Submitted by: Rob
Date: 2004-08-03 22:43
© Flair Software
You will need following:
1. Original game (find it on romshare.com)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Some experience in using AR
First of all, this game needs 1 MB of CHIP memory: not slow or fast, but CHIP.
Start by making a copy of the original game disks. Both disks seem to be fine.
The protection is probably a Novella (a manual/codeword check).
From now on, we will only use our copy of the game. Boot the game, skip the animations and press start at the title screen.
When prompted, insert disk 2. A moment later you'll see this screen:
Hmmm. If you have the manual, you should stop reading now.
Enter AR and hit 'D', you'll see something like this:
Ok, we are in the 7C000 area. Let's find out where this starts. If we're lucky, it starts at address 7C000. Search for
jumps into this address by typing 'FA 7C000'.
It will return one address: 29770. Notice that it does a 'JSR', so maybe the protection is a subroutine, which can be
totally bypassed. Write down address 7C000. Disassemble address 29770; when you reach the bottom of the screen,
scroll back up with cursor up until you see this:
Notice address 296E6, it looks like the start of 'something'. This something will call the protection and, after that,
start the game. Let's see if anything jumps into this address, see pic:
Address D5914 jumps to 296E6, so the main loader is probably located in the D5900 area.
Write this address down too (296E6); it might come in handy later. Reboot the game; when you're prompted to insert disk 2, enter
AR, assemble address 7C000 and insert an 'RTS', exit and start the game, see pic:
After a while this screen will appear:
It's the game! So this means that we can bypass the whole protection. That was the easy part; the hard part is making
this permanent. This game is packed with some unknown packer or changed crunch IDs, so we will have to make a patch
which inserts an 'RTS' at address 7C000 after the protection has been depacked.
Start by ripping the main loader. It's located on tracks 01-06; read them out with 'RT 2 0C 30000'.
Remember the last address you wrote down, 296E6? Good. Find signs of jumps into this address, beginning the
search at address 30000. See pic:
Change the 'JMP 296E6' to 'JMP C0', see pic above. We will put our patch at this address. Our patch will insert
the 'RTS' at address 7C000 and then jump back into the game at address 296E6. Write the tracks back with 'WT 2 0C 30000'.
Now we must find a suitable place on disk for our patch. The best would be to find some spare 'room' inside the loader,
but there is none, so we leave this option.
The next option is to find some free disk space and put it there. A good place would be the bootblock; there is plenty
of space. Read the bootblock into memory: 'RT 0 70000'.
From address 700C0 onwards is free. Yes, yes, I know, the Copylock/RNC thing... I don't think this game is
Copylock protected; it only uses the RNC loading system. If I'm wrong, then you're just going to have some more fun...
Ok, assemble address 70200 and insert this code:
That was our patch. The next problem is getting it into memory. Let's add a little track-loader routine, loading our patch
into memory starting at address C0.
Assemble address 7000E and insert this code:
Assemble address 700C0 and insert this code:
You can't assemble line 700DE with AR, so type 'M 700DE', hit enter, and insert the opcode you can see on the
When done, correct the bootblock checksum with 'BOOTCHK 70000'.
Write the bootblock back with 'WT 0 1 70000'. Reset and see what happens.
It works of course !
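The tutorial's own listings for the patch and the bootblock loader exist only in the screenshots, so the following is an added example, not the author's code: it performs the same steps offline in Python against an ADF image, which is how you would check the patch before writing tracks back in AR. Everything it assumes comes from the text above: the loader sits on AR tracks 2-13 (cylinders 01-06, i.e. 'RT 2 0C'), the protection entry is $7C000, the game continues at $296E6, the patch runs from $C0 and is stored at bootblock offset $200, and an AR track number n maps to byte offset n*5632 in the ADF. The bootblock track-loader that copies the patch to $C0 is not reconstructed; the sample disk image is constructed, not the real game.

```python
"""Offline version of the Novella bypass described above (added example).

Assumptions, all taken from the tutorial: protection entry $7C000, game
continuation $296E6, patch at $C0 (stored at bootblock offset $200), loader on
AR tracks 2..13. The bootblock track-loader itself is NOT reconstructed here.
"""
import struct

TRACK_BYTES = 11 * 512          # one DD track; AR track number = cylinder*2 + side
BOOTBLOCK_BYTES = 1024          # the part covered by AR's BOOTCHK

PROT_ENTRY = 0x7C000            # JSR target found with 'FA 7C000'
GAME_ENTRY = 0x296E6            # the 'something' that calls the protection
PATCH_ADDR = 0xC0               # where the bootblock loader puts the patch
PATCH_DISK_OFS = 0x200          # 70200 - 70000 (free area of the bootblock)

OP_RTS = 0x4E75
OP_JMP_ABSL = 0x4EF9            # jmp (xxx).l
OP_MOVEW_IMM_ABSL = 0x33FC      # move.w #imm,(xxx).l


def jmp_absl(target):
    """Encode 'jmp target.l'. Always 6 bytes: if an assembler shortens 'JMP C0'
    to the 4-byte 'jmp xxx.w' form, the two leftover bytes corrupt the loader."""
    return struct.pack(">HI", OP_JMP_ABSL, target)


def build_patch():
    """move.w #$4E75,$7C000 ; jmp $296E6 -> stub the protection, resume the game."""
    return struct.pack(">HHI", OP_MOVEW_IMM_ABSL, OP_RTS, PROT_ENTRY) + jmp_absl(GAME_ENTRY)


def redirect_jump(loader, old_target, new_target):
    """Replace every 'jmp old_target' in the ripped loader with 'jmp new_target'.
    Returns (patched_bytes, number_of_sites)."""
    old, new = jmp_absl(old_target), jmp_absl(new_target)
    n = loader.count(old)
    if n == 0:
        raise ValueError("jmp %06X not found: wrong tracks, or code still packed" % old_target)
    return loader.replace(old, new), n


def bootblock_sum(bb):
    """Amiga bootblock sum: 256 longwords added with end-around carry."""
    s = 0
    for (v,) in struct.iter_unpack(">I", bb[:BOOTBLOCK_BYTES]):
        s += v
        if s > 0xFFFFFFFF:
            s = (s & 0xFFFFFFFF) + 1
    return s


def fix_bootblock_checksum(bb):
    """Same job as AR's 'BOOTCHK': checksum longword at offset 4 is the
    complement of the sum of everything else."""
    bb = bytearray(bb)
    bb[4:8] = b"\0\0\0\0"
    bb[4:8] = struct.pack(">I", (~bootblock_sum(bb)) & 0xFFFFFFFF)
    return bytes(bb)


def bootblock_ok(bb):
    """A valid bootblock sums to $FFFFFFFF with the checksum in place."""
    return bootblock_sum(bb) == 0xFFFFFFFF


def apply_patch(adf):
    """Redirect the loader's jump, store the patch in the bootblock's free
    area, then fix the checksum (must be last: the patch is inside the block)."""
    adf = bytearray(adf)
    lo, hi = 2 * TRACK_BYTES, 14 * TRACK_BYTES          # 'RT 2 0C' / 'WT 2 0C'
    loader, sites = redirect_jump(bytes(adf[lo:hi]), GAME_ENTRY, PATCH_ADDR)
    adf[lo:hi] = loader
    patch = build_patch()
    adf[PATCH_DISK_OFS:PATCH_DISK_OFS + len(patch)] = patch
    adf[:BOOTBLOCK_BYTES] = fix_bootblock_checksum(bytes(adf[:BOOTBLOCK_BYTES]))
    return bytes(adf), sites


def make_sample_adf():
    """Constructed stand-in for the game disk: a blank 880 KB image with a
    'DOS\\0' bootblock and one 'jmp $296E6' inside cylinder 3 of the loader."""
    adf = bytearray(80 * 2 * TRACK_BYTES)
    adf[0:4] = b"DOS\0"
    site = 6 * TRACK_BYTES + 0x100
    adf[site:site + 6] = jmp_absl(GAME_ENTRY)
    return bytes(adf), site


if __name__ == "__main__":
    adf, site = make_sample_adf()
    patched, n = apply_patch(adf)
    print("redirected %d jump(s); bootblock checksum ok: %s"
          % (n, bootblock_ok(patched[:BOOTBLOCK_BYTES])))
```

Run it as a plain script (the file name is your choice). The two checks worth carrying back to the live AR session are the ones the functions enforce: the replacement 'JMP C0' must still occupy 6 bytes, and the bootblock checksum must be recomputed after the patch bytes are in place, not before.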
It was very hard to find a constant free memory location for the patch, since this game likes to 'spread its wings' in
memory. C0 is VERY low for A1200 users, but I have tested it on a REAL A1200 with and without accelerator and it worked fine.
I haven't done much playtesting with this game, so I don't know if there are more protection calls later in the game...
Dedicated to the sweetest girl on earth, Victoria