Submitted by: Rob
Date: 2004-09-17 01:52
© U.S. Gold
You will need the following:
1. Original game - find on emunova.net
2. An Amiga or WinUAE
3. Action Replay or its ROM image
4. Pencil and paper
5. 1 blank disk
6. Pro-Pack v2.08 - find on amiga-stuff.com
Start by making a copy of the original game disks. Everything copies fine, so this
is probably a novella (manual-lookup) protection.
Boot the copy of the game. After a while a screen similar to this appears:
Press enter three times and you'll see a flashing red screen. Enter AR, press D to disassemble the current memory and
hit enter a few times. Depending on where in the routine you are, something like this should appear:
This routine makes the screen flash red. Address 4238 branches to address 4200, which is probably the start of the routine.
Press R to see registers. Notice that A3 points to address 4200.
We want to see what jumps to address 4200 (the flash routine). Before we do that, we have to set A3 to 0 or we will get
a lot of false references. Set A3 to 0: R A3 0; press enter.
Find what jumps to address 4200: FA 4200.
Address 95A looks interesting. Disassemble this address and hold enter down until you reach the bottom of the screen. Scroll
back up with cursor up until this appears:
The BNE at address 93C seems to skip past the jump to the loop routine. Let's see what happens if
we jump to address 960, as the BNE does. Type G 960 and press enter.
The game starts. Interesting...
Enter AR again.
At address 934 there is a BSR to address 1338; the protection routine probably starts there.
Let's crack this by removing the BSR 1338 at address 934 and the TST.B at address 938, and changing the BNE 960 at address 93C
to BRA 960.
Remove the disks from the drives and reset. Enter AR when the Kickstart picture appears.
The protection is crunched, so we have to decrunch it before any changes can be made to it.
It's located in a file which starts on track 0 and ends on track 10. Insert the copy of the game and read tracks 0 to 10 into memory,
starting at address 30000: RT 0 16 30000.
The crunch ID for ProPack files is "RNC". Search for those bytes (52 4E 43 is "RNC" in ASCII), starting at address 30000: F 52 4E 43,30000.
AR returns two addresses. The file starts at address 30800. The next RNC file starts at address 4CA00. If we save memory from
address 30800 to 4CA00, we know we have the whole file.
Insert the blank disk and save memory as a file called RNC: SM RNC,30800 4CA00. Copy ProPack to this disk too and
boot it. Type this in DOS to decrunch the file:
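As an added illustration (not part of Rob's tutorial), the signature search above only tells you where each "RNC" marker sits and uses the next marker as the end of the file. A ProPack container actually carries its own length and checksum in an 18-byte header, so a scanner can report the exact extent of each crunched file and discard stray "RNC" text that is not a container. The header layout (magic, method byte, big-endian unpacked and packed lengths, two CRC-16s, leeway and chunk count) and the CRC-16 variant are assumptions taken from public descriptions of the RNC format, not from this page; the disk image below is constructed, and the payloads are not real packed streams.

```python
import struct
from typing import List, NamedTuple

# Assumed RNC ProPack container layout (not stated on the page): a 3-byte "RNC"
# magic, a method byte (1 or 2), big-endian unpacked and packed lengths, a CRC-16
# of the unpacked data, a CRC-16 of the packed data, a leeway byte and a chunk
# count: 18 bytes in all, followed by packed_len bytes of packed stream.
RNC_MAGIC = b"RNC"
HEADER_FMT = ">BIIHHBB"                         # fields after the magic
HEADER_LEN = 3 + struct.calcsize(HEADER_FMT)    # 18


class RncEntry(NamedTuple):
    offset: int        # where the "RNC" magic sits in the image
    method: int
    unpacked_len: int
    packed_len: int
    packed_crc: int
    end: int           # offset one past the last packed byte


def crc16(data: bytes) -> int:
    """CRC-16 with reflected polynomial 0xA001, init 0, no final XOR (CRC-16/ARC);
    assumed to be the variant ProPack stores in its header."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def find_rnc_files(image: bytes) -> List[RncEntry]:
    """Scan image for RNC containers, like AR's F 52 4E 43 but with validation:
    a hit is kept only if its method byte is 1 or 2, its packed length fits
    inside the image and the packed CRC matches the payload that follows."""
    entries = []
    pos = image.find(RNC_MAGIC)
    while pos != -1:
        if pos + HEADER_LEN <= len(image):
            method, unpacked_len, packed_len, _unpacked_crc, packed_crc, _leeway, _chunks = \
                struct.unpack(HEADER_FMT, image[pos + 3:pos + HEADER_LEN])
            start, end = pos + HEADER_LEN, pos + HEADER_LEN + packed_len
            if method in (1, 2) and end <= len(image) and crc16(image[start:end]) == packed_crc:
                entries.append(RncEntry(pos, method, unpacked_len, packed_len, packed_crc, end))
        pos = image.find(RNC_MAGIC, pos + 1)
    return entries


def build_rnc(packed: bytes, method: int, unpacked_len: int) -> bytes:
    """Constructed test helper: wrap an arbitrary byte string in an RNC header.
    The payload is not a real compressed stream, so the unpacked CRC is left 0."""
    header = struct.pack(HEADER_FMT, method, unpacked_len, len(packed), 0, crc16(packed), 0, 1)
    return RNC_MAGIC + header + packed


# Constructed disk image: filler, container A, a stray "RNC" text string that is
# not a container, container B, and a container whose last payload byte has been
# corrupted so its packed CRC no longer matches.
FILLER = b"\x00" * 0x800
CONTAINER_A = build_rnc(b"constructed packed stream A" * 4, method=1, unpacked_len=300)
STRAY = b"\x00" * 0x100 + b"RNC\x00" + b"\x00" * 0x100
CONTAINER_B = build_rnc(b"constructed packed stream B" * 6, method=2, unpacked_len=1200)
_corrupt = bytearray(build_rnc(b"constructed packed stream C", method=1, unpacked_len=50))
_corrupt[-1] ^= 0xFF
CONTAINER_C_CORRUPT = bytes(_corrupt)
SAMPLE_IMAGE = FILLER + CONTAINER_A + STRAY + CONTAINER_B + CONTAINER_C_CORRUPT
OFFSET_A = len(FILLER)
OFFSET_B = OFFSET_A + len(CONTAINER_A) + len(STRAY)

if __name__ == "__main__":
    for e in find_rnc_files(SAMPLE_IMAGE):
        print(f"RNC at {e.offset:05X}, method {e.method}, packed {e.packed_len} bytes, ends at {e.end:05X}")
```

Run stand-alone it lists the two genuine containers and silently drops the stray text and the corrupted copy. The packed length in the header gives the exact end of each file, which is tighter than the "up to the next RNC marker" bound used in the tutorial and avoids carrying slack bytes along when the file is saved out.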
PROPACK U D RNC
After some time, you should have a new file called RNC.RNC. Enter AR and load it into memory: LM RNC.RNC,30000
The file is now located between 30000 and 63F8E.
We need to find the lines of code which call the protection. Remember the JMP 4200 to the loop routine?
Let's search for that jump: FA 4200,30000. AR returns address 3015A. Disassemble address 30100 to get the whole
Hopefully this looks familiar. Let's insert NOPs from address 30134 to 3013C and change the BNE 30160 at address
3013C to BRA 30160. This skips the whole protection and branches on into the game.
Assemble address 30134 and insert this code:
Note: if you don't want to skip the whole protection, insert a NOP at address 30BEC and don't change anything else.
This will cause the protection screen to appear, but it accepts whatever you type in.
Delete the files RNC and RNC.RNC to free some disk space.
Save memory back as a file called CRACK: SM CRACK,30000 63F8E. Exit to DOS and crunch the file:
PROPACK P D CRACK
You should now have a new file called CRACK.RNC. Insert the COPY of the game and enter AR.
Read tracks 0 to 10 into memory, starting at location 30000: RT 0 16 30000. Remove the game disk and insert the disk with the cracked
file. The file from disk started at address 30800. Load the cracked file into memory, starting at address 30800.
Insert the COPY of the game and write the tracks back: WT 0 16 30000.
Dedicated to sweet sweet Victoria