Nigel Mansell

Amiga cracking: Nigel Mansell’s World Championship (c)
1992 Gremlin

[0] Introduction
[1] Bypassing the codewheel protection
[2] Make the patch permanent
[3] Final words

.-=[ [0] Introduction ]=-.
Things you will need:
1. The original of “Nigel Mansell’s World Championship (c) 1992 Gremlin”
(2 disks, not AGA or a budget re-release). The CAPS version (numbered
0137) is the
one I’ve used here.
2. An Amiga or a copy of UAE.
3. An Action Replay 3 cart (or ROM image for use w/ UAE above).

Ok, first things first, let’s quickly try to make a copy of the Game
Disk (disk one) and see if there’s any disk copy-protection. Fire up XCopy
and you should
see:

No errors, and the disk copy boots perfectly… but before you think this
is the shortest tutorial in history, continue letting the game load…and
you see this:

So what we have here is a codewheel protection scheme, using a cheap cardboard
wheel w/ inner/outer rings that you rotate to show a particular code-number.
But what if we’ve lost the codewheel, how on earth can we play this really
awful racing game? It’s time to start…

.-=[ [1] Bypassing the codewheel protection ]=-.
At this stage, we test to see what input the code protection scheme takes…and
we find that we are limited to a 3-digit code. We know that the game is
storing
the digits we enter somewhere, presumably in ascii format since it’s echoing
them back to us onscreen, so let’s use this to hunt down the location
of our
entered code in memory.

We enter a 3 digit code, but don’t press return: 691 Press the AR button,
and then search for this string in memory using the following command:
F “691”
Only 1 occurence found, this is a good sign! Let’s check out memory at
this location:

So we can be reasonably sure that this is where the game stores our entered
code, and will later read it from in order to validate our entry.
NOTE: remember this game is relocatable, so if the locations you see in
the pictures don’t exactly match the values you find, substitute your
addresses
where required!

Now let’s use the Action Replay to find code that references the location
we discovered above:

NOTE: Check the registers using the “R” command before you do this search,
if one of the registers points to the location you found the string at
you will be
flooded with false references…in this case simply alter the register
temporarily, for example if A0 pointed to the reference, change it by
doing:
R A0 12345678
then perform the search, and then change A0 back to it’s original value.

We should have 3 references as shown in the picture above, and we can
disregard the first one since it’s writing 7f into our location (so it’s
obviously not
reading our codenumber from there). Let’s take a closer look at the other
2 bits of code that reference our codenumber memory-location.

Looks like we’re in the right place, take a look at the code at the last
reference we found (comments are in italics below each line):

.-=[ [2] Make the patch permanent ]=-.
So, normally we would just load the track/file that contains the code
we want to patch, byte-patch it, and we’re finished…however, if we
look for the bytes we
need to change in order to make our permanent patch, they’re not found
in any of the files on the disk. The most obvious reason for this is
that the files are
packed, and sure enough this is the case!
If we look at s:startup-sequence on the disk, we can see that the maingame
file is called “mansell”, and when we load this into a hex-editor (I
use NewZAP) we
see the tell-tale signature early in the file:
524E4301, or if you prefer “RNC”,01
This is the signature for data packed with the “Rob Northen Cruncher”,
in this case using mode 1 (slower decrunch, but higher compression than
mode 2). Rob’s
packer was officially called “ProPack”, and luckily for us the “xfdmaster”
decrunch library supports unpacking these files. Of course, we already
have a
copy of xfdDecrunch, so we run that and unpack the mansell executable
from the game disk and write it to a backup floppy.
if you dont have XDFMASTER then you can use the acutal ProPack util
find it here RNC
PROPACK
Now we load this decrunched amiga executable into NewZAP, and search
for some bytes around the code we want to patch, I chose:
4A6D0278
which are the opcodes for the TST.W 278(A5) instruction that comes immediately
after the BEQ instruction we want to patch to a BRA.
Aha, success…we’ve found them:

We know that the 67000014 before the found value, is the opcode we want
to change, so let’s do it… using your hex-editor, modify the 67 byte
to 60, and
that’s it – Nigel Mansell’s World Championship is cracked. By changing
this instruction:
00C0A66E : BEQ.W 00C0A684
into this:
00C0A66E : BRA.W 00C0A684
we have forced the game to accept our code whatever the result of the
comparison, and the game loads as expected.

.-=[ [3] Final words ]=-.
Now you should pack the modified executable with whichever amiga executable
packer you feel like using or just use PROPACK
, and replace the “mansell” exe on your backup copy
with the newly cracked & packed one… and that’s it, codewheel bypassed.Not
a very interesting crack really, but it does give us some things to
look for
when we’re cracking future codewheel/manual protections:
1. Search for your onscreen input in memory, then search for references
to this to track down the code that manipulates your entry.
2. Games usually limit you to a specific number of attempts at entering
the correct code – we can take advantage of this by using “trainer”
techniques and finding this counter, and therefore the protection code
that modifies this value when we fail to get the correct code.
Ok, I’m sorry this tutorial isn’t very interesting, but my excuse is
that it can
only be as ‘good’ as the protection being described 🙂

-Wayne Kerr, May 2004