Xenon
© Bitmap Brothers
1988
You will need the following:
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
Start by making a copy of the original game disk. You'll notice an error on track 0. This means that we are dealing with a disk-based protection.
When you boot the copy of the game, it crashes shortly after the logo appears. Reboot the game and enter AR when the logo appears and you hear a pause in the loading process. This is the protection routine checking track 0.
Press "D" to disassemble the current memory. We are somewhere in the protection routine, so hold Enter down till the bottom of the screen has been reached and scroll back up. Watch out for code that looks like the "start" of a new routine.
Address 600C is the start of the protection. At the end of the routine, the contents of (A5)+C is returned in D0.
This is the key value. Let's see what calls the protection: "FA 600C". AR returns six addresses. Address 5CFC calls the protection. Take note of the five other addresses, as we need them later on.
Disassemble the start of the call routine and hit Enter a few times. Address 5D00 checks if D0 = 1. If NOT, it branches on with the game. If it IS, then the game executes address 5D06, which will crash the game. To crack it, D0 must be set to 0.
Seems easy, right? There is still one little problem: checksum routines. You took note of some addresses earlier. Disassemble e.g. address 62F2:
Based on a DBF loop, this routine calculates a key from the protection code. If the protection is modified, the key at address 6304 will differ and the game crashes due to the routine at address 630C. If the key is correct, the game branches to address 6314, restores the registers and the game continues. We need to kill these 5 checksums. The way to kill them is simply to change the "BEQ" to a "BRA". Try to disassemble a bit further on:
This is another type of checksum. It's not checking the protection, but it's checking code from address 5CF2, the routine that calls the protection. You can also see at address 652C that the key differs. The other key was B8E69B8E, so the first long word of this routine must be B0 BC B8 E6.
B0 BC = CMPI.L.
The second type must be B0 BC DE 19. Take note of these opcodes, so we can find the checksums on disk.
We also need the opcodes for the protection routine. See them with "M 600C".
Read out a big chunk of the disk, starting at address 10000: "RT 0 40 10000". Search for the opcodes, starting at address 10000: "F 48 E7 7F FE 2A 40 06 80,10000".
AR returns address 132A4.
Disassemble address 132A4, so we get a view of the protection. Address 132CC moves the contents of (A5)+C into D0. This value has to be 0. Assemble at address 132B4 and insert a "CLR.B C(A5)". Then fill in NOPs till address 132CC, where the value is moved to D0.
The next step is busting the checksums. Search for the first five: "F B0 BC B8 E6,10000". AR returns five addresses.
Disassemble the first one and hit Enter a few times.
Take note of the "BEQ" address and change this to "BRA". Do this with the next four checksums.
When done, find the next six checksums: "F B0 BC DE 19".
Repeat the procedure as with the earlier checksums.
If you don't like this method, there is another way of doing it. Start the game and find, e.g., the first checksum routine.
Change the "CMPI.L B8E69B8E" to a loop routine (make the address branch to itself). Execute the start of the checksum with the "G" command and enter AR right after. Then press "R" to see the registers. You will then have the key based on our cracked code in D0. Change the key in the "CMPI.L" routines to the key you read out from D0. 🙂
And finally write the tracks back: "WT 0 40 10000".
If you find this game just a little hard to play, then insert 1 NOP at address E8BE and 2 NOPs from address EA4A.
Rob