Baby jo

gOo Goo gA ga

Author: rob
Submitted by: musashi9
Date: 2005-02-26 12:12
Baby Jo - Going Home
Loriciel
You will need the following:
1. Original game - get it from your local supplier :)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. This is to determine the type of protection.
You'll notice an error on track 79. This is some type of disk-based protection, where you can't duplicate a specially
written track, probably a long track.
When you boot the copy of the game, the protection runs shortly after the screen turns black. The game continues to load and everything
seems fine. When you press fire at the title screen to start the game, nothing happens. The title screen just re-appears.
This must be the protection, which has "done something" to the game. Hmm...
Boot the original game and enter AR when the screen starts to turn black. Type "D" and hold enter down until the bottom of the screen
is reached. Scroll back up and stop when this appears:
The protection routine starts at address 7610. I found it by setting some breakpoints.
Address 7636 calls the disk-accessing part and 763A moves the result from it into address 78DC. Let's set a
breakpoint at this address and exit AR. AR will then activate when address 763A is reached and we see the result in D0.
Set breakpoint: BS 763A
When AR pops up, press R to see the registers. The protection returns "19B1" in D0 and D6. See the opcodes from address
7610 with: M 7610. We do this so we can find the routine on disk and patch it permanently. The protection is
located somewhere between tracks 0 and 4; read them into memory starting at address 30000: RT 0 A 30000.
Search for the opcodes from address 7610 (see picture above). AR returns address 39010. Disassemble this address
and stop when the disk-accessing part of the routine appears.
Assemble address 3907A and insert the following code:
3907A; MOVEQ #0,D0; clear D0
3907C; MOVEQ #0,D6; clear D6
3907E; MOVE.L #19B1,D6; move the "magic number" into D6
39084; BRA 3908E; branch to the part that moves the "magic number" into D0 and returns
Insert the copy of the game and write the tracks back: WT 0 A 30000.
Go test your new crack!
Perhaps it would be a little easier to play-test if we added a micro trainer that gives us 255 lives?
Assuming you still have all three lives, enter AR and start the trainer with: TS 3.
Exit AR and lose one life. Enter AR again and continue the trainer: T 2. AR returns address 12C7D. This address holds
the number of lives. Try typing M 12C7D. The first hex byte is 02. It would normally start with 03, three lives...
Let's determine at which point this address is set to 03, so we can patch it.
Reboot the game and enter AR when the title screen appears. Check address 12C7D: M 12C7D
The address seems to be set by this time.
Press D and hold enter down, until this appears:
Set a breakpoint at address DB0, exit AR and start the game. AR appears when you press fire. This might be a good
address to take over and make it jump to a little trainer patch instead. DB0 does a JSR EE5E; take note.
Let's find the start of the main file. It's usually loaded into low chip memory; see memory with N 0 and hold enter down. Release it
when you reach around address 800. The data seems to start at address 400.
Reboot the game and enter AR when the game begins to load. Search for jumps to address 400: FA 400.
AR returns address 40A42. Set a breakpoint at address 40A42 and exit AR.
When AR pops up, check whether the number of lives has been set at this stage: M 12C7D. Seems not...
Let's find the "JMP 400" on disk and make it jump to address 100 instead, where we'll put a little trainer patch.
But first, press "R" to see the registers. A0 points to address 400. Change this to 0 with "R A0 0". If we don't do this,
we'll get a lot of false references.
The "JMP 400" is probably also located somewhere between tracks 0 and 4, so read them into memory starting at
address 30000: RT 0 A 30000. Find the "JMP 400", starting at address 30000: FA 400 30000.
AR returns address 31A42. Assemble this address and change it to "JMP 100" instead. See picture below:
Write the tracks back: WT 0 A 30000. Time to code the patch. But first, check the boot block for spare bytes. Read it
into memory starting at address 70000: RT 0 1 70000. See memory with N 70000 and press enter a few times.
Plenty of space here to put a little trainer. Assemble 70200 and insert the following code:
70200; MOVEM.L D0-D7,-(A7); save registers, as we're going to mess with D0
70204; MOVE.L #FFFFFFFF,D0; fill D0 with F
7020A; MOVE.W D0,DFF180; move D0 into colour register DFF180
70210; SUBI.W #1,D0; subtract 1 from D0
70214; CMPI.W #1,D0; compare #1 with D0
70218; BEQ 70226; if equal, branch to 70226 and start the game without the trainer
7021A; BTST #6,BFE001; test for left mouse button pressed
70222; BEQ 7022E; if pressed, branch to 7022E
70224; BRA 7020A; loop the flash until D0 reaches 1
70226; MOVEM.L (A7)+,D0-D7; restore registers
7022A; JMP 400.S; start game
7022E; MOVEM.L (A7)+,D0-D7; restore registers
70232; MOVE.L #4EB90000,DB0; change address DB0 to JSR (high word of the target address)
7023C; MOVE.W #148,DB4; low word of the target address: DB0 is now JSR 148
70244; JMP 400.S; start game
70248; MOVE.B #FF,12C7D; this will appear at address 148: move #FF to 12C7D, which gives you 255 lives
70250; JMP EE5E; jump to address EE5E, which we took over from DB0. The subroutine at EE5E will return to DB6
When you boot the game, it loads the main file and jumps to address 100. The screen will flash for a few seconds. If nothing is
done here, the game starts as normal. If you press the left mouse button, address DB0 will be altered to "JSR 148",
which patches the lives so you have 255.
Let's find a way to move the patch to address 100. Disassemble the start of the boot code and hit enter a few times: D 7000C.
Take note of the first line of code and change it to "BSR 70100"; this will call 70100. Assemble address 70100
and code a small track loader:
70100; MOVEA.L 4.S,A6; EXEC base
70104; MOVE.W #2,1C(A1); io_Command = CMD_READ
7010A; MOVE.L #100,28(A1); io_Data: destination address for the data
70112; MOVE.L #200,24(A1); io_Length: amount of data to read
7011A; MOVE.L #200,2C(A1); io_Offset: offset on disk to read from
70122; JSR -1C8(A6); DoIO
70126; LEA 70036(PC),A0; restore the code we removed at the start of the boot block
7012A; RTS; return to the original loader
As usual (why should that ever change?), you can't assemble address 70122 with AR. Insert the opcodes instead; see picture above.
Correct the boot block checksum with BOOTCHK 70000, if you want the game to be able to boot :)
Then write the boot block back: WT 0 1 70000.
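The BOOTCHK step above exists because the Kickstart ROM refuses to boot a block whose checksum does not match its contents. As an added illustration (not part of the original tutorial, and not AR's own code), the following Python implements the standard Amiga boot block checksum: the 1024-byte block is summed as 256 big-endian longwords with end-around carry, the checksum field at offset 4 is counted as zero, and the stored value is the one's complement of the sum. The sample block is constructed here and is not data from the game disk. The point for anyone relying on such a check: it catches accidental corruption, but any tool that edits the block can recompute it, so it is not an integrity guarantee against deliberate modification.

```python
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4     # the longword at offset 4 holds the checksum


def bootblock_checksum(block: bytes) -> int:
    """Return the checksum the ROM expects at offset 4 of an Amiga boot block.

    All 256 big-endian longwords are summed with end-around carry (a 32-bit
    overflow adds 1 to the wrapped sum); the checksum field itself counts as
    zero; the stored value is the one's complement of the final sum.
    """
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == CHECKSUM_OFFSET:
            continue  # the field being computed is treated as zero
        total += struct.unpack_from(">I", block, offset)[0]
        if total > 0xFFFFFFFF:                      # carry out of bit 31
            total = (total & 0xFFFFFFFF) + 1        # wrap and add it back in
    return (~total) & 0xFFFFFFFF


def verify_bootblock(block: bytes) -> bool:
    """True when the stored checksum matches the contents (the ROM's boot-time check)."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def fix_bootblock(block: bytes) -> bytes:
    """Equivalent of AR's BOOTCHK: rewrite offset 4 with the correct checksum."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


def make_sample_bootblock() -> bytes:
    """Constructed sample (not a real disk): 'DOS\\0' signature, zeroed checksum,
    root block 880 as on a DD floppy, and a filler byte pattern for the code area."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)
    block[12:BOOTBLOCK_SIZE] = (bytes(range(256)) * 4)[:BOOTBLOCK_SIZE - 12]
    return bytes(block)


if __name__ == "__main__":
    sample = make_sample_bootblock()
    fixed = fix_bootblock(sample)
    print("fresh sample verifies:", verify_bootblock(sample))
    print("after BOOTCHK-style fix:", verify_bootblock(fixed))
    patched = bytearray(fixed)
    patched[0x200] ^= 0x01          # one-byte edit to the code area
    print("after a one-byte patch:", verify_bootblock(bytes(patched)))
    print("patched then re-summed:", verify_bootblock(fix_bootblock(bytes(patched))))
```

Two fixed points are handy for checking an implementation against the real algorithm: an all-zero block sums to 0, so its checksum is FFFFFFFF, and a block of all FF bytes (checksum field zero) keeps the running sum at FFFFFFFF because every carry is folded back in, so its checksum is 0.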
When you boot the game, press the left mouse button at the flashing screen and you'll get 255 lives. If you do nothing, the game
continues normally after a few seconds.
Original supplied by the fastest: DLFRSILVER
