
Monty Python's Flying Circus

© Core Design

1990

1. Original game – find it on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store
6. ARIV
7. RNWarp

This crack covers the version with both novella and copylock protection.
Start by making a copy of the original game. This is to determine the type of protection.
You'll notice an error on track 0, probably a copylock track.
Boot the copy of the game. After some loading, a screen like this appears:

I hope you have a great cheese knowledge…
Keep on choosing the wrong cheese until this appears:

Enter AR and press D + enter to disassemble the current memory. Address 2C064 branches to itself; the game is simply looping.
Disassemble from address 2C064 and hold enter down until the bottom of the screen is reached. Scroll back up and stop when this appears:

Address 2C02E is most likely the start of the "crashing" routine. See what calls it:
“FA 2C02E”. AR returns address 2BF98. Take a look at the code around this address:

Address 2BF98 calls the crash routine when the attempts counter reaches 0. Address 2BF88 checks whether address 2CAB8 is equal to 0. If it is, it branches to the code after the crash routine and the game continues. To crack this, we insert a “CLR.W 2CAB8” at address 2BF80. It then needs to be followed by a “NOP” to make the addresses add up. It might also be a good idea to insert a NOP at address 2BF7E, just to be sure.
Insert the code you see beneath:

We'll crack the game by wiring new opcodes into the protection systems, so take note of the new opcodes; see the picture above.
The next fun part is the copylocks. There are three of them and they are all identical.
These copylocks do not just return the copylock key in D0; they also EOR.L the key into the encrypted code.
We need to take note of the routine that calculates the key, warp the copylock track and then compare the key calculation routine with the output from the warper.
Execute ARIV and boot the copy of the game. Enter ARIV just after reboot and turn exceptions off: “ALLEXC”. Exit and re-enter when the novella appears. Enable the RNC decrypter: “ROBD”

Search for copylock routines: “F 48 7A”. ARIV returns six addresses, all $10 apart.
This means that we have three copylocks in memory.

Disassemble the first one and look out for the code above. The address marked in green is part of the key calculation routine. Take note of this code.
Remove ARIV from memory and run RNWarp with the original disk in DF0:
“RNWARP.EXE VIEW”

RNWarp will now read the copylock track and produce six possible checksums. Checksum 1 matches the key calculation routine. The copylock key is A3 EF 13 06.
Once again boot the game and enter ARIV when the novella appears. Enable the RNC decrypter and disassemble the start of the first copylock (10BC2). Stop when this appears:

The copylock key needs to be wired into address 11000. After that, we set register D1 to #0. This emulates Copylock in the best possible way. We can then branch past the whole disk-accessing part.
Continue to disassemble a few lines further:

The registers are restored at address 11032, so this must be our branch address.
Assemble address 11000 and wire the key in; see the picture above. We can now read out the new opcodes that need to be wired into the copylock.
Take note of the original opcodes at address 11000, as we can use them to locate the two other copylocks.
The opcodes are marked in red in the picture above. Search for them: “F 35 23 9C 7E”. ARIV returns addresses 15A46 & 2C4DE.
The new opcodes also need to be inserted here. They are marked in green in the picture above.
We are not going to modify the tracks on disk, but patch the protections. Therefore we need to know the addresses to alter. The addresses for all three copylocks are shown beneath, divided into two long words and one word per copylock.
1st long word = green, 2nd long word = yellow and last word = red.

The next step is to determine how to patch the protections before they are executed.
Enter AR and read the boot block from the copy of the game: “RT 0 1 70000”
Then see the contents of the boot block: “N 70000” + enter a few times.

We have plenty of spare bytes here. We'll locate the crack patch (and a little trainer) at offset $100.
To move the patch into memory, we need a routine that copies it from the boot block into memory upon game boot.
Disassemble the boot code so we can determine how to call the copy routine:

The data loaded into memory by the boot block is executed by the “JMP (A3)” at line 7005C. Alter this to a loop routine; see the picture above. Then correct the boot block checksum and write the track back:

Reboot and enter AR when the game hangs. Before programming the patch and copy routine, we need to find the addresses to patch, so we can take over the game before the protections are executed.

Press “R” to see the registers. A3 points to the start of the loaded data.
A3 points to address 59E8, so this is the start of the data. Disassemble this address and look out for jumps:

Address 5A60 makes a jump to address 10000. When the game reaches this address, both the novella and the copylocks have been loaded in. The main code is in memory at this time, so it's also suitable for activating a trainer.
We'll patch this jump so it jumps to address 100 instead, where we will locate our patch.
The location of the “JMP 10000” is relative; we can't expect it to always appear at address 5A60.
If we subtract the start address of the code from the address of the JMP, we have the value to add to A3 to make it point to the “JMP 10000”. The calculation looks as follows: “?5A60-59E8”. The result is 78.
Read the boot block into memory, starting at address 70000: “RT 0 1 70000”. Change the loop routine to “BRA 700C0”.
See picture:

Assemble address 700C0 and code the copy routine, which also patches the
“JMP 10000” to “JMP 100”:

700C0; LEA 100,A0; destination address for patch
700C6; LEA 70100(PC),A1; copy from offset $100 on disk
700CA; MOVE.W #200,D7; copy $200
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; MOVE.L #4EF90000,78(A3); patch “JMP 10000” to “JMP 100”
700DC; MOVE.W #100,7C(A3); patch “JMP 10000” to “JMP 100”
700E2; JMP (A3); jump we took over
The copy routine copies our crack patch and trainer to address 100, and the jump to the main code is changed to jump to our patch instead.
Assemble 70100 and code the crack + trainer patch:
70100; MOVE.W #F,DFF180; set background colour to blue
70108; BTST #6,BFE001; check for LMB
70110; BEQ 7011E; if pressed, branch to 7011E, train & crack game
70112; BTST #A,DFF016; check for RMB pressed
7011A; BEQ 70144; if pressed, branch to 70144 and crack game
7011C; BRA 70100; loop till pressed
7011E; MOVE.L #4E714E71,D0; 2 x NOP in D0
70124; MOVE.L D0,1628E; train game
7012A; MOVE.L D0,16292; train game
70130; MOVE.L D0,16226; train game
70136; MOVE.L D0,1622A; train game
7013C; MOVE.W D0,162A4; train game
70142; CLR.L D0; set D0 to its original value
70144; MOVE.L #42790002,2BF80; crack novella
7014E; MOVE.L #CAB84E71,2BF84; crack novella
70158; MOVE.W #4E71,2BF7E; crack novella
70160; MOVE.L #741F3F6B,11000; crack copylock 1
7016A; MOVE.L #47254D6B,11004; crack copylock 1
70174; MOVE.W #270D,11008; crack copylock 1
7017C; MOVE.L 11000,15A46; crack copylock 2
70186; MOVE.L 11004,15A4A; crack copylock 2
70190; MOVE.W 11008,15A4E; crack copylock 2
7019A; MOVE.L 11000,2C4DE; crack copylock 3
701A4; MOVE.L 11004,2C4E2; crack copylock 3
701AE; MOVE.W 11008,2C4E6; crack copylock 3
701B8; (MOVE.W #4E71,2BF04); skip copyright screen (optional)
701C0; JMP 10000; start game
A little note: if you don't like the purple copyright screen, then just add a single NOP to address 2BF04…
When the patch is run, the screen will turn blue and wait for a mouse button to be pressed.
LMB will train life and energy. RMB will start the normal game.
The patch then moves the new cracked opcodes into copylock 1 and copies the opcodes from this copylock to copylocks 2 & 3.
Correct the boot block checksum and write the track back:
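The checksum that has to be corrected after every edit is the standard AmigaDOS boot block checksum: the 256 longwords of the 1024-byte block (the two sectors read with “RT 0 1 70000”) are summed with end-around carry, the checksum field at offset 4 counted as zero, and the result is complemented. The Python below is added here and is not part of the original tutorial; it recomputes and verifies that field, and the sample block it uses is constructed, not a dump of the game disk.

```python
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4     # longword right after the "DOS\0" signature


def bootblock_checksum(block: bytes) -> int:
    """AmigaDOS boot block checksum: 32-bit sum of all longwords with
    end-around carry (checksum field treated as zero), then complemented."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                       # field is zero while summing
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:             # overflow: wrap and add the carry
            total = ((total & 0xFFFFFFFF) + 1) & 0xFFFFFFFF
    return (~total) & 0xFFFFFFFF


def is_valid(block: bytes) -> bool:
    """True when the stored checksum matches the block contents."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def fix_checksum(block: bytes) -> bytes:
    """Return a copy of the block with the checksum field recomputed,
    i.e. what has to happen before an edited track is written back."""
    buf = bytearray(block)
    struct.pack_into(">I", buf, CHECKSUM_OFFSET, bootblock_checksum(buf))
    return bytes(buf)


def make_sample_bootblock() -> bytes:
    """Constructed sample (not the game's boot block): 'DOS\\0' signature,
    zeroed checksum, root block 880, one 68k instruction, zero padding."""
    code = b"\x4e\xf9\x00\x01\x00\x00"            # JMP $10000 (example only)
    head = b"DOS\x00" + b"\x00" * 4 + struct.pack(">I", 880)
    return (head + code).ljust(BOOTBLOCK_SIZE, b"\x00")


def edit_word(block: bytes, offset: int, word: int) -> bytes:
    """Overwrite one big-endian word, the way an in-memory patch does,
    without touching the checksum field."""
    buf = bytearray(block)
    struct.pack_into(">H", buf, offset, word)
    return bytes(buf)
```

Summing every longword of a correctly checksummed block, checksum field included, with the same end-around carry gives 0xFFFFFFFF, which is the check the ROM performs before it runs the boot code.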

Reboot your new crack.
When the screen turns blue, press LMB for the trainer or RMB for a normal game.
When the novella screen appears, press fire twice. This screen will appear:

Hehe, seems like your cheese knowledge is excellent now.

Dedicated to all fruitcakes 🙂

Rob
