
Graham Gooch World Class Cricket
© Audiogenic

1. Original game: find it on emunova.net
2. An Amiga or WinUAE
3. Action Replay or a ROM image of it
4. Pencil and paper
5. Two blank disks: find them in your local Amiga store
6. ARIV
7. Dopus or a similar program

Start by making a copy of the original game. This is to determine the type of protection.
You'll notice an error on track 0, probably a copylock track.
Let's start by finding the copylock key. Boot the original game and enter AR when you hear the copylock seeking towards track 0. Locate the routine: "F 48 7A". AR returns three addresses, the first two $10 apart, which is a typical sign of a copylock. Disassemble from 26E and search for the end of the copylock. You have reached the end when the nonsense code stops.

Normal code seems to start again around address B92. Set a breakpoint there and exit AR: "BS B92".
When the copylock has finished and the game reaches address B92, AR pops up. The game hasn't had a chance to flush the registers yet, so we can grab the key from D0.

Press "R" to see the registers and take note of the key in D0.
Let's have a little look at the code before the copylock routine:

A few lines of code before the copylock clear registers D0, D1 & D3. Take especially good note of addresses 268 & 26A, as we shall use these a little later.
The main file is called "210793.ag" (what else did you expect? 🙂).
Load the file into memory starting at address 30000: "LM 210793.AG,30000". The file is located between 30000 and 7404C.

If you try to find the copylock in the loaded file, you won't have any luck: the routine isn't present in its plain form in the file on disk, it only gets put into place at run time. Disassemble the start of the file (D 30000) and look out for this:

Lines 3018E & 30190 should look familiar to you (the MOVEQ #0,D0 and MOVE.L D0,D1 we saw at 268 & 26A). We SHOULD have had copylock code from 30194 onwards. It's pretty hard to crack something that isn't there...
We must assume that by the time the game reaches line 3018E, the rest of the copylock code has been moved into place. So we insert a "JSR C0.S" at line 3018E (it overwrites both of the two-word instructions at 3018E and 30190) and put a patch at address C0 that cracks the copylock by moving new opcodes into it.
Assemble 3018E:

When done, insert a blank disk and save the main file: "SM 210793.ag,30000 7404C". Do NOT save the file onto the copy of the game, as this will not work. Using Dopus, DiskMaster or a similar program, copy all the other game files to the disk you just saved the main file to. If you don't follow this procedure, the game will not boot.
Rename the disk so the new disk name is " " (one blank space), the same as the original.
Install the disk with a normal DOS 2.0 boot block.
Insert another blank disk and save the copylock routine, so we can decrypt it: "SM COP,100 1000".
Start ARIV and enter it with the RMB.
Load the saved copylock into memory starting at address 100: "LM COP,100".
By loading the copylock to the same memory location the game uses, we can read off the memory addresses for the new cracked opcodes directly.

Enable the RNC decrypter: "ROBD".
The copylock routine started at address 26E. Disassemble from this address and look out for a location to wire the key in:

The disk-accessing part and the key calculation of the copylock are done in the code from address 654 to 69A.
Registers are saved by the code at 654. Address 668 is a good place to wire the key in, as no disk routines have been called yet. After putting the key in D0 we clear D1, and then branch to the address that restores the registers. D0 & D1 are not among the saved registers, so they keep our values. Disassemble a bit further:

Address 698 moves the key from D6 to D0 (we skip this part) and the registers are restored at 69A, our branch address. Address 69E branches to the second part of the copylock.
Assemble at address 668 and insert the code shown above to wire the key in.
The new opcodes are marked in the picture above, together with the addresses where they belong.
It's now time to create the crack patch. It can live on the boot block, together with a little routine that moves it to address C0. Read the boot block into memory starting at address 70000: "RT 0 1 70000".
Disassemble the start of the boot code:

Take note of the code at line 7000C and change it to "BSR 700C0". This calls our copy routine on boot (the instruction we overwrite here is redone at the end of the copy routine).
Assemble 700C0 and make the copy routine:

700C0  LEA C0,A0            ; C0 is the destination address for the patch
700C6  LEA 70100(PC),A1     ; copy from offset $100 of the boot block
700CA  MOVE.W #200,D7       ; loop counter (DBF runs the loop $200+1 times, so $201 bytes are copied)
700CE  MOVE.B (A1)+,(A0)+   ; copy one byte
700D0  DBF D7,700CE         ; loop
700D4  LEA 7004C(PC),A1     ; redo the instruction we overwrote at 7000C
700D8  RTS                  ; return to the original boot code

Assemble 70100 and code the crack patch:

70100  MOVE.L #303132BF,668.S   ; first longword of the new opcodes into the copylock
70108  MOVE.L #8CEE40BF,66C.S   ; second longword of the new opcodes into the copylock
70110  MOVE.W #ECC6,670.S       ; last word of the new opcodes into the copylock
70116  MOVEQ #0,D0              ; redo the code we overwrote in the main file (3018E)
70118  MOVE.L D0,D1             ; redo the code we overwrote in the main file (30190)
7011A  RTS                      ; return to the game

Alternatively, the patch at C0 could just wire the key into D0 (and into address 60) and then jump to the end of the copylock, as the routine itself is harmless.
Correct the boot block checksum: "BOOTCHK 70000".

Write the boot block back: "WT 0 1 70000".
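To make the whole patch chain concrete, here is an added example in Python (not code from the page, from Action Replay or from the game) that hand-assembles the two listings above into raw 68000 bytes, hooks the main file at 3018E with the JSR, and recomputes the boot block checksum the way BOOTCHK does. It assumes that the instruction at offset $0C of the DOS 2.0 boot block is the LEA 7004C(PC),A1 that the copy routine restores, it uses the ten opcode bytes from the page's listing as given (the real key only appears in the page's picture), and the boot block it patches is a constructed stand-in, not one read from a disk.

```python
# Added example (not code from the page): the patch chain above as raw 68000 bytes.
import struct
BOOT_LOAD = 0x70000       # the tutorial reads the boot block to 70000 ("RT 0 1 70000")
HOOK_OFF = 0x0C           # boot-block offset of the instruction replaced by "BSR 700C0"
COPY_ROUTINE_OFF = 0xC0   # copy routine at 700C0
CRACK_PATCH_OFF = 0x100   # crack patch at 70100, copied to C0 at boot
PATCH_DEST = 0xC0         # "JSR C0.S" in the main file lands here
COPY_COUNT = 0x200        # MOVE.W #200,D7 + DBF: the loop body runs $201 times
# Assumption (it is what the copy routine restores): the instruction at offset $0C of the
# DOS 2.0 boot block is "LEA 7004C(PC),A1" = 43FA 003E.
ORIGINAL_HOOK_INSN = bytes.fromhex("43FA003E")
# The ten bytes the tutorial stores at 668..671, copied verbatim from its listing.
NEW_COPYLOCK_OPCODES = bytes.fromhex("303132BF8CEE40BFECC6")

def rel16(ext_word_addr: int, target: int) -> bytes:
    """68000 16-bit PC-relative displacement, measured from the extension word."""
    disp = target - ext_word_addr
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("displacement does not fit in 16 bits")
    return struct.pack(">h", disp)

def key_wire_in(key: int, at: int = 0x668, restore: int = 0x69A) -> bytes:
    """Plaintext of the wire-in the text describes: MOVE.L #key,D0 / MOVEQ #0,D1 / BRA.S 69A, ten
    bytes; the copylock is encrypted in memory, so the patch writes NEW_COPYLOCK_OPCODES instead."""
    disp = restore - (at + 10)            # BRA.S is at +8, its displacement counts from +10
    if not 1 <= disp <= 0x7F:
        raise ValueError("BRA.S displacement out of range")
    return (bytes.fromhex("203C") + struct.pack(">I", key & 0xFFFFFFFF)  # MOVE.L #key,D0
            + bytes.fromhex("7200") + bytes([0x60, disp]))               # MOVEQ #0,D1; BRA.S

def hook_main_file(data: bytes, off: int = 0x3018E - 0x30000) -> bytes:
    """Replace MOVEQ #0,D0 / MOVE.L D0,D1 at 3018E (file loaded at 30000) with "JSR C0.S"."""
    if data[off:off + 4] != bytes.fromhex("70002200"):
        raise ValueError("expected MOVEQ #0,D0 / MOVE.L D0,D1 at the hook offset")
    return data[:off] + bytes.fromhex("4EB8") + struct.pack(">H", PATCH_DEST) + data[off + 4:]

def copy_routine() -> bytes:
    """Hand-assembled copy routine for 700C0 (first listing above)."""
    b = BOOT_LOAD + COPY_ROUTINE_OFF
    return b"".join([
        bytes.fromhex("41F9") + struct.pack(">I", PATCH_DEST),                 # LEA C0,A0
        bytes.fromhex("43FA") + rel16(b + 0x08, BOOT_LOAD + CRACK_PATCH_OFF),  # LEA 70100(PC),A1
        bytes.fromhex("3E3C") + struct.pack(">H", COPY_COUNT),                 # MOVE.W #200,D7
        bytes.fromhex("10D9"),                                                 # MOVE.B (A1)+,(A0)+
        bytes.fromhex("51CF") + rel16(b + 0x12, b + 0x0E),                     # DBF D7,700CE
        bytes.fromhex("43FA") + rel16(b + 0x16, BOOT_LOAD + 0x4C),             # LEA 7004C(PC),A1
        bytes.fromhex("4E75"),                                                 # RTS
    ])

def crack_patch() -> bytes:
    """Hand-assembled crack patch for 70100 (second listing above)."""
    op = NEW_COPYLOCK_OPCODES
    return b"".join([
        bytes.fromhex("23FC") + op[0:4] + struct.pack(">H", 0x668),   # MOVE.L #303132BF,668.S
        bytes.fromhex("23FC") + op[4:8] + struct.pack(">H", 0x66C),   # MOVE.L #8CEE40BF,66C.S
        bytes.fromhex("33FC") + op[8:10] + struct.pack(">H", 0x670),  # MOVE.W #ECC6,670.S
        bytes.fromhex("70002200"),                                    # MOVEQ #0,D0; MOVE.L D0,D1
        bytes.fromhex("4E75"),                                        # RTS
    ])

def bootblock_checksum(bb: bytes) -> int:
    """AmigaDOS boot-block checksum (what BOOTCHK redoes): end-around-carry sum of the 256
    longwords with the field at offset 4 taken as zero, then complemented."""
    total = 0
    for off in range(0, 1024, 4):
        if off != 4:
            total += struct.unpack(">I", bb[off:off + 4])[0]
            while total > 0xFFFFFFFF:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    return ~total & 0xFFFFFFFF

def fix_checksum(bb: bytes) -> bytes:
    return bb[:4] + struct.pack(">I", bootblock_checksum(bb)) + bb[8:]
def checksum_ok(bb: bytes) -> bool:
    return struct.unpack(">I", bb[4:8])[0] == bootblock_checksum(bb)

def patch_bootblock(bb: bytes) -> bytes:
    """Apply the BSR hook, copy routine and crack patch, then fix the checksum."""
    if len(bb) != 1024 or bb[:4] != b"DOS\0":
        raise ValueError("not a 1024-byte DOS boot block")
    if bb[HOOK_OFF:HOOK_OFF + 4] != ORIGINAL_HOOK_INSN:
        raise ValueError("instruction at $0C is not the one the copy routine restores")
    cr, cp = copy_routine(), crack_patch()
    # The loop copies $201 bytes from 70100, so the whole area it reads must be unused.
    for off, size in ((COPY_ROUTINE_OFF, len(cr)), (CRACK_PATCH_OFF, COPY_COUNT + 1)):
        if any(bb[off:off + size]):
            raise ValueError(f"boot code already uses bytes at offset {off:#x}")
    out = bytearray(bb)
    out[HOOK_OFF:HOOK_OFF + 4] = bytes.fromhex("6100") + rel16(BOOT_LOAD + HOOK_OFF + 2, BOOT_LOAD + COPY_ROUTINE_OFF)  # BSR.W 700C0
    out[COPY_ROUTINE_OFF:COPY_ROUTINE_OFF + len(cr)] = cr
    out[CRACK_PATCH_OFF:CRACK_PATCH_OFF + len(cp)] = cp
    return fix_checksum(bytes(out))

def sample_bootblock() -> bytes:
    """Constructed stand-in for a DOS 2.0 boot block (not read from any real disk)."""
    bb = bytearray(1024)
    bb[0:4], bb[8:12] = b"DOS\0", struct.pack(">I", 880)              # signature, root block
    bb[HOOK_OFF:HOOK_OFF + 4], bb[0x10:0x12] = ORIGINAL_HOOK_INSN, bytes.fromhex("4E75")
    bb[0x4C:0x58] = b"dos.library\0"                                  # where 7004C points
    return fix_checksum(bytes(bb))
```

Two checks in there are worth doing on a real boot block before hooking it: the copy loop reads $201 bytes from 70100, so anything the stock boot code keeps in that range would be clobbered (the example refuses to patch a block that is not empty there), and the patch must only be applied once, since after the BSR is in place the instruction the copy routine restores is no longer at 7000C.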

Yuggi Bear has done a little testing with this one and told me that it crashes sometimes.
This also happens in the original!

Rob

Codetapper
18 years ago

Have you guys tried deleting the original file off the (copy of the) disk then saving the file? That might work better. Only a guess, as I don’t use AR at all (no need!)

aLpHa oNe
18 years ago

Action Replay has dozens of bugs under WinUAE...

musashi9
Admin
18 years ago

It's a problem with Action Replay (a bug):
it will not save the file back properly if the original disk is almost full (99%).

i had the same problem with Flashback

DLFRSILVER
18 years ago

I'm afraid I have the very same problem actually.

I got an error code 21 on file 210793.ag after reboot and loading...

Codetapper
18 years ago

Firstly you must have done something wrong if you can't save the cracked file onto the disk. This is a very simple game to crack and there is no other protection that would prevent the game working by overwriting the file on disk. Programmers have NOT tampered with the routine as you wrote – it is a simple run length encoder used to depack the file. The version you cracked is not the latest release of Gooch either – the final version that I'm aware of is 19/08/93. You can fix the crashes in all versions by fixing the 3…
