Outrun Europa
US Gold 1991

Required items
1) Out_Run_Europa_(1991)(U.S._Gold)[1597] SPS
2) An Amiga or WinUAE (I’m using WinUAE)
3) Action Replay III or Rom Image
4) Pencil and paper
5) Blanks, if you use a real Amiga.

Given that this game was cracked by Skid Row over twenty years ago and the crack is readily available on the Internet, we are not doing a disservice to the authors by analyzing the code. This is for educational purposes only and at your own risk.
Make a copy of the first disk using the built in Burstnibbler (type burst at the action replay prompt) to see what we are facing.

It appears to be a one cylinder protection on cylinder 79. You can do the same for disk 2 and this seems to have the same protection tracks.
Boot the copy of disk one. It boots and does nothing.
Activate the cartridge and see the program is looping at address 850. BMI is branch on negative which is taken if the N flag of the CCR is set to 1.
Disassemble from before the infinite loop (e.g. D 836).

The TST.W D1 is right before the BMI instruction and D1 is likely set by the routine at 16dac (848 JSR 16DAC). So let’s disassemble 16DAC. There is part of the routine shown below.

This is the protection routine and you can save/resource this at your leisure. The obvious pointers are the sync register (7E(A6)) and the double move to 24(A6) which reads the track. The protection either passes 0 (passed) or FFFF (failed) back in D1. When the protection fails it reaches 16E16 which moves FFFFFFFF into D0 and the next instruction is move.w D0,D1. The MFM buffer is a 16FEE and you’ll see in the protection that it looks for the sync markers (4124) in that memory area. It checks that the second
marker is between 1840 and 1950 words in the buffer. If it is then it exits correctly. If not it reads the track a maximum of 16 times before failing.

As usual there are a number of ways to bypass the protection. The easiest and probably the most risky would be to NOP out the instructions to JSR to the protection, test on D1 and BMI if the N flag is set. Slightly less risky is to NOP out the BMI instruction so that the protection runs but the check on D1 is never performed. You can also change the instruction at 16E16 to moveq #0,D1. It turns out, as far as I can see, that the protection is not protected by any checksums or other methods.
You can read the whole disk into memory and run f 06 57 80, as I saw the game only read the first 9 cylinders then just read them using rt 0 14 30000 (rt <start track> <num tracks> <address>). The only occurrence is at 32c55 which, given that each track is 1600 hex long, means that the call to the protection is on the start of track 2 (2*1600 = 2c00hex). So we can read track 2 (rt 2 1 30000)

NOP out the BMI 30050 line (a 30050 and type NOP) and write the track back (wt 2 1 30000). Boot and play the game.

Now go back and read the bootblock (rt 0 1 30000)

It assigns memory (JSR –C6(A6)) and writes the address to A3. Then this address is moved to 28(A1). The length to read is $1600 (1 standard track) which is moved to 24(A1) and the offset (1 standard track in) on the disk is $1600 which is moved to 2C(A1). We can read track 1 and see what’s going on.

The first part just relocates the code to 70000. The rest is the loader. You can resource this loader and see how it loads the first cylinders and jumps to 800. Also train the timer, boost and ammunition to help testing the game. The timer is using binary coded decimal and uses the instruction SBCD to decrement the timer at 10A5A (10dd8 SBCD.B D1,D0). This can easily be found using the time in the game, running ts and the time (e.g. ts 79). Let the timer count down and then run for the new time (e.g. t 78). Then run faq on the address to find where it’s referenced.
The boost is held at 10A4F (71A6 SUBQ.W #1,10A4E). The ammunition is at 10A51 (71C8 SUBQ.W #1,10A50). You can use the same method for the boost and ammunition as the time.
I finished the game despite losing the will to live after starting the first stage, as per the screen shot below. It looks like the protection is never checked again.

Thanks to Wayne for suggesting this title and Musashi9 for this great site.


Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
aLpHa oNe
12 years ago

Nice!!!

DeaTure
DeaTure
12 years ago

Yes well done writing the tutorial, always nice to read about other peoples take on it 🙂

WayneK
12 years ago

Nice + clear analysis – even better, nice to see some tutorials written by ‘new blood’ on Flashtro! We want more 🙂

0
Would love your thoughts, please comment.x
()
x