D-Bug & Automation Forum
http://d-bug.mooo.com/dbugforums/cgi-bin/yabb2/YaBB.pl?num=1172673889 Message started by Shw on 28.02.07 at 14:44:48
Title: Introduction to ST Hacking By Hank/Automation PT 4 Post by Shw on 28.02.07 at 14:48:54
;Rob Northern Protection(internal)
;This one is probably the hardest of the three.
;ROB    MOVEQ   #0,D0
;       MOVEQ   #0,D1
;       PEA     L12345(PC)
;       MOVE.L  #$50004,-(SP)
;       TRAP    #13
;       ADDQ.W  #8,SP
;L12345 MOVE.L  (SP)+,$10.W
;       ILLEGAL
;       DC.W    $2345
;       AND.W   #$F8,SR
;       CLR.L   $24.W
;       MOVE.L  #43245365363,-(SP)
;       MOVE.L  #88745222435,-(SP)
;       MOVE.L  #47788679999,-(SP)
;       MOVE.L  #43245365363,-(SP)
;       MOVE.L  #4324536536,-(SP)
;
;There would be about 2.5kb of data between the above and below
;parts of code, I have done this to simplify the example.
;
;       DC.W    $FEFE
;       AND.W   $FFFFFF8913.W,D5
;       RTE
;These following examples are what may be carried at the bottom of
;a RNC protection
;1      CMP.L   #$42425673,D0
;       BNE     $34566
;The above line (BNE) would be replaced by a $4E71 (NOP)
;If it should read (BEQ) this would be changed to a (BRA)
;$6000
;2      MOVE.L  D0,ADDR
;These become more complicated as the address D0 is placed
;in can be checked at any time.
;To get round this you must do a string search* on the address
;that D0 is placed in to find the serial number of the disk.
;Once you have done that you must force the serial no. into
;D0 yourself then modify the protection.
;To find a Rob Northern do a string search* on $4AFC(ILLEGAL)
;*see section on monst2 for string search
;i.e.
;ROB    MOVEQ   #0,D0
;       MOVEQ   #0,D1
;       MOVE.L  #$42425675,D0
;       MOVE.L  D0,$24.W
;       BRA     $888            ;jump over protection
;L12345 MOVE.L  (SP)+,$10.W
;       ILLEGAL
;       DC.W    $2345
;       AND.W   #$F8,SR
;       CLR.L   $24.W
;       MOVE.L  #43245365363,-(SP)
;       MOVE.L  #88745222435,-(SP)
;       MOVE.L  #47788679999,-(SP)
;       MOVE.L  #43245365363,-(SP)
;       MOVE.L  #4324536536,-(SP)
;
;There would be about 2.5kb of data between the above and below
;parts of code, I have done this to simplify the example.
;
;       DC.W    $FEFE
;       AND.W   $FFFFFF8913.W,D5
;       RTE
;The modified version should look something like the above.
;When you have poked the serial number into D0
;you must then jump over the protection to where the code
;checks or pokes D0 into an address
;the opcode for this is;
;12345678 is for my example only
;       move.l  #$12345678,d0
;       move.l  d0,$24.w
;       bra     coderestart
;       $203c12345678   ;move.l #serialno,d0
;       $21c00024       ;move.l d0,$24.w
;       $60000888       ;bra coderestart
;There are examples of all these protections for you to crack.
;They are all executable files that will crash - it's up to
;you to get them to work. The screen will turn red if they fail
;and green if you manage to crack them.
;filenames
;GREMLIN.PRG    ;Gremlin Graphics Protection
;PROT.PRG       ;Protoscan II Protection
;RNC.PRG        ;Rob Northern Protection
;Rob Northern Protection (external)
;This one is a real pig for beginners.
;To look at it looks like the internal version except the
;whole file is encrypted.
;Leave this one alone for the time being.
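The hex words quoted in the post above ($203c12345678, $21c00024, $60000888, $4E71, $4AFC) can be checked against their mnemonics with a small decoder. This is an added example, not part of the original post; the names decode, CC, FIXED and PATCH are chosen here, and only the opcode forms the post quotes are recognised.

```python
import struct

# Condition field (bits 11-8) of the 68000 Bcc/BRA/BSR opcode word.
CC = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
      "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]
FIXED = {0x4E71: "NOP", 0x4AFC: "ILLEGAL", 0x4E73: "RTE"}

def decode(code, base=0):
    """Return (address, text) pairs for big-endian 68000 code bytes.

    Only the opcode forms quoted in the post are recognised; any other
    word, or one whose operand is cut off, is emitted as DC.W.
    """
    out, pc = [], 0
    while pc + 2 <= len(code):
        (w,) = struct.unpack_from(">H", code, pc)
        addr, size, text = base + pc, 2, FIXED.get(w, f"DC.W ${w:04X}")
        try:
            if (w & 0xF1FF) == 0x203C:            # MOVE.L #imm32,Dn
                (imm,) = struct.unpack_from(">I", code, pc + 2)
                text, size = f"MOVE.L #${imm:08X},D{(w >> 9) & 7}", 6
            elif (w & 0xFFF8) == 0x21C0:          # MOVE.L Dn,abs.W
                (absw,) = struct.unpack_from(">H", code, pc + 2)
                text, size = f"MOVE.L D{w & 7},${absw:04X}.W", 4
            elif (w & 0xF000) == 0x6000:          # BRA / BSR / Bcc
                disp = w & 0xFF
                if disp == 0:                     # 16-bit displacement follows
                    (disp,) = struct.unpack_from(">h", code, pc + 2)
                    size = 4
                elif disp >= 0x80:                # sign-extend 8-bit displacement
                    disp -= 0x100
                # Target is relative to the address after the opcode word.
                text = f"{CC[(w >> 8) & 0xF]} ${(addr + 2 + disp) & 0xFFFFFF:X}"
        except struct.error:
            size = 2                              # truncated operand: keep as DC.W
        out.append((addr, text))
        pc += size
    return out

# The three hex strings listed in the post, concatenated.
PATCH = bytes.fromhex("203C12345678" "21C00024" "60000888")

if __name__ == "__main__":
    for addr, text in decode(PATCH):
        print(f"{addr:06X}  {text}")
```

The branch target is printed as an absolute address, so with base=0 the $0888 displacement in $60000888 resolves to the BRA's own address plus 2 plus $888.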