Wolf Child
Core Design

1. Original game - find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store
6. Copylock Decoder - find here

Start by making a copy of the original game disks. You'll notice an error on disk 2, track 0. This is probably a copylock track.
When the copy of the game is started, everything seems fine. The copylock routine is executed when the game prompts for disk 2.
The copylock fails here, of course, but the game continues to load. It first crashes when level 1 starts.
This is probably because the copylock modifies memory if it passes.
First of all, we must find the magic number.
Boot the original game and enter AR when you are prompted for disk 2. Search for the copylock: FS "ONz".
AR returns two addresses.

Disassemble the second address AR returns and hold Enter down until you see something like the picture above.
The copylock seems to end at address 171BC, where it returns. Set a breakpoint at this address: BS 171BC.
Exit AR, insert disk 2 and press fire. The copylock will execute and AR pops up automatically when the end of the copylock is reached.

Press R to see the registers. Damn! We don't have the magic number in D0. Slightly newer copylocks often move the magic number to address 60. Look at address 60 with M 60. Success!!! The magic number is E0 A7 AA 07.
Normally we would just insert a MOVE.L #magic number,D0 at the start of the copylock to crack the game. But that doesn't work here, because the copylock alters game code in its encrypted part.
We can get around this by ripping the copylock and inserting the magic number inside the encrypted part of the copylock. That way the copylock still executes all its sneaky tricks.
We know the copylock ends at address 171BC, but we have to find its start. Do this by searching for the opcodes of PEA: F 48 7A,10000.
AR returns three addresses. There is $10 between the first two, a typical sign of a copylock. The copylock starts at address 16882.

Insert a blank disk and save the copylock: SM CRY,16882 171BE.
We now have to find out where in the copylock to insert the magic number. This means that we have to decrypt the copylock first. Start the Copylock Decoder. It first asks for a copylock program to load. Insert the disk with the saved copylock and choose the file 'cry'.

It then asks for the magic number. Type in what you ripped from address 60: E0A7AA07 and press OK.

It then asks for the sync, and since we have the original disk, choose 89??

You will then be prompted to insert the original disk in DF0:. Remember to insert DISK 2, since it holds the copylock track, and press OK.
You will then be asked for the value of the D3 register; choose $0000.

A moment later the Copylock Decoder has finished its work and the decoded file is ready to be saved. Insert the disk with the saved copylock and simply press OK.
You should now have a new file called 'cry.dec', which is the decrypted copylock.

Fire up AR and load the decrypted copylock at address 40000: LM CRY.DEC,40000.

Disassemble address 40000 and stop when this appears:

Address 403F8 is the one we are interested in. This is where we'll put the MOVE.L #E0A7AA07,D0.
We also want to skip the disk access, so we need a BRA after inserting the magic number in D0. But where to branch to?
We actually have a BRA at address 40442; it branches to the part of the copylock that moves the magic number to address 60, etc.
See it with D 40442.

OK, assemble at address 403F8 and insert the following code:

This code will put the magic number in D0 and branch on.
Find the opcodes for the patch by typing: M 403F8 + Enter + Esc, M 403FE + Enter + Esc.
We need these opcodes to alter the encrypted code, so write them down.
We now know where in the copylock to insert our patch.
The encryption works by XORing data. We need the encrypted opcodes of the longword instruction right before our change: our change is at address 403F8 and the instruction before it starts at address 403F4.
So load the encrypted copylock into memory, starting at address 40000: LM CRY,40000.

We want the opcodes of the longword instruction at address 403F4, the address before our change.
Type M 403F4 + Enter. Write down the opcodes marked in red.
Now it's time to calculate the new encrypted code. Start your calculator and XOR the following:

ENCRYPTED   NEW UNENCRYPTED   NEW ENCRYPTED
9ED6F875    XOR 203CE0A7    = BEEA18D2

Last two bytes:

ENCRYPTED   NEW UNENCRYPTED   NEW ENCRYPTED
9ED6        XOR AA07        = 34D1

So the new encrypted opcodes for address 403F8 are: BE EA 18 D2 34 D1.
This is the encrypted code for MOVE.L #E0A7AA07,D0.
The next instruction is our BRA. The encrypted longword right before it is 18 D2 34 D1 and the BRA instruction is 6042. Let's rewrite this as a longword: 60000042

The next calculation looks like this:

ENCRYPTED   NEW UNENCRYPTED   NEW ENCRYPTED
18D234D1    XOR 60000042    = 78D23493

The new encrypted code we have to insert at address 403F8 looks like this: BE EA 18 D2 34 D1 78 D2 34 93.
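The two calculations above follow one rule: each instruction is XORed with the four ciphertext bytes immediately before it, the key wrapping round from its first byte when an instruction is longer than four bytes. This added example (not part of the original tutorial) puts that rule in code, reproduces the tutorial's values, and shows the lesson for anyone designing such a scheme: a plain XOR chain with no integrity check lets anyone who knows the plaintext at one spot rewrite it, since the fresh ciphertext simply becomes the key for what follows.

```python
# Chained-XOR re-encryption of a patched 68000 instruction stream, as worked
# out by hand in the tutorial. Added example; the constants are the values
# the tutorial reads from memory, the chaining rule is inferred from its
# two calculations.

def xor_cycle(plain: bytes, key: bytes) -> bytes:
    """XOR plain with key, repeating key from its first byte when plain is longer."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain))


def reencrypt(prev_encrypted: bytes, instructions: list[bytes]) -> bytes:
    """Encrypt plaintext instructions so they fit the chain at the patch site.

    Key for each instruction = the 4 ciphertext bytes preceding it, so from
    the second instruction on the key comes from our own new ciphertext.
    """
    if len(prev_encrypted) != 4:
        raise ValueError("need exactly the 4 ciphertext bytes before the patch")
    stream = bytearray(prev_encrypted)  # ciphertext seen so far
    out = bytearray()
    for ins in instructions:
        if not ins or len(ins) % 2:
            raise ValueError("68000 instructions are a whole number of words")
        enc = xor_cycle(ins, bytes(stream[-4:]))
        out += enc
        stream += enc
    return bytes(out)


def decrypt(prev_encrypted: bytes, ciphertext: bytes, lengths: list[int]) -> list[bytes]:
    """Inverse of reencrypt: split ciphertext at instruction lengths, undo the chain."""
    stream = bytearray(prev_encrypted)
    plain, pos = [], 0
    for n in lengths:
        chunk = ciphertext[pos:pos + n]
        plain.append(xor_cycle(chunk, bytes(stream[-4:])))
        stream += chunk
        pos += n
    return plain


# Tutorial values: ciphertext at $403F4, then MOVE.L #$E0A7AA07,D0 (standard
# 68000 encoding 203C E0A7 AA07) and the BRA widened to a longword (6000 0042).
PREV_AT_403F4 = bytes.fromhex("9ED6F875")
PATCH = [bytes.fromhex("203CE0A7AA07"), bytes.fromhex("60000042")]


def tutorial_patch() -> str:
    """New ciphertext for $403F8 as an upper-case hex string."""
    return reencrypt(PREV_AT_403F4, PATCH).hex().upper()


if __name__ == "__main__":
    print(tutorial_patch())  # BEEA18D234D178D23493
```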
The next part is patching the game permanently. The game files are crunched, so we either have to decrunch them or patch the decrunched data before it's executed. Let's choose the patching method!
Boot the copy of disk 1 and enter AR when the CORE logo and 'Presents' appear. Let's see what it loads into memory.
Enter AR and press D to disassemble the current memory.
It seems we are in the 45000 area of memory.

Disassemble address 45000; perhaps we have something interesting here.
Yep, address 45022 jumps to 68000. Jumps are always interesting.
Disassemble address 68000 and hit Enter a few times:

Notice address 6800E; this is a typical sign of a ProPack decruncher.
Exit AR and let the game continue to load. Enter AR again when the big red Wolf Child logo appears. The file should be decrunched by now.
Disassemble address 68000 again and hold Enter down until this appears:

Notice address 684AC jumps to address 400. Sounds interesting, right?
Set a breakpoint at address 684AC, causing AR to activate when this address is reached. Exit AR and press fire to continue loading.

When AR activates, the game has finished loading data to address 400.
Disassemble address 400 and hit Enter until this appears:

Once again, the data is crunched. Look at address 4AE: it jumps to what A7 points to. This jump is actually into the decrunched data, which among many other good things also holds the copylock.
Let's set a breakpoint at address 4AE; AR will then activate when the data is decrunched, but before the game executes it.
We can then find the copylock and see what address to patch.
Insert the breakpoint: BS 4AE, and exit AR.

When AR pops up, the data is decrunched. Let's find out where to patch the copylock.
We have the opcodes for the instruction BEFORE the instruction we want to patch.
Search for the opcodes: F 9E D6 F8 75. AR returns one address: 17232. See the opcodes with M 17232.
We have to work out what address to move our new encrypted data to.
We have $10 of data to move. The easiest is to divide it into two longwords and one word.
See picture:

The red line marks the data we searched for. The white line is the first longword of new data, the yellow line is the second longword and the green line is the last word. It's a good idea to take note of this.
We now know where and with what data to patch the copylock. We also know the instruction that jumps into the decrunched data.
We could take over this jump, execute a patch that patches the copylock with our crack and then jump into (A7).
But where to put our patch? Address 140 seems to be left alone by the game, so we'll use this address.
The first thing is to alter the game to jump to address 140 instead of into (A7). This jump is located on track 59.
Read it out with: RT 76 2 30000. Disassemble address 30000 until this appears.

We have the JMP (A7) at address 304AE. We can't insert JMP 140.S here, since this instruction is two bytes longer than JMP (A7). Assemble at address 304A8 instead and insert the JMP 140.S. You'll have to take note of the code you removed from address 304A8, since we have to move it into our patch instead.
Let's see if we can find spare bytes on the boot block for our patch and a track loader to move it into memory.
Read the boot block into memory, starting at address 70000: RT 0 1 70000.
See the boot block with N 70000 + Enter.

We have plenty of space. It seems the boot code ends around address 70080. Let's move address 70000-70080 to address 70200 and put our patch at address 70280. We'll then write a new track loader that moves our patch into address 140, and moves the original boot block into address 50000 and executes it.
Start by moving the original boot code from 70000-70080 to 70200-70280: TRANS 70000 70080 70200.
Assemble at address 7000C (the boot code starts here) and insert the following code:

Addresses 7002E and 70054 can't be assembled with AR. Insert the opcodes marked in red instead, see picture above.
This code will move the first $200 bytes of the boot block into address C0. We'll put our patch at address 70280 of the boot block, so it will end up at address 140 when moved into memory.
The next part moves the original boot block into address 50000 and executes it.
Find your notes describing what part of the copylock to patch, and insert the following code at address 70280:

70280; original game code we erased when we took over the JMP (A7)
70286; moves the first longword instruction of the crack into the copylock
70290; moves the second longword instruction of the crack into the copylock
7029A; moves the word instruction of the crack into the copylock
702A2; jump into the game

Correct the boot block checksum: Bootchk 70000. Write the boot block back to disk: WT 0 1 70000.
Now, the next part is... Just kidding, you're finished now!

Dedicated to sweeet Victoria
Rob


MarzSyndrome
13 years ago

Hmmmmm, I’m having a spot of trouble with this. Everything seemed to be going as accurately as the tutorial at first until I ran Copylock Decoder. I selected the ‘cry’ file but it didn’t ask me to input a copylock key, instead skipping straight to the sync question. I went ahead after that but noticed I wasn’t getting matching hex numbers at the places specified by the tutorial. Then when I eventually did save my bootblock and tested the game, it still gurued at the start of Level 1. I have a feeling it has to do with the whole… Read more »

WayneK
19 years ago

More interesting Rob Northen tutorial than most, good read!
