Submitted by: Rob
Date: 2004-10-02 15:11
Monopoly (Leisure Genius)
You will need following:
1. Original game (find it on emunova.net)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Note! Addresses may differ on your computer.
Start by making a copy of the original game disks. This is to determine the type of protection.
You'll notice an error on track 0. This is probably some sort of copylock.
Boot the copy of the game to see how the protection reacts. After some loading, the track counter moves to 0 and hangs there.
This must be the protection kicking in, since the original game continues past this point.
Enter AR and press D then Return a few times. This disassembles the program that is currently running.
Something like this should appear:
1D55C  TST.B D6      ; check whether the low byte of D6 is 00
1D55E  BNE 1D55C     ; if not equal, branch back to 1D55C
The routine loops until the low byte of D6 is 00. Let's look at the registers; press R to do so. You'll notice that the last digit
of D6 is not 0. Set register D6 to 6E00 with: R D6 6E00. Exit AR and see what happens.
Enter AR, disassemble from address 1D55C and continue until the bottom of the screen is reached. Scroll up with cursor up.
We do this to get an overview of the code.
Address 1D552 probably jumps to the protection routine. When it returns, the value in D0 is copied to D6.
Before we can find the protection routine on disk, we need a byte sequence to search for.
A logical choice is something from the start of the protection routine itself.
Address 1D552 does a JSR 1D622 into the protection. Disassemble address 1D622 and hit Enter a few times.
Address 1D622 jumps to address 272F4.
Disassemble address 272F4 and hit Enter a few times. This must be the start of the protection. Show the opcodes of the
first instruction with: M 272F4. Take note of the first four bytes (eight hex digits): 48 E7 7F 7E.
The protection is located in a file called 'Monopoly'. Read it into memory starting at address 30000: LM MONOPOLY,30000
Find the start of the protection by searching for those opcodes from address 30000 onwards: F 48 E7 7F 7E,30000
AR returns one address: 3A02C. Assemble at this address and insert the following code:
3A02C  MOVE.W #6E00,D0   ; put the 'magic number' into D0
3A030  RTS               ; return
Save the memory back, overwriting the original file: SM Monopoly,30000 5F26C
Dedicated to sweeeet Victoria