Terminator
II ? Judgement Day
? Ocean
How to crack without
hardwire key.
What you need:
- Original/SPS
release game - AR3 cart. or
ROM image - Some copy program
like BurstNibbler - A few blank
disks
I already have written a tutorial on cracking this game, by hardwire
the copylock key into the encrypted copylock.
This time we?ll do it without & rather than looking much on the
copylock, then more on what its actually doing to the game.
Start by making a copy of the two disks. An error appears on track 0 /
disk1. This is the copylock track, that we can not
duplicate on a standard Amiga. The protection used is a copylock, which
is a small encrypted routine, that checks for track 0
& if it is a copy, the copylock will fail and it wont execute some
changes to the game. These changes are needed for the
game to run, without, it will crash.
First we must find out how the protection is affecting the game. Boot
up your copy, with disk 1 in DF0: and disk 2 in DF1:
Game seems to boot up just fine, intro appears & all is ok. Notice
after the ?Press Fire? screen, game seeks to track 0 or you
Can hear a drive grinding sound if using a real Miggy. This is the copylock
checking track 0. After, game continues loading &
some like this appears:
Not good..
This is not happen with original, so it must be the protection failing
the game.
Reboot with ORIGINAL game and enter AR when the ?Press Fire? screen
appears. Let us have a look at the protection.
Copylocks (newer ones anyway) often start with a PEA xx(PC) and another
PRA xx(PC) 10 bytes later.
Locate this by searching for the opcodes: F 48 7A.
We have the PEA stuff at 17AA & 17BA, this is start of the
protection. There are lots of other interesting stuff here.
Notice address 1782 checking is address 3138 is = 0. If it is NOT, it branches
to address 20DC, past the copylock.
Other interesting stuff is address 1794, which makes address reg. A0
point to address 3128, take note of this.
And final, 17A4 is setting D3 to other value than #0, a good sign that
we have a copylock that messes with game?s
memory.
Its quite interesting that game sets A0 to 3128 before running the
protection. Lets have a look at contents of this
memory area:
M 3128 + enter a few times.
We now have on screen what data this area of memory contains. Lets put
a breakpoint in start of the copylock & in the end,
to see if anything has changed around address 3128, before & after
protection has run. Set breakpoints:
BS 17AA & BS 20DC. Exit AR with X and continue game. After a little
while AR pops up, cause address 17AA has been
reached. This is BEOFRE the protection has run, so nothing has changed
yet. But it might also be a good idea to take a look
at data regs. Before & after protection run, to see if any has
changed. See regs. with R +enter. Exit AR and wait for AR
to pop up after protection has run.
When AR pops up again, see regs. again with R + Enter. All are the
same, except D3 has changed from 407F to 307F.
Take note, we must use this later on. Now look at memory around address
3128. Notice how address 3138 has changed
from #00 to #FF.. Remember game tested for this, just before running
the protection ? I?ll bet there is an instruction
in end of protection, setting address 3138 to #FF, telling the game
that protection has already been run.
Next part is the really interesting one. Notice how memory has changed
from address 313C-314C. Values before
Protection run is shown above with red and after with green. Take note
of the new values, marked with green. We need
them to emulate the protection. Question is, what the hell is game
using these changes for ?
Changes start at address 313C. Lets check if game calls this address.
Reboot with COPY of disk one and enter
AR when ?Press Fire? appears. Check if game uses address 313C: FA 313C.
AR return address 2234. Instruction at address 2234 moves contents of
313C into reg. A0 and calls this address
From 2238 with a JSR (A0). Game is using memory from address 313C-314C
as an address table.
Set a breakpoint to address 2238 & exit AR. When AR pops up, press
R + enter to see regs. Game is just about to call
The address in Reg. A0, which is 51C4C2D3, which is NOT AT ALL a valid
address. If you exit AR, the computer will
Crash. Try do the above with original game:
Notice how A0 now contains a valid address..
What the protection is doing, actually to generate a valid address
table for the game.
We are not quite finished yet, a small detail is missing. Remember
after running the protection, with original game,
D0 was #0 ? ? No copylock key was returned. Besides the address table, protection
might also return a copylock key
at a memory address & we need to check for this. Reason for
protection not return a key in D0, is that D3 is not #0
when protection is run. If D3 is set to #0 and a breakpoint is inserted
just after the protection (address 20DC), key
can be grabbed from D0 and we can search memory for it. Boot up original
game, enter AR when ?Press Fire? appears
and breakpoint address 17AA & 20DC:
Exit AR, continue game till breakpoint raises. Set D3 to #0: R D3 0. Exit
AR and wait till next breakpoint raises.
When this happens, press R to see regs. Key is now in D0. Search memory
for it: F AE 3B 9C E3.
AR return address 60, so we must remember to return key here.
Last thing needed, is the precise end address of the encrypted code
& where normal code starts, so we can branch
Past the whole encrypted part. Disassemble address 20DC (the address
game self branch to, if protection has been run more
Than once. Take a look at the code before:
Normal code starts at address 20CE, where game sets 3138 to value FF,
to indicate that protection has been run.
Take note of the end address.
Last part is writing a patch over the copylock, that emulates it as if
it was run with the original disk.
Read out the first few tracks of the disk: RT 0 A 10000. These are now in
memory from address 10000.
Locate the copylock: F 48 7A,10000. AR returns address 13BAA, there are
10 bytes till next match at 13BBA, so
13BAA is start of the routine.
Assemble 13BAA and insert the above code. It will move the correct values
into the file table (those we found earlier),
Put the copylock key at address 60 and set up reg. D3 to same value ad
after the protection has run.
Then it jumps past rest of the encryption and directly to normal code.
Write tracks back: WT 0 A 10000.
Enjoy your newly cracked game, WITHOUT and decryption at all? :)
Rob
Publication author
Yep, good work Rob – nice tut with a different method to learn 🙂
Thank mates 🙂
Excellent You just cant get any better jumps
yes ^^ that’s great,
tutos have returned, to offer
a new way of cracking, not only crack the game, but EXPLAINING what the protection is doing !!
Rob, my best saluttations for your work ^^ !!!
continue ^^, i have a lot of pleasure at reading your tutos ^^ !!!