Nigel Mansell

Hits: 1440

Cracking codewheel protection on Nigel Mansell's World Championship

Category: TutorialsAmigaCrackingNovella
Author: Wayne Kerr
Submitted by: WayneK
Date: 2004-05-23 19:07
No tags

Amiga cracking: Nigel Mansell's World Championship (c) 1992 Gremlin

[0] Introduction
[1] Bypassing the codewheel protection
[2] Make the patch permanent
[3] Final words

.-=[ [0] Introduction ]=-.
Things you will need:
1. The original of "Nigel Mansell's World Championship (c) 1992 Gremlin" (2 disks, not AGA or a budget re-release). The CAPS version (numbered 0137) is the
one I've used here.
2. An Amiga or a copy of UAE.
3. An Action Replay 3 cart (or ROM image for use w/ UAE above).

Ok, first things first, let's quickly try to make a copy of the Game Disk (disk one) and see if there's any disk copy-protection. Fire up XCopy and you should

No errors, and the disk copy boots perfectly... but before you think this is the shortest tutorial in history, continue letting the game load...and you see this:

So what we have here is a codewheel protection scheme, using a cheap cardboard wheel w/ inner/outer rings that you rotate to show a particular code-number.
But what if we've lost the codewheel, how on earth can we play this really awful racing game? It's time to start...

.-=[ [1] Bypassing the codewheel protection ]=-.
At this stage, we test to see what input the code protection scheme takes...and we find that we are limited to a 3-digit code. We know that the game is storing
the digits we enter somewhere, presumably in ascii format since it's echoing them back to us onscreen, so let's use this to hunt down the location of our
entered code in memory.

We enter a 3 digit code, but don't press return: 691 Press the AR button, and then search for this string in memory using the following command:
F "691"
Only 1 occurence found, this is a good sign! Let's check out memory at this location:

So we can be reasonably sure that this is where the game stores our entered code, and will later read it from in order to validate our entry.
NOTE: remember this game is relocatable, so if the locations you see in the pictures don't exactly match the values you find, substitute your addresses
where required!

Now let's use the Action Replay to find code that references the location we discovered above:

NOTE: Check the registers using the "R" command before you do this search, if one of the registers points to the location you found the string at you will be
flooded with false this case simply alter the register temporarily, for example if A0 pointed to the reference, change it by doing:
R A0 12345678
then perform the search, and then change A0 back to it's original value.

We should have 3 references as shown in the picture above, and we can disregard the first one since it's writing 7f into our location (so it's obviously not
reading our codenumber from there). Let's take a closer look at the other 2 bits of code that reference our codenumber memory-location.

Looks like we're in the right place, take a look at the code at the last reference we found (comments are in italics below each line):

00C0A64A : LEA.L 00C107E9,A0 ;A0 points to code we entered
00C0A650 : MOVE.L #00000000,D0 ;clear D0
00C0A652 : MOVE.B (A0)+,D1 ;copy one byte from our codenumber into D1, and increment A1 to point to the next one
00C0A654 : BEQ.B 00C0A66A ;branch if the last byte we read was zero
00C0A656 : CMP.B #7F,D1 ;7F is an 'end of code' marker used by the game
00C0A65A : BEQ.B 00C0A66A ;branch if we've reached marker byte.
If you set a breakpoint on the next instruction, you will end up here when you press return after you entered a 3-digit code:
00C0A65C : SUB.B #30,D1 ;ascii-adjust value (subtract 30 turns "0" into 00, "1" into 01, etc.)
00C0A660 : EXT.W D1 ;extend to a word (clears high-byte of word)
00C0A662 : MULU.W #000A,D0 ;D0 * 0a (10), kept as rolling sum of code we entered
00C0A666 : ADD.W D1,D0 ;add next code byte to rolling total...
00C0A668 : BRA 00C0A652 ;and loop until we've done this for the 3 digits in the code
So the 3 digits we entered are converted to their numerical values (from the ascii values), multiplied by 10 and added to the previous total. Now we're looking for something that checks this calculated value, and we don't have far to look :) In fact, it's the next instruction:
00C0A66A : CMP.B (A5,023A),D0 ;Compare the value calculated based on our code-entry, with some value
00C0A66E : BEQ.W 00C0A684 ;Branch if they are equal
Let's change the code here to always branch, and see if it works!

So now the code above is patched to always branch, let's return to the game and
see what, it works! Now all we have to do is...

.-=[ [2] Make the patch permanent ]=-.
So, normally we would just load the track/file that contains the code we want to patch, byte-patch it, and we're finished...however, if we look for the bytes we
need to change in order to make our permanent patch, they're not found in any of the files on the disk. The most obvious reason for this is that the files are
packed, and sure enough this is the case!
If we look at s:startup-sequence on the disk, we can see that the maingame file is called "mansell", and when we load this into a hex-editor (I use NewZAP) we
see the tell-tale signature early in the file:
524E4301, or if you prefer "RNC",01
This is the signature for data packed with the "Rob Northen Cruncher", in this case using mode 1 (slower decrunch, but higher compression than mode 2). Rob's
packer was officially called "ProPack", and luckily for us the "xfdmaster" decrunch library supports unpacking these files. Of course, we already have a
copy of xfdDecrunch, so we run that and unpack the mansell executable from the game disk and write it to a backup floppy.
if you dont have XDFMASTER then you can use the acutal ProPack util find it here RNC PROPACK
Now we load this decrunched amiga executable into NewZAP, and search for some bytes around the code we want to patch, I chose:
which are the opcodes for the TST.W 278(A5) instruction that comes immediately after the BEQ instruction we want to patch to a BRA.
Aha, success...we've found them:

We know that the 67000014 before the found value, is the opcode we want to change, so let's do it... using your hex-editor, modify the 67 byte to 60, and
that's it - Nigel Mansell's World Championship is cracked. By changing this instruction:
00C0A66E : BEQ.W 00C0A684
into this:
00C0A66E : BRA.W 00C0A684
we have forced the game to accept our code whatever the result of the comparison, and the game loads as expected.

.-=[ [3] Final words ]=-.
Now you should pack the modified executable with whichever amiga executable packer you feel like using or just use PROPACK , and replace the "mansell" exe on your backup copy
with the newly cracked & packed one... and that's it, codewheel bypassed.Not a very interesting crack really, but it does give us some things to look for
when we're cracking future codewheel/manual protections:
1. Search for your onscreen input in memory, then search for references to this to track down the code that manipulates your entry.
2. Games usually limit you to a specific number of attempts at entering the correct code - we can take advantage of this by using "trainer" techniques and finding this counter, and therefore the protection code that modifies this value when we fail to get the correct code.
Ok, I'm sorry this tutorial isn't very interesting, but my excuse is that it can
only be as 'good' as the protection being described :)

-Wayne Kerr, May 2004

Powered by the best online Amiga mod player: FLOD

Some more you may like:



Leave a Comment!

: Use this calculator
Your comment will be available for editing for 10 minutes
2004-05-25 01:02

1. musashi9 writes

Fantasitc Tutorial ,ive included a link to ProPack for depacking and packing the amiga exe ,incase people dont have XDFMaster
2007-02-28 15:12

2. Mr.Q writes

Cracked my first Amiga game to day thanks to bits of this tut.
Thx alot WayneK and u other dudes here.