

? Bitmap Brothers


1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks – find it in your local Amiga store

This is probably one of the BEST Amiga games EVER made. I still remember when I got it from my friend ALE, it was back in the sixth grade. I came home from school and spent hours, actually days playing this fantastic game.
Start by backing up original game disks, so we have something to work with. Disk 1 contains a copylock track, which appears as bad during copying.
When copylock fails, it does not crash the game at first sight. It affects monsters, so they get MUCH more aggressive and need many shots to be killed. Just try playing level four with a copy, and you'll see what I mean. Sudden freezing also seems to be caused by the copylock.
I have chosen to crack game by patching the copylock, rather than changing it directly on disk. I tried this method and it worked just fine, until I killed the final boss. Then nothing happened, the end sequence did not appear.
Instead, we patch the copylock when it appears correctly in memory and after it has run, we put original opcodes back into it. With this method, I played through the whole game (again) and everything worked fine and end sequence also appeared correctly.
This copylock seems to do lots of stuff to the game, so best way is to wire copylock key into it. For this, copylock key is needed.
Boot copy of game. When this screen appears after the intro sequence, start paying attention:

Copylock is run at the time when the above screen appears. We need to rip the copylock routine from memory, so it can be decrypted. This is not so easy, as copylock is removed from memory when it has run. I suggest you use a real Amiga, as you can hear very clearly when the copylock is executed. You will suddenly hear a drive grinding sound, now it's time to enter AR. If you use WINUAE, keep an eye on your track counter. When game is reading track 0 for a long time, enter AR.
Locate copylock: "F 48 7A".

AR returns six addresses, we are only interested in the first one. The other addresses, in the 50000 area, are also the copylock; game first places the copylock there and then moves it to address 35DAE.
Insert a blank disk and save; SM COP,35DAE 40000. Start ARIV, enter with RMB and enable the RNC decrypter: ROBD.

Disassemble 35DAE and look out for this:

Address 3656C looks interesting, as it shows us that copylock key is moved to address 60.
Boot original game and enter AR, when you are prompted to insert disk 2. Copylock has now run & passed, so key can be grabbed from address 60.

Key is marked with red in the above picture.
Key can now be wired into the encrypted code and new opcodes can be made.
Like earlier, start ARIV, load copylock in and enable the decrypter. Disassemble start of copylock and watch out for location to wire key in.

The disk accessing part and key calculations of copylock key are done within the code from address 36174 – 361BA. Registers are saved by the code at address 36174. Address 36188 is a good place to wire key in, as no disk routines have been called yet. We wire key into D0, clear D1 and then branch to address 361BA. This should give the best result. Disassemble a bit further:

Address 361B8 moves key from D6 to D0 (we skip this part) and registers are restored at 361BA, our branch address.
Address 361BE branches to second part of copylock, which modifies game's memory.
Take note of original opcodes in copylock, marked with green above.
We will crack game by wiring new opcodes into the copylock. When copylock has run, we clean up after ourselves, by restoring the code we have altered. To do this, we need to know what code is run just after the copylock.
Copylock does not end with an RTS or RTE, but it jumps to address 500. Copylocks often move A7 to address 24, which then points to some code that is run after/at the end of the copylock. I entered AR when copylock was finished reading track 0, and moved reading head back in place. I checked address 24, it pointed to address 3A8AA. A routine at address 3A8AA appeared, here is some of it:

Address 3A8EA caught my interest, because of the value being moved.

I tried executing the routine and looking at A7 afterwards, and it pointed to address 500. I rebooted game and breakpointed address 500 when copylock was run. When it returned, the breakpoint at address 500 was activated.
So address 500 is called after the copylock. Strange thing is that absolutely nothing happens at this address, there is just empty memory till address AD0, which jumps to address 6388. We'll take over this address after copylock has run, and restore all code we changed. Take note of opcodes of the instruction at AD0, marked with red:

The encrypted part of copylock can be found on disk and original values overwritten. With this method, I experienced problems with the end sequence. Then I tried patching the copylock instead, replaying whole game (again) and end part also appeared correctly. Therefore, the following patching method is used.
Boot copy of game again and enter AR when copylock is run. Remember, the drive grinding sound or long seek to track 0.
Copylock appeared at 35DAE, check if there is any code before this address:

35DAC sets reg. D0 to #4. This seems to be the only code before the actual copylock routine. We are interested in what calls the copylock, so it can be patched before execution. There are no obvious calls like a JSR, BRA or similar.
Try searching for the address, where protection starts: F 03 5D AC.

AR returns three addresses. Try disassembling the first one and hit enter a few times:

Address 2440 moves a value equal to start of protection into D0, and then jumps to address 2446. Follow the jump at 2446, and disassemble till this appears:

Copylock routine is loaded into memory, in the 51000 area of memory. It appears here in some odd addresses, but is moved to address 35DAC, where it appears correctly. By doing some breakpointing, I found that the above code is called several times, and the fourth time it has been run, copylock appears at address 35DAC. We will need to take over the code at address 2750 and make it call a crack patch. When patch is called, we will put original opcodes back to address 274C, as it's also called after the copylock has run. Take note of the original opcodes from address 274C – 2750, as we need them later on.
Locating a crack patch in memory isn't so easy with this game. Game starts using memory from address 84 and below this, copylock key is returned at address 60. This gives us very little space to work with. Part of high chip isn't used, but game clears memory during loading, so this would kill our patch. Take a look around address 51000, where copylock is loaded to.

You can see the first PEA at the odd address 51145 (Hz), just before that we have the MOVEQ #4,D0 (p) and before that… we have nothing. If we can locate these spare bytes on disk, a crack patch can be written directly to disk 1.

To find this on disk, read a chunk of it into memory, starting at address 10000; RT 50 20 10000. Then search for copylock routine: F 48 7A,10000.

AR returns two odd addresses; 29A05 & 29A15. Disassemble first address and hold enter down, till bottom of screen has been reached. Scroll back up, to determine how much free space we have:

Some data appears at address 29968 and 2996A is the first free address. To keep a little "distance", let's choose address 2996E. Next question is, where will this address appear, when game loads it into memory?
Assemble 2996E and insert three NOPs:

When done, write tracks back: WT 50 20 10000.
Now, simply reboot and enter AR when the copylock is checking track 0. Disassemble address 51086 (just a chunk of memory before copylock):

We inserted three NOPs, and the first one appears at address 510AE. This address will be start of crack patch. Next thing is making game call our crack patch. You took note of some opcodes from address 274C, a bit earlier.
Armed with these, we can find this code on disk and make it call address 510AE.
Search for opcodes; F 4C DF 7F FF 4E 75,10000 80000. AR returns several addresses, but correct one is 6AE36.
Assemble this address and insert a JMP 510AE. Then write tracks back, see steps in the above picture.
When making our patch we have to take into account, that our patch is called several times before the copylock appears correctly at address 35DAC.

Crack patch can now be made.
Read chunk of disk into memory; RT 50 20 10000. Assemble 2996E and code patch:

2996E; MOVEM.L (A7)+,D0-D7/A0-A6; run code we removed at 274C
29972; CMPI.L #19A09C78,36188; check if copylock is moved correctly into location
2997C; BEQ 29980; if so, branch to 29980 and crack it
2997E; RTS; if not, just return
29980; MOVE.L #4CDF7FFF,274C.S; restore code we removed at 274C
29988; MOVE.W #4E75,2750.S; restore code we removed at 2750
2998E; MOVE.L #589C2802,36188; move new opcodes into copylock
29998; MOVE.L #45285A02,3618C; move new opcodes into copylock
299A2; MOVE.W #2500,36190; move new opcodes into copylock
299AA; MOVE.L #4EF90005,AD0.S; insert JMP 510FA at address AD0, first code called after copylock
299B2; MOVE.W #10FA,AD4.S; insert JMP 510FA at address AD0, first code called after copylock
299B8; RTS; return
299BA; MOVE.L #4EF90000,AD0.S; restore code at AD0
299C2; MOVE.W #6388,AD4.S; restore code at AD4
299C8; MOVE.L #19A09C78,36188; restore original opcodes in copylock
299D2; MOVE.L #7EAEEC79,3618C; restore original opcodes in copylock
299DC; MOVE.W #1FAE,36190; restore original opcodes in copylock
299E4; JMP 6388.S; jump we took over at AD0

When patch is called, it checks if copylock is moved into place. If it isn't, it just returns to game. When copylock IS moved into place, it will be patched and address AD0 will be set to call our patch after copylock has run. When patch is called again, it just "cleans" up after itself and returns to game.
Only thing left, is to write tracks back; WT 50 20 10000.
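
The opcode constants in the patch listing, and the way buffer addresses map to runtime addresses, can be checked mechanically. The Python sketch below is an added example, not part of the original tutorial; its function names are made up here, and it decodes only the three instruction forms the patch writes in clear (the longwords written to 36188 are encrypted copylock bytes and are not decoded).

```python
# Added example (not from the original tutorial): check the patch's constants.
# Addresses and opcode words are the ones quoted in the listing above.
DELTA = 0x510AE - 0x2996E  # AR disk-buffer address -> address after the game loads it

def to_runtime(buf_addr):
    """Where a byte assembled in the disk buffer ends up in game memory."""
    return buf_addr + DELTA

def reglist(mask):
    """MOVEM mask for (An)+ mode: bit 0 = D0 ... bit 7 = D7, bit 8 = A0 ... bit 15 = A7."""
    parts = []
    for prefix, shift in (("D", 0), ("A", 8)):
        start = prev = None
        for i in [n for n in range(8) if mask >> (shift + n) & 1] + [None]:
            if start is None:
                start = prev = i
            elif i is not None and i == prev + 1:
                prev = i
            else:  # run ended: emit "D3" or "D0-D7"
                parts.append(f"{prefix}{start}" if start == prev
                             else f"{prefix}{start}-{prefix}{prev}")
                start = prev = i
    return "/".join(parts)

def decode(words):
    """Decode the three 68000 forms the patch writes in clear."""
    op = words[0]
    if op == 0x4E75:
        return "RTS"
    if op == 0x4EF9:  # JMP to a 32-bit absolute address
        return f"JMP ${(words[1] << 16) | words[2]:X}"
    if op == 0x4CDF:  # MOVEM.L (A7)+,<list>
        return f"MOVEM.L (A7)+,{reglist(words[1])}"
    raise ValueError(f"opcode {op:04X} not handled in this sketch")

# Words the patch stores, labelled by destination address (from the listing).
WRITES = {
    "274C restore": [0x4CDF, 0x7FFF],
    "2750 restore": [0x4E75],
    "AD0 hook":     [0x4EF9, 0x0005, 0x10FA],
    "AD0 restore":  [0x4EF9, 0x0000, 0x6388],
}

if __name__ == "__main__":
    for label, words in WRITES.items():
        print(f"{label:13} {decode(words)}")
    # The hook at AD0 must land on the clean-up half, assembled at 299BA.
    print(f"299BA in buffer -> {to_runtime(0x299BA):X} in memory")
```

The last line confirms that the JMP 510FA written to AD0 targets the clean-up code assembled at 299BA, once the buffer-to-memory offset is applied.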

I have tested it on my beloved A500, without AR, through whole game and it works just fine.
Dedicated to sweet sweet Victoria

