Ruff ‘n’ Tumble
Renegade/Worldwide (1994)

– I used the original disk from IPF #199
– AR and/or a disassembler/debugger (no specific tutorial needed)
– an assembler (AsmOne/DevPac/Barfly…) if you want to crack from the boot.

first of all, make a copy of disk 1. the copy stops at start on a black screen.
a quick scan of the disk with X-Copy shows an error on track 1. Seems to be a disk based protection.

Take a look at the bootblock:

bingo, it’s a copylock 😉

there are several ways to find the copylock:
from AR, or by disassembling the boot (I loaded and disassembled the starter program, 11 blocks loaded starting at block 24).

quickly, I found the copylock routine by searching for pea and/or illegal instructions:

	moveq	#0,d0
	moveq	#1,d1
	lea	$110.w,a3
	pea	getvalue(pc)	; copylock : patch here
	move.l	(sp)+,$10	; copylock runs through the illegal-instruction trap
	illegal
getvalue: ...

the key is saved at $110.

just after the copylock, the starter loads the main program at $804 and decodes it with the key before starting it:

	move.l $110.w,d0 ; the copylock key
	lea $804.w,a0
	move.w #$e80,d7
.decrypt:
	move.l (a0),d1
	eor.l d0,d1 
	move.l d1,(a0)+
	rol.l #1,d0
	dbf d7,.decrypt

	jmp $804.w ; start main
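To show what the starter's loop amounts to as a cipher, here is an added Python model of it (not code from the tutorial or from the game): it mirrors the eor.l/rol.l loop over a constructed buffer, shows that the same routine encrypts and decrypts, and that the rol.l #1 key schedule repeats every 32 longwords, which is why a wrong value at $110 turns the whole main program into garbage.

```python
import struct

KEY = 0xBED7B57D  # the copylock key the tutorial reads back from $110

def rol32(x: int, n: int = 1) -> int:
    """68k rol.l: rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def xor_rol_stream(data: bytes, key: int) -> bytes:
    """Mirror of the starter's loop: eor.l each longword with d0, then rol.l #1,d0.
    XOR is its own inverse, so the same routine both encrypts and decrypts."""
    assert len(data) % 4 == 0, "the loop works on whole longwords"
    out = bytearray()
    d0 = key & 0xFFFFFFFF
    # big-endian longwords, as the 68k reads them with move.l (a0)
    for (d1,) in struct.iter_unpack(">I", data):
        out += struct.pack(">I", d1 ^ d0)
        d0 = rol32(d0)
    return bytes(out)

def keystream_period(key: int) -> int:
    """How many longwords until rol.l #1 brings d0 back to the start value.
    For a typical key this is 32, i.e. a 128-byte repeating pad."""
    d0, n = rol32(key), 1
    while d0 != key:
        d0, n = rol32(d0), n + 1
    return n

# Constructed stand-in for the main program image loaded at $804
# (no real game data here): 516 bytes, a multiple of 4 like the real loop needs.
PLAINTEXT = bytes.fromhex("4ef80804") + bytes(range(256)) * 2

# What the loader would find on disk for that image, under the real key.
CIPHERTEXT = xor_rol_stream(PLAINTEXT, KEY)

def decrypt_with(key: int) -> bytes:
    """Run the starter's loop on the constructed image with a given key at $110."""
    return xor_rol_stream(CIPHERTEXT, key)
```

With the right key the image comes back intact; flip a single bit of the key and every 32nd longword is wrong, which is exactly what a failed copylock check looks like in memory at $804.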

reboot, and with AR, break in when the picture appears.
take a look at address $110 in memory: m 110

BE D7 B5 7D

this is the copylock key.

now we have to patch the copylock with the good key,
either directly in the starter program, or from the boot after loading it and before starting it.

patch after lea $110.w,a3:

	move.l #$BED7B57D,d0
	move.l d0,(a3)	; put good key at 110
	rts ; no more copylock test

I used the boot approach, by rewriting the boot:

code added in the boot before starting the program. the program address is in a3:

loader
...
	lea	patch(pc),a0
	lea	$77c(a3),a1	; here is the copylock routine to patch
	moveq	#s-1,d7
.copy	move.b	(a0)+,(a1)+
	dbf	d7,.copy
; original code
	movea.l	8.l,a5
	jmp	(a3)		; start

patch:
	move.l	#$BED7B57D,d0
	move.l	d0,(a3)		; put good key at $110
	rts
s=*-patch

you have just enough room in the boot to put a trainer (and even a little "textro" or other tiny code)

reboot, and enjoy. Seems to work.

if you have doubts about another copylock in the "crypted" main program, put a breakpoint with AR at $804 to take a look at the decrypted code. Seems to be nothing more for this game.
we can see that the prog loads a "directory" file with the information of all the files of the game (sector position, length, disk number…): great 😉

ps: tested with the trainer by Gradius/Anthrox

heavy
11 years ago

since I have been banned and no longer have any access to the site, I no longer authorize the use of my tutorials on this site. please stop publishing them

use google translate if you don’t understand

CyberPasturmas
16 years ago

while nowadays reign the securerom etc checks, back then brains ruled! Good job man!
