Turrican III


MFM 2 DOS

Author: aLpHa oNe
Submitted by: aLpHa oNe
Date: 2004-11-25 22:14

* Turrican III (c) 1993 Rainbow Arts*

Requirements

1. AMiGA or WINUAE (Configuration: 2MB CHIP, 2MB FAST)
2. ACTION REPLAY freezer (or ROM Image)
3. Original Game or CAPS-Image
4. Assembler (ASM-One / Trash-M One / Seka or similar)


Guess what, Protection-Check...
001.png
Let's begin with something familiar... Enter AR and read in the only DOS-readable track 1 to check what's going on in the bootcode. Type in: rt 0 1 $50000 and disassemble some lines using d $5000c!
2.gif
The first interesting thing appears here... $1200 bytes of data are loaded to address $58000 using the trackdisk.device. This is part of the fading "Rainbow Arts" logo, so let's remember to rip this memory area during the next steps of the crack. Let's disassemble some more lines...
3.gif
Well, it seems there is a little trackloader hidden in the bootcode that loads $1800 bytes of data to address $7E800, followed by a jump to $7E800. This is probably... no... this IS the main loader of the game. So, as always, we replace the jump with a branch loop to get at the data that is loaded to $58000 and $7E800. :-)
This should be nothing new to you, so proceed as shown in the picture above, reset your machine and boot up the game...
When the black screen appears the processor is havin' a branch party, so we can enter AR to save out some important stuff.
Let's have a closer look at the addresses $58000 and $7E800.
4.gif
Everything seems to be loaded, so let's write it to our save disk. The data at $58000 is $1200 bytes long and the data at $7E800 is $1800 bytes (we know this from the bootcode), so insert a freshly formatted disk and follow the instructions shown in the picture above.
Now it's time to tell you some facts about the main trackloading routine of this nice game:
The trackloader is stored at $7F020, works with a filetable located at $7FCBA and is called with a filetable entry number in D0. This value is then multiplied by !16 with an asl.l #4,d0, so each entry of the filetable is !16 bytes long. Perhaps I should tell you something 'bout the values in this table, so let's have a quick look at it.
5.gif

Offset:
$0.b = Useless
$1.b = Cylinder number
$2.b = Track 0 or 1 on cylinder
$3.b = Dunno, perhaps sector offset on track or something
$4.l = File load address
$8.l = Bytes to read
$C.l = Interesting thing: if you have a memory expansion, the game allocates high mem and loads the data to that address instead of the one at offset $4.l in the table. The new load address is stored here, and the bytes are then copied down to the correct address from offset $4.l! The game checks this value later on: if it's not zero, it just copies the bytes from memory instead of tracking them in from disk again. Great idea! :-)

Okay... let's use our knowledge to rip the complete disk! Let's stick a breakpoint on the trackloader address $7F020 and then change some loading parameters. Continue the game with a jump to $7E800 as shown in the picture below (don't forget to insert the game disk again).
Important:
If you use a different memory configuration than mine (2 MB Chip, 2 MB Fast), the addresses can differ from the ones used in this tutorial, so you will have to save the loaded tracks from another memory location. In this case the game stores all tracks beginning at $80000 (A3 = memory pointer) and, as mentioned before, copies them down to the correct address stored in the filetable.
6.gif
Now that AR has appeared again, let's view the registers to see which filetable entry the game wants to load. As you can see in D0 it must be entry #6, so let's have a look at filetable offset 6*!16=$60. It wants to load $3400 bytes to address $43000, starting at cylinder 1, track 0. This is a great start position, so there is no need to change it. But as you may have guessed, we don't want to rip only $3400 bytes, so let's change that parameter, e.g. to $F0000 (!983040) bytes. Do this step by step as shown in the picture above and then continue the game by quitting AR.
After some tracking the game gets stuck at cylinder 21. No need to worry about that, this is the highscore track, which has a different format. Let's enter AR again to save cylinders 1-20 to our save disk.
8.gif
Because A3 is used as a memory pointer ($80000 at first), we don't need to search for the end of the loaded data by hand, coz it points directly at it. :-)
Save the range as in the picture above, reset your machine and do the same again for cylinders 21-79.
When the game is hanging in the branch loop, enter AR again, stick a breakpoint on address $7F020 and jump into the main code with g $7E800. Wait until AR pops up, telling us that the instruction at $7F020 is the next one to be executed. Now let's change filetable entry #6 like this:
7.gif
So now we change the parameters to load $F0000 bytes from cylinder $15 (!21), track 1 (remember, track 0 is the highscore track).
After you've made the changes, exit AR and let the game load the rest of the disk. When trackloading has reached cylinder 80, enter AR again and save the loaded range to a newly formatted disk (it won't fit onto our first save disk). As you know, A3 points to the end of the data, in this case $13E200. So write the stuff with:
sm cyl21-79, $80000 $13E200, exactly $BE200 (!778752) bytes!
Well, congratulations, that was the last step that dealt with the original game disk.
By the way: we won't patch the original game loader directly at $7F020 but at $7F2AC. This is the part of the loader where the tracks are loaded into the correct position (or into allocated high mem). When the trackloader reaches this address, the following values are important for us.

$7FDFE.L = Read address
$7FE02.L = Bytes to read
$7FE20.B = Cylinder number
$7FE1C.B = Track number
$7FE0A.L = MFM load address

With this information it should be easy to patch the loader to handle our tracks, eh?! Boot up your favourite assembler, ASM-One in this case, and let's start writing the disk image(s). We will put all the data back onto 2 disks, coz it won't fit onto one 'standard' AmigaDOS-formatted disk. Reserve about 1200 KB of chip mem and type in the code of the disk image, which hides 'copy- and pasteable' below the picture.
009.gif


        MOVE.W  #$4E75,LOADER+$806        ; Puts an -rts- to the "Load Highscore" branch.
        MOVE.L  #$4E714E71,LOADER+$1132   ; "Nops" out a routine that asks for the original disk.
        MOVE.W  #$4E71,LOADER+$1136
        MOVE.L  #$11805000,LOADER+$D4C    ; Disables Turrican 3's own diskstepper!
        MOVE.W  #$600E,LOADER+$D50

        LEA     NEWLOADER(PC),A0          ; Simply overwrites a part of the original loader with our own one.
        LEA     LOADER+$AAC(PC),A1        ; Loader+$AAC is $7F2AC in memory later on.
        MOVE.L  #(NEWLOADERENDE-NEWLOADER)-1,D0
REPLACELOADER:
        MOVE.B  (A0)+,(A1)+
        DBF     D0,REPLACELOADER
        RTS

NEWLOADER:
        MOVE.L  $7FDFE,A0                 ; Read address.
        MOVE.L  $7FE02,D0                 ; Bytes to read.
        MOVEQ   #0,D1                     ; Clear necessary registers.
        MOVEQ   #0,D2
        MOVE.B  $7FE20,D1                 ; Get cylinder number.
        LEA     DISKSTATUS(PC),A2         ; Address of status word "Which disk is inserted?", 0=Disk1, 1=Disk2.
        CMP.B   #21,D1                    ; Shall be read from cylinder 21 or higher?
        BGE.B   SECONDDISK                ; Yes... this belongs to second disk then.
        TST.W   (A2)                      ; First disk in drive?
        BEQ.B   CORRECTDISK               ; Yep, everything ok then.
        BSR.W   FLASHCOLORS               ; Otherwise flash colors!!!
        CLR.W   (A2)                      ; Change diskstatus to "Disk 1 inserted".
        BRA.B   CORRECTDISK
SECONDDISK:
        SUB.B   #21,D1                    ; Everything beginning from cylinder 21 on original disk now begins from zero again on 2nd disk.
        TST.W   (A2)                      ; Second disk in drive?
        BNE.B   CORRECTDISK               ; Yep, continue the trackload.
        BSR.W   FLASHCOLORS               ; Otherwise flash colors...
        MOVE.W  #1,(A2)                   ; ... and change diskstatus to "Disk 2 inserted".
CORRECTDISK:
        LSL.L   #1,D1                     ; Cylinder number * 2 = track number ...
        ADD.B   $7FE1C,D1                 ; ... + track number on cylinder = correct track!
        MULS    #$1A00,D1                 ; Multiply with game's tracksize = correct byte offset on disk.
        DIVS.W  #$1600,D1                 ; Divide by normal DOS tracksize, d1 = correct track number on crackdisk.
        SWAP    D1                        ; Rest of division = byte offset on track.
        MOVE.W  D1,D2                     ; Moves byte offset to d2.
        CLR.W   D1                        ; Clear byte offset in d1 and ...
        SWAP    D1                        ; swap it back so d1 = tracknumber.l again.
        MOVE.L  $7FE0A,A2                 ; MFM load address.
        LEA     $DFF000,A6                ; Custom chip base address to a6, necessary for trackloader.
        BSR.B   TRACKLOADER               ; Read in the stuff!
        LEA     $DFF000,A5                ; Custom chip base address to a5, necessary for game. :-)
        RTS
FLASHCOLORS:
        MOVE.W  D7,$DFF180
        SUBQ.W  #1,D7
        BTST    #6,$BFE001
        BNE.B   FLASHCOLORS
        MOVE.W  #$0,$DFF180
        RTS
DISKSTATUS:
        DC.W    0
TRACKLOADER:
        INCBIN  "ALPHA:TRACKLOADERS/TRACKLOADER.BIN"
NEWLOADERENDE:

; DISK-IMAGE.

DISK:
        DC.B    "DOS",0                   ; Disk 1 = !50 Tracks!
        DC.L    0
        DC.L    0
        MOVE.W  #$02,$1C(A1)              ; Use trackdisk-device to load the stuff to $7E800 and $58000.
        MOVE.L  #$7E800,$28(A1)
        MOVE.L  #$400,$2C(A1)
        MOVE.L  #$1800,$24(A1)
        JSR     -$1C8(A6)
        MOVE.W  #$02,$1C(A1)
        MOVE.L  #$58000,$28(A1)
        MOVE.L  #$1C00,$2C(A1)
        MOVE.L  #$1200,$24(A1)
        JSR     -$1C8(A6)
        MOVE.W  #$7FFF,$DFF09A            ; Kill interrupts & DMA and jump into gameloader.
        MOVE.W  #$7FFF,$DFF096
        MOVE.B  #$1,$7FE14
        JMP     $7E800
BOOTENDE:
        BLK.B   $400-(BOOTENDE-DISK),0    ; Fill rest of the bootcode with zeros, so gameloader starts at even position !1024 ($400).

LOADER:
        INCBIN  "ALPHA:T3/7E800"          ; Position on disk = $400.
        INCBIN  "ALPHA:T3/58000"          ; Position on disk = $1C00.
        BLK.B   $600,0

GAMEDATA:
        INCBIN  "ALPHA:T3/CYL1-20"        ; Position on disk = $3400 (Cylinder 1, Track 0 on original gamedisk).
        BLK.B   $A00,0                    ; Just to make the !50 tracks complete. :-)

DISK2:                                    ; Disk 2 = !140 Tracks!
        BLK.B   $1A00,0                   ; Gamedata on disk 2 begins on Cylinder 0, Track 1 (calculated with $1A00 tracksize of course).
        INCBIN  "ALPHA:T3/CYL21-79"
        BLK.B   $C00,0                    ; Just to make the !140 tracks complete. :-)
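
The Python sketch below is an added example, not part of the original tutorial or the crack's source. It decodes a filetable entry using the offsets listed earlier and reproduces the cylinder/track to DOS-track arithmetic that NEWLOADER performs with MULS/DIVS. The function names are illustrative, and the sample table is constructed from the values the text reads out for entry #6.

```python
import struct

GAME_TRACK = 0x1A00  # bytes per track in the game's format (page value)
DOS_TRACK = 0x1600   # bytes per track on the rewritten DOS disk (page value)
SPLIT_CYL = 21       # original cylinders >= 21 are stored on disk 2

def parse_entry(raw):
    """Decode one 16-byte filetable entry using the offsets listed in the text."""
    if len(raw) != 16:
        raise ValueError("a filetable entry is exactly 16 bytes")
    _, cyl, head, unknown, load, length, himem = struct.unpack(">4B3I", raw)
    if head not in (0, 1):
        raise ValueError("track on cylinder must be 0 or 1")
    return {"cylinder": cyl, "track": head, "unknown": unknown,
            "load": load, "length": length, "cached_at": himem}

def entry_at(table, index):
    """Same indexing as the loader: entry number * 16 (asl.l #4,d0)."""
    return parse_entry(table[index << 4:(index << 4) + 16])

def locate(cyl, head):
    """NEWLOADER's arithmetic: (disk, DOS track, byte offset on that track)."""
    disk = 0
    if cyl >= SPLIT_CYL:
        disk, cyl = 1, cyl - SPLIT_CYL
    dos_track, offset = divmod((cyl * 2 + head) * GAME_TRACK, DOS_TRACK)
    return disk, dos_track, offset

def dos_span(entry):
    """First and last DOS track a read of entry['length'] bytes touches."""
    disk, first, offset = locate(entry["cylinder"], entry["track"])
    last = (first * DOS_TRACK + offset + entry["length"] - 1) // DOS_TRACK
    return disk, first, last

# Constructed sample: six empty entries, then entry #6 with the values the
# text reads out (cylinder 1, track 0, $3400 bytes to $43000, no high-mem copy).
SAMPLE_TABLE = bytes(6 * 16) + struct.pack(">4B3I", 0, 1, 0, 0, 0x43000, 0x3400, 0)

if __name__ == "__main__":
    e = entry_at(SAMPLE_TABLE, 6)
    print(e, locate(e["cylinder"], e["track"]), dos_span(e))
```

Entry #6 lands on DOS track 2 at byte offset $800 of disk 1, which is the $3400 position of GAMEDATA in the disk image above; cylinder 21, track 1 lands on DOS track 1 at offset $400 of disk 2, directly after the $1A00 padding.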


The binary & source code of the trackloader and crack can be downloaded from the top of this page.
And now it's time to ...
010.gif
... assemble the stuff using A and execute the code with J. Now that the loader is patched in memory, it's time to write the tracks back onto our disks. Type in: WT and save the tracks beginning in memory at label DISK, writing tracks 0 up to !50. Finally, calculate the new bootblock checksum for disk 1 with CC. Insert the second disk and continue by writing the tracks from label DISK2 as shown in the picture below (tracks 0 - !150).
Reboot your Amiga, insert disk one and enjoy this great game!
011.png
Alpha One ©2004