Lemmings 2 – Psygnosis
You will need the following:
1. Original game – find it on emunova.net
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store
6. ProPack – find it on amiga-stuff.com
7. ARIV – find it on romshare.net
8. Kickstart 2.0
Addresses may differ on your computer, due to different memory configurations.
Start by making a copy of the original game disks. This is to determine the type of protection. You'll notice an error on track 0 of disk 3. This is some type of disk-based protection, where you can't duplicate a specially written track. Most likely a copylock.
Let's start by retrieving the copylock key. Boot the original game and enter AR when level 1 starts. The copylock routine is executed when disk 3 is inserted, so the copylock should be in memory now. Copylocks start with the code "PEA $$$$(PC)", so search for the opcodes: F 48 7A.
AR returns three addresses and the copylock starts at the first one. There is no point in finding the exact end of the copylock routine, so we choose C14000 as the end address. This should ensure we have the whole routine. Insert a blank disk and save the copylock: SM copylock,C12B28 C14000.
Enter ARIV (right mouse button) and load the saved copylock routine into memory, starting at address 50000: LM COPYLOCK,50000.
ARIV has a built-in RNC decrypter, which works pretty ok. Enable it by typing "ROBD". Disassemble address 50000 (start of copylock) and keep going until the second part of the copylock appears:
As you can see from line 507F8, the copylock key is moved to address B4, and line 507FC moves a fake key into D0.
Next step is simple: boot the original game and enter AR when level one starts. See the contents of address B4 with "M B4".
Take note of the copylock key, marked with green above. We could crack this one by returning the copylock key at B4 and setting the registers to the same values as the copylock does, but it's actually easier to wire the copylock key into the encrypted code. In this way, "part 2" of the copylock will be executed, and the addresses and registers will be set to the correct values.
Once again start ARIV and load the copylock into memory, starting at address 50000: LM COPYLOCK,50000.
Enable the decrypter by typing "ROBD". Disassemble address 50000 and stop when this appears:
Address 503FE is the one we are interested in. This code appears in most copylocks and it's here we'll wire in the copylock key. This way there is a better chance of a 100% crack, since the "dirty tricks" will still be executed. These dirty tricks are often executed at the end of the copylock, but this one actually seems pretty innocent.
Once we have done that, there is no need for the disk access part to be executed, so we can branch past it. Continue disassembling a few lines further. You'll notice a BRA at address 50448; this BRA also appears in most copylocks, and it branches to the "second" part of the copylock, as mentioned earlier. We can either branch directly to 507F0, or to 50448; it makes no difference. To do things a little differently, let's choose to branch to 507F0.
Assemble address 503FE and insert the code you see in the picture beneath. We only do this so we can see the opcodes for our patch. Type M 503FE and M 50404 to see the new ENCRYPTED opcodes. We are still in ROBD mode, so normal code will appear as encrypted code; the encryption works by XOR. Pretty cool, eh?
Take note of the opcodes marked with red. When we alter the copylock permanently, we need something to search for. See the opcodes for the long word instruction just before our changes: M 503FA.
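The "works by xor" remark above is the whole reason the patch can be made on the encrypted bytes without ever decrypting the file by hand: a plain XOR layer has no integrity protection, so anyone who knows (or can read off) the plaintext at one spot recovers the keystream there and can substitute same-length bytes. The following is an added example, not code from the tutorial or from any protection system; the keystream, the 68k opcode bytes and the integrity key are all constructed for illustration and have nothing to do with Copylock's real scheme. It shows both halves of the lesson: that the XOR layer alone is malleable, and that a keyed integrity check over the decrypted code (the kind of check a protection author would add) catches the modification.

```python
"""Why an XOR-encrypted code block can be patched in place, and what detects it.

Added example (not from the original tutorial). The keystream, the 68k
opcodes and the integrity key below are constructed for illustration;
they are not any real protection's keystream or key.
"""
import hashlib
import hmac

INTEGRITY_KEY = b"constructed-demo-key"  # assumption: a secret the loader holds


def keystream(length: int) -> bytes:
    """Deterministic pseudo-random keystream (constructed: SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"demo-keystream" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    """XOR data with a keystream of at least the same length."""
    return bytes(d ^ k for d, k in zip(data, ks))


def encrypt(plain: bytes) -> bytes:
    return xor_bytes(plain, keystream(len(plain)))


def decrypt(cipher: bytes) -> bytes:
    return xor_bytes(cipher, keystream(len(cipher)))  # XOR is its own inverse


def recover_keystream(cipher: bytes, known_plain: bytes, offset: int) -> bytes:
    """Where the plaintext at `offset` is known, keystream = cipher XOR plain."""
    return xor_bytes(cipher[offset:offset + len(known_plain)], known_plain)


def patch_ciphertext(cipher: bytes, offset: int, old_plain: bytes, new_plain: bytes) -> bytes:
    """Substitute same-length bytes in the ciphertext using only known plaintext."""
    if len(old_plain) != len(new_plain):
        raise ValueError("replacement must keep the same length")
    ks = recover_keystream(cipher, old_plain, offset)
    return cipher[:offset] + xor_bytes(new_plain, ks) + cipher[offset + len(new_plain):]


def tag(plain: bytes) -> bytes:
    """Keyed integrity tag over the decrypted code; what a checksum of the XOR layer cannot give."""
    return hmac.new(INTEGRITY_KEY, plain, hashlib.sha256).digest()


def verify(cipher: bytes, expected_tag: bytes) -> bool:
    return hmac.compare_digest(tag(decrypt(cipher)), expected_tag)


# Constructed 68k "code": NOPs (4E 71) around one BSR.W (61 00 00 20).
ORIGINAL = b"\x4e\x71" * 4 + b"\x61\x00\x00\x20" + b"\x4e\x71" * 4
OFFSET = 8
OLD = b"\x61\x00\x00\x20"  # BSR.W +$20
NEW = b"\x60\x00\x00\x20"  # BRA.W +$20: same length, different opcode


def demo() -> dict:
    cipher = encrypt(ORIGINAL)
    good_tag = tag(ORIGINAL)
    patched = patch_ciphertext(cipher, OFFSET, OLD, NEW)
    return {
        "patched_decrypts_to_new": decrypt(patched)[OFFSET:OFFSET + 4] == NEW,
        "rest_unchanged": decrypt(patched)[:OFFSET] == ORIGINAL[:OFFSET],
        "original_verifies": verify(cipher, good_tag),
        "patched_verifies": verify(patched, good_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the first three results are True while `patched_verifies` is False: the XOR layer accepted the substituted opcode without complaint, and only the keyed tag over the decrypted code noticed. The design point for anyone building a loader is that confidentiality of code and integrity of code are separate properties; XOR (or any stream cipher) supplies at most the first.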
The copylock is located in a file called "Lemmings2" on disk 2. Copy this file plus ProPack to a blank disk and boot it. Type this in DOS to decrunch the file: PP U D LEMMINGS2 (U = unpack and D = data file).
After a while, you should have a decrunched version of the file called "Lemmings2.RNC". Enter AR and load the file into memory, starting at address 20000: LM LEMMINGS2.RNC,20000. The file is located between 20000 and 7FF6C.
Search for the opcodes of the long word instruction just before our changes, starting at address 20000: F AC B8 F8 74,20000. AR returns address 32F4E. Type M 32F4E to see the opcodes.
The instruction we searched for is marked with red. The opcodes that need to be changed come right after it and are marked with white. Insert the new opcodes that ARIV calculated, marked with green, and don't forget to press enter.
Delete the files "Lemmings2" and "Lemmings2.RNC" to free some disk space. Save memory back as a new file called "Lemmings2": SM LEMMINGS2,20000 7FF6C. Now we need to crunch the file again. Type this in DOS to crunch the file: PP P D LEMMINGS2.
After a while, you should have a new crunched file called "lemmings2.RNC". Rename the file to "Lemmings2" and copy it to the COPY of disk 2, overwriting the old one.
Dedicated to sweeeet Victoria
Rob