Submitted by: Rob
Date: 2006-10-08 15:19
? Core Design
How to single disk it.
What you need:
- Original/SPS release game
- Tools DiskX, DiskFiller & Propack (download from link in the tutorial)
- Some copy program like BurstNibbler/X-Copy
- A few blank disks
- AR3 cart. or ROM image
So, the point with this txt, is to describe how to make Wolfchild fit on one disk instead of two.
Why ? ? I have no idea, just do it if you are bored enough.
All good has a price, including this. Of course there is a reason for the game being two disk, so
something have to go, and here the intro will have to suffer.
We?ll simply rip off the main file from disk one and write it to disk two and make the disk
bootable & wola ? you got a single disk version of Wolfchild. Question is where on disk two to locate the main file..
I tried playing the game from A-Z while keeping eye on track counter and it seems like tracks 68-79 is not used,
so we can put the file there.
Start of by booting the game. First the Core logo appears and then the intro. After the intro game
loads for a while, freezes and then a screen appears, asking for disk two. This freezing time, is probably
the main file being decrunched..
Boot up the game & enter AR after you skipped the intro and game stops loading.
(screen says ? PLEASE WAIT ? and nothing happens)
Lets have a look at what happens. Press D followed by enter a few times. This disassembles memory.
You will see some addresses in the 400 area of memory. Try having a look a memory below 400, ex. 310 with
N + enter a few times. Just blank memory, till address 400. This tells us the file most likely starts at address 400.
Ok, we are interested in ripping of the file before game starts, so next point is locating the instruction which executes
the file. Disassemble address 400 and stop when this appears:
Above looks interesting. From address 47E-4AE, some opcodes are moved into stack (not sure, but I might have seen
this some other place, can?t remember where) and executed by
address 4AE with a jump instruction into stack.
AR has a function called BREAKPOINT, which can be used to halt the computer, when a specific memory address
are reached. It could be interesting to halt the computer when the jump is executed, so we can see what happens.
Set a breakpoint at address 4AE; BS 4AE & exit AR with X+enter. After a few secs AR pops up, cause the breakpoint
Now, the jump was a JMP (A7), so we need to see which address A7 (stack) points to. You can see all regs. With
The function R+enter:
Ok, on the first row we have all data regs. From D0-D7 and next row is address regs. A0-A7. A7 points to
Address 6DC1E, this is the address game executes with JMP (A7). Disassemble address 6DC1E and hit enter a
Few times. A small routine appears, which ends at address 6DC3C ? looks like its copying something.
Put a new breakpoint at address 6DC3C (end of the routine) and exit AR, see above pic.
When AR pops up, see regs again:
When game reaches the RTS at address 6DC3C, it will execute the address which is stored in the stack (A7).
Guess which address..
See contents of stack with M 6DC7A + enter. Stack points to address 400. If you look at memory at address 400 with N 400,
You will see memory has changed, so our file is now decrunched.
Ok, so now we have a decrunched file in memory & we know it starts at address 400, but where does it end ??
Lets go back and have a little look at the copy routine in stack & the regs:
The routine is moving data from what A0 points to (address 9BC) to what A1 points to (address 400). And it continues
to do this, till reg. D0 is 0. Therefore D0 must hold size of file + 400 = 44490+400 = 44890, that?s our end address.
Insert a blank disk and save clean file: SM A,400 44890. You now have the main file on a disk, file called ?a?.
Next problem is the disk reg., asking for disk two. We need to bypass this. Insert disk two and exit AR.
The req. appears. Enter AR again and disassemble memory:
You might need to exit and AR a few times before you end up around address 121CE. What happens here, is the game
Is checking if fire has been pushed. If not, game loops the routine at 121C8, until fire is pressed. Simply remove the BEQ
At 121D8 with a NOP ? see above picture, and game will think fire has been pressed.
Next little problem is the copy protection. As this is not a cracking tut, no need to say much here.
Just insert the following opcodes at address 16C8E: 0a 9c 7c 23 80 a7 0e 23 e0 8f, followed by enter.
Also see pic:
When done, save file as ?b?: SM B,400 44890.
Next step is packing our new main file, to make it fit on disk. Copy program ?ppami.exe? to same disk as main file.
Boot the disk and crunch file by typing: PPAMI.EXE P M ?X400 B + enter.
Where M is for 68000 files
Where P is for command pack
Where X400 is to decrunch at address 400
Where B is filename.
When ProPack is done, you got a packed file called ?b.RNC?.
Next step is writing the file to disk. As mentioned earlier, it seems like game is not using data from track 68-79, so we can
Put file here. Start program ? Disk X ?, insert WolfChild disk two in DF0:. From Menu ? UNIT?, choose ?DF0:?.
In lower left corner, you can see which track # is shown and block # just above. Block 1516 is end of track 68 and should
be a good start point (even though it seems like there is data on the tracks..). We know to start on block 1516.
Start program DiskFiller. This is the program to use for writing the file.
With Wolfchild disk two in DF0: and disk with main file on in DF1:, press ?GET? and point to packed main file on DF1:
In field ?First Block? set it to 1516 & choose do it. Then it ask a question, just press ?YES?.
The field ?SAVE SOURCE ? can be pressed now. Save source as some file name and open it with a txt editor:
Values are important for writing the new boot loader. BD800 is offset to load from & 1E200 is amount to load, take
Note of these numbers.
Next if writing the actual loader. As you might remember, the file started at address 400, which is a little problem, since
The boot block is located in low chip and file would over write the boot block in memory, if loaded directly to 400 & cause
the mighty Guru to visit us.
We can fix this, by loading the file into high chip memory, put the computer in supervisor mode and then copy file
from high chip, down to low chip.
Here is how the final boot loader will look like: (its included on the adf called boot)
First it sets background colour to black, then loads the packed main file to address 50000. A copy routine copy
rest of the boot block into memory, starting from address 70000 & executes this in supervisor mode.
The little program at 70000 then copy main file from 50000 to 400 and executes it.
You can just copy the included boot block to your disk two.
And now you got Wolfchild on one disk..
Filesize: 0KB, downloaded 120 times