Speedball II
© Bitmap Brothers
1990/1991
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store
6. ARIV
Start by making a copy of the original game disk. An error on track 0 will appear; this is the copylock track. The copy of the game will of course not work.
The fun stuff happens inside the copylock, so we'll crack this by inserting the copylock key into the encrypted code.
Let's start by getting the copylock key. Boot the original game. Press fire at the title screen to continue loading.
Approx. 5 sec. after the "LOADING GAME" text appears, the copylock is accessible in memory. It's either crunched or encrypted, because it's not to be found on disk. This means that we have to patch the copylock when it appears in memory, but before it's executed. Enter AR after the 5 sec. have passed.
Locate the copylock: "F 48 7A". AR returns addresses 15070 & 15080, a typical sign of a copylock.
Stick a breakpoint at address 15070 and exit AR: "BS 15070". When the copylock is executed, AR will pop up.
Press "R" to see the registers. Most of the "D" registers are set to #0. D3 has the value #3460; take note of this!
To get hold of the copylock key, we will put a breakpoint at the end of the copylock, so we can read out the key from D0.
If D3 has another value than #0, the key will NOT be returned in D0, so we set register D3 to #0: "R D3 0". To find the end of the copylock, disassemble address 15070 and continue disassembling until non-encrypted code appears:
The copylock ends at address 159BE with the "RTE". This also tells us that the routine is executed via an exception.
Stick a breakpoint at address 159BE and exit AR: "BS 159BE".
When the breakpoint is reached, press "R" to see the registers.
You can now read the key from D0 🙂
Now that we are here, let's have a look at how the routine is executed. I tried finding a JMP/JSR/BSR/BRA that called the copylock, but it's not that easy; there are no obvious calls. The copylock uses the value in D3 for some calculations.
This means that something must set D3 to the value #3460. Search for this value: "F 34 60".
AR returns 1, 2, many addresses… We are interested in 7C922. Let's have a look at the code around this address:
Address 7C920 moves our value to address 0. Then we have to see what the game does with address 0. Before this is done, none of the "A" registers must have the value #0, or we will get a lot of false references. See the registers: "R". A5 is = #0. Set it to #1: "R A5 1".
Then check what happens with address 0: "FA 0" + enter.
AR will return many addresses, but only 835A looks interesting. It moves address 0 into D3.
Let?s have a look at the code around address 835A:
The copylock is executed by address 836A, due to the exception it causes (look at the stack).
All that is not so important. Address 8350 is doing a "JSR 13772", very suitable for changing to "JSR crackpatch".
Address 8350 seems perfect to take over, as the copylock appears in memory but hasn't been executed yet by the "LINEF" instruction. Take note of address 8350. We also need to take note of the opcodes, as we have to restore the code back to "JSR 13772", or the game will crash, even though we make a "JSR 13772" in our crack patch.
The opcodes for "JSR 13772" are marked in the picture above + their respective addresses.
When the cracked copylock has run, we need to restore the opcodes for both the JSR instruction and for the copylock.
We do this by inserting a "JSR crackpatch" at address 8378. It will then jump to a part of the crack patch which restores the original opcodes. Take note of the original opcodes at addresses 8378 & 837C:
We still need to work out new encrypted opcodes for the copylock; this will come a little later.
Let's find a memory location for our patch and a way to move it into memory. Usually low chip is left alone, but not this time. The programmers thought it was funny to eat up lots of chip mem, especially low chip.
Have a look in high chip instead.
See the memory around address 7FA00: "N 7FA00" and hit enter a few times.
Addresses 7FA00 to 7FF00 seem to be free. This will be the location for our patch.
Read the boot block into memory, so we can find a location on disk for the patch and a way to move it to address 7FA00: "RT 0 1 70000". See the contents of it: "N 70000".
Seems like we have plenty of spare bytes. The crack patch can be located at offset $200 (70200) and a copy routine to move it into memory can be located at offset $1C0 (701C0).
The original boot code also needs to be changed, so the copy routine is called. Disassemble the start of the boot: "D 7000C":
Line 7010C is suitable to take over. Alter this to "BSR 701C0" & a "NOP", so our copy routine is called.
Also take note of the code you remove at 7010C, as we have to restore it again.
I know this call could have been inserted a lot earlier in the code, but it will cause problems for people with extra chip memory. I actually started by placing the "BSR 701C0" at line 70014 and it worked fine, until it was tested with extra chip memory. If extra chip is present, it seems like most of chip memory is cleared; hence our patch will be removed. Therefore, the copy routine has to be called AFTER memory has been cleared.
Assemble 701C0 and make copy routine:
701C0; MOVEM.L D0-D7/A0-A6,-(A7); save registers
701C4; LEA 7FA00,A0; destination address 7FA00 for crack patch
701CA; LEA 70200(PC),A1; copy from offset $200
701CE; MOVE.W #200,D7; amount to copy
701D2; MOVE.B (A1)+,(A0)+; copy
701D4; DBF D7,701D2; copy
701D8; MOVEM.L (A7)+,D0-D7/A0-A6; restore registers
701DC; MOVEA.L 84,A0; restore code we removed at 7010C
701E0; RTS; return to original loader.
Correct the boot checksum: "BOOTCHK 70000".
Write the track back: "WT 0 1 70000".
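As an added example (not part of the tutorial, and not Action Replay's own code), this is the AmigaDOS boot-block checksum that the "BOOTCHK 70000" step recomputes: the ones' complement of the end-around-carry sum of the 256 longwords in the 1024-byte boot block, with the checksum field itself counted as zero. Verifying it is how a disk tool spots a boot block that was changed without its checksum being fixed up. The sample boot block is constructed here.

```python
# Added example: compute and verify the AmigaDOS boot-block checksum.
# Boot block layout: bytes 0..3 "DOS\0", bytes 4..7 checksum, bytes 8..11 root block,
# rest is boot code. The sample block below is constructed, not read from a disk.
import struct

BOOTBLOCK_SIZE = 1024
CHECKSUM_OFFSET = 4

def _fold_sum(block: bytes) -> int:
    """End-around-carry (ones' complement) sum of all big-endian longwords."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:            # carry out of bit 31 is added back in
            total = (total & 0xFFFFFFFF) + 1
    return total

def bootblock_checksum(block: bytes) -> int:
    """Checksum value that belongs in bytes 4..7 of the given boot block."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    zeroed = block[:CHECKSUM_OFFSET] + b"\0\0\0\0" + block[CHECKSUM_OFFSET + 4:]
    return (~_fold_sum(zeroed)) & 0xFFFFFFFF

def bootblock_is_valid(block: bytes) -> bool:
    """True when the stored checksum matches: the fold-sum of the whole block is all ones."""
    return len(block) == BOOTBLOCK_SIZE and _fold_sum(block) == 0xFFFFFFFF

def fix_checksum(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum written in (what BOOTCHK does)."""
    fixed = struct.pack(">I", bootblock_checksum(block))
    return block[:CHECKSUM_OFFSET] + fixed + block[CHECKSUM_OFFSET + 4:]

def make_sample_bootblock() -> bytes:
    """Constructed OFS-style boot block: 'DOS\\0', zero checksum, root block 880,
    then filler bytes standing in for boot code."""
    body = bytes((i * 37) & 0xFF for i in range(BOOTBLOCK_SIZE - 12))
    return b"DOS\0" + b"\0\0\0\0" + struct.pack(">I", 880) + body
```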
Patch will now be loaded to address 7FA00 upon game boot. But how to call the patch?
Reboot the game and let it load. When loading stops, enter AR. Press "D" + enter to see where in memory we are.
Seems like we are somewhere in the 7Cxxx area of memory. The game is now decrunching the main file. It probably executes the decrunched data with a "JMP". Scan memory for signs of jumps: "F 4E F9,70000". AR returns address 7C97E.
Disassemble address 7C97E and hit enter. It jumps to address 84. Stick a breakpoint at 7C97E and exit AR, see the above picture. When AR pops up, disassemble address 8350 to see if the "JSR 13772" (we need to take over this) is decrunched.
Yep, it's decrunched. We need to find this jump on disk and make it jump to our crack patch at address 7FA00.
Read out a chunk of the disk, starting at address 10000: "RT 0 40 10000".
Search for the jump, starting at address 10000: "FA 84". AR returns eight addresses, but only the last one at 5D57E is interesting. This equals the address we breakpointed.
Assemble 5D57E and insert a "JMP 7FA00" & write the tracks back, see the picture above.
We now need to work out new opcodes for the copylock.
Start ARIV and boot the original game. Enter ARIV right after boot, using RMB. Disable exceptions to avoid undesired pop-ups: "ALLEXC". Exit and continue loading. When the presentation appears, enter ARIV. We know the copylock appears when the game reaches address 8350 (JSR 13772). Assemble and insert the code marked in the picture beneath:
When address 8350 is reached, the background will turn green and the game will loop. Exit and wait for the screen to turn green.
Enter ARIV and enable the RNC decrypter: "ROBD".
The copylock started at address 15070; disassemble and look for a location to wire the copylock key in:
The disk-accessing part and the calculations of the copylock key are done within the code from address 1549C to 154E2.
Registers are saved by the code at address 1549C. Address 154B0 is a good place to wire the key in, as no disk routines have been called yet. We wire the key into D0 and then branch to address 154E2.
Disassemble a bit further:
Address 154E0 moves the key from D6 to D0 (we skip this part) and the registers are restored at 154E2, our branch address. Address 154E6 branches to the second part of the copylock.
Take note of the original opcodes and their locations in the copylock, marked in green above.
Assemble 154B0 and insert the code you see above. After that, take note of the new opcodes and their memory location.
We should now be ready to make the patch. Read the boot block from the copy of the game into memory, starting at address 70000: "RT 0 1 70000". Assemble 70200 and code the patch:
70200; MOVE.L #4EF90000,7C97E; restore jmp at 7C97E, main jump to patch, original "JMP 84"
7020A; MOVE.W #84,7C982; restore jmp at 7C97E, main jump to patch, original "JMP 84"
70212; MOVE.L #4EB90007,8350; replace JSR 13772 with JSR 7FA28
7021C; MOVE.W #FA28,8354; replace JSR 13772 with JSR 7FA28, jsr to part of patch, that cracks copylock
70224; JMP 84.S; jump we took over
70228; MOVE.L #4EB90001,8350; restore jsr at 8350 to its original state
70232; MOVE.W #3772,8354; restore jsr at 8350 to its original state
7023A; JSR 13772; jsr we took over
70240; MOVE.L #F9E1E450,154B0; wire first long word of new opcodes into copylock
7024A; MOVE.L #10F9847A,154B4; wire second long word of new opcodes into copylock
70254; MOVE.L #4EB90007,8378; jump to patch after copylock run, and restore opcodes
7025E; MOVE.W #FA68,837C; jump to patch after copylock run, and restore opcodes
70266; RTS; return; run copylock
70268; MOVEA.L #1BBEE,A0; code we removed at 8378
7026E; MOVE.L #207C0001,8378; restore code we removed at 8378
70278; MOVE.W #BBEE,837C; restore code we removed at 8378
70280; MOVE.L #B8DD9C78,154B0; restore original opcodes in copylock
7028A; MOVE.L #DFD3EC79,154B4; restore original opcodes in copylock
70294; RTS; return, continue game as nothing had happened 🙂
The patch will take over the game code, crack the copylock and then restore all opcodes to their original values after the copylock has run.
Correct the boot checksum: "BOOTCHK 70000".
Write the track back: "WT 0 1 70000".
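The patch above writes each 6-byte instruction as one MOVE.L plus one MOVE.W of raw immediates, and the patch is copied from 70200 in the boot block to 7FA00 in memory, so the JSR targets 7FA28 and 7FA68 are offsets 70228 and 70268 relocated. As an added example (not part of the tutorial), the small decoder below turns those immediates back into the 68000 instructions they encode and checks the relocation arithmetic, so the constants can be verified before the track is written back. It only knows the absolute-address opcodes used on this page (JSR/JMP abs.L, JMP abs.S, MOVEA.L #imm,A0); anything else is reported as unknown.

```python
# Added example: decode the raw longwords the patch writes into 68000 instructions
# and compute the boot-block -> memory relocation used by the copy routine.
import struct

PATCH_DISK_ADDR = 0x70200    # where the patch sits in the boot block buffer
PATCH_MEM_ADDR = 0x7FA00     # where the copy routine moves it in chip memory

# opcode word -> (mnemonic, operand size in bytes); .L forms carry a 32-bit address,
# .S/.W forms a sign-extended 16-bit one.
_OPCODES = {
    0x4EB9: ("JSR", 4), 0x4EF9: ("JMP", 4),   # JSR/JMP abs.L
    0x4EB8: ("JSR", 2), 0x4EF8: ("JMP", 2),   # JSR/JMP abs.S
    0x207C: ("MOVEA.L", 4),                   # MOVEA.L #<32-bit imm>,A0
}

def relocated(disk_addr: int) -> int:
    """Memory address of a patch byte that lives at disk_addr in the boot block."""
    return disk_addr - PATCH_DISK_ADDR + PATCH_MEM_ADDR

def decode(code: bytes):
    """Decode one instruction; returns (text, length_in_bytes)."""
    if len(code) < 2:
        return ("<truncated>", len(code))
    op = struct.unpack(">H", code[:2])[0]
    entry = _OPCODES.get(op)
    if entry is None:
        return (f"<unknown opcode {op:04X}>", 2)
    mnem, size = entry
    if len(code) < 2 + size:
        return (f"<truncated {mnem}>", len(code))
    fmt = ">I" if size == 4 else ">h"
    val = struct.unpack(fmt, code[2:2 + size])[0] & 0xFFFFFFFF
    if mnem == "MOVEA.L":
        return (f"MOVEA.L #${val:X},A0", 2 + size)
    suffix = ".L" if size == 4 else ".S"
    return (f"{mnem} ${val:X}{suffix}", 2 + size)

def patch_bytes(longword: int, word: int) -> bytes:
    """Bytes produced by 'MOVE.L #longword,addr' followed by 'MOVE.W #word,addr+4'."""
    return struct.pack(">IH", longword, word)

def decode_patch_write(longword: int, word: int) -> str:
    """Instruction the pair of immediates in the patch listing encodes."""
    return decode(patch_bytes(longword, word))[0]
```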
Testing by the very fat & ugly Yuggi Bear.
Dedicated to ALE - but don't tell anyone…
Rob
Hi there,
How did Crystal do the decryption of the copylock back in the day then, without ARIV? Is there a manual method of achieving this, basically doing what the RODB function inside ARIV does? Or did they write their own program(s) to help decrypt? Basically, in this tutorial I'm wondering how somebody without ARIV would calculate that the opcodes at 154b0 – B8 DD 9C 78 become 154b0 – F9 E1 E4 50 and the opcodes at 154b4 – DF D3 EC 79 become 154b4 – 10 F9 84 7A.
Thanks
True, but doing a ‘decode crack’ is 100% on this game since it acts 100% like the original (i.e. doesn’t work under AGA). An AGA-fixed version would be a 101% crack, I guess 😉
Doing a decode crack on the Copylock means this crack won’t work on AGA machines. To crack it 100% you need to modify the game like the Copylock does and stop the Copylock from ever running.
Great little game for its time!
Hehe 🙂
ICECREAM!! ICECREAM!! … sorry couldn’t help myself 🙂
This is still one of the funniest games out there. Love it.