Ruff ‘n’ Tumble
Renegade/Worldwide (1994)

– I used original disk from the IPF #199
– AR and/or disassembler/debugger (not specific tuto)
– an assembler (AsmOne/DevPac/Barfly…) if you want to crack from the boot.

first of all, make a copy of disk 1. the copy stop at the start on a black screen.
a quick scan of the disk with X-Copy show an error on track 1. Seems to be a disk based protection.

Take a look at the bootblock :

bingo, it’s a copylock 😉

there are several ways to find copylock.
from AR or by disassembling the boot (I loaded and disassembled the starter program – 11 block loaded from block 24).

quickly, I found the copylock routine by searching pea and/or illegal instruction :

	moveq #0,d0
	mobeq #1,d1
	lea $110.w,a3
	pea getvalue(pc)	; copylock : patch here
	move.l (sp)+,$10
	illegal
getvalue: ...

the key is saved at $110.

just after copylock, starter load main program at 804 and decode it with the key before start it :

	move.l $110.w,d0 ; the copylock key
	lea $804.w,a0
	move.w #$e80,d7
.decrypt:
	move.l (a0),d1
	eor.l d0,d1 
	move.l d1,(a0)+
	rol.l #1,d0
	dbf d7,.decrypt

	jmp $804.w ; start main

reboot, and with AR, stop when picture appear.
take a look at the address 110 in memory : m 110

BE D7 B5 7D

here is the copylock code.

now we have to patch copylock with the good key
directly in the starter program or from the boot after loading and before start it.

patch after lea $110.w,a3 :

	move.l #$BED7B57D,d0
	move.l d0,(a3)	; put good key at 110
	rts ; no more copylock test

I used this way from the boot by rewriting the boot :

code added in the boot before start. address program in a3 :

loader 
...
	lea	patch(pc),a0
	lea	$77c(a3),a1 ; here is the copylock routine to patch
	moveq	#s-1,d7
.copy	move.b	(a0)+,(a1)+
	dbf	d7,.copy
; original code
	movea.l	8.l,a5
	jmp	(a3)		; start

patch:
	move.l #$BED7B57D,d0
	move.l d0,(a3)	; put good key at 110
	rts 
s=*-patch

you have just enough place in boot to put a trainer (and even a little "textro" or other tiny code)

reboot, and enjoy. Seems to work.

if you have doubt about another copylock in main "crypted" program, put a breakpoint with AR at 804 to take a look at the decrypted code. Seems to be nothing more for this game.
we can see that the prog load a "directory" file with the informations of all the files of the game (sector position, len, num disk…) : great 😉

ps: tested with the trainer by Gradius/Anthrox

0

Publication author

Users not found

Subscribe
Notify of
guest

0 Comments
Newest
Oldest
Inline Feedbacks
View all comments
heavy
heavy
11 years ago

comme j’ai été banni et que je n’ai plus aucun accès au site, je n’autorise plus l’utilisation de mes tutos sur ce site. merci de ne plus les publier

use google translate if you don’t understand

0
CyberPasturmas
16 years ago

:satisfied, while nowadays reign the securerom etc checks, back then brains ruled! God job man!

0
Authorization
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Registration
*
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password generation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

0
Would love your thoughts, please comment.x
()
x