Baby Jo - Going Home
Loriciel
1991

You will need the following:
1. Original game (get it from your local supplier 🙂)
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. This is to determine the type of protection. You'll notice an error on track 79. This is some type of disk-based protection, where you can't duplicate a specially written track, probably a long track.

When you boot the copy of the game, the protection runs shortly after the screen turns black. The game continues to load and everything seems fine. When you press fire at the title screen to start the game, nothing happens. The title screen just re-appears. This must be the protection, that has "done something" to the game. Hmm...

Boot the original game and enter AR when the screen starts to turn black. Type "D" and hold enter down, until the bottom of the screen has been reached. Scroll back up and stop when this appears:

The protection routine starts at address 7610. I found it by doing some breakpointing. Address 7636 calls the disk accessing part and 763A moves the result from this into address 78DC. Let's stick a breakpoint on this address and exit AR. AR will then activate when address 763A is reached, and we see the result in D0.

Set breakpoint: BS 763A

When AR pops up, press R to see the registers. The protection returns "19B1" in D0 + D6. See the opcodes from address 7610 with: M 7610. We do this so we can find the routine on disk and patch it permanently. The protection is located somewhere between tracks 0 to 4, so read them into memory, starting at address 30000: RT 0 A 30000.

Search for the opcodes from address 7610, see picture above. AR returns address 39010. Disassemble this address, and stop when the disk accessing part of the routine appears. Assemble address 3907A and insert the following code:

3907A  MOVEQ #0,D0        ; clear D0
3907C  MOVEQ #0,D6        ; clear D6
3907E  MOVE.L #19B1,D6    ; move the "magic number" into D6
39084  BRA 3908E          ; branch to the part that moves the "magic number" into D0 and returns

Insert the copy of the game and write the tracks back: WT 0 A 30000.

Go test your new crack!

Perhaps it would be a little easier to play-test if we added a micro trainer that gives us 255 lives? Assuming you still have all three lives, enter AR and start the trainer with: TS 3.

Exit AR and lose one life. Enter AR again and continue the trainer: T 2. AR returns address 12C7D. This address holds the number of lives. Try typing M 12C7D. The first hex byte is 02. It would normally start with 03, three lives...

Let's determine at which point this address is set to 03, so we can patch it. Reboot the game and enter AR when the title screen appears. Check address 12C7D: M 12C7D. The address seems to be set at this time.

Press D and hold enter down, until this appears:

Stick a breakpoint on address DB0, exit AR and start the game. AR appears when you press fire. This might be a good address to take over and make it jump to a little trainer patch instead. DB0 makes a JSR EE5E, take note.

Let's find the start of the main file. It's usually loaded into low chip memory; see memory with N 0 and hold enter down. Release it when you reach around address 800. The data seems to start at address 400.

Reboot the game and enter AR when the game begins to load. Search for jumps to address 400: FA 400. AR returns address 40A42. Stick a breakpoint on address 40A42 and exit AR.

When AR pops up, check if the number of lives has been set at this stage: M 12C7D. Seems not...

Let's find the "JMP 400" on disk and make it jump to address 100, where we'll put a little trainer patch. But first, press "R" to see the registers. A0 points to address 400. Change this to 0 with: "R A0 0". If we don't do this, we'll get a lot of false references.

The "JMP 400" is probably also located somewhere between tracks 0 to 4, so read them into memory, starting at address 30000: RT 0 A 30000. Find the "JMP 400", starting at address 30000: FA 400 30000. AR returns address 31A42. Assemble this address and change it to "JMP 100" instead. See picture below:

Write the tracks back: WT 0 A 30000. Time to code the patch. But first, check the boot block for spare bytes. Read it into memory, starting at address 70000: RT 0 1 70000. See memory with N 70000 + enter a few times.

Plenty of space here to put a little trainer. Assemble 70200 and insert the following code:

70200  MOVEM.L D0-D7,-(A7)      ; save registers, as we're going to mess with D0
70204  MOVE.L #FFFFFFFF,D0      ; fill D0 with F
7020A  MOVE.W D0,DFF180         ; move D0 into colour register DFF180
70210  SUBI.W #1,D0             ; subtract 1 from D0
70214  CMPI.W #1,D0             ; compare #1 with D0
70218  BEQ 70226                ; if equal, branch to 70226 and start the game without the trainer
7021A  BTST #6,BFE001           ; test for left mouse button pressed
70222  BEQ 7022E                ; if pressed, branch to 7022E
70224  BRA 7020A                ; loop the flash until the counter runs out
70226  MOVEM.L (A7)+,D0-D7      ; restore registers
7022A  JMP 400.S                ; start game
7022E  MOVEM.L (A7)+,D0-D7      ; restore registers
70232  MOVE.L #4EB90000,DB0     ; overwrite DB0 with the JSR opcode (4EB9) and the high word of the target address
7023C  MOVE.W #148,DB4          ; low word of the target: DB0 now reads JSR 148
70244  JMP 400.S                ; start game
70248  MOVE.B #FF,12C7D         ; this will appear at address 148: move #FF to 12C7D and give you 255 lives
70250  JMP EE5E                 ; jump to address EE5E, which we took over from DB0. The subroutine at EE5E will return to DB6

When you boot the game, it loads in the main file and jumps to address 100. The screen will flash for a few secs. If nothing is done here, the game will start as normal. If you press the left mouse button, address DB0 will be altered to "JSR 148" and patch the lives, so you have 255.

Let's find a way to move the patch into address 100. Disassemble the start of the boot code and hit enter a few times: D 7000C. Take note of the first line of code, and change it to "BSR 70100"; this will call 70100. Assemble address 70100 and code a small track loader:

70100  MOVEA.L 4.S,A6           ; EXEC base
70104  MOVE.W #2,1C(A1)         ; io_Command: CMD_READ
7010A  MOVE.L #100,28(A1)       ; io_Data: destination address for the data
70112  MOVE.L #200,24(A1)       ; io_Length: amount of data to read
7011A  MOVE.L #200,2C(A1)       ; io_Offset: offset on disk to read from
70122  JSR -1C8(A6)             ; DoIO
70126  LEA 70036(PC),A0         ; restore the code we removed at the start of the boot block
7012A  RTS                      ; return to the original loader

As usual (why should it ever change?), you can't assemble address 70122 with AR. Insert the opcodes instead, see picture above. Correct the boot block checksum: BOOTCHK 70000, if you want the game to be able to boot 🙂 And write the boot block back: WT 0 1 70000.
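What BOOTCHK actually recomputes is the standard Amiga boot block checksum: all 256 longwords of the 1024-byte block are summed with end-around carry, and the longword at offset 4 is chosen so that the total comes out as FFFFFFFF, otherwise Kickstart refuses to boot the disk. The following is an added example, not code from the tutorial: it computes and verifies that checksum, and shows that editing the first instruction at offset C (the "BSR 70100" change above) invalidates the block until the checksum is fixed again. The sample boot block is constructed, not taken from the game.

```python
import struct

BOOTBLOCK_SIZE = 1024      # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4        # big-endian longword holding the checksum

def _ones_complement_sum(block: bytes, skip_checksum: bool) -> int:
    """Add all 256 longwords with end-around carry, as the Kickstart check does."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if skip_checksum and off == CHECKSUM_OFFSET:
            continue                            # checksum field counts as zero
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:                  # carry out of bit 31 is added back in
            total = (total & 0xFFFFFFFF) + 1
    return total

def bootblock_checksum(block: bytes) -> int:
    """Value that belongs at offset 4: the complement of the sum of the other words."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    return (~_ones_complement_sum(block, skip_checksum=True)) & 0xFFFFFFFF

def fix_bootblock(block: bytes) -> bytes:
    """Return a copy with the checksum field corrected (what BOOTCHK does in memory)."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)

def bootblock_is_valid(block: bytes) -> bool:
    """Kickstart boots the disk only if every longword, checksum included, sums to all ones."""
    return (len(block) == BOOTBLOCK_SIZE
            and _ones_complement_sum(block, skip_checksum=False) == 0xFFFFFFFF)

# Constructed sample: "DOS\0" id, zero checksum, root block 880, then two
# instruction words standing in for boot code, zero-padded to a full block.
SAMPLE_BOOTBLOCK = (b"DOS\x00" + bytes(4) + struct.pack(">I", 880)
                    + bytes.fromhex("43FA00184EAEFFA0")).ljust(BOOTBLOCK_SIZE, b"\x00")

def demo() -> bool:
    """Fix the sample, re-apply the tutorial's edit at offset C, and show the check catches it."""
    good = fix_bootblock(SAMPLE_BOOTBLOCK)
    patched = bytearray(good)
    # BSR.W 70100 from 7000C: opcode 6100, displacement 70100 - 7000E = F2
    struct.pack_into(">I", patched, 0x0C, 0x610000F2)
    return (bootblock_is_valid(good)
            and not bootblock_is_valid(bytes(patched))
            and bootblock_is_valid(fix_bootblock(bytes(patched))))
```

The same check is what a boot block virus scanner of the era relied on: a block whose code changed but whose checksum still verifies has been deliberately re-summed.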
When you boot the game, press the left mouse button at the flashing screen, and you'll get 255 lives. If you do nothing, the game continues normally after a few secs.

Original supplied by the fastest: DLFRSILVER
Rob
