Xenon II
? Bitmap Brothers
1989
You will need following:
1. Original game ? find on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Three disks
6. 1meg. of memory (for cracking process only)
This applies for the copylock protected version.
Start by making a copy of the original game disks. You?ll notice an error on track 0, disk 1.
This means that we are dealing with a disk-based protection. Game is protected with several copylock routines.
We?ll crack it by grabbing the decrypted memory and writing it back to disk.
In this tutorial, I have NOT included ripping the intro.
Boot original game and wait for the intro to start. When intro is finished, press fire to continue game.
When game continues loading, enter AR. Try pressing ? D ? + enter. You should be somewhere in the 64000 area of memory
Look out for following code:
When game reaches address 64282, the last copylock appears in memory. We didn?t have to think of the other
copylocks, as they where part of the annoying intro.
Stick a breakpoint to address 64282 and exit AR: ? BS 64282 ?.
When AR pops up, it?s time to find start of file. Type ? N 0 ? and hit enter a few times:
File seems to start at address 400. Disassemble address 400 and locate the copylock:
Copylock routine starts at address 70F6. Find end of the routine, so we can breakpoint it and get the copylock key:
Copylock ends at address 7638 and normal code starts at address 763A. Stick a breakpoint in end of copylock and
exit AR: ? BS 7638 ?. When AR pops up, press ? R ? to see registers:
Take note of all registers except A7. Also notice that copylock key is returned at address 24, very common for
old copylock routines.
Assemble 70F6 (start of copylock) and insert following code:
This will set all registers to the same values, as after the original copylock has run. After this, patch jumps to code
after copylock routine, so it?s totally bypassed.
We don?t know where file ends, just set 80000 to end address. Insert a blank disk and save memory as a file
called ? a ? : ? SM A,400 80000 ?.
Next problem is getting our cracked file loaded into memory?
Let?s use the games own loader for this. Insert copy of disk 1 and read a nice big chump of it into memory, starting at
address 10000: ? RT 0 9F 10000 ?
Game starts by loading the intro. Let?s find beginning of the intro and overwrite it with our crack file.
After reading disk into memory (nice with extra mem, right?), type ? N 10000 ? and hit enter some times. This will
show contents of memory:
You?ll see some unused space, a extra boot block, more unused space and suddenly we have some code at 12C00.
This code is beginning of the intro. Insert disk with cracked file and load it into memory, starting at address 12C00:
? LM A,12C00 ?. This will cause game to load crack file instead of the intro. And yes, intro is also loaded to addr. 400. 
When file is loaded into memory, insert copy of disk 1 and write tracks back: ? WT 0 9F 10000 ?
Reboot and have fun
Testing by Yuggi Bear
Rob
Publication author
