
Motorhead

Motorhead

Virgin Games

1992

You will need the following:

1. Original game
2. An Amiga or WinUAE
3. Action Replay or a ROM image of it
4. Pencil and paper
5. ARIV
6. Kickstart 2.0 or higher
7. One blank DD disk 🙂
8. wwarp

Do not use RNWarp on this game, as it will show you wrong checksums.
As usual, start by backing up the original game disk. The disk is faulty on track 0, upper side, so we are dealing with a disk-based protection, most likely a Copylock.
This game uses one of the harder Copylocks: a decrypter inside the Copylock code decrypts part of the game code. The game will, of course, only be decrypted correctly if the routine has the correct Copylock key.
The first step is getting the key. The fastest (and most boring) way is to warp the Copylock track and compare the key calculation routines with the output from the warper.
Start ARIV and boot the copy of the game. Enter ARIV with the RMB when the loading picture appears. Scan memory for signs of a Copylock: "FS ONz".

ARIV returns address F2DF. Enable the RNC decrypter ("ROBD") and disassemble from address F2DF until this appears:

Take note of addresses F788 to F78E, as they are part of the key calculation routine.
Remove ARIV from memory and enter the CLI.
Make a path to wwarp and change directory to RAM:.
Type the following in the CLI (marked in yellow):

This creates a warp file of the Copylock track in memory, called "mh".
If you match up the key calculation routines, you'll see that checksum 6 matches. The key is marked in red. We now need to make new opcodes to move into the Copylock.
Boot the copy of the game and enter ARIV when the loading picture appears. The Copylock was located around address F2DF.
Enter ROBD mode, disassemble from address F2DF and hold Enter down until this appears:

The Copylock key needs to be wired into address F6CA. After that we set register D1 to #0. This emulates the Copylock in the best possible way. Then we need to branch past the whole disk-accessing part.
Continue disassembling a few lines further:

The registers are restored at address F6FC, so this must be our branch address.
Assemble at address F6CA and wire the key in, see the picture above. We can now read out the new opcodes that need to be wired into the Copylock. I have marked them in the picture above. They are divided into two long words and one word.
This makes them easy to move into the Copylock using the MOVE instruction.
We are still in ROBD mode, so the code we type in is automatically encrypted by ARIV.
There is no need to EOR the code "by hand".
When the Copylock runs, the key is moved into register D0, D1 is cleared, the disk-reading part is skipped and the Copylock branches directly to the decryption routine at the end of the Copylock, so the protected part of the game is decrypted correctly.
It is a good idea to take note of the new opcodes and their respective addresses.
Disable ROBD mode and read the boot block to address 70000: "RT 0 1 70000". Disassemble the boot code:

The boot block loads $1000 bytes of data into memory, starting at the address A3 points to. The data is executed by the jump at 70066. Change that jump into a loop, correct the checksum and write the boot block back:

Reboot the game and wait for it to hang. When this happens, enter ARIV.
Press "R" to see the registers. A3 points to the start of the data. Disassemble from address 66C0 and hit Enter a few times.

Address 673A looks interesting. It jumps to address 800. When the game reaches this jump, the Copylock has been loaded into memory.
We want to take over this jump and make it jump to a crack routine, which we'll place at address 100. The jump's location depends on your memory configuration, so we can't assume it will appear at address 673A on all Amigas. We can use A3 as a base and calculate where in memory it will appear.
Subtract address 66C0 from address 673A: "?673A-66C0". The result is 7A.
This is the value we need to add to A3 to make it point to the jump.
Read the boot block into memory, starting at address 70000: "RT 0 1 70000".
View memory with "N 70000":

We have some spare bytes in the boot block from offset $C0. We'll place a copy routine here that moves our crack patch to address 100. The crack patch itself can then be stored at offset $100 on the disk.
We also need to modify the original boot code so the copy routine is called.
Remember our loop at 70066? Good, change that to "BRA 700C0".

Assemble at 700C0 and code the copy routine, see the picture above.
This makes the boot block call the copy routine and move the patch to address 100.
It also patches the "JMP 800" to "JMP 100.S".
I have also added a little trainer. No explanation for that, trainer makers will do that... Assemble at 70100:

70100; MOVE.W #F,DFF180; set background to blue
70108; BTST #6,BFE001; check for LMB
70110; BEQ 7011E; if pressed, branch to 7011E, train & crack game
70112; BTST #A,DFF016; check for RMB pressed
7011A; BEQ 7013A; if pressed, branch to 7013A and crack game
7011C; BRA 70108; loop till pressed
7011E; MOVE.L #4E714E71,D0; fill D0 with opcodes for 2 x NOP
70124; MOVE.L D0,31EC.S; train game
70128; MOVE.W D0,31F0.S; train game
7012C; MOVE.L D0,26B2.S; train game
70130; MOVE.W D0,26B8.S; train game
70134; MOVE.W D0,6C64.S; train game
70138; CLR.L D0; restore D0 to its original value
7013A; MOVE.L #F9617B35,F6CA; move first long word of new opcodes into copylock
70144; MOVE.L #B7D50935,F6CE; move second long word of new opcodes into copylock
7014E; MOVE.W #D7FD,F6D2; move last word of new opcodes into copylock
70156; JMP 800.S; continue game, the jump we took over

When the above routine executes, the screen turns blue and the Amiga waits for the LMB or RMB. If the LMB is pressed, SOME of the routines that decrease lives and energy are NOP'ed out. Then the new encrypted opcodes are moved into the Copylock, so it decrypts the game properly without the original disk.
If the RMB is pressed, the game is only cracked and the trainer code is skipped.
Correct the boot block checksum and write the track back:

Boot the game and choose the trainer or not when the screen turns blue.
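The boot-block side of the procedure above (find the loader's JMP relative to A3, turn "JMP 800.S" into "JMP 100.S", store the patch at offset $100 and correct the checksum before writing the block back) can be modelled offline. The Python below is an added example and not part of Rob's tutorial or the Action Replay's own code; the boot block and loader image it builds are constructed stand-ins (DOS signature plus NOP filler), not bytes from the Motorhead disk, and the 68000 encodings it uses (JMP (xxx).W = 4EF8 xxxx, NOP = 4E71) and the Kickstart boot-block checksum (sum of all 256 longwords with end-around carry, checksum field taken as zero, then complemented) are standard.

```python
# Added example, not from the tutorial: an offline model of the boot-block
# steps (jump offset from A3, JMP rewrite, patch storage, checksum fix).
# The boot block and loader data below are constructed stand-ins, not bytes
# from the Motorhead disk.
import struct

BOOTBLOCK_SIZE = 1024       # track 0, sectors 0-1 (what "RT 0 1 70000" reads)
CHECKSUM_OFFSET = 4         # longword right after the "DOS\0" signature
PATCH_OFFSET = 0x100        # where the tutorial stores the crack patch on disk
JMP_ABS_W = 0x4EF8          # 68000 "JMP (xxx).W", the encoding of "JMP 800.S"
NOP = 0x4E71                # the opcode the trainer writes (4E714E71)


def bootblock_checksum(block: bytes) -> int:
    """Amiga boot block checksum: add all 256 longwords with end-around
    carry while treating the checksum field as zero, then complement."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:      # carry out of bit 31 is added back in
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def fix_checksum(block: bytearray) -> int:
    """Recompute and store the checksum (the "correct checksum" step)."""
    csum = bootblock_checksum(bytes(block))
    struct.pack_into(">I", block, CHECKSUM_OFFSET, csum)
    return csum


def checksum_ok(block: bytes) -> bool:
    """True if the stored checksum matches the block contents."""
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0] == bootblock_checksum(block)


def jump_offset(jump_addr: int, base_addr: int) -> int:
    """Distance from A3 (start of the loaded data) to the JMP to take over,
    e.g. 673A - 66C0 = 7A in the tutorial."""
    return jump_addr - base_addr


def patch_jump(data: bytearray, offset: int, old_target: int, new_target: int) -> None:
    """Rewrite 'JMP old.S' at data[offset] to 'JMP new.S', checking that the
    expected instruction is really there before touching it."""
    opcode, target = struct.unpack_from(">HH", data, offset)
    if opcode != JMP_ABS_W or target != old_target:
        raise ValueError(f"expected JMP {old_target:X}.S at +{offset:X}, "
                         f"found {opcode:04X} {target:04X}")
    struct.pack_into(">HH", data, offset, JMP_ABS_W, new_target)


def install_patch(block: bytearray, patch: bytes) -> None:
    """Store the crack patch at offset $100 of the boot block and fix the
    checksum, as the tutorial does after assembling at 70100."""
    if len(patch) > BOOTBLOCK_SIZE - PATCH_OFFSET:
        raise ValueError("patch does not fit in the boot block")
    block[PATCH_OFFSET:PATCH_OFFSET + len(patch)] = patch
    fix_checksum(block)


def build_sample_bootblock() -> bytearray:
    """Constructed boot block: DOS signature and NOP filler instead of the
    real bootstrap code (assumption for this example only)."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    block[12:PATCH_OFFSET] = struct.pack(">H", NOP) * ((PATCH_OFFSET - 12) // 2)
    fix_checksum(block)
    return block


def build_sample_loader(base: int = 0x66C0, jump: int = 0x673A) -> bytearray:
    """Constructed $1000-byte loader image with 'JMP 800.S' at base+7A
    (stand-in for the data the real boot block loads to A3)."""
    data = bytearray(struct.pack(">H", NOP) * (0x1000 // 2))
    struct.pack_into(">HH", data, jump_offset(jump, base), JMP_ABS_W, 0x800)
    return data


if __name__ == "__main__":
    bb = build_sample_bootblock()
    install_patch(bb, bytes([0x4E, 0x71]) * 4)      # placeholder patch bytes
    loader = build_sample_loader()
    patch_jump(loader, jump_offset(0x673A, 0x66C0), 0x800, 0x100)
    print(f"checksum ok: {checksum_ok(bb)}, jump now -> "
          f"{struct.unpack_from('>HH', loader, 0x7A)[1]:X}")
```

The check in patch_jump is the part worth keeping when doing this on a real disk image: if the loader has been relocated differently than expected (the tutorial's point about memory configuration), the bytes at A3+7A will not be 4EF8 0800, and refusing to write rather than overwriting whatever is there saves a corrupted copy.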

Rob


