Shadow Fighter

Punch kick slap

Category: TutorialsAmigaCrackingNovella
Author: rob
Submitted by: Rob
Date: 2005-05-21 13:50
No tags

© Gremlin
1. Original game - find on
2. An Amiga or WINUAE
3. An Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disks. Everything seems OK, so this is probably not a disk-based protection.
Boot the copy of the game. After some loading, a screen like this appears:
Type something in three times, so that it fails. You will see a new screen asking you to reboot. Enter AR and press D to
disassemble the current memory. You should receive address 26284, which is branching to itself. The game will loop like this
forever. Continue disassembling until you reach the bottom of the screen, then scroll back up:
The routine seems to start at address 2625E. The next step is to find what calls this "fail" routine. We can't do that
now, since the protection flushes memory when it fails and removes part of itself. Reboot the game and enter AR when the protection
appears. Search for calls to address 2625E: FA 2625E. AR returns four addresses. We are interested in 25922.
Disassemble address 25922 and hold enter down until the bottom of the screen has been reached. Scroll back up and stop when
this appears:
We have the compare routine at address 258FE. If it passes, address 25900 branches to 25926 and exits the protection.
We simply have to change the "BEQ" (branch if equal) to a "BRA" (branch always). The protection will then pass, no matter what is
typed in.
The game files are crunched (compressed), so we have to patch the decrunched protection before it's executed. The patch should be pretty
simple, as it only has to change the "BEQ" to a "BRA". We will do this by inserting new opcodes at address 25900.
See the old opcodes with "M 25900". Assemble 25900, change it to a "BRA" and see the new opcodes:
Old opcodes are marked in red and new ones in green. Take note of address 26900 and the new opcodes!
The next step is finding what calls the protection. To do so, we need to find the start of it. The protection seems to be in the 25000
area of memory. Disassemble address 25000 and stop when some "reasonable" code appears:
It seems to start at address 25826; take note. See what calls this address: FA 25826. AR returns four addresses and only
one of them is a "JSR". Address 8544 calls the protection. The "JSR 25826" at address 8544 is part of another
crunched file...
Perhaps this file starts right at address 8000. Disassemble address 7FF0 and hit enter a few times:
Reasonable code seems to start at address 8000. Take note.
What calls address 8000?
Reboot the game and enter AR when the loading screen appears. The main loader must be in memory now. Search for
jumps to address 8000: FA 8000. AR returns two addresses, and 7A0D0 does a "JMP 8000". Take note!
We now have all the addresses needed to patch the protection. Read the boot block into memory, starting at address 70000:
RT 0 1 70000. Disassemble the boot code to see what it does: D 7000C. It seems we have a jump to address 7A000.
And we had a "JMP 8000" at address 7A0D0. This jump must be part of the file loaded to address 7A000.
Nice to know, isn't it? :)
See the contents of the boot block with N 70000 and press enter a few times. It seems we have spare bytes here to put our
crack-patch in. Assemble address 70100 (offset $100 on disk) and code the patch:
Assemble address 700C0 and code a little routine that will move our patch to address 100 and patch the "JMP 8000"
to "JMP 100". See the picture above.
Correct the boot block checksum so the game can boot: BOOTCHK 70000.
Write the boot block back: WT 0 1 70000.
Boot the game and type any number at the protection screen.
I haven't done much play testing with this one, just so you know.
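The BOOTCHK step above recomputes the AmigaDOS boot block checksum, which is also what lets you tell whether a boot block on a disk image has been altered since its checksum was written. As an added example (not code from the original tutorial), here is that checksum in Python with an integrity check built on it; the 1024-byte sample boot block is constructed inline, and the byte offset patched in the tamper test is an arbitrary choice.

```python
import struct

BOOTBLOCK_SIZE = 1024      # track 0, sectors 0 and 1 (2 x 512 bytes)
CHECKSUM_OFFSET = 4        # second longword holds the checksum
ROOTBLOCK_OFFSET = 8       # third longword holds the root block number


def bootblock_checksum(block: bytes) -> int:
    """AmigaDOS boot block checksum: sum all 256 big-endian longwords with
    the checksum field itself taken as zero, add each 32-bit carry back in
    (end-around carry), then complement the result."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                        # stored checksum counts as zero
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:              # 32-bit overflow: wrap, add carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def bootblock_is_intact(block: bytes) -> bool:
    """True if the block carries the 'DOS' signature and its stored checksum
    matches its contents. Any byte changed after the checksum was written,
    without recomputing it, makes this False."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def with_checksum(block: bytes) -> bytes:
    """Return a copy whose checksum field has been recomputed (what BOOTCHK does)."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


# Constructed sample: a minimal OFS boot block (root block 880) with no boot code.
SAMPLE = with_checksum(b"DOS\x00" + b"\x00" * 4 + struct.pack(">I", 880)
                       + b"\x00" * (BOOTBLOCK_SIZE - 12))

if __name__ == "__main__":
    print("sample intact:", bootblock_is_intact(SAMPLE))
    tampered = bytearray(SAMPLE)
    tampered[0x100] = 0x4E                  # one byte changed in the spare area
    print("tampered intact:", bootblock_is_intact(bytes(tampered)))
```

Comparing a disk image's boot block against a known-good copy, or simply checking that the checksum still validates, is a quick way to spot a boot block that has been modified in place.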
