
Remove Password protection

Category: Tutorials / Amiga / Cracking / Novella
Author: Musashi9
Submitted by: musashi9
Date: 2004-05-20 02:24

what you will need
1. original game (find here)
2. an amiga or an amiga emulator (winuae)
3. an action replay cartridge or ar3 rom image for use with winuae

once you have all these set up we shall begin

our first task is to see what type of protection this game has
so boot the original up and play for a while, notice anything pop up saying go to manual page XX line XX etc...? yes?
right, well take note of this protection, let's see if there is any disc protection, try and make a copy with XCOPY
everything ok? no errors? good
so we have a password, or what's called a Novella protection, to bypass
ok fire up the game
you should first see the paramax logo like this

and not long after you should see the dreaded password screen

hey calm down, pull yourself together, now when you download this disc from B2TR it comes with a scan of the manual but well we don't need that do we? hehehehe well let's find out, press the action replay button and type D then press enter
you will notice we are in the memory area $40000 so i assume this code we are in starts at 40000, check it out just to be sure
N 3fff0 ;if you see nothing and then some code suddenly hits at address 40000 then yeah it starts at 40000
right keep skipping down using enter until you come across some text in all that mumbo jumbo
can you see ---- PLEASE ENTER.... etc...
like in the picture above

notice the ---- hmm i see 2 of them, ok exit action replay and type 12, so on screen you should have 12--
now go back into action replay, scroll up to line 40440 then hit enter back down to where you were, and you should see ---- change to 12--

hmm ok but we have 2, hmm let's use the last one because this one has PLEASE next to it like what the black screen has
type M 4068a ;this should bring us up to the 12-- hmm interesting, let's see what code uses this
FA 4068a ,40000 ;Find Address 4068A, start searching from address 40000

we end up with 2 address points, the first is putting the original ---- at this address, hmm so let's skip that one
the second is interesting, it seems to be moving the contents of 4068a (which would be the code we entered) into D1
probably for a calculation to see if it's the correct code or not
lets see
D 4052E ;hit enter a few times to scroll down

hmm look at that CMP.L, it seems to be checking something, checking the number we entered, and below it is a BNE, so if the number is not right it must loop back for fresh numbers, right so let's remove that BNE and see what happens
A 40538 ;hit enter once
then type
NOP ;hit enter once
NOP ;hit enter twice
now exit action replay and finish the numbers, 1234 or anything you want, and press enter
oh my gawd the game starts to load hehehehhe :) cool eh
but hmm we need to change this for good

so fire up action replay ,type
RT 0 01 050000
let's see what happens at address 40000 because we know this is where the code gets loaded to, so type
FA 40000 50000
we end up with 2 points

i think this is a decrunch routine so the loader must be packed, let's have a look at address 50a46 so type
N 50A46
scroll down hmmm ok we have some empty space here, at address 50DC6 type
HERE ;then press enter
why are we doing this? well you will soon find out
let's write this back to disc
WT 0 01 050000
reboot and when you get to the protection screen load action replay again
F 48 45 52 45 ;find the hex value for the letters HERE
once its done we end up with an address

take note of this address 5EDC6
right read in track 01 again type
RT 0 01 50000
and what we want to do here is put in a small patch that writes our NOP NOP to address 40538 after the loader has decrunched
remember the JSR 40000 was located at 50A46, this is the jump into the loader after it has unpacked
so lets edit this type
A 50A46 ;hit enter once
then type
JSR 5EDC6 ;jump to our patch then press enter twice
now lets code a patch

A 50DC6 ;remember this is where we put the HERE text, we will use this for our patch
then type
MOVE.L #4e714e71,40538 ;put NOP NOP at address 40538 ..hit enter once
JMP 40000 ;we replace the original jump after our patch has executed ..hit enter twice
right that should be it, let's write back to disk and find out

WT 0 01 050000
and reboot
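As an added illustration (not code from this tutorial or from the game): a small Python model of what the patch does to the loaded code, alongside two checks a protection author could have shipped against it, a CRC over the code region and a scan for NOP runs where a branch used to be. Only the addresses, the NOP opcode and the CMP.L/BNE idea come from the tutorial; the opcode bytes and displacement are constructed.

```python
import struct
import zlib

# Constructed illustration; only BASE, CHECK_ADDR and the NOP opcode come from
# the tutorial. The opcode bytes and displacement below are made up.
BASE = 0x40000        # where the decrunched loader lands
CHECK_ADDR = 0x40538  # address of the BNE that follows the CMP.L
NOP = 0x4E71          # 68000 NOP; the tutorial writes 0x4e714e71 here

def build_image() -> bytearray:
    """4 KiB code image with a CMP.L / BNE.W pair at the tutorial's offsets."""
    img = bytearray(0x1000)
    # CMP.L D1,D0 (0xB081) at 0x40536, then BNE.W (0x6600 + 16-bit displacement).
    struct.pack_into(">HHH", img, CHECK_ADDR - BASE - 2, 0xB081, 0x6600, 0xFF00)
    return img

def apply_novella_patch(img: bytearray, addr: int = CHECK_ADDR) -> None:
    """Same effect as the tutorial's MOVE.L #4e714e71,40538: the BNE becomes NOP NOP."""
    struct.pack_into(">HH", img, addr - BASE, NOP, NOP)

def code_checksum(img: bytearray) -> int:
    """Mitigation: CRC32 over the loaded code. A loader that compared this with a
    stored value before running the check would notice the overwritten branch."""
    return zlib.crc32(bytes(img))

def find_nop_runs(img: bytearray, min_words: int = 2) -> list:
    """Detection: addresses of >= min_words consecutive NOPs, the usual
    fingerprint of a branch that has been NOPed out."""
    words = struct.unpack(f">{len(img) // 2}H", bytes(img)) + (0,)  # sentinel
    hits, run_start = [], None
    for i, w in enumerate(words):
        if w == NOP:
            run_start = i if run_start is None else run_start
            continue
        if run_start is not None and i - run_start >= min_words:
            hits.append(BASE + run_start * 2)
        run_start = None
    return hits

def branch_intact(img: bytearray, addr: int = CHECK_ADDR) -> bool:
    """True while the word at addr still decodes as a 68000 Bcc (0x6xxx), e.g. BNE."""
    (op,) = struct.unpack_from(">H", img, addr - BASE)
    return (op & 0xF000) == 0x6000

if __name__ == "__main__":
    img = build_image()
    before = code_checksum(img)
    apply_novella_patch(img)
    print(before != code_checksum(img), [hex(a) for a in find_nop_runs(img)])
```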

once again we are faced with the password screen, so try it out, type a number and press enter and see what happens
it works hmm, reboot just in case you entered a lucky number and try again hehehe
wow it works again cool
now go kick some alien butt

me thinks this game needs a trainer hint hint cough cough

2004-05-20 16:06

1. WayneK writes

Nice tut...

As for the trainer, there are 3 trained versions already in TOSEC, 1 crap one by AFL, and 2 decent trainers which cover most/all possible options by ZENITH and BACKLASH... so, no need to make more work for yourself :)