
Dragon Stone
© Core Design
1994

1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Five blank disks (find them in your local Amiga store)
6. ARIV

In this txt we will crack the game down to the original number of 4 disks.
No repacking or creation of a boot disk is needed, as with some previous cracks.
The game is protected with a simple copylock protection that returns the key in register D0 and at (A3).
The tricky part is that the copylock is stored in an RNC-packed file that is locked against decrunching.
Furthermore the boot block is encrypted and decrypts a new boot block. The boot block checksum is adapted so that the values give the text "Disk 1". If the boot block is changed in any way, the text will also change. This is real bad, as the game checks the text several times during boot; that's why there is an old five-disk crack.
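The boot block check the text keeps running into is the standard AmigaDOS one: Kickstart only boots from a 1024-byte boot block that starts with the "DOS" identifier and whose 256 longwords, summed with end-around carry with the checksum field treated as zero, complement to the stored checksum. The following is an added example, not the game's code: it computes and verifies that checksum on a constructed boot block (the boot code bytes are made up for the demonstration) and shows that changing a single byte invalidates it, which is why the decrypted boot block cannot simply be edited in place.

```python
# Added example: the standard AmigaDOS boot block checksum, which Kickstart
# checks before executing a disk's boot code. Not the game's code; the sample
# boot block below is constructed for the demonstration.

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors (cylinder 0, sectors 0 and 1)
CHECKSUM_OFFSET = 4            # longword at offset 4 holds the checksum
ROOT_BLOCK_DD = 880            # root block number of a double-density disk


def bootblock_checksum(block: bytes) -> int:
    """Sum all 256 big-endian longwords with end-around carry (68000 ADDX
    style), treating the checksum field as zero, and return the complement."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if off == CHECKSUM_OFFSET else int.from_bytes(block[off:off + 4], "big")
        total += word
        if total > 0xFFFFFFFF:            # fold the carry back into bit 0
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def is_valid_bootblock(block: bytes) -> bool:
    """True if the block carries the 'DOS' identifier and a correct checksum."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    stored = int.from_bytes(block[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4], "big")
    return stored == bootblock_checksum(block)


def build_bootblock(code: bytes) -> bytes:
    """Assemble a boot block from arbitrary boot code and fill in the checksum."""
    header = b"DOS\x00" + b"\x00" * 4 + ROOT_BLOCK_DD.to_bytes(4, "big")
    body = header + code
    if len(body) > BOOTBLOCK_SIZE:
        raise ValueError("boot code too large for a boot block")
    block = bytearray(body + b"\x00" * (BOOTBLOCK_SIZE - len(body)))
    block[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = bootblock_checksum(bytes(block)).to_bytes(4, "big")
    return bytes(block)


def with_byte_changed(block: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one byte replaced (models any edit to the boot block)."""
    edited = bytearray(block)
    edited[offset] = value
    return bytes(edited)


# Constructed boot code: three 68000 instructions (NOP, NOP, RTS) standing in
# for real boot code. Not taken from the game.
SAMPLE_CODE = bytes.fromhex("4e71" "4e71" "4e75")

if __name__ == "__main__":
    good = build_bootblock(SAMPLE_CODE)
    print("checksum = %08X  valid = %s" % (bootblock_checksum(good), is_valid_bootblock(good)))
    tampered = with_byte_changed(good, 12, 0x60)   # alter the first byte of boot code
    print("after a one-byte edit valid = %s" % is_valid_bootblock(tampered))
```

The carry fold is the part people get wrong when reimplementing this: a plain 32-bit sum gives a different value from the one Kickstart computes, so a block that looks correct in a naive tool is still rejected at boot.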
We will do it a bit differently. The simplest way is often overlooked... 🙂
Start by backing up the four disks. Disk 1 contains the protection track, so the first track will show up as faulty. The rest of the disk is OK. Try running the decrypting routine on disk 1 and check out the new boot block that appears (you can skip this part if you want):

Here is the original compared to the decrypted:

How dare he call me "sad" 🙂
Let's start by getting the key and ripping the copylock.
Boot the copy of the game and enter AR when the Core logo appears. At this point the game has decrunched the protection.

Locate the copylock by searching for the classic "PEA xxxxx(PC)" instruction: "f 48 7a".
You should get two hits, at addresses 70390 and 703A0.
Disassemble address 70390 and locate the end of the encrypted code (easy to spot, as normal code starts again):

At address 70C40 the copylock key is compared with D0; they are so kind as to give the key away. The key is E3423B31.
If you look at the code just before the first "pea" in the TVD, you'll see A3 is set to point to address 7005E; the key is also returned there.
Insert a blank disk in DF0: and save the copylock: "sm cop,70390 70c40" (no pic of this, sorry).
Start up and enter ARIV. To be able to decrypt the copylock routine, enter ROBD mode: "robd".

Insert the disk with the saved routine and load it to address 70000: "lm cop,70000".
Disassemble address 70000 and look out for the usual place to wire the key in:

All the disk accessing, where the protection track is read and the key is calculated, is done by the code from 703ca to 70414.
All of this can be skipped and the key inserted directly into D0 instead. We can do the "move.l #key,d0" at address 703de and branch to address 70410.

Before the new opcodes are made, take note of the original ones at address 703DE; they are marked in green in the picture above.
Assemble at address 703de: insert the key in d0 and branch to address 70410. The only point of doing this is to work out the new opcodes. When done, take note of the new opcodes, marked in red above.
The decrypter is still on, so the "normal" code we insert will be turned into encrypted code by ARIV. The next part is how to get the opcodes into the copylock. We can't change the boot block and patch the decrunched data, because the game checks the boot block checksum, and the file with the protection is RNC crunched...
The RNC cruncher often leaves chunks of the crunched file unchanged. The part of the copylock routine we want to change is actually left unmodified!
Disable robd mode: "robd".
Insert the copy of disk 1 and read it into memory, starting at address 10000: "rt 0 a0 10000".
Search for the original opcodes: "f d5 6c 9d 94".
ARIV will return no less than eight addresses. The first copylock is the one kicking in when the game starts. The remaining ones seem not to be used, but we will patch them anyway.

Type "m 10c6e", hit enter, insert the new opcodes and hit enter again. Do this with all eight addresses. When done, write the tracks back: "wt 0 a0 10000".
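The reason the search above finds anything at all is a general property of dictionary packers, not a quirk of this game: compression is not encryption, and any stretch of bytes for which the packer finds no earlier copy is emitted as a literal run, verbatim. The following is an added example, not from the page and not RNC ProPack: a toy LZ77-style packer with its own token format, run over a constructed buffer that contains the four-byte sequence the text searches for. Repetitive data turns into match tokens, while the unique sequence is still found at one offset in the packed output, which is why "locking" a packed file against decrunching protects nothing that lives in a literal run.

```python
# Added example: a toy LZ77-style packer (constructed for this page; it is not
# RNC ProPack and not the game's own format). It models one property that
# dictionary packers share: bytes with no earlier copy are emitted as literal
# runs, so a short unique byte sequence survives verbatim in the packed file.

from typing import List, Tuple

WINDOW = 4096            # how far back a match may reach
MIN_MATCH = 3            # shorter matches are cheaper as literals
MAX_MATCH = 255          # one length byte per token
MAX_LITERAL_RUN = 255    # one length byte per literal run


def _longest_match(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (distance, length) of the longest earlier copy of data[pos:]."""
    best_len, best_dist = 0, 0
    limit = min(MAX_MATCH, len(data) - pos)
    for cand in range(max(0, pos - WINDOW), pos):
        length = 0
        while length < limit and data[cand + length] == data[pos + length]:
            length += 1
        if length > best_len:
            best_len, best_dist = length, pos - cand
    return best_dist, best_len


def pack(data: bytes) -> bytes:
    """Token stream: 0x00 <n> <n raw bytes>  |  0x01 <len> <dist, 2 bytes big-endian>."""
    out = bytearray()
    literals = bytearray()

    def flush_literals() -> None:
        if literals:
            out.extend((0x00, len(literals)))
            out.extend(literals)
            literals.clear()

    pos = 0
    while pos < len(data):
        dist, length = _longest_match(data, pos)
        if length >= MIN_MATCH:
            flush_literals()
            out.extend((0x01, length))
            out.extend(dist.to_bytes(2, "big"))
            pos += length
        else:
            literals.append(data[pos])      # no usable back-reference: copied through as-is
            pos += 1
            if len(literals) == MAX_LITERAL_RUN:
                flush_literals()
    flush_literals()
    return bytes(out)


def unpack(packed: bytes) -> bytes:
    """Inverse of pack(); raises on an unknown token tag."""
    out = bytearray()
    i = 0
    while i < len(packed):
        tag = packed[i]
        i += 1
        if tag == 0x00:
            n = packed[i]
            out.extend(packed[i + 1:i + 1 + n])
            i += 1 + n
        elif tag == 0x01:
            n, dist = packed[i], int.from_bytes(packed[i + 1:i + 3], "big")
            i += 3
            for _ in range(n):              # byte-wise copy allows overlapping matches
                out.append(out[-dist])
        else:
            raise ValueError("corrupt token at offset %d" % (i - 1))
    return bytes(out)


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs verbatim in buf."""
    hits, start = [], 0
    while (idx := buf.find(pattern, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


# Constructed stand-in for a crunched program file: repetitive data that packs
# well, plus a stretch of unique bytes containing the four-byte sequence the
# text searches for (d5 6c 9d 94). The surrounding bytes are made up.
ORIGINAL_OPCODES = bytes.fromhex("d56c9d94")
SAMPLE = (b"\x00" * 200                       # zero padding -> match tokens
          + b"\x4e\x71" * 50                  # repeated NOPs -> match tokens
          + bytes(range(0x10, 0x40))          # unique bytes -> literal run
          + ORIGINAL_OPCODES
          + bytes(range(0x40, 0x70))
          + b"\x00" * 100)

if __name__ == "__main__":
    packed = pack(SAMPLE)
    assert unpack(packed) == SAMPLE
    print("%d -> %d bytes" % (len(SAMPLE), len(packed)))
    print("pattern in plain file at", find_all(SAMPLE, ORIGINAL_OPCODES))
    print("pattern in packed file at", find_all(packed, ORIGINAL_OPCODES))
```

The same search over the packed buffer would fail only if the bytes in question happened to be covered by a match token, which is exactly the luck the text reports for the copylock routine: whether a given instruction survives depends on what the packer saw earlier in the file, not on any protection.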
Boot up and have fun with your new 4-disk-only cracked version.

For quick testing, I have skipped through all levels and they start fine.
Dedicated to sweet sweet Victoria.

Rob



Galahad
17 years ago

I didn’t crack Dragonstone for Rednex/Traders Dream, it was done by someone else.

DLFRSILVER
18 years ago

Yay great again matey ^^
