Shadow Fighter

Gremlin, 1994

1. Original game (find on capsdi.free.fr)
2. An Amiga or WinUAE
3. An Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disks. Everything seems OK, so this is probably not a disk-based protection.

Boot the copy of the game. After some loading, a screen like this appears:

Type something in three times, so it fails. You will see a new screen asking you to reboot. Enter AR and press D to disassemble the current memory. You should land at address 26284, which branches to itself; the game will loop like this forever. Continue disassembling until you reach the bottom of the screen, then scroll back up:

The routine seems to start at address 2625E. The next step is to find what calls this "fail" routine. We can't do that now, since the protection flushes memory when it fails and removes part of itself. Reboot the game and enter AR when the protection appears. Search for calls to address 2625E: FA 2625E. AR returns four addresses. We are interested in 25922.

Disassemble address 25922 and hold Enter down until the bottom of the screen is reached. Scroll back up and stop when this appears:

We have the compare routine at address 258FE. If it passes, address 25900 branches to 25926 and exits the protection. We simply have to change the "BEQ" (branch if equal) to a "BRA". The protection will then pass, no matter what is typed in.

Game files are crunched, so we have to patch the decrunched protection before it is executed. The patch should be pretty simple, as it only has to change the "BEQ" to a "BRA". We will do this by inserting new opcodes at address 25900. See the old opcodes with "M 25900". Assemble 25900, change it to a "BRA" and see the new opcodes:

Old opcodes are marked in red and new ones in green. Take note of address 26900 and the new opcodes!

The next step is finding what calls the protection. To do so, we need to find the start of it. The protection seems to be in the 25000 area of memory. Disassemble address 25000 and stop when some "reasonable" code appears:

It seems to start at address 25826; take note. See what calls this address: FA 25826. AR returns four addresses and only one of them is a "JSR". Address 8544 calls the protection. Is the "JSR 25826" at address 8544 part of another crunched file? Perhaps this file starts straight at address 8000. Disassemble address 7FF0 and hit Enter a few times:

Reasonable code seems to start at address 8000. Take note.

What calls address 8000?
Reboot the game and enter AR when the loading screen appears. The main loader must be in memory now. Search for jumps to address 8000: FA 8000. AR returns two addresses, and 7A0D0 does a "JMP 8000". Take note!

We now have all the addresses needed to patch the protection. Read the boot block into memory, starting at address 70000: RT 0 1 70000. Disassemble the boot code to see what it does: D 7000C. Seems like we have a jump to address 7A000. And we had a "JMP 8000" at address 7A0D0, so this jump must be part of the file loaded to address 7A000. Nice to know, isn't it? 🙂

See the contents of the boot block with N 70000 and press Enter a few times. Seems like we have spare bytes here to put our crack-patch. Assemble address 70100 (offset $100 on disk) and code the patch:

Assemble address 700C0 and code a little routine that will move our patch to address 100 and change the "JMP 8000" to "JMP 100". See the picture above.

Correct the boot block checksum so the game can boot: BOOTCHK 70000.

Write the boot block back: WT 0 1 70000.

Boot the game and type any number at the protection screen.
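The BOOTCHK step above can be checked outside Action Replay: the AmigaDOS boot block checksum (256 big-endian longwords added with end-around carry, checksum field treated as zero, result inverted) can be recomputed from any 1024-byte boot block image, such as the first two sectors of an ADF, and compared with the stored value, a mismatch meaning the block was altered after its checksum was last written. This is an added Python example, not code from the original page; the sample boot block it builds is constructed here and not taken from any real disk.

```python
import struct

BOOTBLOCK_SIZE = 1024   # two 512-byte sectors: track 0, sectors 0 and 1
CHECKSUM_OFFSET = 4     # longword 1, right after the "DOS\0" signature


def bootblock_checksum(block: bytes) -> int:
    """Recompute the AmigaDOS boot block checksum for `block`.

    The 256 longwords are summed with end-around carry, the checksum
    field itself counting as zero, and the sum is inverted. This is the
    value that belongs at offset 4 (what BOOTCHK writes there)."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == CHECKSUM_OFFSET:
            continue                      # stored checksum counts as zero
        total += struct.unpack_from(">I", block, offset)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1   # end-around carry
    return (~total) & 0xFFFFFFFF


def stored_checksum(block: bytes) -> int:
    """Checksum value currently written in the block."""
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]


def checksum_is_valid(block: bytes) -> bool:
    """True when the stored checksum matches the block contents."""
    return stored_checksum(block) == bootblock_checksum(block)


def with_fixed_checksum(block: bytes) -> bytes:
    """Copy of `block` with the checksum field recomputed."""
    fixed = struct.pack(">I", bootblock_checksum(block))
    return block[:CHECKSUM_OFFSET] + fixed + block[CHECKSUM_OFFSET + 4:]


def make_sample_bootblock() -> bytes:
    """Constructed sample: "DOS\0" signature, zeroed checksum, root block
    880, then a zero-filled code area. Not a real disk's boot block."""
    header = b"DOS\x00" + bytes(4) + struct.pack(">I", 880)
    return header + bytes(BOOTBLOCK_SIZE - len(header))
```

Applied to a dumped boot block, `checksum_is_valid` tells you whether the block on disk is still the one its checksum was computed for.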

I haven't done much play testing with this one, just so you know.

Rob
