Submitted by: Rob
Date: 2005-01-16 19:41
You will need the following:
1. Original game – find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. This is to determine the type of protection.
You’ll notice an error on track 0. This is some type of disk-based protection, where you can’t duplicate a specially
When you boot the copy of the game, it crashes almost instantly. So the protection check is executed at a very early state of
Boot the original game and enter AR when it begins to load. Let’s try to search for the typical sign of a copylock,
the “PEA $$$$”: F 48 7A. AR returns address 5A70. See memory with N 5A70 and press Enter a few times.
Exit AR and wait for the copylock to finish. When the game continues to load, enter AR again. See address 5A70 again
with N 5A70. Ahh… Seems like the memory has changed. The copylock has probably decrypted the game loader.
We’d better try to find the start of it. Hold Enter down to continue showing memory and stop when you reach the bottom of the
screen. Use cursor up and scroll back up until this appears:
Hmm, hard to see the start of the code… Disassemble address 5930 and stop when this appears:
It seems like the “reasonable” code starts at address 59E8 (many things start here :). See memory with N 59E8:
The code seems to end around address 5B68; take note of this.
Insert the copy of the game and read track 0 into memory, starting at address 70000: RT 0 2 70000.
Disassemble the boot code: D 7000C. We are interested in 70038 & 70040. 70038 decides the amount of data to load
from disk and 70000 is the offset to load from. 70030 is the destination for the loaded data.
Since the boot code moves data from offset 400, we will simply transfer the decrypted loader to offset 400. This
will overwrite the original encrypted loader, and the game will load the decrypted one instead.
The decrypted loader was located at addresses 59E8 – 5B68; transfer it to address 70400: TRANS 59E8 5B68 70400.
Write track 0 back: WT 0 2 70000. You don’t have to correct the boot block checksum, as we haven’t altered
anything in the actual boot code (70000 – 70400).
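To see why that last step needs no checksum fix, here is an added Python example (not from the original tutorial) that implements the Amiga boot block checksum: it covers only the first $400 bytes (two sectors), so a patch at offset $400 or later leaves it valid while a patch inside the boot code does not. The disk image below is constructed for the example, not read from any game disk.

```python
import struct

BOOTBLOCK_SIZE = 1024    # two 512-byte sectors; the checksum covers only these
CHECKSUM_OFFSET = 4      # longword at bytes 4..7, right after the "DOS\0" id


def bootblock_checksum(block: bytes) -> int:
    """Amiga boot block checksum: sum all big-endian longwords of the first
    1024 bytes with end-around carry, treating the checksum field as zero,
    then return the one's complement."""
    if len(block) < BOOTBLOCK_SIZE:
        raise ValueError("boot block must be at least 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                      # the field itself counts as zero
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:            # end-around carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def with_checksum(block: bytes) -> bytes:
    """Return a copy of the image with a freshly computed checksum stored."""
    out = bytearray(block)
    struct.pack_into(">I", out, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(out)


def checksum_ok(block: bytes) -> bool:
    """True if the stored checksum matches the boot block contents."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def patch(img: bytes, offset: int, data: bytes) -> bytes:
    """Overwrite bytes at offset, like an AR TRANS into the read track."""
    out = bytearray(img)
    out[offset:offset + len(data)] = data
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed image: a valid boot block followed by a loader area at $400."""
    img = bytearray(0x600)                         # constructed, not a real disk
    img[0:4] = b"DOS\0"
    img[8:12] = struct.pack(">I", 880)             # root block pointer
    img[0x0C:0x10] = bytes.fromhex("4E714E71")     # two NOPs as placeholder boot code
    img[0x400:0x404] = b"ENC!"                     # stand-in for the encrypted loader
    return with_checksum(bytes(img))
```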
Dedicated to sweet sweet Victoria