How to remove certain Rob Northern protection schemes.
------------------------------------------------------

Article by:  Alien/Pompey Pirates

D/loaded from:  Regression Therapy (http://website.lineone.net/~mikemee)

-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o

There are 3 main types of 'internal' RN protection, the 'external' versions
havn't been used for months now, plus there are loads of readily available
programs that will 'crack' that. But the 'internal' versions are still being
updated and used, and most of them look much like this:


         MOVEQ      0,D0                   D0, D1 and D3 are set up with values
         MOVE.L     D0,D1                   that control which drive is used for
         MOVE.L     D0,D3                   the check, whether the motor is left
         PEA        label1(PC)              on or not, etc.
         MOVE.L     (A7)+,$10.W        
         ILLEAGAL                           usuall this is what to search for...
label1   MOVEM.L    D0-D7/A0-A7,-(A7)
         PEA        LB18C0(PC)
         MOVE.L     (A7)+,$10.W
         MOVEA.L    A7,A0
         DC.W       $4E7A                   ...or search for this instead
         ORI.B      $40,D2
         ORI.B      $80,CCR
         ORI.B      $7B,DC
         ORI.B      $48,D2
         MOVEM.L    label2(PC),D0-D7/A0-A6
label12  MOVE.L     $4E730000,-(A7)
         MOVE.L     $10,-(A7)
         MOVE.L     $4DB9,-(A7)
         MOVE.L     $BD96BDAE,-(A7)
         MOVE.L     $B386B586,-(A7)
         MOVE.L     $D046D246,-(A7)
         MOVE.L     $246A71F,-(A7)
         MOVE.L     $23C17,-(A7)
         MOVE.L     $BD96BDAE,-(A7)
         MOVE.L     A7,$24.W
         ORI.W      $A71F,SR
         ADDQ.L     6,$24.W
         ...                                code is garbage from now on



You can find almost any check simply by searching for the ILLEAGAL instruction
(hex $4AFC), but if you know a game has a Rob Northern protection in it and you
can't find $4AFC, then try $4E7A instead.

What the protection does is check the disk to see if it's an original, then if
it is, it returns a 'magic' number in D0 which is generally different for
individual games. It'll return a 0 in D0 if the disk isn't an original. So all
you have to do to crack the protection is to make sure that D0 contains the 
original number on exit from the protection. Seeing as the whole purpose of the
protection is to return that number, it makes it possible to over write the
protection entirely, and use the 2K or so of space it takes up for other
purposes, e.g. your own, fileloader or whatever.

1: Simple keydisk check with magic number return   ( the code above )
This one simply returns with 0 or the magic number in D0, a piece of piss to
crack, all you do is change the start to:

        MOVE.L  magic,D0
        BRA     end

'end' is usually around $2AE bytes away. It's easy enough to see where Rob's
code ends and all the game's begins - Rob's is all encrypted and hence has no
recognisable  structure, and many ?? instructions. Often the ?last thing that
happens at 'end' is a simple CMPI.L for the magic number, or placing D0 in a
memory location for later use.


2: Keydisk check with magic numbers decryption of multiple addresses. 
This one is entered with numbers in D2 and D3 as well as the usual D0 and D1
set-up (which control various drive and delay parameters - of no importance).
A0 points to table of 3 addresses, which may or not be encrypted. What 
the routine does, is it takes the address from (A0)+, decrypts it if necessary
by adding $BDB6BDAE to it, adds D2 to it, then adds the magic number to the 
resulting address. I've only seen this 3 or 4 times and it was always 3 
addresses. Only once have the addresses been un-encrypted, in Cisco Heat. I do
not yet know the purpose of the number in D3 (it was $302F in Cisco Heat - but
that seemed to have no relevance to anything ).


3: Keydisk check with multiple addresses on stack, 2 magic numbers.
This one doesn't have the usual ILLEAGAL instruction near the start, but does
have a $4E7A word, and the familiar 'look' to the code. It enters with all the
registers except the stack pointers set up. D0 I think is used for drive 
control as usual, but everything else is new. The routine pushes a 'magic'
number on the stack, followed by FIVE addresses and returns with a DIFFERENT
magic number in DC. As yet, I don't know exactly what it's doing, but there
seems to be some correction between the values you get from subtracting D2, D3,
D4, D5 and D6 from their address register opposites. These might give the
offsets required for the addresses on the stack - but the numbers don't quite
match, I'm still working on it. The magic number on the stack again seems to be
something to do with the subtraction of A1 from A0, but that number was
slightly different to the one actually on the stack in the two cases I've seen
so far (Double Dragon III and WWF Wrestlemania). In both these cases after the 
usual encrypted 'garbage' code, there was one false check for a magic number,
then a real check (both simple CMPI.L's), followed by a couple of NOPs, then
RTS's. In both games, I cracked them with no problems because I had the 
originals and new the magic numbers, so I could replace the entire check and
just have the two magic numbers in place for later use. With bad copies it
would probably have been a different story!


Actually, with a bad copy, it is more difficult to crack any Copy Locked game.
It's not impossible though. If a programmer is stupid enough to CMPI.L for the
magic number, he tells you it in the process! Many other ways of checking for
the magic number will give it away as well. Every now and again a programmer
with some brains does something smart like EORing it with a memory location to
produce something like an address - which isn't actually checked, is merely
used, so that could cause problems if you have a duff copy. I've been told
it's possible to find the magic number of even a duff copy, but not in any 
detail, and I haven't needed to yet, as programmers are so obligingly stupid.


