Puzznic
© Ocean
© Taito
1990
You will need the following:
1. Original game, or a disk image
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks – find them in your local Amiga store
6. ARIV – find it on romshare.net
7. Kickstart 2.0
Start by making a copy of the original game disk. You'll notice an error on track 0, so we are probably dealing with a disk-based protection. Let me surprise you all: it's a copylock…
The game loads an encrypted file into memory. The copylock runs; if it passes, the file gets decrypted, if not…
Let's start by ripping off the copylock, so we can decrypt it and determine how to get the copylock key.
Start the copy of the game and enter AR when the copylock runs. You can see it when the track counter moves to 0, or when you
hear the drive grinding sound. Search for the copylock: F 48 7A. AR returns three addresses.
The copylock and the encrypted file start at address 22F00.
Insert a blank disk and save the copylock: SM COPYLOCK,22F00 30000. We don't need an exact end address; the copylock routine itself ends long before 30000.
Start ARIV and enter with right mouse. Insert disk with saved file and load it into memory, starting at address 50000:
LM COPYLOCK,50000
Enable the RNC decrypter: ROBD.
We are interested in the “second part” of the copylock. Disassemble 50000 and stop when this appears:
The routine starts at address 507E2, and it decrypts the file if the copylock key is correct. When it does this, D0 is modified and we can't read out the copylock key.
We can get around this by inserting a lot of zeros at the start of the routine.
See the opcodes for the routine, so we can find this point again: M 507E2. Take note of the first long word.
Boot the original game and enter AR BEFORE the copylock is executed. Search for the opcodes you took note of:
F 0E AB 9E A8, 22F00. If the file is in memory, you will receive address 236E2. If you don't get this, exit AR, continue loading for a few seconds, and try again.
Type M 236E2 to see the opcodes. Replace them all with zeros, see the picture above. When done, press enter and exit AR.
This will make the copylock crash, so enter AR when the Amiga crashes. Press R to see the registers:
Your Amiga might be crashing, but the copylock key is sitting in D0, just waiting for you.
We'll crack the game by wiring the key into the encrypted part of the copylock. When the copylock gets the correct key, it will decrypt the file and voilà.
Start ARIV and load saved file into memory, starting at address 50000: LM COPYLOCK,50000
Activate RNC decrypter: ROBD
Disassemble address 50000 and stop when this appears:
Address 503F2 is the one we are interested in. This code appears in most copylocks, and it's here we'll wire in the copylock key. After inserting the copylock key, we branch to the second part of the copylock, which decrypts the file. This also skips the disk accessing part, so no drive grinding sound anymore.
Continue disassembling a few lines further. You'll notice a BRA at address 5043C; this BRA also appears in most copylocks, and it branches to the “second” part of the copylock, as mentioned earlier. We can either branch directly to 507E2 or to 5043C, it makes no difference. Today, let's choose 5043C.
We wish to alter the opcodes at 503F2, but before we do this, take note of the existing opcodes. These can then be used to locate the opcodes later on. See the opcodes: M 503F2
Assemble address 503F2 and insert the code you see in the picture beneath. We only do this so we can see the new opcodes. Type M 503F2 to see the new ENCRYPTED opcodes. We are still in ROBD mode, so normal code will appear as encrypted code.
I have marked the new opcodes with red in the above picture.
Next step, is to replace the old opcodes with our new ones.
Start the copy of the game and enter AR when it begins to load. Press D to disassemble the current memory. It seems we are in the 60000 area of memory. Search for jumps into the encrypted file, starting at address 60000: FA 22F00,60000.
AR returns address 60012.
Set a breakpoint at this address and exit: BS 60012. When the game wants to execute the file, AR pops up.
When the breakpoint triggers, search for the opcodes: F 3F 0E B5 80,22F00. AR returns address 232F2. See the opcodes with M 232F2.
The original opcodes are marked in red. We are going to patch the copylock in memory instead of altering it on disk. Therefore, divide the new opcodes into two long words, which we can move into the copylock using the MOVE.L instruction.
The first new long word is marked in green, the second long word in yellow. Take note of the addresses and corresponding opcodes.
Can you remember we had a JMP 22F00 at address 60012? This jumps into the file we wish to alter. Let's take over this jump, make it jump to address 100 instead, and put a crack patch at this address. The jump is located at track 70; read it into memory, starting at address 30000: RT 8C 2 30000. Disassemble 30000 and hit enter a few times:
We have the JMP 22F00 at address 3003A. Assemble 3003A and insert a JMP 100 instead. Write the track back:
WT 8C 2 30000. See picture above.
Let?s see, if we have spare bytes on the boot block for a crack patch. Read boot block into memory, starting at address 70000:
RT 0 1 70000. See contents of boot block: N 70000 + enter a few times.
Plenty of space here. Let's put the patch at $100, and a copy routine to move the patch into memory at address C0.
Disassemble the start of the boot code, so we can find a way to call the copy routine: D 7000C
Address 5C jumps into the data that the original loader moves into memory. Let's change this to BRA 700C0, to call our copy routine.
Assemble 7005C and insert the BRA:
Assemble 700C0 and code the copy routine, see picture above. When done, assemble 70100 and do the crack:
Correct boot checksum: BOOTCHK 70000. And write boot block back:
WT 0 1 70000. When you boot the newly cracked game, a white screen will appear after some loading. Just be a little patient here; the file is decrypting and it takes a few seconds.
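The BOOTCHK step above exists because the Amiga boot block carries a checksum: the longword at offset 4 is chosen so that the carry-wrapping sum of all 256 longwords in the two-sector block is $FFFFFFFF, and Kickstart refuses to boot a block that fails it. The following is an added example, not part of the original tutorial or of Action Replay: a small Python tool that parses the first 1024 bytes of an ADF image, checks the DOS signature and the checksum, and recomputes the checksum after a modification. The sample boot block it builds is constructed here and is not from any real disk.

```python
"""Parse and verify an Amiga boot block (first 1024 bytes of an ADF image)."""
import struct

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors on track 0
MASK = 0xFFFFFFFF

def _wrapping_sum(block: bytes) -> int:
    # Sum all 256 big-endian longwords, folding each carry back in
    # (the ADDX-style ones'-complement sum Kickstart uses).
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > MASK:
            total = (total & MASK) + 1
    return total

def bootblock_checksum(block: bytes) -> int:
    """Return the checksum value that belongs at offset 4 of this block."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    zeroed = block[:4] + b"\0\0\0\0" + block[8:]   # checksum field counts as 0
    return (~_wrapping_sum(zeroed)) & MASK

def fix_checksum(block: bytes) -> bytes:
    """Rewrite offset 4 so the block verifies again (what BOOTCHK does)."""
    return block[:4] + struct.pack(">I", bootblock_checksum(block)) + block[8:]

def verify_bootblock(block: bytes) -> bool:
    """True if the 'DOS' signature is present and the stored checksum is valid."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    stored = struct.unpack(">I", block[4:8])[0]
    return stored == bootblock_checksum(block)

def make_sample_bootblock() -> bytes:
    # Constructed sample (hypothetical): DOS\0 header, root block 880, filler bytes
    body = b"DOS\0" + b"\0\0\0\0" + struct.pack(">I", 880)
    body += bytes(range(256)) * 4
    return fix_checksum(body[:BOOTBLOCK_SIZE])

if __name__ == "__main__":
    blk = make_sample_bootblock()
    print("sample verifies:", verify_bootblock(blk))
    tampered = bytearray(blk)
    tampered[0x100] ^= 0xFF                       # any change at $100 breaks it
    print("after edit, no BOOTCHK:", verify_bootblock(bytes(tampered)))
    print("after re-checksum:", verify_bootblock(fix_checksum(bytes(tampered))))
```

To check a real image, read its first 1024 bytes and pass them to verify_bootblock; a False result on a disk that should boot means the block was edited without correcting offset 4.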
Dedicated to sweet Victoria.
Rob
perfect crack. perfect game 🙂