Top Gear 2
© Gremlin 1994
What you need:
Original game or SPS release #1737
Amone
AR 3 cart.
Little asm knowledge
I’ve included a disk here you can download, with the crackpatch on and asmone.
Start by making a copy of the two game disks. You’ll see both disks copy ok, no red mark appears. Then this is
Most likely a off-disk protected game.
Boot your fresh copy, and this will soon appear:
Novella type protection..
Press fire on joystick 3 times and this appears:
and your Amiga crashes…
ok, reboot and wait for protection screen to appear again. When it does, enter AR.
We could press fire three times, before game crashed. Then there must be a routine counting down from
Three and then crash Amiga at last wrong attempt. Lets find this routine. And what is better, than using
The trainer function in AR; TS 3.
After first trainpass, exit AR, press fire one time and re-enter AR. Continue trainer search: T2.
AR soon after return address $ 36dbf. This is where game saves the count-down value. Many programs
Uses word addressing, so lets see what game uses address $ 36dbe for: FA 36dbe. After a while, it
Returns address $ 36db0, disassemble and have a look:
Address $ 36da6 compares what we enter, if its wrong, then $ 36daa calls the routine starting at $ 36db0,
Which subtract 1 from the counter, when it reaches 0, the JMP –23A(A6) at $ 36dba is executed.
This jump calls “crap” code and crashes the Amiga. If we remove the BNE call to routine at $ 36db0
Then crash code is never called. Take note of address $ 36daa, as we need it later on.
Try NOP out the BNE:
Exit AR and press fire at protection screen. Then this happens:
Nice!
But no cigar.. L
If you start game and complete first level, then this appears:
Huh, looks familiar. Game crashes. This is not happening with original, so something is wrong.
This is probably a checksum routine failing, due to our crack of the protection.
This screen is very similar to the crash screen when novella protection failed..
Reboot and enter AR when protection screen appears.
Disassemble the “ novella crash “ routine, see above. The JMP –23A(A6) caused the crash. Maybe
The programmer used the same routine in checksum routine, to crash computer. Opcodes for the
Jump is “ 4E EE FD “, try searching for these: F 4E EE FE, see above.
AR returns two addresses; $ 30740 & $ 36dba. We already know about $ 36dba, but $ 30740 is new to us.
Have a look around this address:
At $ 30740 we have the “crash jump” & at $ 30704, $ 3070e, $ 30732 we have calls to this jump, if
The checksum values fail. At $ 3073C, we have a branch PAST the crash, if the checksum is ok.
Easiest thing to kill this, is simply to NOP out the “crash jump “ at $ 30740.
Ok, take note of address $ 30740, needs to be NOP’ed out.
Next step is making the actual crack. To make it a bit more difficult, main files is crunched. This means we can not
Just hardwire our changes to the game, we have to make a patch, which will crack game, after it has been
decrunched.
Have a look at files on disk:
I think file “topgear2.exe” might be interesting. Load it into memory; lm topgear2.exe,10000
Disassemble memory: d 10000
What do we look for ? A place in file, where we easily can put a call to our crackpatch…
Offset $ 138 looks interesting, a jump is usually easy to take over.
Replace the “ jsr 4(a0) “ with “ jsr 100.s “. We will then put our patch at $ 100.
Also take note of the code we remove, as it must be restored ( jsr 4(a0)).
See above pic.
Insert a blank disc and save file back; “ sm TOPGEAR2.EXE,10000 10484 “.
Delete original file from your copy of disk 1 and copy changed file to this disk.
Reboot. Before game starts to load, enter AR and insert a loop at $ 100:
When loading stops, enter AR and check if protection code has been loaded and decrunched.
D $ 36daa, yup its there, see above pic.
The game is not using fixed addresses, ie. mainfile is not always loaded to ex. $ 40000. This means we must
Work from an offset. We took over game, where it was doing a “ jsr 4(a0) “. Then why not use A0 for this.
See regs with “ r “ command. Ok, A0 points to $ 27778. Novella should be cracked at $ 36daa.
Subtract $ 27778 from $ 36daa this gives f632. So, we must add f632 to A0, to make it point to novella protection.
Checksum crack was at address $ 30740. Subtract $ 30740 (checksum) from $ 36daa (novella)
This gives 666a. This will make a0 point to checksum crack.
If we then subtract 666a from f632 (value to add to make a0 point to novella) this gives 8fc8. Then we
Subtract this value from A0, to restore A0 to original value.
Open up your fav. Txt editor and make the crack patch;
Save it and open Asmone and assemble:
After you type “ r “ + enter, point to your crack asm, and assemble, see above. Write patch as exefile to
disk 1 in df0: “ wo df0:crack “
Now, open txt editor and add the crack to s/startup-sequence, see above. And finally save file back
Rob.
Publication author
0
Comments: 1160Publics: 2780Registration: 06-03-2017
Happy new year Rob, and welcome back here 😀 ! And of course thank you for this crack tut 😀
Easy to follow and enjoyable tutorial. Nice twist in the tail with the extra checksum. Should have placed it after the third level to weed out the lazy! 🙂 . Cheers for taking the time to write this Rob.
Thanks WayneK!
I dont think so. I’ve checked whole file and did lots of testing, so i’am pretty dure 🙂
Cool, a new tutorial and it’s only the 4th day of 2010! I hope there are lots more to come this year…
Are you sure there are no further checksums in this one Rob? (I’m just asking, I have never even loaded the game).