DarkMan

Darkman ?

? Ocean

1991

You will need following:

1. Copy of game

2. An Amiga or WINUAE

3. Action Replay
or ROM image

4. Pencil and paper

5. One blank disk
– find it in your local Amiga store

6. ARIV ? find on
romshare.net

7. Kickstart 2.0

As usual, start by
making a copy of original disk. You?ll notice an error on track 0. This is as
many of you guessed, a copylock

track. But wait,
in this one we not only have three copylock routines, we also have a nasty encryption
and even better; checksums.

Let the fun begin
🙂

Game starts by loading
a encrypted main file to address 60000 and then executes it. We need to decrypt
this file, and grab

the decrypted data,
so we can crack the copylocks. To avoid game from executing the file, we?ll replace
the jump to file, with

a loop routine.

Insert copy of game,
and read boot block into memory, starting at address 70000: ? RT 0 1 70000 ?

Disassemble start
of boot code and look out for jumps:

Line 7006A executes
encrypted file, by doing a ? JMP 60000 ?. Alter this to a loop, correct boot block
checksum and

write boot block
back:

Boot game and enter
AR when it hangs. Loaded file starts at address 60000, take a little look at it;
? N 60000 ? + enter

Well, what should
I say ? I spend hours on that encryption and when I finally got it, I realized
it?s pretty easy, when you

know how to do it.

Disassemble address
60000 and hit enter several times:

The encryption is
doing a LONG series of moving data between address 78000 and 8. Every time, a
bit of the file is

decrypted.

We?ll get the decrypted
data, by replacing the LAST jump to a loop routine. We?ll put this loop at address
4, as it stays

untouched. At start,
I altered the jump to a loop ? BRA 8 ?, but the file kept getting corrupted, perhaps
because part of the

? JMP ? instruction
is used as a decryption key?

Scan memory for jumps,
starting at address 60000: ? F 4E F9 ? (opcodes for JMP).

Last returned address
is 6091A. Disassemble this address and hit enter: ? D 6091A ? + enter

6091A jumps to address
8. Assemble 6091A and change it to ? JMP 4 ?. Assemble address 4 and insert a
loop, see

picture above.

When the file is
decrypted, it will get stuck at address 4 in stead of executing itself.

Execute encryption:
? G 60000 ?. Wait about 10 secs, enter AR and press ? D ? + enter.

You should now be
stuck at address 4. We know that encryption would originally jump to address 8,
so this is our

start address. To
find end address, type ? NQ 8 ?. You?ll see lots of crap flashing over you screen
and it seems to end

around address 14770.
( data continues at higher addresses, but is leftover from the encryption)

To ensure we have
all data, set address 147B8 to end address. Insert a blank disk and save memory,
as a file called ? A ?;

? SM A,8 147B8 ?.

Reboot and enter
AR when kickstart logo appears. Load saved file into memory, starting at address
60000:

? LM A,60000 ?. Disassemble
address 60000 and hit enter a few times.

You?ll see some ?
leftover ? from the decryption routine, moving data to address 40000.

We need to branch
past this part and to address 30032.

Assemble address
60000, insert a ? BRA 30032 ? and save memory back, as a file called ? B ?. See
picture:

Next part, is cracking
the three coylocks. These are identical and can be cracked the same way. We start
by finding

the copylock key,
and then we wire the key into the encrypted code.

Insert original game
and reboot. Enter AR immediately when the Darkman logo appears.

Copylocks start with
? PEA xxxxx(PC) ?, search for the opcodes: ? F 48 7A ? + enter. You?ll receive
six addresses and

game executes the
one starting at address 991C first. Disassemble address 991C, and hold enter pressed
down until

normal code appears
again.

The encrypted code
seems to end at address A240. Stick a breakpoint to address A240 and exit AR,
see picture above.

When game reaches
end of copylock, AR pops up, and we can read out key from D0 before game EOR?s
it.

When AR pops up,
press ? R ? + enter to see registers. Take note of key from D0.

Armed with the key,
we can wire it into the copylock.

Start ARIV and enter
with RMB. Insert disk with saved file ? B ? and load it onto memory, starting
at address 60000:

? LM B,60000 ?. File
is located between address 60000 ? 747B0.

Enable the built
– in RNC decrypter: ? ROBD ? + enter.

Find the copylock
routines, starting at address 60000: ? F 48 7A,60000 ?. It doesn?t matter which
of the copylocks we

choose, as they are
all alike.

Pick the first one,
disassemble address 65022 and hold enter down until this appears:

Address 65408 is
the one we are looking for. This code will appear in newer copylocks and it?s
here we?ll wire

copylock key. When
we crack the copylock this way, ? part two ? of copylock will also be executed,
which sometimes

contains decryption
routines, etc. But it seems like this one only moves the key to address 60, and
nothing more.

When we have done
that, there is no need for disk access part to be executed, so we can branch past
that part.

Continue disassembling
a few lines further. You?ll notice a BRA at address 65452, this BRA also appears
in most

copylocks, and it
branches to ? second ? part of copylock, as mentioned earlier. We can either branch
directly to

657F8, or to 65452,
it makes no difference.

Take note of the
original opcodes at address 65408: ? M 65408 ?, I have marked them with red in
the picture beneath.

We need them to find
the same location in the two other copylocks.

Assemble address
65408 and insert key in D0 and branch to ? part two ? of copylock, see picture
beneath.

Take note of new
encrypted opcodes, marked with green. The RNC decrypter is still active, so the
normal code we

insert, will be transformed
to encrypted code.

Find the two other
copylocks that needs to be modified, by searching for the original encrypted opcodes:

? F EC 9C C7 85 98
9C 21 15,60000 ?. AR returns two addresses: 69834 & 70970. Insert new encrypted
opcodes

at these addresses,
and don?t forget to press enter when done.

Save memory back
to disk, as a file called ? C ?: ? SM C,60000 747B0.

Next part is the
checksum routines. I had lot of troubles with them, so I had to call for help.

Musashi9 will take over the keys
now.

:O
ok ok so now we have the copylocks cracked in memory ready to run
insert your darkman disk (original or copy it doesnt matter) and lets try play
the game
so execute the cracked code by jumping to 60000
g 60000

everythig seems fine n dandy, game starts to load untill the first level appears

HMMM! nothing no movement at all
me thinks a checksum has kicked in (checking the memory around our copylocks
to see if it has been modified, which it has)
and thus crashing the game

i dont know much about finding checksums so i had to find my own way and one
thing i noticed is that when the checksum version of the game loads level 1,
the game freezers nothing much happens
but 1 thing struck me about this, do you notice there are no digits in the TOP
MIDDLE to represent the TIME + AMOUNT OF PHOTOS
and we know in the original game when you play level 1, the timer and photo
digits appear and start to count down
so i came to the conclusion that the checksum performs its check before the
game code activates ’20’ for amount of photos
so i decided to search for the code that places 20(hex 14) in memory
how? well i done a simple trainer search
so start up your original disk and when you reach level 1 you will notice you
have 20 snaps (right side)

so enter action replay and search for those 20, by using the trainer option
but hmm you cant just search for 20 because it is most likely to be in HEX format
which would be 14
why? well hex works like this 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14
count from 01 – 14 = 20
so lets activate our trainer
TS 14
let it do a search
eventualy it will say ready, when it does you exit action replay and take just
1 snap by pressing fire button
your snap counter goes down to 19
so now we enter action replay again and carry on our trainer search for 14 –
1 = 13
so
T 13
it will return 1 address only which is 71B9
lets take alook at 71b9 hmm well 71b8 because it’s probably a .W address meaning
4 hex digits

you can test it further to make sure this is the right address by adding 14
again then re-entering the game take some snaps then re enter action replay
and top up the amount back to 14
you will notice your snap counter goes back upto 20 every time
cool eh?
ok so now we have the address our snap counter is at
we need to search the game code
so do a find addres 71b8
FA 71B8
it will return several address

the ones we’re interested in are the first 2
the second one in perticular because this part of code is not executed if the
checksum fails (we know this because the counter is empty if it fails)
my first idea was to goto this address and work my way backwards
but then i thought why would it tst 71B8 after a checksum? didnt make sense
to me so i came to the conclustion the checksum is somewere between these 2
address points
6212 and 632e
so lets search from 6212 onwards
D 6212
scroll down just a little and you will bypass all the bsrs and jsrs ect.. and
you will come to a odd looking piece of code

reason i say its weird is its moving alot of numbers around subtracting adding
ect… so look like its calculating something
so i decided to bypass this, i noticed at the bottom is a BRA 62a90 so i placed
this at the start of this code
A 6250
`6250 BRA 62A0
and then i executed the game and it worked 🙂 level one now loads up
i pased on this information to Rob and he worked out that if you put a NOP at
address 628E this creates the same result (working level1)
infact here is what he found out
if you play the original disk and put a breakpoint at address 628E when the
breakpoint is raised D0 is set to 0
but if you do the same with the copy D0 is not set to 0
so address 628E writes d0’s value into the address A0 points to
so what we need to do is find all the SUB.W d0,(a0) and while we are at it all
the ADD.W d0,(a0)
so lets load our C file that rob made earlier to 60000 anf do a search for
F 91 50
and nop out them all
and also
F D1 50
and nop out them all
save back your C file
SM C,60000 747B0
try the game out by jumping at 60000
G 60000
works?
well yah but rob noticed something odd here
when your time runs out, the game crashes, this cant be good can it
rob found that if you noped out op codes D1 C8 the game wont crash
he found these by searching for similar code like the code surrounding both
the above opcodes and noping each suspicious line out in trial and error
so search and destroy the remaining opcodes (should be 3) and then save back
the file

Last step is packing
our cracked file. Copy ProPack to crack-disk and boot it.

Game?s boot block
moves the file to address 60000 and executes it. We are going to pack the file
using ProPack and

set address 60000
as jump address. The file will load & decrunch over itself. Type this In DOS,
to pack file:

? PP P M ?M2 ?X0X60000 DF0:D
? +enter.

The ? ?M2 ? option
will cause less crunch gain (doesn?t matter), but final file ill decrunch faster.

You should now have
a file called ? D.RNC ?. Next step is writing the file back to copy of game, replacing
the original

encrypted one.

Insert copy of game
and read boot block into memory, starting at address 70000: ? RT 0 1 70000 ?.

Disassemble start
of boot code and hit enter a few times:

We are interested
in line 1003C. This shows the start offset on disk, where the boot loader begins
to read data from.

The offset is $2C00.
If we read tracks into memory, starting at address 10000, we have to load the
new file to address

12C00. We also have
to change the loop routine back to ? JMP 60000 ?.

Start by reading
the first eight tracks into memory, starting at address 10000: ? RT 0 12 10000
?. Insert disk with saved

files on, and load
file ? D.RNC ? to address 12C00: ? LM D.RNC,10000 ?.

Alter the loop at
line 1006A to a ? JMP 60000 ?, see picture beneath.

Correct boot block
checksum: ? BOOTCHK 10000 ?.

Insert copy of game
and write tracks back: ? WT 0 12 10000 ?
now play your fully cracked Darkman

Rob – Musashi9
playtesting by DLFRSilver

Publication author

offline 2 weeks

mus@shi9

0

Comments: 1160Publics: 2780Registration: 06-03-2017