EVERYTHING YOU EVER WANTED TO KNOW ABOUT CRACKING BUT WERE
AFRAID TO ASK IN CASE SOMEBODY SMASHED YOUR HEAD IN WITH A BLUNT
YET ANOTHER DOC BY THE ALIEN
Cool text written by ALIEN/POMPEY PIRATES, was ripped by DAD of IMPACT, 6/92.
God knows why I wrote this doc... maybe it's because I'm a really nice alien and I'm very generous. Or maybe I'm an egotistical sod who wants his name plastered over as many disks as possible... nah, it's neither of those. It's because I am PISSED OFF with people asking me "How do you crack games?"...
If you want to learn how to crack, do the following:
A> Learn 68000 machine code. I am not joking.
B> Buy 'Atari ST Internals' by Abacus. ISBN 0-916439-46-1
C> Search around for the various docs which deal with cracking. There are some very good ones about Copylock for instance, which many people have.
D> Buy DevPac 2. Yes, buy it. It's well worth the money and HiSoft deserve every penny for such a brilliant product. If you can't afford it, get a copy and buy it when you can afford it. It will be worth it for the manual and support from HiSoft.
E> Think up a pseudonym because nobody cracks with their real name!
Now, presuming you know 68000, have read Atari ST Internals at least fifteen thousand times and have some common sense, it's time to run over some of the most common protections...
Today I found what is possibly the most totally useless piece of so-called protection in the universe...
It is called HACKLOCK 1.0 and is used on Player Manager (and maybe some other games).
Actually, trying to TRACE your way through the code is very tricky, and if you let it copy on top of the exceptions you've had it.
So don't even try!
Find this piece of code... (in Player Manager it's at the start of the file called MAINFILE.PRG)
MOVE SR,-(A7) ; code after here may be different in some
... ; games if anyone else has used HACKLOCK
... ; in Player Manager it enters super mode
... ; with gemdos $20
Now simply TRACE past the bit where it saves the status register on the stack (the second instruction above). Now RUN the sucker, and it will decrypt the code, restore the status register (complete with TRACE bit intact) and drop straight back into MonST with a TRACE exception. God I'm just so brilliant...
And that is all there is to it. Save your decrypted file, thank HACKLOCK for all it's help, and piss yourself laughing at the worst piece of protection since Lenslok... and if you don't know what Lenslok is, consider yourself a lucky git... imagine a piece of clear plastic which decrypted some on-screen mixed-up letters/digits. Well, that's what it was meant to do, anyway... First piece of protection I ever cracked, was old Lenslok!
Possibly the most straight-forward piece of cracking you can do... Rob has used this protection on a LOT of games. It's so easy to crack that more than one group has produced utilities to automate the process.
All the versions of it do the same thing:
* Screws around with exceptions (especially TRACE and ILLEGAL)
* Checks disk with very little noise, and a pause
* Puts 'magic number' in D0 and at $24 (TRACE exception) if disk is original
Many programs then compare the magic number with D0 (so you can get the magic number without having the original!), or exclusive-or it with something to continue the code (as in Xenon II). It's always best to have the original disk so you can run the protection and find out the magic number.
How to run the protection? Easy. The only exception it trashes is TRACE so you can still use breakpoints. Position the PC at the start of the prot., breakpoint the bit where it checks for the magic no. afterwards and run!
The point at which the code continues after the protection is easily found as all the prot. is encrypted, the first piece of intelligible code just has to be the end of the protection! One exception to this rule is the version where the protection isn't as heavily encrypted and has some normal code near the end. This always ends with an RTE so watch out for it.
Now, to neutralise the protection, get your magic number, place it in D0 and at $24 and BRAnch past the prot. code to the normal code. Simple. If you can, get hold of the Medway Boys' Game cracker 3 to see how it does it- it can show you much better than I can by typing this out.
Much like the above, but has these differences:
* ALL of the game code is encrypted
* NO normal code that you can breakpoint to return to MonST
...so it's a bit of a bitch. I have yet to find a 100% surefire way of cracking this protection- every time I encounter it, I have to spend an hour or so on it, mucking about with various little progettes I have.
Aha... Rob's little loophole... he never touches the Alternate-Help vector ($502), but he does trash the TRACE vector ($24) so you cannot use Shift-Alternate-Help to break in to the code. So what I do is put a TRAP #10 at the address in $502, so pressing alternate and help gives an illegal TRAP within MonST, returning control to you.
Your problem is grabbing control at the right point- you want it just after the code has finished decrypting, and before it starts relocation (you know TOS does it all the time with PRG files). If you catch it any point afterthat, then the program is partially relocated/fully relocated and without a relocation table... which is bad news, and that's what generally takes up my time... writing little progs to un-relocate files!
Good luck with that protection... oh yeah, it's also often combined with internal checks so don't think you've finished when you've got past the external protection! Also, you ALWAYS need the original disk (or one with the same magic number...).
...is so ancient you'll never see on any new stuff! If you do feel like cracking some old stuff that is Copylocked, then there are no real guidelines-just take it slow, don't use breakpoints because the code is forever doing checksums on itself, and use RUN UNTIL for any loops (slow, but it will get there eventually.). The hidden .PRO file in the AUTO folder is the real loader encrypted, which is decrypted by the PRG file.
That's probably not it's real name... I call it that because it must have been written by a retard as it makes no attempt to hide itself or stop you hacking it. I have strong suspicions that it is a Rob Northen attempt!
* Instruction sequence that has ST $43E followed by a load of
BSRs and then an SF $43E just before the end.
* Bloody horrible noise from the drive!
You DO NOT need my help with this protection! It is VERY EASY to crack and whenever we (The Pompey Pirates) find a game using it, it is normally done in about five seconds and on a menu an hour later (packing time!)...
There are some different versions of this protection where the $43E bits are different but as a rule, it conforms to the above. I have noticed some more little modifications lately but these are also blindingly obvious... Ninja Warriors uses it and rewrites two bytes of the game code if the protection check was successful. Watch out for that sort of thing and you will have no trouble.
...and you're no good if you can't stop the check entirely! Bloody nasty noises from the drive do not make good listening!
Yeah, that's it because:
A> I'm knackered (it is now 5:09 AM, I've been hacking all
night and there's another sodding storm going on outside!).
B> I can't remember any other protections... none that are used in more than one game, anyway.