80's & Games
Javanoïd | Pang
Marilyn | Ban
Amiga Oldies
modules | Goodies
Gallery | Goodies
Sci-Fi | Fantasy
Thriller Polar
Divers | Doc

..= Cracking Tuto : simple copylock =..
by Heavy aka VrS!-Cybfree

Ruff'n Tumble/Renegade (1994)

 Amiga Tutos

I used original disk IPF #199 (2 disks), X-Copy, Action Replay and DevPac (or AsmOne)

Try the IPF disks. Non-Dos game, No passwords required.

First of all, make a copy of the first disk and boot it. The copy stop at the start and stay on a black screen.

A quick scan of the disk with X-Copy show you an error on track 0. Seems to be a disk based protection.
Take a look at the bootblock (sector 0 track 0) :
Bingo, it's a CopyLock ^^
The CopyLock is an encrypted trace-mode code. The files (datas and programs) are encrypted with the Copylock Keydisk computed by the copylock code.
More information and tools about CopyLock here.
Now, there are several ways to find and crack a copylock, depending of the difficulty of the copylock (number of keys, levels of encryption, PDOS format...). Here is a very simple one.
By disassembling the boot :

I loaded and disassembled the starter program (11 sectors from block 24):
I found the copylock routine by searching pea and/or illegal instructions. or follow the program.

moveq #0,d0
mobeq #1,d1
lea $110.w,a3
pea getvalue(pc) ; copylock : patch here
move.l (sp)+,$10
getvalue: ...

the keydisk is saved at $110.
just after copylock, the starter load main program at $804 and decode it with the key before start it :

move.l $110.w,d0 ; the copylock key
lea $804.w,a0
move.w #$e80,d7
move.l (a0),d1
eor.l d0,d1
move.l d1,(a0)+
rol.l #1,d0
dbf d7,.decrypt
jmp $804.w ; start main

To find the key value in this case, you don't need to remove TMV and decode the copylock routine.
Reboot, and with AR, stop when the Ruff picture appear.
Take a look at the address $110 in memory : m 110

here is the copylock code : $BED7B57D
now we have to patch the copylock code with the good key directly in the starter program or from the boot after loading and before start it.

patch after lea $110.w,a3 :

move.l #$BED7B57D,d0
move.l d0,(a3) ; put good key at 110
rts ; no more copylock test

You can directly modify the code under AR and rewrite the prog on the copy disk :
rt 2 1 70000 ; read the prog in memory
f 48 7a ; search for pea ### (copylock)
a 70b7c ; type the new code here
wt 2 1 70000 ; write the new cracked program

Watch the video of this method here on Youtube

or crack it from the bootblock with the patch :

loader: ; see below
lea patch(pc),a0
lea $77c(a3),a1 ; here is the copylock routine to patch
moveq #size-1,d7
move.b (a0)+,(a1)+
dbf d7,.copy
; original code
movea.l 8.l,a5
jmp (a3) ; start

move.l #$BED7B57D,d0
move.l d0,(a3) ; put good key at 110

we have just enough place in the boot to put a trainer (and even a little "textro" or other tiny code).

Reboot, test, and enjoy. Seems to work

Test the second disk to verify if another copylock exist.
If you have doubt about another copylock in main "crypted" program, put a breakpoint with AR at $804 to take a look at the decrypted code. Seems to be nothing more for this game.
we can see that the prog load a "directory" file with the informations of all the files of the game (sector position, len, num disk...) : great ;)

tested with the trainer by Gradius/Anthrox
The game work perfectly :

2008 (c) Heavy/VrS!/Cyb

Download :
- Cracked disk 1 + trainer (right mouse button at boot)
- sources of the original boot, patched boot and trainer in boot