English Amiga Board


Old 12 January 2006, 00:24   #1
BippyM
Global Moderator
 
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
Cracking Tutorial: Carrier Command

Here is an OLD Carrier Command crack that I found on the web..

It is not elegant or fancy, and the author is a bit sarcastic and swears a heck of a lot.. but it's a start.

Direct Link to Web

Code:
         CRACKING TUTORIAL


          -=By NEC of LSD=-

         FIRST A DISCLAIMER.

LSD would like to make it clear that they do not promote anyone to
undertake the following tutorial. There is no gun pointed at your head,
it ain't a game of "Simon Says!".  It is your decision when you decide to
partake in this article.  It is merely a guide, and nothing more.

Lsd and any persons affiliated to Lsd or its members CANNOT be held
responsible if you TOSS IT UP!  If you destroy your only original copy of
Carrier Command, ......TOUGH!  We have no sympathy.  The instructions are
clear enough, and if you cannot do the job according to this article, then go
and read something else!  If for some reason while you are noncing around
the code, and ACCIDENTALLY trip a routine that tries to access track 90,
and your drive head goes loopy, ......TOUGH!  If you follow the
tutorial correctly, there will be NO problems.  If you go off on a tangent,
then more fool you!

Lsd.

For this tutorial we have picked an old game, for various reasons; Carrier
Command is old and available to most people, and if a tutorial to a brand
new game was here there would be a few pissed off companies to say the least!

After reading the disclaimer and acting on it, you will need the
following:

1. A copy of the ORIGINAL game.

2. A 1 meg Amiga with Action Replay

3. A PRO-DECRUNCH capable packer.  So
for those that have Powerpacker....
forget it!  Any of the following will
do:
   
   Defjam 3.0 or higher
   Syncropacker
   Crunchmania
   Stone Cruncher
   Double Action
   Logo 7
   and any other decent ones that are
   PRO DECRUNCH capable.

Forget using Tetragon's TETRAPACKER V2.2, it cannot pro-decrunch properly.
NOTE: There is a bug in Defjam packer. It doesn't matter what version it is,
sometimes it really fucks files!  If you add 5K to the actual file length
when crunching, it will stop Defjam from rear entry.  That was found out
by Shagratt of Lsd.  As an added note, the supposed "fixed" version of Defjam
packer recently released still contains ALL the bugs we are aware of
in the previous versions.  The requestor library is a useful addition
however.

If you want to crack games with speed and accuracy, you can forget
Amigamon.  If you think you have a couple of days to crack a game, think
again.  Action Replay isn't the hottest bit of kit, in fact it is
rather crude by C64 standards, but it serves its purpose a damn sight better
than Amigamon.


      HOW DO YOU LEARN TO CRACK?

Well it is as simple as this.  Many crackers are SELF taught.  Generally
there is no-one you can confer with except YOU.  Most quality crackers
have all been self taught.  Obviously if you have been with the Amiga from
the VERY start, you will have developed your cracking along with the
protection.  Some protections have got better through the years, but not
until they were hybrids of poorer versions.  For a total newcomer to try
and crack Full MFM is just not possible.

So am I gonna tell you how to do every protection under the sun? NO! Reasons?
1. Well firstly as I said, we that have strived to get the experience we
now have, have done it through fucking hard work!  The last thing I want to
do is have a massive influx of people CLAIMING to be able to crack, and
put the reputations of ALL of the above in jeopardy.

2. We got no help from anyone, so why should you have it on a plate?

3. Software companies are cunts at the best of times, but some of them ARE
WORTH supporting.  For me to tell you how to do every protection would have
MAJOR repercussions on the software industry.  You don't believe me?
   
Well picture this.  Let's say that Grapevine has a mass distribution of
about 250,000 people over a period of months, which is quite feasible (I
hope!).  Of that 250,000, 10,000 look at my articles and are able from there
on to crack most protections.  That is a possible 2000 people out of 10,000
people that can swap, get to a modem, etc etc.  You figure it out.  We are
not here to put software companies out of business.  We just don't want to
pay 25 quid that in MOST cases is totally unjustified.  There are very
few GOOD crackers.  That is the way it will stay.  From my articles, you will
gain an insight and nothing more!

I hear someone saying that single filing is easy and lame!
Yes because MOST single filing is exceptionally easy to do with a few
exceptions.  No because who in their right mind would get a game with full
MFM protection on it, that loads in one go, and then crack the MFM!  I
know in some cases, like I.B.M. of Crystal, decided to retain the picture
on Mercenary III.  Nothing amazing in that you might think, but it is then
100%

This is the system that myself and Dreadnought will be doing from now on
also.  It makes that crack the little bit more appealing and you feel safe
in the knowledge that you have not deprived the Amiga community of
something.  The best example would have to be Rick Dangerous (first one).
It had tonnes of files, but loaded in one go.  I would be fucked if I could
be bothered to crack the full protection in favour of single filing
it.  Although SOME people think it is lame to just single file a game
instead of cracking the thing fully, can you remember back to the good ole days
of Paranoimia, Trilogy, Thrust, and Bamiga Sector 1.  They would crack the
game properly.  Someone would then single file it, and FORGET TO CREDIT
THE ORIGINAL GROUP for cracking it. Bad news indeed.

So we have established that depending on what protection it had originally
will depend on how you go about cracking it.  I don't expect all the
beginners out there to code their own fileloaders to make it 100% with all
pictures, I just expect you to be able to single file a game with ease,
taking out all the other protection with it.




  HOW IS CARRIER COMMAND PROTECTED?

Well Carrier Command has two protections on the disk.  They both
link in with each other.  You can't dump one unless you get rid of the
other.

There is 'Light MFM' and Novella protection.


              LIGHT MFM

Light MFM has two purposes.  For a start, the Action Replay cartridge
cannot read in Light MFM tracks at all.  The structure of the tracks has
been changed sufficiently enough for the Action Replay to go GA GA!  Light
MFM can however be copied on NIBBLECOPY in X-Copy. (on a utility
disk near you)  So what is the point of having light MFM on the disk when
X-Copy can breach it?  Simple.  The other protection is the Novella
protection.  The protection looks like this:

What is the word on page 24, paragraph
3, line 4, word 8.

Please enter here>

I won't go too in depth at this point, but basically the novella protection
has to be ditched.  But if you can't read the tracks into memory, how are
you going to ditch the protection??

I can hear someone saying, why don't you just let X-Copy read in the
tracks into memory, and then save 'em down by intercepting them with the
Action Replay?  Because it encodes all the data, that's why!
So first of all we need to locate exactly where the novella protection
is located.

So get your copy of Carrier Command
and do the following:

1. Load the disk.
2. Press 1 to select English.
3. Type anything you like at the
   protection check three times.
4. Stare at the screen with a blank
   look as you get presented with a
   black screen.

Now this is always how I go about ditching Novella.  You need to see
exactly what the protection does when you get it wrong.  So what you need to
do now is hit the button on the Action Replay.  You are now presented with
that lovely blue colour... Now what you need to do is hit the old
'D' button.  What does it do?  Well what it does is tell you the point at
which you broke into the program.  It will give you something like this.
(I am gonna use the EXACT numbers etc, so that there is no confusion.
Unfortunately I cannot guarantee when you will press the button, but if I
feel that the number you get is gonna be radically different from the number
I get, then I will tell you so.)

I can tell you that the only possible
addresses that it WILL be is the
following.  I have done the whole
routine so that I can explain exactly
what it does.

======================================
   0000CB96  MOVE.L  (A7)+,0000121E.S
   0000CB9A  JSR     0001A3FA
   0000CBA0  JSR     000066D8.S
   0000CBA4  SUBQ.W  #1,000022A4.S
   0000CBA8  BNE     0000CA92
   0000CBAC  NOP
   0000CBAE  BRA     0000CBAC.S
======================================

When you break in, it will be in
either CBAC or CBAE.  It will not be
in any other routines, so if it ain't
in one of these two, then you have
fucked up!

It is basically cycling through these
two instructions, and will continue to
do so unless you stop it.  The
Protection check has noted that you
have screwed the protection up and has
dumped you in this routine.  Now how
do we go about ditching the
protection?  Well those dotted lines
around the routine are not there to
make Grapevine look more sexy!  They
are there to show the breaks in the
routines, a la Action Replay.  Now I
am gonna assume that everybody has the
very first version of the MK II.  The
later versions put the dotted lines
onto the screen when you scroll up,
whereas the older versions do not!
Thankfully all new versions have this
fixed.  So assuming that your Action
Replay is like mine, let's get to it.

So you see either of the two
instructions.
BippyM is offline  
Old 12 January 2006, 00:25   #2
BippyM
Code:
1. Press the RETURN key or the DOWN
   CURSOR, whatever you prefer to
   scroll the screen up.  As you get
   past the instruction CBAE, the
   Action Replay will insert a dotted
   line after it.

2. Now carefully keep it scrolling up
   the screen until the address that
   you FIRST saw when you broke into
   the Action Replay is at the very
   top of the screen WITHOUT it
   disappearing.

3. Now press the UP CURSOR to scroll
   back up the screen so that the
   address that you first saw is below
   the middle of the screen.

4. Look under the dotted line and you
   will see the instruction CB96.
   Hummm, isn't that a little bit
   above the original instruction I
   was at before?  Yup, it certainly
   was.  Wonder if all of this routine
   is part of the protection?  The
   coders among you will be able to
   spot it straight away.  The
   instruction located at CBA4 is the
   SUB command for the protection.
   You have three goes to get it
   right.  Every time you get it
   wrong, this routine subtracts 1
   from the goes you have left.
   Experiment with a few routines etc,
   but if you fuck up, you will have
   to load it again.

5. So you have found the top of the
   routine.  Now why do we need to do
   that?  Well it is simple.  This
   routine dumps the program and
   cycles in this routine.  So
   basically you want to find the
   instruction or routine that
   calls it up and tell it not to.
   Sounds hard?  We will see.  Surely
   if you tell the program not to goto
   the routine that dumps you, it
   should in fact carry on.  Read on.

Now we are going to implement the FA
command on the Action replay.  This
command means to FIND THE ADDRESS.
You want to find the address or
instruction that calls up the
protection.  So lets go.

1. Type FA and then the Address that
   you know.  The one you should have
   is CB96.  If it ain't, then check
   again.

2. Hit RETURN and wait a while.

3. Eventually all going well you
   should get a figure on the screen
   like this:


FA CB96 0 80000
SEARCH FROM: 0000000 TO: 080000
0000CB7E   BNE CB96

A quick rundown on the numbers etc.

The CB96 is the number you want the
Action replay to find an address that
goes to it.  The 0 is where I want it
to start the search from, and the
80000 is the end of where I want it to
search.

TIP: Generally the coders of these
games use lame code.  They like to be
able to get it sorted as quickly as
possible.  The chances are that the
address you want it to find is nearby.
So instead of searching the whole of
memory, how about searching from say
CB00 to 10000.  This won't always
work, but 90% of the time it does
yield.

So the Action Replay tells you that
the instruction that goes to it is
CB7E.  A BNE, yahoo!  With novella
protection, a BNE generally signifies
the end of your search.  Most of the
novella protections around are LAME.

So we have established that the BNE is
the problem.  How do we know?  I mean
there are loads of BNE's in the game,
how do we know that this is the one?
Well the mega giveaway is the fact
that it has a CMP instruction above
it.  This basically COMPARES either
bytes or words.  If the Byte or word
is not equal, then it goes to the BNE.
By the way, BNE stands for BRANCH NOT
EQUAL.  So think it through
methodically.  It compares the word
and says to itself,
"Hummmm, he has entered the wrong word
because I have compared it with the
one that is correct and the one he
entered was the wrong one.  Well now
it ain't right, I am gonna go through
the BNE cos it ain't equal"

Obviously it doesn't actually say it,
but it is just simplified down to what
it means.  It looks at what you
entered and checks that you fucked up,
so then it goes to the BNE.

Ok, so what if the BNE did not exist?
What purpose can that serve I hear you
mumble.  Well if your friend gets the
protection wrong, like he is gonna get
all the time cos there's umpteen
different words and only three
guesses, you need to tell the computer
not to worry about the protection and
not to bother.
Ok.  Let's see what we can do about
it.  Let's ditch the BNE and see what
happens.  Here is how to get rid of
it.

1. Type 'A' and then the address CB7E.

2. Type NOP and RETURN.

3. Press ESCAPE to exit the Assembler.

We will assume that you have reloaded
the game, but this time leave it on
the protection screen.  Don't touch
the keyboard.  There is no need to
execute the protection, because you
know where the protection routine is
don't you?

Making sure you have assembled that
address you may now exit back to the
game.  Now type anything on the screen
and hit RETURN.

DA DA DA DA DA DA DAAAAAAAAAAA!!!!!

Oh my god it has started the game up.
And who would have thought that typing
FUCK OFF would bypass the protection!
So we have ditched the Novella
protection, but what about ditching
the protection on a permanent basis.
I mean it has light MFM tracks, which
means you can't save it back to disk.

Hang on a mo.  Carrier Command is a
vector based game, has very little
graphics and loads in one go!  Hmmmm.
Is it possible to save the whole file
out and make it work without the
original disk?  Yup and Yup again.

Little Jimmy at the back of the class
asked the question with a puzzled
look.  "But Miss, How do I know where
the file starts and ends?"

The teacher stared back hard at the
poor little lad and said "Why you look
at the loader you stupid little man!"

With that, little Jimmy made sure he
had noted the address to ditch the
novella, and reloaded the game.

(Jimmy by the way lives in Denmark
where it is perfectly legal to hack.
Hence the scenic and comforting
inclusion of the teacher in high heels
and suspenders!)

So having read the little tale of woe
by Jimmy, you won't feel stupid because
now little Jimmy had got the answer
for you!

So as the game is reloading, (Just
like little Jimmy!) hit da button on
the Action Replay.  Yes, In the middle
of loading.  Forget the bollocks from
the magazines telling you that it is
dangerous and that it will damage the
disks, because the Action Replay turns
off the drive when you hit the button.

Now do what you did when you wanted to
ditch the original novella protection.
So you have pressed 'D' and have noted
the address.
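An added example, not part of the original post, NEC's tutorial or the Action Replay's own code: a small C routine that does what the FA step above does, scanning a 68000 memory image for branches whose target is a given address. It assumes the 68000 Bcc encoding (opcode 0110cccc with an 8-bit displacement, or a following 16-bit displacement word), and the memory image it scans is constructed here from the three branches in the tutorial's listing, not dumped from the game; all function names are my own.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded 68000 branch instruction (BRA, BSR or Bcc). */
typedef struct {
    uint32_t addr;     /* address of the instruction word */
    uint32_t target;   /* address it branches to */
    const char *cond;  /* mnemonic suffix: "RA", "SR", "NE", "EQ", ... */
} branch_t;

static const char *cond_names[16] = {
    "RA", "SR", "HI", "LS", "CC", "CS", "NE", "EQ",
    "VC", "VS", "PL", "MI", "GE", "LT", "GT", "LE"
};

/* Decode the big-endian word at buf[off] as a 68000 branch, if it is one.
   Encoding: 0110 cccc dddddddd. A non-zero low byte is a signed 8-bit
   displacement (the ".S" form); a zero low byte means a signed 16-bit
   displacement word follows. Target = instruction address + 2 + disp.
   Returns 1 and fills *out on success, 0 otherwise. */
static int decode_branch(const uint8_t *buf, size_t len, size_t off,
                         uint32_t base, branch_t *out)
{
    if (off + 2 > len) return 0;
    uint16_t op = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    if ((op & 0xF000) != 0x6000) return 0;
    int8_t d8 = (int8_t)(op & 0xFF);
    int32_t disp;
    if (d8 == 0) {
        if (off + 4 > len) return 0;
        disp = (int16_t)((buf[off + 2] << 8) | buf[off + 3]);
    } else if (d8 == -1) {
        return 0;  /* 0xFF: 32-bit form on 68020+, an odd (faulting) target on a 68000; skip */
    } else {
        disp = d8;
    }
    out->addr = base + (uint32_t)off;
    out->target = (uint32_t)((int32_t)out->addr + 2 + disp);
    out->cond = cond_names[(op >> 8) & 0x0F];
    return 1;
}

/* Scan every word-aligned position of a memory image for branches whose
   target is `target`, as FA does over a range. Like FA it has no idea where
   instructions really start, so data words that look like a branch opcode
   can produce false hits: confirm each one in the disassembler. */
static size_t find_branches_to(const uint8_t *buf, size_t len, uint32_t base,
                               uint32_t target, branch_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + 2 <= len && n < max_hits; off += 2) {
        branch_t b;
        if (decode_branch(buf, len, off, base, &b) && b.target == target)
            hits[n++] = b;
    }
    return n;
}

#define IMG_BASE 0xCB00u
#define IMG_LEN  0x100u

/* Constructed sample image (NOT a dump of the game): NOP filler (4E 71)
   with the three branches from the tutorial's listings at their addresses. */
static void build_sample_image(uint8_t *img)
{
    for (size_t i = 0; i < IMG_LEN; i += 2) { img[i] = 0x4E; img[i + 1] = 0x71; }
    /* CB7E: BNE CB96.S  -> 66 16       (CB7E + 2 + 0x16 = CB96) */
    img[0x7E] = 0x66; img[0x7F] = 0x16;
    /* CBA8: BNE CA92    -> 66 00 FE E8 (16-bit displacement -0x118) */
    img[0xA8] = 0x66; img[0xA9] = 0x00; img[0xAA] = 0xFE; img[0xAB] = 0xE8;
    /* CBAE: BRA CBAC.S  -> 60 FC       (displacement -4: the idle loop) */
    img[0xAE] = 0x60; img[0xAF] = 0xFC;
}

/* Helpers over the sample image: how many branches go to `target`, and the
   address / condition of the first one (0 / "" when there is none). */
size_t count_branches_to(uint32_t target)
{
    uint8_t img[IMG_LEN]; branch_t hits[8];
    build_sample_image(img);
    return find_branches_to(img, IMG_LEN, IMG_BASE, target, hits, 8);
}

uint32_t first_branch_to(uint32_t target)
{
    uint8_t img[IMG_LEN]; branch_t hits[8];
    build_sample_image(img);
    return find_branches_to(img, IMG_LEN, IMG_BASE, target, hits, 8) ? hits[0].addr : 0;
}

const char *first_branch_cond(uint32_t target)
{
    uint8_t img[IMG_LEN]; branch_t hits[8];
    build_sample_image(img);
    return find_branches_to(img, IMG_LEN, IMG_BASE, target, hits, 8) ? hits[0].cond : "";
}

int main(void)
{
    uint8_t img[IMG_LEN]; branch_t hits[8];
    build_sample_image(img);
    size_t n = find_branches_to(img, IMG_LEN, IMG_BASE, 0xCB96u, hits, 8);
    for (size_t i = 0; i < n; i++)   /* prints: 0000CB7E   BNE CB96 */
        printf("%08" PRIX32 "   B%s %" PRIX32 "\n", hits[i].addr, hits[i].cond, hits[i].target);
    return 0;
}
```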
Old 12 January 2006, 00:25   #3
BippyM
Code:
When you break in, I have absolutely
NO IDEA WHERE YOU WILL BE
WHATSOEVER!  This particular loader is
a fickle bast, and as such it is
constantly loading data, so it is
going through different instructions
all the time.  This does not make me
happy, because now I have to write
tonnes more to explain exactly how
you guys can find the start.

I am gonna cut a lot out for a start.
When you break in, the address is
gonna be between 76C00 and 77C00.  So
how about I tell you how to find the
start a little bit quicker.  I mean a
loader can't be that big  compared to
a whole game.  So let's ditch the
Disassembler command for the mo, and
let's look at memory using the 'N'
command.  With this command it lets
you look at memory from the data point
of view, not the very boring assembly
language.  So let's just pretend that
the address you broke in at was
address 76DE4.  So type da following.

N 76DE4

Then press RETURN.
You will be greeted with numerous
characters flung very tastefully
across the screen.  For those that
thought that Andy Warhol was
dead, guess again!  So for the
uneducated, it looks like a mass of
shit on the screen.  But it is in fact
code in its data format.  By looking
at the code this way, you can scan
through memory a damn sight faster
than by disassembly.  Disassembly
goes through two instructions per
press of the RETURN, whereas the N
command gets through forty of them.

For the experienced Hackers and
Coders, it is very possible to spot
the jump for a game or a demo like
this.  It don't always work, but once
you mess around the bast long enough,
you will pick up little things
yourself.
So what you need to do now is scroll
through memory.  Wow!  I can hear you
now.  The bibbley bobbley bits of crap
have all gone.  Could this mean the
end of the world or the end of the
loader?  So after pondering for an
eon, you have finally plumped for the
end of the loader.  So using your
amazing powers of deduction, you
immediately think.

"Jeepers Watson.  If this is the end
of the loader, then maybe, just maybe
if we scroll back up through memory,
we might find the start." said
Sherlock with a voice of sudden
realisation.

"Do you know Sherlock, I think you've
done it again.  By gad how come you
are so infeasibly intelligent and I am
always portrayed as a stupid fat
thick cunt!" came the answer to
Sherlock's first question.

"Because you are Watson!  I have said
it myself on numerous occasions that
you should stop indulging in prime
Spam from Gateways!" came the answer
that made Watson feel even more
suicidal than he was before, and
wishing he had never bloody asked!

So now we leave our two heroes to
carry on with the tutorial.

So taking our two friends' advice we
scroll back up memory.  The loader
seems to stop at address 76C00.  I
know because I checked, and a little
voice told me that I should trust my
feelings and go with what I truly
believe to be a part of existence.  If
it means wearing a 1973 Adidas Maroon
tracksuit, no thanks matey!

So things to look out for in a loader
are the following.

1. The LEA command with an address in
   it.

2. A JMP with the same address
   preferably in the same routine.


               A STORY

I cracked the Godfather on 6 disks!
It had Novella protection, by forcing
you to read off a code wheel (terrible
inventions, about as much use as a
keylock device on an ocean game!).  I
did not even try and get the
protection wrong.  I broke in as soon
as it asked me to look on the code
wheel for the three letters.  There
before me were three BNE's.  I got rid
of them, saved it down, crunched it
and ran it.  It ran first time with
ALL the protection removed.  That will
only come with experience.  I don't
expect you all to be able to do it so
quickly, but time will tell.  It also
had light MFM on the disks as well, so
none of the less experienced would
have passed that part anyway, as the
disks COULD not be copied!
So gain before you seek fame!

Not all loaders are as lame as this,
but a good majority have still not
changed their protections since this
one was introduced.

(If anyone from Eldritch the Cat Ltd.
is reading this, for god's sake change
your protection, otherwise MYTH is
gonna be a quick two minute crack!)

Eventually after searching through
reams of code using the assembler

(Remember, you only used the N command
to search quicker!)

You will come to this routine.

======================================
0076C9A LEA 0000400.S,A0
0076C9E BSR 0076DA8
0076CA2 BMI 0076C96.S
0076CA4 LEA 77400,A0
0076CAA JMP 0000400.S
======================================

Hummmmm.  Now let's break some of
the commands down into layman's terms.
Well according to my wealth of immense
knowledge, an LEA is to LOAD EFFECTIVE
ADDRESS.  So the loader is gonna
locate something into the address 400
and into A0.  Hang on, it jumps to 400
later on in the SAME routine.  Well if
it is locating something there, and
then it jumps to it, nahhh it could
not be the start of the program.  Let's
find out.

Erm, how the hell do we find the end
of the game?

Right let's reload the game.  Yes
reload it.  When the picture comes up,
Hit Da button.  Press P for Picture.
You will now see the tacky Carrier
Command picture that no one at
Realtime Games is proud of!  Press the
HELP key.  If you move the mouse
around, you will see a little box of
figures and shit in it.  Look at the
first number.  The figure is where it
locates the picture in memory.  So, we
know that the picture is not essential
to the game at all.  So from that
area of memory to 80000 is wasteable.
The number should be 77400 I think!

You now know that you can ditch
whatever is located at 77400 and on.
Not much of a saving is it?  Okey
dokey.  Let's bung a breakpoint at
address 76CAA.  Why?  Well this is the
address the program jumps to once it
has loaded.  Now it is useless you
trying to save the game from any other
point as you won't know what the SR
registers are, or how big the file is
(ooer!).

A LITTLE EXPLANATION OF HOW A GAME
SUDDENLY FILLS THE WHOLE OF MEMORY!

Let's assume you have got a game, and
you have bunged in a breakpoint in to
stop it from jumping to 400.  You know
that it ends at 60000.  But when you
play the game, and break in, all of a
sudden all of the memory past 60000
is filled with data!  Gasp shock
horror!  How are you gonna crunch the
damned thing now?  How did the memory
get filled with data?

Well if you were to play the game, and
break in with the button, press P for
picture and HELP.  Now ain't that
funny.  The screen graphics are
located past 60000.  Well where else do
you expect the damned thing to display
its screen display, in the middle of
the code!

So after that sarcastic jaunt into a
game we don't have, we will now go
back to Carrier Command.  So let's
break in as the game is loading, and
bung a breakpoint in at 76CAA.  This
way we get to look at memory before it
sets up any screen displays.
Eventually after a few moments, old
blue will kick in with the breakpoint.
Now let's saunter through memory.  So
we know that the picture is located at
address 77400.  So let's go backwards.
Oh there is the loader for the game.
Now let me think.  The game has
loaded.  So that means it won't be
needing it anymore.  Kewl, let's ditch
that bozo!

So we have trekked back through memory
and eventually we see code at around
the 4B700 area.  Great, it starts at
400 and ends at 4B740 or thereabouts.
Kewl!  Right before we forget, let's
NOP address CB7E.  Ho Ho, wouldn't it
be funny if we forgot!

So are we gonna assume that it is all
the game code?  Well yes and no.
Yes, cos we know it loads in one go
and it don't need the picture.  No,
because we are all new to this and we
want to test it out to be sure, for
sure!

Okay, get a blank formatted disk.  Put
it through VERIFY.  Although the
Action Replay format says it's Kewl, it
ain't 50% of the time.  So always
chuck it through VERIFY.  There ain't
nothing worse than a file being saved,
only to have a data checksum error
halfway through!  So do it!

Now we want to save the file out.
Follow these simple instructions.

1. Type this.

SM CARRIER,400 4B740

2. And then hit RETURN.  This will
   save the memory under the filename
   CARRIER, from address 400 to
   address 4B740.  Eventually after
   numerous noises that are not
   dissimilar to read/write errors, it
   will eventually finish.

3. Reset the machine.

4. When the Workbench hand appears,
   hit the button and type the
   following.

LM CARRIER,400

5. And press RETURN.  This will Load
   into the memory, the filename
   CARRIER into address 400.  You
   don't have to work out what the end
   address is gonna be because the
   cartridge does it for you.
Old 12 January 2006, 00:26   #4
BippyM
Code:
   Now you know that 400 is the start,
   so type this.

G 400

6. And press RETURN.

Oh FUCK, it don't work.  Now how can
that be?  Let's hit the button and
G 400 again!  Oh shit it worked this
time!  Now why was that I bet you are
wondering.  You saved all the details
that you could possibly need.  Or did
you?  Now if you look back a bit
further up this doc, you will see the
letters SR!  What the fuck are those?
Well the SR is an it, and it is called
the Status Register.  So how do we
find that out then guvnor?

Okay, hit da button and type R and
RETURN.  For the totally inept, it
will look like an entry test for
MENSA!  For the more intelligent, they
will mutter " Looks important to me!"
It is my friend.


         A QUICK EXPLANATION

The Status register sometimes needs
setting up, and sometimes it don't.
For most games that load in one go,
games programmers have made the game
reliant on a specific Status register.
They do calculations by it, they check
that the status register is the number
they want it to be.  I have seen loads
of oddball people manage to single
file a game.  Great, they have taken
their first steps, but then they turn
around and say to me,

"Well I can't crunch it, I can only
run it through the Action Replay, and
even then I have to goto the start
twice."

Oh dear.  It gets even worse when they
decide to let the cartridge save it
for them.  Very bad news.  Let me tell
you now.

It is considered the ultimate in
lameness to do an Action Replay "save
all"  Not only is it not cracking,
there is no challenge to it!

It is only guaranteed to work 100% on
a machine with the same Kickstart and
memory configuration!

If you just want a copy for your
mates, fine, but just don't try and
send it to anyone who will see it and
report it, or you really will come a
cropper!

Back to the tutorial.  So we have
established that programmers sometimes
use this as a protection if you like.
Budget games on the whole load in one
go, so the games programmers think
that the most likely people to try and
crack it are the usual joes on the
Amiga.

So what Status register could it
possibly be?  Do we take the one from
the game or the one from the loader?
Well surely if we took the one from
the game, it would work first time,
and not the second time.  So if we
take the one from the loader, we might
come up with a better result.

So this time, load up your original
game disk and bung in a breakpoint at
the same place you did before it
jumped to the start.  Eventually blue
will rear its ugly mug and you can now
press R for registers.  Now if you
look in the bottom right hand corner
of all the splurge, you will see the
letters

  SR

with a number next to it.  Note the
number and reset your machine.  Now
load in your datafile into memory.  So
how do we change the Status register?

Easy.  Type the following

1. R then put a space.
2. SR then put a space.
3. The number you got.

After that you will see that the
status register has changed to the
number that you stated.  Now type

G 400

Da da da da da da da!  Well I think
you know a little more than when you
did several hours ago.  Kewl, the game
now officially don't need the original
disk.  Or does it?  I mean, you had to
manually change the status register.
A normal cruncher doesn't change the
stack for you.  Oh fuck, we have a
cracked game we can crunch, but won't
work!

Not so.  "Not so" I hear the muttered
murmurs of people in Strathclyde say!
Now at the beginning I specified that
you would need Pro-decrunch capable
packers.  I bet tonnes of you have
Defjam cruncher, but just never knew
how to use it properly!  Well let's get
that sorted now, because you need one
of these to crack the game properly.

1. It's a fine program.
2. It sets up the stack properly.
3. Everyone has got it.  If you ain't,
   oh dear what planet have you been
   on!
4. Reliable.  (Most of the time!)

So we grab our copy of Defjam and load
it up.

I shall take you step by step through
Defjam and explain exactly what it
wants from you.

First up it asks you if you want to
MEGACRUNCH.  Unless your file is over
350K, then you don't need it, so type
N for no.

It will then ask you for Low mem, and
high mem.  Generally people just clear
an area big enough to load the file
into.  I prefer to stick with the
memory I need and no more.  So if we
know that the file starts at address
400, let's make low mem that address.
As for high mem, let's make it our end
address.

It will then allocate you some memory
and clear it for you so that other
data does not clash.

It will then ask for the Scan width.
The Scan Width is how hard you want
Defjam to crunch it.  $10 is the
lowest and quickest, and $8000 is the
hardest and slowest.  So for this
purpose we are gonna pick $25 for a
good result.  So just enter 25, and
RETURN.  $800 is recommended by the
programmer.

It will then ask you the load type.
It will give you three options.  You
can forget Trackdisk for now.  Are you
trying to crunch an intro that has
just been compiled from Devpac?  Nope,
so we are just going for Plain.  Plain
as in data.  So enter O.

It will then ask you where do you want
to load it.  Obvious really.  You want
it to load in EXACTLY the same place
you took it from, 400.  So type 400
and then RETURN.

After a few
minutes/seconds/hours/centuries!
loading it will come up with the
same question.  Do you want Reloc
Plain or trackdisk.  This is because
it lets you load numerous files before
crunching, but as you don't want to
load anymore files, so just press
RETURN to start the packing.

After a few minutes, you will be asked
where you want the cruncher to jump
to.  Of course we all know that the
start is 400, so let's jump to 400.
Type 400 and then RETURN.

It will then ask you what colours you
want for the decrunch.  This is not
important, but as a rule most people
stick with 00.  This gives fullscreen
decrunch colours, so that you can see
what it is doing.  (It is best to use
some kind of colour decrunch on files,
as if its just a blank screen for 30
seconds the user may think the program
has crashed.)

After that it will ask you do you want
to PRO-DECRUNCH.  Normally it is a no.
But in this case it is Yes.
Type Y for yes.

It will ask you what the DMACON is.
When you got the SR for the game, you
will have to also type INFO, to find
out what you need to know.  For this
exercise, I will tell you what they
are.

The DMACON is: 6CE
The INTENA is: 4018
The ADKCON is: 0
The SR     is: 2700

It will then ask the question, where
do you want to locate the decruncher.
Well you know that the file goes from
400 to 4b700, so anything after that
is perfectly safe.  Bung it in at
70000 to be sure.  That way it will
not clash with anything.  So enter
70000 and RETURN.

It will then ask you the A7 register.
Again this is in the INFO area.

It is 5869C.
So type it.

Now enter your save name for the file.
(Don't use the same one as you have
already used)

Once done, reset the computer.  Load
the file through the CLI, and HEY
PRESTO.  A fully working, 512K, A500+,
cracked, copyable version of Carrier
Command.

So that is how you single file a game
and get rid of some basic Novella.
This document was not an illustration
of how to crack Carrier Command.  It was
just an example of two protections.

In time you will perhaps get better
and better.  I mean we ALL started off
as humble Lamers at one time.  I can
remember when I single filed my first
ever game.  I was well impressed.  Now
I see it as boring and easy.  But that
is life.  Novella to me is boring and
easy.  Although the protection on
games like Powermonger and Defender of
Rome took about eight minutes longer
than usual!
Well that is it from me, NEC of Lsd.
I am thinking of doing one more
cracking tutorial but other than that,
I wait for suggestions.  It is your
magazine after all.


If you want to find the hidden Carrier
Command Disk copier as the game is
loading, go to address 76CAE.  This
will activate the hidden disk copier
that was never revealed in the
original version.  There is also a
second protection check in the game.
If you just press RETURN without
entering a word or letter of some
sort, later in the game it will crash.
And don't forget, typing the documents
to your crack completes the release!



As a final note from Pazza, PLEASE do
not ask me for an original of Carrier
Command, Defjam Packer, or to borrow
my Action Replay for that matter.  Any
questions from stupid people regarding
this article will be ignored; if you
successfully single file Carrier
Command, then well done, but DON'T
send it to me.  These words may sound
unfriendly, but when I included
Budokan and 3D Pool tutorials on my
docs disks I got dozens of requests
for some of the world's oldest utils,
so if you're offended then it's not
meant that way, but please - DON'T
SEND ME YOUR RESULTS OR YOUR PROBLEMS!

However any sensible constructive or
interesting ideas will be considered
for future issues!

End
BippyM is offline  
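The four values the tutorial tells you to type into Defjam (DMACON 6CE, INTENA 4018, ADKCON 0, SR 2700) are a snapshot of the machine state at the moment the game was frozen, which the decruncher must re-establish before it jumps back to 400. The small decoder below is an added example, not code from the tutorial, from Defjam or from the Action Replay; the bit layouts are the DMACON and INTENA definitions from the Amiga Hardware Reference Manual and the 68000 status-register layout, and the only inputs are the values printed above. It shows what those hex numbers actually say about the frozen machine, and one caveat a practitioner restoring them would want to know: bit 15 of DMACON/INTENA/ADKCON is SET/CLR, so writing the snapshot value back unchanged would clear the listed channels rather than enable them.

```python
"""Decode the Amiga custom-register snapshot quoted in the tutorial.

Added example (not from the tutorial, Defjam or Action Replay). Bit
names follow the Amiga Hardware Reference Manual; the sample values are
the ones the tutorial lists for Carrier Command.
"""

# Write-only control registers (and their read-back twins) on the custom
# chip base $DFF000; included for reference, not used when running offline.
DMACON_W, DMACONR = 0xDFF096, 0xDFF002
INTENA_W, INTENAR = 0xDFF09A, 0xDFF01C
ADKCON_W, ADKCONR = 0xDFF09E, 0xDFF010

DMACON_BITS = {
    15: "SET/CLR", 14: "BBUSY", 13: "BZERO", 10: "BLTPRI", 9: "DMAEN",
    8: "BPLEN", 7: "COPEN", 6: "BLTEN", 5: "SPREN", 4: "DSKEN",
    3: "AUD3EN", 2: "AUD2EN", 1: "AUD1EN", 0: "AUD0EN",
}

INTENA_BITS = {
    15: "SET/CLR", 14: "INTEN", 13: "EXTER", 12: "DSKSYN", 11: "RBF",
    10: "AUD3", 9: "AUD2", 8: "AUD1", 7: "AUD0", 6: "BLIT", 5: "VERTB",
    4: "COPER", 3: "PORTS", 2: "SOFT", 1: "DSKBLK", 0: "TBE",
}


def decode_bits(value, table):
    """Names of the set bits in a 16-bit register value, highest bit first."""
    return [name for bit, name in sorted(table.items(), reverse=True)
            if (value >> bit) & 1]


def decode_sr(sr):
    """Split a 68000 status register word into its meaningful fields."""
    return {
        "trace": bool((sr >> 15) & 1),
        "supervisor": bool((sr >> 13) & 1),
        "ipl": (sr >> 8) & 7,        # interrupt priority mask, 7 = all masked
        "ccr": sr & 0x1F,            # X N Z V C condition codes
    }


def restore_word(snapshot):
    """Word to write to DMACON/INTENA/ADKCON to re-enable exactly the
    channels the snapshot had on. Bit 15 selects set (1) or clear (0),
    so the raw snapshot value would switch the channels OFF instead."""
    return 0x8000 | (snapshot & 0x7FFF)


def describe_snapshot(dmacon, intena, adkcon, sr):
    """Human-readable summary of the frozen machine state."""
    return {
        "dma_on": decode_bits(dmacon, DMACON_BITS),
        "disk_dma_on": bool((dmacon >> 4) & 1),
        "interrupts_on": decode_bits(intena, INTENA_BITS),
        "adkcon_raw": adkcon,
        "cpu": decode_sr(sr),
        "dmacon_restore": restore_word(dmacon),
        "intena_restore": restore_word(intena),
    }


if __name__ == "__main__":
    # The values the tutorial's INFO listing gives for Carrier Command.
    summary = describe_snapshot(dmacon=0x6CE, intena=0x4018, adkcon=0, sr=0x2700)
    for key, val in summary.items():
        print(f"{key:16} {val if not isinstance(val, int) else hex(val)}")
```

Running it shows that at the freeze point the copper, blitter and three audio channels were running with blitter priority on, no disk DMA was in flight (so the freeze did not interrupt a track load), only copper and CIA-A port interrupts were enabled, and the CPU was in supervisor mode with all interrupt levels masked. That last point is why the decruncher can safely rebuild the registers before handing control back.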
Old 12 January 2006, 02:55   #5
Adderly
[Satan^God]
Join Date: Oct 2005
Location: Germany
Posts: 701
Really nice one, I enjoyed reading this tutorial very much!
Like in most cracking tutorials it sounds quite easy to crack, but that's not always the case. I cracked some games/tools myself which were fairly easy, but then other ones were unbeatable for me and I became very frustrated because all the time I spent was for nothing...
Ah, the good old times...
Adderly is offline  
Old 12 January 2006, 03:27   #6
demoniac
Registered User
Join Date: Jul 2005
Location: -
Posts: 1,698
I believe that I have this on floppy. Made me want to get an AR.
demoniac is offline  
Old 14 January 2006, 20:11   #7
Doc Mindie
In deep Trouble
Join Date: Sep 2004
Location: Manchester, Made in Norway
Age: 51
Posts: 841
2 questions for those of us with no access to AR mk(any):

Is mkII or mkIII in the Tosec?
And, if one of them is, are they useable for this under WinUAE?
Doc Mindie is offline  
Old 14 January 2006, 22:35   #8
BippyM
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
Yes, they are both in TOSEC and they are both compatible with WinUAE.
BippyM is offline  
Old 14 January 2006, 22:48   #9
redblade
Zone Friend
Join Date: Mar 2004
Location: Middle Earth
Age: 40
Posts: 2,127
What's this AmigaMon tool he mentions, is that the tool you activate by pressing the fire on the joystick?

Or is it like that old virus Monitor that boots up in a AmigaDos CLI window?
redblade is offline  
Old 14 January 2006, 22:51   #10
BippyM
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
It'll be your Action Replay most likely.
BippyM is offline  
Old 15 January 2006, 00:25   #11
Toni Wilen
WinUAE developer
Join Date: Aug 2001
Location: Hämeenlinna/Finland
Age: 49
Posts: 26,553
You can also use WinUAE's debugger. It is not easy to use but quite powerful, especially memwatch breakpoints, which can watch any memory address possible; even the copper's or blitter's memory accesses can be trapped. There are also other breakpoint modes, like break when disk DMA is started at track xx, etc.

You can even trace trace-vector decoders, which is impossible with AR or any other debugger.

SHIFT+F12 and h shows most commands.
Toni Wilen is offline  
Old 17 January 2006, 00:04   #12
spiff
Oh noes!
Join Date: Mar 2003
Location: Neverland
Posts: 766
Quote:
Originally Posted by Toni Wilen
You can also use WinUAE's debugger...
Now that's just cheating and um.. morally wrong!!!

Nice read Bippy
spiff is offline  
Old 23 January 2006, 17:57   #13
Galahad/FLT
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,016
Thanks Bippy, that was a blast from the past. Oh jesus, that's also embarrassing. Sarcastic and not elegant.... you are being WAY too kind Bippy.

Jesus christ, absolute arse, what kind of writing 'style' did I use?????

Haha, funny... in an embarrassing way!

Last edited by Galahad/FLT; 23 January 2006 at 18:19.
Galahad/FLT is offline  
Old 23 January 2006, 18:20   #14
Galahad/FLT
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,016
Quote:
Originally Posted by redblade
What's this AmigaMon tool he mentions, is that the tool you activate by pressing the fire on the joystick?

Or is it like that old virus Monitor that boots up in a AmigaDos CLI window?

AmigaMon was what was used before cartridges were made. It was a program that you would load up after resetting a game to have a look at memory to see what was there. Very basic in comparison to MonAM etc., but that's how cracking started on the Amiga.
Galahad/FLT is offline  
Old 23 January 2006, 20:40   #15
BippyM
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
Quote:
Originally Posted by Galahad/FLT
Thanks Bippy, that was a blast from the past. Oh jesus, that's also embarrassing. Sarcastic and not elegant.... you are being WAY too kind Bippy.

Jesus christ, absolute arse, what kind of writing 'style' did I use?????

Haha, funny... in an embarrassing way!
heheh

I thought it was yours but couldn't quite remember

It's one of those actor-type experiences, isn't it.. where you see what you did back in the day and grimace.
BippyM is offline  
Old 23 January 2006, 20:42   #16
Galahad/FLT
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 9,016
Grimace? Not even close mate. My apologies to anyone that had to read through that, what a load of arse.

My lame attempts to be amusing, I look back at it and just cringe.

But funny to revisit though!
Galahad/FLT is offline  
Old 24 January 2006, 13:41   #17
Big-Byte
Long time member
Join Date: Jul 2001
Location: UK
Posts: 754
After following that tutorial I actually went on and cracked 'F15 Strike Eagle II' manual protection using an action replay in approx 10 minutes! - I was very proud of myself at the time.

I don't think there was any protection other than the manual, so I'd recommend it as a nice easy example to have a go at.
Big-Byte is offline  
Old 25 January 2006, 01:57   #18
redblade
Zone Friend
Join Date: Mar 2004
Location: Middle Earth
Age: 40
Posts: 2,127
Quote:
Originally Posted by Galahad/FLT
AmigaMon was what was used before cartridges were made. It was a program that you would load up after resetting a game to have a look at memory to see what was there. Very basic in comparison to MonAM etc, but thats how cracking started on Amiga.
Was this an AmigaDOS tool? Or did it run similarly to the ARC, where you hit a key combination and it takes over?

I have seen some AmigaDOS tools and you can disassemble/assemble the memory and stuff.

If it was an AmigaDOS tool it must have been hard to find the address where the game was loaded?
redblade is offline  
Old 25 January 2006, 02:50   #19
demoniac
Registered User
Join Date: Jul 2005
Location: -
Posts: 1,698
Quote:
Originally Posted by redblade
Was this an AmigaDOS tool? Or did it run similarly to the ARC, where you hit a key combination and it takes over?

I have seen some AmigaDOS tools and you can disassemble/assemble the memory and stuff.

If it was an AmigaDOS tool it must have been hard to find the address where the game was loaded?
It was an ADOS tool running in CLI. IIRC, it wasn't memory resident, but later on other monitors had that capability.
demoniac is offline  
Old 26 January 2006, 02:43   #20
redblade
Zone Friend
Join Date: Mar 2004
Location: Middle Earth
Age: 40
Posts: 2,127
Yeah, I think I know the tool now; it had many clones, right? i.e. VirusMonitor and stuff, which did pretty much the same thing.

I think I have V2.5 on my real Amiga HD, I think it was made/modified by a group in Yugoslavia.
redblade is offline  