Ski Or Die

Ski Or Die
? Electronic Arts
1990

You will need following:

1. Original game ? find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper

Start by making a copy of original game disk. Every track seems to be ok. So this
is probably a novella protection.
Boot game and press fire at the title screen. A few moments after, a screen like
this appears:

Keep inserting letters until this appears:

Enter AR and press D to see actual memory. We are standing at line 324C witch is
jumping to itself. In other words;
a loop routine.

Let?s see what happens if we remove the JMP 324C. Assemble address 324C and
insert three NOP?s and exit AR.

The game starts! We will make a patch, witch will insert three NOP?s from
address 324C.
Let?s start by seeing what the boot block is doing. Read boot block into memory
with: RT 0 70000.
Disassemble address 7000C and hold enter down, until you reach line 70172;

Line 70172 jumps into the game. At this time, the protection must have been loaded
into memory. We have to find a
place for our patch.
We have plenty of room in the file, boot block is loading into memory. File is located
on track 64 ? 66.
Read tracks into memory; RT 80 6 30000. We have room after txt ? dos.library
?

Lets choose address 37200. Assemble this address and make a patch like this:

Write tracks back with WT 80 6 30000. This patch will insert three NOP?s from
address 324C and then jumps into the game.
We will change the JMP 3100 on boot block to JMP OUR PATCH. We don?t know
what address our patch will be
loaded to, so reboot machine and enter AR when screen turns purple. Type N 3100
(where mainfile is loaded to) and
hold enter down, until this appears:

See something new ? That?s right, our patch is located on address 4900. Let?s
load boot block into memory and change
The JMP 3100 to JMP 4900. Read boot block into memory, starting at address 70000;
RT 0,70000

The JMP 3100 was located on line 70172. Assemble this line and change it to JMP
4900, see picture above.
Correct boot block chksum with: BOOTCHK 70000

Write bootblcok back; WT 0 1 70000. Reboot game and insert some letters at the protection
screen.

If you want to bypass the whole protection instead, make this patch:
37200; MOVE.W #4E75,3708.S
37208; JMP 3100.S
This will insert a RTS in start of the protection and it will never appear. If you
use this solution, game will start in the
shop.

Dedicated to sweet sweet Victoria

Rob

Publication author

offline 2 weeks

mus@shi9

Comments: 1160Publics: 2780Registration: 06-03-2017

Recent Comments

ROG on Rog Source Code – Beam HackWhen I moved out from my parents' home I put my A500, the additional hardware and hundreds of demo disks into a big box, but unfortunately there was not enough

Annatar on Rog Source Code – Beam HackWhat happened to your Amiga?

prime_evil on Rog Source Code – Bean ScrollerNice one ROG - Epic!!!!

SToRM on Rog Source Code – Bean Scrollerthx 4 da greet, nice idea, but it's not that easy to read.

SToRM on Rog Source Code – Beam Hackwho's that girl?

ROG on Rog Source Code – Beam HackI highly recommend to run the source on a (winUAE-)emulated A500 according to the 'instructions file' for having a more flicker-free experience. And maybe