- I used the original disk from IPF file #609, EU Retail (see Web IPF Analyzer by Giants)
- AR or HTRMon and/or a disassembler/debugger like Mega-Mon (not specific to this tutorial)
- an assembler (AsmOne/DevPac/Barfly...) if you want to rewrite the boot
- Sector Trasher/Silents or Sectorizator / Exe2Boot (see ToolDisks)
Try the IPF disks. Non-DOS game, no passwords required.
Do a quick scan of the disk with X-Copy: something is wrong at the first track. Seems to be a disk-based protection.
Make a copy of the disk and boot it: the screen stays black after reading track 1.
From AR, disassemble where the program is stopped (F4D6):

it compares the start of the sector with $4521 (MFM sync marker).
Cross backward: this test routine starts at F4D0 and is called from F3E2 (fa f4d0): read sector 1 at D2F6. At F408, test for a read error; jump to F434 if OK.
Here is the routine called for reading the sector (motor on, track load...).

At F56E, it jumps to F4D0: the MFM decode routine. It's used as the "protection".
So, reboot. Stop with AR after track 49 is loaded. Then disassemble at F4D0 (d F4D0): the code is here.
First try: put an RTS at F4D2 to skip the whole routine. Restart (x) and let it load until track 1.
...It's OK! The Intro starts!
But what is this sector? An important one? Only protection?
Disassemble more:
at F4D0 it decodes the data from D2F6 to D396.
At F448, it copies D2F6 to D396.
At F45C, D2F6 is used with the subroutine at F616: seems to be a track writing routine!
This game saves the hiscore on disk: at sector 1! The hiscore is used as protection.
So, for the patch, we have to NOP the test of $4521, otherwise the hiscore is not decoded. And also erase the $4521 in the write subroutine (at F6AC).
Put 6x 4E71 at F4D6 and 3x 4E71 at F6AC.
(I've not tested the hiscore saving because I used WinUAE: unsupported format for writing.)
Patching:
I loaded and disassembled the starter program: 44 blocks loaded at 50000 from block 22. It's the main program, crunched. Starting at 50024, it decrunches to 40000, then jumps to 40000, copies the main program to 0 and jumps to 500 to start.
The program loads some files and loads the Intro at B000. The "protection" is in the Intro code.
It's possible to patch directly from the boot: after loading the program at 50000, change the boot:
    ...
    move.w  #$4e75,$5012a       ; replace JMP $40000 by RTS
    jsr     $50024              ; replace JMP by JSR: decrunch to 40000 and return here
After this line, we have to install the patch of the Intro, but it is not yet loaded at this moment... so the patch is copied to free space at $b8.
    lea     $b8.w,a0
    move.l  a0,$40100+$5DA      ; replace JSR $B000 by JSR $B8
I use $40100 as base because it's the part of the program that is copied to 0, and I copy the patch to $40100+$b8... so the patch will be at $b8!
    lea     patchintro(pc),a1   ; copy patch to $b8 (unused address)
    lea     $40100+$b8,a0
    moveq   #sizepatch-1,d7
.cpy
    move.b  (a1)+,(a0)+
    dbf     d7,.cpy
    jmp     $40000              ; copy prog to $500 and start
Here is the patch:
patchintro:
; skip test $4521
    move.l  #$4e714e71,$f4d6
    move.l  #$4e714e71,$f4da
    move.l  #$4e714e71,$f4de
; skip $4521 in write score
    move.l  #$4e714e71,$f6ac
    move.w  #$4e71,$f6b0
    jmp     $B000               ; start Intro
sizepatch=*-patchintro
Write the new boot and restart: the loading is OK!

Start the game, play. Quit the game (Esc): the program jumps to the Intro (reads the hiscore, track 1). That works.
You can test the whole game by using the built-in trainer: J+1 to 6 for level, J+K for invulnerability.
To fix the hiscore save, try to replace the sync word $4521 with the standard one: $4489.
New patch:
    ...
    move.w  #$4e71,$f4da
    move.w  #$4e71,$f4e0
    move.l  #$44894489,$f6ae
    jmp     $B000
(Not tested on a real Amiga. Doesn't work on WinUAE.)
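The protection above hinges on two disk-format details: the custom MFM sync word ($4521 where the standard Amiga sync is $4489) and the odd/even MFM decode routine at F4D0. As an added example, not code from this tutorial, here is the Amiga-style MFM encode/decode plus the clock-bit rule that decides whether a 16-bit pattern can serve as a sync mark at all; it assumes the game's decode routine does the usual odd/even longword merge shown here.

```python
# Added example, not the tutorial's own code: Amiga-style MFM encoding/decoding and the
# clock-bit rule that lets a sync word be found in a raw track. Assumption: the game's
# decode routine at F4D0 performs the usual Amiga odd/even longword merge shown here.

MFM_MASK = 0x55555555  # data bits live at even bit positions; odd positions hold clock bits


def insert_clock_bits(data_word: int, prev_data_bit: int = 0) -> int:
    """Fill the clock positions of a 32-bit MFM longword whose data bits are already in
    place. MFM rule: the clock bit is 1 only when the data bits on both sides are 0."""
    out = data_word & MFM_MASK
    prev = prev_data_bit
    for pos in range(30, -1, -2):          # walk data positions from MSB to LSB
        data = (out >> pos) & 1
        if prev == 0 and data == 0:
            out |= 1 << (pos + 1)          # clock bit sits just above its data bit
        prev = data
    return out


def amiga_mfm_encode_long(value: int, prev_data_bit: int = 0) -> tuple:
    """Trackdisk layout: a 32-bit value becomes two MFM longwords, first the odd data
    bits, then the even data bits, each with clock bits inserted."""
    odd = insert_clock_bits((value >> 1) & MFM_MASK, prev_data_bit)
    even = insert_clock_bits(value & MFM_MASK, odd & 1)   # bit 0 of odd is its last data bit
    return odd, even


def amiga_mfm_decode_long(odd: int, even: int) -> int:
    """Inverse of the above: strip clock bits and interleave the two halves."""
    return (((odd & MFM_MASK) << 1) | (even & MFM_MASK)) & 0xFFFFFFFF


def clock_rule_violations(pattern: int, nbits: int, prev_data_bit: int = 0) -> list:
    """Return the clock-bit positions (counted from the MSB) where `pattern` breaks
    the MFM clock rule. A legally encoded data stream has no violations."""
    bits = [(pattern >> i) & 1 for i in range(nbits - 1, -1, -1)]
    bad, prev = [], prev_data_bit
    for i in range(0, nbits - 1, 2):
        clock, data = bits[i], bits[i + 1]
        if clock != (1 if prev == 0 and data == 0 else 0):
            bad.append(i)
        prev = data
    return bad


def is_usable_sync(word16: int) -> bool:
    """A sync word is usable only if it can never occur inside encoded data, i.e. it
    violates the clock rule whatever data bit preceded it. True for $4489 and $4521."""
    return all(clock_rule_violations(word16, 16, prev) for prev in (0, 1))
```

Both $4489 and $4521 contain a missing clock bit, which is why either can mark the start of a sector; a copier that only recognizes the standard $4489 never resynchronizes on the custom track, which is the "something is wrong at the first track" X-Copy reports.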
The original game has some bugs. Why not fix them now?
- First bug: the Intro logo is not centered with ECS (Agnus).
Let's go with AR: take a look at the copperlist of the intro: c1
The logo is at the bottom of the screen/copperlist.
Found at BD40: $e0,$2,$e2,$3e84,... bitplane pointers for the logo.
A shift of 128 pixels (16 bytes = $10): add $10 to the values of bplxpt: 3e84 -> 3e94 ...
Try: it's OK!
Is this address directly in the copperlist or does it come from a pointer? Searching BD40: nothing. Searching BD42: found at C492 (or searching $23e84 - fa 23e84: found at bd83). The logo pointer is at BD80.
So, add the fix to patchintro:
    ...
    move.l  #$23e94,$bd80       ; $23e84 -> $23e94
    ...
Reboot, and enjoy.
BUT... the HiScore panel is now bugged: characters are shifted... so... to fix!
Note: in the WHDLoad source, there is a patch after the "centering logo":
    move.l  #$fffffffc,$c41a    ; small alnum letters (see hiscore)
Other bugs were found by crackers or WHDLoad patchers: fixes for the main program ($40000)
- Problem with weapons in 2 players mode: fixed by Angels/Defjam
    move.b  #$14,$40100+$3E5A   ; clr.w $12(a3) -> clr.w $14(a3)
    move.b  #$14,$40100+$3E60   ; addq.w #1,$12(a3) -> addq.w #1,$14(a3)
- Gfx bug in level 5: fixed by Harry/WHDteam
    move.b  #$20,$40100+$7C34   ; copperlist wait $4000 -> $2000
- Trainer keys J+K replaced by J+I (problem with A2000/A4000 keyboard): by WHD patchers (Jotd/Harry)
    move.b  #$17,$40100+$1A9B   ; replace keycode "K" by "I"
Final boot code:

    dc.b    'DOS',0
    dc.l    0
    dc.l    $370
; original code
Start
    move.w  #$180,$DFF096
    clr.w   $DFF180
    move.l  a1,-(sp)
    lea     loc_0_400AA(pc),a5
    movea.l 4.w,a6
    move.l  #$20004,d1
    jsr     -$D8(a6)            ; AvailMem(req)(d1)
    move.l  d0,4(a5)
    move.l  #4,d1
    jsr     -$C6(a6)            ; AllocMem(size,req)(d0,d1)
    add.l   d0,4(a5)
    clr.w   d0
    move.l  d0,(a5)
    movea.l (sp)+,a1
    move.w  #2,$1C(a1)
    move.l  #$50000,$28(a1)     ; load crunched main program
    move.l  #44*512,$24(a1)     ; len: 44*512
    move.l  #22*512,$2C(a1)     ; offset: 22*512
    jsr     -$1C8(a6)
    move.w  #9,$1C(a1)
    clr.l   $24(a1)
    jsr     -$1C8(a6)
    move.w  #$7FFF,$DFF09A
    move.w  #$7FFF,$DFF096
    movem.l d0-a6,-(sp)
    nop
    nop
    nop
    movem.l (sp)+,d0-a6
    move.l  0(a5),d0            ; ptAllocMem C00000
    move.l  4(a5),d1            ; ptAvailMem+ptAllocMem C7E800
; patch
    move.w  #$4e75,$5012a       ; replace JMP $40000 by RTS
    jsr     $50024              ; decrunch to 40000 and return here
; patch 40000 main prog
; trainer key J+K replaced by J+I (problem with A2000/A4000 keyboard)
    move.b  #$17,$40100+$1A9B   ; replace keycode "K" by "I"
; fix weapons in 2 players mode (by Angels/Defjam)
    move.b  #$14,$40100+$3E5A   ; clr.w $12(a3) -> clr.w $14(a3)
    move.b  #$14,$40100+$3E60   ; addq.w #1,$12(a3) -> addq.w #1,$14(a3)
; gfx bug in level 5
    move.b  #$20,$40100+$7C34   ; copperlist wait $4000 -> $2000
; install patch Intro
    movem.l d7/a0-a1,-(sp)
    lea     $b8.w,a0
    move.l  a0,$40100+$5DA      ; replace JSR $B000.L by JSR $B8.w
    lea     patchintro(pc),a1   ; copy patch to $b8 (unused address)
    lea     $40100+$b8,a0
    moveq   #sizep-1,d7
.cpy
    move.b  (a1)+,(a0)+
    dbf     d7,.cpy
    movem.l (sp)+,d7/a0-a1
    jmp     $40000              ; copy prog to $500 and start
patchintro:
; correct centering of Advantec logo on ECS Agnus only ($dff07c = $ffff OCS / $fffc ECS)
; ECS Agnus/Full ECS only
    move.l  #$23e94,$bd80       ; $23e84 -> $23e94, but issue with hiscore panel (characters shifted), to fix...
    move.l  #$fffffffc,$c41a    ; small alnum letters (see hiscore)
; crack it!
; the hiscore track (=01) acts also as protection
    move.b  #$60,$f40a          ; tst d7. beq -> bra $f434: success check
    move.w  #$4489,$f488        ; normal sync word ($4521)
    move.w  #$4489,$f4d6+2      ; cmp.w #$4521,(a3)+
    move.w  #$4489,$f4dc+2      ;
; write score
    move.l  #$44894489,$f6ac+2  ; sync word $45214521
    jmp     $B000
sizep=*-patchintro
loc_0_400AA:
    ds.l    2
That's all.
UPDATE: Saving the hiscore in NDOS mode fixed.
Don't forget to copy the hiscore track content onto the new disk: with AR, the saved hiscore is loaded to $d2f6-$d396 and the original game reset scores to $d396-$d436.
2008 (c) Heavy/VrS!/Cyb
Download:
- Cracked disk 1 (use built-in trainer)
- sources of the original boot and patched boot