Arkanoid – The revenge of Doh
© Taito
1987

You will need the following:

1. Original game – find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper

Start by making a copy of the original game disk. This is to determine the type of protection. You’ll notice an error on track 0. This is a type of disk-based protection, where a specially written track can’t be duplicated.
When you boot the copy of the game, it crashes almost instantly. So, the protection check is executed at a very early stage of the game boot.
Boot the original game and enter AR when it begins to load. Let’s search for the typical sign of a copylock, the “PEA $$$$”: F 48 7A. AR returns address 5A70. View memory with N 5A70 and press enter a few times.

Exit AR and wait for the copylock to finish. When the game continues to load, enter AR again. View address 5A70 again with N 5A70. Ahh… Seems like memory has changed. The copylock has probably decrypted the game loader.
We’d better try to find the start of it. Hold enter down to keep showing memory and stop when you reach the bottom of the screen. Use cursor up to scroll back up, until this appears:

Hmm, hard to see the start of the code… Disassemble address 5930 and stop when this appears:

It seems like the “reasonable” code starts at address 59E8 (many things start here :). View memory with N 59E8:

The code seems to end around address 5B68; take note of this.
Insert the copy of the game and read track 0 into memory, starting at address 70000: RT 0 2 70000.

Disassemble the boot code: D 7000C. We are interested in 70038 & 70040. 70038 decides the amount of data to load from disk and 70000 is the offset to load from. 70030 is the destination for the loaded data.
Since the boot code moves data from offset 400, we will simply transfer the decrypted loader to offset 400. This will overwrite the original encrypted loader, and the game will load the decrypted one instead.
The decrypted loader was located at addresses 59E8 – 5B68; transfer it to address 70400: TRANS 59E8 5B68 70400.

Write track 0 back: WT 0 2 70000. You don’t have to correct the boot block checksum, as we haven’t altered anything in the actual boot code (70000 – 70400).
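
Why the checksum survives, as an added example (not part of the original tutorial): the Amiga boot block checksum covers only the first $400 bytes of track 0, so a change at offset 400 leaves it valid while a change inside the boot code does not. The track buffer, its size and the patched bytes are constructed sample data, not taken from the game.

```python
import struct

BOOTBLOCK_SIZE = 0x400           # boot block: first two 512-byte sectors of track 0
LOADER_OFFSET = 0x400            # address 70400 in the buffer read to 70000
LOADER_LENGTH = 0x5B68 - 0x59E8  # size of the region moved with TRANS

def bootblock_sum(block: bytes) -> int:
    """End-around-carry sum of the 256 big-endian longwords of a boot block."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block[:BOOTBLOCK_SIZE]):
        total += word
        if total > 0xFFFFFFFF:   # fold the carry back into the sum
            total = (total & 0xFFFFFFFF) + 1
    return total

def bootblock_is_valid(track: bytes) -> bool:
    """Valid when the sum, checksum field included, comes out as 0xFFFFFFFF."""
    return len(track) >= BOOTBLOCK_SIZE and bootblock_sum(track) == 0xFFFFFFFF

def with_checksum(block: bytes) -> bytes:
    """Return the buffer with the checksum longword at offset 4 recomputed."""
    zeroed = block[:4] + bytes(4) + block[8:BOOTBLOCK_SIZE]
    return block[:4] + struct.pack(">I", 0xFFFFFFFF - bootblock_sum(zeroed)) + block[8:]

def make_sample_track() -> bytes:
    """Constructed stand-in for the buffer at 70000 (size 0x2C00 is an assumption)."""
    boot = b"DOS\x00" + bytes(4) + bytes((i * 7) & 0xFF for i in range(BOOTBLOCK_SIZE - 8))
    payload = bytes((i * 13 + 1) & 0xFF for i in range(0x2C00 - BOOTBLOCK_SIZE))
    return with_checksum(boot + payload)

def patch(track: bytes, offset: int, data: bytes) -> bytes:
    """Overwrite len(data) bytes at offset, keeping the buffer size unchanged."""
    return track[:offset] + data + track[offset + len(data):]

if __name__ == "__main__":
    track = make_sample_track()
    after_loader = patch(track, LOADER_OFFSET, b"\xAA" * LOADER_LENGTH)
    in_bootblock = patch(track, 0x38, b"\x12\x34")   # a change inside 70000-703FF
    print("original valid:        ", bootblock_is_valid(track))
    print("patched at 0x400 valid:", bootblock_is_valid(after_loader))
    print("patched at 0x38 valid: ", bootblock_is_valid(in_bootblock))
    print("after recompute valid: ", bootblock_is_valid(with_checksum(in_bootblock)))
```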

Dedicated to sweet sweet Victoria

Rob

Giants
8 years ago

The disk image doesn’t exist on emunova.net and this tutorial doesn’t work with the SPS image [0765] Arkanoid – Revenge of Doh (retail)(EU)]. The whole disk is encoded (MFM?). Error 8 on all tracks with Xcopy Pro (and error 6 on track 0) with doscopy+, and with Nibble copy, still with Xcopy Pro, first track: Error 7 and all others green.

Giants92
16 years ago

Hi,

Not too deep, too short.
It is missing some pictures (like the original copy with errors under xcopy)
and more details.

If not, it’s good.
