Terminator 2 ? Judgment Day

1. Original game ? find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store
6. Copylock Decoder ? find on aminet
7. Scientific calculator (built into windows) or try
this free online calculator (select HEX option)

Start with making a copy of original game disks. You?ll notice an error on
disk 1, track 0. This is probably a copylock
track.
When copy of game is started, every thing seems fine. The copylock routine is executed
when you press fire at
the title screen.
The copylock fails here, of course, but game continues to load. After a few secs,
a screen like this appears:

Hmm?
First of all, we must find magic number.
Boot original game and enter AR when the ? press fire to start ? screen
appears.
Search for the copylock: FS ? ONz ?. AR returns one address.

Disassemble address 17C5 and hold enter down, until you see something like the picture
above.
Copylock seems to end around address 20DC where the normal code starts again. Stick
a breakpoint to this address and
exit AR: BS 20DC.
Exit AR and press fire. The copylock will execute and AR pops up automatically,
when end of copylock
are reached.

Press R to see registers. Damm? We don?t have magic number in D0. A
bit newer Copylock?s often move magic number
to address 60. See address 60 with M 60. Success !!! Magic number is AE 3B 9C E3,
write this down.
Normally we would just insert a move.l #magic number in start of copylock and then
branched to end of copylock,
to crack game. But it doesn?t work, because copylock alters game code in the
encrypted part of the copylock.
We can get around this by inserting magic number inside the encrypted part of copylock.
In this way, copylock will
execute all it?s dirty tricks.
Let?s rip out the copylock and decode it.
We know copylock ends at address 20DC, but we have to find start of it. Do this
by searching for the opcodes
for ? PEA ?: F 48 7A,
AR returns six addresses. There is $10 between the two first, a typically sign of
a copylock. Copylock starts at
address 17AA.

Insert a blank disk and save copylock: SM CRY,17AA 20E2
We now have to find out where in the copylock, to insert magic number. This means,
that we have to decrypt the copylock
first. Start copylock decoder. It will first ask you for a copylock program to load.
Insert disk with saved copylock and
choose file ?cry?.

It will then ask for magic number. Type in what you ripped from address 60: AE3B9CE3
and press ok.

It will then ask for the sync, and since we have original disk, choose 89??

You will then be prompted to insert original disk in DF0: Insert disk 1 and press
ok.
You will then be asked for value of D3 register, choose $0000

A moment after, copylock decoder is finished with its work and decoded file is ready
for save. Insert disk with saved
copylock and simply press ok.
You should now have a new file called ? cry.dec ?, which is the decrypted
copylock.

Fire up AR and load the decrypted copylock into address 40000: LM CRY.DEC,40000.

Disassemble address 40000 and stop when this appears:

Address 403E6 is the one we are interested in. This is where we?ll put the
MOVE.L #AE3B9CE3,D0.
We also want to skip the disk access, so we need a BRA past the disk access after
inserting magic number in D0.
But where to branch to ?
We actually have a BRA at address 40430, this branches to the part of copylock which
moves magic number to
address 60, etc. This is the address to branch to.
See it with D 40430.

If you follow the code, you?ll see D0 moved into address 60 and D0 cleared.
Ok, assemble address 403F6 and insert following code:

This is the code we want in the encrypted copylock.
Find the opcodes for the patch, by typing: M 403E6 + enter + Esc, M 403EC + enter
+ Esc.
We need these opcodes to alter the encrypted code, so write them down.
We now know where in the copylock to insert our patch.
The encryption works by X-OR?ing data. We need the encrypted opcodes from
the longword instruction right before
our changes, our changes is at address 403E6 and the instruction before starts at
address 403E2.
So load the encrypted copylock into memory, starting at address 40000: LM CRY,40000.

We wanted the opcodes for the longword instruction on address 403E2, the address
before our changes.
Type M 403E2 + enter. Write the opcodes down marked with red.
Now it?s time to calculate the new encrypted code. Start your calculator and
XOR following:

So the new encrypted opcodes for address 403F6 is this: 84 47 56 4E 38
98.
This is the encrypted code for MOVE.L #AE3B9CE3,D0.
Next instruction is our BRA. The previous encrypted longword instruction
is 56 4E 38 98 and the BRA instruction is
6042. Let?s rewrite this to longword: 60000042
Next calculation look likes this:

If we connect the new code to one long string, it will look like this: 84
47 56 4E 38 98 36 4E 38 DA.
We simply have to overwrite the encrypted copylock code, with our new cracked encrypted
code.
Copylock is located on disk 1, track 1. Insert disk 1and read track 1 into memory,
starting at address 30000.
We have the opcodes for the instruction right before our patch. Search for it, starting
at address 30000:
F A4 7B F8 75,30000.
AR returns one address; 3138C. See opcodes with M 3138C + enter.

The previous instruction is marked with red. This was a longword instruction, so
we are interested in the data marked
with the white line. Change these opcodes to the opcodes you calculated, marked
with a green line, followed by
enter + Esc.
This will change the copylock so we wire magic number within the encrypted code,
and branches past the disk
accessing part.
Write track back: WT 2 2 30000.

Enjoy !!!
Dedicated to sweet sweet Victoria
Rob

Publication author

offline 20 years

Rob

0

Comments: 103Publics: 79Registration: 20-07-2004