Submitted by: Rob
Date: 2005-07-08 14:02
You will need the following:
1. The original game, get it from your local supplier :)
2. An Amiga or WinUAE
3. Action Replay (cartridge or ROM image)
4. Pencil and paper
Note! Addresses may differ on your computer due to different memory configurations.
Start by making a copy of the original game disk. This is to determine the type of protection.
You'll notice an error on track 79. This is a disk-based protection: a specially written track, probably a long track, that a normal copier can't duplicate.
When you boot the copy of the game, track 79 is accessed just before the company logo appears. This is the protection kicking in. The game continues loading, but crashes shortly after.
Boot the copy of the game and keep an eye on the track counter. When it moves to track 79, it's time to enter AR.
We need to find the start of the protection routine. Hold Enter down until the bottom of the screen has been reached. Scroll back up, and stop when this appears:
The protection starts at address C09C7C. Long-track protections often make a series of BSR or JSR calls. The result of the protection is returned in D6 and moved to D0. Set a breakpoint at address C09CA4 and exit AR. When the end of the protection is reached, AR will pop up. Press "R" to see the registers. We now have a "bad" key in D0, since the copy failed the check.
Insert the original game disk and execute from the start of the protection: "G C09C7C".
When AR pops up, press "R" again. We now have a new key in D0, a good key. Take note of this number.
We'll simply crack the game by hard-wiring the good key into the protection's result register and skipping the whole disk-accessing part, much like cracking a Copylock.
To find the protection routine in the game's main file, we need some opcodes to search for. View the opcodes with "M C09C7C". Take note of the first long word of opcodes. The protection is stored in the main file, called "t.x" (take a look in the startup-sequence).
Insert the copy of the game and load the file into memory starting at address 30000: "LM T.X,30000".
The file is located between addresses 30000 and 3F8EC.
Search for the opcodes starting at address 30000: "F 2A 7C 00 BF,30000". AR returns address 32320. Disassemble and hit Enter a few times. Yep, it's the protection.
Assemble at address 3232C and insert the code shown above. This will clear D6, move the key into D6 and then NOP out all the disk-accessing calls. Keep the patch exactly as long as the code it replaces (NOP-fill the rest) so nothing after it moves. The original protection code will then move the key from D6 to D0 and return.
And finally save the file back: "SM T.X,30000 3F8EC".
Reboot and have fun.
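The same find-and-patch step, as an added example in Python that is not part of Rob's tutorial: it works on a t.x dumped to a PC instead of inside Action Replay. Only the search pattern 2A 7C 00 BF, the load address 30000, the hit at 32320 and the patch address 3232C come from the text above. The sample file contents, the calls after the protection entry and the key value 12345678 are constructed for illustration, and the patch layout (CLR.L D6, MOVE.L #key,D6, NOP-fill) follows the description above, since the original listing is not reproduced here.

```python
import struct

LOAD_ADDR = 0x30000                   # "LM T.X,30000": file is loaded at this address
PATTERN = bytes.fromhex("2A7C00BF")   # "F 2A 7C 00 BF": MOVE.L #$00BFxxxx,A5 (CIA base)
CALLS_OFFSET = 0xC                    # $32320 -> $3232C: the disk calls start 12 bytes in

# 68000 opcodes used below (big-endian words)
OP_CLR_L_D6 = 0x4286       # CLR.L  D6
OP_MOVE_L_IMM_D6 = 0x2C3C  # MOVE.L #imm32,D6
OP_NOP = 0x4E71            # NOP
OP_MOVE_L_D6_D0 = 0x2006   # MOVE.L D6,D0
OP_RTS = 0x4E75            # RTS
OP_BSR_W = 0x6100          # BSR.W  disp16
OP_JSR_ABS_L = 0x4EB9      # JSR    abs.L


def find_protection(image, pattern=PATTERN, load_addr=LOAD_ADDR):
    """AR's 'F ...,30000' equivalent: memory address of the first match, or -1."""
    off = image.find(pattern)
    return -1 if off < 0 else load_addr + off


def disk_call_region(image, start_addr, load_addr=LOAD_ADDR):
    """Length in bytes of the run of BSR.W / JSR abs.L calls that begins at
    start_addr and ends just before MOVE.L D6,D0. Any other opcode aborts
    instead of guessing, so a wrong search hit cannot be patched blindly."""
    begin = start_addr - load_addr
    off = begin
    while True:
        (opcode,) = struct.unpack_from(">H", image, off)
        if opcode == OP_MOVE_L_D6_D0:
            return off - begin
        if opcode == OP_BSR_W:
            off += 4
        elif opcode == OP_JSR_ABS_L:
            off += 6
        else:
            raise ValueError("unexpected opcode %04X at $%X" % (opcode, load_addr + off))


def build_patch(key, region_len):
    """CLR.L D6 ; MOVE.L #key,D6 ; then NOP-fill to exactly region_len bytes so
    the original MOVE.L D6,D0 / RTS that follow stay where they are."""
    code = struct.pack(">HHI", OP_CLR_L_D6, OP_MOVE_L_IMM_D6, key & 0xFFFFFFFF)
    if region_len < len(code) or region_len % 2:
        raise ValueError("region too small (or odd-sized) for the patch")
    return code + struct.pack(">H", OP_NOP) * ((region_len - len(code)) // 2)


def crack(image, key, load_addr=LOAD_ADDR):
    """Return a patched copy of the file image; the length is unchanged."""
    hit = find_protection(image, load_addr=load_addr)
    if hit < 0:
        raise ValueError("protection pattern not found")
    patch_addr = hit + CALLS_OFFSET
    patch = build_patch(key, disk_call_region(image, patch_addr, load_addr))
    off = patch_addr - load_addr
    return image[:off] + patch + image[off + len(patch):]


def build_sample_tx():
    """Constructed stand-in for t.x (not the real file): filler, then a
    protection routine at file offset $2320, i.e. $32320 once loaded."""
    prot = (
        struct.pack(">HI", 0x2A7C, 0x00BFD100)        # MOVE.L #$BFD100,A5   CIA-B
        + struct.pack(">HH", 0x41FA, 0x0040)          # LEA    $40(PC),A0    (made-up buffer)
        + struct.pack(">H", 0x7E00)                   # MOVEQ  #0,D7
        + struct.pack(">Hh", OP_BSR_W, 0x0100)        # BSR.W  select drive   disk access,
        + struct.pack(">Hh", OP_BSR_W, 0x0120)        # BSR.W  seek track 79  to be NOPed
        + struct.pack(">HI", OP_JSR_ABS_L, 0xC0A000)  # JSR    read track
        + struct.pack(">Hh", OP_BSR_W, 0x0140)        # BSR.W  key -> D6
        + struct.pack(">H", OP_MOVE_L_D6_D0)          # MOVE.L D6,D0          kept
        + struct.pack(">H", OP_RTS)                   # RTS                   kept
    )
    return b"\x00" * 0x2320 + prot + b"\x00" * 0x100


if __name__ == "__main__":
    img = build_sample_tx()
    print("protection at $%X" % find_protection(img))
    fixed = crack(img, 0x12345678)   # 12345678 is a made-up "good key"
    print(fixed[0x232C:0x2342].hex())
```

The walker in disk_call_region is the check worth keeping: it only accepts the BSR.W / JSR abs.L sequence the tutorial describes and stops at MOVE.L D6,D0, so if the four-byte search pattern happens to hit somewhere else in the file the patcher refuses rather than overwriting unrelated code. Because the patch is NOP-filled to the exact length of the calls it replaces, the file size and everything after the routine are untouched, which is what makes the "SM T.X,30000 3F8EC" save-back safe.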
Dedicated to sweet sweet Victoria.