
Dynamite Dux
© Sega
1989

You will need the following:

1. The original game (find it on emunova.net)
2. An Amiga or WinUAE
3. Action Replay, or a ROM image of it
4. Pencil and paper
5. One blank disk

The boot block crack can be downloaded at the top of this page.
Just install it on a fresh copy of the game (the boot block, $0-$400) and it's cracked.
Start by making a copy of the original game disk. An error is present on track 0, probably a good old RNC (Rob Northen Copylock).
When the copy of the game is run, it loads for a while and then hangs shortly after. This is the protection kicking in.
Boot the original game and enter AR when you hear the drive grinding, the sound of the copylock routine kicking in.
Copylocks start with the opcodes 48 7A (PEA d16(PC)), so search for them: F 48 7A. AR returns no less than six addresses.
This old game actually has three copylock routines. They are all identical, so they can be cracked the same way.
Disassemble the start of the first copylock and hold Enter down until the encrypted code stops. The first copylock ends around address B64C. The code after it compares the copylock key in D0 with the longword at address C744. If the compare fails, the game hangs.

Stick a breakpoint at address B652 and exit AR: BS B652. When the end of the protection is reached, AR pops up and we can read the key from D0. (You could also just grab it from address C744 if you don't have the original.)

When AR pops up, press R to see the registers. The key is stored in D0.
Let's have a little look at the code before the copylock routine:

The instruction that pushes A6 onto the stack has to be removed, or the Amiga will crash when the patched copylock is executed: the patch branches straight to the compare routine, past the code that would pop it again.
A memory address is also loaded into A6; look at the contents of that address with M B09A. The copylock key is returned here as well.
We'll crack these three old copylocks by hard-wiring the key into D0, 24 and (A6), then branching past the encrypted code directly to the compare routine.
Let's have a look at the copylock:

The first copylock routine starts at address B110. We will start the patch at address B116, six bytes in, which is the same relative position in each of the three copylocks. The branch target is then B654, the start of the compare routine right after the copylock.
It's also important to NOP out the first instruction of each routine (MOVE.L A6,-(A7)), or the Amiga will crash.
Insert the copy of the game and read a chunk of the disk into memory, starting at address 10000: RT 40 50 10000. Find the start and end address of the three copylocks and patch them:

Write the tracks back: WT 40 50 10000
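As an added example (not code from the page, and not the crack itself), here is the same three-copylock patch done offline in Python on a byte image whose offsets equal the addresses used in the text, such as a memory dump. It takes the routine starts (B110, C80E, CE24), the compare routine at B654 and the key from the page, assembles NOP / MOVE.L #key,D0 / MOVE.L D0,24 / MOVE.L D0,(A6) / BRA.W with the branch displacement computed rather than copied, and refuses to write unless MOVE.L A6,-(A7) and the 48 7A signature sit where expected. The key $84880FF4 is the immediate the boot-block patch on this page writes at B116. That 48 7A sits exactly six bytes into each routine is an assumption taken from where the page starts its patch, and the sample image is constructed, not a real dump.

```python
# Added example: offline equivalent of the three-copylock patch described
# above, applied to a bytearray whose offsets equal the page's addresses.
import struct

# Addresses taken from the page.
ROUTINE_STARTS = (0xB110, 0xC80E, 0xCE24)  # MOVE.L A6,-(A7) of each copylock
COMPARE_OFFSET = 0xB654 - 0xB110           # compare routine, same distance in all three
PATCH_OFFSET = 6                           # B116 - B110: first copylock opcode
BRA_OFFSET = PATCH_OFFSET + 12             # B122 - B110: where the BRA.W lands
KEY = 0x84880FF4                           # the key read from D0 at the breakpoint

COPYLOCK_SIG = bytes.fromhex("487A")       # PEA d16(PC): what 'F 48 7A' finds
MOVE_L_A6_PREDEC = bytes.fromhex("2F0E")   # MOVE.L A6,-(A7)
NOP = bytes.fromhex("4E71")


def find_copylocks(image: bytes) -> list:
    """Equivalent of the AR search 'F 48 7A': every word-aligned 48 7A."""
    return [off for off in range(0, len(image) - 1, 2)
            if image[off:off + 2] == COPYLOCK_SIG]


def build_patch(key: int, bra_from: int, bra_to: int) -> bytes:
    """MOVE.L #key,D0 / MOVE.L D0,$24.W / MOVE.L D0,(A6) / BRA.W bra_to.

    A BRA.W displacement is relative to the opcode address + 2, so the
    page's BRA at B122 to B654 encodes as 6000 0530.
    """
    disp = bra_to - (bra_from + 2)
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError(f"BRA.W cannot reach ${bra_to:X} from ${bra_from:X}")
    return (bytes.fromhex("203C") + struct.pack(">I", key)     # MOVE.L #imm,D0
            + bytes.fromhex("21C0 0024")                        # MOVE.L D0,$24.W
            + bytes.fromhex("2C80")                             # MOVE.L D0,(A6)
            + bytes.fromhex("6000") + struct.pack(">h", disp))  # BRA.W disp


def patch_copylock(image: bytearray, start: int, key: int) -> None:
    """Crack one copylock routine whose MOVE.L A6,-(A7) sits at `start`."""
    # Sanity checks before writing: a wrong address would corrupt live code.
    if image[start:start + 2] != MOVE_L_A6_PREDEC:
        raise ValueError(f"no MOVE.L A6,-(A7) at ${start:X}")
    sig_at = start + PATCH_OFFSET
    if image[sig_at:sig_at + 2] != COPYLOCK_SIG:   # assumption: PEA is 6 bytes in
        raise ValueError(f"no PEA (48 7A) at ${sig_at:X}")
    image[start:start + 2] = NOP  # remove the push; the page says it crashes otherwise
    patch = build_patch(key, start + BRA_OFFSET, start + COMPARE_OFFSET)
    image[sig_at:sig_at + len(patch)] = patch


def crack_image(image: bytearray, key: int = KEY) -> bytearray:
    """Apply the patch to all three routines, as the boot-block crack does."""
    for start in ROUTINE_STARTS:
        patch_copylock(image, start, key)
    return image


def make_sample_image() -> bytearray:
    """Constructed 64 KB image: only the bytes the patch inspects are set,
    at the page's addresses; everything else is zero filler."""
    image = bytearray(0x10000)
    for start in ROUTINE_STARTS:
        image[start:start + 2] = MOVE_L_A6_PREDEC
        # start+2 .. start+5: the untouched instruction that loads A6 (filler here)
        image[start + PATCH_OFFSET:start + PATCH_OFFSET + 2] = COPYLOCK_SIG
    return image


if __name__ == "__main__":
    img = make_sample_image()
    print("48 7A found at:", [f"${a:X}" for a in find_copylocks(img)])
    crack_image(img)
    print("patched B110:", img[0xB110:0xB126].hex(" ", 2))
```

Run stand-alone it lists the signature hits and the patched bytes at B110, which come out as 4E71 followed by 203C 8488 0FF4 21C0 0024 2C80 6000 0530, the same words the boot-block patch writes. For a track dump read with RT 40 50 10000 you would first rebase the page's addresses to offsets in the dump; the page does not give that mapping, so the example assumes offset equals address.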
If you prefer patching the whole protection from the boot block rather than changing tracks, do as follows:
Read track 0 to address 70000: RT 0 1 70000.
Assemble at 70056 (where the game jumps to the loader) and insert the following, which copies the crack patch from offset $100 on the disk to memory address 100 and takes over the game so that it calls the patch:

70056; MOVEM.L D0-D7/A0-A6,-(A7); 70056-70072; copy patch to address 100
7005A; LEA 100,A0
70060; LEA 70100(PC),A1
70064; MOVE.W #AC,D7
70068; MOVE.B (A1)+,(A0)+
7006A; DBF D7,70068
7006E; MOVEM.L (A7)+,D0-D7/A0-A6
70072; MOVE.L #4EF90000,70074; 70072-70084; take over game, make it call crack
7007C; MOVE.W #100,70078
70084; JMP 70020; jump we took over

Assemble at 70100 and write the crack patch itself. It cracks the three copylocks by moving the following sequence over each of them:

; NOP (replaces MOVE.L A6,-(A7))
; original code, not changed
; MOVE.L #key,D0
; MOVE.L D0,24.S
; MOVE.L D0,(A6)
; BRA past the copylock, to the compare routine

70100; MOVE.W #4E71,B110; 70100-7013A; move new opcodes into copylock 1
70108; MOVE.W B110,C80E
70112; MOVE.W B110,CE24
7011C; MOVE.L #203C8488,B116
70126; MOVE.L #FF421C0,B11A
70130; MOVE.L #242C80,B11E
7013A; MOVE.L #60000530,B122
70144; MOVE.L B116,C814; 70144-7018a; copy opcodes from copylock 1 to copylock 2 & 3
7014E; MOVE.L B11A,C818
70158; MOVE.L B11E,C81C
70162; MOVE.L B122,C820
7016C; MOVE.L B116,CE2A
70176; MOVE.L B11A,CE2E
70180; MOVE.L B11E,CE32
7018A; MOVE.L B122,CE36
70194; MOVE.L #4EF90000,70074; restore jump we took over
7019E; MOVE.W #B020,70078; restore jump we took over
701A6; MOVE.W #F0F,DFF180; trainer starts here, flash screen and wait for mouse
701AE; MOVE.W #F,DFF180
701B6; BTST #6,BFE001
701BE; BEQ 701CC
701C0; BTST #A,DFF016
701C8; BEQ 7020A
701CA; BRA 701A6
701CC; NOP; will appear at address 1CC
701CE; NOP
701D0; MOVE.L 1CC.S,10E5A; train lives
701D8; MOVE.W 1CC.S,10E5E
701E0; MOVE.L 1CC.S,201EA
701E8; MOVE.W 1CC.S,201EE
701F0; MOVE.L #4EB80210,1FEC0; hook call to toggle function (energy on/off)
701FA; MOVE.L 1CC.S,1122E; train energy
70202; MOVE.W 1CC.S,11232
7020A; JMP B020; jump we took over
70210; MOVE.W #3213,D0; restore code removed at 1FEC0; this will appear at address 210
70214; BTST #A,DFF016; check RMB during game play, if pressed, branch to 70220 and toggle energy
7021C; BEQ 70220
7021E; RTS
70220; EORI.L #DF484E71,1122E; toggle energy
7022A; EORI.W #88DB,11232; toggle energy
70232; MOVE.W #FF,C0.S; delay
70238; ADDQ.W #2,C0.S
7023C; SUBQ.W #1,C0.S
70240; BNE 70238
70242; RTS

When the screen flashes, press LMB for unlimited lives and energy, or RMB for a normal game. During play, press RMB to toggle energy on/off. The game halts VERY briefly to indicate your selection.
One thing to check before writing back: the copy loop at 70064 uses MOVE.W #AC,D7 with DBF, which copies $AD bytes (70100-701AC), while the patch as listed runs to 70244 and its toggle routine at 70210 must end up at address 210. The count has to cover the whole patch (DBF loops D7+1 times, so $143 for this listing).
Correct the boot block checksum: BOOTCHK 70000. Write it back: WT 0 1 70000.
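The BOOTCHK step matters because Kickstart refuses to boot a block whose checksum is wrong, so any offline edit of the boot block (in an ADF, say) needs the same repair. As an added example, not from the page, here is the Amiga boot-block checksum in Python: the 256 longwords are added with end-around carry, and the longword at offset 4 is set to the ones' complement of that sum taken with the field zeroed. The sample block is constructed (the standard "DOS\0" header, root block 880, zero filler standing in for the loader), and patch_and_fix mirrors assembling at 70100 followed by BOOTCHK.

```python
# Added example: the boot-block checksum that AR's BOOTCHK repairs,
# for patching a boot block offline (e.g. inside an ADF image).
import struct

BOOTBLOCK_SIZE = 1024     # two 512-byte sectors: what RT 0 1 / WT 0 1 move
CHECKSUM_OFFSET = 4       # longword right after the 'DOS\0' signature


def bootblock_sum(block: bytes) -> int:
    """Ones'-complement sum of the block's longwords (carry added back in)."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:          # carry out of bit 31 wraps around
            total = (total & 0xFFFFFFFF) + 1
    return total


def compute_checksum(block: bytes) -> int:
    """Checksum value for `block`, ignoring whatever the field holds now."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    work = bytearray(block)
    work[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = bytes(4)   # field zeroed
    return ~bootblock_sum(work) & 0xFFFFFFFF


def fix_checksum(block: bytes) -> bytes:
    """Equivalent of BOOTCHK: return the block with a correct checksum."""
    work = bytearray(block)
    struct.pack_into(">I", work, CHECKSUM_OFFSET, compute_checksum(block))
    return bytes(work)


def checksum_ok(block: bytes) -> bool:
    """True if the stored checksum matches; with a valid field the whole
    block sums to $FFFFFFFF, which is what the ROM checks."""
    if len(block) != BOOTBLOCK_SIZE:
        return False
    (stored,) = struct.unpack_from(">I", block, CHECKSUM_OFFSET)
    return stored == compute_checksum(block)


def make_sample_bootblock(code: bytes = b"") -> bytes:
    """Constructed boot block: 'DOS\\0', zero checksum, root block 880,
    then `code` as a stand-in for the loader, zero-padded to 1024 bytes."""
    header = b"DOS\x00" + bytes(4) + struct.pack(">I", 880)
    body = header + code
    if len(body) > BOOTBLOCK_SIZE:
        raise ValueError("code does not fit in the boot block")
    return body + bytes(BOOTBLOCK_SIZE - len(body))


def patch_and_fix(block: bytes, offset: int, data: bytes) -> bytes:
    """Write `data` at `offset` (like assembling at 70100 in the text) and
    recompute the checksum, as BOOTCHK does before WT."""
    if offset < 0 or offset + len(data) > BOOTBLOCK_SIZE:
        raise ValueError("patch does not fit in the boot block")
    work = bytearray(block)
    work[offset:offset + len(data)] = data
    return fix_checksum(bytes(work))


if __name__ == "__main__":
    blk = make_sample_bootblock()
    print("checksum before BOOTCHK ok:", checksum_ok(blk))
    blk = fix_checksum(blk)
    print("checksum field: %08X, ok: %s" % (compute_checksum(blk), checksum_ok(blk)))
    patched = patch_and_fix(blk, 0x100, bytes.fromhex("4E71 4E71"))
    print("patched and re-summed ok:", checksum_ok(patched))
```

The header layout ("DOS\0" followed by the checksum and the root block number 880) is the standard one for a double-density disk; only the loader bytes are filler here. Any byte changed after the checksum was fixed makes checksum_ok return False, which is exactly why the page runs BOOTCHK after assembling and before WT.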

Dedicated to sweet sweet Victoria
Rob

