Submitted by: Rob
Date: 2005-05-29 08:00
Trolls - AGA
© Flair Software
You will need the following:
1. Original game (find it on emunova.net)
2. An Amiga 1200
3. ARIV (the Action Replay cartridge used for all the monitor work below)
4. Pencil and paper
Start by making a copy of the original game disks. The copy goes through without errors, so this is probably not a disk-based protection.
Start ARIV and boot the copy of the game. After a few seconds ARIV pops up; it has been activated by an exception.
Turn off exception trapping by typing ALLEXC and exit with X. By the way, to enter ARIV normally, use the RIGHT mouse button.
The game continues loading and after a while a screen like this appears:
Type something in, let's say "VICTORIA". Enter ARIV and search for this word: FS "VICTORIA". ARIV returns address 3F69A (all addresses are hex). This is the address where the game stores what we type in.
Let's see what else the game does with this address: FA 3F69A. You will get three addresses; we are interested in the second one, 2048A. Disassemble this address and hit enter a few times.
We have to alter two instructions here. There is a compare at address 204A0. If it fails, the BNE at 204A4 branches to 204AE, which subtracts 1 from the attempts counter (you get three tries!).
We have to NOP out the BNE at 204A4; otherwise a failed compare never reaches the second branch below.
There is also a compare at 204A6. If it passes, the BEQ at 204AA branches on into the game. Change this from BEQ (branch if equal) to BRA (branch always). That way the game continues no matter what is typed in.
Assemble both addresses, 204A4 and 204AA, and enter the new code. When done, look at the memory with the "M" command and take note of the opcodes of our new code: a NOP assembles to 4E71, and turning BEQ into BRA changes the first byte of the branch from 67 to 60 while the displacement byte stays the same. The game files are crunched, so they can't simply be altered on disk. We have to find a way to patch the decrunched code in memory before it is executed.
First of all, the protection seems to be located in the 20000 area of memory. Perhaps the file actually starts at address 20000. Check whether anything calls address 20000: FA 20000. ARIV returns address 106D4, which holds a "JMP 20000". Take note of this!
Let's find the start of this new routine. Disassemble address 106D4 and hold enter down until the bottom of the screen has been reached. Scroll back up and stop when this appears:
The code seems to start at address 10400. Take note!
Let's have a look at the boot block and what it loads in. Read the boot block into memory, starting at address 70000: RT 0 1 70000. Disassemble the boot code and stop when this appears:
We are interested in 7005C: this address jumps to what A3 points to, "JMP (A3)". A3 points to the start of the data that the boot block has loaded into memory. Let's alter this to a loop, so the game hangs there and we can have a closer look at that data. Assemble 7005C and change the JMP (A3) to BRA 7005C (a branch to itself), then correct the boot block checksum and write the block back to disk (the same two commands we use at the end).
Reboot and enter ARIV when the game hangs in our loop. A3 should point to the start of the loaded data. Press "R" to see the registers.
A3 points to address 66C0. This might differ on your computer!
Let's see whether the data loaded at 66C0 contains a jump to address 10400: FA 10400 66C0 (search for references to 10400, starting from 66C0). ARIV returns address 678A. We should now have all the addresses needed to patch the protection.
There is just one little problem. Address 66C0 is relative, i.e. it is simply wherever A3 points. This means we cannot assume that the "JMP 10400" will appear at address 678A on all Amiga computers.
A3 will always point to the start of the data, so we can use A3 as a base and calculate how far from A3 the "JMP 10400" appears.
Simply subtract 66C0 from 678A and we know what to add to A3 so it points to the jump. Use ARIV's calculator for this: ? 678A-66C0 gives CA (see the picture above). So the "JMP 10400" sits at CA(A3), whatever value A3 has on a given machine.
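The two patches to the protection code (NOP the BNE, BEQ to BRA) and the A3-relative search for the "JMP 10400" described above, worked through in Python as an added example. This is not code from the tutorial or the game: the byte images are constructed to match the text (addresses 204A0-204AE, the jump at offset CA from A3), the compare instructions and the loader filler are assumptions, and the helpers mimic what ARIV's FA and A commands do rather than calling them.

```python
# Added example, not code from the tutorial or the game: Python helpers that do
# what the ARIV session does by hand. The byte images are constructed to match
# the text's description; instruction choices and loader layout are assumptions.

NOP = bytes.fromhex("4E71")   # 68000 NOP
JMP_ABS_L = 0x4EF9            # JMP (xxx).L
JSR_ABS_L = 0x4EB9            # JSR (xxx).L


class Mem:
    """A block of memory with a known base address (for example A3, or $20000)."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytearray(data)

    def _o(self, addr):
        return addr - self.base

    def word(self, addr):
        return int.from_bytes(self.data[self._o(addr):self._o(addr) + 2], "big")

    def long(self, addr):
        return int.from_bytes(self.data[self._o(addr):self._o(addr) + 4], "big")

    def write(self, addr, raw):
        self.data[self._o(addr):self._o(addr) + len(raw)] = raw


def branch_target(mem, addr):
    """Where the Bcc/BRA at addr goes. The low byte is an 8-bit displacement;
    $00 means a 16-bit displacement word follows, and $FF is 68020+ only."""
    op = mem.word(addr)
    if op & 0xF000 != 0x6000:
        raise ValueError("no branch instruction at %X" % addr)
    disp = op & 0xFF
    if disp == 0x00:
        disp = mem.word(addr + 2)
        disp -= 0x10000 if disp & 0x8000 else 0
    elif disp == 0xFF:
        raise ValueError("32-bit displacement is not valid on a plain 68000")
    elif disp & 0x80:
        disp -= 0x100
    return addr + 2 + disp        # displacement is relative to the word after the opcode


def nop_out(mem, addr):
    """Replace a two-byte instruction such as BNE.S with NOP (4E71)."""
    mem.write(addr, NOP)


def beq_to_bra(mem, addr):
    """BEQ (67xx) -> BRA (60xx): only the condition field changes, the
    displacement stays, so the branch still lands where the 'OK' path went."""
    op = mem.word(addr)
    if op & 0xFF00 != 0x6700:
        raise ValueError("no BEQ at %X" % addr)
    mem.write(addr, (0x6000 | (op & 0xFF)).to_bytes(2, "big"))


def find_abs_jumps(mem, target):
    """Offsets from mem.base of every JMP/JSR target.L, like 'FA target base'.
    The offset, not the absolute address, is what survives a different A3."""
    pat = target.to_bytes(4, "big")
    hits = []
    for off in range(0, len(mem.data) - 5, 2):   # 68000 code is word aligned
        op = int.from_bytes(mem.data[off:off + 2], "big")
        if op in (JMP_ABS_L, JSR_ABS_L) and mem.data[off + 2:off + 6] == pat:
            hits.append(off)
    return hits


def retarget(mem, off, new_target):
    """Rewrite the operand of the JMP/JSR at base+off (JMP 10400 -> JMP 100)."""
    mem.write(mem.base + off + 2, new_target.to_bytes(4, "big"))
    return mem.long(mem.base + off + 2)


# Constructed stand-in for the protection code around $204A0 (addresses and
# branch layout from the text; the compare instructions are invented).
PROT = Mem(0x204A0, bytes.fromhex(
    "0C400000"   # 204A0  CMPI.W #0,D0   stand-in compare
    "6608"       # 204A4  BNE.S  $204AE  fail: go and lose a try
    "0C410001"   # 204A6  CMPI.W #1,D1   stand-in compare
    "6714"       # 204AA  BEQ.S  $204C0  pass: on into the game
    "4E71"       # 204AC  NOP
    "5387"))     # 204AE  SUBQ.L #1,D7   attempts counter

# Constructed stand-in for what the boot block loads to A3: NOP filler, then
# the 'JMP 10400' at offset $CA, exactly where 678A - 66C0 puts it.
LOADER = Mem(0x66C0, NOP * (0xCA // 2) + bytes.fromhex("4EF9" "00010400"))


def patch_protection(mem):
    """The two in-memory edits from the text; returns the patched bytes as hex."""
    nop_out(mem, 0x204A4)
    beq_to_bra(mem, 0x204AA)
    return mem.data.hex().upper()
```

Decoding the branch first is the sanity check the tutorial does by eye: `branch_target(PROT, 0x204A4)` must come back as 204AE before the BNE is NOPped, and after `beq_to_bra` the BEQ at 204AA still resolves to the same target, only unconditionally. `find_abs_jumps(LOADER, 0x10400)` returns `[0xCA]`, the same number the "? 678A-66C0" calculation gives, and `retarget(LOADER, 0xCA, 0x100)` is the "JMP 10400" to "JMP 100" edit the boot block patch performs at run time.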
Let's see whether we have spare bytes on the boot block for our patch. Read the boot block into memory again, starting at address 70000: RT 0 1 70000. Look at the boot block with "N 70000" and hit enter a few times.
It seems we have plenty of unused space from offset $C0 onwards. And no, the game is NOT Copylock protected.
Earlier we altered the "JMP (A3)" at 7005C to "BRA 7005C" for the loop. Assemble 7005C again and change it to "BRA 700C0", so the boot code runs our patch before it enters the loaded data.
Our patch starts at 700C0. The code at 700C0 will move the "second" part of our patch into address 100, alter the "JMP 10400" at CA(A3) to "JMP 100" and finally hand control to the loader with the JMP (A3) we replaced. Insert the code you see below:
Assemble 70100 and insert the following code:
Correct the boot block checksum: BOOTCHK 70000. Then write the boot block back: WT 0 1 70000.
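The boot block checksum that BOOTCHK recomputes, together with the "BRA to our patch" edit at offset 5C, as an added Python example (not the tutorial's or the game's code). The boot block it works on is constructed here: a DOS\0 header, a two-instruction stand-in for the boot code and zeros elsewhere. The checksum algorithm itself is the standard Amiga one (sum of the 256 longwords with end-around carry, then complement); the offsets 5C and C0 come from the text.

```python
# Added example, not code from the tutorial: the Amiga boot block checksum that
# BOOTCHK recomputes, plus the 'BRA to our patch' edit from the text, applied to
# a constructed boot block. Nothing here is the game's own data.

BOOTBLOCK_SIZE = 1024            # track 0, sectors 0 and 1 ('RT 0 1')
CHECKSUM_OFFSET = 4              # longword 1 of the block


def bootblock_checksum(block):
    """Sum the 256 longwords with end-around carry, counting the checksum slot
    as zero, then complement. This is the value the Kickstart ROM expects."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly %d bytes" % BOOTBLOCK_SIZE)
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue
        total += int.from_bytes(block[off:off + 4], "big")
        if total > 0xFFFFFFFF:                  # carry out of bit 31 ...
            total = (total & 0xFFFFFFFF) + 1    # ... is added back in
    return ~total & 0xFFFFFFFF


def bootblock_is_valid(block):
    """True when the stored checksum matches, i.e. the ROM will boot this block."""
    stored = int.from_bytes(block[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4], "big")
    return bootblock_checksum(block) == stored


def fix_bootblock(block):
    """Equivalent of BOOTCHK: write the correct checksum into the block."""
    out = bytearray(block)
    out[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = bootblock_checksum(out).to_bytes(4, "big")
    return bytes(out)


def redirect_boot_code(block, at, to):
    """Replace the instruction at offset 'at' with BRA.S to offset 'to' (the
    text's 'JMP (A3)' -> 'BRA 700C0' at 7005C) and refix the checksum.
    BRA.S reaches -128..+127 bytes from the word after the opcode; $00 and
    $FF displacement bytes mean 16-bit (or 68020+ 32-bit) forms, so refuse them."""
    disp = to - (at + 2)
    if not -128 <= disp <= 127 or disp in (0, -1):
        raise ValueError("BRA.S cannot encode displacement %d" % disp)
    out = bytearray(block)
    out[at:at + 2] = bytes([0x60, disp & 0xFF])
    return fix_bootblock(out)


def make_test_bootblock():
    """Constructed boot block (assumption, not the game's): 'DOS\\0', zero
    checksum, root block 880, NOP;RTS as stand-in boot code, zeros elsewhere."""
    bb = bytearray(BOOTBLOCK_SIZE)
    bb[0:4] = b"DOS\x00"
    bb[8:12] = (880).to_bytes(4, "big")
    bb[12:16] = bytes.fromhex("4E714E75")
    return bytes(bb)
```

Any byte you change in the block, including the two-byte BRA at 5C, invalidates the stored checksum, which is why a patched boot block that is written back without BOOTCHK simply fails to boot. The end-around carry matters: a block full of FF bytes sums to a checksum of 0 with this algorithm, while a plain modulo-2^32 sum would give a different (wrong) value.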
Boot the game and type whatever you want at the protection screen:
...And what happens when you press enter?
The game starts, of course :)
Dedicated to the sweetest girl; Victoria