Teenage Mutant Hero Turtles
© Image Works
1990

You will need the following:

1. Original game - find on romshare.com
2. An Amiga or WinUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Some basic knowledge in using AR

This crack covers both the copylock and novella protection. If you own an A1200, I have included a simple AGA fix.
Start by making a copy of the original game disk. You will notice an error on track 0. This is most likely to be a copylock.

Start the copy of the game. After a while you'll see a screen saying "Decompacting please wait…"; after that, the track counter goes to track 0 and you'll see something like this:


Well well, if it isn't our lucky day… Both a copylock and novella.
Let's start with the novella protection.
Enter "124" as mission code and enter AR. Search for 1 2 4 as hex, like this: "F 31 32 34". It will return two addresses.


We are interested in the first one because this address holds what we enter at the protection screen. Type "FA 7DCBC" to see what else happens with this address. It returns three addresses. The first address makes the four "-". The next two addresses move address 7DCBC into D0 and A0. Disassemble address 7EEEE and hold down enter until you see this:


Take a look at line 7EF44: it compares A0 + D0 and if they are not equal it branches to address 7E4EC. Try to remove the "BNE" at address 7EF46 by inserting two "NOP"s at address 7EF46 + 7EF48 and exit AR. See picture above.
Enter whatever you want at the protection screen. After that, this screen will appear:


The game starts! We still have the copylock to think about. Enter AR and search for signs of copylock routines with: "F 48 7A". It will return three addresses; we are interested in the second one.


Disassemble address 7E576 and hold down enter until you reach the bottom of the screen. Use cursor up to scroll back up until you see this:


The copylock starts at address 7E56C, where D0 gets cleared. Line 7E570 looks interesting: it moves address 28A9E into A4. Let's see what else happens with this address. Type: "FA 28A9E".


We are interested in the second address, 7EF58. Disassemble this until you reach address 7EF6C, see picture above.
Address 7EF58 moves address 28A9E into D0 and address 7EF62 compares the magic number with D0. The magic number must be returned in address 28A9E. I have checked with the original game and it's also returned in address 2B5CE and 2B60C. I don't think it means anything, but we will return the magic number in these addresses too when we make our patch, just to be sure.
Disassemble address 7E56C and hold enter down until you see this:


The copylock ends at address 7EE42. Take note of this. We'll need it for our patch, when that time comes.
Remember that the copylock started at address 7E56C? Let's see if anything jumps into this address. Type: "FA 7E56C"


It returns one address. 2D1F6 makes a "JSR" into the protection routine. Since it's a "JSR", the copylock probably always gets loaded into address 7E56C. Let's find this "JSR" on the disk and change it to jump into a patch, which will return the magic number in the right places and insert two "NOP"s at address 7EF46 + 7EF48 to crack the novella protection.
To ease things a little, I'll tell you where the JSR is located on disk: track 49. Read it into memory with: "RT 62 2 30000"


Search for jumps into address 7E56C with: "FA 7E56C 30000". It will return one address. Assemble address 3276A and change the "JSR 7E56C" to "JSR C0".

Write the track back with "WT 62 2 30000". Now we need to find a suitable place on disk for our patch. Let's see if there is empty space on the bootblock. Read it into memory with: "RT 0,70000", see memory with "N 70000".


Plenty of free space. Let's put the patch at address 70200. Assemble address 70200 and insert this code:
70200; MOVE.L #4E714E71,7EF46; INSERT TWO NOP'S AT ADDRESS 7EF46 + 7EF48; CRACK NOVELLA
7020A; MOVE.L #E55A6DD8,28A9E; INSERT MAGIC NUMBER AT ADDRESS 28A9E
70214; MOVE.L #E55A6DD8,2B5CE; INSERT MAGIC NUMBER AT ADDRESS 2B5CE
7021E; MOVE.L #E55A6DD8,2B60C; INSERT MAGIC NUMBER AT ADDRESS 2B60C
70228; JMP 7EE42; JUMP TO END OF COPYLOCK. DON'T USE A "JSR"!


Now we need the patch to get moved into memory upon startup. For that we will add a little extra track loader routine.
Assemble address 7000E and insert this code:
7000E; BSR 70100; GO TO EXTRA TRACK LOADER
70012; NOP; WE'LL NEED THIS, ELSE ADDRESSES WON'T ADD UP


Assemble address 70100 and type this code in:


You can't assemble address 7011E with AR. Insert the opcode instead by typing: "M 7011E"; hit enter. Type in the first eight numbers you see in the picture above (4E AE FE 38). When done, hit enter + Esc and type: "A 70122"; hit enter and continue assembling.
When done, correct the boot checksum with: "BOOTCHK 70000"; hit enter
Write the bootblock back with: "WT 0 1 70000"; hit enter
Restart the game. Notice that the track counter stays away from track 0 right before the novella protection appears.
Type in whatever you want at the novella screen, and…


The game starts of course!
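
The boot block checksum that "BOOTCHK" recalculates above, shown as an added example that is not part of the original tutorial: any edit to the 1024-byte boot block invalidates the stored checksum, which is how a changed or tampered boot block can be detected. The sample block is constructed and the function names are this example's own.

```python
import struct

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors at the start of track 0
CHECKSUM_OFFSET = 4            # longword right after the "DOS\0" identifier

def _sum_with_carry(data: bytes) -> int:
    """Add big-endian longwords; an overflow carry is added back in."""
    total = 0
    for (word,) in struct.iter_unpack(">I", data):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def bootblock_checksum(block: bytes) -> int:
    """Checksum the block should carry: complement of the sum with the field zeroed."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    zeroed = block[:CHECKSUM_OFFSET] + b"\x00" * 4 + block[CHECKSUM_OFFSET + 4:]
    return ~_sum_with_carry(zeroed) & 0xFFFFFFFF

def is_valid(block: bytes) -> bool:
    """True when the block has a DOS identifier and a matching stored checksum."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return block[:3] == b"DOS" and stored == bootblock_checksum(block)

def with_checksum(block: bytes) -> bytes:
    """Return a copy of the block with the checksum field recomputed."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)

def sample_bootblock() -> bytes:
    """Constructed sample: DOS\\0 header, root block 880, everything else zero."""
    raw = struct.pack(">4sII", b"DOS\x00", 0, 880) + bytes(BOOTBLOCK_SIZE - 12)
    return with_checksum(raw)

if __name__ == "__main__":
    original = sample_bootblock()
    print(f"checksum {bootblock_checksum(original):08X}, valid={is_valid(original)}")
    changed = bytearray(original)
    changed[0x200] = 0x4E      # any single-byte edit inside the block
    print("after edit valid =", is_valid(bytes(changed)))
    print("recomputed valid =", is_valid(with_checksum(bytes(changed))))
```
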
You could crack this game by inserting an "RTS" at the beginning of the copylock, causing the whole protection routine to be bypassed. I don't think this is a good idea. It seems like the magic number is used for checksum calculations, which is checked later in the game…
If you own an A1200, you will notice that the game runs pretty fast… this is due to the CPU caches.
Here is a little fix for that. Instead of the "RTS" at line 7012C, insert this code:


You can't assemble address 7013C with AR. Insert the opcodes instead:
"M 7013C"; hit enter
Insert the first eight numbers you see in the picture above (4E AE FD 78…); hit enter + Esc
Continue assembling by typing: "A 70140"; hit enter
Correct the bootblock checksum with: "BOOTCHK 70000"
Write the track back with: "WT 0 1 70000"
After our patch has been loaded into memory, the above code will kick in. It will check for Workbench v2.0 or higher; if equal it will disable the CPU caches and return to the original track loader.

Dedicated to sweeeet Victoria.

Rob
