Naughty Ones

If you have lost your manual, don't panic.

Category: Tutorials / Amiga / Cracking / Novella
Author: Rob
Date: 2005-02-26 19:48
Naughty Ones
© Interactivision
1994
Created by Melon Dezign
You will need the following:
1. Original game - get it from your local supplier :)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original disk. All tracks seem OK, so we are probably not dealing with a disk-based protection.
Boot the copy of the game. After some loading, a screen similar to this appears:
If you have misplaced your manual, continue reading...
Enter something; let's choose "SIGNE". When done, DON'T press enter, but enter AR. Search through memory for
the word "SIGNE": FS "SIGNE". AR returns address 1BE6E.
Let's see what the game does with this address: FA 1BE6E. AR returns three addresses; disassemble 1BD08 and hit enter
a few times:
Address 1BD08 moves what we type in into A4. Address 1BD10 seems interesting. It compares what A4 points to
with D0. If not equal, address 1BD12 branches to 1BD20, which subtracts 1 from the attempts counter.
Let's try to "NOP" out the BNE: assemble address 1BD12 and insert a "NOP":
Exit AR and press enter. The protection passes and the game continues... Take note of address 1BD12; it needs to be NOP'ed
out.
The protection is located in a crunched file, so we can't just modify it on disk. We have to find the point where it's
decrunched but not yet executed. That way we can make a patch which inserts a "NOP" into the decrunched
protection.
Read the boot block into memory, starting at address 70000: RT 0 1 70000. Disassemble address 7000C and hit enter a few
times. This shows us what happens at boot start.
Let's follow the code. We have a BRA 70036 at 70020. Disassemble 70036 and hit enter a few times.
The interesting part is 70060 - 70074. This code copies the part of the boot block starting at offset $7A to memory
at address 6F000 and then executes it. Disassemble address 7007A and hit enter a few times:
We have a JMP 3000 at 700DE; this will appear in the 6F000 area of memory when the game is booted.
Reboot the game and enter AR shortly after it begins to load. Disassemble address 6F000 and stop when the "JMP 3000"
appears. Set a breakpoint at address 6F064: BS 6F064, exit AR and continue the game.
After some loading AR pops up when address 6F064 is reached. Try disassembling address 1BD12 to see if the "BNE"
we want to NOP out has been decrunched yet: D 1BD12. Seems not. Exit AR and continue the game. Enter again when the
protection appears.
The "BNE" was at address 1BD12, so maybe the protection starts at address 10000. View memory with N 10000 and hit
enter a few times. Interesting... And he's right...
Check what calls address 10000: FA 10000. AR returns address 31C4. This call must be part of the file starting at
address 3000. So we could change the "JMP 3000" on the boot block to "JMP 100" and put a little crack patch there.
The patch should first modify address 31C4 to jump to the second part of our patch, which inserts a "NOP" at 1BD12 and
then jumps to address 3000. Take note of address 31C4.
Reboot the game, enter AR when it begins to load and insert a breakpoint at address 6F064 again.
When I was poking around in the code, I fell over the word "joshua" in the middle of the main file. A bit strange to put
that here?
But not really: if you type the word at the title screen, the screen flashes and you activate the game's built-in trainer.
"joshua" appears at address 3352.
Perhaps the game uses some kind of compare routine to check if the word is typed in at the title screen. Let's see what
happens with address 3352: FA 3352. AR returns address 331C. Disassemble this address and hit enter a few times.
The interesting address is 3336: if 3294 is set to 1, the trainer is on. Also notice 333E; this code makes the screen
flash when the code is typed in at the title screen. If you follow the code the next steps, it ends with an "RTS", so
it's just a little subroutine. We could put a "JSR 3336" in our crack patch to activate the trainer, with some
right or left mouse button check to disable or enable the trainer.
Next step is to find a place for our crack + trainer patch and a way to move it into memory. Read the boot block into memory,
starting at address 70000: RT 0 1 70000. View memory with "N 70000" and hit enter a few times.
The boot block seems pretty full, except for $3C0 - $400. But that is not enough bytes for the patches plus the code to move them into
memory. Keep holding enter down to check for some more free space:
Offset $800 seems free; let's pick it for our patches. Assemble address 70800 and code the patches:
70800; MOVE.L #4EB90000,31C4; change address 31C4 to JSR 138
70808; MOVE.W #138,31C8.S; change address 31C4 to JSR 138
7080E; MOVE.W #F,DFF180; turn screen blue
70816; BTST #6,BFE001; check for left mouse
7081E; BEQ 7082C; if left mouse pressed, branch to 7082C and activate cheat mode
70820; BTST #A,DFF016; check for right mouse
70828; BEQ 70834; if right mouse pressed, branch to 70834 and start normal game
7082A; BRA 7080E; loop above routine
7082C; JSR 3336.S; execute cheat mode
70830; JMP 3000.S; jump back to game, after cheat activated
70834; JMP 3000.S; jump to game, without cheat
70838; MOVE.W #4E71,1BD12; insert "NOP" at address 1BD12, crack game. This code will appear at address 138
70840; JMP 10000; jump into protection, this code will appear at 140
When the game has loaded and decrunched the main file, we'll make it jump to address 100 instead of 3000. When the patch
runs, address 31C4 is changed to "JSR 138". When address 31C4 is reached, the game jumps to our patch, which
cracks the protection and then executes it. After address 31C4 has been patched, the screen turns blue and waits for the
left or right mouse button to be pressed. If left is pressed, the game's own trainer is activated and the game started. If right is
pressed, the game starts normally.
We'll now alter the "JMP 3000" located at $DE to "JMP 100"; see picture below.
We had some spare bytes at offset $3C0 on the boot block. Let's put a little track loader there to move our patch into address
100. But first we need to alter the original boot code so our loader is called. Assemble address 70036 and insert a
"BSR 703C0" and a "NOP"; the "NOP" is needed to make the addresses add up. Assemble address 703C0 and code
the track loader:
Address 703E2 can't be assembled with AR, so insert the opcodes instead. The loader moves $200 bytes of data
into memory, starting at address 100. It loads the data starting from offset $800 on disk. At the end of the loader we restore the
code removed from the original loader and then return with the "RTS".
Correct the boot block checksum if you would like the game to boot: BOOTCHK 70000
And finally write the boot block back: WT 0 1 70000.
If the trainer is activated, use "Return" to skip levels. You might also crack the game by simply removing the call at
address 31C4. This of course requires that the protection doesn't mess with the game's memory...
And now... Musashi9 suggested putting a cracktro on. Well, isn't that a nice idea! Musashi9 has done a GREAT job
in "transforming" an Anthrox cracktro into a Flashtro cracktro. Find it here: cracktro.zip
You can load it into memory and edit the text as you wish! To do this, run Action Replay, insert cracktro.adf and
type this:
LM 60000,60000
then type this:
N 601DA
and edit the text to suit your needs.
When done, crunch it with ByteKiller V2.0, using min. crunch offset $200. Use 60000 for load & jump address.
I have found some spare tracks on the disk where we can put the intro. Read tracks 76 - 79 into memory, starting at
address 30000: RT 99 7 30000. As the observant reader can see, it's actually only half of track 76 (152) - 79.
Type NQ 30000 + enter. You should see this flash over your screen:
You should only see the above crap and nothing else. This is just blank disk space, no code. It ends around address
399F3. Insert the disk with the saved cracktro and load it into memory, starting at address 30000: LM CRACKTRO,30000.
The end address must NOT exceed 399F3. If it does, repack the file at a higher crunch offset or use ProPack!
Insert your copy of the game and write the tracks back: WT 99 7 30000.
Next problem is to move it into memory, as the whole boot block is full. We get around this by simply moving the
boot block to another location on disk and writing a new one, which moves our cracktro into memory and then the original
boot block.
Read track 0 into memory, starting at address 70000: RT 0 2 70000. View memory with N 70000 and stop when this
appears:
Notice our crack + trainer at offset $800. Offset $A00 onwards seems free, so transfer the original boot block ($000 - $400)
to that location: TRANS 70000 70400 70A00.
When you have done that, assemble the start of the boot code and make two new track loaders:
You can't assemble addresses 7002A & 7005A with AR, so insert the opcodes instead. See picture above.
The new loader moves our cracktro to address 50000 and executes it with the "JSR 50024" (it's an executable file).
After that, the original boot block is moved to address 60000 and executed by the "JMP 6000C".
Correct the boot block checksum: BOOTCHK 70000
Write track 0 back: WT 0 2 70000. Reboot and check it out!
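Two things the tutorial leans on without spelling out are what BOOTCHK actually computes (used twice, after patching the boot block and after building the new one) and how Action Replay's RT/WT track numbers map onto the disk and onto memory (RT 0 1 70000, RT 99 7 30000 and the "half of track 76" remark). The Python below is an added example, not code from Rob's tutorial or from Action Replay; it reimplements the standard Amiga boot block checksum (256 big-endian longwords summed with end-around carry, then complemented) so a saved ADF can be verified or repaired offline, and converts an RT/WT command into cylinder/side, ADF byte offset and memory range. The geometry constants are the standard DD disk layout; make_bootblock builds a constructed sample block, not an authentic one.

```python
"""Amiga boot block checksum and Action Replay track arithmetic.

Added example (not part of the original tutorial).  Reimplements what
AR's BOOTCHK does and what RT/WT assume about disk layout, so an ADF
image can be checked before it is written back to a real disk.
"""
import struct

# Standard double-density Amiga disk geometry (assumed, not from the page).
SECTOR_SIZE = 512
SECTORS_PER_TRACK = 11
TRACK_SIZE = SECTOR_SIZE * SECTORS_PER_TRACK   # $1600 bytes per AR "track"
TRACKS_PER_DISK = 160                          # 80 cylinders x 2 sides
BOOTBLOCK_SIZE = 2 * SECTOR_SIZE               # $400 bytes


def bootblock_checksum(block: bytes) -> int:
    """Standard Amiga boot block checksum (the value BOOTCHK writes).

    Sum the 256 longwords with the checksum field (offset 4) taken as 0,
    feeding every carry out of bit 31 back into bit 0, then complement.
    A valid block therefore sums to $FFFFFFFF when the stored checksum
    is included, which is what the Kickstart boot code tests.
    """
    if len(block) < BOOTBLOCK_SIZE:
        raise ValueError("boot block must be 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if off == 4 else struct.unpack_from(">I", block, off)[0]
        total += word
        if total > 0xFFFFFFFF:           # emulate the 68k ADDX carry wrap
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def bootblock_is_valid(block: bytes) -> bool:
    """True when the 'DOS' signature is present and the stored checksum
    at offset 4 matches the recomputed one (i.e. the disk will boot)."""
    stored = struct.unpack_from(">I", block, 4)[0]
    return block[:3] == b"DOS" and stored == bootblock_checksum(block)


def fix_bootblock(block: bytes) -> bytes:
    """Return a copy of the first $400 bytes with the checksum field
    rewritten, which is exactly the effect of BOOTCHK on the buffer."""
    out = bytearray(block[:BOOTBLOCK_SIZE])
    struct.pack_into(">I", out, 4, bootblock_checksum(out))
    return bytes(out)


def make_bootblock(code: bytes = b"") -> bytes:
    """Construct a sample boot block: 'DOS\\0' signature, empty checksum
    field, root block pointer 880, then `code` at offset 12 (where the
    boot code starts).  Constructed for demonstration, not a real disk."""
    if len(code) > BOOTBLOCK_SIZE - 12:
        raise ValueError("code does not fit in a boot block")
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)
    block[12:12 + len(code)] = code
    return bytes(block)


def ar_track_range(start_track_hex: str, count: int, address_hex: str) -> dict:
    """Map an AR 'RT/WT <start> <count> <address>' command to disk and memory.

    AR numbers tracks per side (0..159, given in hex), so track $99 = 153
    is cylinder 76, side 1 and each track is $1600 bytes.  Returns the
    (cylinder, side) of the first track, the byte offset of the data in an
    ADF image, and the memory range it occupies (mem_end is exclusive).
    """
    start = int(start_track_hex, 16)
    addr = int(address_hex, 16)
    if not 0 <= start < TRACKS_PER_DISK or start + count > TRACKS_PER_DISK:
        raise ValueError("track range outside an 80-cylinder disk")
    length = count * TRACK_SIZE
    return {
        "cylinder": start // 2,
        "side": start % 2,
        "adf_offset": start * TRACK_SIZE,
        "mem_start": addr,
        "mem_end": addr + length,
    }


if __name__ == "__main__":
    blk = fix_bootblock(make_bootblock(b"\x4e\x71"))   # a single NOP as boot code
    print("checksum %08X valid=%s" % (struct.unpack_from(">I", blk, 4)[0],
                                       bootblock_is_valid(blk)))
    print(ar_track_range("99", 7, "30000"))
```

Running it shows that RT 99 7 30000 starts at cylinder 76, side 1 (ADF offset $D2600) and fills memory from 30000 up to 39A00, which is why the tutorial's ceiling of 399F3 for the loaded cracktro falls inside the last of those seven tracks. The end-around carry matters: a longword of $FFFFFFFF contributes nothing to the sum, so a plain modulo-2^32 sum would produce a checksum the ROM rejects.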
Dedicated to sweet sweet Victoria
Rob