Ski Or Die

Author: rob
Submitted by: musashi9
Date: 2004-09-02 00:33
Ski Or Die
© Electronic Arts
1990

You will need the following:

1. Original game - find it on emunova.net
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper

Start by making a copy of the original game disk. Every track seems to be OK, so this is probably a novella protection.
Boot the game and press fire at the title screen. A few moments later, a screen like this appears:

Keep inserting letters until this appears:

Enter AR and press D to see actual memory. We are standing at line 324C, which is jumping to itself. In other words, a loop routine.

Let's see what happens if we remove the JMP 324C. Assemble address 324C, insert three NOPs and exit AR.

The game starts! We will make a patch which will insert three NOPs from address 324C.
Let's start by seeing what the boot block is doing. Read the boot block into memory with: RT 0 70000.
Disassemble address 7000C and hold enter down until you reach line 70172:

Line 70172 jumps into the game. At this point, the protection must already have been loaded into memory. We have to find a place for our patch.
We have plenty of room in the file that the boot block loads into memory. The file is located on tracks 64-66.
Read the tracks into memory: RT 80 6 30000. We have room after the text "dos.library".

Let's choose address 37200. Assemble this address and make a patch like this:

Write the tracks back with WT 80 6 30000. This patch will insert three NOPs from address 324C and then jump into the game.
We will change the JMP 3100 in the boot block to JMP OUR PATCH. We don't know what address our patch will be loaded to, so reboot the machine and enter AR when the screen turns purple. Type N 3100 (where the main file is loaded to) and hold enter down until this appears:

See something new? That's right, our patch is located at address 4900. Let's load the boot block into memory and change the JMP 3100 to JMP 4900. Read the boot block into memory, starting at address 70000: RT 0,70000

The JMP 3100 was located on line 70172. Assemble this line and change it to JMP 4900, see picture above.
Correct the boot block checksum with: BOOTCHK 70000

Write the boot block back: WT 0 1 70000. Reboot the game and insert some letters at the protection screen.
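
What the BOOTCHK step recalculates, as an added Python example (not part of the original tutorial): the boot block checksum is the complement of the end-around-carry sum of the block's 256 big-endian longwords, stored at offset 4, so any edit to the block leaves the stored value invalid until it is recomputed. The sample block and all function names are constructed for illustration.

```python
import struct

BOOTBLOCK_SIZE = 1024      # two 512-byte sectors at the start of the disk
CHECKSUM_OFFSET = 4        # longword 1, right after the "DOS\0" disk type


def _sum_with_carry(block: bytes) -> int:
    """Add all big-endian longwords, feeding each overflow carry back in."""
    total = 0
    for (longword,) in struct.iter_unpack(">I", block):
        total += longword
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def expected_checksum(block: bytes) -> int:
    """Checksum the block should carry, computed with the field zeroed."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    zeroed = block[:CHECKSUM_OFFSET] + bytes(4) + block[CHECKSUM_OFFSET + 4:]
    return ~_sum_with_carry(zeroed) & 0xFFFFFFFF


def stored_checksum(block: bytes) -> int:
    """Checksum value currently written in the block."""
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]


def is_valid(block: bytes) -> bool:
    """True when the stored checksum matches the block contents."""
    return stored_checksum(block) == expected_checksum(block)


def make_sample_block() -> bytes:
    """Constructed sample: DOS disk type, checksum, root block 880, zeros."""
    body = b"DOS\x00" + bytes(4) + struct.pack(">I", 880)
    block = body.ljust(BOOTBLOCK_SIZE, b"\x00")
    csum = struct.pack(">I", expected_checksum(block))
    return block[:CHECKSUM_OFFSET] + csum + block[CHECKSUM_OFFSET + 4:]


if __name__ == "__main__":
    good = make_sample_block()
    edited = bytearray(good)
    edited[0x200] ^= 0xFF      # constructed edit: stored checksum no longer fits
    print(f"stored {stored_checksum(good):08X} valid={is_valid(good)}")
    print(f"edited valid={is_valid(bytes(edited))} "
          f"expected={expected_checksum(bytes(edited)):08X}")
```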

If you want to bypass the whole protection instead, make this patch:
37200; MOVE.W #4E75,3708.S
37208; JMP 3100.S
This will insert an RTS at the start of the protection, so it will never appear. If you use this solution, the game will start in the shop.

Dedicated to sweet sweet Victoria

Rob

Comments

2010-11-15 11:00

1. musashi9 writes

images fixed