Winter Olympics - Lillehammer '94
U.S. Gold
1993

You will need the following:

1. Original game - find it on emunova.net
2. An Amiga or WinUAE
3. Action Replay or a ROM image of it
4. Pencil and paper
5. 1 blank disk
6. Pro-Pack v2.08 - find it on amiga-stuff.com

Start by making a copy of the original game disks. The copy completes without errors, so this
is probably a "novella" protection, i.e. a manual check rather than a disk-based one.
Boot the copy of the game. After a while a screen similar to this appears:

Hmm...
Press enter three times and you'll see a flashing red screen. Enter AR, press
D to disassemble from the current address and
hit enter a few times. Depending on where in the routine you are, something like
this should appear:

This routine makes the screen flash red. Address 4238 branches back to address 4200, so this
is probably the start of the routine.
Press R to see the registers. Notice that A3 points to address 4200.

Now we want to see what jumps into address 4200 (the flash routine). Before we do that, we
have to set A3 to 0, or we will get
a lot of false references. Set A3 to 0: R A3 0; press enter.
Now find what jumps to address 4200: FA 4200.

Address 95A looks interesting. Disassemble from this address and hold enter down until
you reach the bottom of the screen. Scroll
back up with cursor up until this appears:

The BNE at address 93C seems to skip past the jump to the loop routine.
Let's see what happens if
we jump to address 960, like the BNE does. Type G 960 and press enter.
The game starts. Interesting...
Enter AR again.

At address 934 we have a BSR to address 1338, so the protection routine
probably starts there.
Let's crack this by removing the BSR 1338 at address 934 and the TST.B at address
938, and changing the BNE 960 at address 93C
to BRA 960.
Remove the disks from the drives and reset. Enter AR when the Kickstart picture appears.
The protection is crunched, so we have to decrunch it before any changes can be
made to it.
It's located in a file which starts on track 0 and ends on track 10. Insert the
copy of the game and read tracks 0 - 10 into memory,
starting at address 30000: RT 0 16 30000.

The crunch ID for ProPack files is "RNC". Search for those bytes (52 4E 43 in ASCII), starting
at address 30000: F 52 4E 43,30000.
AR returns two addresses. Our file starts at address 30800, and the next RNC file starts at
address 4CA00. If we save memory from
address 30800 to 4CA00, we know we have the whole file.
Insert the blank disk and save memory as a file called RNC: SM RNC,30800 4CA00. Copy
ProPack to this disk too and
boot it. Type this in DOS to decrunch the file:
PROPACK U D RNC
After some time you should have a new file called RNC.RNC. Enter AR and load it
into memory: LM RNC.RNC,30000
The file is now located between 30000 and 63F8E.
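The search above uses AR's byte search and then takes "up to the next RNC signature" as the end of the file. As an added example that is not part of the original tutorial, the following Python script does the same scan over a raw track dump and, going a step further than the page, reads the ProPack container header to compute the exact end of each packed file. The header layout (method byte, big-endian unpacked size, packed size, two CRCs, leeway, chunk count; 18 bytes in all) is the documented RNC format and is an assumption of this example; the track image, the offsets and the decoy "RNC" string are constructed here, not taken from the game.

```python
import struct

# Layout of the RNC ProPack container header (assumed from the documented
# format; the tutorial itself only searches for the three bytes "RNC"):
#   "RNC" <method u8> <unpacked u32> <packed u32> <crc_unpacked u16>
#   <crc_packed u16> <leeway u8> <chunks u8>      -- 18 bytes, big-endian
RNC_MAGIC = b"RNC"
RNC_HEADER_LEN = 18


def parse_rnc_header(buf, off):
    """Return the header fields of the RNC file at buf[off], or None if the
    bytes there do not look like a valid ProPack header."""
    if buf[off:off + 3] != RNC_MAGIC or off + RNC_HEADER_LEN > len(buf):
        return None
    method = buf[off + 3]
    unpacked, packed, crc_u, crc_p, leeway, chunks = struct.unpack_from(
        ">IIHHBB", buf, off + 4)
    # ProPack writes method 1 or 2; anything else is the string "RNC" sitting
    # inside other data, which AR's plain byte search would also report.
    if method not in (1, 2):
        return None
    # The packed stream must fit inside what we read from disk.
    if off + RNC_HEADER_LEN + packed > len(buf):
        return None
    return {"method": method, "unpacked": unpacked, "packed": packed,
            "crc_unpacked": crc_u, "crc_packed": crc_p,
            "leeway": leeway, "chunks": chunks}


def find_rnc_files(buf, base=0x30000):
    """Scan buf for RNC files like 'F 52 4E 43,30000' and return (start, end)
    pairs as AR addresses (base + offset). The end is taken from the header's
    packed size, so it is exact instead of 'up to the next signature'."""
    files = []
    off = buf.find(RNC_MAGIC)
    while off != -1:
        hdr = parse_rnc_header(buf, off)
        if hdr is not None:
            end = off + RNC_HEADER_LEN + hdr["packed"]
            files.append((base + off, base + end))
            off = buf.find(RNC_MAGIC, end)      # skip over the packed data
        else:
            off = buf.find(RNC_MAGIC, off + 1)  # false hit, keep scanning
    return files


def extract(buf, start, end, base=0x30000):
    """The bytes AR's 'SM name,start end' would write for that address range."""
    return buf[start - base:end - base]


def make_rnc(method, payload, unpacked_len):
    """Build a constructed RNC container around an opaque payload (no real
    compression; only the header fields matter for locating the file)."""
    return (RNC_MAGIC + bytes([method])
            + struct.pack(">IIHHBB", unpacked_len, len(payload), 0, 0, 0, 1)
            + payload)


# Constructed track dump: 0x800 bytes of boot filler, an RNC file at offset
# 0x800 whose payload contains a decoy "RNC" string, then a second RNC file
# directly behind it (two hits from the search, as on the page).
_payload1 = bytearray(b"\x00" * (0x1000 - RNC_HEADER_LEN))
_payload1[0x100:0x104] = b"RNCA"          # decoy: method byte 'A' is invalid
SAMPLE_IMAGE = (b"\xff" * 0x800
                + make_rnc(1, bytes(_payload1), 0x3000)
                + make_rnc(2, b"\x11" * 0x100, 0x400)
                + b"\x00" * 0x200)


if __name__ == "__main__":
    for start, end in find_rnc_files(SAMPLE_IMAGE):
        print(f"RNC file at {start:X}-{end:X}  ->  SM RNC,{start:X} {end:X}")
```

On the constructed image the scan reports the first file as 30800-31800 and the second as 31800-31912; the decoy "RNC" inside the first payload is rejected by the method-byte check, which is exactly the kind of false hit a raw byte search can return on a real disk.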

Now we need to find the lines of code which call the protection. Remember the JMP 4200
to the loop routine?
Let's search for that jump: FA 4200,30000. AR returns address 3015A. Disassemble from
address 30100 to get the whole
picture:

Hopefully this looks familiar. Let's insert NOPs from address 30134 to 3013C
and change the BNE 30160 at address
3013C to BRA 30160. This will skip the whole protection and branch on into the game.
Assemble at address 30134 and insert this code:

Note: if you don't want to skip the whole protection, insert a NOP at address
30BEC instead and don't change anything else.
The protection screen will still appear, but it accepts whatever you type
in.
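Both patches above are blind byte writes in AR, so a wrong offset silently corrupts the file. As an added example that is not from the original tutorial, here is a Python patcher that applies the same two cracks to the decrunched file as a byte buffer, but first decodes the 68000 branch instructions at the patch sites and checks they really are the BSR 1338 / BNE 960 (and the BNE at 30BEC) the text describes. Offsets are file-relative: the file is loaded at 30000 in AR and the code runs at 800 at runtime, so AR address 30134 is file offset 134 and runtime address 934. The sample buffer, the TST.B operand and everything at the other offsets are constructed for the example; the page does not show those bytes.

```python
import struct

NOP = 0x4E71          # 68000 NOP
AR_BASE = 0x30000     # where the decrunched file sits in AR (LM RNC.RNC,30000)
RUNTIME_BASE = 0x800  # file offset 0x134 executes at 0x934 (assumed from 30134 <-> 934)

# Bcc condition field values used below
COND_BRA, COND_BSR, COND_BNE = 0x0, 0x1, 0x6


def decode_bcc(code, off):
    """Decode a 68000 Bcc/BRA/BSR at file offset `off`.
    Returns (condition, target_offset, instruction_length)."""
    op = struct.unpack_from(">H", code, off)[0]
    if op >> 12 != 0x6:
        raise ValueError(f"{op:04X} at {off:X} is not a Bcc instruction")
    cond = (op >> 8) & 0xF
    disp8 = op & 0xFF
    if disp8 == 0x00:                       # .W form: 16-bit displacement follows
        disp = struct.unpack_from(">h", code, off + 2)[0]
        length = 4
    elif disp8 == 0xFF:                     # .L form exists only on 68020+
        raise ValueError("32-bit displacement not valid on a plain 68000")
    else:                                   # .S form: signed 8-bit displacement
        disp = disp8 - 0x100 if disp8 & 0x80 else disp8
        length = 2
    return cond, off + 2 + disp, length     # displacement is relative to PC+2


def expect_branch(code, off, cond, target):
    got_cond, got_target, length = decode_bcc(code, off)
    if (got_cond, got_target) != (cond, target):
        raise ValueError(f"unexpected branch at {AR_BASE + off:X}: "
                         f"cond {got_cond:X} -> {AR_BASE + got_target:X}")
    return length


def crack_skip_protection(code, bsr_off=0x134, bne_off=0x13C):
    """The main crack from the text: NOP everything from the BSR 1338 up to
    the BNE 960, then turn the BNE into a BRA so the game always continues."""
    code = bytearray(code)
    expect_branch(code, bsr_off, COND_BSR, 0x1338 - RUNTIME_BASE)
    tst = code[bsr_off + 4]                 # TST.B follows the 4-byte BSR.W
    if tst != 0x4A or code[bsr_off + 5] >> 6 != 0:
        raise ValueError("expected TST.B after the BSR")
    expect_branch(code, bne_off, COND_BNE, 0x960 - RUNTIME_BASE)
    for o in range(bsr_off, bne_off, 2):    # 30134..3013A -> four NOPs
        struct.pack_into(">H", code, o, NOP)
    code[bne_off] = 0x60                    # BNE.S -> BRA.S, displacement kept
    return bytes(code)


def crack_accept_any_answer(code, bne_off=0xBEC):
    """The alternative from the note: NOP the single BNE at 30BEC so the
    protection screen still shows but accepts any input."""
    code = bytearray(code)
    expect_branch(code, bne_off, COND_BNE, 0x13FC - RUNTIME_BASE)
    struct.pack_into(">H", code, bne_off, NOP)
    return bytes(code)


def build_sample():
    """Constructed stand-in for the decrunched file (not the real game code)."""
    code = bytearray(b"\x00" * 0x1000)
    code[0x134:0x138] = bytes.fromhex("61000A02")  # BSR.W $B38  (runtime 1338)
    code[0x138:0x13C] = bytes.fromhex("4A38028F")  # TST.B $28F.W (constructed operand)
    code[0x13C:0x13E] = bytes.fromhex("6622")      # BNE.S $160  (runtime 960)
    code[0xBEC:0xBEE] = bytes.fromhex("660E")      # BNE.S $BFC  (runtime 13FC)
    return bytes(code)


if __name__ == "__main__":
    patched = crack_skip_protection(build_sample())
    print("30134:", patched[0x134:0x13E].hex(" ").upper())
    print("30BEC:", crack_accept_any_answer(build_sample())[0xBEC:0xBEE].hex().upper())
```

The check on the condition field and the decoded target is what makes the patch safe to script: if the offsets are off by even a word, `expect_branch` raises instead of writing NOPs into the middle of another instruction. The same validation can be reused after repacking and rereading the tracks to confirm the patch survived.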

Delete the files RNC and RNC.RNC to free some disk space.
Save memory back as a file called CRACK: SM CRACK,30000 63F8E. Exit to DOS and crunch
the file:
PROPACK P D CRACK
You should now have a new file called CRACK.RNC. Insert the COPY of the game and enter AR.
Read tracks 0 - 10 into memory, starting at location 30000: RT 0 16 30000.
Remove the game disk and insert the disk with the cracked
file. The file from disk started at address 30800, so load the cracked file into memory
starting at address 30800:
LM CRACK.RNC,30800.

Insert the COPY of the game and write the tracks back: WT 0 16 30000.

Dedicated to sweet sweet Victoria

Rob

scenex
19 years ago

to crack the manual check routine instead of skipping it, you’d have to patch as follows:

..
13E8 NOT.B D6
13EA EOR.B D6,D5
13EC BNE 13FC <- NOP
13EE DBF D3,13E0
13F2 ST 28F
13F8 BRA 148E <- MANUAL CHECK SUCCEEDED
=============
13FC ADDQ #1,D7
13FE CMPI.B #3,D7 <- ENTERED 3 TIMES WRONG?

musashi9
Admin
19 years ago

the RNC isn't packed very well on the original, you can read in the first track, then you can edit the BNE to a NOP
rt 0 1 50000
a 50e26
nop

it works but I haven't tested it fully so it's probably best to unpack the file then repack it like what Rob did
