WolfChild
© Core Design
How to crack without a hardwired key.

What you need:
- Original/SPS release game
- AR3 cart. or ROM image
- Some copy program like BurstNibbler
- A few blank disks
This txt is based on a plain A500 with slow mem. expansion at $C0000.
I have already written a tutorial on cracking this game by hardwiring
the copylock key into the encrypted copylock.
This time we'll do it without that, and rather than looking much at the
copylock itself, we'll look at what it is actually doing to the game.
Many copylocks just return an eight-digit value in e.g. register D0, and
the game then checks for that value and crashes if it is not
correct. This copylock does much more. It changes the game code in
several places and returns the key in a memory address.
Start by making a copy of the game. The copier reports an error on disk 2,
track 0. This is the copylock track.
Let us have a little look at the copylock routine. Boot disk 1 and
enter AR when the game requests disk 2.
(The copylock should have been loaded into memory by now, as the protection
track is on disk 2.)
Copylocks start by pushing a memory address onto the stack with the
instruction PEA. Search for the hex bytes of PEA
to locate the copylock routine: "F 48 7A". AR returns addresses 16882 and
16892. The first address is the start of the copylock.
Try disassembling 16882 and hit enter a few times. The routine uses the
ILLEGAL vector 10 to execute itself. Notice from
address 168B6 how a lot of values are moved onto the stack. This is
still the non-encrypted part of the copylock.
All these values are plain code and are called by a Trace Vector
Decoder. Disassemble a bit further:
At address 168F2 it moves the stack into trace vector 24 and then messes
with the Status Register, which causes the Miggy
to execute what is stored in the trace vector. The encrypted part of the
copylock starts at address 16902; take notice of the
odd code.
Let's have a look at the stack where all these opcodes were moved
to. Press M 24 + enter:
The stack was saved at $24 and it points to address 1FAE4. Disassemble
this address and hit enter a few times. Part of
the TVD now appears, which starts to decrypt the first instruction (16902)
of the encrypted code. Try inserting a breakpoint
at the end of it, at address 1FB08, exit AR and wait for it to pop up. When
it does, disassemble address 16902.
Notice how the instruction has been decrypted. It will then be
executed, re-encrypted, and so on with the next instruction
in the encrypted part.
Back to the actual work.
A fairly easy way to find the changes done to the game code is to copy the
whole memory into expansion mem. before
the copylock is run and insert a breakpoint at the end of it. When the copylock has
finished, the changed memory can be compared
with the original memory.
But, before doing so:
Reboot the game and enter AR when it asks for disk 2. Insert a breakpoint
at the start of the copylock: BS 16882, and at the end: BS 171BC.
When the copylock runs, it uses a lot of work
memory, causing many useless and annoying changes to memory, which makes
our compare harder.
To avoid this, change the stack pointer to address 7E000, and then exit
AR to let the copylock run. It will still change the game code
as it should, but all its work memory is now located "far away" from the game
code, and we have much less to check.
Follow the above screen: enter AR when asked for disk 2, insert
breakpoints at the start and end of the copylock, exit AR. When the
first breakpoint is raised, copy chip mem. to exp. mem., set A7 to 7E000
and exit AR.
When the last breakpoint activates, compare chip mem. with the copy of chip
mem. in slow mem:
Quite a few changes. The first addresses are still just junk mem. from the copy
of the copylock (like MOVE.L (A7),10).
The first real change is at address 60, where the serial nr. is stored, which is
very common. Take note of the eight-digit nr.
When you go on to check the next addresses, erase the addresses you have already
checked from the list. It makes it easier to keep
track of things.
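The before/after compare above, and the trick of pushing the copylock's work memory out of the way so it can be ignored, can be done mechanically on two memory dumps. This is an added example, not code from the original tutorial; the two 64 KB images and every value in them are constructed here (the serial and the scratch area at $FF00 are made up), and only the RTS/BRA.S recognition follows what the text describes.

```python
"""Snapshot diff for finding code a self-modifying protection routine
changed, mirroring the chip-mem vs. slow-mem compare done in AR above.
Added example; sample images are constructed, not dumped from the game."""

RTS = b"\x4e\x75"          # 68000 RTS opcode

def diff_snapshots(before, after, base=0, ignore=()):
    """Return [(addr, old, new)] for each contiguous run of changed bytes.
    `ignore` holds (lo, hi) address ranges to skip, i.e. the relocated
    copylock work area, so its scratch writes do not clutter the list."""
    assert len(before) == len(after)
    changes, start = [], None
    for i in range(len(before) + 1):
        addr = base + i
        diff = (i < len(before) and before[i] != after[i]
                and not any(lo <= addr < hi for lo, hi in ignore))
        if diff and start is None:
            start = i
        elif not diff and start is not None:
            changes.append((base + start, before[start:i], after[start:i]))
            start = None
    return changes

def describe(new):
    """Rough label for a changed run: an inserted RTS, a short branch
    (BRA.S, opcode $60 + 8-bit displacement), or plain data such as a serial."""
    if new.startswith(RTS):
        return "RTS inserted"
    if len(new) >= 2 and new[0] == 0x60 and 0 < new[1] < 0xFF:
        return "BRA.S over %d bytes" % new[1]
    return "data"

def build_sample():
    """Constructed 64 KB images: game code filled with MOVEQ #1,D0 ($7001),
    then the kinds of edits the tutorial finds, plus scratch writes at $FF00
    standing in for the work memory moved up to 7E000 on the real machine."""
    before = bytearray(b"\x70\x01" * 0x8000)
    after = bytearray(before)
    after[0x60:0x64] = b"\x12\x34\x56\x78"     # serial stored at $60 (made up)
    after[0x75A:0x75E] = RTS + b"\x00\x00"     # RTS + #0000 over game code
    after[0xA30A:0xA30E] = RTS + b"\x00\x00"
    after[0xF000:0xF002] = b"\x60\x0a"         # BRA.S skipping junk code
    after[0xFF00:0xFF40] = b"\xaa" * 0x40      # copylock scratch (ignored)
    return bytes(before), bytes(after)

if __name__ == "__main__":
    b, a = build_sample()
    for addr, old, new in diff_snapshots(b, a, ignore=[(0xFF00, 0x10000)]):
        print("%06X: %s -> %s  (%s)" % (addr, old.hex(), new.hex(), describe(new)))
```

On real dumps, pass the chip-mem copy and the post-copylock chip mem as `before`/`after` and put the region above the relocated stack in `ignore`.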
The next change is at address 75A. As the above picture shows, a longword
of opcodes has changed. The copylock has overwritten
some game code with an RTS and #0000, which would otherwise have crashed
the game. Take note of the new opcodes.
Go check the code yourself, and you'll see the above opcodes have been
inserted at addresses:
75A, 74EC, 7DD0, A30A, A3CE, FDD4 and 10E26.
The next several addresses are just work mem. from the copylock. There are
some changes from address 17B34-17B38
which I am not sure are important. They differ from time to time when the
copylock is run, so they might not matter.
But just to be sure, we'd better include them anyway, so take note of
the changed memory.
The last set of changes is definitely also important. Here the copylock
generates two branches over some junk code that would otherwise
cause the game to crash very shortly after start.
Take note of these changes too, see above.
With all values now known, a crack patch can be made. The copylock routine
is stored in an RNC (ProPack) data file with a
non-standard decruncher. This
means that the decrunch routine needs to be patched. I won't go into details
on this;
see the commented pictures below for a little info. There is also
an ADF file for download at the top of this txt.
Just download it, read the boot into mem. and write it back to a fresh copy
of disk 1. Then you do not have to code it yourself.
When you have coded the patch or installed the supplied boot, you have a
fully cracked game, without any hardwiring
of the copylock key.
Rob
Thanks for the feedback guys 🙂
Good tut
Excellent tutorial, an inspiration to all.
Ahhh this comes really great!!
The inner workings at last explained!!!
No one can say now you don't know what you do when
cracking!