Amiga cracking: Nigel Mansell’s World Championship (c)
1992 Gremlin

[0] Introduction
[1] Bypassing the codewheel protection
[2] Make the patch permanent
[3] Final words

.-=[ [0] Introduction ]=-.
Things you will need:
1. The original of “Nigel Mansell’s World Championship (c) 1992 Gremlin”
(2 disks, not AGA or a budget re-release). The CAPS version (numbered
0137) is the
one I’ve used here.
2. An Amiga or a copy of UAE.
3. An Action Replay 3 cart (or ROM image for use w/ UAE above).

Ok, first things first, let’s quickly try to make a copy of the Game
Disk (disk one) and see if there’s any disk copy-protection. Fire up XCopy
and you should

No errors, and the disk copy boots perfectly… but before you think this
is the shortest tutorial in history, continue letting the game load…and
you see this:

So what we have here is a codewheel protection scheme, using a cheap cardboard
wheel w/ inner/outer rings that you rotate to show a particular code-number.
But what if we’ve lost the codewheel, how on earth can we play this really
awful racing game? It’s time to start…

.-=[ [1] Bypassing the codewheel protection ]=-.
At this stage, we test to see what input the code protection scheme takes…and
we find that we are limited to a 3-digit code. We know that the game is
the digits we enter somewhere, presumably in ascii format since it’s echoing
them back to us onscreen, so let’s use this to hunt down the location
of our
entered code in memory.

We enter a 3 digit code, but don’t press return: 691 Press the AR button,
and then search for this string in memory using the following command:
F “691”
Only 1 occurence found, this is a good sign! Let’s check out memory at
this location:

So we can be reasonably sure that this is where the game stores our entered
code, and will later read it from in order to validate our entry.
NOTE: remember this game is relocatable, so if the locations you see in
the pictures don’t exactly match the values you find, substitute your
where required!

Now let’s use the Action Replay to find code that references the location
we discovered above:

NOTE: Check the registers using the “R” command before you do this search,
if one of the registers points to the location you found the string at
you will be
flooded with false references…in this case simply alter the register
temporarily, for example if A0 pointed to the reference, change it by
R A0 12345678
then perform the search, and then change A0 back to it’s original value.

We should have 3 references as shown in the picture above, and we can
disregard the first one since it’s writing 7f into our location (so it’s
obviously not
reading our codenumber from there). Let’s take a closer look at the other
2 bits of code that reference our codenumber memory-location.

Looks like we’re in the right place, take a look at the code at the last
reference we found (comments are in italics below each line):

00C0A64A : LEA.L 00C107E9,A0 ;A0 points to code we entered
00C0A650 : MOVE.L #00000000,D0 ;clear D0
00C0A652 : MOVE.B (A0)+,D1 ;copy one byte from our codenumber into
D1, and increment A1 to point to the next one
00C0A654 : BEQ.B 00C0A66A ;branch if the last byte we read was zero
00C0A656 : CMP.B #7F,D1 ;7F is an ‘end of code’ marker used by the game
00C0A65A : BEQ.B 00C0A66A ;branch if we’ve reached marker byte.
If you set a breakpoint on the next instruction,
you will end up here when you press return after you entered a 3-digit
00C0A65C : SUB.B #30,D1 ;ascii-adjust value (subtract 30 turns “0” into 00,
“1” into 01, etc.)
00C0A660 : EXT.W D1 ;extend to a word (clears high-byte of word)
00C0A662 : MULU.W #000A,D0 ;D0 * 0a (10), kept as rolling sum of code we entered
00C0A666 : ADD.W D1,D0 ;add next code byte to rolling total…
00C0A668 : BRA 00C0A652 ;and loop until we’ve done this for the 3 digits in
the code
So the 3 digits we entered are converted to their numerical
values (from the ascii values), multiplied by 10 and added to the previous
total. Now we’re looking for something that checks this calculated value,
and we don’t have far to look 🙂 In fact, it’s the next instruction:
00C0A66A : CMP.B (A5,023A),D0 ;Compare the value calculated based on our code-entry,
with some value
00C0A66E : BEQ.W 00C0A684 ;Branch if they are equal
Let’s change the code here to always branch, and see if
it works!

So now the code above is patched to always branch, let’s return to the
game and
see what happens…wow, it works! Now all we have to do is…

.-=[ [2] Make the patch permanent ]=-.
So, normally we would just load the track/file that contains the code
we want to patch, byte-patch it, and we’re finished…however, if we
look for the bytes we
need to change in order to make our permanent patch, they’re not found
in any of the files on the disk. The most obvious reason for this is
that the files are
packed, and sure enough this is the case!
If we look at s:startup-sequence on the disk, we can see that the maingame
file is called “mansell”, and when we load this into a hex-editor (I
use NewZAP) we
see the tell-tale signature early in the file:
524E4301, or if you prefer “RNC”,01
This is the signature for data packed with the “Rob Northen Cruncher”,
in this case using mode 1 (slower decrunch, but higher compression than
mode 2). Rob’s
packer was officially called “ProPack”, and luckily for us the “xfdmaster”
decrunch library supports unpacking these files. Of course, we already
have a
copy of xfdDecrunch, so we run that and unpack the mansell executable
from the game disk and write it to a backup floppy.
if you dont have XDFMASTER then you can use the acutal ProPack util
find it here RNC

Now we load this decrunched amiga executable into NewZAP, and search
for some bytes around the code we want to patch, I chose:
which are the opcodes for the TST.W 278(A5) instruction that comes immediately
after the BEQ instruction we want to patch to a BRA.
Aha, success…we’ve found them:

We know that the 67000014 before the found value, is the opcode we want
to change, so let’s do it… using your hex-editor, modify the 67 byte
to 60, and
that’s it – Nigel Mansell’s World Championship is cracked. By changing
this instruction:
00C0A66E : BEQ.W 00C0A684
into this:
00C0A66E : BRA.W 00C0A684
we have forced the game to accept our code whatever the result of the
comparison, and the game loads as expected.

.-=[ [3] Final words ]=-.
Now you should pack the modified executable with whichever amiga executable
packer you feel like using or just use PROPACK
, and replace the “mansell” exe on your backup copy
with the newly cracked & packed one… and that’s it, codewheel bypassed.Not
a very interesting crack really, but it does give us some things to
look for
when we’re cracking future codewheel/manual protections:
1. Search for your onscreen input in memory, then search for references
to this to track down the code that manipulates your entry.
2. Games usually limit you to a specific number of attempts at entering
the correct code – we can take advantage of this by using “trainer”
techniques and finding this counter, and therefore the protection code
that modifies this value when we fail to get the correct code.
Ok, I’m sorry this tutorial isn’t very interesting, but my excuse is
that it can
only be as ‘good’ as the protection being described 🙂

-Wayne Kerr, May 2004


Publication author

offline 10 hours


Comments: 1983Publics: 20Registration: 15-05-2004

Notify of

Inline Feedbacks
View all comments
17 years ago

Cracked my first Amiga game to day thanks to bits of this tut.
Thx alot WayneK and u other dudes here.

19 years ago

Fantasitc Tutorial ,ive included a link to ProPack for depacking and packing the amiga exe ,incase people dont have XDFMaster


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password generation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Would love your thoughts, please comment.x