Sword Of Honour - Prestige 1992

You will need the following:
1. Original game (find on emunova.net)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper

Start by making a copy of the original game disks. Everything seems OK, so this is probably not a disk-based protection.

Boot the copy of the game.

After some loading, a screen like this appears:

Hmmm... So this is a novella protection. The game wants some word from the manual, and I don't assume you have it?

Type something in, something sweet, like VICTORIA. When done, enter AR and search through memory for the word VICTORIA:

AR returns address 189D7. Let's see what the game does with this address: FA 189D7. This time AR returns addresses 18822 & 1889E.

Disassemble the first address AR returns and hit enter a few times:

Address 18822 moves what is typed in at the protection to register A1. Address 18828 moves the byte contents of (A0) into D0. Address 1882A makes a byte compare of (A1) (what we typed in) with D0. If they are not equal, address 1882C branches to address 18838 and the protection restarts.

Try assembling address 1882C and insert a BRA 18832. In this way, the game will branch past the protection test.

Exit AR and press enter. The game starts!

The next step is making our crack permanent. Enter AR and type M 1882C to see the opcodes for our crack.

Take note of the address and the red opcodes, as we shall use them later on.

The protection is contained in a crunched file, so we have to find a way to patch the file after it's decrunched, but before it's executed. Let's try to search through memory for signs of jumps. The opcode for "JMP" is 4E F9; search for it: F 4E F9. AR returns 1, 2, 3, many addresses...

Disassemble the first one, at 222: D 222. It jumps to address 16000. The protection was located in this area of memory, so perhaps we have found something interesting. Reboot the game and enter AR shortly after boot.

Try to disassemble address 222 and hit enter. The "JMP 16000" appears at this early stage, so this part is probably not crunched.

Stick a breakpoint at address 222 and exit AR: BS 222. When the game reaches address 222, AR will pop up.

When AR activates, disassemble address 18822 (protection) and hit enter a few times. The protection is decrunched, but not executed yet! We are interested in taking over this jump and making it jump to a crack patch instead.

This is an NDOS game, and they usually load data into either low or high chip memory. The "JMP 16000" appears at address 222, which is pretty low. See memory with N 0 + enter and stop when this appears:

The data seems to start at address 100 (it looks like a Byte Killer decruncher), and we have a gap from address 240 to 400.

If we find this data on disk, we could put the crack patch at address 240.

This data is located on track 51 (find by trial and error, or keep your eye on the track counter upon game boot). Read the track into memory, starting at address 30000: RT 66 2 30000. See memory with N 30000 and hold enter down. Stop when this appears:

This hopefully looks familiar?!

The code starting at address 30C00 is loaded to address 100. The gap that started at address 240 must be address 30D40. This means that the contents of address 30D40 will end up at address 240 when the game loads.

Assemble address 30D40 and code the crack patch:

30D40; MOVE.W #6004,1882C; insert new opcodes in address 1882C
30D48; JMP 16000; we took over this jump, jump back to game

Find the "JMP 16000", starting at address 30000: FA 16000 30000. AR returns four addresses, but only 30D22 is a "JMP 16000". Assemble this address and change it to "JMP 240" instead. Write the track back: WT 66 2 30000.

When the game reaches address 222, which normally would jump to address 16000, it now jumps to address 240 instead.

Our small patch will change the "BNE 18838" to a "BRA 18832" and then jump back to the game. You can now type anything at the protection screen.

Rob
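
The address and opcode arithmetic the walkthrough relies on, as an added Python example that is not part of the original tutorial: it encodes and decodes 68000 short branches, maps track-buffer addresses to load addresses, and shows why only one search hit for 16000 is a real JMP. The helper names and the sample buffer are constructed for illustration, and the 660A word for "BNE 18838" is computed from the 68000 branch format, not read from the page.

```python
# Added illustration (not from the tutorial): helper names are hypothetical.
# 68000 short branch word: 0110 cccc dddddddd, target = addr + 2 + signed d.
CONDITIONS = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
              "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]

def encode_short_branch(mnemonic, addr, target):
    """Opcode word for a short branch located at addr that goes to target."""
    disp = target - (addr + 2)
    if disp == 0 or disp % 2 or not -128 <= disp <= 127:
        raise ValueError("target not reachable with an 8-bit displacement")
    return 0x6000 | (CONDITIONS.index(mnemonic) << 8) | (disp & 0xFF)

def decode_short_branch(word, addr):
    """(mnemonic, target) for a short-branch opcode word located at addr."""
    if word >> 12 != 0x6 or word & 0xFF == 0:
        raise ValueError("not a short branch opcode")
    disp = word & 0xFF
    if disp >= 0x80:            # sign-extend the 8-bit displacement
        disp -= 0x100
    return CONDITIONS[(word >> 8) & 0xF], addr + 2 + disp

def buffer_to_runtime(buf_addr, buf_base=0x30C00, load_base=0x100):
    """Where a byte of the track buffer ends up once the loader has copied it."""
    return buf_addr - buf_base + load_base

def find_abs_jumps(data, base, target):
    """Addresses of 'JMP target' (4E F9 + 32-bit address) on word boundaries."""
    pattern = b"\x4e\xf9" + target.to_bytes(4, "big")
    return [base + i for i in range(0, len(data) - 5, 2) if data[i:i + 6] == pattern]

def sample_buffer():
    """Constructed 0x400-byte stand-in for the data at 30C00, not real game data."""
    buf = bytearray(0x400)
    buf[0x122:0x128] = b"\x4e\xf9\x00\x01\x60\x00"   # JMP 16000 at 30D22
    buf[0x200:0x206] = b"\x4e\xb9\x00\x01\x60\x00"   # JSR 16000: same address, not a JMP
    buf[0x300:0x304] = b"\x00\x01\x60\x00"           # bare data longword
    return bytes(buf)

if __name__ == "__main__":
    print(hex(encode_short_branch("BNE", 0x1882C, 0x18838)))
    print(decode_short_branch(0x6004, 0x1882C))
    for hit in find_abs_jumps(sample_buffer(), 0x30C00, 0x16000):
        print(hex(hit), "->", hex(buffer_to_runtime(hit)))
```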