Diaperboy Posted November 25, 2016 Share Posted November 25, 2016 Bruce Lee 1984 Datasoft. Cracking this title was quite a challenge for me. I was rather surprised at just how robust the copy protection on this disk was. The main thing that threw a monkey wrench into my plans was the encryption on this disk. It was a strange sort that I’ve never dealt with before. I was never REALLY able to figure it out, but I could modify a few bytes by brute force. The only problem with that attack is that if you modify 1 character, it changes the way the next couple of characters decrypt. The code almost seems to “unravel” like pulling a loose string on a sweater. The second problem with this disk is that some of the sectors seemed to be “double encrypted”. The “double encrypted” section required me to brute force the modifications TWICE! Using Altirra emulator, I used breakpoints to brute force the code AFTER the 1st decryption but BEFORE the 2nd decryption. Once I figured out the 2nd layer encrypted code, I changed the breakpoints so I could brute force the 1st layer encrypted code so it would decrypt to match the 2nd layer encrypted code. All this so the protection routine can do its double decryption with my modifications (and all other code) intact. I actually decrypted the first 3 disk sectors and left them that way, but I didn’t want to do that to the rest of the disk. I wanted the crack to be able to fit into a Chipmunk Plus! patch. The copy protection also checks its own data, in memory and by reading the first 3 sectors a second time to verify the data. This posed a problem, as my decryption and my modifications would be detected. I got around this by storing untouched sector images of the first 3 sectors on sectors 4-6. The copy protection routine now reads the untouched images for data verification. Anyway…here is an .atx copy (with copy protection intact) and an .atr copy (cracked) of Bruce Lee. This also contains my notes if anybody is interested. This crack will also be released on my next update of Chipmunk Plus! Bruce Lee.zip 4 Quote Link to comment Share on other sites More sharing options...
+DjayBee Posted November 26, 2016 Share Posted November 26, 2016 Nice work. I actually decrypted the first 3 disk sectors and left them that way, No need to do this and to disabled the decryption. Only the first some 16 bytes of sector 3 are actually encrypted and verified in memory. So you can hook up yourself there and work with live-patching the needed code. You only need to add one filler-byte to get the correct 1-byte sector checksum which is indeed verified. original end of decryption: 0834: 4C 12 07 JMP $0712 replacement: 0834: A9 08 LDA #$08 # original code runs to here 0836: 8D E5 07 STA $07E5 # JSR DSKINV => reroute to own code @$0853 0839: A9 7B LDA #$7B 083B: 8D BC 07 STA $07BC # JMP $0880 => reroute to own code @$087B 083E: 4C 12 07 JMP $0712 # original code from $834 4 Quote Link to comment Share on other sites More sharing options...
lotek_style Posted November 26, 2016 Share Posted November 26, 2016 DjayBee: You're a member of CSS? Quote Link to comment Share on other sites More sharing options...
Heaven/TQA Posted November 26, 2016 Share Posted November 26, 2016 The legendary CSS? Quote Link to comment Share on other sites More sharing options...
+DjayBee Posted November 26, 2016 Share Posted November 26, 2016 The legendary CSS? LOL - yes. 2 Quote Link to comment Share on other sites More sharing options...
lotek_style Posted November 26, 2016 Share Posted November 26, 2016 I guess we gotta talk Please check this: https://demozoo.org/groups/31474/ Quote Link to comment Share on other sites More sharing options...
Like us on Facebook
Follow us on Twitter
AtariAge on Instagram
Watch us on YouTube
Chat on Discord
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.