Whizz
? Flair Software
1994

You will need the following:

1. Original game, find it on romshare.com
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Some experience in using AR

First of all, this game needs 1 MB of CHIP memory, not slow or fast RAM but CHIP.

Start by making a copy of the original game disks. Both disks seem to be fine.
The protection is probably a Novella.

From now on, we will only use our copy of the game. Boot the game, skip the anims and
press start at the title screen.
When prompted, insert disk 2. A moment after you'll see this screen:


Hmmm. If you have the manual, you should stop reading now.
Enter AR and hit 'D', you'll see something like this:


Ok, we are in the 7C000 area. Let's find out where this starts. If we're
lucky, it starts at address 7C000. Search for
jumps into this address by typing 'FA 7C000'.


It will return one address: 29770. Notice that it does a 'JSR',
so maybe the protection is a subroutine, which can be
totally bypassed. Write down address 7C000. Disassemble address 29770; when
you reach the bottom of the screen,
scroll back up with cursor up until you see this:


Notice address 296E6, it looks like the start of 'something'. This
something will call the protection and after that
start the game. Let's see if anything jumps into this address, see pic:


Address D5914 jumps to 296E6, so the main loader is probably located in the D5900 area.
Write this address (296E6) down too, it might come in handy later. Reboot the game;
when you're prompted to insert disk 2, enter
AR, assemble address 7C000 and insert an 'RTS', exit and start the game,
see pic:


After a while this screen will appear:

It's the game! So, this means that we can bypass the whole protection.
That was the easy part; the hard part is making
this permanent. This game is packed with some unknown packer or changed
crunch IDs, so we will have to make a patch
which will insert an 'RTS' at address 7C000 after the protection
has been depacked.
Start by ripping the main loader; it's located on tracks 01-06,
read them out with 'RT 2 0C 30000'.
Remember the last address you wrote down, 296E6? Good, find signs of jumps
into this address, beginning the
search at address 30000. See pic:


Change the 'JMP 296E6' to 'JMP C0', see pic above. We
will put our patch at this address. Our patch will insert
the 'RTS' at address 7C000 and then jump back into the game at address
296E6. Write the tracks back with 'WT 2 0C 30000'.
Now we must find a suitable place on disk for our patch. The best would be to
find some spare 'room' inside the loader,
but there is none, so we leave this option.
The next option is to find some free disk space and put it there. A good place would
be the bootblock, there is plenty
of space. Read the bootblock into memory: 'RT 0 70000'.


From address 700C0 onwards is free. Yes, yes, I know. The copylock RNC thing...
I don't think this game is
copylock protected, it only uses the RNC loading system. If I'm wrong,
then you're just going to have some more fun...
Ok, assemble address 70200 and insert this code:


That was our patch; the next problem is getting it into memory. Let's add a little
track-loader routine, loading our patch
into memory starting at address C0.
Assemble address 7000E and insert this code:


Assemble address 700C0 and insert this code:

You can't assemble line 700DE with AR, so type 'M 700DE',
hit enter, and insert the opcode you can see in the
picture above.
When done, correct the bootblock checksum with 'BOOTCHK 70000'.


Write the bootblock back with 'WT 0 1 70000'. Reset and see what happens.
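The BOOTCHK step is the one part of this procedure that can be checked offline. The following is an added example in Python, not code from the tutorial or from Action Replay, that computes and verifies the standard Amiga bootblock checksum: the 1024-byte block is treated as 256 big-endian longwords, they are added with end-around carry (ones' complement addition) and the longword at offset 4 is chosen so that the total comes out as 0xFFFFFFFF, which is what Kickstart tests before running the block. The sample bootblock is constructed inline (a 'DOS' signature, root block pointer and a two-byte stand-in payload) and the function names are mine.

```python
import struct

# Standard Amiga bootblock: the first two 512-byte sectors of the disk
# (what 'RT 0 70000' reads and 'WT 0 1 70000' writes back).
BOOTBLOCK_SIZE = 1024
# The checksum longword sits at bytes 4..7, right after the "DOS" signature.
CHECKSUM_OFFSET = 4
ROOT_BLOCK = 880  # root block of a standard DD floppy, stored at offset 8


def _ones_complement_sum(block, skip_offset=-1):
    """Add the 256 big-endian longwords with end-around carry (ones'
    complement addition), leaving out the longword at skip_offset."""
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == skip_offset:
            continue
        total += struct.unpack_from(">I", block, offset)[0]
        if total > 0xFFFFFFFF:
            # A carry out of bit 31 is folded back into bit 0, as the ROM does.
            total = (total & 0xFFFFFFFF) + 1
    return total


def bootblock_checksum(block):
    """Checksum that makes `block` bootable: the complement of the ones'
    complement sum of the other 255 longwords. This is the value that
    BOOTCHK stores at offset 4."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError(f"bootblock must be {BOOTBLOCK_SIZE} bytes, got {len(block)}")
    return (~_ones_complement_sum(block, CHECKSUM_OFFSET)) & 0xFFFFFFFF


def fix_checksum(block):
    """Return a copy of `block` with the checksum field filled in."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)


def stored_checksum(block):
    """The checksum longword currently recorded in the block."""
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]


def verify_bootblock(block):
    """True if Kickstart would accept the block: the ones' complement sum of
    all 256 longwords, checksum included, must come out as 0xFFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        return False
    return _ones_complement_sum(block) == 0xFFFFFFFF


def make_sample_bootblock(payload):
    """Constructed sample bootblock: 'DOS\\0' signature, zeroed checksum,
    root block pointer, then `payload` standing in for loader code,
    zero padded to the full size. Not a real game bootblock."""
    header = b"DOS\x00" + b"\x00\x00\x00\x00" + struct.pack(">I", ROOT_BLOCK)
    return (header + payload).ljust(BOOTBLOCK_SIZE, b"\x00")


if __name__ == "__main__":
    raw = make_sample_bootblock(b"\x4e\x75")  # constructed payload: one RTS opcode
    print("valid before BOOTCHK:", verify_bootblock(raw))
    fixed = fix_checksum(raw)
    print("checksum %08X, valid after: %s" % (stored_checksum(fixed), verify_bootblock(fixed)))
    # Ones' complement arithmetic treats a 0x00000000 and a 0xFFFFFFFF longword
    # alike, so swapping one for the other leaves the checksum unchanged.
    assert bootblock_checksum(make_sample_bootblock(b"")) == \
        bootblock_checksum(make_sample_bootblock(b"\xff" * 8))
```

Two things worth knowing when you rely on this check: a block whose checksum field is still zero (the state right after assembling the patch) fails verification and the ROM will not boot it, which is why BOOTCHK has to run before WT; and because the sum is ones' complement, a longword of 0x00000000 and one of 0xFFFFFFFF contribute the same value, so the checksum is only a guard against accidental damage, not evidence that a bootblock is unmodified (anyone who writes one simply recomputes it).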

It works of course!
It was very hard to find a constant free memory location for the patch, since
this game likes to 'spread its wings' in
memory. C0 is VERY low for A1200 users, but I have tested it on a REAL A1200
with and without accelerator and it worked fine.
I haven't done much playtesting with this game, so I don't know
if there are more protection calls later in the game...
Dedicated to the sweetest girl on earth... Victoria

Rob


musashi9
Admin
13 years ago

fixed

MarzSyndrome
13 years ago

No piccies…

WayneK
17 years ago

There is one little problem with this method of cracking the novella protection check – you can’t enter any cheatcodes 🙁
The game checks for "KAZZY" (levelskip, press 1-9 ingame) and "DEEPPAN" (still no idea what this does!)…

Protection ‘good’ flag is @ $00086D ($01 = good, $00 = bad), better way to crack it is to change:

$7C366 BNE 0007C378
(branch if bytes from real pw and entered pw don't match)

change this to:

$7C366 BNE 0007C36E

this forces a jump to the "set good flag" routine instead, and allows you to use the cheatcodes as normal.
