12 January 2006, 00:24 | #1
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
Cracking Tutorial: Carrier Command
Here is an OLD Carrier Command crack that I found on the web.
It is not elegant or fancy and the author is a bit sarcastic and swears a heck of a lot, but it's a start.
CRACKING TUTORIAL
-=By NEC of LSD=-

FIRST A DISCLAIMER.

LSD would like to make it clear that they do not promote anyone to undertake the following tutorial. There is no gun pointed at your head, it ain't a game of "Simon Says!". It is your decision when you decide to partake in this article. It is merely a guide, and nothing more. Lsd and any persons affiliated to Lsd or its members CANNOT be held responsible if you TOSS IT UP! If you destroy your only original copy of Carrier Command, ......TOUGH! We have no sympathy. The instructions are clear enough, and if you cannot do the job according to this article, then go and read something else! If for some reason, while you are noncing around the code, you ACCIDENTALLY trip a routine that tries to access track 90, and your drive head goes loopy, ......TOUGH! If you follow the tutorial correctly, there will be NO problems. If you go off on a tangent, then more fool you! Lsd.

For this tutorial we have picked an old game, for various reasons; Carrier Command is old and available to most people, and if a tutorial to a brand new game was here there would be a few pissed off companies to say the least! After reading the disclaimer and acting on it, you will need the following:

1. A copy of the ORIGINAL game.
2. A 1 meg Amiga with Action Replay.
3. A PRO-DECRUNCH capable packer. So for those that have Powerpacker.... forget it! Any of the following will do: Defjam 3.0 or higher, Syncropacker, Crunchmania, Stone Cruncher, Double Action, Logo 7 and any other decent ones that are PRO DECRUNCH capable. Forget using Tetragon's TETRAPACKER V2.2, it cannot pro-decrunch properly.

NOTE: There is a bug in Defjam packer. It doesn't matter what version it is, sometimes it really fucks files! If you add 5K to the actual file length when crunching, it will stop Defjam from rear entry. That was found out by Shagratt of Lsd.
As an added note, the supposed "fixed" version of Defjam packer recently released still contains ALL the bugs we are aware of in the previous versions. The requestor library is a useful addition however. If you want to crack games with speed and accuracy, you can forget Amigamon. If you think you have a couple of days to crack a game, think again. Action Replay isn't the hottest bit of kit, in fact it is rather crude by C64 standards, but it serves its purpose a damn sight better than Amigamon.

HOW DO YOU LEARN TO CRACK?

Well it is as simple as this. Many crackers are SELF taught. Generally there is no-one you can confer with except YOU. Most quality crackers have all been self taught. Obviously if you have been with the Amiga from the VERY start, you will have developed your cracking along with the protection. Some protections have got better through the years, but not until they were hybrids of poorer versions. For a total newcomer to try and crack Full MFM is just not possible. So am I gonna tell you how to do every protection under the sun? NO! Reasons?

1. Well firstly, as I said, we that have strived to get the experience we now have, have done it through fucking hard work! The last thing I want to do is have a massive influx of people CLAIMING to be able to crack, and put the reputations of ALL of the above in jeopardy.
2. We got no help from anyone, so why should you have it on a plate?
3. Software companies are cunts at the best of times, but some of them ARE WORTH supporting. For me to tell you how to do every protection would have MAJOR repercussions on the software industry. You don't believe me?? Well picture this. Let's say that Grapevine has a mass distribution of about 250,000 people over a period of months, which is quite feasible (I hope!). Of that 250,000, 10,000 look at my articles and are able from there on to crack most protections. That is a possible 2000 people out of 10,000 people that can swap, get to a modem, etc etc.
You figure it out. We are not here to put software companies out of business. We just don't want to pay 25 quid that in MOST cases is totally unjustified. There are very few GOOD crackers. That is the way it will stay. From my articles, you will gain an insight and nothing more!

I hear someone saying that single filing is easy and lame! Yes, because MOST single filing is exceptionally easy to do, with a few exceptions. No, because who in their right mind would get a game with full MFM protection on it, that loads in one go, and then crack the MFM! I know in some cases, like I.B.M. of Crystal, who decided to retain the picture on Mercenary III. Nothing amazing in that you might think, but it is then 100%. This is the system that myself and Dreadnought will be doing from now on also. It makes that crack the little bit more appealing and you feel safe in the knowledge that you have not deprived the Amiga community of something. The best example would have to be Rick Dangerous (first one). It had tonnes of files, but loaded in one go. I would be fucked if I could be bothered to crack the full protection in favour of single filing it. Although SOME people think it is lame to just single file a game instead of cracking the thing fully, can you remember back to the good ole days of Paranoimia, Trilogy, Thrust, and Bamiga Sector 1? They would crack the game properly. Someone would then single file it, and FORGET TO CREDIT THE ORIGINAL GROUP for cracking it. Bad news indeed. So we have established that depending on what protection it had originally will depend on how you go about cracking it. I don't expect all the beginners out there to code their own fileloaders to make it 100% with all pictures, I just expect you to be able to single file a game with ease, taking out all the other protection with it.

HOW IS CARRIER COMMAND PROTECTED?

Well Carrier Command has two protections on the disk. They both link in with each other. You can't dump one unless you get rid of the other.
There is 'Light MFM' and Novella protection.

LIGHT MFM

Light MFM has two purposes. For a start, the Action Replay cartridge cannot read in Light MFM tracks at all. The structure of the tracks has been changed sufficiently enough for the Action Replay to go GA GA! Light MFM can however be copied on NIBBLECOPY in X-Copy (on a utility disk near you). So what is the point of having light MFM on the disk when X-Copy can breach it? Simple. The other protection is the Novella protection. This is the protection like this:

    What is the word on page 24, paragraph 3, line 4, word 8. Please enter here>

I won't go too in-depth at this point, but basically the novella protection has to be ditched. But if you can't read the tracks into memory, how are you going to ditch the protection?? I can hear someone saying, why don't you just let X-Copy read in the tracks into memory, and then save 'em down by intercepting them with the Action Replay? Because it encodes all the data, that's why! So first of all we need to locate exactly where the novella protection is located. So get your copy of Carrier Command and do the following:

1. Load the disk.
2. Press 1 to select English.
3. Type anything you like at the protection check three times.
4. Stare at the screen with a blank look as you get presented with a black screen.

Now this is always how I go about ditching Novella. You need to see exactly what the protection does when you get it wrong. So what you need to do now is hit the button on the Action Replay. You are now presented with that lovely blue colour... Now what you need to do is hit the old 'D' button. What does it do? Well what it does is tell you the point at which you broke into the program. It will give you something like this. (I am gonna use the EXACT numbers etc, so that there is no confusion. Unfortunately I cannot guarantee when you will press the button, but if I feel that the number you get is gonna be radically different from the number I get, then I will tell you so.) I can tell you that the only possible addresses that it WILL be is the following. I have done the whole routine so that I can explain exactly what it does.

======================================
0000CB96 MOVE.L (A7)+,0000121E.S
0000CB9A JSR 0001A3FA
0000CBA0 JSR 000066D8.S
0000CBA4 SUBQ.W #1,000022A4.S
0000CBA8 BNE 0000CA92
0000CBAC NOP
0000CBAE BRA 0000CBAC.S
======================================

When you break in, it will be in either CBAC or CBAE. It will not be in any other routines, so if it ain't in one of these two, then you have fucked up! It is basically cycling through these two instructions, and will continue to do so unless you stop it. The Protection check has noted that you have screwed the protection up and has dumped you in this routine. Now how do we go about ditching the protection? Well those dotted lines around the routine are not there to make Grapevine look more sexy! They are there to show the breaks in the routines, a la Action Replay. Now I am gonna assume that everybody has the very first version of the MK II. The later versions put the dotted lines onto the screen when you scroll up, whereas the older versions do not! Thankfully all new versions have this fixed. So assuming that your Action Replay is like mine, let's get to it. So you see either of the two instructions.
12 January 2006, 00:25 | #2
1. Press the RETURN key or the DOWN CURSOR, whatever you prefer, to scroll the screen up. As you get past the instruction CBAE, the Action Replay will insert a dotted line after it.
2. Now carefully keep it scrolling up the screen until the address that you FIRST saw when you broke into the Action Replay is at the very top of the screen WITHOUT it disappearing.
3. Now press the UP CURSOR to scroll back up the screen so that the address that you first saw is below the middle of the screen.
4. Look under the dotted line and you will see the instruction CB96. Hummm, isn't that a little bit above the original instruction I was at before? Yup, it certainly was. Wonder if all of this routine is part of the protection? The coders among you will be able to spot it straight away. The instruction located at CBA4 is the SUB command for the protection. You have three goes to get it right. Every time you get it wrong, this routine subtracts 1 from the goes you have left. Experiment with a few routines etc, but if you fuck up, you will have to load it again.
5. So you have found the top of the routine. Now why do we need to do that? Well it is simple. This routine dumps the program and cycles in this routine. So basically you want to find the instruction or routine that calls it up and tell it not to. Sounds hard? We will see. Surely if you tell the program not to go to the routine that dumps you, it should in fact carry on. Read on.

Now we are going to implement the FA command on the Action Replay. This command means to FIND THE ADDRESS. You want to find the address or instruction that calls up the protection. So let's go.

1. Type FA and then the address that you know. The one you should have is CB96. If it ain't, then check again.
2. Hit RETURN and wait a while.
3. Eventually, all going well, you should get a figure on the screen like this:

    FA CB96 0 80000
    SEARCH FROM: 0000000 TO: 080000
    0000CB7E BNE CB96

A quick rundown on the numbers etc.
The CB96 is the number you want the Action Replay to find an address that goes to it. The 0 is where I want it to start the search from, and the 80000 is the end of where I want it to search.

TIP: Generally the coders of these games use lame code. They like to be able to get it sorted as quickly as possible. The chances are that the address you want it to find is nearby. So instead of searching the whole of memory, how about searching from say CB00 to 10000. This won't always work, but 90% of the time it does yield.

So the Action Replay tells you that the instruction that goes to it is CB7E. A BNE, yahoo! With novella protection, a BNE generally signifies the end of your search. Most of the novella protections around are LAME. So we have established that the BNE is the problem. How do we know? I mean there are loads of BNEs in the game, how do we know that this is the one? Well the mega giveaway is the fact that it has a CMP instruction above it. This basically COMPARES either bytes or words. If the byte or word is not equal, then it goes to the BNE. By the way, BNE stands for BRANCH NOT EQUAL. So think it through methodically. It compares the word and says to itself, "Hummmm, he has entered the wrong word because I have compared it with the one that is correct and the one he entered was the wrong one. Well now it ain't right, I am gonna go through the BNE cos it ain't equal." Obviously it doesn't actually say it, but it is just simplified down to what it means. It looks at what you entered and checks that you fucked up, so then it goes to the BNE. Ok, so what if the BNE did not exist? What purpose can that serve, I hear you mumble. Well if your friend gets the protection wrong, like he is gonna get all the time cos there's umpteen different words and only three guesses, you need to tell the computer not to worry about the protection and not to bother. Ok. Let's see what we can do about it. Let's ditch the BNE and see what happens. Here is how to get rid of it.
1. Type 'A' and then the address CB7E.
2. Type NOP and RETURN.
3. Press ESCAPE to exit the Assembler.

We will assume that you have reloaded the game, but this time leave it on the protection screen. Don't touch the keyboard. There is no need to execute the protection, because you know where the protection routine is, don't you? Making sure you have assembled that address, you may now exit back to the game. Now type anything on the screen and hit RETURN.

DA DA DA DA DA DA DAAAAAAAAAAA!!!!!

Oh my god, it has started the game up. And who would have thought that typing FUCK OFF would bypass the protection! So we have ditched the Novella protection, but what about ditching the protection on a permanent basis? I mean it has light MFM tracks, which means you can't save it back to disk. Hang on a mo. Carrier Command is a vector based game, has very little graphics and loads in one go! Hmmmm. Is it possible to save the whole file out and make it work without the original disk? Yup and Yup again. Little Jimmy at the back of the class asked the question with a puzzled look. "But Miss, how do I know where the file starts and ends?" The teacher stared back hard at the poor little lad and said "Why, you look at the loader you stupid little man!" With that, little Jimmy made sure he had noted the address to ditch the novella, and reloaded the game. (Jimmy by the way lives in Denmark where it is perfectly legal to hack. Hence the scenic and comforting inclusion of the teacher in high heels and suspenders!) So having read the little tale of woe by Jimmy, you won't feel stupid because now little Jimmy has got the answer for you! So as the game is reloading (just like little Jimmy!), hit da button on the Action Replay. Yes, in the middle of loading. Forget the bollocks from the magazines telling you that it is dangerous and that it will damage the disks, because the Action Replay turns off the drive when you hit the button.
Now do what you did when you wanted to ditch the original novella protection. So you have pressed 'D' and have noted the address.
12 January 2006, 00:25 | #3
When you break in, I have absolutely NO IDEA WHERE YOU WILL BE WHATSOEVER! This particular loader is a fickle bast, and as such it is constantly loading data, so it is going through different instructions all the time. This does not make me happy, because now I have to write tonnes more to explain exactly how you guys can find the start. I am gonna cut a lot out for a start. When you break in, the address is gonna be between 76C00 and 77C00. So how about I tell you how to find the start a little bit quicker. I mean a loader can't be that big compared to a whole game. So let's ditch the Disassembler command for the mo, and let's look at memory using the 'N' command. With this command it lets you look at memory from the data point of view, not the very boring assembly language. So let's just pretend that the address you broke in at was address 76DE4. So type da following:

    N 76DE4

Then press RETURN. You will be greeted with numerous characters flung very tastefully across the screen. For those that thought that Andy Warhol was dead, guess again! So for the uneducated, it looks like a mass of shit on the screen. But it is in fact code in its data format. By looking at the code this way, you can scan through memory a damn sight faster than by disassembly. Disassembly goes through two instructions per press of the RETURN, whereas the N command gets through forty of them. For the experienced Hackers and Coders, it is very possible to spot the jump for a game or a demo like this. It don't always work, but once you mess around the bast long enough, you will pick up little things yourself. So what you need to do now is scroll through memory. Wow! I can hear you now. The bibbley bobbley bits of crap have all gone. Could this mean the end of the world or the end of the loader? So after pondering for an eon, you have finally plumped for the end of the loader. So using your amazing powers of deduction, you immediately think: "Jeepers Watson. If this is the end of the loader, then maybe, just maybe, if we scroll back up through memory, we might find the start." said Sherlock with a voice of sudden realisation. "Do you know Sherlock, I think you've done it again. By gad, how come you are so infeasibly intelligent and I am always portrayed as a stupid fat thick cunt!" came the answer to Sherlock's first question. "Because you are Watson! I have said it myself on numerous occasions that you should stop indulging in prime Spam from Gateways!" came the answer that made Watson feel even more suicidal than he was before, and wishing he had never bloody asked! So now we leave our two heroes to carry on with the tutorial.

So taking our two friends' advice we scroll back up memory. The loader seems to stop at address 76C00. I know because I checked, and a little voice told me that I should trust my feelings and go with what I truly believe to be a part of existence. If it means wearing a 1973 Adidas Maroon tracksuit, no thanks matey! So things to look out for in a loader are the following.

1. The LEA command with an address in it.
2. A JMP with the same address, preferably in the same routine.

A STORY

I cracked the Godfather on 6 disks! It had Novella protection, by forcing you to read off a code wheel (terrible inventions, about as much use as a keylock device on an Ocean game!). I did not even try and get the protection wrong. I broke in as soon as it asked me to look on the code wheel for the three letters. There before me were three BNEs. I got rid of them, saved it down, crunched it and ran it. It ran first time with ALL the protection removed. That will only come with experience. I don't expect you all to be able to do it so quickly, but time will tell. It also had light MFM on the disks as well, so none of the less experienced would have passed that part anyway, as the disks COULD not be copied! So gain before you seek fame!
Not all loaders are as lame as this, but a good majority have still not changed their protections since this one was introduced. (If anyone from Eldritch the Cat Ltd. is reading this, for god's sake change your protection, otherwise MYTH is gonna be a quick two minute crack!) Eventually, after searching through reams of code using the assembler (remember, you only used the N command to search quicker!), you will come to this routine.

======================================
0076C9A LEA 0000400.S,A0
0076C9E BSR 0076DA8
0076CA2 BMI 0076C96.S
0076CA4 LEA 77400,A0
0076CAA JMP 0000400.S
======================================

Hummmmm. Now let's break some of the commands down into layman's terms. Well according to my wealth of immense knowledge, an LEA is to LOAD EFFECTIVE ADDRESS. So the loader is gonna locate something into the address 400 and into A0. Hang on, it jumps to 400 later on in the SAME routine. Well if it is locating something there, and then it jumps to it, nahhh it could not be the start of the program. Let's find out. Erm, how the hell do we find the end of the game? Right, let's reload the game. Yes, reload it. When the picture comes up, hit da button. Press P for Picture. You will now see the tacky Carrier Command picture that no one at Realtime Games is proud of! Press the HELP key. If you move the mouse around, you will see a little box of figures and shit in it. Look at the first number. The figure is where it locates the picture in memory. So, we know that the picture is not essential to the game at all. So from that area of memory to 80000 is wasteable. The number should be 77400 I think! You now know that you can ditch whatever is located at 77400 and on. Not much of a saving is it? Okey dokey. Let's bung a breakpoint at address 76CAA. Why? Well this is the address the program jumps to once it has loaded. Now it is useless you trying to save the game from any other point as you won't know what the SR registers are, or how big the file is (ooer!).
A LITTLE EXPLANATION OF HOW A GAME SUDDENLY FILLS THE WHOLE OF MEMORY!

Let's assume you have got a game, and you have bunged in a breakpoint to stop it from jumping to 400. You know that it ends at 60000. But when you play the game, and break in, all of a sudden all of the memory past 60000 is filled with data! Gasp shock horror! How are you gonna crunch the damned thing now? How did the memory get filled with data? Well if you were to play the game, and break in with the button, press P for picture and HELP. Now ain't that funny. The screen graphics are located past 60000. Well where else do you expect the damned thing to display its screen display, in the middle of the code! So after that sarcastic jaunt into a game we don't have, we will now go back to Carrier Command.

So let's break in as the game is loading, and bung a breakpoint in at 76CAA. This way we get to look at memory before it sets up any screen displays. Eventually, after a few moments, old blue will kick in with the breakpoint. Now let's saunter through memory. So we know that the picture is located at address 77400. So let's go backwards. Oh there is the loader for the game. Now let me think. The game has loaded. So that means it won't be needing it anymore. Kewl, let's ditch that bozo! So we have trekked back through memory and eventually we see code at around the 4B700 area. Great, it starts at 400 and ends at 4B740 or thereabouts. Kewl! Right, before we forget, let's NOP address CB7E. Ho Ho, wouldn't it be funny if we forgot! So are we gonna assume that it is all the game code? Well yes and no. Yes, cos we know it loads in one go and it don't need the picture. No, because we are all new to this and we want to test it out to be sure, for sure! Okay, get a blank formatted disk. Put it through VERIFY. Although the Action Replay format says it's Kewl, it ain't 50% of the time. So always chuck it through VERIFY.
There ain't nothing worse than a file being saved, only to have a data checksum error halfway through! So do it! Now we want to save the file out. Follow these simple instructions.

1. Type this: SM CARRIER,400 4B740
2. And then hit RETURN. This will save the memory under the filename CARRIER, from address 400 to address 4B740. Eventually, after numerous noises that are not dissimilar to read/write errors, it will finish.
3. Reset the machine.
4. When the Workbench hand appears, hit the button and type the following: LM CARRIER,400
5. And press RETURN. This will load the file CARRIER into memory at address 400. You don't have to work out what the end address is gonna be because the cartridge does it for you.
12 January 2006, 00:26 | #4
Now you know that 400 is the start, so type this: G 400

6. And press RETURN.

Oh FUCK, it don't work. Now how can that be? Let's hit the button and G 400 again! Oh shit, it worked this time! Now why was that, I bet you are wondering. You saved all the details that you could possibly need. Or did you? Now if you look back a bit further up this doc, you will see the letters SR! What the fuck are those? Well the SR is an it, and it is called the Status Register. So how do we find that out then, guvnor? Okay, hit da button and type R and RETURN. For the totally inept, it will look like an entry test for MENSA! For the more intelligent, they will mutter "Looks important to me!" It is, my friend.

A QUICK EXPLANATION

The Status register sometimes needs setting up, and sometimes it don't. For most games that load in one go, games programmers have made the game reliant on a specific Status register. They do calculations by it, they check that the status register is the number they want it to be. I have seen loads of oddball people manage to single file a game. Great, they have taken their first steps, but then they turn around and say to me, "Well I can't crunch it, I can only run it through the Action Replay, and even then I have to go to the start twice." Oh dear. It gets even worse when they decide to let the cartridge save it for them. Very bad news. Let me tell you now. It is considered the ultimate in lameness to do an Action Replay "save all". Not only is it not cracking, there is no challenge to it! It is only guaranteed to work 100% on a machine with the same Kickstart and memory configuration! If you just want a copy for your mates, fine, but just don't try and send it to anyone who will see it and report it, or you really will come a cropper! Back to the tutorial. So we have established that programmers sometimes use this as a protection, if you like.
Budget games on the whole load in one go, so the games programmers think that the most likely people to try and crack it are the usual joes on the Amiga. So what Status register could it possibly be? Do we take the one from the game or the one from the loader? Well surely if we took the one from the game, it would work first time, and not the second time. So if we take the one from the loader, we might come up with a better result. So this time, load up your original game disk and bung in a breakpoint at the same place you did before it jumped to the start. Eventually blue will rear its ugly mug and you can now press R for registers. Now if you look in the bottom right hand corner of all the splurge, you will see the letters SR with a number next to it. Note the number and reset your machine. Now load your datafile into memory. So how do we change the Status register? Easy. Type the following:

1. R then put a space.
2. SR then put a space.
3. The number you got.

After that you will see that the status register has changed to the number that you stated. Now type G 400. Da da da da da da da! Well I think you know a little more than you did several hours ago. Kewl, the game now officially don't need the original disk. Or does it? I mean, you had to manually change the status register. A normal cruncher doesn't change the stack for you. Oh fuck, we have a cracked game we can crunch, but it won't work! Not so. "Not so" I hear the muttered murmurs of people in Strathclyde say! Now at the beginning I specified that you would need Pro-decrunch capable packers. I bet tonnes of you have Defjam cruncher, but just never knew how to use it properly! Well let's get that sorted now, because you need one of these to crack the game properly. So I am gonna use Defjam. Reasons?

1. It's a fine program.
2. It sets up the stack properly.
3. Everyone has got it. If you ain't, oh dear, what planet have you been on!
4. Reliable. (Most of the time!)
So we grab our copy of Defjam and load it up. I shall take you step by step through Defjam and explain exactly what it wants from you. First up it asks you if you want to MEGACRUNCH. Unless your file is over 350K, then you don't need it, so type N for no. It will then ask you for Low mem and High mem. Generally people just clear an area big enough to load the file into. I prefer to stick with the memory I need and no more. So if we know that the file starts at address 400, let's make low mem that address. As for high mem, let's make it our end address. It will then allocate you some memory and clear it for you so that other data does not clash. It will then ask for the Scan width. The Scan Width is how hard you want Defjam to crunch it. $10 is the lowest and quickest, and $8000 is the hardest and slowest. So for this purpose we are gonna pick $25 for a good result. So just enter 25, and RETURN. $800 is recommended by the programmer. It will then ask you the load type. It will give you three options. You can forget Trackdisk for now. Are you trying to crunch an intro that has just been compiled from Devpac? Nope, so we are just going for Plain. Plain as in data. So enter O. It will then ask you where you want to load it. Obvious really. You want it to load in EXACTLY the same place you took it from, 400. So type 400 and then RETURN. After a few minutes/seconds/hours/centuries! of loading it will come up with the same question: do you want Reloc, Plain or Trackdisk. This is because it lets you load numerous files before crunching, but as you don't want to load any more files, just press RETURN to start the packing. After a few minutes, you will be asked where you want the cruncher to jump to. Of course we all know that the start is 400, so let's jump to 400. Type 400 and then RETURN. It will then ask you what colours you want the decrunch. This is not important, but as a rule most people stick with 00.
This gives fullscreen decrunch colours, so that you can see what it is doing. (It is best to use some kind of colour decrunch on files, as if it's just a blank screen for 30 seconds the user may think the program has crashed.) After that it will ask you if you want to PRO-DECRUNCH. Normally it is a no. But in this case it is Yes. Type Y for yes. It will ask you what the DMACON is. When you got the SR for the game, you will have to also type INFO, to find out what you need to know. For this exercise, I will tell you what they are.

    The DMACON is: 6CE
    The INTENA is: 4018
    The ADKCON is: 0
    The SR is: 2700

It will then ask the question, where do you want to locate the decruncher. Well you know that the file goes from 400 to 4b700, so anything after that is perfectly safe. Bung it in at 70000 to be sure. That way it will not clash with anything. So enter 70000 and RETURN. It will then ask you the A7 register. Again this is in the INFO area. It is 5869C. So type it. Now enter your save name for the file. (Don't use the same one as you have already used.) Once done, reset the computer. Load the file through the CLI, and HEY PRESTO. A fully working, 512K, A500+, cracked, copyable version of Carrier Command.

So that is how you single file a game and get rid of some basic Novella. This document was not illustrated on how to crack Carrier Command. It was just an example of two protections. In time you will perhaps get better and better. I mean we ALL started off as humble Lamers at one time. I can remember when I single filed my first ever game. I was well impressed. Now I see it as boring and easy. But that is life. Novella to me is boring and easy. Although the protection on games like Powermonger and Defender of Rome took about eight minutes longer than usual! Well that is it from me, NEC of Lsd. I am thinking of doing one more cracking tutorial but other than that, I wait for suggestions. It is your magazine after all.
If you want to find the hidden Carrier Command Disk copier as the game is loading, goto address 76CAE. This will activate the hidden disk copier that was never revealed in the original version. There is also a second protection check in the game. If you just press RETURN without entering a word or letter of some sort, later in the game it will crash. And don't forget, typing the documents to your crack complete the release! {6As a final note from Pazza, PLEASE do not ask me for an original of Carrier Command, Defjam Packer, or to borrow my Action Replay for that matter. Any questions from stupid people regarding this article will be ignored, if you successfully single file Carrier Command, then well done, but DON'T send it to me. These words may sound unfriendly, but when I included Budokan and 3D pool tutorials on my docs disks I got dozens of requests for some of the worlds oldest utils, so if your offended then it's not meant that way, but please - DON'T SEND ME YOUR RESULTS OR YOUR PROBLEMS! However any sensible constructive or interesting ideas will be considered for future issues! End |
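The values the tutorial types into the PRO-DECRUNCH prompts (DMACON 6CE, INTENA 4018, ADKCON 0, SR 2700, A7 5869C) are the custom-chip and CPU state the game had when Action Replay froze it, and the decruncher stub has to put that state back before it jumps to 400. The practical catch is that DMACON, INTENA and ADKCON are write-only registers whose bit 15 selects "set" or "clear", so a saved value cannot simply be written back: the stub clears every bit first, then sets the saved ones. The Python below is an added example, not part of the original post and not Defjam's code; it models those three registers with the standard custom-chip offsets ($096, $09A, $09E) and bit names, generates the two-write restore sequence, checks that the modelled registers end up equal to the frozen values, and decodes the SR the way the INFO screen reports it. The "dirty" starting state is constructed for the demo, and the model ignores read-only bits such as BBUSY; restoring SR and A7 (which the real stub also does) is left out.

```python
# Added example (not from the original post or from Defjam): model how a
# PRO-DECRUNCH stub restores the custom-chip state captured by Action Replay.

from dataclasses import dataclass, field

# Write-side register offsets from the custom-chip base ($DFF000).
DMACON = 0x096
INTENA = 0x09A
ADKCON = 0x09E

SETCLR = 0x8000  # bit 15: 1 = set the 1-bits in the data word, 0 = clear them

# Bit names for decoding a frozen value (standard Amiga hardware definitions).
DMACON_BITS = {
    0: "AUD0EN", 1: "AUD1EN", 2: "AUD2EN", 3: "AUD3EN", 4: "DSKEN",
    5: "SPREN", 6: "BLTEN", 7: "COPEN", 8: "BPLEN", 9: "DMAEN", 10: "BLTPRI",
}
INTENA_BITS = {
    0: "TBE", 1: "DSKBLK", 2: "SOFTINT", 3: "PORTS", 4: "COPER", 5: "VERTB",
    6: "BLIT", 7: "AUD0", 8: "AUD1", 9: "AUD2", 10: "AUD3", 11: "RBF",
    12: "DSKSYN", 13: "EXTER", 14: "INTEN",
}


def decode_bits(value: int, names: dict) -> list:
    """Names of the bits set in a 16-bit register value, lowest bit first."""
    return [name for bit, name in sorted(names.items()) if value & (1 << bit)]


def restore_writes(reg: int, saved: int) -> list:
    """Two (offset, word) writes that leave a SET/CLR register equal to `saved`.

    The first write clears every bit; the second sets exactly the saved bits.
    Bit 15 of the saved value is meaningless on the write side and is dropped.
    """
    return [(reg, 0x7FFF), (reg, SETCLR | (saved & 0x7FFF))]


def decode_sr(sr: int) -> dict:
    """Split a 68000 status register into the fields a cracker cares about."""
    return {
        "supervisor": bool(sr & 0x2000),
        "trace": bool(sr & 0x8000),
        "ipl": (sr >> 8) & 0x7,  # 7 = all interrupts masked, as in SR 2700
    }


@dataclass
class CustomChips:
    """Tiny model of the three SET/CLR registers; each holds its 15 live bits."""
    regs: dict = field(default_factory=lambda: {DMACON: 0, INTENA: 0, ADKCON: 0})

    def write(self, offset: int, word: int) -> None:
        bits = word & 0x7FFF
        if word & SETCLR:
            self.regs[offset] |= bits
        else:
            self.regs[offset] &= ~bits

    def read(self, offset: int) -> int:
        return self.regs[offset]


def build_restore(dmacon: int, intena: int, adkcon: int) -> list:
    """Everything the stub writes before jumping to the game's start address.

    In this example DMACON goes last, so DMA is still off while the interrupt
    and audio/disk control state is put back (an ordering choice, not Defjam's).
    """
    return (restore_writes(INTENA, intena)
            + restore_writes(ADKCON, adkcon)
            + restore_writes(DMACON, dmacon))


def replay(chips: CustomChips, writes: list) -> CustomChips:
    """Apply the write sequence to the model and return it for inspection."""
    for offset, word in writes:
        chips.write(offset, word)
    return chips


if __name__ == "__main__":
    # The tutorial's INFO values for the Carrier Command freeze point.
    saved = {"DMACON": 0x6CE, "INTENA": 0x4018, "ADKCON": 0x0, "SR": 0x2700}
    # Constructed "dirty" chip state, as it might look after the decruncher ran.
    chips = CustomChips({DMACON: 0x03FF, INTENA: 0x7FFF, ADKCON: 0x00FF})
    replay(chips, build_restore(saved["DMACON"], saved["INTENA"], saved["ADKCON"]))
    print("DMACON ->", decode_bits(chips.read(DMACON), DMACON_BITS))
    print("INTENA ->", decode_bits(chips.read(INTENA), INTENA_BITS))
    print("SR     ->", decode_sr(saved["SR"]))
```

Run it as a script and the decoded DMACON shows why the frozen value matters: at 6CE the blitter, copper and three audio channels are enabled with DMAEN on but bitplane and disk DMA off, which is the state the game's own code expects to find when control reaches 400. If a hand-written stub wrote 6CE straight to DMACON without bit 15, it would clear those channels instead of enabling them.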
12 January 2006, 02:55 | #5 |
[Satan^God]
Really nice one, I enjoyed reading this tutorial very much!
Like in most cracking tutorials it sounds quite easy to crack, but that's not always the case. I cracked some games/tools myself which were fairly easy, but then other ones were unbeatable for me and I became very frustrated because of all the time I spent for nothing... Ah, the good old times...
12 January 2006, 03:27 | #6 |
Registered User
Join Date: Jul 2005
Location: -
Posts: 1,698
I believe that I have this on floppy. Made me want to get an AR.
14 January 2006, 20:11 | #7 |
In deep Trouble
Join Date: Sep 2004
Location: Manchester, Made in Norway
Age: 51
Posts: 841
2 questions for those of us with no access to AR mk(any):
Is mkII or mkIII in the TOSEC? And, if one of them is, are they usable for this under WinUAE?
14 January 2006, 22:35 | #8 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
Yes, they are both in TOSEC and they are both compatible with WinUAE.
14 January 2006, 22:48 | #9 |
Zone Friend
Join Date: Mar 2004
Location: Middle Earth
Age: 40
Posts: 2,127
What's this AmigaMon tool he mentions? Is that the tool you activate by pressing fire on the joystick?
Or is it like that old virus monitor that boots up in an AmigaDOS CLI window?
14 January 2006, 22:51 | #10 |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
It'll be your Action Replay most likely.
15 January 2006, 00:25 | #11 |
WinUAE developer
Join Date: Aug 2001
Location: Hämeenlinna/Finland
Age: 49
Posts: 26,553
You can also use WinUAE's debugger. It is not easy to use but quite powerful; especially the memwatch breakpoints, which can watch any memory address possible, even the copper's or blitter's memory accesses can be trapped. There are also other breakpoint modes, like break when disk DMA is started at track xx etc.
You can even trace trace-vector decoders, which is impossible with AR or any other debugger. SHIFT+F12 and h shows most commands.
17 January 2006, 00:04 | #12 | |
Oh noes!
Join Date: Mar 2003
Location: Neverland
Posts: 766
Quote:
Nice read Bippy
23 January 2006, 17:57 | #13 |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,016
Thanks Bippy, that was a blast from the past. Oh Jesus, that's also embarrassing. Sarcastic and not elegant... you are being WAY too kind Bippy.
Jesus Christ, absolute arse, what kind of writing 'style' did I use????? Haha, funny... in an embarrassing way! Last edited by Galahad/FLT; 23 January 2006 at 18:19.
23 January 2006, 18:20 | #14 | |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,016
Quote:
AmigaMon was what was used before cartridges were made. It was a program that you would load up after resetting a game to have a look at memory to see what was there. Very basic in comparison to MonAM etc., but that's how cracking started on the Amiga.
23 January 2006, 20:40 | #15 | |
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
Quote:
I thought it was yours but couldn't quite remember. It's one of those actor-type experiences, isn't it... where you see what you did back in the day and grimace.
23 January 2006, 20:42 | #16 |
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,016
Grimace? Not even close, mate. My apologies to anyone that had to read through that, what a load of arse.
My lame attempts to be amusing; I look back at it and just cringe. But funny to revisit though!
24 January 2006, 13:41 | #17 |
Long time member
Join Date: Jul 2001
Location: UK
Posts: 754
After following that tutorial I actually went on and cracked 'F15 Strike Eagle II' manual protection using an Action Replay in approx 10 minutes! I was very proud of myself at the time.
I don't think there was any protection other than the manual, so I'd recommend it as a nice easy example to have a go at.
25 January 2006, 01:57 | #18 | |
Zone Friend
Join Date: Mar 2004
Location: Middle Earth
Age: 40
Posts: 2,127
Quote:
I have seen some AmigaDOS tools and you can disassemble/assemble the memory and stuff. If it was an AmigaDOS tool, it must have been hard to find the address where the game was loaded?
25 January 2006, 02:50 | #19 | |
Registered User
Join Date: Jul 2005
Location: -
Posts: 1,698
Quote:
26 January 2006, 02:43 | #20 |
Zone Friend
Join Date: Mar 2004
Location: Middle Earth
Age: 40
Posts: 2,127
|
Yeah, I think I know the tool now, it had many clones, right? i.e. VirusMonitor and stuff, which did pretty much the same thing.
I think I have V2.5 on my real Amiga HD; I think it was made/modified by a group in Yugoslavia.