Submitted by: Rob
Date: 2005-05-23 16:57
Winter SuperSports 92
© Flair Software
You will need the following:
1. Original game
2. An Amiga
3. AR3 or ROM
4. Pencil and paper
Start by making a copy of the original game disk. Everything seems ok, so this is probably not a disk-based protection.
Boot the copy of the game. After a while, a screen like this will appear:
Let's follow the instructions. Keep pressing Enter until the screen turns black. Enter AR and type 'D' + Enter.
You are stuck in a loop routine at address 5BF0.
Let's see what calls this: 'FA 5BF0'. AR returns two addresses: 5BF0 & 5F60.
We are naturally interested in address 5F60. Let's have a look at the code
around this address:
The 'crashing' routine seems to start at address 5F30. The routine is called by the 'BNE' at address 5F14.
Address 5F10 checks if D1 = #E0. If it is, the 'BNE' is not taken and the game will continue loading.
We'll crack the game by changing the 'CMP.B #E0,D1' to 'MOVE.B #E0,D1' and then we NOP out the 'BNE'.
This will push the correct value into D1 and the game will continue loading.
The game files are crunched, so we need to patch the decrunched protection. We do this by pushing new opcodes into it. Assemble address 5F10 and insert the following. Then write down the new opcodes:
I have divided the opcodes into two long words, see the above picture.
The next step is to determine how to patch the protection.
Load the main file 'BOOT' into memory, starting at address 30000: 'LM BOOT,30000'.
The file is located between addresses 30000 and 32D68.
The decrunch header starts with the text 'TSM!'. The game's decrunch routine uses a compare routine to check if the file is crunched. This will help us find the point where the protection has been loaded & decrunched, but not yet executed. Disassemble address 30020:
The decrunch routine starts at address 30080; note the compare routine at address 30086.
Check what calls the decruncher: 'FA 30080 30000'. AR returns two addresses. Try disassembling the second one and hit Enter a few times:
When the game reaches the end of the above routine at address 3007E, the protection has been decrunched, but not executed yet.
Take note of the code at address 3007A and replace it with a 'JMP 100.S'. This will cause the game to jump to address 100 instead of executing the decrunched data. We can then put a patch at address 100, which moves the new opcodes into the protection and then executes the game.
When you have inserted the 'JMP 100.S', save the file back: 'SM BOOT,30000 32D68'.
We need to make a little routine on the boot block, which moves our crack patch to address 100.
Read the boot block into memory, starting at address 70000: 'RT 0 1 70000'
(The following assumes that the boot block is a standard DOS boot block V2.0.)
Disassemble address 7000C and hit Enter a few times. Take note of the code at address 7000C and change it to 'BSR 700C0'. This will call our copy routine. Assemble address 700C0 and insert the following code:
700C0; destination address 100 for the patch
700C6; copy from offset 100 on the boot block
700CA; copy 100 (amount to copy)
700D4; restore the code we removed at the start of the boot block
Assemble address 70100 and code the crack:
70100; restore the code we removed in file 'BOOT' to make space for the 'JMP 100.S'
70104; insert 'MOVE.B #E0,D1' at address 5F10
7010C; NOP out the 'BNE' at address 5F14
Correct the boot block checksum and write the track back: 'BOOTCHK 70000' & 'WT 0 1 70000'
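The 'BOOTCHK' step exists because the Kickstart ROM verifies a checksum over the whole 1024-byte boot block before it will execute it, so any edit to the block (the 'BSR 700C0' hook above included) leaves the disk unbootable until the checksum longword at offset 4 is recomputed. The following is an added example, not code from the tutorial or from Action Replay: a Python implementation of the standard AmigaDOS boot block checksum (end-around-carry sum of 256 big-endian longwords, one's complement stored at offset 4), plus a validity check of the kind a disk-integrity tool or boot block virus scanner performs. The boot block it operates on is constructed here ('DOS\0' id, root block 880, no code) and is not the game's.

```python
"""Amiga boot block checksum, the value that the AR 'BOOTCHK' command refreshes.

Added example, not code from the original tutorial.  The algorithm is the
standard AmigaDOS one: treat the 1024-byte boot block as 256 big-endian
longwords, add them with end-around carry while the checksum field (the
longword at offset 4) is taken as zero, then store the one's complement of
that sum in the field.  A block is valid when the end-around-carry sum of
all 256 longwords, checksum field included, equals 0xFFFFFFFF.
"""
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4     # longword at offset 4 holds the checksum
MASK = 0xFFFFFFFF


def _sum_with_carry(block: bytes, skip_checksum_field: bool) -> int:
    """End-around-carry (one's complement) sum of the 256 longwords."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if skip_checksum_field and offset == CHECKSUM_OFFSET:
            continue
        (word,) = struct.unpack_from(">I", block, offset)
        total += word
        if total > MASK:            # carry out of bit 31: fold it back in
            total = (total & MASK) + 1
    return total


def compute_checksum(block: bytes) -> int:
    """Checksum that makes the block valid, ignoring whatever sits at offset 4."""
    return (~_sum_with_carry(block, skip_checksum_field=True)) & MASK


def fix_checksum(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum written at offset 4."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, compute_checksum(block))
    return bytes(fixed)


def is_valid(block: bytes) -> bool:
    """True when the block carries a matching checksum (what the ROM checks)."""
    return _sum_with_carry(block, skip_checksum_field=False) == MASK


def constructed_bootblock() -> bytes:
    """Constructed minimal DOS boot block: 'DOS\\0' id, root block 880, no code."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)   # root block number of a DD floppy
    return bytes(block)


if __name__ == "__main__":
    raw = constructed_bootblock()
    fixed = fix_checksum(raw)
    print(f"checksum = {compute_checksum(raw):08X}, valid = {is_valid(fixed)}")
    # Editing any longword after the checksum was written invalidates the block
    tampered = bytearray(fixed)
    tampered[0x0C] ^= 0xFF
    print(f"edited without BOOTCHK: valid = {is_valid(bytes(tampered))}")
```

Run it on a real boot block by reading 1024 bytes from offset 0 of an ADF image and passing them to is_valid(); a block that fails the check is exactly what the ROM refuses to boot, which is why the tutorial refreshes the checksum as its last step before writing the track back.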
Reboot and type anything at the protection screen.