Submitted by: Rob
Date: 2005-06-23 16:56
Oscar - ECS
© Flair Software
You will need the following:
1. Original game - find it on emunova.net
2. An Amiga or WINUAE
3. AR or ROM image
4. Pencil and paper
5. Chocolate & Cola
NOTE! Addresses may differ on your computer.
Start by making a copy of the original game disks. Everything seems OK, so this is probably not a disk-based protection.
Boot the copy of the game. After some loading, a screen similar to this will appear:
I seem to have lost the manual, so we'd better find a way to get around this...
Type in a word, let's say "VICTORIA", WITHOUT pressing enter. Enter AR and search for the word: FS "VICTORIA".
AR returns address C0A038. This is in expansion memory (I have slow mem). This also shows us that the game does not use fixed addresses; more fun for us :)
Let's see what the game does with address C0A038: FA C0A038 C0000. AR returns address C09E50. Disassemble this address, hold enter down and release it when this appears:
We see the compare routine at address C09F72, comparing what we typed in. If it's NOT equal, the BNE at address C09F76 branches to address C09F8E and subtracts 1 from the attempts counter. If we simply remove this BNE, the protection will pass every time.
The game files are crunched with ICE! (the programmers changed it to a fake ID, MICK), so we can't just alter the protection on disk. Luckily, they didn't crunch the main loader.
Reboot the game and enter AR when the screen turns blue. Press D + enter. You should be somewhere in the 71000 area of memory. The loader probably starts at address 71000, so disassemble this address and look out for jumps:
We have a JMP (A5) at address 71106. This jumps into the decrunched data. Set a breakpoint at this address and exit AR. See picture above. When the game reaches address 71106, AR pops up. When AR activates, disassemble address C09F76 to check whether the BNE in the protection has been decrunched. It appears to be.
Press R to see the registers. The game wanted to jump to (A5), so A5 must be the start of the decrunched data. If we subtract the contents of A5 from the address where the BNE is located, we get the number to ADD to A5 to make it point to the BNE. Sounds complicated...
Use AR's calculator to subtract the two addresses: ? C09F76-C00120 = 9E56. Take note of this number.
Before we continue, do you want to see something sweet?
Try typing N + the address A5 points to: N C00120 + enter:
Ahhh, so sweet. I guess she wasn't a teen at that time?
Well, well, back to business.
We have to find the JMP (A5) in the main loader, so we can take over this jump and make it jump to a crack patch instead. The loader is located in the file "FF"; load it into memory starting at address 30000: LM FF,30000.
The file is located between addresses 30000 - 30C50.
Disassemble 30000 and stop when the JMP (A5) appears. Let's take over this jump and make it jump to address 100 instead, where we'll put a little crack patch. The next problem is that JMP (A5) is two bytes shorter than JMP 100.S. So instead, insert the jump at the line before (30122). Also remember to take note of the code at address 30122, as we have to restore it in our patch. Assemble 30122 and insert a JMP 100.S:
Save the file back to disk: SM FF,30000 30C50.
The next step is to find a place for our patch and a way to move it to address 100.
The boot block is always a good place to start looking. Read it into memory starting at address 70000: RT 0 1 70000. See its contents: N 70000 + enter.
We have plenty of spare bytes here. Assemble 70100 (offset $100) and code the patch:
We also have to add a routine that moves our patch to address 100. We'll put this routine at offset $C0 (700C0).
Before we do this, we have to alter the original boot code so our copy routine is called. Disassemble 7000C and hit enter a few times. 7000C seems to be suitable for this. Assemble and insert a BSR 700C0. Take note of the code you remove, as we have to restore it again. See picture above.
Assemble 700C0 and code the copy routine:
Correct the boot block checksum: BOOTCHK 70000, and write the boot block back: WT 0 1 70000.
Just press Enter at the protection screen.
Tested with extra chip and slow memory.
Dedicated to sweeet Victoria.