WIZ 'N' LIZ

FROM PSYGNOSIS

You will need the following:

1. Original game
2. An Amiga or WinUAE
3. Action Replay
4. Pencil and paper
5. 1 blank disk
6. Pro-Pack v2.08 (find it on amiga-stuff.com)
7. X-Copy or some similar program
8. Basic knowledge in file handling

Yes, here we go again... Make a copy of the original game disks. You will
notice an error on track 0, but only on disk 1.

Boot the copy of the game. After some loading and the Psygnosis picture, the track counter
goes to track 0 and you see a black screen. Nothing is happening. Hmm... probably the Copylock kicking in.
Enter AR, press 'D' and hit enter a few times.
You should see something like this:
NOTE: addresses may differ on your computer, depending on your memory config.

Lines C0034 and C0036 look like some test routine. What this does
is check whether D5 is different from 0.
If not, it just loops. If D5 is not 0 then it continues. Try pressing
'R' and hit enter; you will see something like
this:

Notice that D5 is equal to 0. Try changing D5 from 0 to 123456 by typing 'R
d5 123456' and hitting enter.

Notice that D5 has changed to 123456. Now exit AR with X and enter.

What in the name of sweet Jesus, the game is loading and starting. HEHE cool
eh? So a magic number must be returned
in D5. Ok, so we could make a patch which just returns something in D5. The
problem is, we don't know if the
REAL magic number is used for 'SOMETHING USEFUL' later in the game,
like some checksum routine.
So let's get our little greasy hands on the REAL magic number.
Insert ORIGINAL disk 1 and reset your machine. When you see this picture, start
paying attention:

After this picture, the game loads for some time and then returns to track 0.
At the exact moment it turns to track 0,
enter AR. Now it's time to find the Copylock. Do a search for HEX 48 7A
with 'F 48 7A' and hit enter. Copylocks
often start with this (48 7A is the opcode of the PEA instruction). See pic:

It will return four addresses; we are interested in the first one. Type
'D1932' and hit enter, and you will see signs of a
typical Copylock routine. Hold down enter until you see this:

Line 21FC is where the Copylock ends. Take a look at line 2200: this line
jumps into the game after the Copylock has
been run. Write down this: 'JMP (A0)'. Ok, we wanted the magic number, so insert
this piece of code at line 21FE:
BRA 21FE

Press ESC and exit AR with X. After a little while the game jumps to track
32 and hangs. Enter AR again and press
'R' to see the registers.

Our BRA at line 21FE makes an endless loop after the Copylock has returned
the magic number. Normally the game
would have moved the magic number to another location and then flushed the registers.
Ok, now we have the magic number in D5. Notice that all the other registers are full
too, except for D1. We know for sure that
we need D5, but we don't know about the others. Since the original game
is returning them, we probably should
do this too when we make our patch; it won't hurt anyway, so write down the contents
of D0, D2, D3, D4, D5, D6 AND D7.

Now we need to find out where the Copylock is located on disk. This is a hard
job, since everything is crunched
with ProPack. The ONLY way is to rip all the files and decrunch them one by one,
and then search through them
for signs of Copylock routines. To spare you A LOT of time, I'll tell you where
it's located. It all happens between
tracks 19 and 37. So let's read them out.
Before you do this, remove the disk from the drive and reset; after the reset enter AR again
and insert the disk again. We do this to
clear memory. Read the tracks with 'RT 26 26 30000': read tracks 19-37
starting at memory location 30000. (AR takes its track numbers in hex and counts
them per disk side, so $26 = 38 is cylinder 19, side 0, and $26 tracks cover
cylinders 19 to 37; 38 tracks of 11 sectors is $34400 bytes, which is why the
data will end at 64400 below.)

The crunch ID of ProPacked files is 'RNC', so let's search for that. The
hex bytes for 'RNC' are '52 4E 43'.
Type this and hit enter: 'F 52 4E 43,30000'. It will return 10
addresses, but we are only interested in the first one.
See pic above. Address 31C00 is for certain the start of the file. Write this
down. We can't find the exact end of the file,
because it hasn't got any ID. Luckily ProPack only checks the start of the
file for the 'RNC' ID. It doesn't care about the end
of the file. To find the end of the data loaded into memory, type 'NQ 31C00' and
hit enter. A whole lot of crap will flash down your
screen and it ends at address 64400.
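As an added example (not part of the original tutorial or of any AR or ProPack tool): a small Python scanner that does the same 'RNC' search over a ripped track image, but also reads the length fields of the RNC header so the end of each crunched file (and its exact size, the number the cruncher step later compares against the original) can be read directly instead of eyeballing NQ output. It assumes the documented 18-byte ProPack v2 header layout and uses a constructed sample image that mirrors the page's addresses.

```python
import struct

# Assumed (documented ProPack v2) header, all big-endian, 18 bytes in total:
#   "RNC" + method byte (1 or 2), unpacked length (4), packed length (4),
#   unpacked CRC-16 (2), packed CRC-16 (2), leeway (1), chunk count (1).
# The page only relies on the "RNC" bytes; the rest of the layout is an assumption here.
RNC_HEADER = struct.Struct(">3sBIIHHBB")
RNC_METHODS = (1, 2)

def find_rnc_files(image, base=0):
    """Scan a raw dump (e.g. tracks AR read into memory) for RNC headers.
    base is the address the dump was loaded at, so results use AR addresses.
    Returns a list of dicts with start/end addresses and the header's lengths."""
    found = []
    pos = image.find(b"RNC")
    while pos != -1:
        if pos + RNC_HEADER.size <= len(image):
            sig, method, unpacked, packed, crc_u, crc_p, leeway, chunks = \
                RNC_HEADER.unpack_from(image, pos)
            end = pos + RNC_HEADER.size + packed
            # A real header has a valid method byte and its packed data fits in the
            # dump; a stray "RNC" string (e.g. inside text) fails one of these checks.
            # The CRC fields are carried through but not verified here.
            if method in RNC_METHODS and packed > 0 and end <= len(image):
                found.append({
                    "start": base + pos,
                    "end": base + end,              # first address after the packed data
                    "method": method,
                    "packed": packed,
                    "unpacked": unpacked,
                    "file_size": RNC_HEADER.size + packed,
                })
        pos = image.find(b"RNC", pos + 1)
    return found

def build_rnc_file(method, payload, unpacked):
    """Constructed sample only: wrap an opaque payload in an RNC header (CRCs zeroed)."""
    return RNC_HEADER.pack(b"RNC", method, unpacked, len(payload), 0, 0, 0, 1) + payload

# Constructed dump mirroring the page: image loaded at $30000, file found at $31C00.
BASE = 0x30000
SAMPLE = (b"\x00" * 0x1C00
          + build_rnc_file(1, b"\xAA" * 100, unpacked=4000)
          + b"...RNC loader text..."   # decoy: "RNC" not followed by a method byte
          + b"\x00" * 0x100)

if __name__ == "__main__":
    for f in find_rnc_files(SAMPLE, BASE):
        print("RNC%d file at $%05X-$%05X, %d bytes packed, %d unpacked"
              % (f["method"], f["start"], f["end"], f["file_size"], f["unpacked"]))
```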

Now we've got an end address. Let's save this into a file. Insert the blank disk
and type 'SM RNC,31C00 64400'; hit enter.
Now you should have a file called 'RNC' on disk. Copy ProPack to
this disk too and reset.
In DOS, type 'PROPACK U D RNC'; see pic below:

Now you should have a new (decrunched) file on disk, called 'RNC.RNC'.
Enter AR again and type
'LM RNC.RNC,20000' to load the file into memory starting at address 20000.
The file is located in memory between
20000 and 73944. Write this down. Let's find the Copylock routine, by
typing 'F 48 7A,20000'.

It returns two addresses; the first one is where the Copylock starts. In some
Copylock routines there is a line before
the 'PEA' which messes around with the registers. Disassemble line 690E0
and hit enter a few times. See picture above.
Notice line 690E8 (marked with a red line): this is where we will insert our
patch. Now, find the piece of
paper where you have written all the registers down. Assemble line 690E8 with
'A690E8' and hit enter.
Type in the following (see picture below):

This will move the values taken from the original game into the registers, so the game
'thinks' that everything is ok.
Also remember at address 69112 to do a 'move.l d5,f4.s', and put 'jmp (a0)' at address 6911a; both are missing from the above pic. This returns the key at address f4. The JMP (A0) will start the game: A0 contains an address which starts the game.
Hmm... Kylie Minogue, sorry, watching television.
Now you probably think that it's time to save memory to a file and then crunch
it. Well... you couldn't be more wrong.
Our changes will affect the cruncher's efficiency, causing our file to
be LARGER than the original file. We will deal
with this by inserting A LOT of NOPs. Repeated code is
easier to crunch and gives a smaller file. The reason our file
must NOT be larger than the original is that this game is NODOS. NODOS games only
load a certain amount of data
into memory. This amount is defined by the 'loader routine'. So
if our file is too large, the end of the file MAY not be loaded
into memory and this will cause a visit from 'THE GURU' (in plain
English: your computer F**Ks up).
A good place to insert these NOPs would be after our patch. Our patch
ends at address 69112, so start inserting
NOPs from address 69114 till 6917A. I know... a lot of NOPs,
but just do it, I am NOT kidding.

When done, it's time to save memory into a file. First you should delete
the files called 'RNC.RNC' and 'RNC'
to free some disk space. When done, type 'SM RNC, 20000 73994' and
hit enter.

When done, reset and crunch the file. In DOS type 'PROPACK P D RNC' and
hit enter.

If you use WinUAE, you will be able to take a degree in rocket science before
it's finished
(this takes approx. 25 mins, with floppy speed set to 800%).
By now you should have a new file called 'RNC.RNC'. Now you may
be thinking 'how do I know if my newly packed
file is equal to or smaller than the original file size?'. The original file
size is 149428 bytes long, so... Now you say the
file I ripped was WAY bigger. Yes, you're right, but when we use AR's
track ripping function we read 'enough' tracks,
so we are sure we got all the data we need. This results in
a much bigger file than actually necessary.
I know the exact file size because I have ripped the files with a program called
'Wrip', but this program needs
KS 2.0 minimum, and we use KS 1.3, so...
Ok, back to work. Insert the COPY of disk 1 and enter AR. Read out the same tracks
as before: 'RT 26 26 30000'.

Remember that our file started at address 31C00? Type 'N 31C00',
hit enter a few times and then Esc. See the 'RNC'?
Now insert the disk that contains the cracked file. Load the file into memory,
starting at address 31C00.
Type 'LM RNC.RNC,31C00' and hit enter. When done, insert the COPY of
disk 1 and write memory back to disk with:
'WT 26 26 30000'

When done, reset the computer and see what happens...

It works! I have playtested this on different memory configs and it worked fine.
I know this was a lot of work, but this game is well worth it.
This crack is dedicated to an angel on earth... Victoria

Signed

Rob

Comment from Rob (19 years ago):

In the decrunched file add this at address 69112:
69112;move.l#1f4355b1,f4.s
6911a;jmp (a0)

This will add the real magic number to address f4.
