a0)+,d6 _32eec dbra d1,_32ee8 _32ef0 eor.l #$71895a65,d6 ;Modify serial number _32ef6 move.l d6,($60).w ;Serial… Read more »

Codetapper
18 years ago

Easy. The game sets the stack to $400 when it starts up, and dumps stuff onto the stack. Later on, it pulls the values off the stack into the registers and therefore the value at $3e8 is used despite you not being able to find it easily in the code. I don’t think this crack will work properly anyway because the checksum at $41ffc has not been handled. If the checksum has been tested, the word at $41fee is set to 1. The checksum (as a word) is calculated and stored at $41ff0. This is the 2nd version of Archer… Read more »

musashi9
Admin
18 years ago

fixed 😉
keep up the contributions

0
Phantasm
18 years ago

hmm screenshots should probably have been smaller. my apologies.

0
Phantasm
18 years ago

Just for forther information the checksum routine is at $4831e – $483cc. Basically it uses some fancy code ( I guess to try and disguise itself) but doesn’t do much more than total up the word values of two areas of memory starting at $328c0 and $16b36. The calculated checksum is written to two different addresses by the code at $4837c and $4838a. If you wish to deal with this checksum by hand rather than using robs technique you can either hardwire #$253f into d0 at the relevant point, or since this is a simple addition calculation, you can easily… Read more »

aLpHa oNe
18 years ago

Really great tutorial, Rob!

0
WayneK
18 years ago

Nicely done Rob, good way to beat the CRC routines even when you can’t detect them 🙂

0
Authorization
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Registration
*
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password generation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

0
Would love your thoughts, please comment.x
()
x