Untitled Document

Jimmy White?s

Whirlwind

Snooker

? Archer Maclean

1991

1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Three blank disks – find it in your local Amiga store
6. ARIV

NOTE !!!

This game will most likely NOT run correctly under WINUAE; use the real thing.
I have tried testing all the game?s functions, and it seems to work ok.
If you find any REAL errors that, please let me know, so it can be fixed.
Start by making a copy of original game disk. You?ll notice an error on track 0, this is a copylock protection.
If copy of game is run, screen will be filled with the txt ? FAIL ?.
Besides the copylock, game also has a novella protection and checksum routines. If copylock is changed, game will crash after the title screen. I have tried locating the checksums, but with out luck. Instead of cracking the checksums, we?ll replace all opcodes we change with original ones.

Let?s start by getting the copylock key. Execute ARIV, insert original game disk and reset. Enter ARIV right after reset, using RMB. Disable exceptions, to avoid undesired activations of ARIV: ? ALLEXC ?. Exit and continue loading.

When game has finished loading, screen turns black and game is being decrunched. When it?s done, the copylock is run and the title screen appears. Enter ARIV and locate the copylock routine.
Copylocks starts with the instruction ? PEA XXXX(PC) ? search for the opcodes: ? F 48 7A ?. You?ll receive three addresses, where there are $10 between the two last. A typically sign for a copylock routine. Enable the built in RNC decrypter, so we can decrypt the copylock:
? ROBD ?.
Disassemble address 279A6 and look out for second part of copylock:

Address 28194 moves copylock key to address 60. See contents of address 60: ? M 60 ?. Take note of key.
Next step is having a little look at the novella. Reboot original game and enter ? DAMM ? at the novella screen.

Enter AR and search for the word: ? FS DAMM ?. AR returns address FA08.

Press ? R ? to see registers. A1 points to address FA08. Set A1 to #0 = ? R A1 0 ?. If this is not done, we will get a lot of false references, when checking what game does with this address. Type ? FA FA08 ? to see what else happens with this address.

AR returns address 12064. Disassemble address 12064 And hold enter down, until bottom of screen has been reached. Scroll back up and stop when this appears:

Address 12056 calls the routine that makes A0 point to address FA08. This is done with a ? JSR ?, take note.
The really interesting stuff happens around address 12044. This address subtracts 4A+(A0) from D1.
If the result is NOT = 0, protection restarts. If the result IS 0, address FA4C is cleared and the correct value in D1 (0) is moved to A+(A0). Address FA4C tells the game, if novella has been run. If you quit to title screen and press LMB, game checks if FA4C is #0. If it is, novella will not appear, if not, it?s first time you start game and novella will appear.
We?ll crack the novella by inserting a ? CLR.W D1 ? and a NOP from address 12048.
We need to do this by wire new opcodes into the protection, cause it?s crunched. Take note of the original opcodes and make new opcodes:

Take note of both original and new opcodes.
Let?s have a look at the boot block, to see what it?s doing. Read it into memory, starting at address 70000:
? RT 0 1 70000 ?. Disassemble start of boot code (D 7000C) and stop when this appears:

Interesting part is line 70066. It jumps to what A3 points to; start of the loaded data. Change this to a loop, correct chk., and write track back, see above picture.
Reboot and enter AR when game hangs. Press ? R ? to see registers. A3 points to start of file. File is crunched, so we need to find the place, where the decruncher executes the decrunched data. This is often done by a ? JMP ?.
Disassemble start of file (59E8) and look out for jumps:

Address 5C02 executes the decrunched data. We could put a ? JMP C0.S ? at address 5BFC, making it jump to a crack patch. We have to put the jump at address 5BFC, because ? JMP C0.S ? is two bytes longer than ? JMP (A7). When erasing code at 5BFC, we also have to restore again in our patch. Take note of code at address 5BFC. We can?t assume that the code we want to change, always will appear at address 5BFC. We can calculate the correct address by subtracting the address we want to change with start of file. ? ? 5BFC-59E8 ? = #214. If we add #214 to A3, it will point to the correct address.
We can locate the crack on the boot block together with a copy routine, to move it to address C0. There are spare bytes on boot block from offset $C0. Read boot block into memory at address 70000, change the loop to ? BRA 700C0 ?, causing game to call our copy routine when file is loaded into memory. See picture:

Assemble 700C0 and code copy routine:

700C0; LEA C0,A0; destination address for patch
700C6; LEA 70100(PC),A1; copy from offset $100 on disk
700CA; MOVE.W #200,D7; amount to copy
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; MOVE.L #4EF800C0,214(A3); insert ? JMP C0.S ? in end of decruncher
700DC; JMP (A3) ; jump we too over

We still need to make out new opcodes for the copylock + where to locate opcodes for the novella. Opcodes for the copylock has to be done with ARIV. Assemble 70100 and insert a ? ILLEGAL ?. This will cause ARIV to automatically activate when file is decrunched, because it runs into a exception.
Assemble 70100, insert ? ILLEGAL ?, correct checksum and write boot back:

Start ARIV and boot game. When file is decrunched, it jumps to our patch and ARIV pops up. Locate copylock in memory; ? F 48 7A ?. ARIV returns address 27C22 & 27C32.

Enable the RNC decrypter so we can decrypt the copylock: ? ROBD ?
Disassemble start of copylock (27C22) and look out for location to wire key in:

The disk accessing part and key calculations of copylock key are done within the code from address 28028 ? 2806E.
Registers are saved by the code at address 2806E. Address 2803C is a good place to wire key in, as no disk routines has been called yet. We wire key into D0 and then branch to address 2806E.
Disassemble a bit further:

Address 2806C moves key from D6 to D0 (we skip this part) and registers are restored at 2806E, our branch address.
Address 28072 branches to second part of copylock, which fills registers with different values.
Take note of original opcodes in copylock, marked with green above. Don?t care about the location, as data is moved, before game starts. Assemble 2803C and insert the code you see above. After that, take note of the new opcodes AND their memory location.
Disable the RNC decrypter: ? ROBD ?. Copylock ends around address 28582. A few lines further down, we have a ? JSR 69D8.S ?. This JSR must be changed to ? JSR 102.S ?, a part of our crack patch. This part will move the ORIGINAL opcodes back into the copylock, so the checksum won?t notice that we have touched copylock.
Take note of the opcodes for the jsr: ? M 28582 ?. They are marked with green in the below picture.

Assemble 28582 and insert a ? JSR 102.S ?. Take note of the new opcodes: ? M 28582 ?, they are marked in the above picture with red.
We now need to locate the novella. Search for the opcodes, you took note of earlier:
? F 66 00 00 08 ?
ARIV will return lot?s of addresses, but 122D4 is the interesting one.
This where we need to insert the ? CLR.W D1 ? & ? NOP ?. A few lines further down, a JSR 12064 appears. Let?s take over this and alter it to JSR 126. At address 126, we will then replace the cracked opcodes in the novella with the original ones. Take note of original opcodes, marked with green:

Assemble 122E2 and insert a ? JSR 126 ?. Then take note of the new opcodes:

We now need to start game and see where original opcodes needs to be replaced. We need to replace them, so the checksums thinks everything is ok.
Boot original game and enter AR when the title screen appears. Let?s start with the copylock. First long word of opcodes was ? 14 43 9C 78 ?, search for them: ? F 14 43 9C 78 ?.
AR returns address 27DB0. This was the first long word. Second long word must be at address 27DB4.

Then there was the ? JSR 69D8.S ? in end of copylock, which we changed to ? JSR 102.S ?. Search for the jsr: ? FA 69D8 ?. AR returns two address; 278F2 & 282F6. It?s the second one that is interesting.

282F6 is where we inserted the ? JSR 102.S ?. Take note of address 282F6.
Then there is the novella. We changed the ? BNE 12052 ? at address 12048 to ? CLR.W D1 & NOP ?. New opcodes must be replaced at 12048.

We also replaced the ? JSR 12064 ? with ? JSR 126 ? at address 12056. This also needs to be set back to original opcodes. Addresses are marked with red, in the above picture.
Let?s code the crack patch. Insert copy of game and read boot block into memory, starting at address 70000: ? RT 0 1 70000 ?.
Assemble 70100 and insert following:

70100; MOVE.L #45FAFFFE,-(A7); restore code we removed in decruncher
70106; MOVE.L #4EB80102,28582; take over ? JSR 69D8.S ?, to ? JSR 102.S ?; opcodes will then be restored at address 102
70110; MOVE.L #557FAF4E,2803C; wire 1. long word of cracked opcodes into copylock
7011A; MOVE.L #C813CF64,28040; wire 2. long word of cracked opcodes into copylock
70124; MOVE.L #42414E71,122D4; crack novella
7012E; MOVE.L #4EB90000,122E2; take over ? JSR 12064 ? to ? JSR 126
70138; MOVE.W #126,122E6; se above
70140; JMP (A7); jump we too over in decruncher
70142; MOVE.L #4EB869D8,282F6; replace ? JSR 102.S ? with ? JSR 69D8.S ?; restoring code
7014C; MOVE.L #14439C78,27DB0; move first long word of original opcodes into copylock
70156; MOVE.L #734DEC79,27DB4; move first long word of original opcodes into copylock 70160; JSR 69D8.S; jsr we too over after copylock, then executed here
70164; RTS; return to game, after copylock code restored to original opcodes
70166; MOVE.L #66000008,12048; insert original opcodes into novella protection
70170; MOVE.L #4EB90001,12056; replace ? JSR 126 ? with ? JSR 12064 ?; restoring code
7017A; MOVE.W #2064,1205A; see above
70182; JSR 12064; jsr we too over after novella, then executed here
70188; RTS; return to game, after restoring novella code.

When patch is executed, it will move new opcodes into the copylock & novella. It will also taker over the first JSR instruction after the protections, making them jump back to patch. When copylock has run, our patch is called and original opcodes are moved back into the copylock and the jsr is also restored. When the novella has run, then it will also jump to the patch and original opcodes are restored, though is seems not to be checksummed.
Correct boot checksum: ? BOOTCHK 70000 ?

Write boot block back: ? WT 0 1 70000 ?.

Rob


0

Publication author

offline 20 years

Rob

0
Comments: 103Publics: 79Registration: 20-07-2004

Subscribe
Notify of
guest

0 Comments
Newest
Oldest
Inline Feedbacks
View all comments
janer
19 years ago

perfect game.. i loved it back the days 🙂

0
Authorization
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Registration
*
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password generation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

0
Would love your thoughts, please comment.x
()
x