Chuck Rock II - Son Of Chuck
Core Design


You will need the following:

1. Original game (find on romshare.com)
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. 1 blank disk
6. Pro-Pack v2.08 (find on amiga-stuff.com)
7. X-Copy or a similar program
8. Basic knowledge of file handling

Start by making a copy of the original game disks. You will notice an error on
track 0 on both disks. This is probably a copylock (or you have a problem with
your disk drive...).
Boot the copy of disk 1. The Core logo appears and the game loads.
After a while the logo disappears and the track counter goes to track 0. It hangs
there a few seconds and the game seems to start.
When you press "start" at the title menu, the game continues to load
and this screen appears:


After this screen your computer crashes. This doesn't happen with the
original game, so the copylock routine must have done "something" to the game,
causing it not to work. We could try cracking it by bypassing the whole copylock,
but that probably wouldn't work here: the game continues to load after the copylock
has run and only crashes later, so it must be using the magic number(s) the
copylock returns for something "useful", not just as a pass/fail test.
So, let's find these numbers.
Boot the original game and, at the exact moment the Core logo disappears and the
track counter goes to track 0, enter AR.
Do a hex search for 48 7A, the opcode word for PEA (d16,PC); a copylock usually
starts with it. See picture:


It returns two addresses. Disassemble the first one with "D 19716" and
hit enter a few times. Notice the PEA and the ILLEGAL: these are typical signs
of a copylock (the ILLEGAL is deliberate; the protection runs the rest of its
code from the exception it raises). Continue disassembling by holding down
enter until you see something like this:


The copylock ends at address 1A01C, and the instruction at 1A01E jumps back into
the game. Let's make the routine loop once the magic numbers have been returned,
by inserting a BRA at address 1A01E branching to 1A01E itself (opcode 60 FE).
See picture:


Exit AR. The game goes to track 0 and then hangs at track 59. Enter AR and press
"R" followed by enter to show the registers. You should see this:


OK, I can tell you that we have multiple magic numbers; it's not enough
to just return D0. We are interested in the following registers: D0, D2, D3,
D4, D5 and D6. D7 contains the address the game will continue from after the
copylock has run; we don't care about this. Write these register values down.
Magic numbers are also returned in some memory addresses; we won't dig into
these now. I'll tell you the addresses when we make our patch.
Now it's time to find the copylock on disk. This is difficult since it's
crunched, so we must find the crunched data, rip it from the disk and decrunch it.
To help you a little, I'll tell you where it's located: between tracks 45-59.
Remove the disk from the drive and reset the computer. When the Kickstart
picture appears, enter AR and insert the COPY of disk 1.
Read the tracks into memory starting at location 30000: "RT 59 20 30000";
hit enter.


Let's find the start of the data. RNC crunched files start with the signature
"RNC", which is 52 4E 43 in hex (the ASCII bytes, not an opcode).
Type this and hit enter: "F 52 4E 43 30000". It returns two addresses;
the first one (32A00) is the start of our data.
We can't find the exact end of the data with a plain search (the 18-byte RNC
header does store the packed length, if you want to check it by hand), but it
doesn't matter since ProPack only checks the start of the file. To find where
the data read into memory ends, type: "NQ 32A00"; hit enter.


A lot of garbage will flash down your screen and it ends at address 5BF58. Now we
have a start and an end address, so let's save this to a file. Insert the blank
disk and type: "SM RNC,32A00 5BF58"; hit enter. When done, copy ProPack to this
disk too and reset.
Type this in DOS to decrunch the file: "PROPACK U D RNC"; hit enter.
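The same search done offline on a saved track dump, as an added example (not part of the original tutorial and not Rob's own tooling). It does what "F 52 4E 43 30000" does in AR and adds the check the tutorial skips: the 18-byte RNC header records the packed length and a CRC-16 of the packed data, so the exact end of the stream and the genuineness of a "RNC" hit can be verified instead of guessed. The header layout and the CRC (polynomial 0xA001, initial value 0) are taken from the public RNC decompressor sources and are assumptions as far as this page is concerned; the sample dump is constructed.

```python
"""Locate RNC (ProPack) crunched streams in a raw track dump, offline.

Added example; the header layout and CRC parameters are assumed from the public
RNC decompressor sources, and the sample dump below is constructed.
"""
import struct

RNC_MAGIC = b"RNC"
HEADER_LEN = 18       # "RNC", method, unpacked len, packed len, 2 CRCs, leeway, chunk count
LOAD_BASE = 0x30000   # the tutorial reads the tracks to 30000 ("RT 59 20 30000")


def rnc_crc(data: bytes) -> int:
    """CRC-16 as used by RNC ProPack (assumed: reflected 0x8005, init 0, no final XOR)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def parse_header(image: bytes, off: int):
    """Decode the RNC header at image[off:]. Returns None if this 'RNC' is not a stream."""
    if image[off:off + 3] != RNC_MAGIC or off + HEADER_LEN > len(image):
        return None
    method, unpacked, packed, _crc_unp, crc_pk, _leeway, _chunks = struct.unpack(
        ">BIIHHBB", image[off + 3:off + HEADER_LEN])
    if method not in (1, 2) or packed == 0:      # only methods 1 and 2 exist
        return None
    body = image[off + HEADER_LEN:off + HEADER_LEN + packed]
    if len(body) != packed:                       # stream runs past the dump: read more tracks
        return None
    return {
        "start": LOAD_BASE + off,                           # what AR's "F" would print
        "end": LOAD_BASE + off + HEADER_LEN + packed,        # first address after the stream
        "method": method,
        "unpacked_len": unpacked,
        "packed_len": packed,
        "crc_ok": rnc_crc(body) == crc_pk,                   # False = damaged or not really RNC
    }


def find_rnc_streams(image: bytes) -> list:
    """Every plausible RNC stream in the dump: the "F 52 4E 43" search plus header checks."""
    hits, off = [], image.find(RNC_MAGIC)
    while off != -1:
        hdr = parse_header(image, off)
        if hdr is not None:
            hits.append(hdr)
        off = image.find(RNC_MAGIC, off + 1)
    return hits


def rip_stream(image: bytes, hdr: dict) -> bytes:
    """The bytes to hand to ProPack ("PROPACK U D ..."): header plus packed body."""
    start = hdr["start"] - LOAD_BASE
    return image[start:start + HEADER_LEN + hdr["packed_len"]]


def build_sample_dump() -> bytes:
    """Constructed track dump: filler, a decoy 'RNC' inside text, one real stream at 32A00."""
    payload = bytes((i * 37 + 11) & 0xFF for i in range(5000))    # stand-in for crunched data
    header = RNC_MAGIC + struct.pack(">BIIHHBB", 1, 12000, len(payload), 0x1234,
                                     rnc_crc(payload), 0, 3)
    dump = bytearray(0x2A00)                                       # 0x30000 + 0x2A00 = 0x32A00
    dump[0x100:0x110] = b"RNCE TEXT DECOY!"                         # 'RNC' bytes, not a stream
    dump += header + payload + b"\xff" * 0x200
    return bytes(dump)


if __name__ == "__main__":
    for hit in find_rnc_streams(build_sample_dump()):
        print("RNC stream at %05X, ends at %05X, packed %d bytes, CRC ok: %s"
              % (hit["start"], hit["end"], hit["packed_len"], hit["crc_ok"]))
```

A stream that fails the CRC or whose packed length runs past the dump is reported as no hit at all, which is the case to watch for when the "RT" range was too short: read more tracks rather than saving a truncated file.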

When done you should have a new file called "RNC.RNC". This is a big fella, eh?
OK, enter AR and type: "LM RNC.RNC,D000"


The file is located between D000 and 7F775; wow, almost fell over the edge.
Just kidding. Take note of these two addresses.
Search for copylock signs with "F 48 7A"; hit enter. It returns two addresses.
We are interested in the first one, because this is the start of the copylock.
Let's make a patch which returns the magic numbers in the registers AND in the
addresses I mentioned earlier. Make a patch like this:


This patch will make the file larger than the original when we crunch it, and the
crunched file has to fit back into the same tracks. We deal with this by inserting
a lot of repeated code right after our patch; repeated code crunches more
efficiently. Insert NOPs (4E 71) from address 7D582 to 7D600.

We still have one little problem. We have inserted an RTS at the end of the
copylock, so it returns to wherever it was called from. The problem is that the
copylock is started by a JMP instruction, which pushes no return address, so we
can't RTS our way back. Let's change that JMP to a JSR, turning our patch into
a subroutine. Disassemble from address D000 and hold down enter until you see this:


Notice address D070: this instruction jumps into the copylock routine. Change
the JMP to a JSR (JMP is opcode 4EC0+ea and JSR is 4E80+ea, so for the same
operand only bit 6 of the first word changes, e.g. 4E F9 becomes 4E B9). See
the bottom of the picture above.
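The three edits above (stub at the copylock entry, NOP padding, JMP to JSR) applied to the decrunched file offline, as an added example; this is not the tutorial's own patch, whose listing was an image that is no longer on the page. The copylock is located by its 48 7A (PEA (d16,PC)) signature, its entry is overwritten with MOVE.L #imm,Dn instructions carrying the values read with AR's "R" command, the memory magic numbers are stored, the stub ends with RTS, the rest of the chosen region is filled with NOPs (4E 71), and the JMP into the copylock becomes a JSR so the RTS has a return address. Assumptions: the register values, the 0x13D2 store address (quoted from a reader's comment below) and the constructed sample file are invented, and the JMP is taken to use absolute long addressing (4E F9 + address).

```python
"""Assemble the magic-number stub and retarget the JMP that enters the copylock.

Added example. Register values, the 0x13D2 store address and the sample file
are invented; the JMP is assumed to be 'JMP (abs).L' (4E F9 + address).
"""
import struct

LOAD_BASE = 0xD000            # "LM RNC.RNC,D000" in the tutorial
COPYLOCK_SIG = b"\x48\x7a"    # PEA (d16,PC), first instruction of a Copylock
NOP, RTS = b"\x4e\x71", b"\x4e\x75"


def move_l_imm_to_dn(value: int, dn: int) -> bytes:
    """MOVE.L #value,Dn -> opcode 203C | dn<<9, then the 32-bit immediate."""
    return struct.pack(">HI", 0x203C | (dn << 9), value & 0xFFFFFFFF)


def move_l_dn_to_abs(dn: int, addr: int) -> bytes:
    """MOVE.L Dn,(addr).L -> opcode 23C0 | dn, then the 32-bit absolute address."""
    return struct.pack(">HI", 0x23C0 | dn, addr)


def assemble_stub(regs: dict, stores: dict) -> bytes:
    """Replacement copylock body: load every recorded register, write the memory
    magic numbers, then RTS back to the (soon to be) JSR.
    regs = {data register: value}, stores = {address: data register to store}."""
    code = b"".join(move_l_imm_to_dn(val, dn) for dn, val in sorted(regs.items()))
    code += b"".join(move_l_dn_to_abs(dn, addr) for addr, dn in sorted(stores.items()))
    return code + RTS


def find_copylock(image: bytes) -> int:
    """Offset of the first 48 7A hit, as "F 48 7A" in AR (the tutorial takes the first)."""
    off = image.find(COPYLOCK_SIG)
    if off == -1 or off % 2:
        raise ValueError("no copylock signature on an even (instruction) boundary")
    return off


def find_jmp_to(image: bytes, target_addr: int) -> int:
    """Offset of 'JMP (target).L' = 4E F9 + address; the tutorial found it at D070."""
    off = image.find(struct.pack(">HI", 0x4EF9, target_addr))
    if off == -1:
        raise ValueError("no JMP abs.L into the copylock (other addressing mode?)")
    return off


def patch_image(image: bytes, regs: dict, stores: dict, region_end_addr: int) -> bytes:
    """Apply the edits and return the new file. region_end_addr is the address up
    to which the old copylock may be overwritten (7D600 in the tutorial)."""
    buf = bytearray(image)
    entry = find_copylock(buf)
    jmp = find_jmp_to(buf, LOAD_BASE + entry)
    stub = assemble_stub(regs, stores)
    region = region_end_addr - (LOAD_BASE + entry)
    if len(stub) > region or region % 2:
        raise ValueError("stub does not fit in the copylock region")
    buf[entry:entry + len(stub)] = stub
    buf[entry + len(stub):entry + region] = NOP * ((region - len(stub)) // 2)
    # JMP is 4EC0+ea and JSR is 4E80+ea: clearing bit 6 of the opcode word is the whole change
    struct.pack_into(">H", buf, jmp, 0x4EF9 & ~0x40)
    return bytes(buf)


def build_sample_file() -> bytes:
    """Constructed decrunched file: a loader at D000 that JMPs into a fake copylock at D200."""
    entry_addr = LOAD_BASE + 0x200
    loader = NOP * 8 + struct.pack(">HI", 0x4EF9, entry_addr) + NOP * 4      # JMP at D010
    loader += bytes(0x200 - len(loader))
    copylock = b"\x48\x7a\x00\x06" + b"\x4a\xfc" + bytes(range(256)) * 2     # PEA; ILLEGAL; junk
    return loader + copylock + NOP * 16


if __name__ == "__main__":
    regs = {0: 0x11111111, 2: 0x22222222, 3: 0x33333333,
            4: 0x44444444, 5: 0x55555555, 6: 0x0D038C92}   # invented, except D6 from the comments
    patched = patch_image(build_sample_file(), regs, {0x13D2: 6}, LOAD_BASE + 0x280)
    print(patched[0x200:0x280].hex(" ", 2))
```

The region end is deliberately a parameter: if the stub does not fit between the copylock entry and the address you chose for the end of the NOP run, the function refuses rather than silently overwriting game code past the copylock. Values for the other memory addresses the tutorial mentions go into the stores dict the same way as 0x13D2.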
It's time to save the file back to disk. Before you do this, delete the files
"RNC" and "RNC.RNC". Save memory with:
"SM RNC,D000 7F775"; hit enter

Exit to DOS and type: "PROPACK P D RNC"; hit enter.

After some time (approximately a week or two) it's finished and you should have
a new file called "RNC.RNC". Enter AR, insert the COPY of disk 1 and read the
tracks into memory with: "RT 59 20 30000"; hit enter.


When done, insert the disk with your cracked file and load it into memory
starting at location 32A00 ("LM RNC.RNC,32A00"), see picture above. Check the
end address AR reports: the file must not extend past 5BF58, where the original
crunched data ended, or it will overwrite the data that follows it in the track
buffer. Insert the COPY of disk 1 and write the tracks back with: "WT 59 20 30000";
hit enter.

Next step is... oh sorry, no next step, you're finished! Reset the computer
and boot your newly cracked game.

And it works of course! Disk 1 and disk 2 contain the same magic numbers,
so the game just calls the same copylock whether you're playing from disk 1 or 2.
I have playtested through the WHOLE game, and it worked fine all the way
to the final monster. So, we should be pretty safe with this one too.
Crack dedicated to sweet sweet Victoria.
Rob.

musashi9 (Admin), 9 years ago:

I think Rob removed all the bootblock images because he feared there could be a copyright issue with the site hosting them.
I guess he can upload to a free download site and add a link here in the comments if he still has the bootblock.

MiniChuck, in reply to musashi9, 9 years ago:

Hairy Muff :), Hope it surfaces somewhere, that would make for an interesting read.
With regards to comment 4, is there any reason why we only patch D6 into address 13D2, and not the other 2 addresses (100 & 130C)? I thought 100 was a common place to stick the key? Rgds MC

sim, in reply to Rob, 8 years ago:

Good article! And commenting after the gap of 10 years RULEZ HARD =)!

MiniChuck, in reply to Rob, 9 years ago:

Where can I find the boot block download? (Can't seem to find the download at the top of the tutorial), and is there a tutorial covering how this method works?
Rgds MC

MiniChuck, in reply to MiniChuck, 9 years ago:

I meant to also say that I can't seem to find the download at the top of the tutorial, like it says?
Also when trying to edit the previous comment, I'm getting a JS Ajax error message appearing? Hence why I have commented again.
Rgds MC

MiniChuck, in reply to Rob, 9 years ago:

Me again ;), When looking here I find the value of reg D6 (0D038C92) is also in address 100, 130C and address 13D2. Is there any reason why we only patch D6 into address 13D2, and not the other 2 addresses? Appears to work OK anyhow?
Rgds
MC
