
password + auto-check in some versions

Category: Tutorials / Amiga / Cracking / Novella
Author: heavy
Submitted by: ?
Date: 2008-02-13 19:52
Flash Back (IPF 1736)
1992 Delphine Software

It's an AmigaDOS game with no disk-based protection. Start the game: it's a password protection.

Not really easy, because there are many ways to write a keyboard routine.
If you stop the game with Action Replay (AR) and disassemble, you land in a graphics routine every time...
but we do have the location of the program in memory (with 512K slow fast RAM the program is at $C0xxxx; the address could change).

AR break:
We can see the text "protection" on the screen. Perhaps we could find the text in memory? Or, since the code is 6 chars long, why not search for a cmpi.b #6 (opcode bytes 0C 39 00 06, or cmpi.w #6, cmp.b, ...):
f 0c 39 00 06,c00000 ; CMPI.B #6

Good results; combined with a search for the letters, we can see "P" "R" "O"... near the "cmp".
n c0f300

Each hit tests the same variable at C19252. In this case there are 2 test routines: one near C0F3D8 and another near C19168. (I skipped C168B0 because it does not test the same address.)

Here is routine 1:

Exit AR and type some letters.
Break and take a look at C38330: here are the chars. We have found the routine!
It's a loop testing the 6 chars.
At C0F3EA it's the end; it goes on to test the code (C0F466).
We can break the loop of 6 chars: put 2 NOPs (4E71 4E71) at C0F3E0.
Another cmpi.b #6 exists at C0F420: 2x NOP at C0F428.
Exit AR, press Return. That doesn't work.

We need to patch more.
Second test routine:

At C19170, put 2 NOPs.

That works. But the code is still checked.

The 2 test-code routines are at C0F466 and C191FE.
NOP the cmp result at C0F49A and C1922C: it loops over the 6 chars but never checks them ;)

The second protection at C191FE is the second password test near the end of the game, when you use the Teleporter.

Exit AR, press Return. OK!

At the protection screen, press Return without having to type 6 chars.

Now let's go with a disassembler to have the whole program and patch it.
Load the file "flashback" as binary (186 KB).
Search for cmp/protection, find the routines, and change the bytes.
Offsets (from the French version):
- 3BE0 first routine
- 3C28
- 3C9A second password test near the end
- D970 second routine
- DA2C

Save the patched file and reboot. Hmm... the screen stays black.
Take a look at the startup-sequence:
"endrun flashback"

flashback is launched with "endrun" (endrun loads flashback using LoadSeg).
If the program is patched, it stops !?! Strange... all cracked versions use an unmodified endrun (I don't know why. If
someone has an explanation, feel free).

So, don't use endrun; change the startup-sequence to: "flashback"
That works fine now.

How to verify whether another protection is hidden somewhere? Play the whole game ;)
You can use the already known level codes:
(French version)
mode Easy: back, loop, cine, good, spiz, bios, hall
mode normal : play, toit, zapp, linx, scsi, gary, pont
mode hard : clop, cara, cale, font, hash, fibo, tips
(English version)
mode Easy: wind, spin, kava, hiro, test, gold, wall
mode normal: fire, burn, eggs, gurt, chip, tree, bold
mode hard : mine, your, nest, line, lisa, mary, mice

Or search whether the program checks itself for modification (hmm... this kind of check should be done every time):
search whether the lines we nopped are tested somewhere:
C0F3E0 (off 3BE0), C0F49A (off 3C9A), C19170 (off D970), C1922C (off DA2C)

No results in the French version.
Some other versions exist: nothing more in the English version,
but a positive match for the German version:
the program compares the line C1922C (not at this address in the original file; based on the tuto version):
cmpi.l #$66000008,xxxx / beq xxxx ; ok...
$66000008 is the "bne xxxx" we nopped in test code 2!
Replace the BEQ by a (wonder) BRA = $60.
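As an added example (not code from the tutorial or the game): a small Python decoder for the 68000 encodings this tutorial searches for (CMPI.B #6, CMPI.L #imm, NOP, BRA/BNE/BEQ), plus a function mirroring the German version's self-check, which compares the longword at the password test's BNE against its original encoding $66000008. The byte sequences are constructed for the demo; C1922C appears only because the tutorial names it as the compared location.

```python
import struct

NOP = 0x4E71
BCC = {0x60: "BRA", 0x66: "BNE", 0x67: "BEQ"}   # opcode high byte -> mnemonic

def decode(code: bytes, off: int, base: int = 0):
    """Decode one instruction at code[off]; `base` is the load address of
    code[0]. Returns (text, length). Unknown opcodes come back as DC.W."""
    op = struct.unpack_from(">H", code, off)[0]
    if op == NOP:
        return "NOP", 2
    if op == 0x0C39:                      # CMPI.B #imm,abs.l: 0C39 imm16 addr32
        imm, addr = struct.unpack_from(">HI", code, off + 2)
        return f"CMPI.B #{imm & 0xFF},${addr:X}", 8
    if op == 0x0CB9:                      # CMPI.L #imm,abs.l: 0CB9 imm32 addr32
        imm, addr = struct.unpack_from(">II", code, off + 2)
        return f"CMPI.L #${imm:08X},${addr:X}", 10
    if op >> 8 in BCC:                    # Bcc: 8-bit disp in low byte, 0 = word follows
        disp, length = op & 0xFF, 2
        if disp == 0:
            disp, length = struct.unpack_from(">h", code, off + 2)[0], 4
        elif disp > 127:
            disp -= 256
        return f"{BCC[op >> 8]} ${base + off + 2 + disp:X}", length
    return f"DC.W ${op:04X}", 2

def disassemble(code: bytes, base: int = 0):
    """Linear sweep; enough for the short straight-line fragments here."""
    lines, off = [], 0
    while off < len(code):
        text, length = decode(code, off, base)
        lines.append(f"{base + off:06X}: {text}")
        off += length
    return lines

def self_check(code: bytes, off: int, expected: int) -> bool:
    """The German build's tamper test: the longword at `off` must still be
    the original instruction encoding ($66000008 = BNE with word disp 8)."""
    return struct.unpack_from(">I", code, off)[0] == expected

# Constructed fragment in the shape of the password test:
#   CMPI.B #6,$C19252 ; BNE +8 ; NOP ; NOP
ORIGINAL = bytes.fromhex("0C39 0006 00C1 9252 6600 0008 4E71 4E71")
BNE_OFF = 8
# The same fragment with the BNE overwritten by two NOPs (the patch the
# tutorial made at C1922C); the self-check exists precisely to notice this.
PATCHED = ORIGINAL[:BNE_OFF] + bytes.fromhex("4E71 4E71") + ORIGINAL[BNE_OFF + 4:]
```

Calling `self_check(ORIGINAL, BNE_OFF, 0x66000008)` returns True and the same call on `PATCHED` returns False, which is the difference the German version's BEQ branches on.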

Test the full game. It seems ok now.

With the disassembler you can also find all the calls to the protection routines.
The first protection screen (the second one in this tuto) starts at offset D6C4 and is called only once: NOP the call at offset 8E8 (jsr $D694). Try... no more password at start!
Another advantage: with the third protection (in the German version), if you leave the second routine unchanged and only skip the call, the instruction check always succeeds. No need to find and patch it.

The "Teleport" protection (the first one in this tuto) is called 19 times! Which is the right one? If you NOP them all... the teleport doesn't work anymore. But it's not really a problem: no key needs to be pressed.



2008-02-14 18:31

1. Zebpro writes

I have finished my French version many times, and there is a protection check near the end.

Thanks for all those tuts !! :)
2008-02-14 18:52

2. heavy writes

Where "near the end"? What "protection check"? Password?
I can't find the same protection check in the French executable.
I'll search.
2008-02-14 19:07

3. heavy writes

Can you test with that version (download the file flashback and replace it)?
2008-02-14 19:53

4. demoniac writes

I was checking out the English version a few months ago. Like the French, there's a checksum protection around where you drop the bomb. The game will blackout if the checksum is incorrect.
2008-02-14 20:09

5. heavy writes

2 English versions exist. IPF 1163 v1.0 22.4.93 and IPF 1885 Retail: Delphine Collection. perhaps 2 french versions exist ?
2008-02-14 20:34

6. heavy writes

Or perhaps it's the famous cmpi.b #6 at C0F420 and NOP at C0F248: "Another cmpi.b #6 exists at C0F420 : patch it if used. 2x nop"
-> not used in the password protection, perhaps near the end.
Which level? 6, 5?
2008-02-14 21:12

7. Zebpro writes

Well, the protection I'm talking about near the end (bomb drop on the alien planet) is a password check. I don't really know which version was the one I used; it's the original one sold in France, the first one, as I bought it the day it was released.
2008-02-14 21:17

8. Zebpro writes

If I remember correctly, the password check was just before you activate the lift to go to the space ship and escape the planet before it blows up. Or maybe just before entering the screen where that lift is. It's really at the very end of the game, just before the final cut-scene. JOTD talks about it in the readme of his WHDLoad install for this game (first point on version 3.1).
2008-02-14 22:14

9. heavy writes

OK, I took a look at the WHDLoad code. It skips 3 password checks and 1 "checksum" (not really a checksum, an auto-check of the code to see if the code was modified, exactly what I discovered).
The third password check is called "Teleport test", and it's just what I said before about the third CMPI.B #6!
So this protection is skipped with my patch.
But unfortunately, I'm not really good at the end of the game. If you can test it.
2008-02-14 22:36

10. heavy writes

A little error: it's not the cmpi.b #6 line, but the second password test at C1922C. It's the teleport test.
2008-02-14 22:41

11. musashi9 writes

I remember the second password screen coming up when you try to use the teleport device.
Try skipping to a level where you have the teleport (pink slime level?) and use the teleport; the second password screen should appear?
2008-02-14 22:54

12. heavy writes

I found it: it's when you use the Teleporter that the Protection screen appears.
And the patch works fine ;)
It wasn't the "checksum" protection. I'm happy :D
2008-02-14 22:56

13. heavy writes

Argl! Musashi9 posted just before me ;)
It's exact, and that works.
2008-02-14 22:57

14. DLFRSILVER writes

Just excellent !!! what a good tutorial :D
2008-02-16 10:18

15. heavy writes

ADDON: with a disassembler, you can find all the calls to the protection routines.
The first protection (the second one in the tuto) starts at offset D6C4 and is called only once: NOP at offset 8E8 (jsr xxx). Try... no more password at start!

The "Teleport" protection (the first one in the tuto) is called 19 times! Which is the right one? If you NOP them... the teleport doesn't work anymore.
2012-11-01 08:25

16. FireofTschernobyl writes

Hi, I was inspired by the FlashBack Crack Tutorial to look at the PC version of Flashback. There are different versions of the copy protection too. I found out that the German version also has the code checker cmpi.l #66000008,xxx principle implemented as a routine. So the game checks a whole block of code, and that 2 or 3 times. Also I found out that in the PC version you have to type something in the code box or the game will crash. So you have to deal with the game code check, the program code check and the check that you typed something in. Other versions, I think, do not have these difficulties. Referring to Amiga Flashback, I skipped the bad/good boy check with a jmp. Thanks for all the tutorials! I never found a better source of MFM tutorials.
2012-11-01 10:29

17. musashi9 writes

Cool, please feel free to write a tutorial on cracking the PC version. I will be happy to host it here.
2012-11-01 12:43

18. FireofTschernobyl writes

Sorry for my English, my own language is German. I wanted to make a comment about Flashback: the game and its protection are amazing on the Amiga and the PC. I can make a tutorial, but only if you make an MFM tutorial for Turrican 1. It is not in your tutorial list. That would be great!!!
2016-12-16 03:22

19. -TCB!- writes

That Turrican tutorial is now there :)
2016-12-15 13:18

20. morpa writes

Download doesn't work
2016-12-15 15:19

21. musashi9 writes