Submitted by: musashi9
Date: 2004-09-02 00:33
© Electronic Arts
You will need following:
1. Original game (find it on emunova.net)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. Every track copies fine, so this
is probably a novella (manual) protection.
Boot the game and press fire at the title screen. A few moments later, a screen like this appears:
Keep entering letters until this appears:
Enter AR and press D to disassemble the current PC. We are sitting at address 324C, which jumps to itself; in other words,
an endless loop.
Let's see what happens if we remove the JMP 324C. Assemble at address 324C, insert three NOPs (a JMP to an absolute long address is six bytes, the same as three two-byte NOPs) and exit AR.
The game starts! We will make a patch which writes three NOPs at address 324C.
Let's start by seeing what the boot block does. Read the boot block into memory with: RT 0 70000.
Disassemble from address 7000C and hold Enter down until you reach address 70172:
The instruction at 70172 jumps into the game. By this point the protection must already be loaded into memory. Now we have
to find a place for our patch.
There is plenty of room in the file the boot block loads into memory. The file is located on tracks 64 to 66.
Read the tracks into memory: RT 80 6 30000. There is free space after the text "dos.library", so
let's choose address 37200. Assemble at this address and make a patch like this:
Write the tracks back with WT 80 6 30000. This patch writes three NOPs at address 324C and then jumps into the game.
We will change the JMP 3100 in the boot block to a JMP to our patch. We don't yet know what address our patch will be
loaded to, so reboot the machine and enter AR when the screen turns purple. Type N 3100 (where the main file is loaded to) and
hold Enter down until this appears:
See something new? That's right, our patch is located at address 4900. Let's load the boot block into memory and change
the JMP 3100 to JMP 4900. Read the boot block into memory, starting at address 70000: RT 0,70000
The JMP 3100 was located at address 70172. Assemble at this address and change it to JMP 4900 (see the picture above).
Correct the boot block checksum with: BOOTCHK 70000
Write the boot block back: WT 0 1 70000. Reboot the game and enter some letters at the protection screen.
If you want to bypass the whole protection instead, make this patch:
37200; MOVE.W #4E75,3708.S
37208; JMP 3100.S
This writes an RTS at the start of the protection routine, so the screen never appears. If you use this solution, the game will start in the
Dedicated to sweet sweet Victoria