Rainbird
Note: All your memory addresses could be different as the game is relocatable and
OS friendly, so only use the addresses here as a guide.
This game has both novella and copylock protections. We will ditch the novella protection
first and worry about the copylock later.
Make a copy of the game and you will notice a copylock error. Boot your copy of
the game and after much loading you will be presented with the novella protection.
Ok, so let's type something in so we can trace the memory location. Type in "flashtro"
but don't press return. Instead start AR and search for our text:
f "flashtro"
After a while AR should come back with a match, when it does hit ESC. In this case
it's returned address $c0d34c. Check the address AR returned matches your text:
n c0d34c
Cool, it matches. Ok so now we need to find what code uses our text. So let's search
memory again:
fa c0d34c
After a while it should match 2 LEA instructions, you can stop AR searching now
by hitting ESC. Make a note of these addresses, they look interesting... let's check
out the first one:
d c0c790
And hit return a few times to see some code.
Hmm... looks quite complicated and I'm lazy. So let's check out the other address
instead:
d c0c808
Aha, this one looks simpler. Ok, let's breakpoint this address and return to the
game.
bs c0c808
x
Now hit return and you should be returned to AR at the address we just breakpointed.
After the address we breakpointed there is an RTS instruction. We should trace the
program back to where it was called. Let's get the address on the USP:
r
m c16528
Ok... so address $c0c5b8 called our code. Let's check it out:
d c0c5b8
Hit return a few times. Hmm... looks like address $c0c5be is checking something. If
D0 = 0 then it will branch to the next routine. I wonder... Change the BEQ at $c0c5be
to a BRA by changing the opcode from 67 to 60.
m c0c5be
Now let's check out the routine we are BRAnching to:
d c0c5c6
Call it intuition, but the CMP at $c0c5c8 looks very interesting, because if the
comparison fails then the code branches to the RTS instruction. I wonder what would
happen if we NOP out the BNE? Like you did with the previous instruction, change
the 66 0C (BNE) code to 4E 71 (NOP).
m c0c5cc
Ok... let's exit AR and see what happens.
x
A drive grinding sound? You know what that is, don't you? It's the copylock kicking
in!! We will come to this later. First we want to make those changes we did to the
code permanent. For this we should alter the files on disk. But which one? Well...
most coders are lazy... so I think we will probably find the code in the main exe,
"weirddreams".
To do this we need to find the right location. If you want to you can reboot your
game and follow the tut through again to find the opcodes, but I'll save you the
trouble. We are looking for:
72 00 70 00 10 18 67
We need to change that 67 to 60 to force the branch. Let's have a try. Load the
"weirddreams" file into RAM (make a note of its ending address!) and search for
our opcodes.
lm weirddreams,20000
f 72 00 70 00 10 18 67,20000
AR will find the location pretty quickly. Then use the m command to change the 67
opcode into 60. We also need to insert that NOP. So step a few more addresses and
you will see the opcodes for the BNE: 66 0C. Replace these with 4E 71 (NOP).
Now delete the original "weirddreams" file and save our new one to disk. (Making
sure the disk is write enabled! 🙂)
sm weirddreams, 20000 368cc
Reset your Amiga and load the game again. Type anything at the novella screen and
hit return.
Ha! Novella protection is ditched. Ok, as soon as you hear the grinding sound of
the copylock kicking in enter AR and search for the copylock.
f "ONz"
AR should come back with a match ($c0c919 in my case); when it does you can hit
ESC to stop searching. As "ONz" is a little way into the copylock, disassemble
a bit earlier to find the signature PEA, ILLEGAL code:
d c0c8f0
Press return a little and guess what? Yup, it's a copylock. Ok now keep pressing
return until you find an RTE instruction.
Hmm... this RTE seems to be too early. Copylocks are usually longer than this. Let's
keep going... maybe we will find another RTE? 🙂
Aha! I knew there would be another 🙂 hehe. Ok let's breakpoint this address and
exit AR.
bs c0ce2c
x
The copylock will grind a little more and then AR will come up again. (If you are
running this tutorial from the original game disk the copylock key will now be in
D0!) But if you haven't got the original disk don't worry... all will become clear
very soon.
We need to find out where the copylock is going to RTE back to. So let's get the
address from the stack.
r
m c7fffa
As this is an RTE instruction the SR is also pushed onto the stack. So ignore the
first 2 bytes. In this case the copylock is going to return to $c0ce2e. So let's
take a look at that address:
d c0ce2e
The code is saving D0 to some address and then checking it with a CMPI at address
$c0ce38. What's it comparing it to? Could that be the magic number?!! It is. The
magic number for this game is: $967B7FEA
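The two byte-level tricks this tutorial relies on, the BEQ/BNE edits (67 to 60, 66 0C to 4E 71) and the "skip the first 2 bytes of the RTE frame" rule, follow from the 68000 encodings. This Python decoder is an added illustration, not part of the original tutorial; the opcode words come from the tutorial's listings, and the SR value in the sample frame is constructed.

```python
# Added illustration (not part of the original tutorial): decode the 68000
# opcode words and the RTE stack frame that the tutorial edits by hand in AR.

# Bcc condition nibble in the order the 68000 assigns it (0 = always, 1 = BSR).
CONDITIONS = ["RA", "SR", "HI", "LS", "CC", "CS", "NE", "EQ",
              "VC", "VS", "PL", "MI", "GE", "LT", "GT", "LE"]


def decode_word(word: int) -> str:
    """Decode one 16-bit opcode word: NOP and the short-branch group only."""
    if word == 0x4E71:
        return "NOP"
    if word >> 12 == 0x6:                     # 0110 cccc dddddddd = Bcc.S
        cond = (word >> 8) & 0xF              # 7 = EQ, 6 = NE, 0 = always (BRA)
        disp = word & 0xFF
        if disp == 0x00:                      # 16-bit displacement word follows
            return f"B{CONDITIONS[cond]}.W"
        if disp & 0x80:                       # 8-bit displacement is signed
            disp -= 0x100
        return f"B{CONDITIONS[cond]}.S {disp:+d}"
    return f"DC.W ${word:04X}"                # anything else: leave undecoded


def branch_target(instr_addr: int, word: int) -> int:
    """Short branch target: displacement is relative to the word after the opcode."""
    disp = word & 0xFF
    if disp & 0x80:
        disp -= 0x100
    return instr_addr + 2 + disp


def decode_rte_frame(frame: bytes) -> tuple:
    """Split a 68000 exception frame as RTE sees it: 2-byte SR, then 4-byte PC."""
    sr = int.from_bytes(frame[0:2], "big")
    pc = int.from_bytes(frame[2:6], "big")
    return sr, pc


if __name__ == "__main__":
    # The BNE at $c0c5cc (66 0C), the same word with the condition nibble zeroed,
    # and the NOP that the tutorial writes over it.
    for word in (0x660C, 0x600C, 0x4E71):
        print(f"{word:04X}  {decode_word(word)}")
    print(f"BNE target: ${branch_target(0xC0C5CC, 0x660C):06X}")
    # Constructed frame: SR value $2000 is made up, the PC is the tutorial's $c0ce2e.
    sr, pc = decode_rte_frame(bytes.fromhex("200000C0CE2E"))
    print(f"SR=${sr:04X}  RTE returns to ${pc:06X}")
```

The BEQ to BRA edit only touches the condition nibble, so the displacement byte (and hence the branch target) is unchanged, and a short branch is exactly 2 bytes, which is why a single 4E 71 replaces the BNE cleanly.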
After some help from Rob about copylocks I discovered this copylock returns the
magic number in address $24 AND at the address the A6 register points to, so we
need to emulate this when we make our patch. You can easily find this yourself
by searching for the magic number after the copylock has finished on an original disk.
Ok... so now we know that we need to patch the copylock on disk to always return the
magic number and so crack the protection. Disassemble the copylock address ($c0c8ea);
this is around the start of the routine.
You will see the game saving the A6 register and then saving all the regs. We don't
want to do this as it could mess things up later so we will BRAnch straight to our
address we found earlier ($c0ce2e).
So we will NOP out the MOVE.L A6,-(A7) instruction and then assemble our patch over
the MOVEM.L D0-D7/A0-A7,(A6) and the instructions after that. For this we will need
to know the opcodes to change.
M c0c8ea
The first 2 bytes are the opcodes for the MOVE.L A6,-(A7) that we want to NOP out:
2F 0E 4D FA FF
The first 4 bytes here are the opcodes for the MOVEM.L D0-D7/A0-A7,(A6) :
48 D6 FF FF 4D EE 00
We will replace this code with our own patch. Do you think the programmers were
lazy enough to leave the copylock in the "weirddreams" file again?
lm weirddreams, 20000
f 2F 0E 4D FA FF,20000
This will find a match and then you can hit ESC to stop searching. Now we will assemble
our patch at that address.
a 2d052
Insert the following code:
nop
Then we need to insert our patch so:
F 48 d6 ff ff 4d ee 00,20000
Then when we find the match, assemble this code at that address:
A 2d058
Move.l #967b7fea,d0 ;Magic number into d0
Move.l d0,24.s ;And in $24
Move.l d0,(a6) ;And in (a6)
Bra 2d596 ;Address of $c0ce2e (the instruction after the copylock's RTE)
Delete the original "weirddreams" file and save our new crack back to disk.
sm weirddreams,20000 368cc
Reset your Amiga and load the game again. Enter anything at the novella screen.
Notice the drive grinding? No??
Cool... now sit back and enjoy your crack of this rather odd game!
Greetz to Rob for his copylock advice 🙂
MSH
😀
Whehe, that rocks. 🙂
😀
Nice tutorial, easy to understand, with good explanations!