Robocop – Ocean Software (1987)
————————————————–
This time we need:
1. Robocop disk or CAPS
image
2. Amiga or WinUAE emu
3. Action Replay cartridge or ROM
4. Some cans of Red Bull and good music
In this tutorial we’re going to reverse the game Robocop.
First of all, we have to figure out about what kind of protection we’re dealing
with.
For this purpose, fire up X-Copy or any other copier, and make a copy of it.
Soon you’ll notice that the first track seems to be protected somehow.
Moving along, insert your created copy and reset the Amiga.
Hmm what the..
I’m not in mood for any meditation stuff right now so let’s get rid off it.
Hit AR, since our game screws up quite early and the trackcounter was on track
0
when it crashed, we don’t have to dig very deep into the game.
Now locate where the bootblock get’s loaded in.
FS “DOS”
Here’s what we get
It found one occurence 5C40. Scroll down a bit until you reach 5C9C “JMP (A3)”
. Note this address.
Ok now that we know these addresses, we have to figure out where the code which
causes the Amiga
to crash is loaded. Its quite obvious that we’re dealing here with the Rob Northen
Copylock protection.
So let’s search for its signature.
F 48 7A
It gives us 2 results A498 and A4A8
We have to find the exact address where this jump at 5C9C jumps to.
This means we have to find out what value is written to the register A3
To do so, i locked up execution at 5C9C by creating an infinite loop jumping
to 5C9C.
Unfortunately the instruction “JMP 5C9C” uses more bytes than “JMP (A3)”, so
it overwrites
the instruction at 5C9E.
But we’re lucky, because there’s some free space after the instruction “RTS”
at 5CA0,
which means we can shift those 2 instruction a bit.
But be aware there is a reference to those 2 instructions at 5C68 “BEQ 5C9E”,
make sure
you fix this to “BEQ 5CA2”.
Always keep in mind, that when you’re modifying the bootblock, you have to issue
the “BOOTCHK”
command. This ensures that the checksum of the bootblock is re-calculated.
You dont have to follow this part step by step, i just included it to illustrate
how i figured out the value
in A3. Additionally if i would show every step involved in modifying this piece
of code and putting it back
on disk, it would take more time than writing the whole tutorial =)
Just compare the 2 following pictures and you should understand whats going
on.
Before
After
Alright after loading the the prepared disk, we’re stuck at 5C9C in our infinite
loop. Now the
right moment has come to check register A3.
R
Nice at register A3, we see the value A498. Remember earlier in this tutorial
we figured out that
the Copylock routine start exactly there.
Since our copied disk crashes at instruction “A4A2 ILLEGAL” we have to find
out how the program
behaves when it passes this instruction when all the protection is intact.
For this reason put the original Robocop disk into the disk drive and reset
the Amiga.
Hit AR when the trackcounter is at track 0, dissassemble instruction A498.
Hmm nothing special, still the problematic routine in there. Exit AR.
Wait until the trackcounter moves away from track 0 and hit AR again. Dissassembe
once again A498
Hey whats that? The code changed!
Looks for me like a loader. Notice the “JMP 60000” at A502.
Do you think the same what i think? I assume the routine we had in there before,
was intended
to decrypt the game loader and after all this done it passes execution to the
game loader.
We need this loader! In order to do so, we gonna rip the loader and place it
on a blank disk.
The starting and the ending point in memory is what we need to successfully
dump the loader.
NQ A498
The end seems to be around ACEF, check the precise end
M ACEF
The last byte is at AD12.
Its size is 87A bytes. Dump it on a blank disk.
SM LOADER, A498 AD12
What we now going to try is, to locate the Copylock routine on disk and replace
it with
our decrypted loader.
Insert our copy and restart the Amiga. Hit AR before any loading occurs.
Read in the first tracks to memory
RT 0 2 50000
Now read in our dumped loader from disk at 60000
LM LOADER, 60000
Alright now we got the crappy one and the good one in memory.
Issue this command
TRANS 60000 6087A 50400
This command transfers our loader which is in memory at 60000 – 6087A
to location 50400 (Start of the Copylock routine). 50000 – 50399 are reserved
for the bootblock so leave it untouched.
Write it back to disk
WT 0 2 50000
Reset the Amiga. Wait a few seconds..
Ahh here comes the ocean logo. I love this company.
Dont let your steel butt getting kicked. Go and clean up the city from these
nuke addicted jerks =)
scenex – july 2004
Publication author
Hi Murphy,
When they included the RNC protection on Xenon 2 the files should have
been removed. Rob states this in the info files on the disk. ‘After
installing the protection delete the Copylock Files from the Key Disk.’
The Paranoimia version includes Keydisk.s, keydisk.obj, keydisk.inf,
protect.inf and protect. The inf files detail how the protection works
and how to install/use it. The keydisk program is the incbin into the
game and the protect program will encrypt a file or bootblock. You can
see the files from Amiga DOS, as they are not hidden.
Best regards,
Xyzzy
Hi xyzzy,
Thats hilarious!, did they mean to leave all that interesting text on
disk?, or did everytime you used copylock it dumped usefull info on disk
:)(sure it didnt when I played around with RNC copylocking a disk I had
many moons ago)
Are you also saying there are usable utilities hidden on disk too, that can be run?
Cheers again 🙂
Hi Murphy, This copylock uses the data on the original to decode the encrypted loader. Check out RNWARP by Ferox to see the different encoding techniques and the associated keys. There are more than one type of copylock. Some of the tutorials (Beach Volley, TVD decoder – Altered Beast) are on games where the coder has utilities supplied by RNC to incbin the check into the game. Check out the original or Paranoimia version of Xenon 2 for the utilities which were left on the disk. The RoboCop one is more like the copylocks on Bio Challenge and Future Basketball… Read more »
Thanks for that xyzzy, I have managed to successfullly go through the tutorial using 1620 versions. My copylock address varied slightly and so did the loader start end address? (Maybe my config?) but all went well. This may sound simple, but can I confirm that basically the way this protection works is it uses the magic copylock key on the original to decrypt the loader correctly, so using copy produces wrong key resulting in decrypted loader producing garbage = amiga bombs out. Other tutorials I’ve been through seem to just simply compare the correct key at some point which seems… Read more »
Hi Murphy,
The version of RoboCop (1989)(Ocean)[compilation Hollywood
Collection][1620] that I have has the Rob Northen on it and appears to
follow the above tutorial.
Best regards,
Xyzzy
Hi All, Could someone please provide a link where I can find the ipf for this tutorial. In the TOSEC version I have, I have 3 versions. RoboCop (1989)(Ocean)[2066] seems to have MFM protection all the way through, and not the single track mentioned above? (maybe update a tutorial for this version :)). RoboCop (1989)(Ocean)[compilation Hollywood Collection][1620] and RoboCop (1992)(Hit Squad, The)[budget][1621] have no protection at all. I did find RoboCop_3166 on another site, but this is a 2 disk version (but didnt work on my setup). Didnt think there was a 2 disk version of this game? (maybe a… Read more »