? U.S Gold
1990
You will need following:
1. Original game ? find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of original game disk. This is to determine type of protection.
You?ll notice an error on track 79. This is probably a long track protection.
Boot copy of game. After a little while track counter move to 79 and hangs there.
This must be the protection failing.
Enter AR. Let?s see if we can find start of protection, and what calls it.
Press D hold enter down until bottom of screen has reached and scroll up with curser
up, until this appears:
It seems like the code starts at address 4118 and this is probably start of protection,
since we entered AR when it failed.
Take note of address 4134 & 414C since they alter memory address 120 & 122.
Let?s see what calls the protection: FA 4118.
AR returns one address: 39D4. Disassemble address 39D4 and hit enter a few times.
When the protection returns, we have a TST.L D0 at address 39D8. Change this to
BRA 39D8, see picture above.
This will cause a loop routine after long track has run.
We will then jump into the protection with copied disk and then with original disk
in drive, and see what registers and
address 120 changes to.
With copy of game in drive, jump to address 39D4; G 39D4. Wait a few secs for the
long track to finish. Enter AR
again and press R to see registers. Type M 120 + enter + Esc to see address 120
Insert original game and jump to address 39D4. Again wait a few secs and enter AR
Press R to see registers and
M 120 + enter +Esc to see address 120.
You?ll notice, that D0 + D1 + A0 has changed. Address 120 has also changed.
Take note of the changes and insert
copy of game.
Protection is located in a file called ? mainbit?. Load this file into
memory, starting at address 30000:
LM MAINBIT,30000. File is located between address 30000 ? 7CBF4.
Disassemble address 30000 and hit enter. We have a BRA 33594, at the first line.
Disassemble address 33594 and
hit enter a few times.
Remember the TST.L at address 335D8 ? The protection was called by the address right
before that.
Disassemble address 33D18 and hit enter some times to ensure it?s the protection
routine.
It seems to be the long track routine.
Assemble address 33D18 and insert following code:
33D18; MOVEQ #0,D0; clear D0
33D1A; MOVEQ #0,D1; clear D1
33D1C; MOVE.W #4124,D1; insert #4124 in D1
33D20; LEA 61AA8,A0; insert 61AA8 in A0
33D26; MOVE.L #2DE0402,120.S; insert #2DE0402 in address 120
33D2E; RTS; return
This patch will set the registers and address 120 to the same values, as if the
long track protection had run and passed.
Save memory back as a file called ? mainbit?, overwriting the original;
SM MAINBIT,30000 7CBF4.
Boot game and see what happens.
Notice that the game does NOT access track 79 anymore.
Dedicated to sweet sweet Victoria.
Rob
Publication author
