Submitted by: Rob
Date: 2004-09-21 01:59
© Electronic Arts
You will need following:
1. Original game (find it on emunova.net)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Byte Killer v1.3 (find it on amiga-stuff.com)
6. 1 blank disk
Note! Addresses AND register values may differ on your computer, due to different memory configurations.
Start by making a copy of the original game disks. Everything copies without errors, so this is probably a novella (manual lookup) protection rather than a disk protection.
Boot the copy of the game. After some loading, a screen similar to this appears:
Where should I know from?
Enter 111 as the answer and enter AR. We typed 111, and the ASCII code for "1" is 31, so search for those three bytes: F 31 31 31.
AR returns one address, C33276. This address holds whatever we type in.
Let's see what else references address C33276: FA C33276 C00000. AR returns six addresses. We are interested in
the second one, C33214. Disassemble this address and hit enter a few times.
Address C33220 looks interesting, since it compares A0 and A1 (the typed answer against the expected one). If they are equal, the BEQ at address C33222 lets the game continue.
Let's change the BEQ at address C33222 to a BRA, so the game continues no matter what we type in. See the picture above.
Exit AR and hit enter at the protection screen.
The game continues!
Enter AR again. We altered address C33222 from BEQ to BRA; take note of this and of the address.
The easy part is now over. The protection is located in a file which is packed with Pack-Ice. I can't find this cruncher
anywhere, so we have to patch the file instead.
Let's start by finding the decrunch routine. Pack-Ice's crunch ID is "Ice!", which as bytes is: 49 63 65 21.
Load the file lomain.ami into memory, starting at address 40000: LM LOMAIN.AMI,40000
The file now occupies addresses 40000 to 46FB0.
Search for the bytes, starting at address 40000: F 49 63 65 21,40000
AR returns one address, 450F0. Disassemble this address and hold enter down until the bottom of the screen is reached. Use
cursor up to scroll back up until this appears:
It seems the decrunch routine starts at address 450EA. Let's see what calls this address: FA 450EA 40000
AR returns two addresses; disassemble the second one and hit enter a few times.
When the game jumps into (A1) at address 44570, the protection has been decrunched. Let's take over this jump,
so it goes to address C0, where we will insert a patch. We have to put the JMP C0 at address 4456A, since JMP C0
(6 bytes) is four bytes longer than JMP (A1) (2 bytes); starting it at 4456A makes it end exactly where the JMP (A1) was.
Take note of addresses 4456A and 44570, and change address 4456A to JMP C0.
Save the file back to disk: SM LOMAIN.AMI,40000 46FB0.
Boot the copy of the game. Enter AR when the title screen appears. Assemble at address C0 and insert the following code:
C0; MOVEA.L 4C98,A1 ; original game code
C6; BRA C6          ; loop forever
This will cause the game to loop after the protection has been decrunched, instead of executing it.
Exit AR and start the game. The game loads for a while, and you'll see a little man on a motorbike driving out of your screen.
You should now have a black screen with no music. Enter AR and press D, then enter, then Esc.
You should be standing at the loop routine:
Press R to see the registers. The game jumped into whatever A1 pointed to, and A1 points to address C00000.
This means that I have slow memory and the game doesn't decrunch to an absolute address.
Hmmm, this makes it a bit more tricky, since A1 changes along with different memory configurations.
Remember that the BEQ in the protection was located at address C33222, and A1 points to address C00000.
If we add #33222 to A1, A1 points to the BEQ. We can then change the BEQ to a BRA and subtract #33222 from A1 again.
In this way the patch will work on all memory configurations.
Assemble at address C0 and insert the following code:
C0; MOVEA.L 4C98,A1   ; original game code
C6; ADDA.L #33222,A1  ; add #33222 to A1, so it points to the BEQ
CC; MOVE.W #60F6,(A1) ; write the BRA opcode word (60F6) over the BEQ at (A1)
D0; SUBA.L #33222,A1  ; subtract #33222 again, restoring A1 to its original value
D6; JMP (A1)          ; original game code: jump into the protection
D8; RTS               ; entry point for Byte Killer
Insert the disk with Byte Killer on it and save memory to disk as a file called cr: SM CR,C0 DA.
We need our patch to be loaded to address C0. For this purpose we'll use Byte Killer. With Byte Killer we can locate
our patch at address C0 and make it executable, so it can be started from the Startup-Sequence.
Boot the disk with BK on it and execute it.
Insert the parameters marked in RED, followed by enter:
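The two patches above, the JMP C0 written into lomain.ami at 4456A and the relocatable code saved as cr, worked through as an added Python example (this is not code from the tutorial). It encodes the few 68000 instructions involved, checks the byte arithmetic (instruction addresses C0, C6, CC, D0, D6, D8 and the save range C0..DA), applies the file patch to a constructed stand-in for lomain.ami, and simulates the run-time patch for two different values of A1. Assumptions not stated on the page: the 6-byte instruction at 4456A is MOVEA.L $4C98,A1 in its absolute-long form (inferred from the patch re-executing it and from the four-byte length difference), the original word at C33222 is 67F6 (a BEQ.S with the same displacement that 60F6 keeps), and the file image is constructed, not the real file.

```python
"""Added example, not from the tutorial: build the patch bytes and apply the file patch.

Assumed (see lead-in): the 6-byte instruction at $4456A is MOVEA.L $4C98.L,A1 and
the original word at $C33222 is $67F6 (BEQ.S with the same -10 displacement as the
$60F6 the tutorial writes).  The lomain.ami image below is constructed, not the real file.
"""
import struct

LOAD_BASE = 0x40000       # LM LOMAIN.AMI,40000
FILE_END = 0x46FB0        # last address of the loaded file
MOVEA_ADDR = 0x4456A      # MOVEA.L $4C98,A1 (6 bytes), assumed
JMP_A1_ADDR = 0x44570     # JMP (A1) into the freshly decrunched protection
PATCH_ADDR = 0xC0         # where Byte Killer places our code
BEQ_OFFSET = 0x33222      # $C33222 - $C00000: offset of the BEQ inside the decrunched block
BEQ_WORD = 0x67F6         # assumed original word (BEQ.S -10)
BRA_WORD = 0x60F6         # what the tutorial writes over it (BRA.S -10)


def be16(v):
    return struct.pack(">H", v)


def be32(v):
    return struct.pack(">I", v)


# Minimal 68000 encoders, only for the instructions the tutorial assembles in AR.
def movea_l_abs_long(addr, an):   # MOVEA.L addr.L,An  -> 2x79 + 4-byte address
    return be16(0x2040 | (an << 9) | 0x39) + be32(addr)


def adda_l_imm(imm, an):          # ADDA.L #imm,An     -> DxFC + 4-byte immediate
    return be16(0xD1FC | (an << 9)) + be32(imm)


def suba_l_imm(imm, an):          # SUBA.L #imm,An     -> 9xFC + 4-byte immediate
    return be16(0x91FC | (an << 9)) + be32(imm)


def move_w_imm_ind(imm, an):      # MOVE.W #imm,(An)   -> 3xBC + 2-byte immediate
    return be16(0x30BC | (an << 9)) + be16(imm)


def jmp_ind(an):                  # JMP (An)           -> 4ED0 + n
    return be16(0x4ED0 | an)


def jmp_abs_long(addr):           # JMP addr.L         -> 4EF9 + 4-byte address
    return be16(0x4EF9) + be32(addr)


def rts():
    return be16(0x4E75)


def build_patch():
    """Return the bytes saved with SM CR,C0 DA and the address of each instruction."""
    insns = [
        movea_l_abs_long(0x4C98, 1),  # C0  the original game code we overwrote with JMP C0
        adda_l_imm(BEQ_OFFSET, 1),    # C6  A1 -> the BEQ inside the decrunched protection
        move_w_imm_ind(BRA_WORD, 1),  # CC  BEQ becomes BRA, wherever the block landed
        suba_l_imm(BEQ_OFFSET, 1),    # D0  restore A1
        jmp_ind(1),                   # D6  original game code: jump into the protection
        rts(),                        # D8  entry point for Byte Killer: does nothing
    ]
    addrs, a = [], PATCH_ADDR
    for ins in insns:
        addrs.append(a)
        a += len(ins)
    return b"".join(insns), addrs


def sample_image():
    """Constructed stand-in for lomain.ami: zeros except the two instructions we care about."""
    img = bytearray(FILE_END - LOAD_BASE)
    off = MOVEA_ADDR - LOAD_BASE
    img[off:off + 8] = movea_l_abs_long(0x4C98, 1) + jmp_ind(1)
    return bytes(img)


def patch_loader(image, load_base=LOAD_BASE):
    """Replace the MOVEA.L at $4456A with JMP $C0.L, after verifying what is there."""
    off = MOVEA_ADDR - load_base
    expected = movea_l_abs_long(0x4C98, 1) + jmp_ind(1)
    if image[off:off + len(expected)] != expected:
        raise ValueError("bytes at $%X are not MOVEA.L $4C98,A1 / JMP (A1)" % MOVEA_ADDR)
    redirect = jmp_abs_long(PATCH_ADDR)
    # JMP abs.L (6 bytes) is four bytes longer than JMP (A1) (2 bytes): hence 4456A, not 44570.
    assert len(redirect) == JMP_A1_ADDR - MOVEA_ADDR
    out = bytearray(image)
    out[off:off + len(redirect)] = redirect
    return bytes(out)


def run_patch(mem, a1):
    """What the code at $C0 does at run time, on an {address: word} memory model.

    Adds the check the AR-assembled patch lacks: only write if the target really is the BEQ."""
    target = a1 + BEQ_OFFSET
    if mem.get(target) != BEQ_WORD:
        raise ValueError("no BEQ at $%X: different memory layout or game version" % target)
    mem[target] = BRA_WORD
    return a1                     # A1 is back to its original value; JMP (A1) follows


if __name__ == "__main__":
    code, addrs = build_patch()
    print("patch %02X..%02X: %s" % (addrs[0], addrs[0] + len(code), code.hex()))
    patched = patch_loader(sample_image())
    off = MOVEA_ADDR - LOAD_BASE
    print("file bytes at %X: %s" % (MOVEA_ADDR, patched[off:off + 8].hex()))
    for base in (0xC00000, 0x200000):     # slow memory vs. some other allocation
        mem = {base + BEQ_OFFSET: BEQ_WORD}
        run_patch(mem, base)
        print("A1=%06X: word at %06X is now %04X" % (base, base + BEQ_OFFSET, mem[base + BEQ_OFFSET]))
```

The check in run_patch is the one thing the patch assembled in AR does not do: the real code writes 60F6 to A1+33222 unconditionally, so if A1 ever points at a different build of the protection the write lands on some unrelated word. Comparing the target against the expected 67F6 first (or checking a few bytes around it) is cheap and turns a silent crash into a clear failure.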
Copy the file crack to your copy of the game and enter AR.
We have to modify the startup-sequence so it first loads our patch and then the game loader. Type M 30000 + enter
and insert the following bytes:
Save memory to disk as a file called startup-sequence in drawer S: SM S/STARTUP-SEQUENCE,30000 30012.
When our patch is executed from the startup-sequence, BK unpacks it and places it at address C0. BK then jumps to
address D8, which is an RTS, hence nothing happens and the game continues to load. When the game has decrunched the protection, the file we altered
jumps to our patch at address C0 instead of into the protection. Our patch modifies the protection and then jumps into it.
I have tested it on the following configs:
A500 2 MB Chip
A500 512K Chip + 512K slow
A500 512K Chip + 512K fast
A1200 2MB Chip
A1200 2MB Chip + 4MB fast
Dedicated to sweet sweet Victoria