[b]Curse of Enchantia (1992) ECS[b]

Great game to make your mind think

what you will need

1. original game (find here)
2. an amiga or an amiga emulator (winuae)
3. an action replay cartridge or ar3 rom image for use with winuae

once u have all these set up we shall begin

our first task is to see what type of protection this game has
so boot the orignal up and play for a while ,notice anything pop up saying
goto manual page XX line Xx ect….? no?
ok cool then i presume the protection is disc based
so boot up your copy of X-COPY (what u mean u dont have
it ,dont lie everyone had a copy of this)
and lets make a backup of the original disc ,now what this does is well
make a backup for us to use (if its possible)
and also tells us what type of disc protection is on the game
so you start to make a copy and oh no first track upper side has an error
:O but thats ok the rest of the tracks are clean

so what this tells us is that this game is not MFM protected
which is a bitch to crack
because every track apart from the boot sector,is protected
so we only have 1 track protected thats cool it probibly means its just
copylock protection and what this means is the error track cant be duplicated
with a standard amiga you need a special machine,so when the game kicks
and a
copylock routine executes to check this track and make sure its the
original track and since it cant be duplicated it checks and is unable
to find that track and thus
cause the game to crash
so lets test it but there are 6 disks to this game so test them all in
the same way
you will notice only the first disk is protected this way

so load up the backup disk you just made
after a while you will notice the nothing is happening .. just a black
hmm then the amiga resets itself, hmm it doesnt do this with the original
so this must be the protection check

ok so load up the orignal disk you have and wait for the black screen
to pass then you should see
a CORE logo like this

when you do hit old blue (action replay button)
then type D and press enter
you should see something like this

maybe not around the same address as in the picture but around 60000 area
so lets see where the start of this code well starts 😛
NQ 60000
after a short while some jibberish apears on screen press ESC quick when
it does
should look like this

the start of all this jibberish seems to be at address
hmm ok so lets see what jumps into this address
this will scan the memory for a part of code that jumps ino this address
once its done searching we end up with 2 address points

we are interested in the second point the JMP one
take note of the address of this point which is
ok now we are armed with this address point lets reload the backup disk
just before the crash when the screen turns black press thee action replay
and look at the address point 0AE6C
you should see a jmp but to an unknown address a weird looking one that
seems out of range
so lets replace that with the JMP we have
then press enter twice to get out of write mode

now press X to exit AReplay
and see what happens
AH the CORE logo apears and the game starts to load 🙂
ok so lets change this on a perminant basis
reboot wit hthe backup disk and when the black screen appears fire up the
action replay
and type
and a line of numbers and letters will appears
press esc to get out of that mode and type
RT 0 10 050000
this will read the first part of the disk into memory location 050000
what we need to do now is search for those numbers and letters
so type
f 4e 26 d2 ec f0
and we end up with 2 address points the first is the one we already have
but the second is the one from the disk ,this is the one we need to change
so lets check that address type
D 545D4
yup its the same weird JMP
so type
a 545D4
press enter twice
now lets write this back to disk
WT 0 10 050000
once this is done reboot and try out our new disk

woo it works

this is good enough but well it still takes a second or 2 before the CORE
logo appears which means the RNC is still doing its routine and checking
so just to be safe lets bypass this incase it gives us problems later in
the game

so reboot with backup disk and hit old blue on black screen
we have the jmp address so lets check this part of code out
type d AE6C
but this looks like the end of the code so scroll down till you see the
JMP go ff screen then scroll back up past the JMP not to far

the address highlighted in red is the start of this code so take note
of that address
type M AE3C
taek note of the first lot of binary
33 FC 80 00
ok now we need to find the RNC
like most non dos games the boot code normaly goes to address
so lets scan this
D a498
scroll down some alot of harmless code
do you see the PEA at address A528
typical RNC so lets edit this to jump to the start od the jmp code
but we cant do it in memory we have to edit the disk and all these address
wont mean a thing when we edit the disk thsi si why we take note of the
binary numbers and letters so we can compare the memory locations with data
on the disk
so type
M A528

now we are armed once again with numbers and digits 😛
so lets check the disk out
RT 0 05 050000

and search for these binarys 🙂 first we need to look for
the JMP start code
so type
F 33 FC 80 00
which gives us 2 address points we only need the second one at 0545A4
take note of that address its important
now lets look for the RNC start
48 7A 00 0A
right so we have 2 address again lets edit the second one of these
which should be

a 52C90
bra 545A4
press enter twice
what we done was edit the start of the RNC to just skip the RNC and goto
the JMP code
now lets write it back to disk
WT 0 05 050000
lets reboot and try it
😀 yup now the CORE logo comes on straight away and the game loads with
no problems 🙂
what this protection done was encrypt the JMP to 6A9DA
and would only un encrypt it when the protection was passed
so we trick it by bypassing the whole protection and jumping to that address


Publication author

offline 4 days


Comments: 1160Publics: 2780Registration: 06-03-2017

Notify of

Inline Feedbacks
View all comments
18 years ago

hmm The Cult style? nb!


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password generation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Would love your thoughts, please comment.x