Project X
© Team 17
1992
You will need the following:
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks – find them in your local Amiga store
6. ARIV – find it on romshare.net
7. Kickstart 2.0
Some addresses may differ on your computer, due to different memory configurations.
It would probably be a good idea to take note of addresses, offsets and keys during this tutorial.
First of all, make a copy of the original game disks. You'll notice that all four disks have an error on track 0.
This is of course a copylock track.
When each level is loaded, a new copylock routine is loaded to address 400 and executed. All copylocks are the same, which makes things a little easier.
The boot block loads a main loader into low chip memory, and this loader loads the main program into your expansion memory and executes it. This main program executes the copylocks, so we have to patch this program. The copylocks are located in the same memory locations, except for the one in level 3, which is located a little higher than the others.
Let's start by retrieving the copylock key and making new encrypted opcodes based on the key, which we can wire into the copylocks.
Start ARIV, insert original disk 1 and reboot. Keep pressing RMB after reboot and type 'ALLEXC' in ARIV to disable exceptions. Exit and continue loading. The copylocks are executed after the introduction text to each level. Enter ARIV when level 1 starts.
Search for copylock routines: F 48 7A. You will receive addresses 422 and 432. Disassemble address 422 and hold enter down. You'll see tons of encrypted code, and it seems to end around address D5A.
As you can see, we have a little compare routine at address D62. This routine compares copylock key with D0.
Take note of the key marked with red.
Let's make the new encrypted opcodes. Enable the RNC decrypter: 'ROBD' + enter.
Disassemble the start of the copylock (422) and stop when this appears:
We are interested in address 81A. This code appears in most newer copylocks, and it's here we'll wire in the copylock key. This way there is a better chance of a 100% crack, since the 'dirty tricks' will still be executed.
These dirty tricks are often executed at the end of the copylock, but this one actually seems pretty innocent.
Once we have done that, there is no need for the disk-access part to be executed, so we can branch past it.
Continue disassembling a few lines further. You'll notice a BRA at address 864; this BRA also appears in most copylocks, and it branches to the 'second' part of the copylock, as mentioned earlier. We can either branch directly to C0A or to 864, it makes no difference.
Take note of the original opcodes at address 81A: 'M 81A'. I have marked them in red in the picture beneath.
Assemble address 81A, insert the key in D0 and branch to 'part two' of the copylock, see picture beneath.
We only do this so we can see the new ENCRYPTED opcodes to wire into the copylock. I have marked the new opcodes in green in the above picture.
The RNC decrypter is still active, so normal code we insert will show up as encrypted code...
Next step, is finding which addresses to patch, to be able to access the decrunched copylocks.
Insert the copy of disk 1 and read the boot block into memory, starting at address 70000: 'RT 0 1 70000'. Disassemble the start of the boot code, 'D 7000C' + enter, and look out for jumps:
The main loader is loaded to the address A3 points to and executed by the instruction at 70066: JMP (A3).
Change this to a loop routine, correct boot checksum and write track back.
See picture beneath:
Reboot and enter AR when the game hangs. We now have the main loader in memory. Press 'R' + enter to see the registers.
Disassemble the address A3 points to (start of loader) and look out for jumps:
We have a jump at address 5AD2 to (A0). A0 will point to your expansion memory, and the main program will be located here. We need to take this jump over and patch the main program. We do this by altering the 'JMP (A0)' to 'JMP 100.S' and locating a crack patch at address 100. The JMP instruction we want to insert is two bytes longer than the original code, so we have a small problem, or have we?
The routine starting at address 5AD4 is only executed if you have 512KB chip mem and no expansion memory.
Try executing it with: G 5AD4. You'll see something like this:
If we insert three NOPs after the 'JMP 100.S', the routine will still work. Even though it will never be used...
A3 points to start of loader, so we can use it to find the number to add to A3, so A3 points to the instruction we want to change:
Subtract 59E8 (start of loader) from 5AD2 (the jump we need to alter) = EA. The first two NOPs must then be located one long word further on, EA+4 = EE. The last NOP must be at EE+4 = F2.
We need the opcodes for 'JSR 100.S', as we have to insert this instruction using the opcodes. Assemble address 5AD2 and insert a 'JSR 100.S'. Then see the opcodes using 'M 5AD2'.
Reboot and enter AR when the game hangs. Check that 'JMP (A0)' is still located at address 5AD2. If so, stick a breakpoint on this address: 'BS 5AD2'.
Execute the loader: G 59E8. When the main program has been decrunched, AR will pop up, due to our breakpoint.
When this happens, press 'R' to see the registers. A0 will point to the start of the main program.
All game files are crunched with a custom cruncher, with the ID 'ATN!'. We want to access the decrunched copylocks, so let's find the decrunch routine...
Search for the string 'ATN!': 'FS "ATN!",C00BB8'. AR returns four addresses. Disassemble the first one and hold enter down till the bottom of the screen has been reached. Scroll up again and stop when the beginning of the routine appears:
The decrunch routine starts at address C03C54. We are interested in what happens AFTER this has been called. See what calls the decruncher: 'FA C003C54 C00BB8'
You will receive A LOT of addresses, many more than shown above. The next step is simple: start inserting breakpoints at the addresses that call the decruncher. When AR activates, check address 400 and see if the copylock has been decrunched.
To help you a little, I'll tell you the correct address: C00E6C.
Now we need to find some suitable code, we can replace with a jump to our crack patch, which patches the copylock and then restore the code we alter in main program.
Disassemble address C00E6C and hit enter a few times. We have a jump at address C00E84 to address C03B16.
Disassemble address C03B16 and hit enter a few times.
Address C03B28 is very suitable, as the copylock has been decrunched at this stage but not executed yet. This code can also easily be restored in our patch. Subtract the start of the main program from address C03B28 (the address we want to patch): '?C03B28-C00BB8' = 2F70. This is the number we have to add to A0 so it points to the code we want to alter.
Stick a breakpoint on address C03B28: 'BS C03B28' and exit AR.
When AR pops up, search for the original encrypted opcodes in the copylock: 'F D6 31 C7 85'.
AR will return address 822.
As you can see in the picture above, first long word of new encrypted opcodes should be inserted at address 822 and second long word at address 826.
When level two is loaded, a new copylock routine will be loaded in, but that?s no problem, as the main program remains unchanged and will just call our patch.
We will have a little problem at level three though, because copylock routine is located at address 402 instead of 400.
This only applies to level three, for some strange reason. The 'RTS' before the copylock is also very strange; it's as if this copylock is not executed at all. Try playing till level three and disassemble address 400 when the breakpoint activates. Notice the 'RTS', which only appears at this level.
Also notice that the original opcodes have 'moved' to addresses 824 and 828. We have to take this into account when we make the crack patch.
We also need to patch address C03B28 so it calls our crack patch. We do this by inserting a 'JSR 10A' at address C03B28 and restoring the code we remove in our patch. Assemble C03B28 and insert 'JSR 10A'.
See opcodes with ? M C03B28 ?. We should now be armed with all necessary addresses, to make the patch.
Insert the copy of disk 1 and read the boot block into memory, starting at address 70000: RT 0 1 70000.
See the contents of the boot block: 'N 70000' + enter.
We have plenty of spare bytes here for the patch and a copy routine to move it into memory.
Start by changing the loop we made from 'BRA 70066' to 'BRA 700C0', see picture beneath.
We'll then locate the copy routine + patch for the main loader at 700C0.
Assemble 700C0 and insert the above code.
Explanation:
700C0; locate patch at address 100
700C6; copy from offset $100 on disk
700CA; amount to copy
700CE; copy
700D0; copy
700D4; patch main loader to jump to address 100 instead of (A0)
700DC; NOP out the code after 'JMP 100.S', so the 'you don't have enough memory' routine will still work
700E4; see above
700EA; execute loader
Assemble 70100 and enter the patch code:
Explanation:
70100; patch main program, so it jumps to address 10A
70108; execute main program
7010A; restore code we removed in main program
7010C; restore code we removed in main program
7010E; check if original encrypted opcodes appears at address 822
70116; if true (all levels, except level 3), branch to 70116 and patch copylock
70118; if not true, check if original encrypted opcodes appears at address 824 (level 3)
70120; if true, branch to 70136 and patch copylock
70122; return. This is a safety measure: if our patch is called for no reason, it will just return without modifying anything
70124; patch copylock (except level 3)
7012C; patch copylock (except level 3)
70134; return after patching
70136; patch copylock at level 3
7013E; patch copylock at level 3
70146; return after patching
Correct the boot block checksum: 'BOOTCHK 70000' + enter.
And finally, write the track back: 'WT 0 1 70000'.
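The BOOTCHK step exists because Kickstart refuses to run a boot block whose checksum no longer matches after the bytes have been edited. The following Python is an added example, not code from the original tutorial, from Team 17 or from the Action Replay cartridge; it implements the documented Amiga boot block checksum (one's-complement sum of the 256 big-endian longwords with the checksum field treated as zero, then complemented) plus the 'DOS' signature test, and runs it over a constructed 1024-byte sample block.

```python
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4     # longword 1 of the boot block holds the checksum


def bootblock_checksum(block: bytes) -> int:
    """Return the checksum Kickstart expects to find in longword 1.

    The ROM adds all 256 longwords with end-around carry (one's-complement
    addition), treating the checksum field itself as 0, then complements
    the result. That is the value BOOTCHK writes into the block.
    """
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if off == CHECKSUM_OFFSET else struct.unpack_from(">I", block, off)[0]
        prev = total
        total = (total + word) & 0xFFFFFFFF
        if total < prev:        # carry out of bit 31 wraps back into bit 0
            total += 1
    return (~total) & 0xFFFFFFFF


def fix_checksum(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum field."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


def is_bootable(block: bytes) -> bool:
    """True if the block passes both ROM tests: 'DOS' signature and checksum."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


# Constructed sample block (not taken from any real disk): 'DOS\0' header,
# zeroed checksum field, the usual root-block pointer 880 in longword 2,
# and two NOPs ($4E71) standing in for boot code.
sample = bytearray(BOOTBLOCK_SIZE)
sample[0:4] = b"DOS\x00"
struct.pack_into(">I", sample, 8, 880)
sample[12:16] = b"\x4e\x71\x4e\x71"
sample = bytes(sample)

if __name__ == "__main__":
    print("before fix bootable:", is_bootable(sample))
    print("after fix bootable: ", is_bootable(fix_checksum(sample)))
```

Running the script on a block whose code bytes you have edited (the BRA change at 70066, the copy routine at 700C0) shows the checksum failing before and passing after the fix, which is the same check Kickstart performs on track 0.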
Dedicated to sweet sweet Victoria
Rob