Fighter Bomber
? Vektor Grafix
You will need following:
1. Original game ? find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
This crack covers both the copylock + novella protection.
Note! Some addresses may differ on your computer, due to different memory configurations.
Start by making a copy of original game disks. You?ll notice a error on track
0 on disk 1, this is probably a copylock
routine.
Boot COPY of game, after the intro- animation, track counter goes to 0, and after
a while to track 36. The game keeps
doing this over and over again. This is the copylock kicking in. Enter AR and search
for copylock with: ? F 48 7A ?.
AR returns six addresses, the copylock starts at address 7E322.
Disassemble address 7E322 with; ? D 7E322 ? and hold enter down until
you see something like the picture above.
Address 7E84E checks magic number with D0 and address 7E854 branches on, if they
are equal. Change the ? BEQ 7E86C ?
to ? BRA 7E86C ? and exit AR. This will force the game to continue,
whatever magic number is correct or not.
After a few secs, game continues to load. So, lets load copylock from disk into
memory and make a patch witch will
return magic number in D0 and then return to where it was called. Copylock is located
on track 0, read this track into
memory, starting at location 30000; ? RT 0 2 30000 ?.
Search for copylock with: ? F 48 7A ,30000 ?. The copylock starts at
address 30322, this is where we will insert our
patch. Assemble address 30322 ( A 30322) and insert a patch like this:
Part of the copylock routine is located on the bootblock, bootblock stretches from
30000 30400. Our changes will
cause the bootblock chksum to get corrupt, and game won?t boot. Correct this
with: ? BOOTCHK 30000 ?.
Write track back with: ? WT 0 2 30000 ?. Reboot machine and see what
happens. After you have inserted disk 2 and
chosen language, this screen appears:
Well, since I lost my manual, we probably have to find a way to bypass this novella.
Enter AR and press D to disassemble
actual memory. When you reach bottom of screen, use curser up to scroll back up
with until you see this:
The novella starts at address 37726 (find out by trial and error). Let?s find
this on disk and insert a ? RTS ? on the first
address of protection, causing it to return to its entry point. The Novella is stored
on disk 1, on track 55.
We need some opcode to search for, before we read track into memory. Let?s
use opcode from address 37726.
Type; ? M 37726 ?, hit enter + Esc. Write down the first 12 numbers
(23 FC 00 03 7A AA)
Insert COPY of disk one. Read track 55 into memory with: ? RT 6E 2 20000 ?.
Search for the opcode, starting at
address 20000; ? F 23 FC 00 03 7A AA,20000 ?. We are interested in address
20226. Try to disassemble this
address and hit enter a few times. Looks familiar ? Good, because this is start
of the protection.
Assemble address 20226 and insert a ? RTS ?, see picture above. Write
track back with: ? WT 6E 2 20000 ?, and reboot
game.
Notice that the game skips the whole novella, after you have selected language.
Dedicated to sweet sweet Victoria.
Rob
you could fix the manual check routine like this so it accepts everything:
378BC CMP.B D0,D1
378BE BEQ 37876 -> BRA 37876
378C2 BRA 378CE
….
378C6 CMPI.B #44,(A0)
378CA BEQ 37990 -> BRA 37990