How to crack ELITE 100%
What's needed:
1. A knowledge of assembly language.
2. Elite, the original game.
3. An Amiga.
4. An Action Replay cartridge (turn off memory clear and virus alert) or Big Brother running in the background.
5. Cmon.
6. Deksid.
7. A blank formatted disk.
8. Large amounts of strong coffee.
9. A pack of 20 Marlboro.
First thing to do is make a cup of coffee (helps the old grey matter). Second, light a fag!
Now that we have dealt with the necessities, on to the task in hand (any 14 year olds in the audience, I don't mean that task!!!), my little cracking apprentices.
The first thing to do when cracking is to load up the offending piece of software! Once loaded you will be presented with the Novella protection screen, asking you to type the word on page xx, line xx, word xx. The way I do this is to type any old thing and hit return. Carry on doing this (you get three goes) until you have used up all your credits. You will be dumped into a routine that says something like "you have fucked up". Now is the time to hit the little red button on the cart or go into Big Brother. Old blue will kick in. At the prompt type "D" and return. Now let's break this down for the inept amongst you. When you just type "D" you disassemble from the PC (PC = program counter). The first line will be:
00BD34 BRA 0000BD34.S
Take a closer look at this line. What do you notice? Yep, you're right, it branches to itself. This is what's called an infinite loop: the protection has parked the CPU here on purpose, so there is nothing to single-step through, and the interesting code is the routine that led up to it.
Keep on pressing return and the screen will scroll up. Just after the "D" disappears off the top of the screen, scroll t'other way. When the original line you interrupted at appears it will be followed by:
===================
This signals the end of the routine.
Once you get this, write it down. Now find the top of the same routine. To cut a long story short, it will be 00BCE2.
If you have a printer, do a screen dump. If you haven't got a printer, get one, as they make life sooo much easier.
NOVELLA PROTECTION ROUTINE
--------------------------
=============================
1 00BCE2 LEA 264(A6),A0
2 00BCE6 LEA 86F(PC),A1
3 00BCEA JSR 000009EA
4 00BCF0 BNE 0000BCF6.S
5 00BCF2 ST 36F2(A6)
6 00BCF6 MOVEA.L (A7)+,A5
7 00BCF8 MOVE.W (A7)+,D7
8 00BCFA MOVEQ #2,D6
9 00BCFC MOVEA.L A5,A0-----------
10 00BCFE LEA 264(A6),A1 |
11 00BD02 JSR 000009EA |
12 00BD08 BEQ 0000BC40 |
13 00BD0C TST.B (A5)+------- |
14 00BD0E BNE 0000BD0C.S-- |
15 00BD10 DBF D6,0000BCFC-----
16 00BD14 DBF D7,0000BC44
17 00BD18 JSR 00000E4E
18 00BD1E LEA 83F(PC),A0
19 00BD22 MOVEQ #2,D1
20 00BD24 JSR 000008E6
21 00BD2A LEA 000008AE
22 00BD2E JSR 000008AE
23 00BD34 BRA 0000BD34.S
=============================
This whole routine deals with the Novella. Take a quick scan at line 8. Does this ring a bell? Think about it.... Well, you have 3 tries at getting the answer right, don't ya! Yes, I know it says 2. That is because DBF counts the register down and only stops when it goes below zero, so for a loop that is to run N times the data register is initialised with N-1.
Keep scanning the routine. On line 15 it conditionally branches back to line 9. Look at the little nested loop on lines 13 and 14: it post-increments A5 and tests the byte it just passed, branching back until it has stepped over a zero byte. In other words it skips A5 to the end of the string it was pointing at, so each pass round lines 9 to 15 compares the buffer at 264(A6) (via the call at line 11) against the next string along.
It is basically cycling from line 9 through to line 15 until either the right word is entered or all 3 goes have been used, and thereafter dumping you in the "fuck up" routine.
The only conditional branches in the routine are on lines 4, 12 and 14. Let's have a closer look at these:
Line 4: Can't be this, because it's not in the check loop.
Line 14: Not this one either, because it just goes back to the line above depending on the byte at (A5).
So this only leaves line 12. This is the only possible way of jumping out of the Novella check, so let's see what happens if we bypass it.
Reset Amy and load up the game again. When asked to enter the word, press the button and do the following.
Change line 12 to read BRA instead of BEQ:
A 00BD08
00BD08 BRA 0000BC40
All done, so "X" and return to get back to the game.
Type anything ya want, hit return, voila! It's cracked. Or is it?
Now we have to make this permanent. Save the protection routine out onto your blank disk:
SM PROT,00BCE2 00BD34
(PLEASE NOTE I DO THIS ONLY IF CMON OR DEKSID WILL OVERWRITE THE MEMORY I NEED TO LOOK AT)
Wait for the drive to stop. Reset and load CMON. When CMON loads, hit da button and type:
LM PROT,30000
When done, "X" return.
Back in CMON, now type "d 30000".
It will disassemble from 30000. Keep hitting return and looking; you are looking for the line you want to change. Have you found it? Take note of the 4-digit hex word after the address. Write this down, and to aid in your disk search write down the words above and below the line you want to change as well.
30000 4EB9 BEQ 0000BC40
30004 6700 TST.B (A5)+
30006 4A1D BNE 0000BD0C.S
Note that in this dump the hex word printed against each line actually belongs to the instruction above it: 4EB9 is the opcode word of the JSR on the previous line, 6700 is the BEQ itself (6700 = BEQ with a 16-bit displacement in the following word) and 4A1D is TST.B (A5)+. Those three words, in that order, are what you will be hunting for on the disk.
Right then, done that? Now on with the show. Quit CMON and load DEKSID. Put Elite in the drive and choose "search hex"; you are looking for 4EB9. Return twice and DEKSID will search. It will find more than one occurrence. To find the right one, look for the hex words in front of and behind the one highlighted. Found it? Block 224, pos 10C. The instruction you want to change is the BEQ (6700), so change it to BRA (6000). The displacement word after it stays exactly as it is, since BRA and BEQ use the same encoding apart from the condition nibble. Choose "write block": yes, really write; no, don't do the checksum.
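What DEKSID is being used for by hand above, as an added example that is not part of the original text and is not code from DEKSID, CMON or the cart: a context-aware search for the 6700 word that has 4EB9 before it and 4A1D after it, and the BEQ-to-BRA rewrite that keeps the displacement word. The 512-byte sector is constructed for the demo (the text does not show the contents of block 224); the only real data in it is the 68000 encoding of lines 9 to 16 of the listing, with the displacements worked out from the listing's addresses. Names such as patch_sector and the decoy at offset $40 are mine.

```python
"""Context-aware hex search and Bcc -> BRA patching on a raw disk sector.

Added example, not code from the original text or any tool it names.
"""
import struct


def bcc_to_bra(word: int) -> int:
    """Rewrite a conditional branch opcode word as the matching BRA.

    Bcc is encoded 0110 cccc dddddddd: cccc is the condition, dddddddd an
    8-bit displacement, with 00 meaning "16-bit displacement in the next
    word". Only the condition nibble changes, so the displacement (and the
    length of the instruction) stays exactly as it was.
    """
    cond = (word >> 8) & 0xF
    if word >> 12 != 0x6 or cond in (0x0, 0x1):   # 0 = already BRA, 1 = BSR
        raise ValueError(f"{word:04X} is not a conditional branch")
    return 0x6000 | (word & 0xFF)


def find_with_context(image: bytes, before: bytes, target: bytes,
                      after: bytes, max_gap: int = 8):
    """Yield even offsets of `target` with `before` at most max_gap bytes in
    front of it and `after` at most max_gap bytes behind it.

    A bare opcode word such as 6700 occurs all over a disk; the words around
    it are what identify the right one (the "numbers above and below").
    """
    start = 0
    while (pos := image.find(target, start)) != -1:
        start = pos + 1
        if pos % 2:                      # 68000 code is word aligned
            continue
        lo = max(0, pos - max_gap)
        hi = pos + len(target) + max_gap
        if before in image[lo:pos] and after in image[pos + len(target):hi]:
            yield pos


def patch_sector(image: bytes, before: bytes, target: bytes, after: bytes):
    """Return (patched copy, offset). Refuses to guess when the context is
    not unique, which is the programmatic version of 'find the right one'."""
    hits = list(find_with_context(image, before, target, after))
    if len(hits) != 1:
        raise RuntimeError(f"expected one match, found {len(hits)}: {hits}")
    pos = hits[0]
    (old,) = struct.unpack(">H", image[pos:pos + 2])
    new = struct.pack(">H", bcc_to_bra(old))
    return image[:pos] + new + image[pos + 2:], pos


# Lines 9-16 of the Novella listing, assembled. Branch displacements are
# relative to the address after the opcode word, e.g. BEQ at $BD08 to $BC40
# is $BC40 - $BD0A = -$CA = $FF36.
CHECK_LOOP = bytes.fromhex(
    "204D"          # $BCFC MOVEA.L A5,A0
    "43EE0264"      # $BCFE LEA 264(A6),A1
    "4EB9000009EA"  # $BD02 JSR $9EA
    "6700FF36"      # $BD08 BEQ.W $BC40   <- the word to change
    "4A1D"          # $BD0C TST.B (A5)+
    "66FC"          # $BD0E BNE.S $BD0C
    "51CEFFEA"      # $BD10 DBF D6,$BCFC
    "51CFFF2E"      # $BD14 DBF D7,$BC44
)

# Constructed sector (not the real block 224): a decoy BEQ.W with no JSR/TST
# around it at $40, and the real loop placed so its BEQ lands at $10C, the
# position the text reports. Everything else is zero filler.
DECOY = bytes.fromhex("67000010")
SECTOR = ((bytes(0x40) + DECOY).ljust(0x100, b"\0") + CHECK_LOOP).ljust(512, b"\0")

JSR_ABS = bytes.fromhex("4EB9")   # JSR (xxx).L opcode word
BEQ_W = bytes.fromhex("6700")     # BEQ with 16-bit displacement
TST_B_A5 = bytes.fromhex("4A1D")  # TST.B (A5)+

if __name__ == "__main__":
    patched, pos = patch_sector(SECTOR, JSR_ABS, BEQ_W, TST_B_A5)
    print(f"patched BEQ.W at offset ${pos:03X}: "
          f"{SECTOR[pos:pos + 4].hex()} -> {patched[pos:pos + 4].hex()}")
```

The same function handles the short form too: 670A (the byte count routine's BEQ.S) becomes 600A, because the low byte is left alone.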
The protection is now cracked on a permanent basis?
Reset and load the game.
BYTE COUNT ROUTINE
------------------
What the fuck's going on, the screen is all funny colours?
Oh dear, the end of the world is near! Now then, it can't be the checksum, because we did not change that. Think about it! It's got to be some kind of byte counting routine. So hit d' button, and "D".
7F0B8 BRA 0007F0B0
You will be presented with the above line. Find the whole routine. The bit you're interested in is:
1 0007F0AC B018 CMP.B (A0)+,D0
2 0007F0AE 670A BEQ 0007F0BA
4 0007F0B0 33C0 MOVE.W D0,$DFF180---
4 0007F0B6 5240 ADDQ.W #1,D0 |
5 0007F0B8 60F6 BRA 0007F0B0------
6 0007F0BA 4EF8 JMP 00000400.S
Have a closer look at this routine. Line 1 compares the byte pointed to by A0 with D0 (and steps A0 on). Line 2 branches to line 6 if they were equal. Otherwise it drops into the next instruction, which writes D0 to $DFF180 (COLOR00, the background colour); then 1 is added to D0 and the last line branches back to line 3, not line 1, so the screen just sits there flashing through the colours. Mystery solved!
If the compare is equal, a branch is made to line 6, which jumps to 400. 400 must be the start of the loader for the game. So logically, if we bypass this check it will not check the disk for the right number of bytes and will jump straight into loading.
Quit CMON and load DEKSID. As before, we will search for the BEQ (670A). Found it? Yes, no problem, it's on the boot block. This is the right routine; we know this because we wrote down the numbers before and after. Didn't we?
Quit DEKSID and load CMON. Yes, load CMON again!
Type: < s 30000 0 0 0 T0 S0 H0
Type: < s 30200 0 0 1 T0 S0 H1
The length of 1 block is 512 bytes ($200), and the boot block is the first two of them, so 1024 bytes in all.
This will load the boot block into address 30000. Disassemble from 30000 and scan it for the above routine. Found it? Good.
Now assemble the BEQ 0007F0BA into a BRA 0007F0BA (670A becomes 600A).
Calculate the boot block checksum: type "B 30000", or B and whatever address you loaded the boot block to, and hit return. This matters here where it didn't for block 224: the ROM checksums the boot block before it will run it, so a boot block with a patched byte and the old checksum does not boot. Now that's done, we want to write it back to the disk.
Type: >s 30000 0 0 0 T0 S0 H0
Type: >s 30200 0 0 1 T0 S0 H1
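The checksum CMON's "B" command recalculates, as an added example that is not part of the original text and is not CMON's code: it builds a boot block from the byte count routine above, patches the 670A to 600A and shows that the old checksum no longer validates until it is recomputed. The checksum rule is the documented Amiga boot block one (all 256 longwords added with end-around carry must come to $FFFFFFFF, the checksum living in longword 1 behind the "DOS" tag). The boot block itself is constructed; only the six instructions of the byte count routine are taken from the listing, and where they sit on the real Elite disk is not something the text says.

```python
"""Amiga boot block checksum, added example (not CMON's own code)."""
import struct


def ones_complement_sum(block: bytes) -> int:
    """Add all longwords of a block with end-around carry, as the ROM does."""
    total = 0
    for (w,) in struct.iter_unpack(">I", block):
        total += w
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def bootblock_checksum(block: bytes) -> int:
    """Checksum for longword 1: the value that makes the whole block sum
    (end-around carry) to $FFFFFFFF, computed with the field zeroed."""
    if len(block) != 1024:
        raise ValueError("a boot block is exactly 1024 bytes")
    zeroed = block[:4] + b"\0\0\0\0" + block[8:]
    return (~ones_complement_sum(zeroed)) & 0xFFFFFFFF


def bootblock_valid(block: bytes) -> bool:
    """What the ROM checks before it jumps into the boot code."""
    return len(block) == 1024 and ones_complement_sum(block) == 0xFFFFFFFF


def set_checksum(block: bytes) -> bytes:
    return block[:4] + struct.pack(">I", bootblock_checksum(block)) + block[8:]


# The six instructions of the byte count routine, assembled.
BYTE_COUNT_ROUTINE = bytes.fromhex(
    "B018"          # CMP.B (A0)+,D0
    "670A"          # BEQ.S +$0A (to the JMP)   <- the word to change
    "33C000DFF180"  # MOVE.W D0,$DFF180 (COLOR00)
    "5240"          # ADDQ.W #1,D0
    "60F6"          # BRA.S -$0A (back to the MOVE.W)
    "4EF80400"      # JMP $400.W
)


def make_bootblock(code: bytes) -> bytes:
    """Constructed boot block: DOS tag, checksum, root block $370, then code
    at offset 12 (where it really is on the Elite disk is not known here)."""
    header = b"DOS\0" + b"\0\0\0\0" + struct.pack(">I", 0x370)
    return set_checksum((header + code).ljust(1024, b"\0"))


ORIGINAL = make_bootblock(BYTE_COUNT_ROUTINE)


def patch_byte_count(block: bytes) -> bytes:
    """670A -> 600A in the boot code, then fix up the checksum."""
    code = block[12:]
    if code.count(bytes.fromhex("670A")) != 1:
        raise RuntimeError("BEQ.S not found exactly once; look at the context")
    patched = block[:12] + code.replace(bytes.fromhex("670A"), bytes.fromhex("600A"))
    return set_checksum(patched)


if __name__ == "__main__":
    stale = ORIGINAL[:8] + patch_byte_count(ORIGINAL)[8:]   # patch, old checksum
    print("original valid:", bootblock_valid(ORIGINAL))
    print("patched, old checksum valid:", bootblock_valid(stale))
    print("patched, recomputed valid:", bootblock_valid(patch_byte_count(ORIGINAL)))
```

If DEKSID had been told to "do checksum" on block 224 earlier it would have been pointless; here it is the opposite, and forgetting the "B" step is the usual reason a boot block patch ends in a disk that will not boot at all.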
CMOS SLEEPER WARNING
--------------------
Now reset and load up the game. When the protection question comes up, type anything you want. Voila. The game starts? Do you want to load an old commander? Yes or no. Select LAUNCH. Oh fuck, what's this shit on the screen?
PLEASE NOTE THAT THIS IS THE BIGGEST LOAD OF SHIT I HAVE EVER READ.
IT IS IMPOSSIBLE TO ALTER THE HARDWARE, THIS IS JUST TO SCARE THE LAMERS.
This is a mother to crack, eh!
Press the button again. "D", return. What do you see? (I don't know, what do you see?)
Look closer then, you stupid thick bastard!!!
Press the button on t' cart and "D" from the PC. Scroll up, then scroll down so the routine below is in sight.
You will be on 0162E0 BRA 000162E0
===================
0162AE LEA 3206(A6),A0
0162B2 LEA 25F9(A6),A1
0162B6 MOVE.W 4D2(A0),D0
0162C0 JSR 0000836E
0162C6 JSR 00000E4E
0162CC LEA 00004B2C,A0
0162D2 MOVEQ #2,D1
0162D4 JSR 000008E6
0162DA JSR 000008AE
0162E0 BRA 000162E0.S
===================
Now that we have found the start of the CMOS routine, we want to get the line which calls it. So type:
FA 0162AE
Let the cart search. After many hours it will come back with: found the address 016288.
So disassemble this address and you will find:
===================
016288 BRA 0162AE
===================
01628C LEA 00000702,A0
016292 CLR.W D0
Now we know the CMOS routine does not have an RTS at the end, just a BRA back to its own start (infinite loop). So logically we must take out the BRA at 016288. But if we change it to a NOP, the next instruction in line (the LEA at 01628C) will be executed, and we don't want that to happen, do we? So the obvious answer is to change the BRA to an RTS, which hands control straight back to whatever called this code without touching the instructions after it. Well, let's try this and see if we are right!
A 016288
016288 RTS
01628C NOP
Yep and yep again, it works!
All that remains now is to make this a permanent fix.
So either save the lines to be changed onto your blank disk, or take a chance and just reset, hoping that when you load up CMON it will not overwrite the memory we want to inspect.
Within CMON, disassemble 016288. Is the original code still there? If not, load the data file into any address.
Before:
016288 6000 BRA 0162AE
01628C 41F9 LEA 00000702,A0
016292 4240 CLR.W D0
After:
016288 4E75 RTS
01628A 4E71 NOP
01628C 41F9 LEA 00000702,A0
016292 4240 CLR.W D0
Now we know the words to search the disk for: 6000, 41F9 and 4240.
Quit CMON and load DEKSID. As before, "search hex" for 6000. It is a very common word, so check each occurrence found until there is a 41F9 two words later (6000 xxxx 41F9 0000 0702 4240); if both numbers are there, you know you have found the routine on disk. Once found, change 6000 to 4E75. The 0024 displacement word after it can stay: RTS is a single word, so the CPU has already returned before it ever gets to it, which is why the one-word disk patch behaves the same as the RTS/NOP pair typed into the cart. Next select "write block"; do not recalculate the checksum.
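Why it has to be an RTS rather than a NOP, and why leaving the 0024 word behind on disk is fine, as an added example that is not part of the original text and is not the cart, CMON or a real emulator: a stepper that decodes only the handful of opcodes involved (JSR, BRA, RTS, NOP, and the LEA and CLR.W as fall-through) and follows the path the CPU takes from 016288 under each of the four candidate patches. Two things are assumed that the text does not say: that the caller reaches 016288 with a JSR (the FA search only tells us 016288 is the caller of 0162AE), and that the body of the CMOS routine at 0162AE can be stood in for by a branch-to-self, which is how it ends anyway at 0162E0. The RTS placed after the CLR.W at 016292 is likewise a stand-in so that the NOP variant terminates; the addresses and opcode words at 016288 to 016292 are from the listing.

```python
"""Control-flow stepper for the four candidate patches at $016288.

Added example; memory is constructed from the listing plus the stand-ins
described above. It is not a 68000 emulator, only enough to follow the PC.
"""
from typing import List, Tuple

CALLER = 0x010000   # assumed: where the JSR into $016288 lives
ENTRY = 0x016288
CMOS = 0x0162AE

PATCHES = {
    "orig":     "6000 0024",   # BRA.W $0162AE  (what is on the disk)
    "nop":      "4E71 4E71",   # two NOPs covering the 4-byte BRA.W
    "rts_nop":  "4E75 4E71",   # what was typed into the cart's assembler
    "rts_only": "4E75 0024",   # the one-word disk patch: 6000 -> 4E75
}


def build_memory(patch: str) -> bytearray:
    mem = bytearray(0x20000)

    def put(addr: int, hexwords: str) -> None:
        data = bytes.fromhex(hexwords.replace(" ", ""))
        mem[addr:addr + len(data)] = data

    put(CALLER, "4EB9 0001 6288")    # JSR $016288    (assumed caller)
    put(ENTRY, PATCHES[patch])
    put(0x01628C, "41F9 0000 0702")  # LEA $702,A0    (from the listing)
    put(0x016292, "4240")            # CLR.W D0       (from the listing)
    put(0x016294, "4E75")            # RTS            (stand-in, see above)
    put(CMOS, "60FE")                # BRA.S self     (stand-in for the CMOS routine)
    return mem


def word(mem: bytearray, addr: int) -> int:
    return (mem[addr] << 8) | mem[addr + 1]


def step(mem: bytearray, pc: int, stack: List[int]) -> int:
    """Execute one instruction for its effect on the PC only."""
    op = word(mem, pc)
    if op == 0x4EB9:                          # JSR (xxx).L
        stack.append(pc + 6)
        return (word(mem, pc + 2) << 16) | word(mem, pc + 4)
    if op == 0x4E75:                          # RTS
        return stack.pop()
    if op == 0x4E71:                          # NOP
        return pc + 2
    if op >> 8 == 0x60:                       # BRA.S / BRA.W
        disp = op & 0xFF
        if disp == 0:                         # 16-bit displacement follows
            disp = word(mem, pc + 2)
            disp = disp - 0x10000 if disp & 0x8000 else disp
        else:
            disp = disp - 0x100 if disp & 0x80 else disp
        return (pc + 2 + disp) & 0xFFFFFF
    if op == 0x41F9:                          # LEA (xxx).L,A0: no control effect
        return pc + 6
    if op == 0x4240:                          # CLR.W D0: no control effect
        return pc + 2
    raise ValueError(f"unhandled opcode {op:04X} at {pc:06X}")


def run(patch: str, max_steps: int = 50) -> Tuple[str, List[int]]:
    """Return ("returned" | "loop", [addresses executed]) from the caller."""
    mem = build_memory(patch)
    pc, stack, trace = CALLER, [], []
    for _ in range(max_steps):
        if pc in trace:
            return "loop", trace
        trace.append(pc)
        pc = step(mem, pc, stack)
        if not stack:                 # the JSR's return address was popped
            return "returned", trace
    return "gave up", trace


if __name__ == "__main__":
    for name in PATCHES:
        outcome, trace = run(name)
        print(f"{name:9} {outcome:9}", " ".join(f"{a:06X}" for a in trace))
```

The "nop" trace shows the LEA at 01628C and the CLR.W at 016292 executing before anything returns, which is exactly the "next instruction in line" problem; "rts_nop" and "rts_only" give the same two-address trace, because the 0024 word is never decoded once the RTS has fired.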
Reset and load up the game. It should now be 100% cracked on a permanent basis. If it works, well done for following this idiot's guide; if not, you are a sad pathetic wanker and should have been shot at birth!
This is a fairly easy game to crack.