F/A-18 Interceptor

Hits: 7794

Password

More
Tags
Category: TutorialsAmigaCrackingNovella
Author: scenex
Submitted by: scenex
Date: 2004-06-24 00:07
No tags

F/A-18 Interceptor (1988) Intellisoft

----------------------------------------------

?

?

We need:

?

1. Original Disk or CAPS Image of F/A-18 Interceptor

2. Amiga or WinUAE Emulator

3. Action Replay Cartridge or ROM

?

?

Make a copy of the disk, and you'll notice the disk itself is not protected.

So it will probably be a manual based protection.

?

Lets start the game.

?

?

After the title screen you'll be prompted to choose a mode, lets press '5' for

'Qualification: Required For Missions'. Alright now comes the interesting part.

You're asked to enter the 'Security Countercode '.

Which we have since we bought the original game, but wouldn't it be nicer if

we could just skip this annoying part?

?

?

Ok, lets enter a 4 digit code assume '2466', don't hit enter yet (sometimes it

accepts 3 digit codes as well). Go into Action Replay. Now we gonna search

through the memory for our entered value.

?

F "2466"

?

In my case it found the value at address 05CC7B, this value may differ from

yours . Use your values from now on. Now we gonna search for all positions

which may try to read or manipulate our value where our entered code resides.

?

FA 05CC7B

?

After 4 results hit ESC.

?

?

0323FA LEA ? ? ? 0005CC7B ,A3

03C8B6 LEA ??? 0005CC7B ,A0

049F02 ? LEA ??? 0005CC7B ,A3

04A094 ? LEA ??? 0005CC7B ,A0

?

Since we found more than one possible address we gonna put breakpoints on

each of these addresses to analyze the behavior of the game. As before the

addresses may be different on your Amiga.

?

BS 0323FA

BS 03C8B6

BS 049F02

BS 04A094

?

Ok now exit Action Replay with 'x'.

When back in our flight simulator, hit enter to confirm our previously entered code.

What's this?

We're back in AR, our first breakpoint 0323FA was triggered.

Let's exit AR again with 'x'.

Once again it jumps back in AR again, this time at breakpoint 03C8B6.

Exit AR again, the game gives us another chance to enter the right code,

but before we even can react, the AR breaks this time at breakpoint 049F02.

Ok exit once more enter the first letter and the same thing is happening.

Right, exit AR the last time. Now you can enter the letters,

without getting kicked back in AR every time.

Enter 3-4 letters (certain codes are just 3 letters long, experiment with it).

As soon as you entered enough letters to be recognized by the game as an code

or you hit enter to confirm your code, the AR breaks again at breakpoint 03C8B6.

?

This should be enough of analyzing, so seems like the second breakpoint 03C8B6 is the

important one. Which decides whether we're allowed to play the game or not.

?

Let's check out what's going on at 03C8B6

?

D 03C8B6

?

?

Scroll down a few lines, you'll notice we're in a subroutine due following line

?

03C8DE RTS

?

Your attention on:

?

03C8CE CMP.B ??? (A0 )+ ,D0

03C8D0 BNE ??????? 0003C8E0

...

...

03C8DE RTS

==========================

03C8E0 MOVE.B ? # FF,0005CD3C

?

?

Alright when our entered code is not correct it will jump to line 03C8E0, which will start the

check routine all over. Although just for 3 times and then the game locks up.

?

We need the opcodes for the instruction at 03C8D0, note them on a paper.

?

M 03C8D0 ;gives us 66 0E 51 C9 FF F6 13 FC 00 01 00 05 CD 3C 4E 75

?

Lets try to NOP out the instruction at 03C8D0, with that we'll force the game to execute the

instruction at 03C8DE and thereby exiting the subroutine and continue the flow of the game.

?

A 03C8D0 ;hit enter, enter NOP, hit enter twice.

?

Exit AR, wow the protection check is no more and were sitting in the cockpit, but no time for playing now =)

We need to make it permanent, since the game seems not to be packed, we can make it the easy way.

?

First check out the disks structure by typing 'DIR' in AR.

?

?

?

We see there's the game file called 'F-18 Interceptor'. Ok let's load the file into memory at 060000.

?

LM F-18 Interceptor, 060000

?

It says 'Loading from 060000 to 0B0DE0' remember these values.

Ok now we gonna search for that opcodes string I told you to note on a paper.

?

F 66 0E 51 C9 FF F6 13 FC ,060000 ; just enter the first 8 bytes, this should be enough

?

Hit ESC after the first address found, It gives us the address 07CE60.

Let's see if it's the instruction we have to NOP out.

?

D 07CE60

?

It says 07CE60 BNE ??? 0007CE70

?

Great, enter

?

A 07CE60 ; hit enter, enter NOP, hit enter twice

?

Now we got our loaded game file patched, but it's still in memory not on disk.

Delete the existing 'F-18 Interceptor' on disk.

?

DELETE F-18 Interceptor

?

Write back our patched version to disk

?

SM F-18 Interceptor, 060000 0B0DE0

?

?

Alright let's try our work out. Reboot Amiga, start F/A-18 Interceptor.

Enter anything at code prompt, cool it works!

Hit F10 to start Afterburner, lean back and enjoy your flight =)

?

?

?

scenex ? June 2004

Powered by the best online Amiga mod player: FLOD


Some more you may like:
Unit A - InterceptorTrilogy & 7upCrew - Interceptor

Leave a Comment!

Name:
: Use this calculator
Your comment will be available for editing for 10 minutes
No comments yet