Robin Hood Legend Quest
? CodeMasters
1992
You will need following:
1. Original game ? find on ???
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Byte Killer or similar cruncher
6. ARIV
7. Kick 2.0 or higher
8. One blank DD disk 🙂
One of my good friends requested a crack for ? Robin Hood ? from CodeMasters. He had a old copy from the original and would really like to play it. I found out it was a copylock protected game and quite interesting actually.
This game reminds me lot of a brilliant Bitmap Brothers game?.
If you have the original, then start by making a copy of it. You?ll most likely see a fault on track 0, due to the copylock track.
As in most Code Master game, the copylock is located in a file called ? VC ?. It?s (for this game) crunched with IMP! and we need to decrunch it, to access the protection routine.
With copy of game in DF0: , load file ? VC ? into memory, starting at address 30000: LM ? VC,3000 ?.
We want to find the place where the file executed the decrunched data, and then take over this jump. Disassemble start of file and stop when this appears:
Line 3007A looks quite interesting, as it makes a jump to what A2 points to. Assemble and insert a loop routine instead, see picture above. In this way we can grab the decrunched & untouched data. When done, execute file with ? G 30024 ?
A few secs after, screen turns black and you can enter AR again. Press ? D ? + enter. If everything is ok, you should be stuck at the loop routine. Press ? R ? + enter to see registers. A2 points to start of the file. Take note of this address.
Our next mission is to find end of the file. Type ? N 78000 ? and hold enter down. Lot of crap will flash over your screen and file ends, when the crap ends?
If we choose address 79000, we should have all data with us.
When I originally had done this part, I decrypted the copylock. It?s a nasty one, with a decryption routine inside. Usually when this type of copylock is used, there is no stupid ? CMP.L #key,D0 ? in the game code, just giving the copylock key away. This is a big problem, as there is no point in warping a copy of the game?.
I decided to disassemble the decrunched data, and guess what? They put a cmpi routine in the code!
Take a look at address 78A7A, this routine compares copylock key with D0. Take note of the key, as it?s needed, to crack the game. Also take a note of the ? JMP 1000.S ? at line 78A94, this line executes the game after loading.
This might become handy, if we want to make a small trainer?.
Insert a blank disk and save memory: ? SM V1,78000 79000 ?
Start ARIV and enter with RMB. Load saved file into memory, starting at address 78000: ? LM V1,78000 ? + enter.
Enable the RNC-decrypter, so we can decrypt the copylock: ? ROBD ? + enter.
Disassemble address 78000 (a bit early, but no harm done) and look out for following code:
We can wire the key into the code, two places. We usually do it at 7841E, but it can also be done at 78432. The BRA address will then differ a bit too, as it has to be before the registers are restored. Disassemble a bit further down:
The BRA address will then be at 78464. The ? advantage ? of this is, that we can set register D1 to value 0, as it seems to have this value with original copylock. It seems not to make any difference, as the decryption routine is executed ok in both ways. But no harm in doing things a bit different sometimes?
Assemble 78432 and insert the key, as in the above picture. When the copylock is executed, the disk accessing part is skipped, correct copylock key is moved to D0 and the decryption routine for the game is executed correctly.
You can see routine by disassembling from address 7880E.
Let?s have a little look at the code in start of the file. Disassemble address 78000 and hit enter a few times.
Before you do this, it might be a good idea to disable the RNC-decrypter: ? ROBD ? + enter. (unless you can EOR code in your brain)
Line 7800A is setting up the SR. This will cause problems, if just execute the data with a ? JMP ?. The Amiga has to be in supervisor mode, done with a ? TRAP ?($80) or like Rob, with ? ILLEGAL ? ($10) (think this also disable caches).
Assemble address 77F00 and insert following:
77F00; LEA 77F0C,A0; make A0 point to address 77F0C
77F06; MOVE.L A0,80.S; move A0 to address 80
77F0A; TRAP #0; execute address 77F0C in supervisor mode
77F0C; LEA 78000,A2; make A2 point to address 78000
77F12; JMP 78000; execute the file
Remember the ? JMP 1000.S ? at line 78A94 ? which starts the game? If you want to add a trainer, change this to ? JMP 100.S ?. We?ll then put the trainer code here. See picture above. If you don?t care, just save file.
Save memory back, as a file called ? V2 ?; ? SM V2,77F00 79000 ? Address 77F00 is now the new load and jump address !
Start ByteKiller and crunch the file. Parameters to fill in is marked with red, in the below picture. The crunch offset is not so important, set it how you like, we just want to make the file executable so it can be started from DOS.
Install the boot block, so it?s a normally DOS boot block. If you don?t want a trainer, copy file ? V3 ? to copy of game and make a drawer called ? S ?, with a startup-sequence file in it, containing the txt ? v3 ?.
I assume know very well, how to do this?
If you want a trainer, there is more to come. I have chosen to train energy and life. You can still be killed if you do something real stupid (jumping into hot lava or stuff like that), but you wont loose any life?s. There is no point in training the energy a 100 %, as you might then get stuck in the game (like if you fall into hot lava ).
We train the game, by finding the address where game saves the number of ex. life?s. Then we see what game does with this address, by using the ? FA ? command in AR. This will gives us the routines that ex. subtract #1 from your life counter. The trainer then works, by simply removing these instructions with NOP?s. This is will need a lot of NOP?s, so we use one of the registers, to store the opcodes in. Before we push new values into ex. register D0, we have to see the original value in it, so it can be restored, we are finished using it.
Copy file ? V3 ? to copy of game and boot it. When file has loaded the game, we have altered it, so it jumps to address 100 instead of 1000. Enter AR and put a loop at address 100:
Exit AR and type ? V3 ? + enter, to start game. If your crack is working, the game should start loading now. When it?s finished (no disk activity), enter AR and press ? R ? + enter to see registers. PC should be pointing to your loop and registers seems pretty empty. If you disassemble the file at 78000, you?ll also see, that it?s clearing almost everything.
Let?s use D0 to store values in. Start game by jumping to address 1000: ? G 1000 ? + enter.
You have three lives to start with, so enter AR and start trainer: ? TS 3 ? + enter.
When it?s finished searching, exit and loose ONE life. Renter AR and continue search: ? T 2 ? + enter. AR returns address 1358D. This is where the number of life is stored. Many games uses WORD instructions to subtract with.
This means, that the code is probably messing with address 1358C. Check it out: ? FA 1358C ? + enter.
Look out for ? SUB ? and ? ADD ? instructions. It?s also a good idea to remove the instructions that adds a life or energy, as you newer loose any. If they are not removed, you?ll see a extra head or heart every time you find some power up, and that might be annoying as they will never decrease, due to the trainer?
I have chosen the addresses marked with red, there are more that could be removed but this suited my needs.
Do the same with the energy, and take note of the addresses.
Time to code the trainer. We?ll locate it on offset $100 of boot block. Read boot block into memory, stating at address 70000: ? RT 0 1 70000 ? + enter.
Assemble 70100 and insert following:
70100; MOVE.W #F,DFF180; set background to blue
70108; BTST #6,BFE001; test for LMB pressed
70110; BEQ 7011E; if so, train game
70112; BTST #A,DFF016; test for RMB pressed
7011A; BEQ 70192; if so, start normal game
7011C; BRA 70100; loop till mouse is pressed
7011E; MOVE.L #4E714E71,D0; insert opcodes for 2 x NOP in D0
70124; MOVE.L D0,CABA; from 70124 – 7018a, NOP?s out game code
7012A; MOVE.W D0,CABE
70130; MOVE.L D0,CAD0
70136; MOVE.W D0,CAD4
7013C; MOVE.L D0,149B6
70142; MOVE.W D0,149BA
70148; MOVE.L D0,14A44
7014E; MOVE.W D0,14A48
70154; MOVE.L D0,14A9A
7015A; MOVE.W D0,14A9E
70160; MOVE.L D0,14A30
70166; MOVE.W D0,14A34
7016C; MOVE.L D0,149A2
70172; MOVE.W D0,149A6
70178; MOVE.L D0,CA64
7017E; MOVE.W D0,CA68
70184; MOVE.L D0,CACA
7018A; MOVE.W D0,CACE
70190; CLR.L D0; clear D0, restoring it to original value
70192; JMP 1000.S; start game
Next step is moving the trainer into memory, starting at address 100. For this we?ll use a little copy routine, moving the trainer from boot block and into memory. Disassemble start of boot code so we can determine, how to call the copy routine. ? D 7000C ? +enter. Take note of the first line of code. ( LEA 7004C(PC),A1 )
Assemble and insert a ? BSR 700C0 ? instead, see picture below.
Assemble 700C0 and code the copy routine:
700C0; LEA 100,A0; dest. address for trainer
700C6; LEA 70100(PC),A1; copy from offset $100 on disk
700CA; MOVE.W #200,D7; amount to copy
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; LEA 7004C(PC),A1; restore code, we removed in start
700D8; RTS; return to original boot code
Correct boot block checksum: ? BOOTCHK 70000 ? + enter.
Write boot block back: ? WT 0 1 70000 ?.
Make a drawer ? S ? and add a startup-sequence, containing the ? V3 ? txt.
When you boot game, screen turns blue when it?s finished loading. Press LMB for trainer or RMB for normal game.
Dedicated to sweet sweet Victoria.
Rob
Publication author
Image links broken?
fixed