Neighbours
? Impulze
How to crack without
hardwire key.
What you need:
- Original/SPS
release game - AR3 cart. or
ROM image - Some copy
program like BurstNibbler - A few blank
disks
This txt is based on a plain A500 with slow mem. expansion at $ C0000.
There already is a cracking tutorial on this site for the game, and it
describes how to hardwire copylock key into
the encryption. In this txt, we?ll look at how to crack game without
doing so & what copylock is actually doing to game.
Start by making a copy of game.
First we must know how protection is actually screwing up game, so we
can see if its cracked correctly.
Bootup your copy. Short after the loading logo appears, notice how the
track counter is moving to track 0 or if you use
a real Miggy, a drive grinding sound appears. This is the first
copylock being run. It?s a simple one, just returning a
key in reg. D0 & at memory address 60, we?ll look into it later.
After copylock has run, notice that game just continues
loading, like nothing has happened. Fun thing is, that game is using
this copylock for? NOTHING. Its not even checking
the copylock key ? we?ll also look into this later. After some more loading,
the picture disappears, 2. copylock is run &
now something is going on, cause screen just stays black. Protection has
crashed the game. This is what we want to avoid.
Let us start by looking at the first copylock. Even though game is not
using key, we?ll emulate it anyway.
Reboot with original in DF0 & enter AR when the loading pic appears.
Our goal is to obtain the key & where it is returned.
To do this, we need to find the protection in memory. Copylock routines
always start by pushing a memory into the stack, using
PEA xx(PC). To find protection, search for the opcodes: 48 7A. Before
doing so, press D+enter to disassemble actual
memory.
AR shows some address in 78000 area of memory. Try searching for copylock
starting at address 70000: F 48 7A,70000.
AR finds opcodes at address 78088 & 78098. Set a breakpoint to
address 78088, so regs. can be checked before protection
is run. Next is finding end of copylock & insert another breakpoint
here, so changed regs. can be found.
Disassemble address 78088, you?ll see tons of meaningless code
(encrypted part) and then at address 789AC, it starts
to make sense again. 789AC is where normal code starts. Insert a breakpoint
here too, and exit AR: BS 789AC.
When AR first pops up, see regs: R +enter. Exit AR and wait for next
breakpoint to activate.
This happens after protection has run. See regs again: R+enter. Reg. D0
has changed. This is copylock key, take note of it.
Maybe key is also returned at a memory address, search for it: F 57 C3
3E FF. AR returns address 60, very common.
To emulate the first protection, copylock key must be put in in reg. D0
and address 60.
Remember earlier, we talked about key not being used for any good ?
Try disassemble next instruction: D+enter. It?s a BSR to address 78AB6.
Disassemble address 78AB6:
D0 is just cleared, not even a stupid check for key.
Now for next copylock, the ?hard? one. It is a little different than
the one we just looked at, as it is not returning a
key in a reg., but puts in the game code.
Search for the next copylock: F 48 7A,60000.
AR returns one address: 6D6F2. Try disassemble a few bytes prior to
6D6F2, to find precise start of protection routine.
It starts at address 6D6E8, see above. We?ll see what calls this
protection, breakpoint it before & after its run & then
check memory for changes.
Check what calls it: FA 6D6E8 60000. AR returns address 634FA. Stick a
breakpoint to this address & the
following one: BS 634FA & BS 63500. Exit AR and wait for first
breakpoint to activate. When this happens, copy
whole chipmem to slow mem: TRANS 0 80000 C00000.
A copy of chipmem in now in slowmem. After protection has run, we can compare
new modified chipmem with copy in
slowmem & see what changes copylock has done. Before doing so, check
regs.: R +enter.
Notice that stack points to address 47C4. This is good to keep in mind,
as a lot of useless changes will happen in this area,
done by the Trace Vector Decoder.
Exit AR and wait for last breakpoint. When this activates, compare memory:
COMP 0 80000 C00000.
When AR shows address C00063, press Ecs to halt the process.
Quite a few address have already been changed. Most if it is just crap
from the copylock, except changes at address 60.
Here the longword value 3D 74 2C F1 is stored. This type of copylock
always store this exact number at $60.
Try check games like Heimdall, Double Dragon 3, Cool World, Cannon
Fodder 2, Motor Head, Robin Hood,
Parasol Stars, Moonstone, etc. Take note of the value.
Restart the compare: COMP 0 80000 C00000. You?ll see lots of addresses
in 4000 area of memory changed. This
is just copylock?s work memory.
After a while, a longword of changes at address 6B006 appears.
Take note of these changes.
Could be fun to see if game use these for anything. Try searching for
the value: F F8 57 B3 DF,60000.
AR returns three addresses, where the first two are interesting ? not the
last one of course 🙂
Disassemble 63748 and hot enter a few times. Here game checks for the
value. If its not returned, it branches to
address 63A54, which jumps to address FFFFFC ? not a valid address, which
will crash the computer.
To emulate this copylock, new values must be moved to address 60 &
6B006.
Final step is reading copylocks from disk, into memory, overwrite them
with a patch & write tracks back.
Game starts to load from around middle of disk, so read out from about
there: RT 6C 1A 10000.
Search for the copylocks: F 48 7A,10000. AR returns three addresses.
First address is 116F8 and will only one hit,
This must be the ?hard? one. Assemble address 116F8 and insert
following code:
116f8: move.l #f857b3df,6b006 ; copylock key moved to address 6b006
11702; move.l #3d742cf1,60.s ; standard value at address 60
1170a; rts ; return
Just before copylock started, regs was set up and saved. End of copylock
restores this, but we skip this part, since
patch just ends with a RTS. To avoid a visit from the Guru, NOP out
memory from address 116EE-116F8:
Now for the first copylock. Assemble address 2AD9A and insert:
2ad9a; move.l #57c33eff,d0; key in d0
2ada0; move.l d0,60.s; key at address 60
2ada4; bra 2b6be; branch past all encryption and to non-encrypted part
Write tracks back: WT 6C 1A 10000.
Reboot and check your new crack. Yes, it was possible without
hardwire..
BTW, in-game try inserting a breakpoint at address 63748 & 63AFA ?
where game checks if last copylock returned key.
You?ll notice that this code is almost constantly run.
Rob