Sword Of Honour - Prestige, 1992

You will need the following:
1. Original game (find on emunova.net)
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disks. Everything seems ok, so this is probably not a disk-based protection.

Boot the copy of the game. After some loading, a screen like this appears:

Hmmm? So this is a novella protection. The game wants some word from the manual, and I don't assume you have it?

Type something in, something sweet, like VICTORIA. When done, enter AR and search through memory for the word VICTORIA:

AR returns address 189D7. Let's see what the game does with this address: FA 189D7. This time AR returns addresses 18822 & 1889E. Disassemble the first address AR returns and hit enter a few times:

Address 18822 moves what is typed in at the protection to register A1. Address 18828 moves the byte contents of (A0) into D0. Address 1882A makes a byte compare of (A1), what we typed in, with D0. If not equal, address 1882C branches to address 18838 and the protection restarts.
Try assembling address 1882C and insert a BRA 18832. In this way, the game will branch past the protection test. Exit AR and press enter. The game starts!

Next step is making our crack permanent. Enter AR and type M 1882C to see the opcodes for our crack. Take note of the address and the red opcodes, as we shall use them later on.

The protection is contained in a crunched file, so we have to find a way to patch the file after it's decrunched, but before it's executed. Let's try to search through memory for signs of jumps. The opcode for 'JMP' is 4E F9; search for it: F 4E F9. AR returns 1, 2, 3, many addresses?

Disassemble the first one, at 222: D 222. It jumps to address 16000. The protection was located in this area of memory, so perhaps we have found something interesting. Reboot the game and enter AR SHORTLY after boot. Try to disassemble address 222 and hit enter. The 'JMP 16000' appears at this early stage, so this part is probably not crunched.

Stick a breakpoint at address 222 and exit AR: BS 222. When the game reaches address 222, AR will pop up. When AR activates, disassemble address 18822 (protection) and hit enter a few times. The protection is decrunched but not executed yet! We are interested in taking over this jump and making it jump to a crack patch instead.

This is an NDOS game, and they usually load data into either low or high chip memory. The 'JMP 16000' appears at address 222, which is pretty low. See memory with N 0 + enter and stop when this appears:

The data seems to start at address 100 (it looks like a Byte Killer decruncher); we have a gap from address 240 - 400. If we find this data on disk, we could put the crack patch at address 240.

This data is located on track 51 (find by trial and error, or keep your eye on the track counter upon game boot). Read the track into memory, starting at address 30000: RT 66 2 30000. See memory with N 30000 and hold enter down. Stop when this appears:

This hopefully looks familiar?!

The code starting at address 30C00 is loaded to address 100. The gap that started at address 240 must be at address 30D40. This means that the contents of address 30D40 will end up at address 240 when the game loads. Assemble address 30D40 and code the crack patch:

30D40: MOVE.W #6004,1882C    ; insert the new opcode at address 1882C
30D48: JMP 16000             ; we took over this jump, jump back to the game

Find the 'JMP 16000', starting at address 30000: FA 16000 30000. AR returns four addresses, but only 30D22 is a 'JMP 16000'. Assemble this address and change it to 'JMP 240' instead. Write the track back: WT 66 2 30000.

When the game reaches address 222, which normally would jump to address 16000, it now jumps to address 240 instead. Our small patch will change the 'BNE 18838' to a 'BRA 18832' and then jump back to the game. You can now type anything at the protection screen.
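The immediate 6004 in the MOVE.W above follows from the 68000 short-branch encoding: the 8-bit displacement is counted from the word after the opcode, so BRA.S from 1882C to 18832 is 18832 - 1882E = 4. The Python below is an added example, not part of the original tutorial; it decodes and encodes Bcc.S words and assumes the original instruction at 1882C is BNE.S 18838 (bytes 66 0A), which the text names by mnemonic only. The helper names are mine.

```python
# Added example (not from the tutorial): decode/encode 68000 Bcc.S words to
# check the branch arithmetic quoted above. Assumption: the original word at
# 1882C is BNE.S 18838, i.e. 66 0A; the page gives the mnemonic, not the bytes.

# Condition field (bits 11..8) of the 0110 cccc dddddddd branch encoding.
COND = {0x0: "BRA", 0x1: "BSR", 0x2: "BHI", 0x3: "BLS", 0x4: "BCC", 0x5: "BCS",
        0x6: "BNE", 0x7: "BEQ", 0x8: "BVC", 0x9: "BVS", 0xA: "BPL", 0xB: "BMI",
        0xC: "BGE", 0xD: "BLT", 0xE: "BGT", 0xF: "BLE"}
MNEMONIC = {name: code for code, name in COND.items()}


def decode_bcc_short(word: int, pc: int) -> tuple[str, int]:
    """Decode the 16-bit Bcc.S word stored at address `pc`.

    The low byte is a signed 8-bit displacement relative to pc+2, the
    address of the word following the opcode. A displacement byte of 00
    means a 16-bit displacement word follows (Bcc.W), so it is rejected."""
    if (word >> 12) != 0b0110:
        raise ValueError(f"{word:04X} is not a Bcc opcode")
    disp = word & 0xFF
    if disp == 0:
        raise ValueError("displacement 00 selects Bcc.W, not the short form")
    if disp >= 0x80:           # sign-extend the 8-bit displacement
        disp -= 0x100
    return COND[(word >> 8) & 0xF], pc + 2 + disp


def encode_bcc_short(mnemonic: str, pc: int, target: int) -> int:
    """Encode `mnemonic target` as a Bcc.S word to be stored at `pc`."""
    disp = target - (pc + 2)
    if disp == 0 or not -128 <= disp <= 127:
        raise ValueError(f"{target:X} not reachable by a short branch from {pc:X}")
    return 0x6000 | (MNEMONIC[mnemonic] << 8) | (disp & 0xFF)


def protection_patch(pc: int = 0x1882C, fail: int = 0x18838, skip: int = 0x18832):
    """Return (original word, patched word) for the branch at the protection
    check: BNE.S to the restart address versus BRA.S past the test."""
    return encode_bcc_short("BNE", pc, fail), encode_bcc_short("BRA", pc, skip)


if __name__ == "__main__":
    before, after = protection_patch()
    print(f"{before:04X} = {decode_bcc_short(before, 0x1882C)}")  # 660A
    print(f"{after:04X} = {decode_bcc_short(after, 0x1882C)}")    # 6004
```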
Rob
