Here is my next crack, suggested by musashi5150 in the gemini thread.
Anyway, this was another simple one.
—–
alien storm crack – BippyM
Okay here is my second crack.
I’m not gonna go through the X-Copy business; you know the drill by now. Suffice to say it’s got protection on track 79.
We are going to bypass the copy protection completely and wire in the correct key too 🙂
Okay load a copy of the game and when it gets to track 79 it’ll hang for a few seconds before crashing
Go into your replay and you should be around the $c250 area; go down and back up to the start of this routine at $c1f4.
Right, I’m guessing we are inside the protection routine, so let’s see where it is called from. Enter fa c1f4.
Just the one result is found, which is good. Let’s disassemble it and see what we have (I’ve already gone down and up) and you’ll see that d1 is moving something into d0 and returning. I bet this is also part of the protection routine. Put a breakpoint on c1f2, exit the replay and wait for it to pop back up 🙂
When the replay pops up we know exactly where we are, so let’s just step through to the next instruction with ST. When the replay pops back up you should see a TST.L D0. Let’s follow the code a little bit (go down and up to see both sides).
As you can see, straight after the TST instruction there is a BNE. This tells us that if d0 is not 0 then branch to c556.
Let’s check what is in d0 with r
As you can see d0 is $0002ffff, so the branch will be taken. Let’s make d0 0 and see what happens. Enter r d0 0
and exit the replay. Woo, the game loads.
Right, so we could change the branch into a nop and the move.l d1,d0 to a moveq #0,d0 and then return. This will wire in the correct key and also bypass the protection.
We need to make this permanent, so we will need to alter the main file. As this program is AmigaDOS we need to see how it is loading. A quick look at the startup-sequence will show us that a program called stboot is loading a file called a.prg. So let us load in and look at the file a.prg.
lm a.prg,50000
The first line is a branch to 5001c, so let us look at this branch in more detail. Hmm, a jmp to C352. Let’s follow the jump (pic10).
Scroll down and there is our TST instruction, and directly before it the jump to the copy protection routine. So we have to find this within our loaded file and modify it 🙂
We know where the game jumps to. Looking into the routine at c1e8 you’ll see the jump directly into the copy routine, so we need to find this jump within the actual game code.
fa c1e8 50000
This will search for the jump to the copy routine and also show the tst situation.
Now all we do is assemble the code, removing the jsr and clearing d0 🙂
Now save the file:
sm a.prg,50000 6c3c8
Reboot and enjoy 🙂
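The same patch applied from a script, as an added example that is not part of BippyM’s post and not Action Replay code. The post removes the JSR into the protection check and clears D0 so the TST.L D0 / BNE that follows falls through as if the key check had passed. Assumptions not stated on the page: the call is encoded as 68000 `JSR (xxx).L` (bytes `4E B9` plus a 32-bit address), the target is $C1E8, and the file was loaded flat at $50000 by `lm a.prg,50000`, so file offset = Action Replay address minus $50000. The byte image in the block is constructed for the demo and is not a.prg.

```python
"""
Added example (not from the original post): apply the Alien Storm-style patch
from a script instead of the Action Replay assembler.  The post replaces the
JSR into the disk-protection check with code that only clears D0, so the
TST.L D0 / BNE after it falls through as though the key check passed.

Assumptions (not stated on the page):
  * the call is encoded as JSR (xxx).L  -> 4E B9 + 32-bit absolute address
  * the target is $C1E8 and the file sits flat at $50000 (lm a.prg,50000),
    so file offset = Action Replay address - $50000
  * SAMPLE below is a constructed byte image for the demo, not a.prg
"""
import struct

LOAD_ADDR  = 0x50000   # where `lm a.prg,50000` put the file (assumed from the post)
PROT_CALL  = 0xC1E8    # target of the JSR the post removes (address from the post)

JSR_ABS_L  = 0x4EB9    # 68000: JSR (abs).L, 6 bytes in total
TST_L_D0   = 0x4A80    # 68000: TST.L D0
MOVEQ_0_D0 = 0x7000    # 68000: MOVEQ #0,D0 (D0 = 0 is the "good key" value per the post)
NOP        = 0x4E71    # 68000: NOP


def find_protection_calls(image, target=PROT_CALL, require_tst=True):
    """Return even file offsets of every `JSR target` (absolute long) in image.

    With require_tst only call sites immediately followed by TST.L D0 are kept:
    that is the call / test D0 / BNE pattern the post describes, and it keeps the
    patch away from any other call of the same address."""
    needle = struct.pack(">HI", JSR_ABS_L, target)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        nxt = image[pos + 6:pos + 8]
        aligned = pos % 2 == 0                          # 68k code is word aligned
        followed_by_tst = len(nxt) == 2 and struct.unpack(">H", nxt)[0] == TST_L_D0
        if aligned and (followed_by_tst or not require_tst):
            hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def patch_image(image, target=PROT_CALL):
    """Replace each matching 6-byte JSR with MOVEQ #0,D0 ; NOP ; NOP (same length,
    so nothing after it moves).  Returns (patched bytes, offsets patched)."""
    buf = bytearray(image)
    replacement = struct.pack(">HHH", MOVEQ_0_D0, NOP, NOP)
    offsets = find_protection_calls(buf, target)
    for off in offsets:
        buf[off:off + 6] = replacement
    return bytes(buf), offsets


def ar_address(file_offset):
    """Action Replay address of a file offset, for cross-checking with `fa` output."""
    return LOAD_ADDR + file_offset


def patch_file(src, dst, target=PROT_CALL):
    """Patch a.prg on disk (what `sm a.prg,50000 6c3c8` did from inside AR)."""
    with open(src, "rb") as f:
        image = f.read()
    patched, offsets = patch_image(image, target)
    if not offsets:
        raise SystemExit("no `JSR $%X` followed by TST.L D0 found; "
                         "check the call's encoding in a disassembler" % target)
    with open(dst, "wb") as f:
        f.write(patched)
    return offsets


# Constructed demo image (not the real a.prg): an unrelated JSR, the protected
# call site, and a second JSR to the same target that is NOT followed by TST.L D0.
SAMPLE = (
    b"\x60\x00\x00\x1a"            # BRA.W        filler
    b"\x4e\xb9\x00\x01\x23\x45"    # JSR $12345   unrelated call, must survive   (offset 4)
    b"\x4e\xb9\x00\x00\xc1\xe8"    # JSR $C1E8    the protection call            (offset 10)
    b"\x4a\x80"                    # TST.L D0
    b"\x66\x10"                    # BNE.S        taken when D0 != 0 -> crash path
    b"\x4e\xb9\x00\x00\xc1\xe8"    # JSR $C1E8    no TST after it, left alone    (offset 20)
    b"\x4e\x75"                    # RTS
)

if __name__ == "__main__":
    patched, offsets = patch_image(SAMPLE)
    for off in offsets:
        print("patched file offset 0x%x (AR address $%x)" % (off, ar_address(off)))
    print(patched.hex())
```

The context check matters: a bare search for the six call bytes would also hit the second `JSR $C1E8` in the sample, which is not the call/test/branch site the post found. If the real binary reaches the protection code with a PC-relative `JSR d16(PC)` or a `JMP` instead of an absolute-long `JSR`, the needle bytes differ and the script finds nothing; confirm the encoding in the Action Replay disassembly first, exactly as the post does.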
Hmm, images are linked to a site run by bippym; if someone can contact him and ask him to update the image URLs, that would be great.
Images be missing, amigo!