Virgin
1993
1. Original game - find on emunova.net
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
6. Copylock Decoder - find on codetapper.com
7. Scientific calculator (built into Windows)
Start by making a copy of the original game disks. You'll notice an error on disk 2, track 0.
This is probably a copylock track.
When the copy of the game is started, everything seems fine. The copylock routine is executed
shortly after disk 2 has been inserted.
The copylock fails here, of course, but the game continues to load. The game seems to start
fine, until kick off, where the computer crashes. Hmm...
This copylock modifies the game's memory from the encrypted part of the copylock. We have to
decrypt the copylock and determine which part of it to alter. If we wire the magic number in
within the encrypted part, the sneaky parts will also be executed and the game will work.
We would now normally find the magic number, but the correct magic number isn't returned
in either D0 or address 60.
Let's start by ripping the copylock and decrypting it, to determine where the magic
number is returned.
Boot the game and enter AR when the screen turns green. The copylock has been loaded into
memory at this time.
Search for the copylock: FS "ONz". AR returns two addresses.
Disassemble address 9D5D and hold Enter down until you reach the bottom of the screen, then
scroll up again until this appears:
The copylock starts at address 9D42 and seems to end around address A60A, where it returns.
Insert a blank disk and save the copylock: SM COPYLOCK, 9D42 A60C.
Start the copylock decoder. It will first ask you for a copylock program to load. Insert the
disk with the saved copylock and choose the file "copylock".
It will then ask for the magic number. Just press Enter, since we don't have it.
This MIGHT have the effect that some part of the copylock isn't decrypted.
It will then ask for the sync; since we have the original disk, choose 89??
You will then be prompted to insert the original disk in DF0:. Insert disk 2 and press OK.
You will then be asked for the value of the D3 register; choose $0000.
A moment later, the copylock decoder is finished with its work and the decoded file is ready
to be saved. Insert the disk with the saved copylock and simply press OK.
You should now have a new file called "copylock.dec", which is the decrypted copylock.
Fire up AR and load the decrypted copylock into address 40000: LM COPYLOCK.DEC,40000.
Disassemble address 40000. Stop when this appears:
Notice line 407DC. It moves D0 into address BC. Line 407E0 moves a "fake" magic number
into D0, which is probably used in the following routine to modify game memory.
We now know that the magic number is returned at address BC.
Boot the original game and enter AR after kick off. The copylock has run and passed at
this time.
The real magic number was returned at address BC:
The magic number is 16 BA 3B 5B; write this down. Let's disassemble the decrypted copylock
and determine where to wire the magic number in.
Load the decrypted copylock into memory, starting at address 40000: LM COPYLOCK,40000
Disassemble 40000 and stop when this appears:
Address 403E2 is the one we are interested in. This is where we'll put the
MOVE.L #16BA3B5B,D0.
We also want to skip the disk access, so we need a BRA past the disk access after
inserting the magic number in D0.
But where to branch to?
We actually have a BRA at address 4042C; this branches to the part of the copylock which
moves the magic number to address BC, etc. This is the address to branch to.
See it with D 4042C.
If you follow the code, you'll see D0 moved into address BC and the new number being
moved into D0.
We need to find the opcodes for the code we want to put in the copylock. Assemble 403E2
and insert the following code:
This is the code we want in the encrypted copylock.
Find the opcodes for the patch by typing M 403E2 + Enter + Esc to see the
MOVE.L #16BA3B5B,D0 instruction, and M 403E8 + Enter + Esc to see the BRA instruction.
We need these opcodes to alter the encrypted code, so write them down.
We now know where in the copylock to insert our patch, and we know the opcodes.
The encryption works by XOR'ing data. We need the encrypted opcodes from the long word
instruction right before our changes; our changes are at address 403E2 and the
instruction before starts at address 403DE.
So load the encrypted copylock into memory, starting at address 40000: LM COPYLOCK,40000.
We want the opcodes for the long word instruction at address 403DE, the address before
our changes.
Type M 403DE + Enter. Write down the opcodes marked in red.
Now it's time to calculate the new encrypted code. Start your calculator and XOR the
following:
ENCRYPTED    XOR   NEW UNENCRYPTED   =   NEW ENCRYPTED
D8A1F875     XOR   203C16BA          =   F89DEECF

Last two bytes:

ENCRYPTED    XOR   NEW UNENCRYPTED   =   NEW ENCRYPTED
D8A1         XOR   3B5B              =   E3FA
So the new encrypted opcodes for address 403E2 are: F8 9D EE CF E3 FA.
This is the encrypted code for MOVE.L #16BA3B5B,D0.
The next instruction is our BRA. The previous encrypted long word is EE CF E3 FA and the
unencrypted BRA instruction is 6042. Let's rewrite this as a long word: 60000042
The next calculation looks like this:

ENCRYPTED    XOR   NEW UNENCRYPTED   =   NEW ENCRYPTED
EECFE3FA     XOR   60000042          =   8ECFE3B8
If we connect the new code into one long string, it looks like this: F8 9D EE CF
E3 FA 8E CF E3 B8.
We simply have to overwrite the encrypted copylock code with our new cracked encrypted
code.
The copylock is located on disk 1, track 12. Insert the copy of disk 1 and read track 12
into memory, starting at address 30000:
RT 18 2 30000.
We have the opcodes for the instruction right before our patch. Search for them, starting
at address 30000:
F D8 A1 F8 75,30000.
AR returns one address: 30A1C. See the opcodes with M 30A1C + Enter.
The previous instruction is marked in red. This was a long word instruction, so we are
interested in the data marked with the white line.
Change these opcodes to the opcodes you calculated, marked with a green line, followed
by Enter + Esc.
This changes the copylock so that we wire the magic number in within the encrypted code,
and branch past the disk accessing part.
Write the track back: WT 18 2 30000.
Cracking by Rob
All play testing by Yuggi Bear
Dedicated to sweet sweet Victoria
Rob