Captain Dynamo
© CodeMasters
1992

You will need the following:

1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. ByteKiller V1.3 (find it on amigastuff.com)

Start by making a copy of the original game disk. This is to determine the type of protection.
You'll notice an error on track 0. This is some type of disk-based protection, where you can't duplicate a specially written track.
Boot the copy of the game. After some loading, a screen like this will appear:

Hmmm...
Perhaps you heard the classic sound of the copylock working, or noticed the track counter moving to 0, before this appeared?
Let's grab the decrunched main file and crack the annoying copylock.
Boot the copy of the game and enter AR when it begins to load. Press "D" + enter. You will receive an address in the 300 area of memory. Let's see where this starts: type "N 0" and hit enter a few times.

Data seems to start around address 100. Disassemble and look out for jumps:

Address 14A jumps into the loaded data. Stick a breakpoint on this address and exit AR: "BS 14A". When it's finished loading, AR will pop up.

When AR activates, press "R" to see the registers. A2 points to the start of the file. This file is crunched, and we are of course interested in the decrunched data. Disassemble address 20000 and watch out for jumps:

Address 2005A jumps into the decrunched data. Assemble 2005A and insert a "BRA 2005A", causing it to loop. A breakpoint is not suitable here, as the file is moved to lower chip memory, and a breakpoint would cause the Amiga to crash.
Exit AR and wait a few seconds for the file to get decrunched.

Enter AR again and press "D" + enter. If you are stuck at the loop, the file is decrunched. Then see its start address by pressing "R" + enter. Address 1000 is the start of the file.
Locate the copylock by searching for the opcodes 48 7A ("PEA xxxx(PC)"), which copylocks always start with: "F 48 7A". AR returns addresses 1872 and 1882. Disassemble 1872 and hold enter down till the bottom of the screen has been reached. Scroll back up and stop when you find the start of the routine:

It seems to start at 186C. Check what calls it: "FA 186C". AR returns address 1032. Disassemble and hit enter a few times. The copylock is called by a BSR; right after this, we have another BSR. Disassemble 1652 and hit enter a few times:

The copylock key is compared at address 1656. If it matches, the game branches to address 1662 and continues to load. Change the routine from "CMPI.L" to "MOVE.L". This will move the key to the correct memory location. Then NOP out the BEQ and RTS, see above. There is no need for the copylock routine to be called, so NOP out the call:

We now have a cracked version of the main file in memory. Let's save the file and repack it. The file starts at address 1000, but where does it end? Type "NQ 1000" and press enter. Lots of junk will flash over your screen and it seems to end around address 9BD5.

Insert a blank disk and save memory: "SM 1,1000 9D00". This should ensure that we have all the data. Greets Alpha 1 🙂
Copy the file to the same disk as you have ByteKiller on. Start BK and crunch the file. Fill in the spaces marked in red:

This will crunch our file to an exe file called "VC". The file will load and decrunch the data to address 1000.
Why a file called VC? Because this is the name of the main file 🙂
Copy the crunched file to the copy of the game, overwriting the old one.
The last thing is to make a little modification to the boot block.
Read the boot block into memory, starting at address 70000: "RT 0 1 70000". Disassemble 7000C and stop when this appears:

The original file is executed by the "JMP (A2)" at address 70084. This won't work any more, due to the copy routine. The boot block loads the file to address 600. Assemble 70076 and insert a "JMP 600.S". Correct the boot block checksum:

Write the boot block back: "WT 0 1 70000".
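As an added example (not part of the original tutorial), here is the boot block checksum that has to be corrected whenever a byte in the block changes, and that also tells you whether a boot block read from a disk is intact. It uses the standard Kickstart algorithm (sum of the 256 longwords with end-around carry, checksum slot treated as zero, stored as the one's complement); the sample boot block and its RTS/NOP patch are constructed here and are not taken from the game's disk.

```python
# Added example: compute, verify and fix the checksum of an Amiga boot block
# (1024 bytes = track 0, sectors 0-1). Not code from the original tutorial.
import struct

BOOTBLOCK_SIZE = 1024      # two 512-byte sectors
CHECKSUM_OFFSET = 4        # the longword at offset 4 holds the checksum

def _ones_complement_add(a: int, b: int) -> int:
    """32-bit add with end-around carry, as Kickstart does it (add.l / bcc / addq #1)."""
    s = a + b
    if s > 0xFFFFFFFF:
        s = (s & 0xFFFFFFFF) + 1
    return s

def bootblock_checksum(block: bytes) -> int:
    """Checksum over all 256 longwords, with the checksum slot counted as zero."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue
        total = _ones_complement_add(total, struct.unpack_from(">I", block, off)[0])
    return (~total) & 0xFFFFFFFF

def stored_checksum(block: bytes) -> int:
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]

def verify_bootblock(block: bytes) -> bool:
    """True if the stored checksum matches the data (block intact / correctly patched)."""
    return stored_checksum(block) == bootblock_checksum(block)

def fix_bootblock(block: bytes) -> bytes:
    """Return a copy with the checksum longword rewritten to match the data."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)

def make_sample_bootblock() -> bytes:
    """Constructed sample (assumption, not the game's block): DOS\\0, root block 880, an RTS."""
    blk = bytearray(BOOTBLOCK_SIZE)
    blk[0:4] = b"DOS\x00"
    struct.pack_into(">I", blk, 8, 880)     # root block of a double-density disk
    blk[12:14] = b"\x4e\x75"                # RTS at offset 0xC, where boot code starts
    return fix_bootblock(bytes(blk))

if __name__ == "__main__":
    bb = make_sample_bootblock()
    print("valid:", verify_bootblock(bb))                       # True
    patched = bytearray(bb)
    patched[12:14] = b"\x4e\x71"                                # replace the RTS with a NOP
    print("valid after patch:", verify_bootblock(bytes(patched)))              # False
    print("valid after fix:", verify_bootblock(fix_bootblock(bytes(patched))))  # True
```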
And you are done 🙂

Rob

Codetapper
19 years ago

Alpha One is correct. There is a patch for the game on my website (http://zap.to/action) which deprotects the whole game from the bootblock, switches to PAL etc – I did it years ago and all I can remember about it was the 2nd hidden check in that version. The readme in the archive has more info about it.

aLpHa oNe
19 years ago

I suppose he's meaning "if I remember right" 😉 So he's talking of "his" memory hehe

Codetapper
19 years ago

You missed the second protection check in the game – this crack will not work after (from memory) the 3rd level…
