
Frenetic
© Core Design, 1990

1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Three blank disks – find them in your local Amiga store
6. ARIV

Note!
Some addresses may differ on your computer.
Start by backing up the original game disks, so we have something to work with. Both disks carry an error on track 0, which is a copylock track.
There are four identical copylock routines in this game: one on disk 1, three on disk 2, two of which are crunched.
Disk 1 is the intro disk and disk 2 contains the game. Disk 2 can also be booted, if you want to skip the intro.
This txt will describe in detail how to crack the game, based on a boot from the intro disk. A quick crack for disk 2 is also shown, if you aren't interested in the intro.
This type of copylock returns the copylock key in the address that A4 points to. To try to fool the cracker, the copylock tracks on the two game disks are different. This means that the copylock key is not the same on disks 1 and 2.
Because the copylocks on disk 2 are crunched, we have to take over the game and patch the decrunched routines before they are executed.
To crack the copylocks, we will wire the key into the encrypted copylock, using ARIV to make new opcodes.
Let's start!
Execute ARIV and boot the copy of disk 1. After a few seconds, ARIV pops up because an exception occurred.
Locate the copylock: F 48 7A. AR returns addresses 7B42 & 7B52. Perhaps something interesting happens at the end of the copylock routine. Disassemble address 7B42 and stop when normal code starts again.

Address 840E moves the contents of address 71674 into D0. This is the address where the copylock key is returned. If you look at the code just before the copylock routine, you'll notice that A4 is set to point to address 71674.
At address 8414 is the classic stupid compare routine that just gives the copylock key away. The key is 08 39 46 87.
Armed with the key, we can use ARIV to wire it into the encrypted code. Enable the RNC decrypter: ROBD.
Disassemble the start of the copylock (7B42) and watch out for the key wire location:

The disk accessing part and the key calculations of the copylock are done within the code from address 7F48 to 7F8E.
Registers are saved by the code at address 7F48. Address 7F5C is a good place to wire the key in, as no disk routines have been called yet. We wire the key into D0, clear D1 and then branch to address 7F8E. This should give the best result.
Disassemble a bit further:

Address 7F8C moves the key from D6 to D0 (we skip this part) and registers are restored at 7F8E, our branch address.
Address 7F92 branches to the second part of the copylock.
Take note of the first long word of original opcodes in the copylock, as we need them later on when making the patch. They are marked in green above.
Assemble 7F5C and insert the code you see above. After that, take note of the new opcodes marked in red.
The RNC decrypter is still active, so the normal code we insert will be encrypted instead of decrypted. This means that no calculations are needed.
We now have new opcodes for the first copylock, but the addresses to patch are unknown, because the first copylock is located at a relative address.
The first copylock is loaded by the boot block together with the main loader. Perhaps something interesting can be found here.
Read the boot block into memory, starting at address 70000: RT 0 1 70000. The first part of the boot block is a header and the checksum; the actual code starts at offset C. Disassemble 7000C and look out for jumps into the code loaded into memory:

The boot block loads data into memory, starting at the address A3 points to. This is then executed by a JMP (A3), at line 7005C. Alter this to a loop and reboot. Follow the steps shown in the picture above.
After the reboot, the game should halt almost immediately after boot. Enter AR and search for the original opcodes in the copylock, to check if they appear in memory: F 47 F4 9C 78. AR returns address 7284, which means we have the copylock in memory.

Press R to see the registers. A3 points to the start of the loaded data. If we subtract the start of the loaded data (59E8) from the address we want to alter (7284), we get the value to add to A3 so that it points to the address we want to alter 🙂
We need to do this because A3 will not always point to address 59E8; it will depend on your memory configuration.
Make the calculation: 7284 - 59E8 = 189C. 189C is the value to add to A3 to make it point to the first long word in the copylock that needs to be patched. The next long word will just be 189C + 4, and so on.
Then there is the little matter of copylocks 2 & 3. These are both located at fixed addresses, but are crunched.
The first thing is getting the copylock key and making new opcodes.
Boot the original game and continue loading past the intro, till the title screen appears.
The copylocks have now been decrunched, but not executed. Locate them: F 48 7A. AR returns four addresses with $10 between them, which means we have two copylocks in memory. The one starting at address 42F4 is run first. Disassemble from its start and stop when you reach the end of the encrypted code:

This happens at address 4BC0. This line moves the copylock key from 282E4 into D0. Set a breakpoint at address 4BC0 and continue the game. When the copylock has run & passed, the key can be grabbed from address 282E4.

When the breakpoint is raised, see the key: M 282E4. Insert a blank disk and save the copylock routines, so we can load them into ARIV & decrypt them: SM COP,42F4 10000.
For later use when patching the copylocks, it might be useful to know where the decrunched code starts.
Copylock 1 starts at address 42F4, so perhaps the data starts at address 4000. Make a memory dump:

It's hard to tell from just a memory dump. Try disassembling an address near 4000, e.g. 3FEE. When you reach 4000, reasonable code seems to appear, so there is a real good chance that 4000 is the start of the decrunched data.
Start ARIV and enter it using RMB. Load the saved file into memory, starting at address 42F4 (start of copylock 1): LM COP,42F4. Enable the decrypter: ROBD.
To make the new opcodes, you simply do the same as with copylock 1; we just use another key.

Follow the steps shown in the pictures:

Take note of the new opcodes, marked in red. I also highlighted a long word of original opcodes. This will help us locate the second crunched copylock.
When we find the opcodes for copylock 2, the opcodes we already have can be used, as the two copylocks are identical.
The next step is finding the addresses where to wire the opcodes in. We can't use the above addresses, as the copylocks are moved around in memory after decrunching. Patching the decrunched copylocks will require taking over a series of jumps.
It might be a good idea to take some notes...
Boot the copy of disk 1 and enter AR when the loop routine kicks in. We now have the main loader and copylock 1 in memory.
We are interested in accessing the two crunched copylocks BEFORE they are executed. It's usually a great idea to scan memory for JMP instructions. JMP starts with 4E F9. Search for it: F 4E F9. AR returns two addresses.
Have a look at the second one; it jumps to address 65000. Assemble and change this to a loop, see beneath:

To continue the game, we need to jump to the address A3 points to, remember? See the registers: R. A3 points to 59E8.
Insert the ORIGINAL disk 1 and execute this address: G 59E8. We still have to use the original disk, due to copylock 1...
The Core logo appears and the game begins to load. Suddenly the screen turns black and the game hangs, where the intro normally would start. This must be our loop kicking in. Enter AR and check if the copylocks are decrunched now: F 48 7A. AR returns no addresses. Hmmm, the copylocks aren't loaded & decrunched yet. Let's see if anything calls address 4000, which we assumed was the start of the decrunched data. Type: FA 4000. AR returns two addresses, of which only 625F2 is a JMP.

Assemble 625F2 and change it to a loop, see above. We halted the game by changing a JMP 65000 to a loop. To continue the game, we have to jump to address 65000: G 65000.
The intro starts. Insert disk 2 and press fire to continue loading. The game loads and then freezes after a while. Enter AR and press D + enter. You should be stuck at your loop routine.

See the contents of memory at address 4000: N 4000 + enter.
In the first line, the text "RNC" appears. This smells like a ProPack decruncher. This one decrunches over itself, making the decrunched data start at address 4000. The interesting part of the decruncher is the end of it, where it executes the decrunched data. (It seems it first jumps to the stack and calls a routine which moves the decrunched data into place, at address 4000.)
Disassemble address 4000 and look out for jumps:

Address 41A8 jumps to the stack. We will need to take over this jump, as it executes the decrunched data. The problem is that a JMP to an absolute address such as JMP 100.S is 2 bytes larger than JMP (A7). This means that the new JMP must be inserted at address 41A2 and the code we remove must be restored in the crack patch.
Assemble 41A8 and change it to a loop, see above. Continue the game by jumping to address 4000: G 4000. After about 20 seconds, the file should be decrunched. Enter AR and check if you are stuck at the loop.
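To see where that 2-byte difference comes from, here is an added example (not part of the tutorial, and not Action Replay or ARIV code) that decodes and encodes the 68000 JMP/JSR forms this crack relies on: JMP (A7) is a single 2-byte opcode word (4ED7), an absolute short JMP such as JMP 100.S takes one extension word (4EF8 0100), and an absolute long JMP takes two (4EF9 0000 0100), which is also why F 4E F9 finds the long-form jumps. The byte strings are the page's own values re-typed as constructed inputs; the function names are mine.

```python
# Added example (not from the tutorial): encode/decode the 68000 JMP and JSR
# forms that appear in the patches, so the raw opcode words become readable.
# All inputs below are constructed by hand from values quoted on the page.
import struct

# Bits 15..6 of the opcode word select JMP or JSR; bits 5..0 are the
# effective-address field (3-bit mode, 3-bit register).
_OPCODES = {0x4EC0: "JMP", 0x4E80: "JSR"}


def decode_jump(code: bytes, offset: int = 0):
    """Decode one JMP/JSR at `offset` -> (mnemonic, operand text, byte length)."""
    (word,) = struct.unpack_from(">H", code, offset)
    mnemonic = _OPCODES.get(word & 0xFFC0)
    if mnemonic is None:
        raise ValueError(f"not a JMP/JSR opcode word: ${word:04X}")
    mode, reg = (word >> 3) & 7, word & 7
    if mode == 0b010:                      # (An): register indirect, no extension word
        return mnemonic, f"(A{reg})", 2
    if mode == 0b111 and reg == 0b000:     # absolute short: one sign-extended 16-bit word
        (addr,) = struct.unpack_from(">H", code, offset + 2)
        return mnemonic, f"${addr:X}.S", 4
    if mode == 0b111 and reg == 0b001:     # absolute long: two extension words
        (addr,) = struct.unpack_from(">L", code, offset + 2)
        return mnemonic, f"${addr:X}", 6
    raise ValueError(f"addressing mode {mode:03b}/{reg:03b} not handled in this example")


def encode_jmp_abs(addr: int, force_long: bool = False) -> bytes:
    """Encode a JMP to an absolute address: short form (4EF8 + one word) when the
    address fits a sign-extended 16-bit word, i.e. below $8000, unless force_long
    is set; otherwise the long form (4EF9 + two words)."""
    if addr < 0x8000 and not force_long:
        return struct.pack(">HH", 0x4EF8, addr)
    return struct.pack(">HL", 0x4EF9, addr)


def size_delta(new: bytes, old: bytes) -> int:
    """Extra bytes `new` needs compared to `old`, e.g. JMP 100.S versus JMP (A7)."""
    return decode_jump(new)[2] - decode_jump(old)[2]


if __name__ == "__main__":
    # Constructed byte strings of the page's own jumps.
    for hexstr in ("4ED7", "4EF8011C", "4EF900000100", "4EF900065000"):
        print(hexstr, "->", decode_jump(bytes.fromhex(hexstr)))
    print("JMP 100.S vs JMP (A7): +%d bytes"
          % size_delta(bytes.fromhex("4EF80100"), bytes.fromhex("4ED7")))
```

The short form is what the patch writes with MOVE.L #4EF8011C,41A2.S; the long form is used where a 6-byte JMP 65000 is overwritten in place with MOVE.L #4EF90000 followed by MOVE.W #100, so the instruction length does not change.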

Search for the original opcodes in the copylock: F 47 F4 9C 78. AR returns addresses 49C4 & 545E. These two addresses are the first long word to patch in each copylock. To calculate the next long word, just add 4, and for the last word add 4 again.
See the calculations here:

Armed with this, a crack patch can be made. While we are at it, a routine for moving the patch for copylocks 2 & 3 into memory can be made as well. This routine and the patch can be located in the boot block, which contains plenty of spare bytes.
Read the boot block into memory, starting at address 70000: RT 0 1 70000. To call our first patch & copy routine, change the loop you made before to a BRA 700C0, see beneath:

When done, assemble 700C0 (a 700C0) and code the copy routine for patching copylocks 2 & 3, and crack copylock 1:

700C0; LEA 100,A0; destination address 100 for patch
700C6; LEA 70200(PC),A1; copy from offset 200
700CA; MOVE.W #8E,D7; amount to copy (at least size of patch)
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; MOVE.L #06C894BD,189C(A3); crack copylock 1
700DC; MOVE.L #6073E6BD,18A0(A3); crack copylock 1
700E4; MOVE.W #005B,18A4(A3); crack copylock 1
700EA; MOVE.L #4EF90000,1D8E(A3); change JMP 65000 to JMP 100
700F2; MOVE.W #100,1D92(A3); change JMP 65000 to JMP 100
700F8; JMP (A3); jump we took over

Assemble 70200 (a 70200) and code the crack patch + micro trainer:

70200; MOVE.L #4EF80110,625F2; alter JMP 4000.S to JMP 110.S
7020A; JMP 65000; jump we took over
70210; MOVE.L #4EF8011C,41A2.S; insert JMP 11C in end of decruncher
70218; JMP 4000.S; jump we took over
7021C; MOVE.L #45FAFFFE,-(A7); restore code removed in end of decruncher
70222; MOVE.L #06C831C0,49C4.S; crack first decrunched copylock
7022A; MOVE.L #9CE743C0,49C8.S; crack first decrunched copylock
70232; MOVE.W #FCCF,49CC.S; crack first decrunched copylock
70238; MOVE.L 49C4.S,545E.S; crack second decrunched copylock
7023E; MOVE.L 49C8.S,5462.S; crack second decrunched copylock
70244; MOVE.W 49CC.S,5466.S; crack second decrunched copylock
7024A; MOVE.W #F,DFF180; trainer start here; set background to blue
70252; BTST #6,BFE001; check for LMB pressed
7025A; BEQ 70268; if pressed, branch to 70268 and train number of ships
7025C; BTST #A,DFF016; check for RMB pressed
70264; BEQ 7028C; if pressed, branch to 7028C and start normal game
70266; BRA 7024A; loop till pressed
70268; MOVE.L #4E714E71,D4; insert 2x NOP in D4
7026E; MOVE.L D4,BB70; train number of ships
70274; MOVE.W D4,BB74; train number of ships
7027A; MOVE.L D4,69DA.S; train number of ships
7027E; MOVE.L D4,69DE.S; train number of ships
70282; MOVE.L D4,5C18.S; train number of ships
70286; MOVE.W D4,5C1C.S; train number of ships
7028A; CLR.L D4; restore D4 to its original value
7028C; JMP (A7); start game

Correct boot block checksum: BOOTCHK 70000
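What BOOTCHK 70000 recomputes is the AmigaDOS boot block checksum: the one's-complement sum (carry out of bit 31 added back in) of the 256 long words of the 1024-byte boot block, with the checksum field at offset 4 counted as zero, then inverted. The following is an added example, not part of the tutorial and not Action Replay code, that does the same calculation offline on the first 1024 bytes of an ADF image, so a modified boot block can be checked or fixed without the cartridge; the sample block and the function names are mine.

```python
# Added example (not from the tutorial): the AmigaDOS boot block checksum that
# Action Replay's BOOTCHK recomputes, done on a 1024-byte block in Python.
# The sample block at the bottom is constructed, not taken from the game.
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors of track 0
CHECKSUM_OFFSET = 4     # long word right after the "DOS\0" signature


def _add_end_around(total: int, value: int) -> int:
    """32-bit add where a carry out of bit 31 is added back into bit 0."""
    total += value
    if total > 0xFFFFFFFF:
        total = (total & 0xFFFFFFFF) + 1
    return total


def bootblock_checksum(block: bytes) -> int:
    """Sum the 256 long words with end-around carry, treating the checksum field
    itself as zero, and return the inverted sum."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == CHECKSUM_OFFSET:
            continue
        (word,) = struct.unpack_from(">L", block, offset)
        total = _add_end_around(total, word)
    return ~total & 0xFFFFFFFF


def fix_checksum(block: bytes) -> bytes:
    """Return a copy of `block` with a valid checksum written at offset 4."""
    fixed = bytearray(block)
    struct.pack_into(">L", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


def is_valid_bootblock(block: bytes) -> bool:
    """True if the block carries the DOS signature and its stored checksum matches
    the recomputed one; a patched block that was not re-checksummed fails here."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    (stored,) = struct.unpack_from(">L", block, CHECKSUM_OFFSET)
    return stored == bootblock_checksum(block)


def sample_bootblock() -> bytes:
    """Constructed minimal block: signature, empty checksum field, root block 880,
    one instruction word (LEA 62(PC),A1) and zero fill up to 1024 bytes."""
    head = b"DOS\0" + b"\0\0\0\0" + struct.pack(">L", 880) + bytes.fromhex("43FA003E")
    return head + b"\0" * (BOOTBLOCK_SIZE - len(head))


if __name__ == "__main__":
    block = sample_bootblock()
    print("checksum: %08X" % bootblock_checksum(block))
    print("valid before fix:", is_valid_bootblock(block))
    print("valid after fix: ", is_valid_bootblock(fix_checksum(block)))
```

Running the fix on the first 1024 bytes of an ADF and writing them back is the file-image equivalent of the RT / BOOTCHK / WT sequence; a block whose stored checksum no longer matches is exactly what Kickstart refuses to boot.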

Write boot block back: WT 0 1 70000.
And you are done!
As mentioned at the start of this txt, you can boot directly into the game and skip the intro by booting from disk 2.
The above crack requires you to boot from disk 1. Here is how to crack disk 2, so you can also boot from there:
Insert the copy of disk 2 and read the boot block into memory, starting at address 70000: RT 0 1 70000. Assemble 7005C and insert a BRA 700C0. See the picture:

Assemble 700C0 and code the copy routine to move the crack patch to address 100 and crack the non-crunched copylock:

700C0; LEA 100,A0; destination address 100 for patch
700C6; LEA 70200(PC),A1; copy from offset 200
700CA; MOVE.W #7E,D7; amount to copy (at least size of patch)
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; MOVE.L #06C831C0,189C(A3); crack copylock 1
700DC; MOVE.L #9CE743C0,18A0(A3); crack copylock 1
700E4; MOVE.W #FCCF,18A4(A3); crack copylock 1
700EA; MOVE.L #4EF90000,1D8E(A3); change JMP 4000 to JMP 100
700F2; MOVE.W #100,1D92(A3); change JMP 4000 to JMP 100
700F8; JMP (A3); jump we took over

Assemble 70200 and make the crack patch + train number of ships:

70200; MOVE.L #4EF8010C,41A2.S; insert JMP 10C in end of decruncher
70208; JMP 4000.S; jump we took over
7020C; MOVE.L #45FAFFFE,-(A7); restore code removed in end of decruncher
70212; MOVE.L #06C831C0,49C4.S; crack first decrunched copylock
7021A; MOVE.L #9CE743C0,49C8.S; crack first decrunched copylock
70222; MOVE.W #FCCF,49CC.S; crack first decrunched copylock
70228; MOVE.L 49C4.S,545E.S; crack second decrunched copylock
7022E; MOVE.L 49C8.S,5462.S; crack second decrunched copylock
70234; MOVE.W 49CC.S,5466.S; crack second decrunched copylock
7023A; MOVE.W #F,DFF180; trainer start here; set background to blue
70242; BTST #6,BFE001; check for LMB pressed
7024A; BEQ 70258; if pressed, branch to 70258 and train number of ships
7024C; BTST #A,DFF016; check for RMB pressed
70254; BEQ 7027C; if pressed, branch to 7027C and start normal game
70256; BRA 7023A; loop till pressed
70258; MOVE.L #4E714E71,D4; insert 2x NOP in D4
7025E; MOVE.L D4,BB70; train number of ships
70264; MOVE.W D4,BB74; train number of ships
7026A; MOVE.L D4,69DA.S; train number of ships
7026E; MOVE.L D4,69DE.S; train number of ships
70272; MOVE.L D4,5C18.S; train number of ships
70276; MOVE.W D4,5C1C.S; train number of ships
7027A; CLR.L D4; restore D4 to its original value
7027C; JMP (A7); start game

The above patch does the same as the patch on disk 1, except that some JMP addresses don't have to be patched. Correct the boot block checksum: BOOTCHK 70000

Write boot block back: WT 0 1 70000.
When you boot either disk 1 or 2, the screen will flash blue at some point. Hold down LMB for a few seconds to get unlimited ships, or hold down RMB for a normal game.

I have played through the whole game and it works just fine.
Dedicated to the sweetest girl on earth...
Supplied by DLFRSILVER

Rob

