Submitted by: Rob
Date: 2005-09-22 16:21
© Bitmap Brothers
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk - find it in your local Amiga store
This text is for use with CAPS version #917. At the top of the page, a zip file can be downloaded containing a trainer for the game. It's based on the menu by Alpha 1 & Siriax, with music by HQM.
Special thanks to Musashi9 for supplying the level skip address.
The archive contains the source plus a bin file, which is the assembled & crunched trainer, ready to install on a copy of the game. A short description of this can be found at the end of this text. The package also contains trainer2.rnc, a version by Darkman with more options. Some kind of expansion memory is required for this version.
Start by making a copy of the original game disk. An error on track 1 will appear; this is the copylock track.
Level 1 will work fine, but the graphics will be messed up on level 2 due to the failing copylock. The copylock is also run several times later in the game.
The easiest way to crack the game is to find the copylock key and wire it into the encrypted code. This time we do it a bit differently, so that most of the disk accessing code is also run.
The copylock routine is located on track 0. Start and enter ARIV, then read track 0 to address 40000: RT 0 1 40000. Locate the routine: F 48 7A,40000.
Enable ARIV's built-in RNC decrypter: ROBD.
We need the copylock key.
Many copylock routines store the key at a fixed memory address; look out for signs of this.
At address 413FE the copylock moves the key to address 60.
Boot up the original game and enter AR at the start of level 2. (You can skip to level two by pressing fire, entering AR and putting value #47 at address 1D7D. The game loads for a while, runs the copylock routine and starts level 2.) The key is now stored at address 60. Enter AR and grab the key:
The key is marked in red in the picture above.
Enter ARIV again, read track 0 from the copy of the game to address 40000 (RT 0 1 40000), enable the RNC decrypter (ROBD), disassemble the start of the copylock (40C40) and look out for the following:
We usually wire the key in at address 41006 or 4102E. Address 41050 calls the second part of the copylock, where the key is moved to address 60 & part of the game is decrypted. Before this happens, we have a BSR at address 41044 which calls a small subroutine. We could replace this routine with a MOVE.L #key,D6 & RTS. This will ensure the key is always returned correctly & most of the copylock is run. We need to wire the key into D6, because address 4104A moves the key from D6 to D0. Normal ARIV could be used to move the key in, but for some reason it won't move the key to D6, so we have to do it "by hand".
To calculate the new opcodes, we first need the "normal" (unencrypted) opcodes for "move.l #ae3b9ce3,d6" & "rts". After that, we need the encrypted opcodes of the long word instruction preceding our changes. Our changes start at address 410FC, so the previous long word is at address 410F8 (410FC-4 = 410F8). See the long word: M 410F8.
Now it's time to get the normal opcodes for our new changes, so we can EOR them with the encrypted ones. Disable the decrypter: ROBD. Assemble address 100 and insert "move.l #ae3b9ce3,d6" & "rts". Take note of the opcodes with "m 100" for the first long word & "m 104" for the second. They are both marked in red at the bottom of the above picture.
Find your calculator and EOR first long word:
Previous long word: e9150aed
New un-encrypted long word: 2c3cae3b
First encrypted long word: c529a4d6
Rest of the instruction:
Previous word: e915
New un-encrypted word: 9ce3
Next encrypted word: 75f6
Last word (RTS):
Previous word: a4d6
New un-encrypted word: 4e75
Last encrypted word: eaa3
New opcodes combined to one string: c5 29 a4 d6 75 f6 ea a3.
These opcodes need to be inserted into the copylock, and the game is cracked.
Enter ARIV, insert the copy of the disk in DF0:, read track 0 to address 40000 and enable the RNC decrypter, just like you did earlier. At address 410FC, insert the new opcodes:
Original opcodes are marked in red, new ones in green. Don't forget to press return after your changes. When done, disassemble address 410fc and check that the code is correct.
Finally write the track back: WT 0 1 40000.
Game is now cracked.
If you want to install the supplied trainer, follow the steps described below.
Read track 0 to address 70000: RT 0 1 70000. Normally I would suggest calling a trainer / intro as the first thing from boot, but not with this game. Part of the boot block clears chip memory (only for people with extra chip memory), and that would wipe the trainer patch from memory if the trainer were called first. Instead, take over offset $104, where the boot block is ready to execute the loader, because memory has already been cleared at that point. Assemble 70104 and insert the code shown in the picture beneath:
As usual you can't assemble the disk I/O call with AR, so insert the opcodes instead; see the opcodes marked in red in the above picture.
The game also needs to call the trainer; we do this by inserting a "jmp 7e000" at the end of the RNC decruncher.
It ends at offset $3fc, so assemble 703fc and insert the jump, see the picture above.
Correct the boot block checksum & write the track back: "bootchk 70000", "wt 0 1 70000".
The trainer can be located where the protection was ($1600). Read track 1 to address 70000: RT 1 1 70000. Insert the disk with the supplied trainer and load it to address 70000: LM TRAINER.BIN,70000. Insert the copy of the game and write the track back: WT 1 1 70000.
For a few details on how the trainer works, see the comments in the source.
I have play-tested the whole game, and it works fine. The last level was a real bitch!