Naughty Ones
© Interactivision 1994
Created by Melon Dezign

You will need the following:
1. Original game - get it from your local supplier 🙂
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper

Start by making a copy of the original disk. All tracks seem OK, so we are probably not dealing with a disk-based protection.
Boot the copy of the game. After some loading, a screen similar to this appears:

If you have misplaced your manual, continue reading...
Enter something, let's choose "SIGNE". When done, DON'T press enter, but enter AR. Search through memory for the word "SIGNE": FS "SIGNE". AR returns address 1BE6E.

Let's see what the game does with this address: FA 1BE6E. AR returns three addresses; disassemble 1BD08 and hit enter a few times:

Address 1BD08 moves what we typed in into A4. Address 1BD10 seems interesting. It compares what A4 points to with D0. If not equal, address 1BD12 branches to 1BD20, which subtracts 1 from the attempts counter.
Let's try to "NOP" out the BNE: assemble address 1BD12 and insert a "NOP":

Exit AR and press enter. The protection passes and the game continues... Take note of address 1BD12; it needs to be NOP'ed out.
The protection is located in a crunched file, so we can't just modify it on disk. We have to find the point where it's decrunched but not executed yet. That way, we can make a patch which will insert a "NOP" in the decrunched protection.
Read the boot block into memory, starting at address 70000: RT 0 1 70000. Disassemble address 7000C and hit enter a few times. This will show us what happens at boot start.
Let's follow the code. We have a BRA 70036 at 70020. Disassemble 70036 and hit enter a few times.

The interesting part is 70060 - 70074. This code copies a part of the boot block, starting from offset $7A, into memory starting at address 6F000, and then executes it. Disassemble address 7007A and hit enter a few times:

We have a JMP 3000 at 700DE; this will then appear in the 6F000 area of memory when the game is booted.
Reboot the game and enter AR shortly after it begins to load. Disassemble address 6F000 and stop when the "JMP 3000" appears. Set a breakpoint at address 6F064: BS 6F064, exit AR and continue the game.

After some loading, AR pops up when address 6F064 is reached. Try disassembling address 1BD12 to see if the "BNE" we want to NOP out has been decrunched yet: D 1BD12. Seems not. Exit AR and continue the game. Enter AR again when the protection appears.

The "BNE" was at address 1BD12, so maybe the protection starts at address 10000. See memory with N 10000 and hit enter a few times. Interesting... And he's right...
Check what calls address 10000: FA 10000. AR returns address 31C4. This call must be part of the file starting at address 3000. So we could change the "JMP 3000" on the boot block to "JMP 100", and put a little crack patch there. The patch should first modify address 31C4 to jump to the second part of our patch (which inserts a "NOP" at 1BD12), and then jump to address 3000. Take note of address 31C4.
Reboot the game, enter AR when it begins to load and set a breakpoint at address 6F064 again.
When I was poking around in the code, I fell over the word "joshua" in the middle of the main file. A bit strange to put that here... But not really: if you type the word at the title screen, the screen flashes and you activate the game's built-in trainer. "joshua" appears at address 3352.

Perhaps the game uses some kind of compare routine to check if the word is typed in at the title screen. Let's see what happens with address 3352: FA 3352. AR returns address 331C. Disassemble this address and hit enter a few times.

The interesting address is 3336: if 3294 is set to 1, the trainer is on. Also notice 333E; this code makes the screen flash when the code is typed in at the title screen. If you follow the code for the next steps, it ends with an "RTS", so it's just a little subroutine. We could put a "JSR 3336" in our crack patch to activate the trainer, with a right or left mouse button check to disable or enable the trainer.
Next step is to find a place for our crack + trainer patch and a way to move it into memory. Read the boot block into memory, starting at address 70000: RT 0 1 70000. See memory with "N 70000" and hit enter a few times.

The boot block seems to be pretty full, except $3C0 - $400. But this is not enough bytes for the patches + moving them into memory. Continue holding enter down to check for some more free space:

Offset $800 seems free, let's pick it for our patches. Assemble address 70800 and code the patches:

70800  MOVE.L #4EB90000,31C4   ; change address 31C4 to JSR 138 (JSR opcode + high word of the address)
70808  MOVE.W #138,31C8.S      ; change address 31C4 to JSR 138 (low word of the address, at 31C8)
7080E  MOVE.W #F,DFF180        ; turn screen blue
70816  BTST #6,BFE001          ; check for left mouse
7081E  BEQ 7082C               ; if left mouse pressed, branch to 7082C and activate cheat mode
70820  BTST #A,DFF016          ; check for right mouse
70828  BEQ 70834               ; if right mouse pressed, branch to 70834 and start normal game
7082A  BRA 7080E               ; loop above routine
7082C  JSR 3336.S              ; execute cheat mode
70830  JMP 3000.S              ; jump back to game, after cheat activated
70834  JMP 3000.S              ; jump to game, without cheat
70838  MOVE.W #4E71,1BD12      ; insert "NOP" at address 1BD12, crack game. This code will appear at address 138
70840  JMP 10000               ; jump into protection, this code will appear at 140

When the game has loaded & decrunched the main file, we'll make it jump to address 100 instead of 3000. When the patch is run, address 31C4 is changed to "JSR 138". When address 31C4 is reached, the game jumps to our patch, which cracks the protection and then executes it. After address 31C4 has been patched, the screen turns blue and waits for the left or right mouse button to be pressed. If left is pressed, the game's own trainer will be activated and the game started. If right is pressed, the game starts normally.
We'll now alter the "JMP 3000", located at $DE, to "JMP 100"; see picture below.

We had some spare bytes at offset $3C0 on the boot block. Let's put a little track loader here, to move our patch to address 100. But first, we need to alter the original boot code so our loader is called. Assemble address 70036 and insert a "BSR 703C0" and a "NOP"; the "NOP" is needed to make the addresses add up. Assemble address 703C0 and code the track loader:

Address 703E2 can't be assembled with AR, so insert the opcodes instead. The loader will move $200 bytes of data into memory, starting at address 100. It loads data starting from offset $800 on disk. At the end of the loader, we restore the code removed from the original loader and then return with the "RTS".
Correct the boot block checksum, if you would like the game to boot: BOOTCHK 70000
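
What a boot block checksum correction has to compute, as an added example (not part of the original tutorial and not Action Replay's code): the standard Amiga boot block is 1024 bytes, with a big-endian checksum longword at offset 4 chosen so that all 256 longwords, added with end-around carry, total $FFFFFFFF. The function names and the sample block are constructed for illustration.

```python
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors at the start of the disk
CHECKSUM_OFFSET = 4     # big-endian longword right after the "DOS" id
MASK = 0xFFFFFFFF


def sum_with_carry(data: bytes) -> int:
    """Add all big-endian longwords, wrapping any overflow back in as +1."""
    total = 0
    for (longword,) in struct.iter_unpack(">I", data):
        total += longword
        if total > MASK:
            total = (total + 1) & MASK
    return total


def bootblock_checksum(block: bytes) -> int:
    """Checksum value that makes the whole block sum to $FFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("a boot block is exactly 1024 bytes")
    zeroed = block[:CHECKSUM_OFFSET] + bytes(4) + block[CHECKSUM_OFFSET + 4:]
    return ~sum_with_carry(zeroed) & MASK


def is_bootable(block: bytes) -> bool:
    """True if the block starts with a DOS id and sums to $FFFFFFFF."""
    return (len(block) == BOOTBLOCK_SIZE and block[:3] == b"DOS"
            and sum_with_carry(block) == MASK)


def with_checksum(block: bytes) -> bytes:
    """Return a copy of the block with the checksum field recomputed."""
    value = struct.pack(">I", bootblock_checksum(block))
    return block[:CHECKSUM_OFFSET] + value + block[CHECKSUM_OFFSET + 4:]


# Constructed sample: DOS id, empty checksum, root block 880, zero-filled code.
SAMPLE = b"DOS\x00" + bytes(4) + struct.pack(">I", 880) + bytes(1012)

if __name__ == "__main__":
    good = with_checksum(SAMPLE)
    changed = good[:0x20] + b"\x4e" + good[0x21:]   # any single-byte change
    print(is_bootable(SAMPLE), is_bootable(good), is_bootable(changed))
```

Because anyone can recompute this value, it only catches accidental corruption; telling an original boot block from an altered one needs a comparison against a hash of a known-good image.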

And finally write the boot block back: WT 0 1 70000.

If the trainer is activated, use "Return" to skip levels. You might also crack the game by simply removing the call at address 31C4. This of course requires that the protection doesn't mess with the game's memory...
And now... Musashi9 suggested putting a cracktro on. Well, isn't that a nice idea! Musashi9 has done a GREAT job in "transforming" an Anthrox cracktro into a Flashtro cracktro. Find it here: cracktro.zip
You can load it into memory and edit the text as you wish! To do this, run Action Replay, insert cracktro.adf and type this:
LM 60000,60000
then type this:
N 601DA
and edit the text to suit your needs.
When done, crunch it with ByteKiller V2.0, using min.
Crunch offset $200.
Use 60000 for load & jump address.
I have found some spare tracks on disk where we can locate the intro. Read tracks 76 - 79 into memory, starting at address 30000: RT 99 7 30000. As the observant reader can see, it's actually only half of track 76 (152) - 79.
Type NQ 30000 + enter. You should see this flash over your screen:

You should only see the above crap and nothing else. This is just blank disk space, no code. It ends around address 399F3. Insert the disk with the saved cracktro and load it into memory, starting at address 30000: LM CRACKTRO,30000.
The end address must NOT exceed 399F3. If it does, repack the file at a higher crunch offset or use ProPack!

Insert your copy of the game and write the tracks back: WT 99 7 30000.
Next problem is to move it into memory, as the whole boot block is full. We get around this by simply moving the boot block to another location on disk and writing a new one that moves our cracktro into memory and then the original boot block.
Read track 0 into memory, starting at address 70000: RT 0 2 70000. See memory with N 70000 and stop when this appears:

Notice our crack + trainer at offset $800. Offset $A00 seems free, and $400 onwards, so transfer the original boot block to this location:
TRANS 70000 70400 70A00.
When you have done that, assemble the start of the boot code and make two new track loaders:

You can't assemble address 7002A & 7005A with AR, so insert the opcodes instead. See picture above.
The new loader will move our cracktro to address 50000 and execute it with the "JSR 50024" - it's an exe file... After that, the original boot block is moved to address 60000 and executed by the "JMP 6000C".
Correct the boot block checksum: BOOTCHK 70000

Write track 0 back: WT 0 2 70000. Reboot and check it out!

Dedicated to sweet sweet Victoria
Rob