Prince of Persia

Hits: 11944

Remove MFM and Passwords

More
Tags
Category: TutorialsAmigaCrackingMFM
Author: Musashi9
Submitted by: musashi9
Date: 2004-07-25 17:24
No tags
Prince of Persia (1990) usa version
-------------------------------------------------

This has to be the USA version as the other 2 versions (uk / german) all load at different memory locations

what you will need
------------------------------
1. original game (find here)
2. an amiga or an amiga emulator (winuae)
3. an action replay cartridge or ar3 rom image for use with winuae
4. 1 megabyte of memory
5. Defjam Packer

once u have all these set up we shall begin

This has to be my all time favourite game of all time ,i fell in love with it the first time i played it on my cousins birthday ,his dad got a disk from work with 4 - 5 games on it and one of them was prince of persia :) it took us 3 days to do the first level :P
anyhoo back to the cracking ,
this game has 2 protections 1 is MFM,a disk based protection and the other is Password (i.e manual protection)
so lets fire up XCOPY and try to make a copy of this disk
as you can see from the picture below the disk is full of errors when we try and make a copy ,only the bootblock is error free so this disk can not be copied
but fear not we shall get past this :) i had a lot of fun with this game

ok lets have a look for more protection so boot up the game as normal
first you will see the Blue loading screen

then the title screen

so press fire to start the game at level one

you can either play the first level to get to level 2 or use the inbuilt cheat
lets use the cheat :P
press and hold LEFT SHIT key then press L key to skip to the next level
but level 2 doesn't appear instead we are at the Password protection screen

i hope you have your manual ready :P hehehehe
first enter action replay and press R then return

lets pay attention to this address highlighted in red
type M 63A6 and scroll down about 12 lines
hmm just text so lets start a little earlier type M 6300 and scroll down about 12 lines


hmm interesting :) lets go back to the game
ok so if you have your manual ready drink the potion required
once done you will be moved on to level 2
now hit you action replay button and scroll up to when we type m 6300
and hit return on that again ,go down 12 lines

hmm somethig has changed notice the 8 F's highlighted in red
interesting :)
press and hold CTRL key then press R to restart the game and go back to title
press fire to start level one then skip to password screen with left shift and L key
hmm hang on we are taken to level 2 not the password screen

ah this game has a built in option so if you have already entered a correct potion
you wont need to enter it any more no matter how many times you restart the game
so it puts FF FF FF FF at address 6378 if you picked the correct potion
and each time you leave level one it checks this address and if FF FF FF FF is there
it wont load the password level and will continue to level 2
i feel a easy crack coming on hehehe in other words no need to crack this part
we just put FF FF FF FF at address 6378 so prince of persia wont ever load the protection screen :) because we fooled it into thinking we already have :)
Devious and lazy i know but hey it works :P
ok so write that down FF FF FF FF needs to be put at address 3738
moving on :D
because we have 1 meg the game data is loaded into memory in one go ,which makes it better to crack ,(if you only have half a meg it will load each level as you complete it, hence the reason you must have 1 meg to crack this game)

ok so that is the password cracked but what about the MFM tracks how do we crack this one ,well like most early games they loaded in one go ,this game does but only if you have 1meg of ram that is why when you first boot a blue screen appears saying loading 1meg game ,if you only had 512k of ram it would say loading 512k version..... ok so lets load the game then rip off the data into 1 big file
ok so lets begin first thing is reboot with the original disk and once the blue screen appears saying loading 1meg game hit action replay and type
R
ok so lets take a look at what is loading ,to do this we read the bootblock into memory then disassemble it
so type
RT 0 01 50000
this will read track 0 to address 50000
now disassemble the bootblock by typing
D 5000c
we start at 5000c because this is where the boot-code always starts and not 50000
because the first few bytes spell the word DOS
ok so scroll down and search fora JMP keep searching until you find one
at around about 50200 + you should find 2 JMPs but only 1 is jumping to a specific location that is 50226 is jumping to address 7E988

hmm ok right this down ,if we go to this address we see some code ,type
D 7E988
scroll down some more until you see this

another jump,this look like a jmp into the main game ,but there is a lot of data being executed before it gets to this jump ,i suspect its the loader because if we leave action replay and come back in and press D to find out what code is running we will be around this area plus above this jump do you see LEA 00001000.S,A1
this is where the data starts to load into so this is the loader
ok so lets stick a freeze loop at the jump address so it wont jump into the game it will just stick at the loop going round and round
type
A 7EA30
BRA 7EA30
and exit action replay and let the game load after a while there is no activity lets check the game is finished loading by going back into action replay and press D and enter and we should have this

its stuck at our loop ok so lets rip off all the data shall we hmm but before we do
lets make some changes to the game ,the first thing we want to do is stop that pesky password screen from appearing ,we do this by putting FF FF FF FF at address 6378 ,remember?
ok so type M 6378
then replace the first 8 spaces with FF FF FF FF and press enter then ESC
ok that's that taken care of
oopps almost forgot replace the BRA loop we made with the original jump ,type
A 7EA30
JMP 1F636
once that has been done you should get some reg information, type R, then
type INFO to get some other information and it should look like this

now we have a problem if we load all this data in one go and run it then it will run the MFM track loader too and we don't want that . We know this starts at address 7E988 so lets remove the track loading routines
dissasemble address 7E988 type D 7E988
scroll down some
we have a lot of MOVE.L d0,.... ect... ignore those
scroll down some more until we come to our first BSR right this is the loading routine right down to the jump into the main game so we bypass this with a simple BRA to the jump ,so scroll and find that first BSR at address 7E9BE and we know the jump is at address 7EA30 but we want to bra to the code just above the jump at address 7ea2c otherwise the game wont load

so we found our first BSR ar address 7E9BE so this is where we skip the mfm track loader
type A 7E9BE
BRa 7ea2c
,right that's it for now lets finally save our data
put in a blank disk and type
SM 1,1000 bA000
we know it starts from address 1000 and if we do a NQ 70000 we know the last bit of data in memory ends at address ba000
phew ,once this is done lets
pack our data into 1 big executable
for this we need DEFJAM packer
so completely reset and load up defjam packer
once loaded you are asked if you want to do a mega crunch ,no we don't so say N for no
then we are asked for low memory so we put in our start address which is 1000
then we are asked for high memory so we say ba000
it will clear that amount of memory and then it asks for scan range
this is saying how much do you want to pack the file ,the higher the range the longer it takes to pack but the smaller the file size will be ,but this aint to important right now just put a safe number like 24

next it asks load type ,put O for plain then for file-name we insert our disk with the saved data on and type df0:1 and load into address 1000 it will then load the data so wait a while then once that is done hit return to start packing ,the screen will go funky and then black with some digits so dont panic after a while it should say finished ,you hit enter once more then it asks for a jump address ,here we type 7e988 because this is our jump address then it asks for flash register we want a good old fashion green and black flash so choose 00
now it asks do you want a pro de-cruncher ,yes we do the reason for this is our game uses up memory that DOS normally users so if we try load in dos it will crash but with a pro de-cruncher this isnt a problem so choose yes
then it asks for (sheesh it asks for a lot doesn't it)
DMACON :
right so now lets go back to our first image we saved ,remember we pressed R then typed INFO well all that information we need right now so go get it
just to remind you here it is

ok so for DMACON: we see on the image it is 0380 so type that
next is INTENA and from our picture we see it is 4000 so type that
next is ADKCON and we have it as 2100 so put that
next is status reg which is 2708 so use that
next is locate de-cruncher ,lets put it in a safe place at address 100
next is stack ,put 1000
ok now save it to a blank disk and save it as persia
it will ask do you want to save again ,choose no ,then it asks do you want to run it now ,choose yes ,and after a while the screen starts to flash
then hey presto the game loads

and you have a 1 filed fully cracked version of prince of persia
so far there are 2 other versions out there both are the same version PAL EURO
and both cracked and trained by angels ,although the fusion trainer says its +3 but its not they just ripped off angels hard work , the game has infinite lives anyway so that isn't a trainer option so anyhoo this is the USA version and I have 3 trainer options for it 1 is time one is energy and the other is a fully working proper level skip ,the inbuilt level skip only lets you go to level 4 but mine by passes that so trainer makers out there msg me and we can make a cool trainer for this too

Powered by the best online Amiga mod player: FLOD


Some more you may like:
Fusion - Prince of PersiaAngels - Prince of PersiaAngels - Prince of PersiaTal - Prince

Comments

Leave a Comment!

Name:
: Use this calculator
Your comment will be available for editing for 10 minutes
2004-09-23 00:10

1. Codetapper writes

You should avoid using the Defjam cruncher to pack files because it will only work on a 68000. It assumes a 6 byte stack, pushing the SR and game address and then does an RTE. This crashes on most Amigas and limits who can run the game.
reply
2011-12-23 22:15
Avatar

2. sergiu writes

я хочю эта игра на процэссор amd athlon x 2 спасибо балшое есль паидеот то ставите комент прашу я
reply
2011-12-23 22:16
Avatar

3. prince of persii 1990 writes

я вас прашу
reply
2011-12-23 22:19
Avatar

4. ыукпшг writes

я даволен и жду игра
reply
2012-09-12 10:11
Avatar

5. dave writes

Firstly excellant site, and tutorial!.
Excuse my ignorance but is somebody able to show me how you know the file ends at address ba000? and explain NQ 70000?
My AR MKIII doesnt understand area ba000? (N ba000 results in ??? / 80000 seems to be the max?). I dont think I have the correct memory configuration?
Also can you clarify when is the correct time to freeze and show Registers / INFO to get the correct SR, DMACON, INTERNA, ADKCON and A7 (stack) for Defjam packer purposes. Is the correct time to show this info as soon as the loader starts?. It says when the blue loading screen appears, I have done this several times, and sometimes I get a different values, how do I know which are the correct to use?
Go Amiga! :)
reply
2012-09-12 10:42

6. musashi9 writes

Oh dear I forgot this crappy tutorial was still on here :P
I suggest you use 1mb chip with your Winuae CONFIG. That way you shouldn't have any more memory problems.
As for the INFO section you can enter AR as soon as the blue screen appears
then Press R for the SR and then type INFO for the rest of the info, don't worry if your details differ.
reply
2012-09-12 18:15
Avatar

7. Dave writes

Thanks 4 reply!
Dumbness on my part, I now can access ba000 memory range, but I'm still struggling :(..
I set a loop at 7EA30, and let the PP load up, and jump back in and we are at 7EA30. I run NQ 70000, and last line displayed here is 7FED6 (Quick dump up to address 100000) I manually look through from 7FED6 and no data is displayed from about 80000 up to BA000? Nothing loaded here?.
Carrying on I have saved sm pp,1000 80000. At this point too the SR = 2708.
Now after a reset I go back into AR, lm pp,1000. Now when I set the SR = 2708 and type g 1F636 I get PP blue screen saying unexpected level6 interrupt, I go back into AR, now set SR = 2700 and type g 1F636, this time I get PP blue screen saying unpack failed, Im not sure if the SR is connected to this as I have tried a few times, and my blue screen errors are varying? :)?, plus we know I may not have saved all the data :)?

Im basically trying to lm back the file I saved to check it works first, but not sure how to correctly achieve this, and what registers to setup first, or how to find this?

An additional question :) :) I have aswell is can you explain why to skip MFM loader we BRA to 7EA2C, and not 7EA30 which JMP to 1F636 (Main Program), Just wondering why the address before, doesnt BSR 7EDD2 get executed?

Apologies if any of these questions sound dumb (I've waited 22 years! to find out this stuff :). Cheers again.
reply
2012-09-12 23:26

8. musashi9 writes

Sorry my fault, make sure you have only 1mb chip and no other memory (slow | fast) I suspect it is loading the rest of the data to slow memory

I have gone through this step by step, you are right, ignore the jmp to 7e988 with defjam packer, use jmp 1f636 instead.
if you reset and load your file with AR and jmp 1f636,with SR at 2708 (type: R SR 2708) you will get a level 6 error, if you re-enter AR and type G 1f636 again, the game should work.
I suspect the reason you get an unpacked failed error is because it still only loaded to 80000 and not b4000, therefore no files to unpack from 80000+. This should be fixed if you set only 1mb chip and no other memory.
I also now end up with a SR of 2708 so use that with defjam packer.

EDIT: I have updated the important images to make them easier to read and moved the GET INFO section to the MAIN GAME BRA LOOP section, and changed the SR to 2708.
reply
2012-09-13 17:24
Avatar

9. Dave writes

Hi musashi9, thanks for getting back to us, Ive made a little more progress :)............
The 1 MB chip and no other ram now means I'm able to rip data from 1000 to B33D0 (seems to end here on my machine). I believe this is all the data becuse I'm able to reset Amiga and enter AR then lm pp,1000. Now it doesnt seem to matter what I set the SR to, the first time I G 1F636 I always get a blue screen with 'unexpexted level6 interrupt', I go back into AR, then second time I G 1F636 it loads! :).I have tried this many times now, infact I can lm pp,1000, never set any registers, and the second time I G 1f636 it always seems to load?. So what are the correct settings so I can lm pp,1000 and G 1F636 first time to successfully load?, and how do I find these? Can you explain why it always seems to work second time round?
Very interested to know how I can successfully lm pp,1000 G 1f636 and it work first time?

Also with regards to skipping the MFM I still dont get why it says to set A 7E9BE to BRa to 7ea2c? (one line before 7EA30?). I have achieved the same results (if I can call it that) as above with setting A 7E9BE to BRA to 7ea30, 7ea30 is a JMP to 1F636. I can then either type G 7ea30, or G 1F636 as they both ultimately go to the same address 1F636.

One other thing my ADKCON setting is 1100, does this matter?

Cheers in advance :)
reply
2012-09-13 23:22

10. musashi9 writes

Congratulations :)
Ignore anything to do with skipping the loader stuff this was a mistake and you should always just jump to 1f636. I am going to remove references to jmp 7e988 for future readers.

As for AR booting the game without setting the SR, it could be because of the code at 1f636 | sets up a SR @ 1f648 | so the second time you g 1f636 it is already set by the first attempt?

Any way it is time for you to try it with DEFJAM packer, you can find it here
reply
2012-09-14 09:48
Avatar

11. Dave writes

Me again! :)
I still dont get what the registers should be before JMP 1F636, I have got blue screen 'unexpexted level 6 interrupt' first time round, then go back into AR, now just before G 1f636 for 2nd time (successfull). I have then noted all regsites A0-7 D0-7 PC USP SR, reset amiga lm pp,1000 again and this time set ALL registers to what I noted before, and it still doesnt work first time round?, 2nd time it works?. Guess Im not getting the right register values at the right time, you mention 1f648?

As for using Defjam packer, I have successfully packed the file, but when I run it and decrunches I get the blue screen 'unexpected level 6 interrupt', go into AR type G1f636 and it works. If I cant get it to work first time in AR lm pp,1000 it aint gonna work first time packing the file?

I've been trying this tutorial as initially I was having problems with the defjam part of Galahad/FLT Carrier command tutorial, but thats another story. Want to get this one resolved first, if possible :) Thanks for your patience :)
reply
2012-09-14 10:19

12. musashi9 writes

can you upload the single file you made some where (unpacked file not the defjam one)? I want to try and see what results I get.

Can you download and try my version on your set up
you can find it here
Boot to dos then type 3 plus enter

Regarding 1f648
if you disassemble from 1f636(main game jump) and continue on down to 1f648 you will see it set up
move.w #2700,sr

Perhaps always set your defjam to SR 2700 instead of what info AR gives you
reply
2012-09-14 11:20
Avatar

13. Dave writes

Hi Musashi9,
Your packed version works fine here first time.

Heres my grab of data unpacked that I'm trying to get to work.
here

Thanks agin!
reply
2012-09-14 12:08

14. musashi9 writes

This is what I made with your file.
exe file name is 1

These are the defjam settings I used
DMACON 380
INTENA 4000
ADKON 2100
SR 2700
DECRUNCHER LOCATION c00
STACK 1000
reply
2012-09-14 14:51
Avatar

15. Dave writes

Hi musashi9,
Right here is where I'm at. I had originally been using DefJam Packer v3.5, and when I did it did not work. When I tried with DefJam Packer v3.2 it did work!. It even worked using the settings I found on my machine here.
SR 2708
DMACON 380
INTENA 4000
ADKCON 1100
A7 1000
decrunch location 100
So maybe DefJam Packer v3.5 doesnt work properly?, even though it states it has bugs removed!?

One final question I have for curiousitys sake, is how I can load the datadump file up in AR. I can lm pp,1000 but I can not seem to set A7 register to 1000, when I type r a7 1000 it puts 1006 into A7, how would i get this file to work loading inside AR? Im sure if I can set A7=1000, and SR=2708 and then type g1F636 it will work first time.

One other little question, above you put the decruncher location at c00, this is 3072 in decimal, isnt this after the start of code at 1000?

Thanks for all ya' help.
reply
2012-09-14 21:54

16. musashi9 writes

Putting the decruncher location at $c00 (3072 decimal) is below $1000 (4096 decimal)

You can assemble some code as such
A $800
..... lea 1000,a7
..... move.w #2708,sr
..... jmp 1f636
then G 800
This did not work for me, but I tried again and put a BRA loop where the JMP 1f636 is and left AR and re-entered and pressed R to check A7 and SR were set up properly.
Then I replaced the BRA loop with JMP 1f636 and it worked first time, but I had to leave AR first then re-enter and put a jmp 1f636 in place of the bra loop.

I managed to trace back the call to the level 6 interrupt error
D when error occurs
we are at 7f396..trace up to the start of this routine = 7f38e
Find address 7f38e
FA 7f38e =
7e97e jmp 7f38e
7ea3e jmp 7f38e
7ec7e jmp 7f38e
Then I put a bra loop on each jmp and did a G 1f636 to see which jmp was called
It was the first jmp at 7e97e. Then I traced the start of the routine for 7e97e and found address 7e976. Once again I traced what called this, which led me to address 195b6. Trace the start of 195b6 and I found 19586. I cancelled this out like so
A 19586
rts
then I G 1f636 and the game works first time
So for a quick run do the following
AR

lm pp,1000

A 19586
rts

G 1f636

or

a 7e976
rts
g 1f636

Both seem to work
However I don't recommend you leave this rts in your final defjam version.
reply
2012-09-16 19:06
Avatar

17. |)ave writes

Hi musashi9, u da man:)
Cheers for the help!, school boy error with decruncher location memory :)

I can see and follow the logic above and find the same here. Any reason why you have to set up SR and A7 first , then go back in and it works? Just wondering?

Is there any reason too why it doesnt pack with Defjam v3.5, that you know of?

Wanna help me figure out why I cant pack carrier command to work? :) this one I can load into AR set the SR and G 400 first time, I just cant get the crunched file to work, and not sure where to pick up the correct DMACON, ADKON, INTENA, A7 settings?

Cheers again.:)
reply
2012-09-26 07:26

18. musashi9 writes

Which ipf are you using for Carrier Command?
reply