Gemini Wing Crack – BippyM

This is my first non-novella crack so please don’t be too critical.

Right, first let's see what sort of protection we are dealing with: load the disk and either try to copy it or checkdisk it (what I did).

As you can see there is an error on track 0, so it is either a copylock or a long track.

Boot a copy of the game and after a short while you'll get some rainbow flash and then the Amiga will reset.

Right, let's see if it is copylock or long track: boot again, but before the crash hop into your replay and search for the usual copylock opcode with

f 48 7a

There will be NO returned addresses, so I guess we are dealing with long track. Again reboot, but as soon as the rainbow effect starts hop into the replay and disassemble where we are. We should be in a dbra loop (addresses may differ as the game initially uses AmigaDOS to load the main.exe!).

Go down and back up and you should see the following code.

This is what is happening:

JSR 00018bE2 Jump somewhere (the protection check)
TST.B D0 Test if d0 is 0
BEQ 00014e76 if d0 is 0 branch
LEA 00070000,a0 load 70000 into a0
MOVE.W D0,DFF180 Put contents of d0 into color0 (change screen color)
CLR.l -(a0) clear the long below a0 and step a0 down
DBF D0,14E68 if d0 is not -1 loop
BRA 00014e68 Loop anyway

So let's try something: put a G 14e76 and see what happens!

Yes, the game loads, so we have three options here: we could change the BEQ to a BRA and bypass the protection there, or we could change the tst.b d0 to a clr.b d0 and bypass the protection there, but the problem is that if the protection check is called again from another place in the game it might fail. We know d0 needs to be 0 to wire the protection, so let's find where we can wire this in so it works properly.

Let's follow the JSR jump directly before the TST condition 🙂

The move.b 00018e52,d0 looks interesting, so I am guessing that address 18e52 holds the key before it is copied into d0. If we find the instruction that puts the figure into 18e52 and force it to put a 0 in there, we will bypass the protection. Let's search for all addresses that access 18e52.

Let's search with fa 18e52

As you can see there are 3 results returned; one of them is quite interesting as it copies #1 into d0. If we change that to move #0 into 18e52 then maybe the protection will pass, and seeing as it is only called the once, hopefully that is the only place in the game that modifies d0 for the protection check.

Okay, reboot the game again and when the track counter reaches 0 enter your replay and check 18e52 (or your address) again; you'll get three results.

Now we are interested in the third address returned, so let's assemble that address and change it to

and exit back to the game… what happens?

Right, we need to make the change permanent, and seeing as the game uses AmigaDOS to load the initial game file, we need to patch that.

Again reboot and drop back in when we reach track 0.

As we will be loading the main game file off disk, we will need to know what address it'll jump to, so the best way is to go back to the address that checks d0 and see what address it is jumping to. To find this we will need to look for some opcodes. Reboot the game and go to an address from earlier (18be2 for me) and you'll notice the unique 78000 at the next address, so we check the opcodes with m 18be6 (or your address).

Now we load the game file into memory: LM gemini.prg,50000 (PIC8). Now we simply search for the following

f 41 f9 00 07 80 00 23, 50000 6ad4c

You'll get one returned result, so let us disassemble from there.

Ooh, this does look familiar. Address 54036 is the one we want; we now do a search for 4232 from 50000 to 6ad4c with fa 4232 50000 6ad4c.

Three results returned, as expected.

and we want the third, at address $5425C. Let's assemble that and change it

Now we save the file over itself and test the crack 🙂

sm gemini.prg,50000 6ad4c

There is another way to crack this game which bypasses the protection, inserts the correct key and keeps the code relocatable (thanks to Galahad for showing me this).

Load the prog gemini.prg, assemble from address 54006 and insert the following code:

move.l $54038(pc),a0 ; load the address where the wrong key is inserted into a0 ($4232)
moveq #0,d0 ; move correct key into d0
move.b d0,(a0) ; put correct key into correct mem location ($4232)

This bypasses the protection check by not executing any of the JSRs, and the code is kept the same 🙂

Reboot and voilà, cracked 🙂
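Why Galahad's version stays relocatable, as an added illustration that is not from the original write-up: a 68000 d16(PC) displacement is measured from the instruction's extension word, so the patch bytes are identical wherever the hunk is loaded, and the key address is read at run time from the operand of the move.b that the loader has already relocated. The addresses are the write-up's ($54006, $54038, load base $50000); the memory image and the tiny three-instruction interpreter are constructed for the demo.

```python
import struct

# From the write-up: gemini.prg loaded at $50000, patch assembled at $54006, and
# the operand long of "move.b $4232,d0" (at $54036) sits at $54038.
PATCH_ADDR = 0x54006
OPERAND_ADDR = 0x54038

def pc_rel_disp(insn_addr, target):
    """68000 d16(PC) displacement: measured from the extension word (opcode + 2)."""
    disp = target - (insn_addr + 2)
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("target out of 16-bit PC-relative range")
    return disp & 0xFFFF

def assemble_patch(insn_addr, operand_addr):
    """move.l d16(pc),a0 / moveq #0,d0 / move.b d0,(a0) as big-endian 68000 words."""
    return struct.pack(">HHHH", 0x207A, pc_rel_disp(insn_addr, operand_addr),
                       0x7000, 0x1080)

def assemble_absolute(key_addr):
    """Non-relocatable alternative: move.b #0,key_addr.l bakes the address in."""
    return struct.pack(">HHI", 0x13FC, 0x0000, key_addr)

def run_patch(mem, pc):
    """Constructed interpreter for just the three patched instructions."""
    a0 = d0 = 0
    for _ in range(3):
        op = (mem[pc] << 8) | mem[pc + 1]
        if op == 0x207A:                      # move.l d16(pc),a0
            disp = struct.unpack(">h", mem[pc + 2:pc + 4])[0]
            a0 = struct.unpack(">I", mem[pc + 2 + disp:pc + 6 + disp])[0]
            pc += 4
        elif op == 0x7000:                    # moveq #0,d0
            d0, pc = 0, pc + 2
        elif op == 0x1080:                    # move.b d0,(a0)
            mem[a0], pc = d0 & 0xFF, pc + 2
        else:
            raise ValueError(f"unexpected opcode {op:04x}")
    return mem

def demo(base, key_addr):
    """Lay out a constructed image at `base`, run the patch, return the key byte."""
    mem = bytearray(base + 0x5000)
    patch = base + (PATCH_ADDR - 0x50000)
    operand = base + (OPERAND_ADDR - 0x50000)
    mem[patch:patch + 8] = assemble_patch(patch, operand)
    # relocated "move.b key_addr.l,d0": the loader has already fixed up the operand
    mem[operand - 2:operand + 4] = struct.pack(">HI", 0x1039, key_addr)
    mem[key_addr] = 1                         # the wrong key the game stores
    return run_patch(mem, patch)[key_addr]
```

The same eight patch bytes (207A 0030 7000 1080) come out for any load base, whereas the absolute-address form changes with the key's address and would need a relocation entry.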

13 years ago

No piccies. :-[
