|
25 July 2011, 17:14
|
#41 |
|
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
|
Just goes to show what you know, Codetapper - I'm about to show StingRay my personal notes about what I know about these checksums (most of them anyway)! Don't assume silence to mean a lack of knowledge.....
Sorry for the delay, StingRay, had issues elsewhere, but I've been wanting to gather this up and post some good detailed chit-chat about what does what. My 'triggering' meant intentionally acheiving the bad flags so that I know what effect they cause on the game. Bear in mind I'm not out to "educate" you guys (since you know the game inside out already) or anything like that, just want to prove that I'm not talking out of my behind like you so love to believe. Anyhoo.... Code:
(Note: all offsets here are based on viewing "GAME.500" in a hex editor, and *not* on Resourcer or RAM memory.)
Checksum #1 @ $14C88
--------------------
When is it called? Just before the game starts (i.e. before the stats screen appears). It is called several times in succession for some reason.
What does it do? It checks if $2CEDA = -1 (or FFFF). If it matches, it clears the instruction at $13A74 (called when you proceed to make a bid for a player in the Transfer Market section).
Result: Game gurus when you attempt to bid for a player in said section.
Notes: The most likely result for a cracker who assumes skipping the protection check will be all that's required. Thank heavens I've learnt to come up with a better instruction then! ;)
Checksum #2 @ $2103A
--------------------
When is it called? Just before you access the "Stadium Construction" screen.
What does it do? It checks if $2CC16 = 303A ("MOVE.W XX(PC),D0"), the start of the routine called upon a non-match in the answer check. If it does not match, it inserts an RTS at $13D0, which is the routine called whenever the game has to swap graphics over in-between screen changes.
Result: Game is denied the routine to clean out and refresh graphics upon each screen change, resulting in numerous glitches and an increasingly-difficult-to-make-out game.
Notes: I'm not quite sure what reason someone would have to alter $2CC16 myself!
Checksum #3 @ $27304
--------------------
When is it called? Unsure, have not found a way to invoke it in the game so far.
What does it do? It checks if $2CEDA = anything other than 0 or -1. If it finds a 0, it calls $2CD08 - the routine that usually runs upon a failed answer check.
Result: Same screen as if you answered incorrectly three times, game lost, will need to reboot.
Notes: I don't know how the heck StingRay managed to come up with a different offset for the target check area, seeing as it's the same spot checked in #1!
Checksum #4 @ $276F4
--------------------
When is it called? Haven't found it yet.
What does it do? It checks if $2CC08 = DF - though why it would check for an illegal value in that spot and why anyone would want to put it there to begin with is a mystery for the ages. This routine is supposed to clear the screenmem if it gets a match, apparently.
Result: Unknown?
Notes: StingRay already made a point about what exactly the point of this routine is (i.e. seemingly none).
Checksum #5 @ $29BAC
--------------------
When is it called? On the first page of the options menu (the one you get from clicking the question mark icon in the main menu). It seems exclusive to the first page of it as it is called everytime you click the left icon at the bottom.
What does it do? It does a double-check, checking first if (the answer check spot at) $2CC08 = NOP, then checking the space after that ($2CC0A) for the same value. If it gets a match during either one of these times, it inserts an RTE at $1C240, the start of the routine that's called when you click on the Phone icon in the main menu.
Result: The next time you choose to access the phone, the game immediately gurus.
Notes: I initially assumed it was going off by two bytes, but then I noticed it was doing the check twice in succession, so there you go!
Checksum #6 @ $2C70C
--------------------
When is it called? Just before the name entry screen appears, post-decryption-routine (if you allowed it to happen or not of course).
What does it do? It checks if $2E6CA = RTS, $2E6CA being the start of the decryption routine that is called before you get to enter your name. If it matches, it empties out the exec area ($4 in RAM).
Result: Game gurus after you finish the codewheel check.
Notes: Strange how there's no check to see if the decryption call is branched past to begin with, as that is the one way of avoiding the decryption routine without falling foul of a checksum!
|
|
|
25 July 2011, 17:22
|
#42 |
|
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
That doesn't really answer my question! How did you find these checksums? So far you have written what I already wrote in the comments of my source, you just used more words.
|
|
|
|
25 July 2011, 17:37
|
#43 |
|
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
|
Well technically you didn't mention what effect checksum #2 caused
 , but seriously, I'm not quite sure what you mean exactly. Your notes didn't point the locations of the checksums out for me immediately, so I had to use my wit and find matching opcodes within the memory, put 2 and 2 together etc. I did initially have trouble with ARIII not finding the checksums straight away, but then I wisened up and made my search requests more explicit than usual, and that's when the fun part of setting up breakpoints and messing about with specific spots to achieve bad flags began. ^.^Hard as it is for you to believe, I do take the time to back my findings up! At the end of the day, I've managed to learn a lot more internal stuff about this one game than I used to before. |
|
|
|
25 July 2011, 17:46
|
#44 | |||||
|
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Quote:
Quote:
Quote:
And it's very easy to find the exact locations of the checksums once someone tells you that the hunk header is not included in the offsets... Quote:
Quote:
|
|||||
|
|
|
25 July 2011, 18:03
|
#45 |
|
Junior Member
Join Date: Dec 2002
Location: The Streets
Age: 39
Posts: 2,731
|
Wait wait wait, mistaken identity much? I never claimed to be the first one to track down the checksums. Yes, you did all of that first, but it was through the discussion of this game, the notes and the checksums that I took an interest in this game in the first place and decided to check it out for myself. Yes, I made a few mistakes regarding patches on here, but you learn every single day. We all do!
And I did assume at first that all the offsets were simply $20 bytes off of yours with the hunk header included, but my little spot of research proved otherwise! I know I tend to get my words mixed up at times, but it seems time and time again people on here see me as some kind of arrogant, egotistical "know-it-all" master cracker. Frankly, I'd quite like to have whatever you're smoking please. Anyway, as far as I'm concerned, I'm done with the game for now. I learnt all about the decryption routine, the LEA adjustment tricks in the checksums, the way random spots in the game are chosen to initiate them, and even how to come up with alternate answer check opcodes that the routine changes into valid ones that mark all the ticks. Like I said, I'm not good with footie sims and I don't intend on spending many more hours trying to find any more ticks with it. This was a good learning experience, nothing more, nothing less. Now please cease the interrogations. |
|
|
|
25 July 2011, 18:15
|
#46 | ||||
|
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Quote:
Quote:
Quote:
Quote:
- you have learned to copy my work and to brag about how you "tracked down the checksums" when it's clear that you don't have any clue how to do that You have nothing to brag about until you prove that you can actually do things on your own! |
||||
|
|
|
27 July 2011, 01:47
|
#47 |
|
The Headstrong
Join Date: May 2010
Location: Älvängen / Sweden
Age: 49
Posts: 273
  |
@MethodGit: Don't you understand that it is meaningless to re-do the same work that has just been presented and then present that again. Even if you have done all the work yourself with no guidance (which is hard for anyone to believe) there's still no point to it.
Does it give US anything? I'll answer that for you - NO, there's no new information. All it could possibly do is to boast your own ego ("I can do it too") but still, no idea in publishing your findings after the nut is already cracked. @StingRay: Interesting crack, impressive work, how much time did you have to spend on it? Perhaps noone has cracked it properly before because it's a boring game to play. ;-) Is there a lot of prestige in using certain rudimentary tools for a crack, seems smarter to me to do it the easiest way. I understand it's best to fully understand a protection scheme and backwards engineer the programmers ideas but it's perhaps not always the fastest approach? |
|
|
|
27 July 2011, 18:18
|
#48 | ||
|
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
|
Quote:
Quote:
|
||
|
|
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Problem between Winuae and Premier Manager 3 Deluxe | ramon23035 | support.Games | 3 | 20 September 2012 09:19 |
| Premier manager 1 | Gordon | project.WHDLoad | 2 | 26 August 2009 10:55 |
| Premier Manager 3 | citytillidie89 | request.Old Rare Games | 4 | 28 September 2006 13:35 |
| Premier Manager 2 | FolkfordUtd | Retrogaming General Discussion | 2 | 07 March 2006 16:51 |
| Premier Manager 2 | kaepi | support.Games | 0 | 24 January 2006 19:51 |
|
|
