Espana - The Games '92
© Ocean 1992

You will need the following:

1. Original game - find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. 1 blank disk
6. ProPack - find on amiga-stuff.com

Note! Addresses may differ on your computer.
Start by making a copy of the original game disks, to see the type of protection. Everything seems to be ok on all disks. This is probably a novella protection.
Boot the copy of the game. After some loading, a picture similar to this appears:

Choose anything but the right one (should be easy). When you have picked the wrong picture, the screen turns black.
Enter AR and press D to disassemble the current memory. Hold enter down until you reach the bottom of the screen and scroll back up with cursor up, until this appears:

We are "standing" at address 1091A, which is branching to itself (looping).
This routine starts at address 1090C.
Let's check what jumps to this address. Type: "FA 1090C,10000" (see picture above). AR returns one address: 108B2.
Disassemble this address and hold enter down until you reach the bottom of the screen. Scroll back up with cursor up, until this appears:

Look at address 108AE: it compares D0 with D1 and, if they are equal, address 108B0 branches on with the game. If they are NOT equal, address 108B2 goes to the loop code. Let's find this on disk and change that BEQ (branch if equal) to a BRA (branch always).
We need something to search for when we patch the disk. Let's use the opcode for CMP.L D0,D1: B2 80.
The protection is located in a file on disk 1 called "main". It's crunched with ProPack, so we need to decrunch it before we can alter it. Copy the file "main" + ProPack to a blank disk and boot it.
Type this in DOS to decrunch the file: PROPACK U D MAIN

After a few secs, you should have a new file called "main.rnc". Enter AR and load it into memory, starting at address 30000: LM MAIN.RNC,30000. The file is located between 30000 - 4431C.

Remember the opcode for the CMP.L D0,D1? Good, search for it starting at address 30000: F B2 80,30000.
AR returns four addresses. We are interested in the first one. Disassemble address 309EA and hit enter a few times.
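The byte search above matches B2 80 wherever it occurs, which is why AR reports several addresses. As an added example (not part of the original tutorial), this Python sketch decodes the instruction following each hit, so a real comparison can be told apart from coincidental data. The sample buffer is constructed to mirror the layout at 309EA; the function names and the BSR displacement are assumptions.

```python
import struct

# 68000 Bcc condition field (bits 11-8 of the opcode word 0110 cccc dddddddd)
CONDS = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
         "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]

def decode_branch(buf, off, base):
    """Decode a 68000 Bcc/BRA/BSR at buf[off]; return (mnemonic, target, size) or None."""
    if off + 2 > len(buf) or buf[off] >> 4 != 0x6:
        return None
    name = CONDS[buf[off] & 0x0F]
    disp8 = buf[off + 1]
    pc = base + off + 2                      # displacement is relative to opcode address + 2
    if disp8 == 0x00:                        # 16-bit displacement in the extension word
        if off + 4 > len(buf):
            return None
        (disp,) = struct.unpack_from(">h", buf, off + 2)
        return name + ".W", pc + disp, 4
    if disp8 == 0xFF:                        # 32-bit form exists only on 68020+, skip it
        return None
    disp = disp8 - 0x100 if disp8 & 0x80 else disp8
    return name + ".S", pc + disp, 2

def find_compare_sites(buf, base, pattern=b"\xB2\x80"):
    """List every word-aligned CMP.L D0,D1 and the branch that follows it, if any."""
    sites = []
    off = buf.find(pattern)
    while off != -1:
        if off % 2 == 0:                     # 68000 instructions are word aligned
            sites.append((base + off, decode_branch(buf, off + 2, base)))
        off = buf.find(pattern, off + 1)
    return sites

# Constructed sample: the layout described at 309EA, plus a B2 80 that is only data.
BASE = 0x30000
sample = bytearray(0xA00)
sample[0x9EA:0x9F2] = bytes.fromhex("B280 6704 6100 0058")  # CMP.L / BEQ.S / BSR.W (assumed disp)
sample[0x100:0x104] = bytes.fromhex("0000 B280")            # same bytes, no branch after them

if __name__ == "__main__":
    for addr, br in find_compare_sites(bytes(sample), BASE):
        print(f"{addr:05X}  CMP.L D0,D1  ->", br)
```

A hit followed by `None` is data or an unrelated compare; only a hit followed by a conditional branch matches the structure seen in the disassembly.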

Looks familiar? Assemble address 309EC and change the "BEQ 309F2" to "BRA 309F2". Let's remove the BSR to the loop routine, by inserting a NOP on address 309EE & 309F0. This shouldn't be necessary, but you never know.
Save memory back to disk as a file called "crack": SM CRACK 30000 4431C. Reset and type this in DOS to crunch the file: PROPACK P D CRACK.

You should now have a new file called "CRACK.RNC". Delete the file "MAIN" on the copy of disk 1 and copy "CRACK.RNC" to it. Rename the file to "MAIN". Boot the game and select whatever you want on the protection screen.

Dedicated to sweet sweet Victoria

Rob
