Submitted by: xyzzy
Date: 2012-01-14 07:26
Ocean 1989
Required items
2) An Amiga or WinUAE (I’m using WinUAE)
3) X-Copy or your favorite copier.
4) Beermon or your favorite monitor.
5) Pencil and paper
6) Blank disks, if you use a real Amiga.
Given that this game was cracked over twenty years ago and the cracks/SPS originals are readily available on the Internet, we are not doing a disservice to anyone by analyzing the code. This is for educational purposes only and at your own risk and volition.
Make a copy of the disk using X-Copy to see what we are facing.
There appears to be a single-track protection on track 1. Let’s boot the copy and see what happens. It shows the Ocean logo; press F1 for a one-player game.
It loads for a while and then crashes. Listing the directory shows that it is a standard AmigaDOS disk. The startup-sequence loads a file called volley. Load volley into memory at $40000 and disassemble it, as shown in the code below. The first bytes, up to about $40020, are the AmigaDOS executable (hunk) header.
Looking at the code, it opens dos.library with exec’s OldOpenLibrary (JSR -198(A6)), opens intro.code (JSR -1E(A6), Open), reads it (JSR -2A(A6), Read) to $23000 in memory and closes the file (JSR -24(A6), Close). JSR -19E(A6) closes the library (CloseLibrary) and the code then jumps to $23000.
You can see a lot by displaying it as ASCII.
Load intro.code at $23000 and disassemble it. Since it uses AmigaDOS, we can search for system calls: $4EAE is the first word of the JSR -xx(A6) opcode, so every library call shows up as 4EAE followed by the signed 16-bit offset into the library’s jump table.
The code below loads volley.code at address $25000. The code at 2475E copies $50 words from 2477A to $70000 and jumps to $70000, so the text dos.library ends up at 70078 and the text df0:volley.code at 70084.
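The search for 4EAE described above can be scripted rather than done by eye in the monitor. The following is an added example (my code, not part of the original tutorial): it scans a raw 68000 image for JSR d16(A6) and for JSR/JMP abs.L, decodes the displacement as a signed word and labels the common exec and dos.library offsets. The image and its base address are constructed for illustration and are not bytes from the game; the LVO values are the standard AmigaOS ones.

```python
import struct

# Constructed sample of the kind of loader code the text describes.
# NOT the game's bytes; the base address is assumed for illustration.
SAMPLE_BASE = 0x23000
SAMPLE = bytes.fromhex(
    "4EAEFE68"      # JSR  -$198(A6)   exec OldOpenLibrary
    "2C40"          # MOVE.L D0,A6     dos base now in A6
    "4EAEFFE2"      # JSR  -$1E(A6)    dos Open
    "4EAEFFD6"      # JSR  -$2A(A6)    dos Read
    "4EAEFFDC"      # JSR  -$24(A6)    dos Close
    "4EAEFE62"      # JSR  -$19E(A6)   exec CloseLibrary (real code reloads A6
                    #                  with the exec base first; omitted here)
    "4EF900023000"  # JMP  $23000.L
)

# Standard library vector offsets (negative displacements from the library base).
KNOWN_LVOS = {
    -0x198: "exec/OldOpenLibrary",
    -0x19E: "exec/CloseLibrary",
    -0x228: "exec/OpenLibrary",
    -0x1E: "dos/Open",
    -0x24: "dos/Close",
    -0x2A: "dos/Read",
    -0x30: "dos/Write",
    -0x54: "dos/Lock",
}


def find_library_calls(image, base=0):
    """Return [(address, displacement)] for every word-aligned JSR d16(A6),
    i.e. the opcode word $4EAE followed by a signed 16-bit displacement."""
    calls = []
    for off in range(0, len(image) - 3, 2):     # 68k opcodes are word aligned
        if image[off] == 0x4E and image[off + 1] == 0xAE:
            (disp,) = struct.unpack(">h", image[off + 2:off + 4])
            calls.append((base + off, disp))
    return calls


def find_abs_jumps(image, base=0):
    """Return [(address, mnemonic, target)] for JSR abs.L ($4EB9) and JMP abs.L ($4EF9),
    the form the text later shows as JSR $31B90."""
    out = []
    for off in range(0, len(image) - 5, 2):
        (op,) = struct.unpack(">H", image[off:off + 2])
        if op in (0x4EB9, 0x4EF9):
            (target,) = struct.unpack(">I", image[off + 2:off + 6])
            out.append((base + off, "JSR" if op == 0x4EB9 else "JMP", target))
    return out


def describe(calls):
    """Monitor-style lines: address, the JSR as written, and the LVO name if known."""
    return [f"{addr:05X}: JSR -${-disp:X}(A6)  ; {KNOWN_LVOS.get(disp, 'unknown LVO')}"
            for addr, disp in calls]


if __name__ == "__main__":
    for line in describe(find_library_calls(SAMPLE, SAMPLE_BASE)):
        print(line)
    for addr, mn, target in find_abs_jumps(SAMPLE, SAMPLE_BASE):
        print(f"{addr:05X}: {mn} ${target:X}")
```

Two caveats apply to this, exactly as to a manual byte search: the displacement alone does not tell you which library A6 holds at that point (the same code calls exec and then dos through A6), so read the surrounding MOVE.L D0,A6 to be sure; and a word pattern of 4EAE can also occur inside data or an immediate operand, so confirm each hit in the disassembly before trusting it.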
Load volley.code in at address 25000 and disassemble.
The move of 25600 to address 80 followed by the TRAP #0 is very interesting: 80 is the TRAP #0 exception vector, so after the trap the code at 25600 is running in supervisor mode.
This is the protection loop: it decrypts the TVD (trace vector decoder) at 7EFE4 (JSR $31b90), calls it (JSR (A0)) and compares D0 with FF7EEFAB on return. The magic number for this game is FF7EEFAB. You can see the TVD code by loading volley.code at 25000, setting a breakpoint at 2561c and jumping to 25000. The RNC (Rob Northen) Copylock TVD sits at 7EFE4; it reads the Copylock track and generates the magic number.
We could change the compare to a move and add NOPs as required. However, the game crashed when I did this. Searching for 2563A in volley.code turned up a compare at 28FAE, so the game checks that the compare instruction itself is intact.
As usual, there are a myriad of ways to bypass this. Probably the best is a patch that returns everything to its original state and ensures that the word $0C80 (the first word of the original CMPI.L, which the check at 28FAE looks for) is still at address 2563a. Looking at the code at 2561c, we can write a patch at 25646 and call it with a JSR replacing the JSR $31b90; our code is then erased after it has run by the clr and dbf loop at 25626/25628. Alternatively, the patch can be placed in an unused part of memory and jumped to. We’ll insert a patch where the TVD code would be, at 7EFE4, that moves the magic number into D0, moves D0 into address 24 and then returns with RTS. You could even replace the TRAP #0 at 25030 with a NOP, but this is dangerous, as there may be further calls or checks (e.g. a check of address 24). To be thorough, we could also decrypt the real TVD so that it is in memory for any later checks, with a JSR $31B90 at the start of our patch, but as far as I can tell this is not necessary.
The above shows the full code to patch the TVD. The JSR at 25616 is changed and the code at 25646-2566E is added; it could use a dbra loop to copy the bytes rather than the list of moves. The patched code at 7EFE4, which the moves at 2564c-25658 set up, will be:
Move.l #FF7EEFAB,D0 – sets D0 for the compare check
Move.l D0,24 – stores the magic number in the trace vector address, as the Copylock does
RTS
The instructions at 2565c–2566e reset the JSR that we changed back to 31B90 and reset address register A1 to 7EFE4.
Once you’ve assembled the patch in memory, you can save it back to disk using the method shown in the Sidewinder tutorial. Assemble the replacement JSR with N 25616; the code at 25646 can be entered in the same way. Then delete volley.code from the disk (del volley.code) and save the patched code (S volley.code 25000 31f16).
Let’s train the game and see whether our changes work correctly. Disassemble volley.code and scan through the code. At 250BA there are two moves, to 3063c and 3063e.
Searching for address 3063c shows that it is compared with 7, and the number of points needed to win a game is seven, so these could be the player 1 and player 2 scores.
By modifying the two moves to different numbers of points and restarting, you can confirm that 3063c is player 1’s score and 3063e is player 2’s score.
There is also a move at 25042 to 25b70. Searching for address 25b70 reveals compares against 1 through 9, which could be the level. Change the move to 25b70 to 2 (e.g. MOVE.W #2,($25b70)) and reboot the game. Sure enough, you start at level 2 in America. To play the game right the way through, change the move to 3063c at 250ba to insert 7 (e.g. MOVE.W #7,($3063c)). Each time a venue appears, let the computer win one point; the game then checks the scores to see whether any player has seven points and sends you on to the next stage, until the final stage is won and the game restarts. So the patch works for one player. It has also been tested with the two-player game and seems to work.
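The copylock patch described above (the stub at 7EFE4, the installer at 25646 and the retargeted JSR at 25616) and the trainer edits to the MOVE.W immediates can be produced from a script instead of typed into the monitor instruction by instruction. The following is an added example written for this page; it is my code, not the tutorial’s own listing, and the game image it patches is a constructed stand-in (NOPs with the instructions the text names at the addresses it gives). The installer sequence (LEA, three MOVE.L #imm,(A1)+, a MOVE.L that restores the JSR target, LEA, RTS) is my reconstruction of the layout the text describes for 25646-2566E and is not taken from the page; the use of A1 follows the text, but the page does not show the bytes.

```python
import struct

# Values the text gives for this game.
MAGIC = 0xFF7EEFAB       # what the TVD must leave in D0
TRACE_VECTOR = 0x24      # trace exception vector; the text says Copylock stores the key there
TVD_ADDR = 0x7EFE4       # where the decrypted TVD would sit
JSR_ADDR = 0x25616       # the JSR $31B90 that decrypts the TVD
DECRYPT_ADDR = 0x31B90
PATCH_ADDR = 0x25646     # space the text uses for the patch (cleared later by the game's own loop)
FILE_BASE = 0x25000      # volley.code load address

# Minimal 68000 encoders for the few instruction forms needed (big-endian words).
RTS = b"\x4e\x75"
NOP = b"\x4e\x71"

def jsr_abs_l(addr):                    # 4EB9 <addr>           JSR addr.L
    return struct.pack(">HI", 0x4EB9, addr)

def lea_abs_l(addr, areg):              # 41F9|An<<9 <addr>     LEA addr.L,An
    return struct.pack(">HI", 0x41F9 | (areg << 9), addr)

def move_l_imm_dreg(value, dreg):       # 203C|Dn<<9 <imm>      MOVE.L #imm,Dn
    return struct.pack(">HI", 0x203C | (dreg << 9), value)

def move_l_dreg_abs_w(dreg, addr):      # 21C0|Dn <addr.w>      MOVE.L Dn,addr.W
    return struct.pack(">HH", 0x21C0 | dreg, addr)

def move_l_imm_postinc(value, areg):    # 20FC|An<<9 <imm>      MOVE.L #imm,(An)+
    return struct.pack(">HI", 0x20FC | (areg << 9), value)

def move_l_imm_abs_l(value, addr):      # 23FC <imm> <addr>     MOVE.L #imm,addr.L
    return struct.pack(">HII", 0x23FC, value, addr)


def assemble_stub(magic=MAGIC):
    """The TVD replacement the text describes: MOVE.L #magic,D0 / MOVE.L D0,$24 / RTS."""
    return move_l_imm_dreg(magic, 0) + move_l_dreg_abs_w(0, TRACE_VECTOR) + RTS


def assemble_installer(areg=1):
    """Run-time installer called in place of JSR $31B90 (reconstruction, see lead-in):
    write the stub over the TVD location, restore the JSR target, leave An -> TVD."""
    stub = assemble_stub()
    assert len(stub) % 4 == 0, "stub is copied as longwords"
    code = lea_abs_l(TVD_ADDR, areg)
    for i in range(0, len(stub), 4):
        (word,) = struct.unpack(">I", stub[i:i + 4])
        code += move_l_imm_postinc(word, areg)
    code += move_l_imm_abs_l(DECRYPT_ADDR, JSR_ADDR + 2)   # put $31B90 back into the JSR
    code += lea_abs_l(TVD_ADDR, areg)                      # text: reset A1 to 7EFE4
    return code + RTS


def build_sample_image():
    """Constructed stand-in for volley.code (NOT the game's bytes)."""
    img = bytearray(NOP * 0x380)                            # 0x700 bytes of NOP
    def put(addr, hexstr):
        off = addr - FILE_BASE
        img[off:off + len(hexstr) // 2] = bytes.fromhex(hexstr)
    put(0x25042, "33FC000100025B70")    # MOVE.W #1,($25B70).L   level
    put(0x250BA, "33FC00000003063C")    # MOVE.W #0,($3063C).L   player 1 score
    put(0x250C2, "33FC00000003063E")    # MOVE.W #0,($3063E).L   player 2 score
    put(0x25616, "4EB900031B90")        # JSR $31B90.L           TVD decrypt call
    return img


def apply_protection_patch(img, base=FILE_BASE):
    """Retarget the JSR at 25616 to the installer and place the installer at 25646.
    Returns the first address after the installer (should stay inside the free area)."""
    off = JSR_ADDR - base
    if img[off:off + 6] != jsr_abs_l(DECRYPT_ADDR):
        raise ValueError(f"expected JSR ${DECRYPT_ADDR:X} at {JSR_ADDR:#x}")
    img[off:off + 6] = jsr_abs_l(PATCH_ADDR)                # same length: nothing shifts
    inst = assemble_installer()
    poff = PATCH_ADDR - base
    img[poff:poff + len(inst)] = inst
    return PATCH_ADDR + len(inst)


def set_move_w_immediate(img, base, at, value):
    """Change n in MOVE.W #n,(abs).L (33FC nnnn <abs>); return (old n, abs) for checking."""
    off = at - base
    if img[off:off + 2] != b"\x33\xfc":
        raise ValueError(f"no MOVE.W #imm,(abs).L at {at:#x}")
    old, dest = struct.unpack(">HI", img[off + 2:off + 8])
    img[off + 2:off + 4] = struct.pack(">H", value)
    return old, dest


def train(img, level=2, p1_points=7):
    """The trainer edits from the text: start level and player 1's starting score."""
    return (set_move_w_immediate(img, FILE_BASE, 0x25042, level),
            set_move_w_immediate(img, FILE_BASE, 0x250BA, p1_points))


if __name__ == "__main__":
    image = build_sample_image()
    print(f"installer ends at {apply_protection_patch(image):X}")
    print("trainer:", train(image))
    print("stub:", assemble_stub().hex())
```

Each patch function checks the opcode it expects before writing, which is the safeguard the monitor does not give you: a wrong address silently turns some other instruction into garbage. The replacement JSR is the same six bytes long as the original, so nothing after 25616 moves and the word $0C80 at 2563a that the check at 28FAE looks for is untouched.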