an unpublished tip for pyradev users

Started by gef, 04:12, 03 April 10


Johnny Olsen

I started with a CPC 464 and a disassembler typed in from Computing with the Amstrad.
Then I got a CPC 6128 and a Rombo rombox with Maxam and Utopia.

I know of the trick with the bank switch, but I found it quite challenging to go through the code.
The Appleby and some of the later Speedlock protections use a lot of XORs to hide the loader.

Let us try to hack the "Solomon's Key" disc loader, which uses the Appleby protection.

The first thing we have to do is find out the load address, length and entry address of the game loader;
here we use Utopia's |info command to read the header.

|info for DISK.BIN gives &81EB - &7A5 - &81EB.

Then, using Utopia's |load command, we can load DISK.BIN to &81EB and to &61EB.
Now we have the loader twice in RAM.

We have to move the first XOR code (start &81FC - end &8213) to &71FC.

81FC: ld bc,&077d    ; byte count
81FF: ld hl,&8213    ; first byte to decode
8202: ld d,&67       ; initial XOR value
8204: im 1
8206: ld a,&69
8208: ld r,a         ; set the refresh register
820A: ld a,(hl)
820B: xor d          ; a = (hl) XOR previous decoded byte
820C: ld d,a         ; the decoded byte becomes the key for the next one
820D: ld (hl),a      ; write it back in place
820E: inc hl
820F: dec bc
8210: ld a,b
8211: or c
8212: jr nz,&81a5    ; loop until bc = 0

We see that HL points to &8213 as the first byte to XOR, so we have to change
jr nz,&81a5 to jr nz,&810a.

Now we will run this piece of code at &71FC, and it will decode the next XOR code from &8214 onward.
This XOR code we will move to &7214 and then adjust the code so it can be run from there.
That was two loops.

Now we have to move the loader from &61EB to &81EB and run the two XOR codes from &71FC.

We don't have to worry about the R register, because we start from scratch every time.

Now we have a decoded loader. The next step is to find out how the loader works.

That was as far as I had got, and I was about to write a program to do the job when Phil Howard (remember him? Where is he?)
came up with one in AA 33. I modified his program so I could use it on hacked loaders.

I still have the source code.

I have just tried it with WinAPE.

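The decode loop in the listing can just as well be run offline instead of in CPC RAM. The Python below is an added example, not code from Johnny Olsen's post or from Utopia, Maxam or Phil Howard's AA 33 program: it emulates the chained-XOR loop with the count, start address and seed read from the listing, checks that the first loop decodes exactly to the end of DISK.BIN (&8213 + &077D = &81EB + &07A5 = &8990), and applies a list of decoder stages in order, the way the two XOR codes are run one after the other from &71FC. The sample file it decodes is constructed inline and is not a dump of Solomon's Key; the function names are my own.

```python
# Added example (not from the original post): offline re-implementation of the
# Appleby-style chained-XOR decode loop. Addresses, count and seed come from the
# disassembly listing; the sample file below is constructed, not a real DISK.BIN.

LOAD_ADDR = 0x81EB   # load address from Utopia's |info
FILE_LEN  = 0x07A5   # length from |info
DATA_ADDR = 0x8213   # HL: first byte the loop XORs
COUNT     = 0x077D   # BC: number of bytes
SEED      = 0x67     # D: initial chaining value


def xor_chain_decode(buf: bytes, start: int, count: int, seed: int) -> bytes:
    """Emulate the loop: a = (hl) ^ d; d = a; (hl) = a; inc hl; repeat while bc != 0.
    Each decoded byte becomes the key for the next one (im 1 and ld r,a play no
    part in the XOR and are left out)."""
    out = bytearray(buf)
    d = seed
    for i in range(start, start + count):
        out[i] ^= d
        d = out[i]
    return bytes(out)


def xor_chain_encode(plain: bytes, start: int, count: int, seed: int) -> bytes:
    """Inverse transform (constructed here only to build test data):
    c[i] = p[i] ^ p[i-1], with p[start-1] taken as the seed."""
    out = bytearray(plain)
    prev = seed
    for i in range(start, start + count):
        out[i] = plain[i] ^ prev
        prev = plain[i]
    return bytes(out)


def decode_stage(image: bytes, load_addr: int, data_addr: int, count: int, seed: int) -> bytes:
    """Apply one decoder loop to a file image loaded at load_addr.
    Rejects ranges that would run outside the file; the real loop at &71FC has
    no such guard and simply marches on through whatever follows in RAM."""
    off = data_addr - load_addr
    if off < 0 or off + count > len(image):
        raise ValueError(f"range &{data_addr:04X}+&{count:04X} lies outside the file")
    return xor_chain_decode(image, off, count, seed)


def decode_loader(image: bytes, stages, load_addr: int = LOAD_ADDR) -> bytes:
    """Run decoder stages in order, like running the two XOR codes from &71FC
    one after the other. `stages` is a list of (data_addr, count, seed); the
    post gives only the first stage, the second one's values have to be read
    out of the decoded bytes after stage one has run."""
    for data_addr, count, seed in stages:
        image = decode_stage(image, load_addr, data_addr, count, seed)
    return image


def first_stage_covers_file(load_addr: int = LOAD_ADDR, file_len: int = FILE_LEN,
                            data_addr: int = DATA_ADDR, count: int = COUNT) -> bool:
    """Sanity check on the header numbers: the first loop should decode exactly
    to the end of DISK.BIN, i.e. &8213 + &077D == &81EB + &07A5."""
    return data_addr + count == load_addr + file_len


def build_sample():
    """Constructed stand-in for DISK.BIN: a 0x28-byte stub (the part from &81EB
    up to &8212) followed by 0x77D bytes of recognisable 'plaintext', then
    XOR-encoded with the same chain the loader uses."""
    stub = bytes(range(DATA_ADDR - LOAD_ADDR))
    payload = bytes((i * 7 + 3) & 0xFF for i in range(COUNT))
    plain = stub + payload
    assert len(plain) == FILE_LEN
    return plain, xor_chain_encode(plain, DATA_ADDR - LOAD_ADDR, COUNT, SEED)


if __name__ == "__main__":
    plain, encoded = build_sample()
    decoded = decode_loader(encoded, [(DATA_ADDR, COUNT, SEED)])
    print("header numbers consistent:", first_stage_covers_file())
    print("round trip ok:", decoded == plain)
```

The second stage is deliberately left out of the stage list: the post only says it starts at &8214, and its count and seed can only be read out once stage one has been run over the file, after which it is added as another (data_addr, count, seed) tuple.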

Quote from: Johnny Olsen on 02:52, 08 April 10
That was as far as I had got, and I was about to write a program to do the job when Phil Howard (remember him? Where is he?)

That was an interesting example of cracking a loader.

I too remember Phil Howard and wonder what happened to him. Maybe it was a pseudonym?
