A series of cracking articles from Usenet - Mon, Sep 26, 2022
Newsgroups: comp.sys.amiga.programmer
Path: cunyvm!ukma!darwin.sura.net!mips!mips!munnari.oz.au!newsroom.utas.edu.au!<>
From: <> (<>)
Subject: How to crack an Amiga game!!
Message-ID: <1992Jun26.054738.20843@newsroom.utas.edu.au>
Sender: news@newsroom.utas.edu.au
Organization: <>
Date: Fri, 26 Jun 1992 05:47:38 GMT
Lines: 200
So, some of you guys would like to know how to go about cracking games hey??
Well, here’s how you do it!
The first place to start is always the bootsector! The bootsector is so small that most games don’t bother having any protection at all there.
Generally (on professional productions) the bootsector will be a 1k-long raw-tracks loader… not DOS standard, of course.
..so simply rip the bootsector off and disassemble it. If you're lucky (for some nice easy work) it will only kill the DMA, INTs, etc. etc., colours, and set up the stack real low. Then it usually copies itself just up above the stack (it doesn't need to be position-dependent any more if it's been previously relocated) and will load some tracks.
Disassemble the bootcode = 30 seconds' work
If you're good enough, you won't even have to look at the routine for more than a minute to figure out where the tracks are loaded to, and how much… Now assemble the bootcode, and stick in a mouse-wait at the top. OK… run… Now hit the button on your cartridge (of course!.. why do things the hard way?) and set a breakpoint at the place where the loader will terminate and jump into the loaded tracks..
Now save out the loaded tracks to disk and get ready for stage two..
Stage two starts to become more fun! You’ve got two more options from here… either there will be another sub-loader, or this will be the main loading routine.
If it's the former, you're in for some fun over the next day or 2! What will of course occur is they will try to kill yer cartridge, lose you in the code, generally put all those great obstacles in the way… The same kind of general guidelines will apply from now on, so here they come..
a) always go from one step to another from an assembled file, ie have a binary file, incbin it, and emulate all of the conditions that have been set up to that point
b) at all times make sure that the game will work correctly from your assembled file! lotsa games are particularly good at making hidden/latent protection bugs which will multiply.
c) Always make sure that the game will run with your cartridge in, as it will save a lot of work..
d) Watch out for the cool trick of leaving the stack pointing into the middle of some crucial data (it's obvious when you know what to look for cuz no interrupts will be used conspicuously). cuz when you press your button, the data will get corrupted = messy if the data was packed and in the middle of de-packing
e) The standard trick is the trace-vector-decoder
REMEMBER THIS NAME!!!!!!
What will happen here is that the trace routine to be executed will be pushed onto the stack, and the trace-vector will be pointed to it…. you will see a load of shit just in front of the PC, and the last command will be a move to the SR to kick off the trace….
[erm, for new guys..what happens is that the trace vector code is executed after each instruction, and after the current instruction, the trace vector decodes what the next instruction will be…] [ thus all you see in front of the PC is garbage]
So you want to know the best way to get around this?? Easy! Rule 1 is Know the length! Write a routine which counts from 0 to whatever, and chuck this at the end of the trace (in place of the rte put a jump to your code - watch out for the trace taking checksums of the trace itself and the area below the stack!!). Locate the screen address if it's being displayed, and you can get your 'counter' to show you the number of repetitions of the trace… [by printing the current number of reps to the screen]
Small ones are a piece of piss, longer ones like the ones on Gods/Magic Pockets are harder, but really fun eh!? [well over 270 reps if I remember]
Of course any good TVDecoder will kill yer cartridge on its way through.. .. anyway… find out what it does…. finding out the effects is always really important… I'm too lazy to write more…
TVDecoders will be used to encrypt the disk-loaders, encrypt packers, hide some sneaky checksum routine… etc. etc…
f) Packers are always a gimme. After a while, you’ll know your packers like back of your cock, er…hand..! Most of them are junk/repeats anyway, and always easy to find where the files go to…
g) Further disk loaders are always fun. The guy has got all this memory to try to confuse you, but if he can understand it, so can you…
h) I'm getting bored of all of this…. you've gotta learn all the tricks yourself!… it's the only way. A helpful tip is look out for interrupts! Watch what will happen to the stack when you press your cartridge.. and MOST IMPORTANTLY NEVER GO TO THE NEXT STAGE OF THE PROTECTION IF YOU CAN'T RUN IT FROM YOUR ASSEMBLER AND GET IT RUNNING WITH THE ORIGINAL DISK IN THE DRIVE
hehe I nearly forgot…here’s a neat trick for all you learning crackers, what do you think this code does??
         move.w  #$4e71,pokeme    ; $4e71 is a 'nop' (for guys who don't memorise the opcode)
pokeme   bra.s   red
         bra.s   green
red      move.w  #$f,$dff180      ; COLOR00
         bra.s   red
green    move.w  #$f0,$dff180     ; COLOR00
         bra.s   green
hint - you get a green screen!!!!
Look, this is the type of 68000 trick that the other guy will try to put over your head. This type of thing is boring to a pro, but don't become frustrated, you have the rest of your life to work it out! ..you'll figure out all the tricks sooner or later…
OK,OK, so you’ve got to the main program - ALL games will have a main program of some sort or another! Right, the aim here is to gradually alter the loaders until none of the originals are used!
So this is the setup… You’ve got your main prg as a binary file, say starting at $400, stack below $400 and you’ve got all the contents of all hardware etc registers set up before you start.
If the file is big, pack it, as it will save time in the long run.. get another Amiga with loads of memory just for packing!
..this is what your ‘CRACK-SHELL’ will look like,
- kill dma, ints etc, supervisor mode (I use the division by 0 method..)
- depack main prg to $400
- set stack, all registers…. CIA are important to set up too! (this is a mistake of beginners too…) (also use the SR! - a lot of Amiga guys leave it alone..)
- Wait mouse..
OK assemble,..RUN, put original into drive and press mouse… (the game will run normally as if nothing has happened)
This is the basic shell from which alot of crackers work! Now, you’ve gotta pick up the files if it’s a multi-load (they all are nowadays…but in the old days….sigh)
OK, the idea is to figure out the loaders, rip them off and get the files… when you first see the disk-code(its LONG!) you think ?what? … ..I’m not doing that every time!
Relax, you've gotta serve your apprenticeship and become familiar with the routines. After a while you'll be able to pick out the head-steppers, drive-selectors, decoder, etc and it'll be easy to work out what's going on. (just like packers, they become a help rather than a hindrance… there are only a limited number of ways to do the loading!) Now, pick off all the files… it helps to make the trainer at this time so that you can cheat and collect all of your files the easy way OR you can pick up the loading data - THERE'S ALWAYS LOADING DATA! (ie from 'block/track… to block/track etc..) and disassemble the relevant parts of the loading routines and use his routines to load his files…
OK, you've got them, this is where all your megs come in handy!
Get the files packing on your other Amiga for a few hours, and try to pick the disk-protection… of course watch out for the obligatory checksum/ etc routine(s) to make sure that code within the game…specifically the loaders aren’t tampered with…
OK, the files are packed (shit! that was a long-wait if it was a two-disk game!) … OK
You must code a routine which merges all of the small packed files into a ‘BIGCRUNCH’ as I call it… This BIGCRUNCHER will put all of the packed files into 1 single large file and save this file out PLUS a list of all of the offsets of the individual files in the big file.
OK,OK… You're ready to go.. Include the BIGCRUNCH into your assembler CRACKSHELL… incbin… Right, include some code to copy the bigcrunch to say $c00000 if it's not used. The aim here is to run the file and get the file-loader routines replaced with your de-packer routine!!! ie.. instead of loading from disk, all the files will be depacked down from the high-ram into their proper places (YEAH! MOVE.W $DFF006,$DFF180) Thus you get a 1-meg game, and the drive will only spin when the copy-protection is working..
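A worked check for the very first step above (ripping the bootsector off), added here as an example and not part of the original post: Kickstart only runs a bootblock whose first longword reads 'DOS' and whose 256 longwords sum, with every carry added back in, to $FFFFFFFF. That holds for a custom raw-tracks loader just as for a DOS one, so a bootsector you have patched (a mouse-wait, a NOP over a check) needs that longword recomputed before it is written back to a disk. The 880 KB ADF layout, the sample bootblock contents and the patch offset are constructed for the example.

```python
"""Rip, verify, patch and re-checksum an Amiga bootblock (added example)."""
import struct

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors: the 1k the post talks about
CHECKSUM_OFFSET = 4            # longword 1 of the bootblock
ADF_SIZE = 80 * 2 * 11 * 512   # plain 880 KB double-density image (assumed layout)


def rom_checksum(block: bytes) -> int:
    """What the Kickstart strap code does: add all 256 longwords, folding each
    carry out of bit 31 back in.  A bootable block sums to $FFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("bootblock must be exactly 1024 bytes")
    total = 0
    for (lw,) in struct.iter_unpack(">I", block):
        total += lw
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1   # end-around carry
    return total


def is_bootable(block: bytes) -> bool:
    """Both tests the ROM makes before it jumps into the bootblock code."""
    return block[:3] == b"DOS" and rom_checksum(block) == 0xFFFFFFFF


def fix_checksum(block: bytes) -> bytes:
    """Recompute longword 1 so the block sums to $FFFFFFFF again."""
    out = bytearray(block)
    struct.pack_into(">I", out, CHECKSUM_OFFSET, 0)
    struct.pack_into(">I", out, CHECKSUM_OFFSET, rom_checksum(bytes(out)) ^ 0xFFFFFFFF)
    return bytes(out)


def rip_bootsector(adf: bytes) -> bytes:
    """The bootblock is simply the first 1k of a raw image."""
    return adf[:BOOTBLOCK_SIZE]


def patch_bytes(block: bytes, offset: int, data: bytes) -> bytes:
    """Overwrite part of the loader, e.g. with $4E71 (NOP) over a check."""
    out = bytearray(block)
    out[offset:offset + len(data)] = data
    return bytes(out)


def make_sample_adf() -> bytes:
    """Constructed image: DOS id, root block 880, deterministic filler as 'loader code'."""
    block = bytearray(bytes(range(256)) * 4)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)
    return fix_checksum(bytes(block)) + bytes(ADF_SIZE - BOOTBLOCK_SIZE)


def rip_patch_refix(adf: bytes, offset: int, data: bytes):
    """rip -> patch -> refix, returning the bootable state after each step."""
    boot = rip_bootsector(adf)
    patched = patch_bytes(boot, offset, data)
    refixed = fix_checksum(patched)
    return is_bootable(boot), is_bootable(patched), is_bootable(refixed), refixed


if __name__ == "__main__":
    print(rip_patch_refix(make_sample_adf(), 0x40, b"\x4e\x71")[:3])
```

The middle value coming back False is the point: a patched bootblock that still has the old checksum will not boot on a real machine, which is the first thing to rule out when a re-assembled bootsector "does nothing" from disk but runs fine from the assembler.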
Newsgroups: comp.sys.amiga.programmer
Path: cunyvm!caen!sdd.hp.com!mips!mips!munnari.oz.au!newsroom.utas.edu.au!<>
From: <> (<>)
Subject: How to crack and Amiga game2!!
Message-ID: <1992Jun27.044730.14869@newsroom.utas.edu.au>
Sender: news@newsroom.utas.edu.au
Organization: <>
Date: Sat, 27 Jun 1992 04:47:30 GMT
Lines: 52
Shit! The end of that article was cut off!! OK,OK, I was tired anyway after not going to bed for 3 days cuz of exams….
1st that example was wrong:
---------------------------
; Assemble this!
         move.w  #$4e71,pokeme    ; write a NOP over the instruction at pokeme...
pokeme   bra.s   green            ; ...but the 68000 has already prefetched this word
         bra.s   red
green    move.w  #$f0,$dff180     ; COLOR00 = $0f0, green screen
         bra.s   green
red      move.w  #$f00,$dff180    ; COLOR00 = $f00, red screen
         bra.s   red
---------------------------
The green branch is taken anyway, despite the previous line nop’ing it. (assemble just that and try it)
Anyway, that wasn't the fu*&in' point! The point is that these are the types of coding tricks that the other guy will use to try to trick you!!! To a pro, these tricks are easy, but to a new guy, they are tough!! The article I wrote yesterday was about 4 times longer than the one which you received!.. and I actually did tell you the whole method that many crackers use to jam the games!!!!!!!!!!!!!!!!! I don't know why the end of it was cut off, but I'll type it in again now!!!!!!!!!!! I can't be bothered typing out the rest of the hints which were cut off, I'll get down to the main part..
I said that what will happen is that the other guy will try to lose you in the code, but you must follow that PC until you get to the main program (there's ALWAYS a main program!!!!!!!!!!) Save the main program out to disk (sometimes 1 file, sometimes lots) and then get into your assembler and get out your CRACKSHELL and put in the code which will emulate the conditions of the machine which will allow you to run the game from the assembler..
The crackshell will do this:
- kill dma,interrupts,
- copy the bits of the game to their usual positions
- waitmouse
- set up the status of the machine which will allow the binary to run (eg, SR, hardware regs, vectors, registers, cia… EVERYTHING!!!!!)
What you should be able to do is to assemble the crackshell and run it, (the machine will be killed - insert the game disk(s)) now press the mouse button, and the game will run normally!!!!!!
I’m doing this in parts this time, goto news #3!!!!!!!
Newsgroups: comp.sys.amiga.programmer
Path: cunyvm!caen!sdd.hp.com!mips!mips!munnari.oz.au!newsroom.utas.edu.au!<>
From: <> (<>)
Subject: How to crack an Amiga game #3!!
Message-ID: <1992Jun27.051137.15404@newsroom.utas.edu.au>
Sender: news@newsroom.utas.edu.au
Organization: <>
Date: Sat, 27 Jun 1992 05:11:37 GMT
Lines: 66
OK, as was in the original posting, you’ve gotta now collect the extra files!!!!!!!!!!
look at the code to find the routines which load the files!
eg.     MOVEQ   #1,d0        ; file number... the load routine will use it
        LEA     $60000,A0    ; dest address of the file
        JSR     Load
There are two ways to collect the files
1. train the game, and play right through to the end, collecting the files with your cartridge as they load in
OR 2. rip off the loaders and decrunchers and use the other guy's own routines to get his files!! You must get his 'file info' if you want to do this!!! Write a program which accepts the inputs, and uses his routines eg…
- get start block, end block
- kill system and load the files using the original routines (don't forget to insert the original disk first)
- depack them with his routines if necessary
- restore system and save the files to your own disk
Right, you’ve got the files, now pack them with your disk packer and take a break!!!!!
OK, run the files through your BIGCRUNCHER as I described, and you will get two things out of it:1. a file which contains all of the packed files and 2. the data which says where the start of each file is within the bigcrunched file!!
now, set up your CRACKSHELL so that the BIGCRUNCH will be copied up to some spare ram…eg $c00000 if it’s not used..
Now you’ve gotta alter the main game program so that your routines will be executed instead of the original loaders. The routine that you will write will take the same inputs as the main game supplies, and has the same effect as the original routines. Assemble this program to disk, relocate it to say, $d00000, with your relocator utility (HEY! I’m gonna post the code for this tomorrow!!!!!)
Now, you’ve gotta change your CRACKSHELL so that it does this:
- kills the system
- copies the main-game file to it’s original position
- copies the BIGCRUNCH (ie all of the extra files - packed) to say $C00000
- copies your loader-emulator to say $d00000
- set up the initial conditions, as before
- POKE THE MAIN GAME FILE SO THAT IT EXECUTES YOUR ROUTINE AT $D00000
Number 6 is the most important new one. Say the original used to do this:
        moveq   #1,d0        ; file number
        lea     $60000,a0    ; dest address
        jsr     $1004        ; load routine
then at $1004 you must do this: JMP $d00000 !!!!!!!!!!!!
Thus, your routine will be executed instead of the original file-loader and the result will be that the files are still put into their required positions by your depacker routine, and the RTS at the end will continue the game on as if nothing had ever happened!!!!! (a lot of games need eg. registers to be returned with values)
goto article #4!!!!!!!!
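The BIGCRUNCH from article 1 and the loader-emulator poke from step 6 above, modelled in Python as an added example (this is not code from the posts). What the posts leave unspecified is assumed here: zlib stands in for the disk packer and its depacker, the header layout (a count, then offset/packed length/unpacked length triples as big-endian longs) is my own, the original load routine is taken to sit at $1004 and to hand the file length back in d0, and memory is one 16 MB bytearray standing in for the 68000's 24-bit address space. The only hard fact is the poke itself: JMP absolute long is opcode $4EF9 followed by the 32-bit address.

```python
"""BIGCRUNCH builder plus the loader-emulator that replaces the game's loader."""
import struct
import zlib

MEM_SIZE = 0x1000000        # the 68000's 24-bit address space as one bytearray
MAIN_BASE = 0x400           # main program goes here, stack below it (as in article 1)
LOAD_ROUTINE = 0x1004       # entry of the original file loader (assumed address)
BIGCRUNCH_BASE = 0xC00000   # 'spare ram' the packed files are copied to
LOADER_BASE = 0xD00000      # where the loader-emulator is relocated to


def pack(data: bytes) -> bytes:
    return zlib.compress(data, 9)   # stand-in for the disk packer


def depack(data: bytes) -> bytes:
    return zlib.decompress(data)    # stand-in for its depacker


def build_bigcrunch(files):
    """Merge the packed files into one blob.  Header (my layout, big-endian so a
    68000 routine could read it): count, then per file offset/packed len/unpacked len."""
    packed = [pack(f) for f in files]
    header = struct.pack(">I", len(files))
    offset = 4 + 12 * len(files)        # data follows the table
    for p, f in zip(packed, files):
        header += struct.pack(">III", offset, len(p), len(f))
        offset += len(p)
    return header + b"".join(packed)


def region_is_free(mem, base: int, size: int) -> bool:
    """The 'if it's not used' check before copying to $c00000."""
    return not any(mem[base:base + size])


def crackshell(mem, main_prg: bytes, bigcrunch: bytes) -> None:
    """Steps 2, 3 and 6 of the list above (hardware set-up left out): copy the main
    program and the BIGCRUNCH, then poke the loader entry so it runs our routine."""
    mem[MAIN_BASE:MAIN_BASE + len(main_prg)] = main_prg
    if not region_is_free(mem, BIGCRUNCH_BASE, len(bigcrunch)):
        raise RuntimeError("$c00000 is in use, pick other spare ram")
    mem[BIGCRUNCH_BASE:BIGCRUNCH_BASE + len(bigcrunch)] = bigcrunch
    # JMP $d00000 = opcode $4EF9 followed by the 32-bit absolute address
    mem[LOAD_ROUTINE:LOAD_ROUTINE + 6] = struct.pack(">HI", 0x4EF9, LOADER_BASE)


def loader_emulator(mem, d0: int, a0: int) -> int:
    """Same inputs as the game's loader: d0 = file number, a0 = destination.
    Depacks from high ram instead of touching the drive; returns the length,
    assumed to be what the original handed back in d0."""
    (count,) = struct.unpack_from(">I", mem, BIGCRUNCH_BASE)
    if not 0 <= d0 < count:
        raise ValueError("file number %d is not in the BIGCRUNCH" % d0)
    off, plen, ulen = struct.unpack_from(">III", mem, BIGCRUNCH_BASE + 4 + 12 * d0)
    src = BIGCRUNCH_BASE + off
    data = depack(bytes(mem[src:src + plen]))
    if len(data) != ulen:
        raise ValueError("depacked size mismatch for file %d" % d0)
    mem[a0:a0 + ulen] = data
    return ulen


def demo():
    """Constructed run: three fake files, a blank main program, load file 1 to $60000."""
    mem = bytearray(MEM_SIZE)
    files = [b"TITLE SCREEN " * 300, bytes(range(256)) * 8, bytes(4096) + b"END"]
    crackshell(mem, bytes(0x2000), build_bigcrunch(files))
    n = loader_emulator(mem, 1, 0x60000)
    landed = bytes(mem[0x60000:0x60000 + n]) == files[1]
    return n, landed, bytes(mem[LOAD_ROUTINE:LOAD_ROUTINE + 6])


if __name__ == "__main__":
    print(demo())
```

The emulator deliberately takes exactly the registers the game's own call site sets up (d0, a0) and hands back what the original did, which is the part of step 6 that breaks most often: a game that expects the loader to return a length or a status in d0 will run on as if nothing happened only if the replacement returns the same thing.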
Newsgroups: comp.sys.amiga.programmer
Path: cunyvm!caen!sdd.hp.com!mips!mips!munnari.oz.au!newsroom.utas.edu.au!<>
From: <> (<>)
Subject: How to crack and Amiga game4!!
Message-ID: <1992Jun27.054304.15938@newsroom.utas.edu.au>
Sender: news@newsroom.utas.edu.au
Organization: <>
Date: Sat, 27 Jun 1992 05:43:04 GMT
Lines: 71
Now, the tough part about replacing the loader routine with your one at $d00000 is that the original loader will usually leave some kind of message that it's been executed, and mostly there is some disk protection in the loader code!!!! This is where I'm becoming bored of typing all this info in, so I'll give you some general guidelines here!!!!!!!!
- watch out for interrupt routines!!!! they might be checking things!
- find out the total effect of the loader routine, emulate it
- the protection might even involve setting a CIA register a certain way!!! I’ve seen this one before!!!
- an equally good way of beating the routines is to find out the routine which detects if the loader has been run
The number of tricks which can be used here is many, you must learn to overcome these yourself!!!
OK, now you will have a completely 1-meg game!! You can assemble the CRACKSHELL and run it, and the only time that the disk will spin is when the disk protection in working!!!!!!!
NEXT STEP IS TO BUST THE DISK PROTECTION ROUTINES
When you think about it, the only real way to protect a game is to check for something which is hard to copy, like a dongle, or a disk
Thus, you have to have a routine sitting in memory to be able to do this checking, and this is the vulnerable part! All you have to do is remove this routine at this point and you've got the game cracked (as we have the files already).. easy, no?
NO!!!!!!!!!!!!!!!!!!!!!!!!!!!
This is where most of the action is!!!! Most of the effort will go into protecting this routine from removal, and not the routine itself!!!
This is where you will win or lose! This routine may be encrypted with a trace vector decoder, or there may be checks to make sure that this routine is run, it will pass some values back to the main game routines probably, there will be other routines to check that this routine is not removed. The list of methods is many!
I'd like to make some points here…
- I wrote a lot about this in the 1st article I posted, but this part was cut off… and I can't be bothered typing this stuff in again (unless you post yourself and demand it!)
- For the sake of simplicity, I didn't really mention that the file loader (which we earlier bypassed) will be very heavily protected like the copy protection routines. Very often there is no separate copy prot routine, just a hugely fortified file-loader…
- In the majority of cases, the protection code will not be seen by the programmer himself.. eg. early Rob Northen.. He will get 2 files. 1 will put the protection on the disk, the other will be incbin'ed into the game, and be jsr'ed, ..the result returned in the trace vector. Thus your job will be easier in this case, as the protection is 'modular' if you can understand that expression
As I’m not going to give you specific details of the types of things that can trick you here, I will simply give you the aim of all this!
The aim is to get to the stage where the original disk is no longer accessed!!!!!!!!!!! Thus all of the extra files will be depacked from the extra-mem and the game will work as normal!
(goto article #5!!!!!!!!!)
Newsgroups: comp.sys.amiga.programmer
Path: cunyvm!caen!sdd.hp.com!mips!mips!munnari.oz.au!newsroom.utas.edu.au!<>
From: <> (<>)
Subject: How to crack and Amiga game5!!
Message-ID: <1992Jun27.062424.16809@newsroom.utas.edu.au>
Sender: news@newsroom.utas.edu.au
Organization: <>
Date: Sat, 27 Jun 1992 06:24:24 GMT
Lines: 102
Right, so You can run the game without the original disk! Yeah! You’re nearly there!!
THE SECOND LAST STEP IS TO NOW INSERT YOUR OWN DISK LOADERS
As a cracker you’ll probably have a collection of diskloaders! Some like to use raw tracks, others like to use file-loaders
I'm a file loader freak!! The file loader will be a standard routine which only needs the name of the file to be defined, the destination address and the address where you can do DMA to
The file loader must be very nice to the game! ..not using anything or changing anything…so these are the rules
- decode the sectors into the same area that you do DMA to
- Don't touch anything other than the necessary registers… eg. the game shouldn't be able to see your loader!.. use DBF timing loops for waiting, use the 68000 to decode (though you can try using the blitter if the original used it..)… etc. etc
- make sure all registers etc are returned as the original did
- If you are a really cool guy, you will want to use the trick of loading the files into their dest. positions and depacking them back over themselves - make sure you put depack stripes in there to show how cool you are!!
Many games use file names, and a pointer to the file name itself will be given…in which case, just use the original name. Otherwise, a number will be given…let me explain.
this will be the code in the original game
        moveq   #1,d0
        lea     $60000,a0      ; (might also pass the DMA address here if it moves)
        jsr     loadit
and in the original, there will be an array of ‘file info’
(this is looking at memory..)
eg.  $0016,$009f     file 0 goes from 'block' $16 (22) to $9f
     $0100,$0106     file 1 goes from 'block' $100 to $106
     $0107,$0110     etc.
thus, the original loader would do this:
        add.w   d0,d0
        add.w   d0,d0          ; now d0 = file number * 4
        lea     data,a1
        add.w   d0,a1
now get the data
(another common fileinfo format is start-block,length of file)
We don't need to bother about this, as we have files on the disk! The solution is to use the value in D0 as the filename on the disk
eg. If d0 = 1, then the name of the file is '$0001' on the disk. This is easy to do!!!!!!! Just at the beginning of your file-loader make a small routine that constructs the name, then take its hash as normal, and load it
** How many times have you seen cracks with file names like $0001, $0002??** ** look out for it in the future, and you’ll know why!
The next step will be to get rid of your big-crunch, and get the files loading in from disk… ie. Put your disk-loader at $d00000 instead of the depacker..
THEN comes the tricky part, you must find a place to copy your own loading code into the main game somewhere. The ideal way is of course to use the area where the original routine was sitting (watch out for routines that take checksums/check bytes in this area = good protection against this), but this is not always possible.. If you can't put your routine over the original, make sure you find some area which is DEFINITELY FREE (hehe not so easy hey!).. otherwise you'll have to release a one-meg game and you've been beaten… there are two factors here: +ve is that your disk-loader is really small anyway, only a few small bytes (well under 2k anyway); -ve is that many programmers purposefully try to eat up all of the memory so that you can't fit your routines in there (I'd like to give Hybris as a bloody good example of this…)
OK..Thats it!! You have a main-file in the form of your CRACKSHELL which sets up the status of the machine and then jumps into the main file, which has been altered with your own loader, and the other protection busted out.
Put the extra-files onto the final disk! Now put your intro onto the front of the crack shell, make sure the game is coded to hell to stop lame crack-stealers from ripping you off, and yeah! nearly forgot.. put your name into the high-score table!!!!!
OK,OK Now you've got a hot crack on your hands after those few days' work, so spread the crap out of it, and start on the next one!!!!!!!!!!!!
Here are the lamer signatures!
Don't be a dope, get high on cracking! - Jewels, '64
Cracking is good for you! - The Replicants/Union Demo, ST
I agree - You, Amiga
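The 'file info' table above, and the "get start block, end block" step from article 3, done in Python as an added example (not code from the posts). It mirrors the indexing the original loader does (add.w d0,d0 twice, lea data,a1, add.w d0,a1), rips each file out of a raw image by block range, names it $0000, $0001, … the way the post describes, and computes the slot the standard AmigaDOS OFS/FFS directory hash would put that name in. Assumptions not stated on the page: a 'block' is one 512-byte sector of a plain raw image, the table lives in the main program image at a known address, and the end block of the start/end format is inclusive (file 2 above starts right after file 1 ends, at $107). The sample table reuses the three entries quoted above; the disk contents are constructed.

```python
"""Pick up the game's own file-info table and turn it into $000n files."""
import struct

BLOCK = 512                  # assumed size of one 'block' in the loader's units
START_END = "start_end"      # entry = start block, end block (inclusive)
START_LEN = "start_len"      # the other common format: start block, length


def fileinfo_entry(mem: bytes, table: int, d0: int, fmt: str = START_END):
    """Same arithmetic as the original: d0*4 (two add.w d0,d0), then table + d0.
    Returns (start block, number of blocks)."""
    a1 = table + d0 * 4
    first, second = struct.unpack_from(">HH", mem, a1)
    if fmt == START_END:
        return first, second - first + 1
    return first, second


def rip_file(disk: bytes, start: int, nblocks: int) -> bytes:
    """What running the original loader for that entry would put in memory."""
    return disk[start * BLOCK:(start + nblocks) * BLOCK]


def crack_filename(d0: int) -> str:
    """The name the replacement file-loader builds from d0: '$0001' for file 1."""
    return "$%04X" % d0


def dos_hash(name: str, block_size: int = 512) -> int:
    """AmigaDOS directory hash: which hash-table slot of the directory block
    the name sits in (72 slots for 512-byte blocks)."""
    h = len(name)
    for c in name.upper():
        h = (h * 13 + ord(c)) & 0x7FF
    return h % (block_size // 4 - 56)


def rip_all(mem: bytes, table: int, count: int, disk: bytes, fmt: str = START_END):
    """Collect every file the table describes, keyed by its crack file name."""
    out = {}
    for d0 in range(count):
        start, n = fileinfo_entry(mem, table, d0, fmt)
        out[crack_filename(d0)] = rip_file(disk, start, n)
    return out


# --- constructed sample: the three entries quoted in the post ---------------
TABLE_ADDR = 0x1200
SAMPLE_ENTRIES = [(0x0016, 0x009F), (0x0100, 0x0106), (0x0107, 0x0110)]


def make_sample():
    """A fake main-program image holding the table, and a raw disk image with
    file i filled with the byte 'A' + i over exactly its block range."""
    mem = bytearray(0x2000)
    for i, (s, e) in enumerate(SAMPLE_ENTRIES):
        struct.pack_into(">HH", mem, TABLE_ADDR + i * 4, s, e)
    disk = bytearray(0x120 * BLOCK)
    for i, (s, e) in enumerate(SAMPLE_ENTRIES):
        disk[s * BLOCK:(e + 1) * BLOCK] = bytes([0x41 + i]) * ((e - s + 1) * BLOCK)
    return bytes(mem), bytes(disk)


if __name__ == "__main__":
    mem, disk = make_sample()
    for name, data in rip_all(mem, TABLE_ADDR, len(SAMPLE_ENTRIES), disk).items():
        print(name, len(data), "bytes, dir slot", dos_hash(name))
```

Pick the table format by checking the entries against each other before ripping anything: in the start/end form each entry's second word is at least its first and the next file starts after it, whereas in the start/length form the second word is usually small and unrelated to the next entry. Getting this wrong yields files that are one block short, which is exactly the kind of latent bug article 1 warns about.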