Submitted by: Rob
Date: 2004-12-19 23:15
1. Original game (find it on emunova.net)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Note: addresses may differ on your computer.
Start off by making a copy of the original game disk. You'll notice that something is wrong on track 79: it can't be duplicated correctly, so we are probably dealing with a disk-based protection.
The protection probably works by checking track 79 and, if it is the original track, a certain value is passed through a register, similar to an RNC.
Boot the original game and enter AR when the track counter moves towards track 79 (the protection track). The game is probably somewhere in the protection routine. Press D to disassemble the current memory and hold Enter down until the bottom of the screen has been reached.
Scroll back up until this appears:
Address C15910 calls a routine starting at address C15920. When it returns, address C15914 moves the word contents of register D0 into a memory address. This smells like the protection routine "starts" at address C15920.
Stick a breakpoint at address C15914 and exit AR. When execution reaches this address AR automatically pops up, and we can read out the key from registers D0 and D6. Address C15942 copies D0 to D6.
When AR pops up, press R to see the registers. We have the correct key in both registers D0 and D6; take note of it.
We could crack this by simply wiring the correct key (19AD) into D0 and D6 and then returning.
The protection is located in a file called "dt". To be able to find the protection in the file, we need something to search for. A logical thing would be the opcodes from address C15920, the "start" of the protection.
See the opcodes with M C15920.
Load the file into memory starting at address 30000: LM DT,30000. The file is located between addresses 30000 and 4CC34.
Search for the opcodes: F 52 79 00,30000. AR returns 10 addresses and we are interested in 3D224.
Disassemble address 3D224 and hit Enter a few times. The protection routine will appear. Normally we would just insert our patch at address 3D224 and onwards. I have tried this and it DOES not work. Addresses don't add up when the game loads the file into memory, and our code gets corrupted for some strange reason. I have tried inserting one hell of a lot of NOPs from address 3D224 and then executed the game. The NOP at address 3D224 turned out OK, but the NOPs from the following addresses up to address 3D246 were messed up. Everything looked normal again from address 3D248.
We can get around this by inserting a "BRA 3D248" at address 3D224 and inserting the crack patch from address 3D248.
Assemble address 3D224 and insert a "BRA 3D248". Assemble address 3D248 and insert the following code:
3D248  CLR.L D0         ; clear D0
3D24A  MOVE.L #19DA,D0  ; wire the correct key into D0
3D250  MOVE.L D0,D6     ; copy the key from D0 to D6
3D252  RTS              ; return
Insert the copy of the game and save memory back to disk as a file called "dt":
SM DT 30000 4CC34
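The walk-through above relies on two pieces of bookkeeping that are easy to get wrong: converting between an address seen in AR after LM and an offset inside the file, and the short-branch displacement the assembler produces for "BRA 3D248" at 3D224. The following Python is an added example (not code from the tutorial or from the game) that reproduces both calculations and, from the other side of the table, checks a "dt"-style file for the fingerprint such a patch leaves: an unconditional BRA.S where the routine's ADDQ.W #1,(abs).L entry (the 52 79 00 signature) should be. The file images are constructed here from the sizes and addresses on the page; the operand after the signature is a placeholder, and the assumption that AR encodes the branch as the 8-bit short form is mine, not the page's.

```python
# Added example, not part of the original tutorial: address bookkeeping from
# the walk-through plus a tamper check on a constructed "dt"-sized image.
# Only the load base, file span, hit address and 52 79 00 signature come from
# the page; the bytes after the signature are a placeholder.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOAD_BASE = 0x30000                      # "LM DT,30000" load address in AR
FILE_SIZE = 0x4CC34 - 0x30000            # file occupies 30000..4CC34
ENTRY_ADDR = 0x3D224                     # AR hit for the signature search
SIGNATURE = bytes.fromhex("527900")      # ADDQ.W #1,(abs).L, address 00xxxxxx
BRA_S_OPCODE = 0x60                      # BRA.S: 0x60 followed by an 8-bit disp


def file_offset(address: int, base: int = LOAD_BASE) -> int:
    """Map an address seen in AR after LM back to an offset inside the file."""
    if address < base:
        raise ValueError(f"{address:#x} lies below the load base {base:#x}")
    return address - base


def ar_address(offset: int, base: int = LOAD_BASE) -> int:
    """Inverse of file_offset: where a file offset shows up in AR memory."""
    return base + offset


def bra_s_displacement(src: int, dst: int) -> int:
    """Displacement byte of 'BRA.S dst' assembled at src.

    On the 68000 the displacement is relative to src + 2 (the PC after the
    opcode word). A zero byte selects the 16-bit BRA.W form, so it is rejected.
    """
    disp = dst - (src + 2)
    if disp == 0 or not -128 <= disp <= 127:
        raise ValueError(f"{dst:#x} not reachable from {src:#x} with BRA.S")
    return disp & 0xFF


def find_signature(data: bytes, sig: bytes = SIGNATURE) -> List[int]:
    """Every offset where sig occurs, like AR's 'F 52 79 00,30000' search."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


@dataclass
class EntryCheck:
    address: int
    intact: bool                   # True when the signature is still present
    branch_target: Optional[int]   # set when the entry has become a BRA.S


def check_entry(data: bytes, address: int) -> EntryCheck:
    """Report whether the routine at address still starts with the signature.

    A BRA.S in its place is the fingerprint of the patch described above: the
    entry word becomes 0x60 plus a displacement that lands past the region the
    loader rewrites.
    """
    off = file_offset(address)
    word = data[off:off + 2]
    if word == SIGNATURE[:2]:
        return EntryCheck(address, True, None)
    if len(word) == 2 and word[0] == BRA_S_OPCODE and word[1] != 0:
        disp = struct.unpack(">b", word[1:2])[0]     # signed 8-bit displacement
        return EntryCheck(address, False, address + 2 + disp)
    return EntryCheck(address, False, None)


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed pristine and tampered images of the same size as 'dt'."""
    pristine = bytearray(FILE_SIZE)          # zero filler (constructed)
    off = file_offset(ENTRY_ADDR)
    # Signature plus a placeholder operand; the real operand is not on the page.
    pristine[off:off + 6] = SIGNATURE + bytes.fromhex("000000")
    tampered = bytearray(pristine)
    tampered[off] = BRA_S_OPCODE
    tampered[off + 1] = bra_s_displacement(ENTRY_ADDR, 0x3D248)
    return bytes(pristine), bytes(tampered)


if __name__ == "__main__":
    pristine, tampered = build_samples()
    hits = [hex(ar_address(o)) for o in find_signature(pristine)]
    print("signature hits at AR addresses:", hits)
    for name, image in (("pristine", pristine), ("tampered", tampered)):
        result = check_entry(image, ENTRY_ADDR)
        if result.intact:
            print(name, "entry intact")
        else:
            print(name, f"entry replaced, branch to {result.branch_target:#x}")
```

Run stand-alone it reports the single signature hit at 3D224 and, for the tampered image, the branch to 3D248. The displacement calculation also explains why the AR listing shows the patch body beginning six bytes later than a reader might expect: the branch at 3D224 is relative to the PC after the opcode word, so 3D248 sits at an offset of 22 hex from 3D226.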