? Codemasters
You will need the following:
1. Original game – find it on romshare.com
2. An Amiga or WinUAE
3. Action Replay or a ROM image
4. Pencil and paper
5. FIMP – find it on amiga-stuff.com
6. One blank disk
7. Some knowledge of file handling
Note! Some addresses may differ on your computer, due to different memory configurations.
Start by making a copy of the original game disk. You will notice an error on track 0. This is most likely a copylock.
Boot the COPY of the game. After some loading, this screen appears:
You could grab your phone and start calling...
Enter AR. Find the copylock with: "F 48 7A".
It returns three addresses. Disassemble the first one and hold Enter down until you reach the bottom of the screen. Scroll back up with cursor up until this appears:
So the copylock starts at address 7878E. Let's see if anything jumps into this address: "FA 7878E". It returns only one address: 78054.
Disassemble address 78054 and hit Enter a few times. We have a BSR to address 78676 straight after address 78054. Disassemble address 78676:
I believe we have the magic number at address 7867A. The magic number is (on my memory configuration) returned in address 79C08 (A1+4). I have checked with the original game, and the magic number is also returned at address 60.
The copylock is located in an EXE file called "VC". This EXE file is a decrunch routine which will decrunch some File Imploded data. Load file "VC" into memory with: "LM VC,30000".
The standard decrunch ID for FIMP files is "IMP!", but the programmers have changed this to "CHFI".
In hex, "CHFI" is 43 48 46 49. Search for these bytes like this: "F 43 48 46 49,30000". It will return one address: 301E8. This is where the crunched file starts. The file ends at address 33E36.
Let's change the ID from "CHFI" to "IMP!". Do this by typing "N 301E8", hit Enter, type "IMP!", then hit Enter + Esc.
If we don't change the ID, FIMP can't recognize the file and is not able to decrunch it.
Insert your blank disk and save memory into a file called "IMP": "SM IMP,301E8 33E36". Copy FIMP to this disk too and boot it. Type this in DOS to decrunch the saved file: "FIMP IMP IMP2 -XO".
After a few seconds, you should have a new decrunched file called "IMP2". Enter AR and load the file into memory: "LM IMP2,30000". The file is located between addresses 30000 and 37CA8.
We still have to patch the actual check routine. To find it, search for the magic number: "F E5 57 AD D7,30000".
It will return two addresses; we are of course interested in the first one. Address 3069C points to the magic number. We have to subtract two from this address to get the right address, because the "CMPI.L" opcode is two bytes long. So the actual address we are interested in is 3069A. Disassemble this address and hit Enter a few times.
Change the "CMPI.L" to "MOVE.L" and the "BEQ" to "BRA", see the picture above. This will move the magic number into the correct address, and then we branch on with the game. Save memory back to disk with: "SM IMP3,30000 37CA8".
Boot the disk and type this in DOS to pack your new file: "FIMP IMP3 IMP4 -M11".
A moment later, you have a new crunched file called "IMP4". Insert the COPY of the game and enter AR.
Load file "VC" into memory starting at address 30000: "LM VC,30000". It's located between 30000 and 33E3C.
The original file's crunch ID was "CHFI"; search for the bytes: "F 43 48 46 49". You'll receive one address: 301E8.
Insert the disk with your cracked file and load it into address 301E8: "LM IMP4,301E8".
We need to change FIMP's crunch ID "IMP!" into the game's ID "CHFI". Do this by typing "N 30818", hit Enter, type "CHFI", then hit Enter + Esc.
Insert the COPY of the game and save the file back to disk with: "SM VC,30000 33E3C".
Reboot and see what happens.
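The two-byte patch described above, as an added Python illustration (not part of the original text and not the game's code): it finds the CMPI.L whose immediate is the magic number, rewrites the opcode word to the same-length MOVE.L, and turns the following BEQ into BRA. The sample bytes are constructed and assume the compare targets 4(A1), which is what the A1+4 note suggests; the point it makes is that a lone compare-and-branch against a stored value is a check that two bytes undo, which is why it is a weak place to hang a protection test.

```python
import struct

MAGIC = 0xE557ADD7                       # the magic number searched for above (F E5 57 AD D7)
CMPI_L_MASK, CMPI_L_BASE = 0xFFC0, 0x0C80  # CMPI.L #imm,<ea>: 0000 1100 10 mmm rrr
MOVE_L_BASE, SRC_IMMEDIATE = 0x2000, 0b111100  # MOVE.L: 0010 rrr mmm MMM RRR; src #imm = 111 100
BEQ_HI, BRA_HI = 0x67, 0x60              # first opcode byte of BEQ / BRA (.S and .W forms)

def ea_ext_len(mode, reg):
    """Extension bytes after the immediate for the destination <ea>: (d16,An)/(d8,An,Xn)=2, abs.W=2, abs.L=4."""
    return {5: 2, 6: 2, 7: 4 if reg == 1 else 2}.get(mode, 0)

def find_magic_check(image, base):
    """AR-style address (base + offset) of the CMPI.L whose immediate is MAGIC: the immediate
    follows the 2-byte opcode, which is the 'subtract two' step in the text."""
    needle, off = struct.pack(">I", MAGIC), -1
    while (off := image.find(needle, off + 1)) != -1:
        if off >= 2 and struct.unpack_from(">H", image, off - 2)[0] & CMPI_L_MASK == CMPI_L_BASE:
            return base + off - 2
    return None

def cmpi_to_move(op):
    """CMPI.L #imm,<ea> -> MOVE.L #imm,<ea>, same destination. Both are opcode + 4-byte immediate
    + the same extension words, so the rewrite is the same length and patches in place."""
    mode, reg = (op >> 3) & 7, op & 7
    return MOVE_L_BASE | (reg << 9) | (mode << 6) | SRC_IMMEDIATE

def patch_check(image, base):
    """The two edits from the text: CMPI.L -> MOVE.L, then the following BEQ -> BRA."""
    addr = find_magic_check(image, base)
    if addr is None:
        raise ValueError("no CMPI.L against MAGIC in image")
    out, off = bytearray(image), addr - base
    op = struct.unpack_from(">H", out, off)[0]
    struct.pack_into(">H", out, off, cmpi_to_move(op))
    bcc = off + 2 + 4 + ea_ext_len((op >> 3) & 7, op & 7)  # offset of the next instruction
    if out[bcc] != BEQ_HI:
        raise ValueError("expected a BEQ right after the compare")
    out[bcc] = BRA_HI                                        # BEQ xx -> BRA xx
    return bytes(out)

# Constructed sample, not bytes from the game: a check in the shape the text describes,
# assuming the compare targets 4(A1) (the text's "A1+4").
SAMPLE = bytes.fromhex(
    "4E71"              # NOP                      (filler)
    "0CA9E557ADD70004"  # CMPI.L #$E557ADD7,4(A1)
    "6704"              # BEQ.S  ok                (match: carry on with the game)
    "4E714E75"          # NOP / RTS                (failure path)
    "4E71"              # ok: NOP
)
```

Run `patch_check(SAMPLE, 0x30000)` to get the patched image; only the opcode word and the branch byte differ from the input.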
Dedicated to sweet sweet Victoria...
Rob