Sword of Honour

Sword Of Honour - Prestige
You will need following:
1. Original game - find it on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. The copy goes through without errors, so this is probably not a disk-based protection.
Boot the copy of the game. After some loading, a screen like this appears:
Hmmm... So this is a novella protection. The game wants some word from the manual, and I don't assume you have the
Type something in, something sweet, like VICTORIA. When done, enter AR and search through memory for the word you typed (AR's F command).
AR returns address 189D7. Let's see what the game does with this address, by searching for code that references it: FA 189D7. This time AR returns two addresses,
18822 & 1889E. Disassemble the first address AR returns and hit enter a few times:
Address 18822 moves the address of what was typed in at the protection screen into register A1. Address 18828 moves the byte at (A0) - the word the game expects -
into D0. Address 1882A does a byte compare of (A1) - what we typed in - with D0. If they are not equal, address 1882C
branches to address 18838 and the protection restarts.
Try assembling at address 1882C and insert a BRA 18832. In this way the game always branches past the failing compare, so the protection test is skipped.
Exit AR and press enter.
The game starts!
Next step is making our crack permanent. Enter AR and type M 1882C to see the opcodes for our crack.
Take note of the address and the red opcodes (the two bytes of our BRA), as we shall use them later on.
The protection is contained in a crunched file, so we cannot patch it on disk directly; we have to find a way to patch it after it's decrunched, but before
it's executed. Let's try to search through memory for signs of jumps. The opcode for JMP (absolute long) is 4E F9, search for
it: F 4E F9. AR returns 1, 2, 3, many addresses...
Disassemble the first one, at 222: D 222. It jumps to address 16000. The protection was located in this area of
memory, so perhaps we have found something interesting. Reboot the game and enter AR shortly after boot.
Try to disassemble address 222 and hit enter. The JMP 16000 appears at this early stage, so this part is probably not
Set a breakpoint at address 222 and exit AR: BS 222. When the game reaches address 222, AR will pop up.
When AR activates, disassemble address 18822 (the protection) and hit enter a few times. The protection is decrunched
but not executed yet! We are interested in taking over this jump and making it jump to a crack patch instead, which patches 1882C and then continues to 16000.
This is an NDOS (non-DOS, trackloaded) game, and they usually load data into either low or high chip memory. The JMP 16000 appears at
address 222, which is pretty low. View memory with N 0 + enter and stop when this appears:
The data seems to start at address 100 (it looks like a Byte Killer decruncher), and we have a gap of unused memory from address 240 - 400.
If we find this data on disk, we could put the crack patch at address 240.
This data is located on track 51 (find it by trial and error, or keep your eye on the track counter upon game boot). Note that the counter shows the cylinder; AR's RT command takes the track number in hex (cylinder * 2 + side), so cylinder 51, side 0 is track 66. Read both sides of it
into memory, starting at address 30000: RT 66 2 30000. View memory with N 30000 and hold enter down. Stop when
this appears:
This hopefully looks familiar!
The code starting at address 30C00 is the data that is loaded to address 100. The gap that starts at address 240 in memory must therefore be at address
30D40 in our buffer (30C00 + 240 - 100). This means that whatever we put at address 30D40 ends up at address 240 when the game loads.
Assemble at address 30D40 and code the crack patch:
30D40: MOVE.W #6004,1882C ; write the new opcode (BRA 18832) over the BNE at address 1882C
30D48: JMP 16000          ; we took over this jump, so jump back into the game
Find the JMP 16000 in the buffer, searching from address 30000: FA 16000 30000. AR returns four addresses, but only 30D22 is a
JMP 16000 (30D22 corresponds to address 222 when loaded). Assemble at this address and change it to JMP 240 instead. Write the tracks back: WT 66 2 30000.
When the game reaches address 222, which normally would jump to address 16000, it now jumps to address 240 instead.
Our small patch changes the BNE 18838 into a BRA 18832 and then jumps back into the game. You can now type
anything at the protection screen.
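The whole procedure above can also be done with a script over the track dump instead of by hand in the Action Replay monitor. The following is an added example, not part of the original tutorial and not Prestige's or AR's code: it uses the addresses from the text (buffer at 30000, data at 30C00 loading to 100, JMP at 222, gap at 240, BNE at 1882C), encodes the 68000 BRA.S/JMP/MOVE.W instructions itself, and applies the same two edits (hook the JMP, drop the patch in the gap). It assumes the buffer is a plain decoded track dump as RT reads it into memory (two tracks of 11 * 512 bytes); the sample buffer is constructed here, not the real disk data.

```python
"""Apply the Sword of Honour crack patch to a track dump (added example, constructed data)."""
import struct

TRACK_BASE = 0x30000   # where RT 66 2 30000 put the two tracks
FILE_START = 0x30C00   # the crunched data starts here in the buffer...
LOAD_ADDR  = 0x100     # ...and is loaded to address 100 by the game
HOOK_ADDR  = 0x222     # run-time address of the JMP 16000 we take over
GAP_ADDR   = 0x240     # unused memory 240-400 where the patch will live
GAME_ENTRY = 0x16000   # original JMP target
PROT_BNE   = 0x1882C   # BNE 18838 in the decrunched protection
BRA_TARGET = 0x18832   # where our replacement BRA must land
TRACK_LEN  = 11 * 512  # bytes per Amiga DD track as read by RT

def mem_to_file(addr):
    """Run-time address -> offset in the track buffer (the tutorial's 240 -> 30D40 step)."""
    return FILE_START - TRACK_BASE + (addr - LOAD_ADDR)

def branch_short(opcode_hi, pc, target):
    """Encode a 68000 Bcc.S (0x60 = BRA, 0x66 = BNE). Displacement is relative to pc+2,
    must fit a signed byte and must not be 0 (0 selects the .W form)."""
    disp = target - (pc + 2)
    if disp == 0 or not -128 <= disp <= 127:
        raise ValueError(f"target {target:X} not reachable with a short branch from {pc:X}")
    return bytes([opcode_hi, disp & 0xFF])

def jmp_abs(target):
    """JMP (xxx).L = 4EF9 + 32-bit address."""
    return b"\x4e\xf9" + struct.pack(">I", target)

def move_w_imm_abs(value, target):
    """MOVE.W #imm,(xxx).L = 33FC + 16-bit immediate + 32-bit address."""
    return b"\x33\xfc" + struct.pack(">HI", value, target)

def build_patch():
    """The two instructions the tutorial assembles at 30D40 (run-time 240)."""
    new_opcode = int.from_bytes(branch_short(0x60, PROT_BNE, BRA_TARGET), "big")  # 0x6004
    return move_w_imm_abs(new_opcode, PROT_BNE) + jmp_abs(GAME_ENTRY)

def patch_track(buf):
    """Hook the loader's JMP 16000 to our patch and place the patch in the gap."""
    buf = bytearray(buf)
    hook = mem_to_file(HOOK_ADDR)
    if buf[hook:hook + 6] != jmp_abs(GAME_ENTRY):
        raise ValueError("expected JMP 16000 at buffer offset %X" % (TRACK_BASE + hook))
    buf[hook:hook + 6] = jmp_abs(GAP_ADDR)
    patch = build_patch()
    off = mem_to_file(GAP_ADDR)
    if off + len(patch) > mem_to_file(0x400) or any(buf[off:off + len(patch)]):
        raise ValueError("patch does not fit in the 240-400 gap or gap is not empty")
    buf[off:off + len(patch)] = patch
    return bytes(buf)

def make_sample_track():
    """Constructed stand-in for the real track dump: zeros plus a JMP 16000 at offset D22."""
    buf = bytearray(2 * TRACK_LEN)
    off = mem_to_file(HOOK_ADDR)
    buf[off:off + 6] = jmp_abs(GAME_ENTRY)
    return bytes(buf)

if __name__ == "__main__":
    patched = patch_track(make_sample_track())
    print("BNE 18838 at 1882C:", branch_short(0x66, PROT_BNE, 0x18838).hex())
    print("patch at 30D40:", patched[mem_to_file(GAP_ADDR):mem_to_file(GAP_ADDR) + 14].hex())
```

The branch encoder doubles as the check for the red opcodes shown by M 1882C: the original BNE 18838 encodes as 66 0A and the replacement BRA 18832 as 60 04, which is why the patch writes #6004. The gap check and the "expected JMP 16000" check are the two things that go wrong most often when a track number or load address is off by one, so a real track dump that fails them should be re-read rather than forced.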
