Duckula
Alternative
1990
You will need the following:
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks
Start by making a copy of the original game disk. You'll soon discover that all tracks are unreadable, except for the boot block.
This means that we are dealing with an MFM protection. But it's an easy one, as it loads the whole disk into memory in one go. To make it a bit more difficult, the programmers have also added a 1-track protection at track 79.
We'll crack this one by letting the loader read the game into memory and breakpointing it before it executes. When we have done that, we'll take care of the track 79 protection. After that, we write memory back to disk as tracks and finally write a new track loader.
Boot the original game and enter AR when it begins to load. Press "D" to disassemble the current program. It seems we are in the 7C000 area of memory. Search for jumps by searching for the opcodes of "JMP": F 4E F9,7C000
AR returns address 7C442, which jumps to address 10000. Stick a breakpoint at address 7C422 and exit AR.
When AR pops up, disassemble address 10000 and hit enter a few times. The "JSR 5E886" calls the 1-track protection. When the protection routine returns, the game checks whether D0 is equal to 0. This means that we have to set D0 to 0.
Disassemble the protection routine and look out for "suspicious behaviour".
You'll notice that the protection alters the values at addresses 120 & 122. Let's get those values. Exit AR and let the game start.
When you exit AR, the 1-track protection is run and the game starts. Enter AR and take note of the contents of address 120:
Take note of opcodes.
Reboot the game and insert the breakpoint as before:
The 1-track protection started at address 5E886; assemble this address and insert the code above. This will set address 120 to the same values as the protection does, and it will clear D0.
We know the game starts at address 10000, but where does it end?
To find out, type: NQ 10000
You'll see lots of crap flashing over your screen, and it seems to end around address 5E9A6.
If we save 42 tracks from address 10000, we should be pretty sure to have all the data with us.
Insert a blank disk and save memory as tracks, starting at offset $1600 on disk: WT 1 54 10000.
Now we just need to write a new track loader to move the tracks into memory. We do this on the boot block.
A boot block always starts with "DOS", so type this in at address 70000:
Boot code starts at 7000C; assemble address 7000C and code the track loader, see picture above. You can't assemble address 7002E using AR, so insert the opcodes instead.
A few comments:
7000C; EXEC
70010; CMD read
70016; Destination address for data
7001E; amount of data to read
70026; Read from offset $1600 on disk
7002E; I/O
70032; Move address 70040(PC) into A0
70036; Move A0 to 80
7003E; Not needed 🙂
70040; Execute game
The track loader will move the game data into memory, starting at address 10000. After that, we execute the game in supervisor mode by doing the trap. When the game starts, it messes with SR and will crash if it's not started in supervisor mode!
Correct boot block checksum: BOOTCHK 70000.
Write boot block to disk: WT 0 1 70000.
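What BOOTCHK does, as an added Python example (this is not part of the original text, and it is not Action Replay code): the Amiga boot block is 1024 bytes (two sectors), and the longword at offset 4 holds a checksum. The ROM bootstrap sums all 256 longwords as 32-bit values, folding each carry back into the low bit, and accepts the block only if the total is $FFFFFFFF. To fix the checksum you sum with the checksum field counted as zero and store the one's complement. The sample block below is constructed for the example; the filler bytes stand in for boot code and are not the loader from the text.

```python
import struct

BOOTBLOCK_SIZE = 1024      # two 512-byte sectors on an Amiga floppy
CHECKSUM_OFFSET = 4        # longword at offset 4 holds the checksum


def _ones_complement_sum(words):
    """Add 32-bit longwords, folding each carry back into the low bit,
    the way the Amiga ROM bootstrap sums a boot block."""
    total = 0
    for w in words:
        total += w
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def compute_bootblock_checksum(block: bytes) -> int:
    """Return the checksum value that belongs at offset 4 of `block`.
    The checksum field itself is summed as zero."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    words = list(struct.unpack(">256I", block))      # big-endian longwords
    words[CHECKSUM_OFFSET // 4] = 0
    return (~_ones_complement_sum(words)) & 0xFFFFFFFF


def fix_bootblock_checksum(block: bytes) -> bytes:
    """Return a copy of `block` with a correct checksum written in
    (the equivalent of BOOTCHK before WT 0 1 writes the block out)."""
    checksum = compute_bootblock_checksum(block)
    return block[:CHECKSUM_OFFSET] + struct.pack(">I", checksum) + block[CHECKSUM_OFFSET + 4:]


def verify_bootblock(block: bytes) -> bool:
    """True when the block starts with 'DOS' and the carry-folded sum over
    all 256 longwords, checksum included, comes out as 0xFFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    return _ones_complement_sum(struct.unpack(">256I", block)) == 0xFFFFFFFF


# Constructed sample: 'DOS' signature, flag byte 0, empty checksum field,
# then filler bytes standing in for boot code (not the loader from the text).
SAMPLE_BLOCK = fix_bootblock_checksum(
    b"DOS\x00" + bytes(4) + (bytes(range(256)) * 4)[:BOOTBLOCK_SIZE - 8]
)

if __name__ == "__main__":
    print("sample checksum: $%08X" % struct.unpack(">I", SAMPLE_BLOCK[4:8])[0])
    print("sample verifies:", verify_bootblock(SAMPLE_BLOCK))
```

Run `verify_bootblock` on the 1024 bytes you are about to write with WT 0 1 (or on track 0 of a disk image) to confirm the block is bootable before relying on it; a block whose checksum does not sum to $FFFFFFFF is ignored by the ROM and the disk will not boot.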
If you want unlimited time/energy, insert three NOPs from address 14FEE.
Dedicated to sweet sweet Victoria
Rob