ThunderBlade

Hits: 1465

Nice quick and easy MFM crack

More
Tags
Category: TutorialsAmigaCrackingMFM
Author: aLpHa oNe
Submitted by: aLpHa oNe
Date: 2004-11-20 20:26
No tags

* Thunderblade (c) 1989 SEGA *

Requirements

1. AMiGA or WINUAE (Configuration: 2MB CHIP, 2MB FAST)
2. ACTION REPLAY freezer (or ROM Image)
3. Original Game or CAPS-Image
4. Assembler (ASM-One / Trash-M One / Seka or similar)


First of all, let?s check the kind of protection...

Let?s go on and rip the stuff off! This tutorial is a quickie so we will not care about the bootblock today (which is encrypted) ... the bootcode is loading up a small part that shows the "SEGA" logo and that loads up the mainfile (also encrypted) to $40000. But before we start with grabbing this mainfile we will rip the whole tracks in one turn...
Insert Gamedisk and boot it up until the "Thunderblade" Logo and the "Press fire to start loading" text appears...

Now enter AR and type in the stuff shown in the picture below:

Little explanation!
The trackloader of the game begins at adress: $AAFE and takes the following parameters:
D0 = Byteposition on disk
D1 = Bytes to read
A0 = Loadadress
So we just set a breakpoint using bs to this adress to change the loader parameters before the loading routine is called... Exit AR and continue the game with a click on your firebutton! :-) The AR will appear again, tellin? us that adress $AAFE is the next one to be executed! Use R to get an overview of the register values and then change them a little so that we can save out the whole disk. We put the following values into the neccessary registers D0/D1/A0:
D0 = 0
D1 = !1000000 (one mb should be enough I guess)
A0 = $80000 (our new loadadress)
Now if you?ve done that just exit AR and let the gameloader do it?s work... Now after some time the gameloader stops tracking (around cylinder 67 if usin? WinUAE) so the gamedisk is not full at all. Let?s have a look at our loadadress $80000 to see if something has happened...

Well nice, as you may have recognized, Diskposition 0 does not mean "real" Diskposition 0 on gamedisk... Before the gameloader is called there is a seperate routine which steps somewhere onto cylinder 7 before beginning to read so we will have to think of this later on before calling our own trackloader... if we will store these informations on our crackdisk e.g. at byteoffset $10000 we will have to add those $10000 bytes to D0 before calling our trackloader so that it reads in the correct data!
Okay, let?s see how many bytes we?ll have to save, beginning to search from adress $80000...

After some boring memory views we will come to the conclusion that adress $12AE70 is the end of data.
Let?s save the stuff onto a fresh formatted disk, type in: sm tracks, 80000 12AE70. Wow, this was fast action. Now let?s finally rip off the gameloader so that we can continue with writing the new diskimage.
Reboot and insert your Original Gamedisk again... After the first "SEGA" Logo has faded black and game continues tracking, enter AR and make the following patch:

This is the part that copies the main gameloader (which the game is tracking to $40000 at the moment) down to adress $800 and then executes it with a jump to $820. As we can see it copies $3A98 longwords so the gameloader has a size of $3A98*4=$EA60 (!60000) bytes. We will insert a bra $390 to adress $390 so that the processor loops instead of doing the copyjob. Now exit AR again and wait until tracking has finished and the game is hanging in our loop.
Enter AR again and take a closer look at the PC register, using R first... is doesn?t really hang at adress $390 as we can see but at $7FA2C?!
After disassembling that adress we can see that the game has just moved code to another location so this is still our loop that we?ve inserted at $390 before.
Let?s view $40000 to see if mainfile has really been loaded up.

Okay, nice... let?s write it to our savedisk using sm 800, 40000 4EA60.
I?ve named the file 800 so that we do NOT forget to put this loader to $800 lateron.
Well, you could throw your original disk through an open window now, we won?t need it again! ;-)

Let?s continue with writing the diskimage now... Boot up your favourite Assembler, hopefully ASM-One, reserve about 900 kb chipmem and type or paste in the following sourcecode which follows below the picture...
Our diskimage will contain a bootblock that ?tracks? in the original loader extended by our new loader to adress $40000. So the size of the loader increased from !60000 to !60448 bytes. Then our bootcode kills the interrupts and copies the original loader from $40000 down to the correct memory position $800 and the extended bytes (our new loader) to memory position $500! So before writing the tracks to our crackdisk we will have to execute the three instructions that are located in front of the diskimage coz they will place an "JMP $500 into the original loadercode.



MOVE.W #$4EF9,LOADER+$AAFE-$800 ; these 2 instructions are movin? a "jmp $500" into
MOVE.L #$500,LOADER+$AAFE-$800+2 ; the beginning of the original loader
RTS

; BOOTBLOCK, DISKPOS $0 - $400 *

BOOT:
DC.B "DOS",0
DC.L 0
DC.L 0
LEA CODE(PC),A0 ; copies our bootcode to $75000!
LEA $75000,A2
MOVE.L #(BOOTENDE-CODE)-1,D0
COPYCODE:
MOVE.B (A0)+,(A2)+
DBF D0,COPYCODE
JMP $75000
CODE:
MOVE.W #$02,$1C(A1) ; use trackdisk-device to ?track? in the loader to $40000
MOVE.L #$EE00,$24(A1)
MOVE.L #$40000,$28(A1)
MOVE.L #$400,$2C(A1)
JSR -$1C8(A6)
MOVE.W #$7FFF,$DFF096 ; kill dma and interrupts
MOVE.W #$7FFF,$DFF09A
MOVE.W #$0,$DFF180
LEA $40000,A0 ; copy original loader from $40000 to $800 ...
LEA $800,A1
MOVE.L #60000-1,D0
COPYLOADER:
MOVE.B (A0)+,(A1)+
DBF D0,COPYLOADER
MOVE.L #448-1,D0 ; ... and our new loader to $500 !
LEA $500,A1
COPYLOADER2:
MOVE.B (A0)+,(A1)+
DBF D0,COPYLOADER2
MOVE.L #$820,$80.W ; start code execution at $820
TRAP #0
BOOTENDE:
BLK.B 1024-(BOOTENDE-BOOT),0

; LOADER, DISKPOS $400 - $F200

LOADER:
INCBIN "ALPHA:THUNDERBLADE/800"
MOVE.L D0,-(A7)
ADD.L #$F200,D0 ; gamedata starts at $F200 on our crackdisk
MOVE.L D0,D2
MOVE.L D1,D0 ; ?bytes to read? into d0
MOVEQ #0,D1
DIVS.W #$1600,D2 ; calculate correct tracknumber
MOVE.W D2,D1 ; moves ?tracknumber?to d1
CLR.W D2
SWAP D2 ; d2 = byteoffset on track
LEA $C800,A2 ; game uses $C800 as mfm loadadress, so we do...
LEA $DFF000,A6
BSR.W TRACKLOADER ; call our trackloader
MOVE.L (A7)+,D0
RTS
TRACKLOADER:
; D0=Bytesize, D1=Trackno, D2=Byteofs, A0=Loadadr, A2=MFM-Adr
INCBIN "ALPHA:TRACKLOADERS/TRACKLOADER.BIN"
BLK.B 480,0 ; just to make the upcoming gamedatas begin on an even track

; GAMEDATA, DISKPOS $F200 - $BBFA0

DATA:
INCBIN "ALPHA:THUNDERBLADE/TRACKS"


The sourcecode & the binary of the trackloader used in this and probably the upcoming tutorials from me can be downloaded at the top of this page
Now before you go on don?t forget to activate the option shown in the picture below coz otherwise ASM-One will not be able to assemble our code (it?s the same in all my other tutorials, sorry that I forgot to mention that!)...

But now... Assemble the stuff using A and execute the (code) with J. Now that the loader is patched in memory let?s write the tracks back onto a new disk. Type in: WT and save the tracks beginning in memory from label BOOT, writing the tracks 0 up to 137. Finally calculate the new bootblock checksum with CC.

Reboot your machine now and have a play... we?ve just cracked another goodie!

Alpha One ?2004.
FileDownload: ThunderBlade
Filesize: 0KB, downloaded 97 times
Powered by the best online Amiga mod player: FLOD


Some more you may like:

None


Comments

Leave a Comment!

Name:
: Use this calculator
Your comment will be available for editing for 10 minutes
2015-07-08 11:52
Avatar

1. MrSega writes

Hi A1, Just a quick question, wondering how you discovered the trackloader of the game begins at address: $AAFE ?? Also how comes we dont rip/load the the sega logo part of original? Cheers M
reply
Reply to comment #1
2015-07-08 12:18

2. aLpHa oNe writes

The tutorial is 10 years old, don't know what I did back then. Surely the same thing as always, break while the game is tracking and trace through the loadercode to obtain the start.
reply
2015-07-08 12:42
Avatar

3. MRSEGA writes

Appreciate it is 10 years old. Guessing your not sure why you didnt rip/load the sega logo part of the original too? Thanks anyhow :)
reply