Submitted by: Rob
Date: 2004-09-23 20:00
© Dinamic software
You will need following:
1. Original game - find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disks. Everything seems to be OK, so this
is probably a novella protection.
Boot the copy of the game. After a few seconds the protection screen appears (screenshot in the original):
Interesting. You have two tries. After the second one, the computer resets. Notice the "nice" way it's resetting: no
crashing or flickering power LEDs. This reset could be done by the RESET instruction.
Assuming you are on the protection screen, enter AR. The opcode for RESET is 4E 70, do a search for it: F 4E 70
AR returns four addresses. Disassemble the last one (see the picture in the original). Notice the RESET. If you scroll down to the bottom of the
screen and back up, you'll notice a LEA before the RESET. The reset routine probably starts at address 371F0.
The subroutine before the reset routine also looks interesting.
371D8; ADDQ.W #1,0003722A; adds one to address 3722A
371DE; CMPI.W # 2,0003722A; check if address 3722A = 2
371E6; BNE 371F8; if not, restart protection
371EA; if equal, jump to reset routine
This routine basically keeps count of how many tries you have. Let's see what calls this routine: FA 371D8.
AR returns one address: 371BE; BNE 371D8. Hmmm. BNE (branch if not equal) sounds interesting.
Remove the BNE by replacing it with two NOPs (see the picture in the original). Exit AR and choose something twice.
The game starts...
We can crack the game by inserting a NOP at addresses 371BE and 371C0; take note of this.
The protection is packed with a custom packer, so depacking is out of the question. We have to patch the protection
after it has been depacked.
Reboot the game and enter AR at the protection screen. The addresses we have been working with have all been in the 37000
area. The protection probably starts at address 37000.
Press R to see registers. Notice that A5 points to 37000.
Set A5 to 0: R A5 0.
We will check if anything jumps to address 37000. If any register points to the search address we will receive A LOT
of false references; that's why we set A5 to 0.
Check if anything jumps to address 37000: FA 37000
AR returns a lot of addresses. We are interested in the first jump, at address 8326. This address jumps to the protection
after it has been decrunched.
Let's alter the jump to the protection so it jumps to address 200 instead. We will then put a patch at address 200, which
will insert a NOP at addresses 371BE & 371C0 and then jump into the protection.
Remove any disks and reset computer. Enter AR at the Kickstart screen and insert COPY of game.
The game starts to read from track 0, so the jump must be located on one of the first tracks.
Read track one into memory, starting at location 70000: RT 2 2 70000.
Search for jumps to address 37000, starting at address 70000: FA 37000 70000.
The first JMP at address 7013E is our address. Assemble this address and change it to JMP 200.
Write track back: WT 2 2 70000.
We need a place on disk for our patch, and we need to add a track loader, so our patch will be loaded into memory.
A good place to look, is always the boot block. Read track 0 into memory, starting at address 30000: RT 0 2 30000.
See boot block with N 30000 and hit enter a few times.
Polly wants a cracker...
Let's put the track loader at address 30140 and our patch at address 30300.
Disassemble address 3000C and hit enter a few times. We do this to see start of boot block.
Take note of the first two lines, because we will alter them to call our track loader.
Assemble address 3000C and insert this code;
3000C; BSR 30140; call our track loader
30010; NOP; needed, to make addresses add up
30012; NOP; needed, to make addresses add up
Assemble address 30140 and insert following code:
30140; MOVE.W #2,1C(A1); command read (io_Command = CMD_READ)
30146; MOVE.L #100,28(A1); dest. address for data (io_Data)
3014E; MOVE.L #200,2C(A1); offset to read from (io_Offset)
30156; MOVE.L #200,24(A1); amount of data to read (io_Length)
3015E; JSR -1C8(A6); exec DoIO (LVO -456): performs the read request in A1
30162; MOVEA.L A1,A2; code from original loader
30164; MOVE.L #2,D1; code from original loader
3016A; RTS; returns to original loader
Address 3015E can't be assembled with AR. Insert the opcodes instead (see the picture in the original). Continue assembling at
The track loader is now finished. Assemble address 30300 and insert following code:
30300; MOVE.L #4E714E71,000371BE; insert NOP on address 371BE & 371C0
3030A; JMP 37000; jump to protection
Our changes to the boot block have invalidated its checksum, making it non-bootable. Correct this with: BOOTCHK 30000.
Write track back: WT 0 2 30000.
Boot game and choose any symbols.
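BOOTCHK works because AmigaDOS only accepts a boot block whose checksum field matches the block contents, so any edit to the boot code (like the BSR and NOPs above) has to be followed by recomputing that field. The following Python is an added example, not code from the tutorial or from Action Replay: it implements the standard AmigaDOS boot block checksum (the 256 big-endian longwords summed with end-around carry, the field at offset 4 counted as zero, and the one's complement stored back at offset 4), checks a block the way the ROM does, and repairs it the way BOOTCHK does. The boot block bytes are constructed for the example; the "DOS" signature, root block 880 and the RTS stub are sample content, and the patch applied is a made-up one-instruction edit.

```python
import struct

BOOTBLOCK_SIZE = 1024  # boot block = first two 512-byte sectors of track 0
CHECKSUM_OFFSET = 4    # longword at offset 4 holds the checksum


def bootblock_checksum(block: bytes) -> int:
    """Compute the checksum AmigaDOS expects at offset 4.

    All 256 big-endian longwords are summed with end-around carry
    (a carry out of bit 31 is added back into bit 0), the checksum
    field itself counting as zero, and the one's complement of the
    sum is returned.
    """
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly %d bytes" % BOOTBLOCK_SIZE)
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue  # the field is treated as zero while summing
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1  # end-around carry
    return (~total) & 0xFFFFFFFF


def verify_bootblock(block: bytes) -> bool:
    """True if the block carries the 'DOS' signature and a matching checksum."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def fix_bootblock(block: bytes) -> bytes:
    """Return a copy with the checksum field recomputed (what BOOTCHK does)."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


def sample_bootblock() -> bytes:
    """Constructed OFS boot block: 'DOS\\0', zero checksum, root block 880, RTS at 0xC."""
    head = b"DOS\x00" + b"\x00\x00\x00\x00" + struct.pack(">I", 880) + b"\x4E\x75"
    return head + b"\x00" * (BOOTBLOCK_SIZE - len(head))


def patch_and_repair(block: bytes, offset: int, new_bytes: bytes) -> tuple:
    """Apply a code patch; return (still_valid_after_patch, repaired_block)."""
    patched = bytearray(block)
    patched[offset:offset + len(new_bytes)] = new_bytes
    patched = bytes(patched)
    return verify_bootblock(patched), fix_bootblock(patched)


if __name__ == "__main__":
    blk = fix_bootblock(sample_bootblock())
    print("checksum: %08X  valid: %s" % (bootblock_checksum(blk), verify_bootblock(blk)))
    # Constructed patch: overwrite the RTS at 0xC with a NOP (4E71), as editing
    # the code at 3000C above would. The checksum no longer matches until repaired.
    still_valid, repaired = patch_and_repair(blk, 0xC, b"\x4E\x71")
    print("after patch valid: %s, after repair valid: %s"
          % (still_valid, verify_bootblock(repaired)))
```

The same routine is what a disk tool uses to tell a valid boot block from a corrupted or hand-edited one, which is why the tutorial's edited track 0 would refuse to boot until BOOTCHK rewrote the field at offset 4.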
There is an easier way to crack this...
Simply replace the jump to the protection with a RTS !!
Dedicated to the lovely Victoria