Submitted by: Rob
Date: 2005-02-26 19:48
Naughty Ones
Interactivision 1994
Created by Melon Dezign

You will need the following:
1. Original game - get it from your local supplier :)
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper

Start by making a copy of the original disk. All tracks seem OK, so we are probably not dealing with a disk-based protection.

Boot the copy of the game. After some loading, a screen similar to this appears:

If you have misplaced your manual, continue reading...

Enter something, let's choose "SIGNE". When done, DON'T press enter, but enter AR. Search through memory for the word "SIGNE": FS "SIGNE". AR returns address 1BE6E.

Let's see what the game does with this address: FA 1BE6E. AR returns three addresses. Disassemble 1BD08 and hit enter a few times:

Address 1BD08 moves what we typed in into A4. Address 1BD10 seems interesting: it compares what A4 points to with D0. If not equal, address 1BD12 branches to 1BD20, which subtracts 1 from the attempts counter.

Let's try to NOP out the BNE. Assemble address 1BD12 and insert a NOP:

Exit AR and press enter. The protection passes and the game continues... Take note of address 1BD12; it needs to be NOP'ed out.

The protection is located in a crunched file, so we can't just modify it on disk. We have to find the point where it has been decrunched but not yet executed. That way we can make a patch which inserts a NOP into the decrunched protection.

Read the boot block into memory, starting at address 70000: RT 0 1 70000. Disassemble address 7000C and hit enter a few times. This will show us what happens at boot start.

Let's follow the code. We have a BRA 70036 at 70020. Disassemble 70036 and hit enter a few times.

The interesting part is 70060 - 70074. This code moves a part of the boot block, starting from offset $7A, into memory starting at address 6F000, and then executes it.
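The Python script below is an added example and not part of Rob's tutorial. It imitates offline what the Action Replay steps above do by hand: FS (find a string in memory), FA (find absolute references to an address) and NOP-ing the BNE that branches to the "lose an attempt" code. The memory dump it searches is constructed here with hypothetical bytes laid out as the text describes (typed word at 1BE6E, compare loop at 1BD08..1BD20); it is not the game's real code. The check it adds, which AR does not do for you, is to confirm the word being overwritten really is a conditional branch and to use two NOPs when the branch has a 16-bit displacement.

```python
"""Added example, not from the original tutorial: FS / FA / NOP-the-BNE
over a constructed 68k memory dump (hypothetical bytes, not the game's code)."""
import struct

NOP = 0x4E71
BASE = 0x1BD00          # first address covered by the constructed dump


def be16(mem, off):
    return struct.unpack_from(">H", mem, off)[0]


def build_dump():
    """Constructed dump: hypothetical bytes in the layout the tutorial describes."""
    mem = bytearray(0x200)
    loop = (
        b"\x49\xF9\x00\x01\xBE\x6E"   # 1BD08  LEA 1BE6E,A4      A4 -> what we typed
        b"\x10\x18"                   # 1BD0E  MOVE.B (A0)+,D0   next char of the manual word
        b"\xB0\x1C"                   # 1BD10  CMP.B (A4)+,D0    compare with typed char
        b"\x66\x0C"                   # 1BD12  BNE.S 1BD20       mismatch -> lose an attempt
    )
    mem[0x08:0x08 + len(loop)] = loop
    mem[0x20:0x26] = b"\x53\x79\x00\x01\xBF\x00"  # 1BD20  SUBQ.W #1,1BF00 (hypothetical counter)
    mem[0x16E:0x173] = b"SIGNE"                   # 1BE6E  the word we typed
    return mem


def find_string(mem, needle, base=BASE):
    """FS: every address at which the string occurs."""
    hits, pos = [], mem.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = mem.find(needle, pos + 1)
    return hits


def find_address(mem, target, base=BASE):
    """FA: every word-aligned position holding a 32-bit absolute reference to
    target, which is what an abs.L operand looks like in big-endian 68k code."""
    pattern = struct.pack(">I", target)
    return [base + off for off in range(0, len(mem) - 3, 2)
            if mem[off:off + 4] == pattern]


def nop_conditional_branch(mem, addr, base=BASE):
    """Replace the Bcc at addr with NOP(s) after checking it really is one.

    Bcc.S is one word (0x6cxx, 8-bit displacement != 0).  Bcc.W has a zero
    8-bit field and a 16-bit displacement word, so it needs two NOPs or the
    displacement word would execute as an instruction.  BRA/BSR (cond 0/1)
    are rejected: removing them changes control flow, not a check.
    Returns the address the branch used to go to.
    """
    off = addr - base
    op = be16(mem, off)
    cond = (op >> 8) & 0xF
    if op >> 12 != 0x6 or cond < 2:
        raise ValueError("no conditional branch at %X (opcode %04X)" % (addr, op))
    disp8 = op & 0xFF
    if disp8 == 0:                                   # Bcc.W: 4 bytes
        disp = struct.unpack_from(">h", mem, off + 2)[0]
        struct.pack_into(">HH", mem, off, NOP, NOP)
    else:                                            # Bcc.S: 2 bytes
        disp = disp8 - 0x100 if disp8 & 0x80 else disp8
        struct.pack_into(">H", mem, off, NOP)
    return addr + 2 + disp                           # displacement is relative to PC+2


def crack(mem):
    """The tutorial's sequence: FS "SIGNE", FA on the hit, NOP the BNE."""
    hits = find_string(mem, b"SIGNE")        # -> [0x1BE6E]
    refs = find_address(mem, hits[0])        # -> [0x1BD0A], the operand of the LEA at 1BD08
    # From the disassembly starting at 1BD08 we read off the BNE at 1BD12, as the text does.
    target = nop_conditional_branch(mem, 0x1BD12)
    return hits, refs, target


if __name__ == "__main__":
    dump = build_dump()
    print(crack(dump))                       # ([114286], [113930], 114464)
```

FA returns the position of the reference itself, so the instruction that owns it starts a word or two earlier (here the LEA at 1BD08); that is why the tutorial disassembles from 1BD08 rather than from the returned address.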
Disassemble address 7007A and hit enter a few times:

We have a JMP 3000 at 700DE; this will appear in the 6F000 area of memory when the game is booted.

Reboot the game and enter AR shortly after it begins to load. Disassemble address 6F000 and stop when the "JMP 3000" appears. Set a breakpoint at address 6F064 (that is 6F000 + $DE - $7A, where the JMP ends up after the copy): BS 6F064. Exit AR and continue the game.

After some loading AR pops up when address 6F064 is reached. Try disassembling address 1BD12 to see whether the "BNE" we want to NOP out has been decrunched yet: D 1BD12. Seems not. Exit AR and continue the game. Enter AR again when the protection appears.

The "BNE" was at address 1BD12, so maybe the protection starts at address 10000. View memory with N 10000 and hit enter a few times. Interesting... And he's right...

Check what calls address 10000: FA 10000. AR returns address 31C4. This call must be part of the file starting at address 3000. So we could change the "JMP 3000" on the boot block to "JMP 100" and put a little crack patch there. The patch should first modify address 31C4 to jump to the second part of our patch, which inserts a "NOP" at 1BD12 and then jumps into the protection at address 10000. Take note of address 31C4.

Reboot the game, enter AR when it begins to load and insert a breakpoint at address 6F064 again.

When I was poking around in the code, I fell over the word "joshua" in the middle of the main file. A bit strange to put that here? But not really: if you type the word at the title screen, the screen flashes and you activate the game's built-in trainer. "joshua" appears at address 3352.

Perhaps the game uses some kind of compare routine to check if the word is typed in at the title screen. Let's see what happens with address 3352: FA 3352. AR returns address 331C. Disassemble this address and hit enter a few times.

The interesting address is 3336: if 3294 is set to 1, the trainer is on. Also notice 333E; this code makes the screen flash when the code is typed in at the title screen. If you follow the code a few steps further, it ends with an "RTS", so it's just a little subroutine. We could put a "JSR 3336" in our crack patch to activate the trainer, with some right or left mouse button check to disable or enable the trainer.

The next step is to find a place for our crack + trainer patch and a way to move it into memory. Read the boot block into memory, starting at address 70000: RT 0 1 70000. View memory with "N 70000" and hit enter some times.

The boot block seems pretty full, except $3C0 - $400. But this is not enough bytes for the patches plus the code to move them into memory. Continue holding enter down to check for some more free space:

Offset $800 seems free, so let's pick it for our patches. Assemble address 70800 and code the patches:

70800  MOVE.L #4EB90000,31C4   ; change address 31C4 to JSR 138 (first four bytes)
70808  MOVE.W #138,31C8.S      ; change address 31C4 to JSR 138 (last two bytes)
7080E  MOVE.W #F,DFF180        ; turn screen blue
70816  BTST #6,BFE001          ; check for left mouse
7081E  BEQ 7082C               ; if left mouse pressed, branch to 7082C and activate cheat mode
70820  BTST #A,DFF016          ; check for right mouse
70828  BEQ 70834               ; if right mouse pressed, branch to 70834 and start normal game
7082A  BRA 7080E               ; loop the above routine
7082C  JSR 3336.S              ; execute cheat mode
70830  JMP 3000.S              ; jump back to game, after cheat activated
70834  JMP 3000.S              ; jump to game, without cheat
70838  MOVE.W #4E71,1BD12      ; insert NOP at address 1BD12, crack game. This code will appear at address 138
70840  JMP 10000               ; jump into protection. This code will appear at address 140

When the game has loaded and decrunched the main file, we'll make it jump to address 100 instead of 3000. When the patch runs, address 31C4 is changed to "JSR 138". When address 31C4 is reached, the game jumps to our patch, which cracks the protection and then executes it. After address 31C4 has been patched, the screen turns blue and waits for the left or right mouse button to be pressed. If left is pressed, the game's own trainer is activated and the game started. If right is pressed, the game starts normally.

We'll now alter the "JMP 3000", located at $DE, to "JMP 100", see picture below.

We had some spare bytes at offset $3C0 on the boot block. Let's put a little track loader here to move our patch into address 100. But first we need to alter the original boot code so our loader is called. Assemble address 70036 and insert a "BSR 703C0" and a "NOP"; the "NOP" is needed to make the addresses add up. Assemble address 703C0 and code the track loader:

Address 703E2 can't be assembled with AR, so insert the opcodes instead. The loader will move $200 bytes of data into memory, starting at address 100; it loads the data starting from offset $800 on disk. At the end of the loader we restore the code removed from the original loader and then return with the "RTS".

Correct the boot block checksum if you would like the game to boot: BOOTCHK 70000

And finally write the boot block back: WT 0 1 70000.

If the trainer is activated, use "Return" to skip levels. You might also crack the game by simply removing the call to the protection routine at address 31C4. This of course requires that the protection doesn't mess with the game's memory...
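The Python script below is an added example and not part of Rob's tutorial or the AR session. It assembles the 70800 listing above with a small 68000 encoder for exactly the instruction forms the listing uses, checks that the resulting instruction addresses line up with the listing (which is how you notice that AR assembled 31C4, 3000 and 3336 as short absolute), and then installs the patch into a track-0 image the way the AR steps do: patch bytes at offset $800, the "JMP 3000" at $DE retargeted to 100, and the boot block checksum recomputed as BOOTCHK does. The track image is a constructed placeholder (only the DOS id and a JMP 3000 at $DE, assumed to be the six-byte abs.L form); the $3C0 track loader and the BSR at 70036 are not reproduced, since the page shows them only as pictures.

```python
"""Added example, not from the original tutorial: assemble the $800 patch,
verify its layout, and apply the disk edits (patch, JMP retarget, BOOTCHK)
to a constructed track-0 image."""
import struct

TRACK_BYTES = 11 * 512        # one Amiga DD track side, AR's RT unit
PATCH_OFFSET = 0x800          # where the patch lives on track 0
PATCH_LOAD = 0x100            # where the $3C0 loader puts it in memory
BOOT_JMP_OFFSET = 0xDE        # the "JMP 3000" in the boot block
BEQ, BRA = 0x7, 0x0           # 68k condition codes


def _ea_abs(addr):
    """Absolute addressing as AR assembles it: abs.W (mode 7/0) when the
    address sign-extends from 16 bits, else abs.L (mode 7/1)."""
    if addr < 0x8000:
        return 0b111_000, struct.pack(">H", addr)
    return 0b111_001, struct.pack(">I", addr)


def move_imm(size, imm, addr):
    """MOVE.W/.L #imm,abs  (size 'W' or 'L'); dst reg<<9 | dst mode<<6 | src imm."""
    sz = {"W": 0b11, "L": 0b10}[size]
    ea, ext = _ea_abs(addr)
    op = (sz << 12) | ((ea & 7) << 9) | ((ea >> 3) << 6) | 0b111_100
    immb = struct.pack(">H" if size == "W" else ">I", imm)
    return struct.pack(">H", op) + immb + ext


def btst_imm(bit, addr):
    """BTST #bit,abs: 0000 1000 00 <ea>, then the bit number word."""
    ea, ext = _ea_abs(addr)
    return struct.pack(">HH", 0x0800 | ea, bit) + ext


def jsr_abs(addr):
    ea, ext = _ea_abs(addr)
    return struct.pack(">H", 0x4E80 | ea) + ext          # JSR: 0100 1110 10 <ea>


def jmp_abs(addr):
    ea, ext = _ea_abs(addr)
    return struct.pack(">H", 0x4EC0 | ea) + ext          # JMP: 0100 1110 11 <ea>


def bcc_short(cond, pc, target):
    """Bcc.S: 8-bit displacement relative to the instruction address + 2."""
    disp = target - (pc + 2)
    if not -128 <= disp <= 127 or disp == 0:
        raise ValueError("displacement %d not encodable as Bcc.S" % disp)
    return struct.pack(">H", 0x6000 | (cond << 8) | (disp & 0xFF))


def assemble_patch(org=0x70800):
    """The listing from the text, assembled at org. Returns (code, addresses)."""
    out, addrs = bytearray(), []

    def emit(insn):
        addrs.append(org + len(out))
        out.extend(insn)

    def here():
        return org + len(out)

    emit(move_imm("L", 0x4EB90000, 0x31C4))     # 31C4: first 4 bytes of JSR 138 (abs.L)
    emit(move_imm("W", 0x0138, 0x31C8))         # 31C4: last 2 bytes of JSR 138
    emit(move_imm("W", 0x000F, 0xDFF180))       # COLOR00 = blue
    emit(btst_imm(6, 0xBFE001))                 # CIA-A PRA bit 6: left button (0 = pressed)
    emit(bcc_short(BEQ, here(), org + 0x2C))
    emit(btst_imm(10, 0xDFF016))                # POTGOR bit 10: right button (0 = pressed)
    emit(bcc_short(BEQ, here(), org + 0x34))
    emit(bcc_short(BRA, here(), org + 0x0E))    # poll again
    emit(jsr_abs(0x3336))                       # game's own trainer routine
    emit(jmp_abs(0x3000))
    emit(jmp_abs(0x3000))
    emit(move_imm("W", 0x4E71, 0x1BD12))        # NOP over the BNE; runs at 138
    emit(jmp_abs(0x10000))                      # into the protection; runs at 140
    return bytes(out), addrs


def simulate_31c4_rewrite():
    """What the first two MOVEs leave at 31C4..31C9: 4EB9 0000 0138 = JSR 138."""
    mem = bytearray(6)
    struct.pack_into(">I", mem, 0, 0x4EB90000)
    struct.pack_into(">H", mem, 4, 0x0138)
    return bytes(mem)


def bootblock_checksum(bb):
    """Amiga boot block checksum: 256 longwords summed with end-around carry,
    the checksum field at offset 4 counted as zero, result inverted."""
    total = 0
    for off in range(0, 1024, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", bb, off)[0]
        while total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def bootchk(bb):
    """What AR's BOOTCHK does: store the correct checksum at offset 4."""
    struct.pack_into(">I", bb, 4, bootblock_checksum(bb))


def bootblock_is_valid(bb):
    return bootblock_checksum(bb) == struct.unpack_from(">I", bb, 4)[0]


def retarget_jmp(track, off, new_target):
    """Change the target of the JMP abs at off without changing its size."""
    op = struct.unpack_from(">H", track, off)[0]
    if op == 0x4EF9:
        struct.pack_into(">I", track, off + 2, new_target)
    elif op == 0x4EF8:
        struct.pack_into(">H", track, off + 2, new_target)
    else:
        raise ValueError("no JMP abs at offset %X (opcode %04X)" % (off, op))


def build_track0():
    """Constructed placeholder track: DOS id, JMP 3000 at $DE (assumed abs.L), zeros."""
    track = bytearray(TRACK_BYTES)
    track[0:4] = b"DOS\x00"
    track[BOOT_JMP_OFFSET:BOOT_JMP_OFFSET + 6] = struct.pack(">HI", 0x4EF9, 0x3000)
    bootchk(track)
    return track


def install_patch(track):
    """The tutorial's disk edits: patch at $800, JMP 3000 -> JMP 100, BOOTCHK."""
    code, _ = assemble_patch()
    if len(code) > 0x200:
        raise ValueError("the $3C0 loader only moves $200 bytes")
    track[PATCH_OFFSET:PATCH_OFFSET + len(code)] = code
    retarget_jmp(track, BOOT_JMP_OFFSET, PATCH_LOAD)
    bootchk(track)
    return track


if __name__ == "__main__":
    code, addrs = assemble_patch()
    ends = addrs[1:] + [addrs[0] + len(code)]
    for a, nxt in zip(addrs, ends):
        print("%05X  %s" % (a, code[a - addrs[0]:nxt - addrs[0]].hex()))
    print("boot block valid:", bootblock_is_valid(install_patch(build_track0())))
```

The address check is the useful part: if the encoder picked abs.L for 31C4 the listing would drift by two bytes from 70808 on, and the BEQ/BRA targets copied from the listing would then point into the middle of instructions. Keeping the JMP's size in retarget_jmp matters for the same reason, since the boot code after $DE must not move.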
And now... Musashi9 suggested putting a cracktro on. Well, isn't that a nice idea! Musashi9 has done a GREAT job in "transforming" an Anthrox cracktro into a Flashtro cracktro. Find it here: cracktro.zip

You can load it into memory and edit the text as you wish. To do this, run Action Replay, insert cracktro.adf and then type this:

and edit the text to suit your needs.

When done, crunch it with ByteKiller V2.0, using min. crunch offset $200. Use 60000 for load & jump address.

I have found some spare tracks on the disk where we can locate the intro. Read tracks 76 - 79 into memory, starting at address 30000: RT 99 7 30000. As the observant reader can see, it's actually only half of track 76 (152) - 79: AR numbers the two sides of a cylinder separately, so cylinder 76 is AR track 152, $99 = 153 is its second side, and 7 tracks from there takes us up to track 159, the end of cylinder 79.

Type NQ 30000 + enter. You should see this flash over your screen:

You should only see the above crap and nothing else. This is just blank disk space, not code. It ends around address 399F3. Insert the disk with the saved cracktro and load it into memory starting at address 30000: LM CRACKTRO,30000. The end address must NOT exceed 399F3. If it does, repack the file at a higher crunch offset or use ProPack!

Insert your copy of the game and write the tracks back: WT 99 7 30000.

The next problem is to move it into memory, as the whole boot block is full. We get around this by simply moving the boot block to another location on the disk and writing a new one that moves our cracktro into memory and then the original boot block.

Read track 0 into memory, starting at address 70000: RT 0 2 70000. View memory with N 70000 and stop when this appears:

Notice our crack + trainer at offset $800. Offset $A00 and onwards seems free (as does $400 onwards), so transfer the original boot block there: TRANS 70000 70400 70A00.

When you have done that, assemble the start of the boot code and make two new track loaders:

You can't assemble addresses 7002A & 7005A with AR, so insert the opcodes instead. See picture above.

The new loader will move our cracktro into address 50000 and execute it by the "JSR 50024" - it's an exe file... After that, the original boot block is moved to address 60000 and executed by the "JMP 6000C".

Correct the boot block checksum: BOOTCHK 70000

Write track 0 back: WT 0 2 70000. Reboot and check it out!

Dedicated to sweet sweet Victoria

Rob
Download: Naughty Ones
Filesize: 0KB, downloaded 74 times