Submitted by: Rob
Date: 2005-07-11 08:13
1. Original game - find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks - find them in your local Amiga store
6. TetraPack or similar
Start by making a copy of the original game. When you boot the copy, it loads for a while, the track counter moves to 0, and the game crashes shortly after. This is the protection kicking in. The game loads a file called "boot". This is the main loader, and it's RNC encrypted. If the Copylock track is OK, the file is decrypted and executed.
Let's get our hands on the decrypted loader.
Boot the original game and enter AR when the screen turns black. At this point the loader has been decrypted and is loading the game.
Enter AR and press "D" to disassemble the current memory. You should be somewhere in the 7Fxxx area of memory. Type N 7E000 and hit enter a few times. When you reach address 7F000 you'll see the start of the loader:
If we save memory from address 7F000 to 7F500, we should have all the data we need. Before we do this, try exiting AR and entering it again. Notice that AR writes "Resident program allocated at: 100" at the top of the screen. Disassemble address 100 and hit enter a few times.
We are interested in the first line, which sets SR to 2700. We also have to do this before we execute the ripped loader.
You can't just alter the SR; that will cause the Amiga to crash. We can alter it if we are in supervisor mode. We get there by executing a "Trap #0" instruction. Assemble at address 7E000 and insert the following code:
This little piece of code will turn off multitasking, clear the screen, copy the code from address 7E02E to 7E038 to address 100, and execute it in supervisor mode. The code at address 100 will then set SR to 2700 and jump into the loader at address 7F000.
Insert a blank disk and save memory: SM I,7E000 7F500. The saved memory is a data file and cannot be executed from AmigaDOS. We get around this by absolute crunching it with TetraPack. Copy TetraPack to the same disk as the saved memory and start the cruncher. Fill in the parameters marked in red:
The parameters are pretty much self-explanatory.
When it asks for "Load-address" again, press enter to start crunching. You'll see some flashing colours, and then a screen with the crunch results appears. Just press enter and fill in the parameters on the following screen:
You now have an executable loader called "boot". Copy this file to the copy of the game, overwriting the old one.
Dedicated to sweet sweet Victoria