Gremlins 2

Hits: 5102

MFM

More
Tags
Category: TutorialsAmigaCrackingMFM
Author:
Submitted by: musashi9
Date: 2006-07-06 19:00
No tags

Gremlins II from Elite


Requirements
1. AMiGA or WINUAE (Configuration: 2MB CHIP!!!)
2. ACTION REPLAY freezer (or ROM Image)
3. Original Game or CAPS-Image (2208)
4. Assembler (ASM-One)

Understanding what we need to do

Ok so let's try and make a copy of our original disk. Load up x-copy and fire away
hmm only 1 green zero out of so many red errors. Ok so what we know so far is we have an MFM protected disk here, what this means is we can't simply just make an exact duplicate from the original disk using X-copy, why? Well basically the amiga disk drive can read these disks fine but is unable to write them, it's only able to write back to disk using normal dos tracks. this is not a software problem but a hardware one.

So now we know all of this we should now realise the basics of what is needed
1. Understand the boot block. (as this is the only part of the disk readable by us, we need to see what it's doing)
2. Find someway of getting every possible byte from the original disk and save it.
3. Once we have the data we need to get the game running/working without the original disk even touching our amiga disk drive
4. When we are satisfied we have cracked all protections and removed all disk routines we can start to think about putting everything back on a normal dos disk
5. Attach one of your crackintros, and claim to be the best in the whole wide world, and call people bad names and use lots of bad words and and err thats about it



Understanding the BootBlock

What is the bootblock?
Well if we take a look at the results of our X-Copy tracks we will notice only 1 side of 1 track is a GREEN 0 (see picture below)

What this means is, our amiga by itself with no other hardware attached can only read this one side of the first track. If MFM protected games never had this GREEN 0 then they wouldn't work because inside this one GREEN (normal track) contains information to be passed to the amiga, to enable a normal amiga read abnormal tracks.
As we have talked about before, the standard amiga diskdrive is well capable of reading abmoral tracks but is unable to write them. so our solution is to gather all the information on these abnormal tracks and transfer them to a disk that has only normal tracks.

Now that we understand all of that, we need to search the BOOTBLOCK for the information that tells a normal amiga to read abnormal tracks, and change this information in such a way that will be useful to us.

From this point on we are going to use ACTION REPLAY(AR), we dont actually need to use this for 90% of our work, we can use ASMONE's internal tools such as RT and Disassemble and Assemble memory ............ but because AR is so handy why not use it :)

RT (read track)
===
Enter AR and insert yoour original gremlins disk into drive 0.
Now because we are using a normal amiga that can only read normal tracks, we are only able to read in the first GREEN 0 track:) so lets do that
we do this by using AR's Read Track command which is RT the we need to specify some parameters for this command
such as start track to read from ( we have a range of 0-9f (160 tracks = 80 tracks each side [2 sides to each disk])
the second parameter needed is the length this also should be in the form of the amount of tracks we want to load.
And finally we need to tell AR where in memory to load to, understand this so far?
we need a start track, a length amount (in tracks) and a place in memory to load all this data to.
Everyone should know by now that the BOOTBLOCK is always placed on track 0 and judging from our Xcopy results we should only be able to read 1 track (1 green 0).
so now we know what is needed lets crack on :)
type the following into action replay
RT 0 1 50000
we are reading track 0 with a length of 1 track into memory location 50000.

This is all we can do with the original disk and AR's RT command.Try for yourself to read any other track and you can see it wont work
Phase one complete, we now have the BOOTBLOCK from the original disk of a game called gremlins ,safely locked in memory.
Now lets Disassemble it to try and find out what it is doing,

Disassembling:
==========
AR has a Disassemble command that will basically disassemble any part of memory making it appear as ASM code.
Anyone familiar with an Amiga Bootblock knows that the code doesn't start where would would think.
The reason why our code wont start at 50000 (address we loaded the bootblock to) is because the amiga needs to know if this track is Bootable so this BOOTBLOCK has a HEADER that the amiga can recognise and if all is ok continue to boot, if this header is not found then our amiga will think it is not a Bootblock and will refuse to boot from this disk
The HEADER looks like this 'DOS' then a few bytes for a checksum check (this is a set of digits that have been pre calculated from the 400 bytes of our Bootblock and stored after the word DOS) if you try and alter any of the data within those 400 bytes and save the Bootblock back to disk, then the Cecksum will be wrong, and the amiga will refuse to boot this disk. So bare in mind when we want to alter any bootblock we must Calculate the Checksum for it afterwards.
dont worry many programs can do this with ease, we dont have to do any hard work.

Back to.Disassembling, now we know where to look (5000c) lets start disassembling out Bootcode to see what we have.
O ur disasembler command only needs 2 parameters [D, Memory to disassemble]
so type
D 5000c
C ontinue to hit ENTER to make the disassembling continue down, once it has reached the bottom we now have the power to scroll up or down, using the Cursor keys. We can exit this command anytime by pressing ESC
ok so scroll down let us see what we have here

ok pretty basic stuff here
LEA DFF000,A0 | a0 = Custom register
MOVE.W #7FFF,9A(A0) | Disable interrupts
MOVE.W #7FFF,96(A0) | Disable DMA
MOVE.W #0,180(A0) | Set background colour to Black

The purpose of all of that is to kill the operating system.
next.the game wants to move into supervisor mode

LEA 5002e(pc),A1
| point to MOVE.W #2000,SR
MOVE.L A1,00000020
MOVE.W #2000,SR
LEA 00068000,A7

For more information on this, read Code Tapper's very detailed and well commented Strider Tutorial here (we are still waiting for PART2 cough cough)
Next is a small memory copy routine, used for moving parts of memory around

LEA 50050(PC),A1 | the start addres of the memory we want to copy
LEA 00070000,A2 | the destination addres we want to copy the memory to
MOVEA.L A2,A3 | move the destination addres to A3
MOVE.W #76,D0 | #76,D0 = the amount of memory we want to copy
MOVE.L (A1)+,(A2)+ | the copy process
DBF D0,00050048 | loop the copy process untill the length in D0 is empty
JMP (A3) | jump to the addres in A3 (70000)

What we see here is the bootup code copying from 50050 with a length of 76 to destination addres 00070000
and then executing the code at address 00070000
Now we know it is moving some code to 00070000 lets find out what this code is doing

Lets examine 50050 (remember this? start adress of code that is copied to 00070000)
LEA BFE001,A1
LEA BFD100,A2

Well if you have studied the strider tutorial you will know by now that and i quote
"The important registers for disk accessing are bfe001 and bfd100"
Basicaly we have found the trackloader? if so then we dont really need to bother looking up and explaining every aspect of its code
because we are only interested in the 'Parameters' used to load a track
What are 'Parameters'?
They tell a diskloader where to start reading from, how much to read, and where in memory the MFM should be loaded to and after the MFM has been transformed from MESS into Readable code , we need a destination address for this readable code
lets start looking for these -
1. MFM address (load junk here before transforming it into readable code)
2. Destination address (where to copy the data once it has become readable)
3. Start position on disk to read from
4. Length of data to read

from our snapshot we dont see much code starting form 50050 onwards, and what we do see is nothing we are looking for
we do however see 2 BSRs and 1 BRA
BSR 000501EA
BSR 0005007A
BRA 00050206

The information we are looking for could be at any of these, so we have to search them all :)
lets take alook at the first BSR
D 501EA

hmm that just looks like some Disk access stuff with a simple RTS hmm ignore this one for now we dont need it
lets examine the Second BSR
D 5007A
This is more interesting, it seems to be a maze of code, moving from one part to another, lets follow it as much as we can without getting bored :)

Now this looks more interesting, if you have studied the strider tutorial you will know what most of this stuff is
MOVE.W #A245,7E(A0) | sync used for this game
MOVE.L #68000,20(A0) | Destination for MFM.... BINGO!!!! we were looking for this (write the address down 68000)

HMMM you know looking at the code for booting on gremlins and for strider, thet are almost identical, but i dont think they were made by the same company?
perhaps by the same coder?

I don't know about you but from searching this bootcode i have yet to find a track length, why is this important?
well how else will the disk know how to calculate where track 20 is? without a length of a track it can't.
I f you say a track is #1600 in length like a nomral dos track and you want to know where on the disk track 20 is you multiply 1600 by 20 = 2C000
Unlike the strider bootblock we dont have anything dividing ect... well nothing that sticks out so how can we know the length of 1 track?
well that will be pretty simple once we find the parameters for loading :) we can simple fill up some memory with lots of FFFFFFFF ect... the tell it to load 1 track into our point in memory with all the FF's and then see where the data ends and the F's begin and this will give us a length of 1 track
but first we must find these parameters to change

ok lets try the BRA and see what is there
D 00050206

MOVE.W #0,DFF180 | we know from above,that 'move.w #0,DFF180' means turn screen black
LEA 00000400,A5 | pointing to address 400 in A5 ... possible load address?
MOVEQ #E,D7 | put E in D7 ...possible start track position? or length?
MOVE.W #4C,00000028 | puts 4C at address 28...again..possible start track position? or length
BSR 00050120 | Call the trackloader? to execute now it has ou parameters?
BSR 000501F8 | disable the disk drive function because we are finished with it?
JMP 00000400 | jump to start the code we have just loaded

This all looks cosey but lets take a look at what the BSR calls just to make sure they are caling the trackloader
D 00050120
SUBQ.W #1,D7
hmm we have E going into D7 could this be our length/amount of data to load ?
W e can have some fun testing :) first thing we need to do is turn that JMP 400 into a branch loop so our code will just stay in a continous loop after we have read in some tracks.
N ow we must use the Assembling command 'A'
A 00050224
`050224 BRA 00050224
see simple :)
Now after we execute the bootblock and it loads in some tracks, it wont try and jump to start the game, instead it will just stay in one continous loop.
R ight so we want to tell if its length going into D7 or our start track to laod from
lets change MOVEQ #E,D7 at 50214 into MOVEQ #1,D7
A 050214
"050214 MOVEQ #E,D7

if it is the length then it should only load 1 track and no more, but if it isn't the length then it must be our start track and it will load in a bigger amount other than 1
since we want to know the length of a track and we are about to exectue this loader with the possible parameter of only loading 1 track, why not kill two birds with one stone.
First let us try what we talked about earlier, remember? about filling some memory with F's?
ok lets fill memory location 00080000 to 00082000 with F's, we do this by using the fill memory command
O FF,80000 82000
now let us change the load address from
LEA 00000400,A5
to
LEA 00008000,A5
A 5020e
'05020E LEA 00080000,A5
done? ok let us test memory 80000 make sure all those FFFFF's are there
We can vie wmemory in HEX by using M command
M 80000

See all those lovely FF's :)
now let us fill up address 80000 hopfully with just 1 track from the original disk
how? well simple, we execute the whole Bootblock
G 5000C
this will run through all of the code we have talked about and hopfully load 1 track into memory location 80000
notice how much the disk loaded? hardly seems like anything right? you can't hear it grinding away loading many tracks. so it looks like it D7 holds the parameter for Length/ Amount
lets make sure by checking address 80000
yup it has changed from FF FF to well some game code :)
now let us get the all important length of 1 track by scrolling down (press enter) and dont stop untill we see a whole bunch of FF's

There we have it 1 loaded track with a length of...hmm let us count i see data stopping at 18A0 but it has some stragglers along the line i say about 8 of them
so a track length of 18a8 :) cool make a note of this most important piece of information




Ripping the files / making a disk image

I have never typed so much in all my life!!!!!!!!
anyhoo we must press on.
now comes the fun part... ripping every last scrap of data from the original disk ,so we can make a RAM loader and get the game working without the need of the original disk

We now know what parameters need changing and for what purpose they are used for, so it shouldn't be a problem ripping everything in one go right? from track1 to the last track

well lets see if it is as easy as it sounds :)
Keep the load address at 80000 we just need to change the length and the start track
lets me put the image back here of the parameters we need to change so they are still fresh in our minds

Load address is fixed at 80000 now - good
we need to change the length to something big like A0 - 160 tracks
lets change MOVEQ #1,D7 at 50214 into MOVEQ #A0,D7
A 050214
"050214 MOVEQ #A0,D7
and now to change the start track, from MOVE.W #4C,00000028 to MOVE.W #1,00000028
A 050216

"050216 MOVE.W #1,00000028
Simple right? we want to load from track 1 with a massive length of A0, this should load everything we need into address 80000
we have everythig in place
Load address is sorted
Length is sorted
Start track is sorted
Jmp has been Loopified
now lets execute this bad boy and sit back and wait for it to load everything
G 5000c

Dum de Dum twiddle my thumb, scratch my bu...eerrr is it done yet? hmm disk activity seems to have stopped hmm if you are lucky enough to have a track counter on your diskdriver ( i seen them in a magazine once) or you are using WINUAE you will notice around track 67*2 it has stopped hmmm
could this be all? i guess it is, you can test it further by putting in higher track start positions and re executing, i dont think you can load anymore data from it
this could mean 2 things
1. this is all the data and it cant read anymore because that part of the disk isnt used
2. that part of the disk uses a different disk sync and is accesed by using another loader within the game code
Well all we can do for now is rip off the data we have loaded and hope it is everything :) if not we have some more hard work later on to do :)
Let us see where the data has stopped loading.We know the load address was in A5 so let's check out that register see where it is at now
use R command
R
Take a look at A5 it now says 14CF48

ok lets start saving some data
Insert a freshly formatted blank disk
We know the start of the data was 80000 and it looks like the end is 14CF48. So lets save a file to disk using these parameters.
For this we will use the Save Memory command SM | SM name of file, start-adress end-adress

SM data,80000 14CF48

it should all fit nicely on the disk:) but we also need the original bootblock so lets insert the game disk again and use the RT command to read it back in
RT 0 1 50000
then insert our disk with the data file we just saved
Now let us save the bootblock 400 in length
SM boot,50000 50400

Fingers crossed this should be everything we need and we can now throw away the original disk



Running the game from memory:

We now have all the files needed to run this game without the original disk (fingers crossed)
so load up ASMONE because we need to write a small program to get this badboy running without the need of the original disk
We want to use Chip memory with Asmone and lots of it ..... 111
BTW all source files are available for download on this page
ok so let me break this down for you before i write the source code
our aim is to load the bootfile then the main data file into address 80000 (so we have a complete disk image in memory)
patch the disk trackloader(s)? to a COPY MEMORY loader
in other words replace the trackloader with a loader that will copy data from higher memory into the desired location (thus making the original disk obsolete)
The first thing we need to do is load our bootblock and data into memory


   ORG $80000
INCBIN "DF1:BOOT" BLK.B $14a8,0
INCBIN "DF1:DATA"


1.ORG $80000
means everything past the ORG is assemblled at memory location $80000

2.INCBIN "DF1:BOOT"
means include binary file , in this case we want to INCBIN our boot file (bootblock is loaded to $80000 with a length of $400)
you can change the 'DF1:' to whatever drive you are using to host your bootblock + data file

3.BLK.B $14a8,0
means we add $14a8 of zeros after the bootblock [$14a8 + $400 = $18a8 (length of 1 track)]. We add this because we want to emulate the original disk
and like the original disk the data starts on track 1 ($18a8 = 1 track)

4. INCBIN "DF1:DATA"
Same as step 2 but this is loading all the data from the game



That is our disk image taken care of, now we have all our data loaded into memory, we need to replace the diskloader with a memory loader
We have the diskloader's parameters ... remember them?
Length = D7
Load address = A5
Load track = memory location $28
MFM 68000
and we know where the tracklaoder starts on the bootblock
offset $120 ($50120)
and we also know the length of 1 track ($18A8)
Now we have all this information, writting a memory loader should be pretty simple
Our memory loader will use the following parameters
A0 destination address
A1 = Offset in memory to laod from
D1 = length (amount of data to move)
now lets start writting our memory copy routine



BOOTL: ;Name of our routine MOVEM.L d0-a6,-(a7) ;Save regs on stack
MOVE.L A5,A0 ;Move Data Destination address from A5 to A0 MOVE.W $28,D0 ;Move the start track number from $28 to D0
MULS #$18A8,D0 ;Multiply the start track by $18A8
MOVE.L d0,a1 ;Move the new start track data to A1
MOVE.L #$80000,d3 ;Place an amount of 80000 in d3
ADD.l d3,A1 ;Add this big amount to the new start data in a1
MULS #$18A8,D7 ;Multiply the length in d7 by $18a8
MOVE.L D7,D1 ;Move the new length data to D1
COPYDATA:MOVE.B (A1)+,(A0)+ ;Start copying
SUBQ.L #1,D1 ;Subtract from length in D1 BNE COPYDATA ;Loop this copying process untill D1 is empty
MOVEM.L (a7)+,d0-a6 ;Restore regs fro mstack RTS ;Return to main program
BOOTLE:
;End of our routine

First we save all reg data to the stack (because we are going to play with them and want to return them safely once done)
MOVEM.L d0-a6,-(a7)
next we move the load address (destination address) from A5 to A0
MOVE.L A5,A0
next we move the start track data from low down in memory location $28 and save it nicely in reg D0
MOVE.W $28,D0
Now we must multiply this by the length of 1 track...why? well if our disk image starts at memory $80000 onwards..
MULS #$18A8,D0 .
and if the game wants to load from say track 12, we have to find out where in memory this would be
12 x 18a8 = 1BBD0
so we need to tell our memory loader to read from offset 1BBd0 (if it wants to load track12)
now we move our freshly multiplied digits to A1 and Add 80000 to them. We add 80000 because this is where our image starts
MOVE.L d0,a1
MOVE.L #$80000,d3
ADD.l d3,A1

If we wanted to load from track 12 ...80000+1BBD0 = start reading from memory location 9BBD0
Next we need to write a small copy memory routine to overwrite the trackloader on the bootblock and execute the bootblock to start the game loading


               

LEA BOOTLOADER(PC),A0
LEA $80120,A1
MOVE.L #(BOOTLOADEREND-BOOTLOADER),D0
REPLACELOADER: MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER JMP $8000c

Point to the start name of the memory we want to copy,A0


LEA BOOTLOADER(PC) ;A0 Points to the ;source address of our code
LEA $80120,A1 ;A1 Points to the ;destination address of our code

Get the length of this whole routine (start to finish) then place it in D0

		 MOVE.L	#(BOOTLOADEREND-BOOTLOADER),D0

Do the copy process in a loop untill the length has been used up

		REPLACELOADER:	MOVE.B (A0)+,(A1)+	;Move from source to dest
DBF D0,REPLACELOADER ;loop until D0 is empty

Jump to execute the bootblock and start the game

		JMP $8000c 


Now let us put all these together in one big source file, put the 'overwrite' source first, then the memory loader, and finally we load all the data from disk into memory
so it should end up looking like this

               ;Memory image loader by Musashi9

LEA BOOTLOADER(PC),A0
LEA $80120,A1
MOVE.L #(BOOTLOADEREND-BOOTLOADER),D0
REPLACELOADER: MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER JMP $8000c ;===================================================================== BOOTLOADER:
MOVEM.L d0-a6,-(a7)
MOVE.W $28,D0
MOVE.L A5,A0
MULS #$18A8,D0
MOVE.L d0,a1
MOVE.L #$80000,d3
ADD.l d3,A1
MULS #$18A8,D7
MOVE.L D7,D1
COPYDATA: MOVE.B (A1)+,(A0)+
SUBQ.L #1,D1
BNE COPYDATA
MOVEM.L (a7)+,d0-a6
RTS
BOOTLOADEREND: ;===================================================================== ORG $80000
LOADER: INCBIN "DF1:BOOT" BLK.B $14a8
INCBIN "DF1:DATA"


;-------------------------------------------------------------------------------------

Ok once you have this source loaded into Asmone exit the edit mode (ESC) save and let us try and assemble it
(dont forget to save the source RAMLOADER.S
(make sure the disk with all the data files is in DF1: (or whatever drive you used in the source)
press A to assemble (you should see some information pop up and eventually something saying ready.
If everything has assembled without errors then we are free to execute our code
we do this using J command
so just type J and press enter :)

;---------------------------------------------------------------------------------------

Hmmmm the screen just goes black, and the drive in DF0: seems to be searching for something..hmmm this can mean 1 of 2 things
we failed to overwrite the diskloader on the bootblock somehow. or there is another diskloader for this game

if we did overwrite the bootblock diskloader, then when we need to enter AR and find out where in memory we are. We should not be anywhere above memory location 80000
so lets try that, Enter AR
and press D (disassemble command) this will tell us where the code is currently trying to execute)

ok so we seem to be around memory location $1626...hmm scroll down and examine this code some more
notice a MOVE.L #55555555,D3... where have you seen this before? hmm let me repost the screen shot from when we disassembled the bootblock

looks like a MFM mask to me... so we are in another trackloader? let us scroll upwards to see where this starts
hmm lok at $15D4 onwards... remember these?
LEA BFE001,A1
LEA BFD100,A2

Smells like the start of a trackloader to me

Hmm so this is another one that needs patching...hmm assuming the data isn't packed let us search for it in memory
All of our diskimage is still located at $80000 assuming the game didnt blank or overwrite it yet
hmm so with some quick math we should be abe to find out where in our disk image it should be.
What do we know so far hmmm....some game code was loaded to address $400.. We know the length but that is not important right now.
What else do we know...hmm we know it loaded from the original disk ..starting from hmm let me think what was the load parameter for the diskloader?
ah yes $4C and our diskimage starts at memory location $80000
and the second trackloader has an offset of 15D4
hmmmpff now get out you little Hex Calculator (windows has one)
$4C x tracklength (18A8) = 751E0
so let us add 751E0 to the start of the diskimage, also add the offset of the 2nd loader minus 400 because that is where the data started loading to.
We will use the M command to search hex memory
M 80000+751E0+15D5-400
we end up at diskimage location F63B4..double check it is the same with D command
D F63B4

Yes it is the same few lines of code.Great!!!
Hmmm now back to Asmone and load up our RAMLOADER.S because we need to change it, to accommodate our 2nd loader.
We only need to add a second memory overwritting routine

               ;Memory image loader by Musashi9

LEA BOOTLOADER(PC),A0
LEA $80120,A1
MOVE.L #(BOOTLOADEREND-BOOTLOADER),D0
REPLACELOADER: MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER LEA BOOTLOADER(PC),A0
LEA $f63b4,A1
MOVE.L #(BOOTLOADEREND-BOOTLOADER),D0
REPLACELOADER2: MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER2

JMP $8000c ;===================================================================== BOOTLOADER:
MOVEM.L d0-a6,-(a7)
MOVE.W $28,D0
MOVE.L A5,A0
MULS #$18A8,D0
MOVE.L d0,a1
MOVE.L #$80000,d3
ADD.l d3,A1
MULS #$18A8,D7
MOVE.L D7,D1
COPYDATA: MOVE.B (A1)+,(A0)+
SUBQ.L #1,D1
BNE COPYDATA
MOVEM.L (a7)+,d0-a6
RTS
BOOTLOADEREND: ;===================================================================== ORG $80000
LOADER: INCBIN "DF1:BOOT" BLK.B $14a8
INCBIN "DF1:DATA"

Please tell me you at least understand this one by now?
Well the 2nd overwritting routine is just a copy of the first but we change where to copy our ramloader to.
LEA $f63b4,A1
Now we place a second ram loader at the memory location (disk image) of our 2nd trackloader

Ok shall we try it again? hmm dont forget to save your source before assembling and executing
A
then once done
J
Hmm the first thing you will notice is the trackcounter on DF0: tracks back to zero,hmmm we need to find the little routine that does that and kill it...
but not now. We can do that later when we add our own trackloader
!!!! have you noticed the game has started to load!!!!!!

BUT :( damm it we have hit a green screen...so close yet so far :P

ok ok lets enter AR find out what is going on...Enter AR press D find out where we currently are in the game code
Hmm we seem to be stuck in a loop
`061D0 BRA 061D0
lets take a look at what got us here (todo that we look at the memory above this loop)
D 61D00 and scroll down

At address 061DE we have a TST.D0 (test D0 for a Zero). If it's not zero then carry on and do the green screen loop.
However if it is zero, then carry on with the game code.
Hmm ok i have seen this before in other games. It looks like a small error check for the original diskloader. If all data has been loaded correctly and no errors were found then put Zero in D0.
If there was an error then it puts something else in D0 to tell the game there has been an error and thus cause a green screen loop
Well there is one simple way to check this :) restart Asmone AGAIN!!!! hahahaha and put one simple line of code in our ram loader

Notice the MOVE.W #$0,d0 just before the RTS........?
What we are doing here is emulating the original loader to fool the game into thinking everything loaded fine. 'look, see, a Zero in D0..dont panic you stupid game!!!!!'
O k let's try this out (save source) assemble and execute!!!
A
J

Oo look its gizmo :)...carry on

Ooo nice Menu screen (if you are using Winuae there is a sound BUG..that slows down the game...So turn off the music!)

Sweet.... looks like we have the game totoally working from ram now

However we need to make sure we have the complete game.How? Well play it alot, finish levels ect.. find secrets make sure it all works without the need of the original disk Watch out for any disk activity
One tip is to train the game so you can scan every room and every level untill the end sequence...
One useful cheat for you, would be Remove collision detection ;)
Well ok i will give it to you since you have took the time to read this far :)
A 1BA6
NOP
NOP

This should help you get to Level 2 and beyond, eventually completing the game

So give yourself a slap on the back :) we now have a fully working game that no longer needs the original disk to play it
Now all we need to do is write everything back to a normal amiga floppy and replace the original trackloaders with our "nice new Amiga friendly give a copy of the game to your mates" type of trackloader


Final Crack

Now we have the game fully working without the original disk, its time to get the game working on a normal amiga dos disk
We do this in stages
1. Write a new loader
2. Patch old loaders to work with our new loader
3. Write a new bootblock to boot everything into place
4. write everything back to a normal dos disk and enjoy

Step 1 - Write a new loader
----------------------------

Well before we can start we need a place in memory to put our new loader.
We know from looking at the bootblock that there is very little space from the loader to game code (study the bootblock the trackloader starts at offset 120 but the code that calls it is only $100 bytes away 21e)
so we know for a fact we cant just go overwritting the old trackloader with our new loader because our new tracloader is twice that amount
hmmm so first we need to play the game one last time from the original and hunt for at least 250 bytes of space
a good place to start is around 100 area upwards, we know the first file gets loaded to 400 so lets test this area 100-400
boot the game and when the screen goes black enter AR and fill up this memory with 2's
O 22,100 400
take alook toe make sure it is all 2s
N 100

Ok now play the game for as long as possible keep checking this area thru out :)
hmm is it still the same? ok cool lets use this area for our new loader

Now we have a good location we can start to build our new loader
We know from all the previous MFM cracks that using Alpha Ones trackloader requires some parameters to be set
TRACKLOADER:
;---------------------
; D0 = bytes to read
; D1 = start track
; D2 = byteoffset on track
; a0 = loadadress
; a2 = mfm adress
;------------------
so all we have to do is take the parameters we have for gremlins and transform them into parameters for the new trackloader
well we already knwo the value for a2 = mfm adress dont we ...hmm well look up, its 68000
D7 holds the length
A5 holds the destination address
D1 holds start track
So thats all we need, with D2 we need to recalculate because the orignal loader doesnt cover offsets but our new one does, but that is no big deal


move.l #$68000,a2 we already know this
muls.w #$18a8,d7
multiply D7 by track length which is 18a8
move.l d7,d0
then we move the new value to D0
move.l a5,a0
move the destination address to A0
move.w $28,d1
move the start track to D1
muls.w #$18a8,d1
again we muliply it by the track length
move.l d1,d2
copy it over to D2
divs #$1600,d1
now we divide this by the length of a dos track
muls.w #$1600,d1
and then multiply it by the same length
sub.l d1,d2
now we subtrack this new data from the original to give us the track offset
divs #$1600,d1
dont forget to re-divide D1 to get the start track for dos tracks
lea $dff000,a6
needed for the trackloader
incbin "df0:trackloaderpro.bin"
the trackloader

and this is our new loader which we will place at address 100 and patch all the old loaders to jsr to 100

ok now its time to start writting our final crack source
we now have a new loader time to move onto step 2

Step 2- Patch the old loaders
------------------------------

load up asmone and start 'chip' and lots of it '111'
now let us write a new crack source
What we are doing here is write a new BootBlock + a patch to overwrite the old trackloaders
but for the first trackloader we want to add a copy routine aswell, to copy our new loader to address 100

              
;FINAL CRACK PATCH

**************************************
** patch trackloader1 with jsr $100
**
** + a jump to our 'copy trackloader**
** routine' which we place at 30400 **

**************************************


LEA PATCH1(PC),A0
LEA $80520,A1
MOVE.L #(PATCH1END-PATCH1),D0
CP: MOVE.B (A0)+,(A1)+
DBF D0,CP **************************************
** patch trackloader2 with jsr $100 **
************************************** LEA PATCH2(PC),A0
LEA $f63b4,A1
MOVE.L #(PATCH2END-PATCH2),D0
CP2: MOVE.B (A0)+,(A1)+
DBF D0,CP2
RTS ;===================================================================== PATCH1:
MOVEM.L d0-a6,-(a7)
JSR $30400
MOVEM.L (a7)+,d0-a6 PATCH2: MOVEM.l d0-a6,-(a7) JSR $100 MOVEM.L (a7)+,d0-a6 MOVEQ #$0,D0
RTS
PATCH2END: PATCH1END: ****************************************************
** Make a new BootBlock **
****************************************************
org $80000
boot: dc.b "DOS",0
dc.l 0
dc.l 0 ****************************************************
** This is our 'copy trackloader routine' + **
** using the trackdisk device we track in the old **
** Bootblock from disk offset 400 and jump to it **
****************************************************
lea crack(pc),a0
lea $30400,a2
move.l #(crackend2-crack)-1,d0
copycode: move.b (a0)+,(a2)+
dbf d0,copycode
move.w #$02,$1c(a1)
move.l #$30000,$28(a1)
move.l #$400,$24(a1)
move.l #$400,$2c(a1)
jsr -$1c8(a6)
jmp $3000c

crack:
movem.l d0-a6,-(a7)
lea trackloader(pc),a0
lea $100,a2
move.l #trackloaderend-trackloader,d0
copy: move.b (a0)+,(a2)+
dbf d0,copy
movem.l (a7)+,d0-a6
rts

****************************************************
** Include our new trackloader **
****************************************************
trackloader:
move.l #$68000,a2
muls.w #$18a8,d7
move.l d7,d0
move.l a5,a0
move.w $28,d1
muls.w #$18a8,d1
move.l d1,d2
divs #$1600,d1
muls.w #$1600,d1
sub.l d1,d2
divs #$1600,d1
lea $dff000,a6
incbin "df0:trackloaderpro.bin"
trackloaderend: crackend:
blk.b $19c,0
****************************************************
** Include the old BootBlock **
****************************************************
incbin "df0:boot"
blk.b $10a8
****************************************************
** Include the Game data **
****************************************************
incbin "df0:data"

Assemble this and then execute it with a J hmm wait wait i forgot to dissable the MOVE BACK TO TRACK ZERO routine
hmm im to lazy to explain where to find it so just add this to the source
after
CP2: MOVE.B (A0)+,(A1)+
DBF D0,CP22

add
Move.l #$4e714e71,$f628a
hmm ok assemble and execute with J
Now everything should be patch, we should have a new bootblock at 80000
plus the old bootblock at 80400 plus all the game data after that
PHEW!!!!!!
now time to write back to a nice new blank disk
WT
RAM PRT:$80000
DISK PRT>0
LENGTH>160
and dont forget the bootblock checksum
type
CC
now reboot and enjoy





FileDownload: Gremlins 2
Filesize: 0KB, downloaded 65 times
Powered by the best online Amiga mod player: FLOD


Some more you may like:
Oracle - Gremlins 2

Comments

Leave a Comment!

Name:
: Use this calculator
Your comment will be available for editing for 10 minutes
2006-07-11 21:07
Avatar

1. codar writes

Incredible stuff, very interesting to read.
reply
2006-07-17 00:53

2. DLFRSILVER writes

Really great musashi ^^

may you try Cannon fodder in french or even BAT in french ?

they are MFM and NEVER cracked... hehehe
reply