Submitted by: Rob
Date: 2004-10-02 14:57
© Taito Corp.
You will need the following:
1. The original game (find it on emunova.net)
2. An Amiga or WinUAE
3. Action Replay (the cartridge on a real Amiga, or its ROM image under WinUAE)
4. Pencil and paper
Start by making a copy of the original game disk. This is to determine the type of protection.
You'll notice an error on track 0. This is probably some sort of copylock.
Boot the COPY of the game. After a little while the track counter moves to 0, and shortly after that the game crashes.
This must be the protection kicking in (or a bad copy of the game...).
Boot the original game and enter AR when the track counter moves towards 0.
Press D to disassemble the running program. Hold Enter down until the bottom of the screen is reached, then use cursor up to scroll back up until the listing shown in the picture appears.
It seems that the code in this area of memory starts at address 1330C. This must be the start of the protection.
Let's check whether anything jumps into it: FA 1330C.
AR returns address 456, which makes a JSR to the protection.
Disassemble address 456 and hit Enter a few times. Let's insert a loop at address 45C so we can inspect the registers
after the protection has run. A JSR to an absolute long address is six bytes, so 45C is the instruction the protection returns to: assemble address 45C and insert a BRA 45C (see the picture above). The program now spins there forever, with the protection's result still in the registers.
Exit AR and wait a few seconds for the routine to finish. Enter AR again and press R to see the registers.
It seems we have some sort of "magic number" in D0 (4454A500 here, the value the patch below puts back). Write this down.
We need to find the protection on disk so we can alter it permanently. Before we can do this, we need something to search
for. Let's use the opcodes of the first instruction of the protection.
It started at address 1330C, so type M 1330C to see the opcodes. Write down the first eight hex digits, i.e. the first four bytes (48 E7 7F 7E). These decode to MOVEM.L D1-D7/A1-A6,-(SP): a typical subroutine prologue that saves every register except D0 and A0, consistent with D0 carrying the result.
The last track read before the protection kicked in was 8, so the protection must be located somewhere on tracks 0-8.
Read tracks 0-8 into memory, starting at address 30000: RT 0 12 30000. (The on-screen counter counts cylinders, while AR's RT and WT take hex track numbers and there are two tracks per cylinder: cylinders 0-8 are tracks 0-11 hex, so the count is 12 hex = 18 tracks.)
Search for the opcodes starting at address 30000: F 48 E7 7F 7E,30000. AR returns only one address: 45B0C.
Assemble it and insert the following code:
45B0C   MOVE.L #4454A500,D0   ; put the "magic number" in D0
45B12   RTS                   ; return
MOVE.L #imm,D0 is six bytes, so the RTS lands at 45B12. The two instructions overwrite the MOVEM and the two bytes after it; the rest of the routine is never reached, because the RTS returns first with D0 already holding the value the caller expects.
Write the tracks back: WT 0 12 30000.
The show isn't over yet, because there are still two more routines. These are located on tracks 39-40.
I found these by reading the whole disk into memory and then searching for the protection.
Read tracks 39-40 into memory, starting at address 40000: RT 4E 4 40000 (cylinder 39 is track 4E hex, and two cylinders are 4 tracks).
Search as before (F 48 E7 7F 7E,40000). AR returns two addresses: 43628 & 43E28.
Assemble these two addresses and insert the same code as for the first protection routine.
Write the tracks back: WT 4E 4 40000.
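The same RT / F / WT sequence, done offline against an ADF image instead of a floppy, as an added example that is not part of Rob's tutorial. It assumes the standard AmigaDOS geometry (512-byte sectors, 11 sectors per track, 2 tracks per cylinder, 160 tracks) and that AR's RT lays decoded tracks out consecutively in memory, which is what the tutorial's own track arithmetic implies; the disk image built in demo() is constructed here and is not the real game disk. The script encodes the MOVE.L #magic,D0 / RTS patch itself, maps the three AR addresses from the text to ADF offsets, reports every hit so you can disassemble it before patching (the MOVEM prologue is a common one, so blind patching is risky), and refuses to write overlapping patches.

```python
"""Offline equivalent of the Action Replay RT / F / WT procedure above.

Added example, not the tutorial's own code.  Geometry and opcode encodings
are standard AmigaDOS / 68000 facts; the sample image is constructed.
"""
import struct

SECTOR_BYTES = 512
SECTORS_PER_TRACK = 11
TRACK_BYTES = SECTOR_BYTES * SECTORS_PER_TRACK   # 5632 = $1600 per track
TRACKS_PER_CYL = 2                               # side 0 and side 1
TRACKS = 160
ADF_BYTES = TRACK_BYTES * TRACKS                 # 901120-byte standard ADF

# What the tutorial searches for: MOVEM.L D1-D7/A1-A6,-(SP) = 48 E7 7F 7E
SIGNATURE = bytes.fromhex("48E77F7E")
MAGIC = 0x4454A500   # value found in D0 after the original routine ran


def patch_bytes(magic: int) -> bytes:
    """Encode 'MOVE.L #magic,D0 ; RTS' -> 20 3C <imm32> 4E 75 (8 bytes)."""
    return struct.pack(">HIH", 0x203C, magic, 0x4E75)


def decode_movem_predec(mask: int) -> list:
    """Register list of MOVEM.L <list>,-(An).  In the predecrement form
    bit 15 is D0 ... bit 8 is D7, bit 7 is A0 ... bit 0 is A7."""
    names = [f"D{i}" for i in range(8)] + [f"A{i}" for i in range(8)]
    return [names[i] for i in range(16) if mask & (1 << (15 - i))]


def ar_addr_to_adf_offset(ar_addr: int, buffer_base: int, first_track: int) -> int:
    """Map an address AR reported inside an RT buffer to an ADF file offset
    (assumes RT stores decoded tracks back to back, TRACK_BYTES each)."""
    return first_track * TRACK_BYTES + (ar_addr - buffer_base)


def locate(adf_offset: int) -> tuple:
    """(track, cylinder, side, offset within track) for an ADF offset."""
    track, rem = divmod(adf_offset, TRACK_BYTES)
    cyl, side = divmod(track, TRACKS_PER_CYL)
    return track, cyl, side, rem


def find_and_patch(image: bytes, signature: bytes = SIGNATURE,
                   patch: bytes = None, apply: bool = True):
    """Find every occurrence of `signature`; overwrite each with `patch`.

    Like the AR 'A' command this writes over the signature AND the bytes
    after it (8 bytes over a 4-byte prologue); the rest of the routine
    becomes dead code because the RTS returns first.  Returns
    (patched image, hit offsets).  apply=False only reports, which is the
    sensible first run: disassemble each hit before trusting it.
    """
    if patch is None:
        patch = patch_bytes(MAGIC)
    buf = bytearray(image)
    hits = []
    pos = buf.find(signature)
    while pos >= 0:
        hits.append(pos)
        pos = buf.find(signature, pos + 1)
    for h in hits:
        if any(0 < h - other < len(patch) for other in hits):
            raise ValueError(f"hit at {h:#x} overlaps an earlier patch")
        if apply:
            buf[h:h + len(patch)] = patch
    return bytes(buf), hits


def demo():
    """Constructed image with fake routines at the offsets the tutorial's
    three AR addresses map to; returns (patched image, hits, expected)."""
    expected = [
        ar_addr_to_adf_offset(0x45B0C, 0x30000, 0x00),   # after RT 0 12 30000
        ar_addr_to_adf_offset(0x43628, 0x40000, 0x4E),   # after RT 4E 4 40000
        ar_addr_to_adf_offset(0x43E28, 0x40000, 0x4E),
    ]
    image = bytearray(ADF_BYTES)              # all-zero "disk" (constructed)
    for off in expected:
        image[off:off + 8] = SIGNATURE + bytes.fromhex("4E714E71")  # + NOPs
    patched, hits = find_and_patch(bytes(image))
    return patched, hits, expected


if __name__ == "__main__":
    print("signature =", "MOVEM.L " + "/".join(decode_movem_predec(0x7F7E)) + ",-(SP)")
    print("patch     =", patch_bytes(MAGIC).hex())
    _, hits, _ = demo()
    for h in hits:
        t, c, s, r = locate(h)
        print(f"hit at ADF offset {h:#07x}: track {t} (cyl {c}, side {s}) +{r:#x}")
```

On a real image replace demo()'s constructed disk with `open("game.adf", "rb").read()`, run `find_and_patch(img, apply=False)` first, check each hit in a disassembler, then run it again with apply=True and write the result out. The derived offsets put the first routine on cylinder 7 side 1 and the other two on cylinder 40 side 0, consistent with the tutorial's tracks 0-8 and 39-40.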
Dedicated to sweet sweet Victoria