PARAMAX (1991) KINGSOFT
———————————–
what you will need
——————————
1. original game (find
here)
2. an amiga or an amiga emulator (winuae)
3. an action replay cartridge or ar3 rom image for use with winuae
once u have all these set up we shall begin
our first task is to see what type of protection this game has
so boot the orignal up and play for a while ,notice anythingpop up saying goto
manual page XX line Xx ect….? yes?
right well take note of this protection ,lets see if their is any disc protection
,try and make a copy with XCOPY
everything ok? no errors? good
so we have a password orwhats called a Novella protection to bypass
ok fire up the game
you should first see the paramax logo like this
and not long after you should see the dreded password screen
EEEKK!!!!
hey calm down pull ya self together ,now when you download this disc from B2TR
if comes with a scan of the manual but well we dont need that do we? hehehehe
well lets find out ,press action replay button and type D the npress enter
you will notice we are in the memory area $40000 so i assume this code we are
in starts are 40000 check it out just to be sure
type
N 3fff0 if you see nothing then some code suddenly hit at address 40000 then
yeah it starts at 40000
right keep skipping down using enter untill you come acroos some text in all
that mubo jumbo
can you see —- PLEASE ENTER…. ect…
like in the picture above
notice the —- hmm i see 2 of them ,ok exit action replay and typ 12 ,so on
screen you should have 12–
now go back into action replay scroll up to line 40440 then hit enter back down
to were you was ,and you should see —- change to 12–
hmm ok but we have 2 hmm lets use the last one because this one has PLEASE next
to it like what the black screen has
type M 4068a ;this should bring us up to the 12– hmm interesting lets see what
code users this
type
FA 4068a ,40000 ;Find Address 4068A ,start searching from address 40000
we end up with 2 address points ,the first is putting the original —- at this
address hmm so lets skip that one
the second is interesting it seems to be moving the contents of 4068a (which
would be the code we enterd) into D1
probibly for a calculation to see if its the corect code or not
lets see
type
D 4052E ;hit enter a few times to scroll down
hmm look at that CMP.L it seems to be checking something checking the number
we enterd ,and below it is a BNE so if the number is not right it must loop
back with fresh numbers ,right so lets remove that BNE see what happens
type
A 40538 ;hit enter once
then type
NOP ;hit enter once
NOP ;hit enter twice
now exit action replay and finish the numbers 1234 or anythign you want and
press enter
oh my gawd the game starts to load hehehehhe 🙂 cool eh
but hmm we need to change this for good
so fire up action replay ,type
RT 0 01 050000
lets see what happens at address 40000 because we know this is where the code
gets loaded to ,so type
FA 40000 50000
we end up with 2 points
i think this is a decrunch routine so the loader must be packed ,lets have a
look at address 50a46 so type
N 50A46
scroll down hmmm ok we have some empty space here ,at address 50DC6 type
HERE ‘then press enter
why are we doing this? well you will soon find out
letrs write this back to disc
WT 0 01 050000
reboot and when you get to the protection screen load action replay again
type
F 48 45 52 45 ;find the hex value for the letters HERE
once its done we end up with an address
take note of this address 5EDC6
right read in track 01 again type
RT 0 01 50000
and what we want to do here is put a small patch to put our NOP NOP at address
40538 after the loader has decrunched
remember the address JSR 40000 was loacted at 50A46 this is the jump into the
loader after it has unpacked
so lets edit this type
A 50A46 ;hit enter once
then type
JSR 5EDC6 ;jump to our patch then press enter twice
now lets code a patch
type
A 50DC6 ;remember this is where we put the HERE text we will use this for out
patch
then type
MOVE.L #4e714e71,40538 ;put NOP NOP at address 40538 ..hit enter once
JMP 40000 ;we replace the original jump after our patch has executed ..hit enter
twice
right that should be it lets write back to disk and find out
type
WT 0 01 050000
and reboot
once again we are faced wit hthe password screen ,so try it out type a number
and press enter see what happens
it works hmm reboot just incase you enterd a lucky number adn try again hehehe
wow it works again cool
now go kick some alien butt
me thinks this game needs a trainer hint hint cough cough
Publication author
Nice tut…
As for the trainer, there’s 3 trained versions already in TOSEC, 1 crap one by AFL, and 2 decent trainers which cover most/all possible options by ZENITH and BACKLASH… so, no need to make more work for yourself 🙂