Lotus Esprit Turbo Challenge


MFM to DOS

Category: TutorialsAmigaCrackingMFM
Author: Musashi9
Submitted by: musashi9
Date: 2005-06-19 15:27

Requirements
1. AMiGA or WINUAE (Configuration: 2MB CHIP!!!)
2. ACTION REPLAY freezer (or ROM Image)
3. Original Game or CAPS-Image (0774)
4. Assembler (ASM-One)

Understanding the BootBlock

Ok so let's try and make a copy of our original disk, load up X-Copy and fire away
hmm only 1 green zero out of so many red errors. Oh well, time to take that 1 green error free track and dismantle it, probe it, poke at it, molest it, sexually assault it err hmm anyway moving on
Fire up good old blue and read track 0 at address 50000
RT 0 1 50000
then disassemble it with
D 5000c (why 5000c? well the first few bytes are just a bootblock header [DOS])
now scroll down to see what this badboy is up to

The first part is pointing to 5001c which in turn is pointing to address 1000
and it even has a jump to address 1010
so me thinks after booting, all the action takes place around memory location 1000
(in other words, it moves data to 1000 and jumps to 1010 to start the game loader)


Understanding the Loader

now we know where the loader is placed in memory and also where it is executed, we can start to break it down so we can understand it better
reboot with the original disk in df0:
when it starts to boot hit your Action Replay button
now let's disassemble our loader which we know is jumped to at address 1010
D 1010

look at the lines of code highlighted with a red mark
~001050 MOVE.L #3000,D0
~001056 MOVE.L #800,D1
~00105C LEA 400.s,A0
~001060 BSR 1110
now this last instruction (BSR 1110) is interesting because it is called twice (see 1074)
trackloader possibly?
it very well could be, just look at the code from 1050: it is moving 3000 into D0, 800 into D1 and 400 into A0
i think D0 is telling the trackloader what position on the disk to load from
D1 is telling the trackloader how much to load
and A0 is telling the trackloader where to load this data to
but if this is the case then why at address ~001064 does this change?
well we have 3800 moved into D0 like before but D1 and A0 are not the same
instead of loading numbers into these registers it is pointing to an address (possibly to get the numbers from there instead?)
well yes it is, because the first FILE loaded is a file table, loaded from disk position 3000 with a length of 800 to address 400
so the addresses pointed to for the second file are in this area (BF8 and BFC); the file table spans 400 + 800 = C00 so BF8 and BFC are only just within it
let us make sure by checking out this area

BF8 = DF48
BFC = 72000
so for the second file we have a file size of DF48 and the address to load this file to is 072000
interesting, make a note of this address (why? because after it has loaded the second file it seems to execute it)
how do we know this? because there are no other files loaded from this small loader (only these 2) so whatever is loaded at 72000 seems to take over the loading of files
i don't mean the trackloader is up high at 72000 somewhere, it can still use this trackloader at 1110 but the information it gives it is somewhere around 72000


Ripping the files / making a disk image

Now that we know where the trackloader is and what information is fed into it we can in theory make it load the whole disk image in one go
and then save it as 1 big file
the way we are going to do this is put a BRA loop at the start of the trackloader
we know it starts at 1110 so let's read the original instruction at 1110 (so we can put it back later)
D 1110

ok we disassemble 1110 and we find a BSR 13A4. examine 13A4 yourself and you will find some BFD000 and DFF000 (the CIA and custom chip registers); we might want to keep them later on when we add our own trackloader (keep the BSR) but forget about that for now
right let's put a loop at 1110
A 1110
~001110 BRA 1110
and re-execute the loader
G 1010
you will notice the track counter (if you have one) go to zero
and then nothing (our loop has kicked in)
ok let's see what our REGS are set to by typing R
we see
D0 = 3000
D1 = 800
A0 = 400

well let us change all of this so we can rip the whole disk into memory
we shall keep D0 the same (because this is the start of our MFM protection) 1800 x 2 = 3000 (track 2)
D1 will have to be larger, let's set it to EA000 (why not bigger? well i'll explain later)
A0 needs to go to 80000 (out of range of the game) because it's a half meg game
ok so type
R A0 80000
then
R D1 EA000
now we need to replace the BRA loop with the original BSR
type
A 1110
~001110 BSR 13A4
now exit and you should see the disk loading and not stopping

When we reach CYL 79 enter Action Replay again and type R. you will notice A3 is a rather large number, this is where the data stopped loading to
if you search this area N 16a000
you will find nothing so scroll-search from a little lower, say 14A000, downwards until you come to the end of the data

you will find some mushy love stuff and after that nothing so this is the end of all our data
now we need to save this as one big file

insert a newly formatted blank disk and type
sm lotus,80000 14c600
this saves from memory location 80000 to the end of the mushy stuff at 14c600
we should now have a big file called lotus
and that should be most of the data ripped. well i say most but we need the first 2 tracks as well
so insert the original disk and type
RT 0 2 50000
(don't worry, it can read up to track 2 but no further)
now insert another newly formatted blank disk (cos it won't fit on the other one)
and save this as boot
sm boot,50000 52c00
the end is 52c00 because it's 2 tracks (1600 x 2 = 2c00)
now we need to run this game without the need for the original disk
before we do that let us find out where on the first track our trackloader starts
so we have the bootblock at address 50000, let's search for the trackloader
remember the first file (file table) is loaded at address 400
let's do a search for that address
FA 400 50000

we find 2 addresses but ours is the one with A0 at the end (remember)
D that address and scroll down
look familiar? so the trackloader on the bootblock is located at offset 15a (5015a)
take note of this
ok our next step is running the game from RAM to make sure we don't need the original disk anymore


Running the game from ram:

We now have all the files needed to run this game without the original disk (fingers crossed)
so load up ASM-One because we need to write a small program to get this badboy running without the need for the original disk
BTW all source files are available for download on this page
ok so let me break this down for you before i write the source code
our aim is to load the boot file, then the main data file, into address 80000
then patch the trackloader into a COPY MEMORY loader
in other words replace the trackloader with a loader that will copy data from higher RAM into the desired location (thus making the original disk obsolete)
here is the source code for that

;-------------------------------------------------------------------------------------
LEA LOTUSLOADER(PC),A0
LEA $8015a,A1
MOVE.L #(LOTUSLOADERENDE-LOTUSLOADER),D0
REPLACELOADER: MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER
JMP $8000c

;****************************************************************
LOTUSLOADER:
MOVE.L d0,a1
MOVE.L #$80000,d3
ADD.l d3,A1
COPYDATA: MOVE.B (A1)+,(A0)+
SUBQ.L #1,D1
BNE COPYDATA
RTS
LOTUSLOADERENDE:
;****************************************************************

ORG $80000

LOADER: INCBIN "df1:boot"
BLK.B $400,0
LOTUSDUMP: INCBIN "df0:lotus"

;---------------------------------------------------------------------------------------

Let me break this down for you

LEA LOTUSLOADER(PC),A0                   ; Our new loader
LEA $8015a,A1                            ; Location of old trackloader
MOVE.L #(LOTUSLOADERENDE-LOTUSLOADER),D0 ; Loader length goes in D0
REPLACELOADER: MOVE.B (A0)+,(A1)+        ; Replace loader until D0
DBF D0,REPLACELOADER                     ; reaches 0
JMP $8000c                               ; Start game
This will overwrite the trackloader with our LotusLoader patch
and once it has finished it will jump to 8000C to start the game

LOTUSLOADER:                             ; Name of our patch
MOVE.L d0,a1                             ; Move disk position into A1
MOVE.L #$80000,d3                        ; Put 80000 into D3
ADD.l d3,A1                              ; Add D3 to A1
COPYDATA: MOVE.B (A1)+,(A0)+             ; Copy data
SUBQ.L #1,D1                             ; Subtract 1 from D1
BNE COPYDATA                             ; Zero not reached? do again
RTS                                      ; Return
LOTUSLOADERENDE:                         ; End of patch
This is our RAM loader, it will take the information from the game loader and transfer data from RAM into the memory location the game wants it to be in
we add 80000 to the location on disk because we are loading all our data files at 80000+
so we know the file table is at disk position 3000 and since our game data is being placed at 80000 we have to add 80000 to the disk position
so file 1 is located at 83000, get it? file 2 at 83800 etc... so on and so on

ORG $80000                               ; Start loading here
LOADER: INCBIN "df1:boot"                ; Load boot file
BLK.B $400,0                             ; Add 400 to length
LOTUSDUMP: INCBIN "df0:lotus"            ; Load game data

This will load all our ripped data into memory location 80000
we add 400 because our boot is only 2c00 long (remember? 1600 x 2 = 2c00) but we need the game data to start at 83000
so we add 400 (2c00 + 400 = 3000)



Ok all done? place the disk with the game data on it into DF0: and the disk with the BOOT file on it into DF1:
all done?
ok let's test it out
exit edit mode and press A and enter to assemble

now when we press J to execute the game should start loading
hmm save your source first, done?
Press J and enter to start
hmm the screen goes black like it is supposed to but the track counter (if you have one) shoots right up to the last track
that's not good, it just stays there as well like it is trying to read but it can't
i don't think it is a copylock otherwise it would try and read and if it can't, it will move on with negative consequences
this one just keeps trying and doesn't work
ok enter Action Replay, let's find out where in memory we are
type D and enter

we seem to be in the 72000 area (file 2)
hmm ok let's disassemble this file and see what we can find
but let's not do it from 72000, let's do it from the fresh copy of the file in memory
so we know file 2 is at 3800 on disk so in memory that would be
83800
D 83800 and scroll down

what we are looking for is a BRA or a BSR or a JSR
hmm this looks interesting, a BSR 84392
let's disassemble this
D 84392
hmm a move.l #9e,D0
and a JSR 1000c.s
9e hmm looks like it's reading track 158
hmm ok let's put an RTS on the JSR, hopefully this will prevent it loading that track
take note of the address of the JSR (84396)
ok reboot and start ASM-One again and load up our RAM patch
place MOVE.W #$4e75,$84396 just above the JMP 8000c (4e75 is the opcode for RTS, and 84396 is the JSR address we just noted; it has to be a word move so the RTS lands exactly on the JSR)

assemble and J

oh my gawd the game works without the need for the original disk
cool eh?
ok well use this to test it out, make sure it doesn't need any more disk access or to see if any novellas pop up etc...
in other words give it a damn good rogering!
(Hint! try and find the secret hidden game)
ok satisfied?
let's make a working disk version now


Final Crack

Now all we need to do is put all the data back to disk, and replace the old trackloader with our new one
so reboot with ASM-One
load the RAM source
done?
ok well we need to change a few things
see the source below for the crack
see line 2 has changed from 8015a to 8015e
remember at the start of this tutorial i told you about the BSR we wanted to keep
well this is how we keep it, we move our new trackloader to just under it
did you also notice i removed the BLK.B 400
this is because we are now working with 1600 per track and not 1800
so our first file won't start at 3000 but at 2c00 which is 3000 - 400
and because of this we have to sub 400 from our 1 track protection RTS
MOVE.W #$4e75,$83f96
you will also notice the lotusloader has changed dramatically
our new trackloader needs the following parameters
TRACKLOADER:
; D0 = bytes to read
; D1 = start track
; D2 = byteoffset on track
; a0 = loadaddress
; a2 = mfm address
so our new patch includes the following
MOVE.L #$1F68,A2                ; this is the address our trackloader will use to load raw MFM data to
MOVE.L D0,D4                    ; this will move the disk position into D4
MOVE.L D1,D3                    ; this will move the length into D3
DIVS #$1800,D0                  ; this will divide the disk position by 1800
MOVE.L D0,D1                    ; and once it has been divided it will then move it into D1 and give us our track number (DIVS leaves the quotient in the low word and the remainder in the high word)
MULS #$1600,D0                  ; this will multiply the track number (the low word of D0) by 1600
SUB.L D0,D4                     ; this will subtract whatever "muls #1600" gives us from the original disk position
MOVE.L D3,D0                    ; this will move the length into D0
SUB.L #$400,D4                  ; this subtracts 400 from D4 to find the offset on the track
MOVE.L D4,D2                    ; finally we move the offset into D2
incbin "df1:trackloaderpro.bin" ; oh also include alphaone's great new trackloader pro

so basically we start off with say
a disk position of 3000
length of 800
we convert this into
; D0 = bytes to read
; D1 = start track
; D2 = byteoffset on track
; a0 = loadaddress
; a2 = mfm address
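As an added example that is not part of the tutorial (and not alpha One's trackloader code), here is the register arithmetic of the lotusloader patch above, together with the RAM version's "add 80000" rule, modelled in Python and checked against the two files the tutorial walks through (3000/800 and 3800/DF48). It assumes the trackloader reads linearly from track x 1600 + offset, so an offset larger than one track simply carries into the next one; the page never states this, so treat it as an assumption.

```python
# Added example, not the tutorial's own code: models the 68000 register
# arithmetic of the LOTUSLOADER patch (DIVS/MULS/SUB) and the RAM version's
# "add 80000" rule. Assumes the cracked disk's trackloader reads linearly from
# track * 0x1600 + offset (an assumption; the tutorial never states this).

ORIG_TRACK_LEN = 0x1800       # bytes per track in the game's own position numbering
DOS_TRACK_LEN = 0x1600        # bytes per track on a standard 11-sector track
DUMP_START_POS = 0x3000       # first disk position that was ripped (track 2)
BOOT_LEN = 2 * DOS_TRACK_LEN  # the two boot tracks written before the dump (0x2c00)
RAM_BASE = 0x80000            # where the ripped image sits for the RAM-only version


def to_word(value):
    """Truncate to 16 bits, the way the 68000 reads a .W operand."""
    return value & 0xFFFF


def lotusloader_params(disk_pos, length):
    """Mirror the patch instruction by instruction.

    The game enters with disk_pos in D0 and length in D1, both in its own
    0x1800-bytes-per-track numbering. Returns (D0, D1, D2) as the new
    trackloader expects them: bytes to read, start track, byte offset on track.
    """
    d4 = disk_pos                               # MOVE.L D0,D4
    d3 = length                                 # MOVE.L D1,D3
    quot, rem = divmod(disk_pos, ORIG_TRACK_LEN)
    d0 = (to_word(rem) << 16) | to_word(quot)   # DIVS: remainder high, quotient low
    d1 = d0                                     # MOVE.L D0,D1 (remainder word comes along)
    d0 = to_word(d0) * DOS_TRACK_LEN            # MULS #$1600,D0 only uses D0.W
    d4 -= d0                                    # SUB.L D0,D4
    d0 = d3                                     # MOVE.L D3,D0
    d4 -= DUMP_START_POS - BOOT_LEN             # SUB.L #$400,D4: position 3000 became 2c00
    d2 = d4                                     # MOVE.L D4,D2
    return d0, to_word(d1), d2                  # the start track is read as a word


def dos_linear_pos(track, offset):
    """Byte position on the cracked disk if the loader reads linearly."""
    return track * DOS_TRACK_LEN + offset


def ram_address(disk_pos):
    """Where the RAM-only version finds the same bytes: 80000 + disk position."""
    return RAM_BASE + disk_pos
```

Whatever track DIVS picks, track x 1600 + offset always comes out 400 bytes lower than the game's own disk position, which is exactly the 2 x 200 bytes the two boot tracks lose going from the 1800-per-track numbering to 1600 per track. For positions further into the dump the offset grows past one track, which is why the linear-read assumption matters.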

Crack.S
;------------------------------------------------------------------------------------

LEA LOTUSLOADER(PC),A0
LEA $8015e,A1
MOVE.L #(LOTUSLOADERENDE-LOTUSLOADER),D0
REPLACELOADER: MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER
MOVE.W #$4e75,$83f96
RTS

;****************************************************************
LOTUSLOADER:
MOVE.L #$1F68,A2
MOVE.L D0,D4
MOVE.L D1,D3
DIVS #$1800,D0
MOVE.L D0,D1
MULS #$1600,D0
SUB.L D0,D4
MOVE.L D3,D0
SUB.L #$400,D4
MOVE.L D4,D2
incbin "df1:trackloaderpro.bin"
LOTUSLOADERENDE:
;****************************************************************

ORG $80000

LOADER: INCBIN "df1:boot"
LOTUSDUMP: INCBIN "df0:lotus"


;--------------------------------------------------------------------------------------
all done?
exit edit mode and assemble our little crack
then press J to execute
now all we need to do is write all the data back to a brand new floppy
WT
RAM PRT:$80000
DISK PRT>0
LENGTH>160
and don't forget the bootblock checksum
type
CC
now reboot and enjoy


Special thanks goes to Rob for playtesting and alpha One for all this cracking know how





Comments

2005-06-20 08:24
1. aLpHa oNe writes

Great Tutorial, Musashi9 !!!