Submitted by: Rob
Date: 2005-02-06 21:04
? Electronic Arts ?
You will need following:
1. Original game ? find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of original game disk. Everything seems ok, so this is probably not a disk-based protection.
Boot copy of game. After some loading, this screen appears:
IF you press space (don?t do it), a screen like this appears:
So this protection is manual based. Assuming you still are at the previous screen, enter AR.
Press D and hit enter a few times, something like in the picture above should appear. Let?s try to find start of this.
Address 846A could be start of the protection? Exit AR and press Space, the screen with the watch will appear. Enter
AR again and jump to address 846A with G 846A. Whats that? The screen with ? press space to continue ? appears again.
This must be beginning of the protection. We can?t just find the protection on disk and alter it, since it?s crunched. We?ll
have to find a way, to patch the decrunched data, before it?s executed.
Let?s see what calls the protection. Enter AR and type: FA 846A.
AR returns address 48F4. The call is a part of a file, that?s located in the 4800 area of memory. Let?s see if we can find
start of it. Disassemble address 4800 and continue until you reach bottom of screen, scroll back up and stop when this
? Reasonable ? code seems to start at address 4800, probably start of the file.
Restart game and enter AR when the ? Loading Please Wait ? txt appears. Scan memory for jumps to address 4800:
FA 4800. AR returns two addresses and address 1E10 is a JMP 4800.
Assemble address 1E10 and change the JMP 4800 to JMP 100. Assemble address 100 and insert a
MOVE.W #F,DFF180 and a BRA 108, see picture above.
When the game reaches address 1E10 it will jump to address 100, screen will flash blue once and game hangs.
When this happens, enter AR and disassemble address 48F4 to see if the protection call is decrunched.
Damm? not yet.
We took over a jump to 4800, so jump to address 4800 with G 4800. The game continues and after a while, you?ll see
another blue flash? Enter AR and disassemble address 48F4 again. Seems like we are a bit more lucky this time J
The JMP 4800 is located on track 1, disk1. Let?s change this to JMP 100 and put a patch at this address, that inserts a
? RTS ? in start of the protection. It?s a little tricky, because the same jump is used twice. Patch must not be executed
first time, it will then insert the ? RTS ? at the wrong time. We could find some ? unique ? code that appears only when
patch should be executed. If the code appears, patch is executed and if not, we just jump to address 4800.?
Let?s use some of the opcodes from the protection call, in our compare routine. See opcodes with M 48F4 and
write down opcodes, marked with red.
Remove all disks and reset. Enter AR when the Kickstart picture appears. Insert copy of disk 1 and read track 1 into
memory, starting at address 30000: RT 2 2 30000.
Search for the JMP 4800: FA 4800 30000. AR returns two addresses and only address 32510 is a JMP 4800.
Assemble address 32510 and insert a JMP 100. Write track back when done: WT 2 2 30000.
Next step is to find a place on disk for our patch and a way to get it into memory. It?s always good to take a look at the
boot block. Read track 0 into memory, starting at address 70000: RT 0 2 70000. See boot block with N 70000 + enter.
Ahh? Don?t worry, there is no copylocks in this game. Instead of altering original boot block to add a track loader, I
prefer to move it to another location on disk. Check offset 1600 with N 71600, to see if it?s empty.
Seems empty to me? Transfer original boot block to location 71600: TRANS 70000 70400 71600.
Assemble address 7000C (start of boot block code) and insert following code:
7000C; MOVE.W #2,1C(A1); cmd read
70012; MOVE.L #100,28(A1); destination address for data
7001A; MOVE.L #200,2C(A1); offset on disk to read from
70022; MOVE.L #200,24(A1); amount of data to read
7002A; JSR ?1C8(A6); I/O
7002E; MOVE.W #2,1C(A1); cmd read
70034; MOVE.L #60000,28(A1); destination address for data
7003C; MOVE.L #1600,2C(A1); offset on disk to read from
70044; MOVE.L #400,24(A1); amount of data to read
7004C; MOVEA.L 00000004.S,A6; EXEC
70050; JSR ?1C8(A6); I/O
70054; JMP 6000C; jump to 6000C / execute original boot block
You can?t assemble address 7002A & 70050 with AR, so insert the opcodes instead, see picture above.
The above code will first move $200 from offset $200 on disk into memory, starting at address 100. This is where we?ll
put the patch. After that, it moves the original boot block from offset $1600 into memory and executes it.
Assemble address 70200 and code the crack-patch:
70200; CMPI.L #846A31FC,48F8.S; check address 48F8 for opcodes 846A31FC (JSR to protection)
70208; BEQ 7020E; if above equal, branch to 7020E
7020A; JMP 4800.S; if not equal, jump to 4800.
7020E; MOVE.W #4E75,846A; insert RTS in start of protection, protection call will then simply return
70216; JMP 4800.S; jump to address 4800.
When game is booted, it will jump to address 100 instead of 4800. Patch then checks if the protection call appears,
It does not, so it jumps to address 4800. After some loading, address 100 is called again (remember that?), this time
the protection call appears and the branch is equal. It the branches to address 10E, that inserts a ? RTS ? in start of
protection and then jumps to address 4800. When the protection call jumps to address 846A, it meets a RTS and simply
When you have coded the patch, correct boot block checksum: BOOTCHK 70000 and write track back: WT 0 2 70000.
Filesize: 0KB, downloaded 54 times