The Great Giana Sisters (c) Rainbow Arts

Requirements
1. AMiGA or WINUAE (Configuration: 2MB CHIP!!!)
2. ACTION REPLAY freezer (or ROM Image)
3. Original Game or CAPS-Image
4. Assembler (ASM-One / Trash-M One / Seka or similar)



So... let's see how to make a working copy of this game, which only shows small
red numbers if it is copied with X-Copy or similar..... 🙂 As always we'll check
out what is happening on track 0, because that's the place which keeps the secret of
how the DOS-unreadable tracks are loaded into memory. This is nothing new, so activate
AR, rt 0 1 50000 (read track 0, one track, to $50000) and d 5000c (disassemble from the start of the bootblock code).

Hmmm... I think it's only necessary to look at the first 5 instructions to realise what is going
on! It seems that a trackloader at $50068 is called to load 2 tracks, beginning from track 1, to
$30000 in memory... Let's find out what kind of data is loaded to $30000 then. This is surely
one of the main loaders!
Do as shown in the pic above: replace the jump with a branch loop,
calculate the new bootblock checksum and write the track back to disk. Now reset your Amiga and wait until
the loop is executed (white screen, no tracking sounds, nothing happens hehe...).
Activate AR again and disassemble the area from $30020.

Yo... again we can see these 4 instructions: start track in d0, number of tracks in d1, load address
in a0 -> call trackloader.
It's an easy job for us now to get a complete dump of our original disk. We just have to break
at the beginning of the loader and change the calling parameters so that the game loader loads
the whole disk into memory. So this will be: d0 set to 1 (start track), d1 set to !159 (number of
tracks) and a0 to e.g. $90000! Let's begin, follow the steps shown in the pic below.

So after continuing the game code with g $30020, the Action Replay pops up immediately,
showing us that the game is about to load 21 tracks beginning from track 3. That's not enough for us, so we change
the parameters in d0/d1/a0 as described before. No need to set another breakpoint now to alert
us that the trackloader has finished.... just leave AR using 'x' and you'll see why... After a minute
of tracking the trackloader will stop on its own, because the last tracks on the game disk are not
written in the trackloader's format; in this case they are really UNUSED. So... now you have a complete
dump of your original disk in memory beginning at $90000, waiting to be saved! ;D

We will have to use 2 disks for saving the dump because it won't fit on one... no problem, we save
in two steps. Insert the first disk and write part one of our memory dump like this:

sm giana1, 90000 150000

So, these were the first !786432 ($C0000) bytes.
Insert the second save disk now and write the rest with:

sm giana2, 150000 16A800

Wow, those were the remaining !108544 ($1A800) bytes.


SOMETHING WONDERFUL HAS HAPPENED! ORIGINAL DISK NOT NEEDED ANYMORE!


Before we continue to write the cracked disk image (man, we were fast this time hehe) I'll give you some more
information about this game, which you would surely have found out for yourself by stepping through the
trackloader and the rest of the game engine...
The loader at $31CF4 is used to load the title screen and the title music. If you press your joystick button
it is used one more time to load the main game code, which also includes another loader... this one is located
at $C632 but is 100% identical to the first one (both loaders handle tracks of $1700 bytes). The
first one stores the address for loading the raw MFM data at $30524, the second one at $7E20!

Since both loaders are identical, I will only patch the first loader in our memory dump before
writing it back to disk. This loader will check at the end of every call whether the second loader has already been
loaded to $C632. If so, loader one will copy itself directly over loader 2! Alright?! ;D


Now it's time to boot up your favourite assembler, in this case ASM-One, reserve some (more) chip memory (1200) and load the
source code that is delivered with this tutorial. It will look like this:

The commented sourcecode is here:

LEA GIANALOADER(PC),A0 ; Overwrite the old loader, which is loaded
LEA DISKIMAGE+$1700+$1CF4,A1 ; to $31CF4 (track 1 + $1CF4), with our new one ...
MOVE.L #(GIANALOADERENDE-GIANALOADER)-1,D0 ; byte count minus one, for DBF
REPLACELOADER:
MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER
RTS

GIANALOADER:
MOVEM.L D0-A6,-(A7) ; Save regs on stack
LEA $DFF000,A6 ; Custom chip base in A6, needed for our trackloader

MOVE.L D1,D3 ; Move 'tracks to read' to d3
MOVE.L D0,D1 ; Move 'start track' to d1
MULS.W #$1700,D1 ; Get byte offset of the start track on the original disk
DIVS.W #$1600,D1 ; Now where is the start track on our crack disk? (quotient in low word, remainder in high word)
SWAP D1 ; Get the byte offset on that track ...
MOVE.W D1,D2 ; ... and store it in d2
EXT.L D2 ; Enlarge to .l
CLR.W D1 ; Clear byte offset in d1
SWAP D1 ; ... now d1 = start track (on the crack disk) again
MOVE.L D3,D0 ; restore 'tracks to read' to d0 again
MULS.W #$1700,D0 ; 'tracks to read' * $1700 = bytes to read

LEA LOADERNUMBER(PC),A5 ; here we store which loader we are currently in ;D
TST.B (A5) ; Loader 1 at $31CF4 ?
BNE.B LOADER2 ; Nope, we are in Loader 2 !
MOVE.L $30524,A2 ; Otherwise move correct MFM address for loader 1 to a2
BRA.B RULES ; Call Trackloader
LOADER2:
MOVE.L $7E20,A2 ; Move correct MFM address for 2nd loader to a2

RULES:

BSR.W TRACKLOADER ; Trackloader!

LEA LOADERNUMBER(PC),A5 ; Loadernumber
TST.B (A5) ; Still in loader 1 ?
BNE.B SUCKS ; Nope, we are in loader 2 so no need to check for 2nd loader anymore
CMP.L #$48E7FFFE,$C632 ; Otherwise check if loader 2 is already in memory
BNE.B SUCKS ; Nope, it is not!
MOVE.B #1,(A5) ; Otherwise store info that we will be in loader 2 next time …
LEA GIANALOADER(PC),A0 ; … and copy the first loader over the 2nd loader
LEA $C632,A1
MOVE.L #(GIANALOADERENDE-GIANALOADER)-1,D0
REPLACELOADER2:
MOVE.B (A0)+,(A1)+
DBF D0,REPLACELOADER2

SUCKS:
MOVEM.L (A7)+,D0-A6
RTS

TRACKLOADER:
; D0 = bytes to read
; D1 = start track
; D2 = byte offset on track
; A0 = load address
; A2 = MFM address
INCBIN "ALPHA:TRACKLOADERPRO.BIN"

LOADERNUMBER:
DC.B 0,0

GIANALOADERENDE:

; ------------------------------------------------------------
; NOW HERE COMES THE COMPLETE DISKIMAGE OF GIANA SISTERS!
; AFTER ASSEMBLING AND EXECUTING THE CODE, THIS AREA IS THE
; COMPLETE WORKING CRACKED DISKIMAGE !
; ------------------------------------------------------------

DISKIMAGE:

BOOTCODE:

DC.B "DOS",0 ; bootblock id
DC.L 0 ; checksum, filled in later with cc
DC.L $370 ; rootblock (880)

MOVE.W #$2,$1C(A1) ; io_Command = CMD_READ: use trackdisk.device to read the first
MOVE.L #$1600,$2C(A1) ; io_Offset: loader to $30000 as the original did.
MOVE.L #$2FF00,$28(A1) ; io_Data: we use $2FF00 and not $30000 as load address
MOVE.L #$3000,$24(A1) ; io_Length: because trackdisk.device is not able to read
JSR -$1C8(A6) ; DoIO: from disk positions which are not divisible by $200.
MOVE.W #$9,$1C(A1) ; So we read from $1600 instead of $1700, and byte $1700 lands at $30000 ;D
MOVE.L #$0,$24(A1) ; io_Command = TD_MOTOR with io_Length 0: switch the motor off
JSR -$1C8(A6) ; DoIO
MOVE.W #$7FFF,$DFF096 ; DMACON: disable all DMA
MOVE.W #$7FFF,$DFF09A ; INTENA: disable all interrupts
JMP $30020 ; enter the game loader

BOOTCODEENDE:

BLK.B $400-(BOOTCODEENDE-BOOTCODE),0
BLK.B $1700-$400,0

INCBIN "ALPHA:GIANA1" ; This file begins exactly at offset $1700 on disk!
INCBIN "ALPHA:GIANA2"

DISKIMAGEENDE:
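The register arithmetic at the top of GIANALOADER (MULS.W / DIVS.W / SWAP) is easy to misread, so here is an added Python model of it, not code from the tutorial: it shows how a request for the game's $1700-byte tracks is turned into a track number and byte offset on the $1600-byte crack disk, and how many tracks wt has to write for an image of the dumped size. Helper names are hypothetical; the constants are the listing's own.

```python
# Added example (not from the tutorial): Python model of the 68000 register
# arithmetic in GIANALOADER. Helper names are hypothetical.
ORIG_TRACK = 0x1700    # bytes per track in the game's own track format
CRACK_TRACK = 0x1600   # bytes per track written by wt (11 sectors * $200)
IMAGE_SIZE = ORIG_TRACK + 0xC0000 + 0x1A800   # padded boot track + GIANA1 + GIANA2

def s16(v):
    """Low word of a register read as a signed 16-bit value (MULS.W/DIVS.W operand)."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

def muls_w(reg, imm):
    """MULS.W #imm,Dn: signed low word * signed imm -> full 32-bit product."""
    return (s16(reg) * s16(imm)) & 0xFFFFFFFF

def divs_w(reg, imm):
    """DIVS.W #imm,Dn: signed 32-bit dividend / signed word. Quotient lands in the
    low word, remainder in the high word; the quotient must fit in 16 bits."""
    dividend = reg - 0x100000000 if reg & 0x80000000 else reg
    divisor = s16(imm)
    q = abs(dividend) // abs(divisor)            # truncate toward zero, like the CPU
    if (dividend < 0) != (divisor < 0):
        q = -q
    r = dividend - q * divisor
    if not -0x8000 <= q <= 0x7FFF:
        raise OverflowError("DIVS.W overflow")
    return ((r & 0xFFFF) << 16) | (q & 0xFFFF)

def swap(reg):
    """SWAP Dn: exchange the high and low words."""
    return ((reg >> 16) | (reg << 16)) & 0xFFFFFFFF

def crack_position(start_track, tracks_to_read):
    """Mirror the listing from MOVE.L D1,D3 down to MULS.W #$1700,D0. Returns
    (D1, D2, D0) = (crack-disk start track, byte offset inside it, bytes to read)."""
    d1 = muls_w(start_track, ORIG_TRACK)      # byte offset of the track on the original disk
    d1 = divs_w(d1, CRACK_TRACK)              # the same byte located on the $1600-byte crack disk
    d1 = swap(d1)                             # remainder (offset inside the track) now in the low word
    d2 = d1 & 0xFFFF                          # MOVE.W D1,D2 / EXT.L D2 (remainder < $1600, so positive)
    d1 = swap(d1 & 0xFFFF0000)                # CLR.W D1 / SWAP D1 -> quotient = crack-disk start track
    d0 = muls_w(tracks_to_read, ORIG_TRACK)   # bytes to read, still counted in $1700-byte tracks
    return d1, d2, d0

def tracks_needed(image_bytes=IMAGE_SIZE):
    """How many $1600-byte tracks the wt command has to write for an image this big."""
    return -(-image_bytes // CRACK_TRACK)
```

The two calls the tutorial breaks on (2 tracks from track 1, then 21 tracks from track 3) both start a few hundred bytes into a crack-disk track, which is exactly why the TRACKLOADER takes a byte offset in D2.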


Now, you already guessed it... assemble this code with j followed by enter and then
write the complete disk image to a freshly formatted disk using the wt command... Begin writing
from label DISKIMAGE and write 160 tracks beginning from track 0 !!! Finally don't forget
to calculate the bootblock checksum using cc.
Reset your Amiga now and play some levels of this great oldskool game!
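What cc computes for the $400-byte BOOTCODE area, as an added Python example (not the tutorial's or ASM-One's code): the Amiga bootblock checksum, plus the validity check a freshly written bootblock has to pass. Helper names are hypothetical; the constructed sample block only reproduces the header longwords from the listing with the code area zeroed.

```python
# Added example (not from the tutorial): Amiga bootblock checksum as used by the
# cc command and checked at boot time. Helper names are hypothetical.
import struct

BOOTBLOCK_SIZE = 0x400   # the listing pads BOOTCODE to $400 bytes with BLK.B

def bootblock_checksum(block):
    """Sum the 256 big-endian longwords with the checksum field (longword 1) taken
    as zero, folding each carry back in, then invert. A correctly stamped block
    therefore sums to $FFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("bootblock must be exactly $400 bytes")
    total = 0
    for i in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if i == 4 else struct.unpack_from(">I", block, i)[0]
        total += word
        if total > 0xFFFFFFFF:                    # end-around carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def stamp_checksum(block):
    """Return the block with the checksum longword filled in (what cc does in place)."""
    return block[:4] + struct.pack(">I", bootblock_checksum(block)) + block[8:]

def is_valid_bootblock(block):
    """The check the boot ROM performs before jumping into the bootblock code."""
    return (len(block) == BOOTBLOCK_SIZE and block[:4] == b"DOS\0"
            and struct.unpack_from(">I", block, 4)[0] == bootblock_checksum(block))

def sample_bootblock():
    """Constructed sample: the header exactly as the listing emits it
    (DC.B "DOS",0 / DC.L 0 / DC.L $370) with the code area left zero."""
    header = b"DOS\0" + struct.pack(">II", 0, 0x370)
    return header + bytes(BOOTBLOCK_SIZE - len(header))
```

Patching the bootblock (the branch loop earlier in the tutorial, or the new BOOTCODE) without restamping the checksum leaves a block the ROM refuses to boot, which is why cc follows every write of track 0.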

Alpha One ©2005
