Chuck Rock
Core Design

1. Original game (find it on emunova.net)
2. An Amiga or WinUAE
3. Action Replay (cartridge or ROM image)
4. Pencil and paper
5. One blank disk (find it in your local Amiga store)
6. Copylock Decoder (find it on codetapper.com)
7. Scientific calculator (the one built into Windows will do)

Start by making a copy of the original game disks. This is to determine the type of protection.
You'll notice an error on track 0 on both disks; this is probably a Copylock protection.
The copy of the game crashes shortly after boot because the copylock check fails.
Boot the game again and enter AR when the Core logo appears. Copylocks often start
with a "PEA $$$$(PC)", so search for its opcodes: F 48 7A. AR returns four addresses,
because the copylock is moved from one memory location to another.
Take note of address 6E5C: the copylock starts here.

Disassemble address 6E5C and hold Enter down until you reach around address 778A.
The copylock ends around address 777E, and at address 7780 the magic number is
compared with D0. You should probably take note of this.
Insert a blank disk and save out the copylock: SM COPYLOCK,6E5C 7786
Start the Copylock Decoder and load in the saved copylock:

CD will ask for the sync; choose $89??, since we have the original key disk. Insert
disk 1 and press OK.

It then asks for the D3 register; choose $0000.

After a few seconds the decoded copylock is ready to be saved. Insert the disk with the
saved copylock and press OK.

Fire up AR and load the decrypted copylock into memory so we can have a look at it:
LM COPYLOCK.DEC,40000

Address 403E6 is the one we are interested in. This code appears in most copylocks,
and it's here that we'll wire in the magic number. Once that is done there is no need
for the disk-access part to be executed, so we can branch past it.
You can see the code getting a little "weird" around address 40226; try disassembling
address 40428 and hit Enter a few times. You'll notice a BRA at address 40430. This BRA
also appears in most copylocks, and it is the address we'll branch to.

Assemble address 403E6 and insert the code shown in the picture above. We only do this
so we can see the opcodes of our patch, because we need them to calculate the encrypted
opcodes. The opcodes are marked in red in the picture: 203C 9B50 CBE8 (MOVE.L
#$9B50CBE8,D0, which loads the magic number) followed by 6000 0042 (BRA.W to 40430).
To calculate the new encrypted opcodes, we also need the encrypted opcodes of the long
word instruction that precedes our changes.
That instruction starts at address 403E2.
Load the encrypted copylock into memory, starting at address 40000: LM COPYLOCK,40000.

See its opcodes with M 403E2.
We now have everything needed to do the calculations.
XOR the encrypted opcodes of the preceding long word with the new unencrypted opcodes
and you get the new encrypted opcodes:

ENCRYPTED       NEW UNENCRYPTED    NEW ENCRYPTED
A47BF875  xor   203C9B50        =  84476325

Last 2 bytes (the remaining word of the MOVE.L uses the first word of the same key):

ENCRYPTED       NEW UNENCRYPTED    NEW ENCRYPTED
A47B      xor   CBE8            =  6F93

For the BRA, take the previous encrypted long word (the four encrypted bytes right before it) and XOR:

ENCRYPTED       NEW UNENCRYPTED    NEW ENCRYPTED
63256F93  xor   60000042        =  03256FD1

The new encrypted opcodes for the copylock therefore look like this: 84 47 63 25 6F 93 03 25 6F D1.
We simply replace the original opcodes in the copylock with these new ones and it's cracked.
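The three XOR tables above are one instance of a general rule, and the calculator work is easy to get wrong. The following is an added worked example (it is not code from the original tutorial) that carries the rule out in Python: every instruction is XORed with the encrypted long word stored in the four bytes immediately before it, and an instruction longer than four bytes reuses that key for its remaining bytes (the "last 2 bytes" step, where CBE8 is XORed with A47B). The addresses and opcodes are the ones printed above; that 203C 9B50 CBE8 decodes to MOVE.L #$9B50CBE8,D0 and 6000 0042 to BRA.W follows from the 68000 encoding. The split into two long words and one word at the end is the division the disk 2 patch later on this page uses for its MOVE instructions.

```python
# Re-encrypting a patch for the Copylock routine (added example, not from the
# original tutorial). Rule modelled: enc[instr] = plain[instr] XOR the encrypted
# long word in the 4 bytes preceding the instruction, key repeated every 4 bytes.

PATCH_ADDR = 0x403E6                    # where the patch is assembled (decoded copy)
PREV_ENC = bytes.fromhex("A47BF875")    # encrypted long word at 403E2, per the text

# Plaintext patch, one entry per instruction (the "NEW UNENCRYPTED" columns above).
PATCH = [
    bytes.fromhex("203C9B50CBE8"),  # MOVE.L #$9B50CBE8,D0 : wire in the magic number
    bytes.fromhex("60000042"),      # BRA.W  $40430        : skip the disk-access part
]


def encrypt_patch(prev_enc, instrs):
    """Return the encrypted bytes for `instrs`, placed right after `prev_enc`."""
    if len(prev_enc) != 4:
        raise ValueError("need the 4 encrypted bytes preceding the patch")
    enc = bytearray(prev_enc)
    for instr in instrs:
        if len(instr) % 2:
            raise ValueError("68000 instructions are a whole number of words")
        key = bytes(enc[-4:])  # encrypted long word immediately before this instruction
        enc.extend(b ^ key[i % 4] for i, b in enumerate(instr))
    return bytes(enc[4:])


def decrypt_patch(prev_enc, enc, lengths):
    """Inverse of encrypt_patch. Instruction lengths must be known, as they are
    to the trace-based decoder that decrypts and runs one instruction at a time."""
    buf = bytes(prev_enc) + bytes(enc)
    out, pos = [], 4
    for n in lengths:
        key = buf[pos - 4:pos]
        out.append(bytes(buf[pos + i] ^ key[i % 4] for i in range(n)))
        pos += n
    if pos != len(buf):
        raise ValueError("instruction lengths do not cover the patch")
    return out


def bra_target(instr_addr, disp16):
    """Target of a BRA.W: address of the displacement word plus the signed displacement."""
    disp = disp16 - 0x10000 if disp16 & 0x8000 else disp16
    return instr_addr + 2 + disp


def split_for_move(data):
    """Split the encrypted bytes into MOVE.L / MOVE.W immediates, the way the
    boot-block patch pokes them into the second copylock."""
    chunks, i = [], 0
    while len(data) - i >= 4:
        chunks.append(("MOVE.L", int.from_bytes(data[i:i + 4], "big")))
        i += 4
    if len(data) - i == 2:
        chunks.append(("MOVE.W", int.from_bytes(data[i:i + 2], "big")))
    elif len(data) - i:
        raise ValueError("odd number of bytes")
    return chunks


if __name__ == "__main__":
    new_enc = encrypt_patch(PREV_ENC, PATCH)
    print("new encrypted opcodes:", new_enc.hex(" ").upper())  # 84 47 63 25 6F 93 03 25 6F D1
    bra_addr = PATCH_ADDR + len(PATCH[0])                       # the BRA sits at 403EC
    print("BRA target: %05X" % bra_target(bra_addr, 0x0042))   # 40430
    for size, imm in split_for_move(new_enc):
        print("%s #%X" % (size, imm))
```

The round trip through decrypt_patch is the check worth doing before writing a track back: if the instruction lengths you assumed do not cover the patch exactly, the key for the following instruction is wrong and the copylock will decrypt garbage from that point on.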
The copylock is located on track 41. Insert the copy of disk 1 and read track 57 into memory
starting at address 30000:
RT 72 2 30000.
We have the opcodes of the long word instruction preceding our changes.
Search for them, starting at address 30000: F A4 7B F8 75,30000.
AR returns address 31E56; see the opcodes with M 31E56.


The preceding long word instruction is marked in red. The opcodes we need to change
come right after it and are marked in white. Insert the new opcodes you calculated,
marked in green. Don't forget to press Enter when done.
Write the track back: WT 72 2 30000.
And now... you are not finished.
There is also a copylock track on disk 2, and it's executed when the game requests
disk 2. The copylock routine itself is located on disk 1, in a ProPacked data file.
Let's try to find a way to patch the decrunched copylock before it's executed.
Copylock 2 is easy to crack, since the opcodes from copylock 1 can be reused.
Boot your newly cracked disk 1 and enter AR when prompted to insert disk 2. Search
for the copylock: F 48 7A.
AR returns addresses 15AEC and 15AFC. This means that copylock 2 starts at address
15AEC; take note of this.
NDOS games often load data into either low or high chip memory. View memory with
N 0 and stop when you reach around address 1580:

The data at address 1000 seems to be the start of something. Check whether anything jumps
to this address with FA 1000.
AR returns two addresses, one of which is a JMP 1000.

Reboot the game and enter AR when the Core logo appears. Check whether this jump is
already present at this early stage of the boot: D 613A0. The jump is there, and it's
probably not even crunched. It would be really convenient if the copylock were already
decrunched, but not yet executed, when the game performs this jump.

Set a breakpoint at address 613A0 (BS 613A0) and continue the game. After a while AR
pops up. The copylock started at address 15AEC, so disassemble that address and hit Enter
a few times. You'll notice that the copylock is decrunched and that the game hasn't
executed it yet, since it hasn't requested disk two.
Let's take over this jump and change it to JMP C0, where we'll put a little patch that
inserts the cracked opcodes into the copylock.
The jump is located on track 41 (found by trial and error); read it into memory starting
at address 30000: RT 52 2 30000.
Search for the jump, starting at address 30000: FA 1000 30000.
AR returns address 319A0.

Assemble address 319A0, change the JMP 1000 to JMP C0 and write the track back, as shown
in the picture above.
We now have to determine where in the copylock to insert the new opcodes. This copylock
is identical to copylock 1, so we can reuse the opcodes. Search for the opcodes of the
long word instruction preceding our changes: F A4 7B F8 75.
AR returns address 15ECE; see the opcodes with M 15ECE.

The instruction we searched for is marked in red. The opcodes we want to change come
right after it and are marked in white. The new opcodes are marked in grey. Since we
have to insert the opcodes with the MOVE instruction, the easiest thing is to divide
them into two long words and one word.
Long word 1 starts at address 15ED2 and is marked in yellow. Long word 2 starts at
address 15ED6 and is marked in green. The last word starts at address 15EDA and is
marked in orange.
The next step is coding the patch and adding a track loader that moves it to address C0.
Read out track 0: RT 0 2 70000.
We now have track 0 in memory, starting at address 70000. Let's move the original boot
block to another location on the disk and make a new boot block that loads our patch
and the original boot block into memory, then executes the original boot block.
If you check address 71A00 with N 71A00, you'll notice that this offset on the disk is
not used.
Move the original boot block to offset $1A00: TRANS 70000 70400 71A00.

Assemble address 70200 (offset $200 of the new boot block) and insert the following code:

70200  MOVE.L #84476325,15ED2   ; move the first long word of the crack into the copylock
7020A  MOVE.L #6F930325,15ED6   ; move the second long word of the crack into the copylock
70214  MOVE.W #6FD1,15EDA       ; move the last word of the crack into the copylock
7021C  JMP 1000.S               ; the jump we took over: jump back into the game

This little patch moves the new encrypted opcodes into the copylock.
Assemble address 7000C and write the two track loaders:

The code from address 7000C to 70054 first loads the patch from offset $200 on the disk
into memory at address C0. It then loads the original boot block from offset $1A00 into
memory at address 60000, where it is executed by the jump to address 6000C.
Addresses 7002A and 70050 can't be assembled with AR; insert the opcodes instead.
Correct the boot block checksum with BOOTCHK 70000 and write the track back: WT 0 2 70000.
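Every edit to the boot block (the loaders at 7000C and the patch at 70200 above) invalidates its checksum, which is why BOOTCHK is needed before the write. The following is an added worked example, not code from the original tutorial, showing what that checksum is: the 256 long words of the 1024-byte block, summed with end-around carry, must come to $FFFFFFFF once the checksum stored at offset 4 is included. It assumes the standard AmigaDOS boot block layout ('DOS\0' at offset 0, checksum at offset 4, root block number 880 at offset 8, code from offset $C); the sample code bytes are constructed here and are not the tutorial's loader.

```python
# Amiga boot-block checksum: what BOOTCHK recomputes after the block is edited.
# Added example, not code from the original tutorial.

BOOTBLOCK_SIZE = 1024      # two 512-byte sectors
CHECKSUM_OFFSET = 4
CODE_OFFSET = 0xC          # boot code starts here (the tutorial assembles at 7000C)
ROOT_BLOCK = 880           # root block of a DD floppy


def _ones_complement_sum(block, skip_checksum):
    """Sum every big-endian long word with end-around carry (ones' complement)."""
    total = 0
    for off in range(0, len(block), 4):
        if skip_checksum and off == CHECKSUM_OFFSET:
            continue
        total += int.from_bytes(block[off:off + 4], "big")
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1   # fold the carry back in
    return total


def bootblock_checksum(block):
    """Checksum value to store at offset 4 so the whole block sums to $FFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    return (~_ones_complement_sum(block, skip_checksum=True)) & 0xFFFFFFFF


def fix_checksum(block):
    """Return a copy of `block` with a correct checksum written at offset 4."""
    out = bytearray(block)
    out[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = bootblock_checksum(block).to_bytes(4, "big")
    return bytes(out)


def verify_bootblock(block):
    """True if the block carries the 'DOS' signature and checksums to $FFFFFFFF."""
    return (len(block) == BOOTBLOCK_SIZE
            and block[:3] == b"DOS"
            and _ones_complement_sum(block, skip_checksum=False) == 0xFFFFFFFF)


def build_bootblock(code, dos_type=0):
    """Lay out a boot block: signature, checksum, root block, then `code` at $C."""
    if len(code) > BOOTBLOCK_SIZE - CODE_OFFSET:
        raise ValueError("boot code does not fit in the boot block")
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS" + bytes([dos_type])
    block[8:12] = ROOT_BLOCK.to_bytes(4, "big")
    block[CODE_OFFSET:CODE_OFFSET + len(code)] = code
    return fix_checksum(bytes(block))


# Constructed stand-in for boot code: JMP $6000C (4EF9 = JMP abs.L), not the
# tutorial's actual loader.
SAMPLE_CODE = bytes.fromhex("4EF90006000C")

if __name__ == "__main__":
    bb = build_bootblock(SAMPLE_CODE)
    print("checksum: %08X" % int.from_bytes(bb[4:8], "big"))   # 6CABA989
    print("valid:", verify_bootblock(bb))                        # True
    broken = bytearray(bb)
    broken[0x200] ^= 1           # a one-bit edit at offset $200, where the patch goes
    print("valid after edit:", verify_bootblock(bytes(broken)))  # False
```

Kickstart refuses to boot a block that fails this check, so a crack that forgets BOOTCHK (or reorders the edits after running it) produces a disk that stops at the Kickstart screen rather than a crash in the game; that is the first thing to check when a patched disk does not boot at all.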

Dedicated to sweet sweet Victoria...

Rob

MiniChuck
9 years ago

Hi musashi9,
Thanks for the update. I appreciate this article was originally written way back in 2004, only 10 yrs ago; it's taken me 25 years to discover this stuff anyhow!! :)
I have tried to edit messages twice now within the 10 minute expiry, and still no joy...
Do you know if there is any reason some levels in CR are not loading properly?
Rgds
Mc

musashi9
Admin
Reply to MiniChuck
9 years ago

The error could be because you are not a logged-in member?
Regarding Chuck Rock, I just tested 2 versions and you are right, it does crash on 2-5, but this is because there is no such level. Level 2-4 = BOSS and if you kill him it goes straight to 3-1. I am not sure about the other corrupted levels but it could be a similar case.

MiniChuck
9 years ago

Sorry about the horrible formatting... I also see you still cannot edit messages, some Ajax error message???

musashi9
Admin
Reply to MiniChuck
9 years ago

I have sent Rob (author of this tutorial) a MSG; hopefully he will come back to flashtro and check, although it has been some years since he left.
About the edit error, hmm, it works for me, but I do know there is a 10 min edit period and after that it may not let you edit.

MiniChuck
Reply to musashi9
9 years ago

Hi again, just tried to edit the last message again...
Console reports:
Request URL: https://www.flashtro.com/index.php?r=rcomm
Request Method: POST
Status Code: HTTP/1.1 403 Forbidden
and a javascript pop-up stating 'AJAX error:[object Pbject]' is displayed...
Not a big thing, more interested in the CR questions though, as I work with webdev issues all day :).
Thanks again. MC

MiniChuck
9 years ago

Hi there, thought I would 'chuck' in a few points :) By no means am I an expert! 1. Haven't really managed to get my head around how you worked out the XOR'd new opcodes, but I shall try again later. How did you know they had been XOR'd in the first place? In a few places it mentions things underlined in red or orange for example, and there is no red/orange colour in the screenshot? 2. I know it is always best practice to emulate what the copylock does, and wire in any keys, but a method I have found...
