© Core Design
How to train it
You will need the following:
1. Original crack done here on flashtro
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Double Action - find it at amiga-stuff.com
6. DiskFiller - find it at http://wuarchive.wustl.edu/aminet/disk/misc/DiskFiller11.lha
The source can be downloaded at the top of this tutorial.
In this txt we will make a trainer for Rick Dangerous, using the Alpha 1 / Siriax trainer menu.
(thanks to A1 for the instructions on keyboard access)
The following options will be included:
- Unlimited lives
- Unlimited shots
- Unlimited bombs
- No collision detection
- In-game keys
Start a new game. We have six lives to start with. Enter AR and start the trainer search: "TS 6".
When it has finished searching, exit AR and lose ONE life. Enter AR and continue the trainer search: "T 5". You will end up with address 44972. This is the address where the game stores the number of lives. Let's try finding instructions that subtract a value from this address. Type in: "FA 44972". AR will return some addresses, but only one with a SUBI.
Address 45e3c subtracts one from the lives counter. Have a look at the hex code of this instruction: "M 45e3c". The "01" marked in red is the number of lives to subtract. If this is changed to "0", you have unlimited lives. This means we need to put a "00" at address 45e3f (the immediate byte of the SUBI that starts at 45e3c). Follow the above procedure to locate the instructions for shots & bombs. You should end up with this:
Lives put 00 at 45e3f
Shots put 00 at 45b97
Bombs put 00 at 45c6b
No collision detection would be nice. Let's see where the routine that counts down the number of lives starts.
Disassemble address 45e3c and hold Enter down till the bottom of the screen has been reached. Scroll back up and watch out for the start of the routine. It starts at address 45e34. See what calls the routine: "FA 45e34 10000".
AR returns two addresses. Disassemble the first one, scroll down and back up to get an overview of the routine:
Address 456ba checks if address 4557e is equal to 0. If it IS, the code at address 456ca is branched to; if NOT, a BSR calls the routine that subtracts a life from the life count address.
What if we change this BEQ to a BRA, so the count-down routine is never called?
Type "M 456c0". The "67" is the BEQ opcode byte; change it to "60", which means BRA. Exit AR and see what happens when the rock hits you:
Yep, nothing, it goes right through you. This collision cheat works with everything except spikes placed on e.g. a rock.
It would also be nice to have some in-game keys. We can do a toggle for the options and a refresh.
For toggling, the EOR instruction is perfect. It is very useful for shifting between two values.
To train lives, we put a "00" at address 45e3f. The original value was "01". If #01 is EORed with #01, the result will shift between "00" and "01". So, to toggle lives, shots & bombs, simply do an "EOR.B #01,<address>" on the lives, shots and bombs addresses.
To toggle collision, the value has to be #7: the original opcode byte was 67 (BEQ) and we want to change it to 60 (BRA), and 67 EOR 07 = 60.
To refresh e.g. lives, we need to write the value 6 (the start value for lives, shots & bombs) to the count address. The count address is shown by the SUB instruction:
To refresh lives, we need to do: "move.b #6,44972".
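The search, reference scan and byte patches from the steps above, plus the EOR toggle, as an added Python model (this is not the tutorial's code and not a real Action Replay): the memory image is a constructed snapshot with a SUBI.B #1,$44972 and a BEQ placed at the addresses the tutorial found, the "TS 6 / T 5" refinement is a set intersection over two snapshots, and the 68000 encoding of SUBI.B #imm,abs.l (opcode 0439, immediate word, 32-bit address) is the standard one.

```python
# Added example, not from the tutorial: a model of the Action Replay trainer
# workflow.  The memory image is a constructed snapshot, not a game dump.
#
#   TS 6 / T 5  -> differential_search(): addresses that held 6, then 5
#   FA 44972    -> find_references(): scan for the 32-bit big-endian address
#   M 45e3c     -> decode SUBI.B #imm,abs.l and locate its immediate byte
#   patch / EOR -> patch_byte() checks the old byte first, toggle_byte() XORs
import struct

LIVES_ADDR = 0x44972     # where the game keeps the life counter
SUBI_ADDR = 0x45E3C      # subi.b #1,$44972.l lives here in the tutorial
BEQ_ADDR = 0x456C0       # beq that skips the "lose a life" routine
BASE = 0x44000           # the constructed snapshot starts here
SUBI_B_ABSL = 0x0439     # 68000 encoding: SUBI.B #imm,(xxx).L

def make_snapshot(lives):
    """Constructed memory: life counter, the SUBI and the BEQ at their
    tutorial addresses, a decoy that also holds 6, everything else zero."""
    mem = bytearray(0x2000)
    mem[LIVES_ADDR - BASE] = lives
    mem[0x100] = 6                      # decoy: shows why two searches are needed
    struct.pack_into(">HHI", mem, SUBI_ADDR - BASE, SUBI_B_ABSL, 1, LIVES_ADDR)
    mem[BEQ_ADDR - BASE] = 0x67         # BEQ.s opcode byte
    mem[BEQ_ADDR - BASE + 1] = 0x08     # displacement (irrelevant here)
    return mem

def differential_search(snapshots):
    """snapshots: list of (memory, expected_value).  Returns the addresses whose
    byte matched every expected value in turn, like TS followed by T."""
    candidates = None
    for mem, value in snapshots:
        hits = {BASE + i for i, b in enumerate(mem) if b == value}
        candidates = hits if candidates is None else candidates & hits
    return sorted(candidates or [])

def find_references(mem, target):
    """FA: every address where the 32-bit big-endian value `target` appears."""
    needle = struct.pack(">I", target)
    return [BASE + i for i in range(len(mem) - 3) if mem[i:i + 4] == needle]

def decode_subi_b_absl(mem, addr):
    """If `addr` holds SUBI.B #imm,abs.l return (imm, imm_byte_addr, target)."""
    opcode, imm, target = struct.unpack_from(">HHI", mem, addr - BASE)
    if opcode != SUBI_B_ABSL:
        return None
    return imm & 0xFF, addr + 3, target     # low byte of the immediate word

def find_subtract_instruction(mem, counter_addr):
    """Walk back from each reference to the counter to the SUBI that owns it."""
    for ref in find_references(mem, counter_addr):
        if ref - 4 < BASE:
            continue
        dec = decode_subi_b_absl(mem, ref - 4)  # opcode(2) + imm(2) precede the address
        if dec:
            return ref - 4, dec
    return None

def patch_byte(mem, addr, expected, new):
    """Write `new` only if the byte still holds `expected`: never patch blind."""
    off = addr - BASE
    if mem[off] != expected:
        raise ValueError(f"{addr:x}: expected {expected:02x}, found {mem[off]:02x}")
    mem[off] = new

def toggle_byte(mem, addr, mask):
    """EOR.B #mask,addr: flips between the original and the trained value."""
    mem[addr - BASE] ^= mask
    return mem[addr - BASE]

if __name__ == "__main__":
    before, after = make_snapshot(6), make_snapshot(5)
    print("TS 6 / T 5 ->", [hex(a) for a in differential_search([(before, 6), (after, 5)])])
    instr, (imm, imm_addr, target) = find_subtract_instruction(after, LIVES_ADDR)
    print(f"subi.b #{imm},${target:x} at {instr:x}; immediate byte at {imm_addr:x}")
    patch_byte(after, imm_addr, 0x01, 0x00)        # unlimited lives
    patch_byte(after, BEQ_ADDR, 0x67, 0x60)        # BEQ -> BRA: no collision
    print("toggle collision ->", hex(toggle_byte(after, BEQ_ADDR, 0x07)))
```

The decoy byte at offset 0x100 survives the first search (it also holds 6) and is dropped by the second, which is the whole point of losing exactly one life between "TS 6" and "T 5". The expected-byte check in patch_byte is the habit worth keeping: it refuses to write if the game image is not the one the addresses were worked out on.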
To use in-game keys, we need to hook into the keyboard routine. It often starts with a read of BFEC01.
Ocean uses a different way. You can find their routine by searching for "4E 73" (RTE). If the routine above it is something like "move.b c00(a1),d0 or d2", then you've got it.
Let's search for "F BF EC 01". AR returns address 4282B. The routine looks like this:
We can change address 42828 to a "JSR patch". At the start of the patch we need to restore the "MOVE.B BFEC01,D0" we overwrote; this instruction moves the input from the keyboard into D0.
I would like to use the function keys to toggle options. The question is, what value do they have? Insert a breakpoint at address 4282e and exit AR (the breakpoint is right after the input has been moved into D0). In game, press F1. AR pops up due to the breakpoint. See the registers with "R". The byte value of D0 is 5F.
This means that to check if F1 is pressed we do a "CMPI.B #5F,D0".
What about F2? Repeat the above procedure and you'll see F2 has the value 5D. F3 is 2 smaller: 5B, etc.
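Why the values step down by two, as an added Python example (not from the tutorial): the byte read from $BFEC01 is the CIA-A serial data register, which holds the raw keycode inverted and rotated one bit right so the key-up flag lands in bit 0; decoding it is the usual ROR.B #1 then NOT.B sequence. The raw codes $50..$59 for F1..F10 are the standard Amiga raw keycodes, which gives exactly the 5F / 5D / 5B the breakpoint showed.

```python
# Added example, not from the tutorial: relation between the value the game
# reads from $BFEC01 (CIA-A SDR) and the Amiga raw keycode.  The keyboard
# sends each code inverted and rotated right by one bit, so the key-up flag
# sits in bit 0 of the SDR byte; decode = ROR.B #1, NOT.B.
F_KEY_RAWCODE = {f"F{n}": 0x50 + n - 1 for n in range(1, 11)}   # F1=$50 .. F10=$59

def ror8(v):
    return ((v >> 1) | ((v & 1) << 7)) & 0xFF

def rol8(v):
    return ((v << 1) | (v >> 7)) & 0xFF

def decode_sdr(value):
    """SDR byte (what D0 holds after MOVE.B $BFEC01,D0) -> (raw keycode, key_up)."""
    code = (~ror8(value)) & 0xFF
    return code & 0x7F, bool(code & 0x80)

def encode_sdr(rawcode, key_up=False):
    """Inverse of decode_sdr: the SDR byte produced for a raw keycode."""
    code = (rawcode & 0x7F) | (0x80 if key_up else 0)
    return rol8((~code) & 0xFF)

def fkey_sdr_values():
    """Key-down SDR bytes for F1..F10, i.e. the operands for CMPI.B #xx,D0."""
    return {key: encode_sdr(code) for key, code in F_KEY_RAWCODE.items()}

if __name__ == "__main__":
    for key, sdr in fkey_sdr_values().items():
        print(f"{key:>3}: cmpi.b #${sdr:02X},d0   (raw code ${F_KEY_RAWCODE[key]:02X})")
```

Because consecutive raw codes differ by one and the byte is inverted before the rotate, each step down the F-key row subtracts two from the SDR value, which is the pattern observed with the breakpoint. A key release sends the same code with bit 7 set, so a trainer that only compares against the key-down value will not fire twice per press.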
We can now begin to code the actual trainer. Load the source in ASMONE or some text editor. We need to start by setting up some values in the trainer.
Patch address is the location for the trainer patch. Set it to $1fc. CMPBYTES is where to locate the bytes to check for options on/off. Choose $c0.
LINES is the number of trainer options; we have 5, so set 5 :)
PAGEADR is the number of text pages; I have removed page 3.
The trainer code must be inserted after the text "PATCH". Never mind my "crack".
Start the trainer with "Trainer:". Start each option with its description, e.g. for lives, "LIVES:". Each option must start with a "CMPI.B #01,$xx". If your first option is lives, and the user chooses unlimited lives on, address c0 will be set to #01; if it's chosen off, c0 is set to #00. Therefore each option must start by checking whether the option has been chosen or not. The next option, e.g. unlimited shots, will be set at address $c1.
Start with lives:
lives:
    cmpi.b  #$01,$c0.w    ; check if the user selected unlimited lives
    bne     shots         ; if not, branch to the shots option
    move.w  #$0,$45e3e    ; zero the SUBI immediate word at 45e3e/45e3f: train lives
shots:
The trainer should end by starting the game. To start this game, I can see the cracker jumps to address 10000, so we have to do the same.
Then there is the text to do:
When done, save your source and start up ASMONE. Set up the parameters marked in red:
After pressing Enter, a file requester will appear. Choose your source code:
Assemble the file by typing "A". Then save the file: "WO". Choose a filename and exit ASMONE.
The next part is relocating & packing the trainer, so we can trackload it.
Start Double Action & select "load" from the file menu.
Select your saved exe file and press OK. I called it "RR":
A new screen appears:
Fill out all fields marked in red. This will crunch the file to address 30000. The decruncher will be located at 10000 and overwritten by the game. When done, save the file.
The next part is writing the file as tracks to the disk. For this I use a program called "DiskFiller". Select "GET" and choose your newly crunched file. In the field "first block", choose 1600 & press "do it". I have of course checked that block 1600 is free; use e.g. DiskX for this purpose.
It will say "last block 1628, ok to write?"; select yes. When done, the field "save source" can be chosen. Choose it and save the source to e.g. the RAM disk. Open the saved source, and you can see the values for your track loader:
The value marked in red is the disk offset and the green value is the amount to load.
Insert your crack in DF0: and read the boot block into address 70000: "RT 0 1 70000".
Assemble at 70100 and make a track loader based on the source from DiskFiller:
The track loader itself ends at address 70134. We need to call the track loader as the first thing. Disassemble the start of the boot block and take note of the first code. Change it to "BRA 70100". Assemble at 70134, restore the code removed from the start of the boot block, and end with a "BRA 70010" back to the original loader.
The original crack jumps to address 10900, where the game is started in supervisor mode. We need to change this so our trainer patch at address 1fc is called instead. Assemble at 70060 (the original jump into the game) and insert the code marked in red:
This will call our patch instead, and our patch starts the game by jumping to address 10000.
Correct the boot block checksum and write the track back.
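The checksum correction in the last step, as an added Python example (not the tutorial's code): the standard Amiga boot block checksum is the end-around-carry sum of the 256 big-endian longwords of the 1024-byte block, computed with the checksum field at offset 4 treated as zero, then bitwise inverted. The boot block used here is constructed, not the crack's.

```python
# Added example, not from the tutorial: recompute the Amiga boot block
# checksum after patching boot code (the BRA 70100 / JSR patch edits above).
import struct

BOOTBLOCK_SIZE = 1024       # two 512-byte sectors
CHECKSUM_OFFSET = 4         # longword right after the "DOS\0" signature

def bootblock_checksum(block):
    """One's-complement (end-around carry) longword sum, inverted; the
    checksum field itself counts as zero.  Mirrors the 68000 ADD/ADDX loop."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        word = 0 if off == CHECKSUM_OFFSET else struct.unpack_from(">I", block, off)[0]
        total += word
        if total > 0xFFFFFFFF:                  # fold the carry back in
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def fix_checksum(block):
    """Return a copy with the checksum field rewritten; run after every patch."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(fixed)

def checksum_ok(block):
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0] == bootblock_checksum(block)

def constructed_bootblock():
    """Constructed sample: 'DOS\\0' signature, zero checksum, root block 880,
    no boot code.  Not the crack's boot block."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)
    return bytes(block)

if __name__ == "__main__":
    blk = constructed_bootblock()
    print(f"checksum before fix: {bootblock_checksum(blk):08X}, valid: {checksum_ok(blk)}")
    blk = fix_checksum(blk)
    print(f"after fix: valid: {checksum_ok(blk)}")
```

Only a block whose stored field matches is bootable, so checksum_ok is the check to run on the 70000 image before writing the track back, and again on the block read back from the disk.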
Boot up your new trainer and have fun. Now "normal" people should have a chance to complete this HARD game.