Submitted by: Rob
Date: 2005-07-04 09:46
Trolls - ECS
© Flair Software
You will need following:
1. Original game
2. An Amiga or WINUAE
3. AR or ROM image
4. Pencil and paper
NOTE! Some addresses may differ on your computer.
Start by making a copy of original game disks. Everything seems ok, so this is probably not a disk-based protection. After some loading, a screen similar to this appears:
Type something in, let's say "VICTORIA". Enter AR and search for the string "VICTORIA": FS "VICTORIA".
AR returns address C1B95C. This is a bit interesting, as the address is part of my expansion memory. This tells us that the game does not only use fixed addresses.
Check what else the game does with address C1B95C: FA C1B95C C00000. AR returns three addresses. Try disassembling the second address and hit enter a few times.
We have to alter two lines of code here. We have a compare routine at address C004E4. If it fails, C004E8 branches to C004F2 and subtracts 1 from the attempts counter. When you have tried three times, you are just returned to the title screen.
We have to NOP out the BNE at C004E8.
We also have a compare routine at C004EA. If this passes, C004EE branches on with the game. We need to change this BEQ (branch if equal) to a BRA (branch always). In this way, the game will continue no matter what we type in.
The BEQ opcode starts with the byte 67; if we change this to 60, the BEQ turns into a BRA instead. Game files are crunched, so we can't just alter them on disk. We have to find a way to patch the decrunched files before they are executed.
Insert disk 1. Start by reading boot block into memory, starting at address 70000: RT 0 1 70000. Disassemble start of boot code and hit enter a few times:
The boot block moves a small amount of data into memory and executes it. Line 7005C executes the data with the JMP (A3).
Let's change this to a loop routine and boot the game. Do the following:
Reboot and enter AR when the game hangs. Press "R" to see the registers. The game jumped to what A3 pointed to.
Disassemble the address A3 points to (59E8) and hit enter a few times. Address 5AEC seems interesting, as it's jumping into some data. We'd better take over this jump and make it jump to a crack patch instead, so we can access the decrunched data. The JMP 10400 at address 5AEC is not at a fixed address; its location depends on the value of A3.
We can calculate where it will appear by subtracting address 59E8 (A3) from 5AEC (the JMP). If we add the result to A3, A3 will point to the JMP 10400. Use AR to do the calculation: ? 5AEC-59E8 = $104. Take note of this number.
We want to change address 5AEC to JMP C0.S. We'll then start our crack patch at this address. Assemble address 5AEC and insert the JMP C0.S. See the opcodes for it with: M 5AEC. Take note of the first long word of opcodes.
Reboot the game and enter AR when it hangs. Insert a loop routine at address 5AEC and continue the game by jumping to (A3):
Enter AR when the game hangs. At this point, the game wanted to jump to address 10400, so disassemble this address and hit enter a few times. We are looking for jumps that execute the decrunched data. The jump we are looking for is probably jumping to the contents of one of the address registers, as the game uses expansion memory.
Address 106BC seems interesting, as it jumps to the address A0 points to.
Stick a breakpoint at address 106BC and jump to address 10400 to continue the game, see picture above. When the game wants to execute the decrunched data, AR will pop up. When this happens, try disassembling address C004CE to check if the protection is decrunched.
We have to take over the JMP (A0) at address 106BC. We'll make it jump to address D0.S instead. The problem is that our new jump is two bytes longer than JMP (A0), so we have to insert our jump at the address before it, 106B6.
Take note of the code at address 106B6, as we have to restore it in our patch.
We need the opcodes for JMP D0.S, so follow the steps shown in the picture and take note of the opcodes marked in red.
The next step is to determine how to insert a NOP and a BRA in the protection. The BNE appeared at address C004E8 and the BEQ at C004EE. The game code starts at the address A0 points to, so press "R" to see the registers.
Work out the distance from the start of code at C00100 to address C004E8, and likewise to address C004EE, see picture above. If we add each result to A0, we have the corresponding address to patch.
We now have all the information needed to crack the game.
Insert disk 1 and read the boot block into memory, starting at address 70000: RT 0 1 70000. If there are spare bytes here, we'll put the patch on the boot block:
Plenty of free space?
Assemble offset $100 and code the patch:
70100; MOVE.L #4EF800D0,106B6; change address from JMP (A0) to JMP D0.S
7010A; JMP 10400; jump we took over
70110; MOVEA.L 00000000,A0; this will appear at address D0, restore code we removed in game
70116; ADDA.L #3E8,A0; add #3E8 to A0, so it points to the BNE we want to remove
7011C; MOVE.W #4E71,(A0); NOP out BNE
70120; SUBA.L #3E8,A0; subtract #3E8 from A0, restoring it to its original value
70126; ADDA.L #3EE,A0; add #3EE to A0, so it points to the BEQ
7012C; MOVE.B #60,(A0); change BEQ to BRA
70130; SUBA.L #3EE,A0; subtract #3EE from A0, restoring it to its original value
70136; JMP (A0); jump we took over, jump to game
The next step is moving our patch to address C0. Remember the loop routine we inserted in the boot block? Let's alter this to BRA 700C0 and put a copy routine at offset $C0 to move our patch into memory.
Assemble 700C0 and code the copy routine and first part of crack-patch:
700C0; LEA C0,A0; dest. address for data
700C6; LEA 70100(PC),A1; copy data from offset $100 on disk
700CA; MOVE.W #200,D7; amount to copy
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; ADDA.L #104,A3; add #104 to A3, so it points to JMP 10400
700DA; MOVE.L #4EF800C0,(A3); insert JMP C0 at the address A3 points to
700E0; SUBA.L #104,A3; subtract #104 from A3, restoring it to its original value
700E6; JMP (A3); jump to loaded data
Correct boot block checksum: BOOTCHK 70000
Write boot block back: WT 0 1 70000.
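The BOOTCHK step above is needed because the Amiga boot block carries its own checksum: the ROM refuses to boot a block whose checksum does not match, so any edit to the block (a patch like this one, or a boot block virus) has to be followed by recomputing it. The following Python is an added example, not code from the page or from Flair Software; it implements the standard boot block checksum (256 big-endian longwords with end-around carry, the checksum field at offset 4 counted as zero, result complemented) and shows why the checksum alone is no integrity check: a modified block fails verification only until its checksum is re-stamped, so a defender comparing disk images must diff against a known-good copy rather than trust a block that "checks out". The sample block is constructed inline.

```python
import struct

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors, i.e. 256 longwords
CHECKSUM_OFFSET = 4            # longword 1 holds the checksum


def bootblock_checksum(block: bytes) -> int:
    """Compute the Amiga boot block checksum for a 1024-byte block.

    Sums every longword with end-around carry (a carry out of bit 31 is added
    back in), treats the checksum field itself as zero, and returns the one's
    complement of the sum.
    """
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == CHECKSUM_OFFSET:
            continue                      # checksum field counts as zero
        total += struct.unpack_from(">I", block, offset)[0]
        if total > 0xFFFFFFFF:            # carry out of 32 bits wraps around
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def stored_checksum(block: bytes) -> int:
    """Return the checksum currently written in the block."""
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]


def is_valid(block: bytes) -> bool:
    """True when the stored checksum matches the recomputed one (ROM would boot it)."""
    return stored_checksum(block) == bootblock_checksum(block)


def with_checksum(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum stamped in (what BOOTCHK does)."""
    out = bytearray(block)
    struct.pack_into(">I", out, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(out)


def make_sample_bootblock() -> bytes:
    """Constructed sample: 'DOS\\0' signature, root block pointer 880, a few filler bytes."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)
    block[12:16] = bytes.fromhex("43FA003E")   # constructed filler, not real boot code
    return with_checksum(bytes(block))


def differs_from_known_good(candidate: bytes, known_good: bytes) -> bool:
    """The actual integrity check: compare code bytes against a trusted copy.

    The checksum field is skipped because a re-stamped checksum is expected to
    differ once anything else in the block has changed.
    """
    return any(
        candidate[i] != known_good[i]
        for i in range(BOOTBLOCK_SIZE)
        if not CHECKSUM_OFFSET <= i < CHECKSUM_OFFSET + 4
    )


if __name__ == "__main__":
    good = make_sample_bootblock()
    print("checksum of sample: %08X, valid: %s" % (stored_checksum(good), is_valid(good)))

    patched = bytearray(good)
    patched[12] ^= 0x07                         # simulate a one-byte patch to the code
    print("after patch, checksum valid:", is_valid(bytes(patched)))
    patched = with_checksum(bytes(patched))     # equivalent of BOOTCHK 70000
    print("after re-stamping, checksum valid:", is_valid(patched))
    print("differs from known-good copy:", differs_from_known_good(patched, good))
```

Running the script shows the three states a defender cares about: the untouched block validates, the patched block fails until its checksum is recomputed, and after re-stamping it validates again even though it is no longer the original, which is exactly why the comparison against a known-good image is the check that matters.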
When the protection screen appears, just press enter.
As usual, dedicated to sweet Victoria.