© Factor 5
How to train it
You will need the following:
1. The original crack, done here on Flashtro
2. An Amiga or WinUAE
3. Action Replay or a ROM image of it
4. Pencil and paper
5. Double Action (find it at amiga-stuff.com)
This will only be a quickie, with few details.
The source (which is well commented) can be downloaded at the top of this tutorial, along with the trainer as a bin file and the boot block.
In this tutorial we will make a trainer for Turrican II, using the Alpha 1 / Siriax trainer menu.
The following options will be included:
- Unlimited lives
- Unlimited energy
- Unlimited big weapons
- Unlimited time
- In-game keys to toggle lives, toggle time, refresh time and skip level
Special thanks to Musashi9 for supplying the level skip address!
When you enter or exit AR in this game, it's best to be standing in a waterfall, or the game might crash for some strange reason.
Let's start with lives. When you enter the first level, go to the waterfall and activate AR. Start a trainer search for the number of lives you have: TS 3
Exit and lose one life. With two lives left, go back into the waterfall, enter AR and continue the search: T 02. AR returns two addresses. The number of remaining lives is stored at 15D.
Some games use word instructions instead of byte ones, or move the counter's address into a register, as this one does: searching for references to the counter's own address finds nothing when the code reaches it as an offset from a register. So check what the game does with address 15C: FA 15C.
AR returns seven addresses; disassemble address 74F2 and hit enter a few times:
The code at 74F2 makes A4 point to address 15C. It then checks whether 15C is #0; if not, it branches to 74FC, does some more tests, and at 7502 subtracts #1 from 1(A4), i.e. 15D. We can either NOP out this instruction or change it to a TST.B. We choose the latter, because it takes less memory and we only have a few spare bytes for our trainer. Only the first opcode byte differs between the two instructions (the 1(A4) operand is encoded the same way in both), so to turn it into a TST simply insert hex value #4A at 7502.
To make a toggle for lives, we need to switch between SUB.B #1,1(A4) and TST.B 1(A4). This is easily done with the EOR instruction: EOR the byte at 7502 with #4A (TST) and the result is the toggle value, because EOR-ing 7502 with that value flips it between the two opcodes and back again. Assemble at address 100 and calculate the value:
The resulting value can be read at address 7502, marked in green above.
Next is energy. Often the different values for things like energy, lives and time are stored in the same area.
I tried searching for references to address 15B and got lucky. See what the game does with this address: FA 15B.
AR returns nine addresses, but only one of them is a subtraction instruction: 769E. To remove it we need two NOPs, as the instruction is four bytes long.
To find side shots, follow the same cycle as for lives. You should end up at address 7476, which can also be killed with hex value 4A. Exactly the same works for rapid fire and the mega shot (you know, where you press fire and space at the same time and he goes nuts :)). For this you should end up at address 2D3A, which can also be killed with hex value #4A.
Time is a bit trickier. Start the game and wait until the timer shows 555 seconds remaining. The digits are stored one per byte, so search for: F 05 05 05.
AR returns only one address: 7868. Check what the game does with this address: FA 7868.
You get seven hits. Disassemble address 7552 and hit enter a few times:
The routine above is similar to the lives routine, and address 755C can be killed with hex #4A.
To make a refresh option for time, we can simply move the value #600 (the starting time) into address 7868.
For the toggle we can use the same value as for lives, since the routines are the same. To make the toggles work, we need to take over the keyboard routine and assign some keys.
A keyboard routine usually reads BFEC01 (the CIA-A serial data register, where each raw keyboard byte arrives). Search for it: F BF EC 01. AR returns address 6CFA. Disassemble from address 6CF6 to get an overview of the routine:
We can take over address 6CFA and make it call our patch with a JSR patch. The patch must of course start by doing the BFEC01 read it replaced, so the game still gets the key byte.
I'll use F1, F2 and F3 for the toggle options. If you read one of the previous training tutorials, you'll see they have the hex values 5F, 5D and 5B. Note that these are the raw bytes as read from BFEC01 (the key code shifted left one bit and complemented), not decoded key codes; that is what we want, since we hook in before the game decodes them.
Musashi9 found a way to skip levels: put value #FF at address 1D6. He found it by entering AR when a level ended and noticing a routine that sets address 1D6 to FF.
To skip a level we therefore do a MOVE.B #FF,1D6.S. Let's assign HELP to level skip. Enter AR and set a breakpoint at address 6D00, exit to the game and press HELP. AR will activate, and the hex value for HELP can be read from register D0.
The hex value is #40. (Bit 0 of the raw byte is the inverted up/down flag, so the press and the release of a key differ in their lowest bit; compare against the value you see at the breakpoint for the press.)
The next question is where to put the patch. This game uses memory from address C0 all the way up into high chip RAM. I tried booting the Amiga, filling memory with #FF and then starting the game. At the start of level one, addresses B0-C0 were left intact, along with a chunk of high chip RAM at address 7FE80. We can put the cmpi bytes at address B0 and the trainer code at 7FE80.
We also have to find a suitable place in the code to call our trainer. I tried searching for JSR instructions (4EB9 is JSR with an absolute long address; 4EF9 would be JMP): F 4E B9, and got lots of hits:
I tried taking over the first one, at address 4C6, and it is called just before the level starts. That suits us, because the code we need to patch is present in memory when the JSR is called. Take note of the hex values at 4C6-4CC, so we can find the JSR on disk and change it to call the patch. The values are marked in red in the picture above.
Read a chunk of the disk into memory, starting at address 40000: RT 0 16 40000.
Locate the JSR: F B9 00 01 F0 4C 70 18,40000. AR returns address 49CF6.
Assemble at 49CF6 and change it to JSR 7FE80. AR reports where the searched pattern starts, and the JSR opcode is the two bytes 4E B9, so disassemble the spot afterwards and check that the new JSR sits exactly where the old one was, with no bytes shifted, before writing anything. Then write the tracks back: WT 0 16 40000. We must of course remember to call address 1F04C (the old JSR target) from our trainer.
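Putting the pieces above together, here is what the patch that the JSR at 4C6 now calls, and the keyboard hook it installs at 6CFA, can look like. This is an added example in ASM-One syntax for a plain 68000, not the tutorial's own source (which is downloadable separately). Everything not stated on the page is an assumption and marked as such in the code: the opt_* flags (1 = selected, set by the trainer menu before 4C6 is reached), that 6CFA holds "move.b $bfec01,d0" (6 bytes, the same size as a JSR with an absolute long address), that the time digits are one byte each at 7868-786A, and the key mapping F1 = toggle lives, F2 = toggle time, F3 = refresh time, HELP = skip level. The EOR toggle value is computed at run time from the unpatched byte at 7502, so it does not have to be typed in.

```asm
; Added example, not the tutorial's source. Assumptions are marked "ASSUMED".
TST1A    = $4A          ; first opcode byte of TST.B 1(A4); replaces the SUB's first byte
NOP2     = $4E714E71    ; two NOPs, to blank a 4-byte instruction
CIAASDR  = $BFEC01      ; CIA-A serial data register: raw keyboard byte
KEY_F1   = $5F          ; raw key bytes from the tutorial (shifted + inverted codes)
KEY_F2   = $5D
KEY_F3   = $5B
KEY_HELP = $40

         org     $7FE80          ; spare chip RAM found by the $FF fill test

; Entered through the JSR at $4C6, which now reads "jsr $7FE80" instead of
; "jsr $1F04C". The game code we patch is in memory at this point.
install
         tst.b   have_toggle     ; compute the EOR value only once, from the
         bne.s   .patch          ; still unpatched instruction
         move.b  $7502,d0        ; original first opcode byte of SUB.B #1,1(A4)
         eor.b   #TST1A,d0       ; orig EOR $4A: EOR-ing $7502 with this value
         move.b  d0,toggle       ; flips it between SUB and TST
         st      have_toggle
.patch
         tst.b   opt_lives       ; ASSUMED: flags written by the trainer menu
         beq.s   .energy
         move.b  #TST1A,$7502    ; lives: SUB.B #1,1(A4) -> TST.B 1(A4)
.energy  tst.b   opt_energy
         beq.s   .weapons
         move.l  #NOP2,$769E     ; energy: the subtraction becomes two NOPs
.weapons tst.b   opt_weapons
         beq.s   .time
         move.b  #TST1A,$7476    ; side shots
         move.b  #TST1A,$2D3A    ; rapid fire / mega shot
.time    tst.b   opt_time
         beq.s   .hook
         move.b  #TST1A,$755C    ; time
.hook                            ; ASSUMED: "move.b $bfec01,d0" at $6CFA -> "jsr keys"
         move.w  #$4EB9,$6CFA
         move.l  #keys,$6CFC
         jmp     $1F04C          ; continue with the JSR's original target

; Called from $6CFA on every keyboard byte. Must leave d0 holding the raw
; byte, like the instruction it replaced, and clobber nothing else.
keys
         move.b  CIAASDR,d0      ; the read we replaced
         move.l  d1,-(sp)
         move.b  toggle,d1
         cmp.b   #KEY_F1,d0      ; ASSUMED key mapping from here on
         bne.s   .f2
         eor.b   d1,$7502        ; toggle lives
         bra.s   .done
.f2      cmp.b   #KEY_F2,d0
         bne.s   .f3
         eor.b   d1,$755C        ; toggle time: same opcode byte, same value
         bra.s   .done
.f3      cmp.b   #KEY_F3,d0
         bne.s   .help
         move.w  #$0600,$7868    ; refresh time to 600; ASSUMED layout 06 00 00
         clr.b   $786A
         bra.s   .done
.help    cmp.b   #KEY_HELP,d0
         bne.s   .done
         move.b  #$FF,$1D6.w     ; level-skip flag (Musashi9)
.done    move.l  (sp)+,d1
         tst.b   d0              ; leave the CCR as the replaced MOVE.B left it
         rts

have_toggle dc.b 0
toggle      dc.b 0
opt_lives   dc.b 1               ; ASSUMED: 1 = selected, set by the menu
opt_energy  dc.b 1
opt_weapons dc.b 1
opt_time    dc.b 1
            even
```

The patches are applied every time 4C6 is hit (they are idempotent), but the toggle value is read from 7502 only the first time, so it stays correct even if the game reloads its code later. The hook ends with TST.B D0 so the game sees the same condition codes the MOVE.B it replaced would have set; with 68000 code that is the kind of detail that turns a working trainer into one that crashes on exit.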
To cut down the trainer's size, remove the following calls in the source, using a text editor or ASM-One's own editor: MT_INIT, MT_END and MT_MUSIC, and cut out the Protracker replay routine at the end.
In ASM-One, fill in the fields marked in red:
'r' means read source; it opens a file requester where you can select the source. WO writes an executable file. I saved it as 'TRAINER'.
Time to relocate and pack the fella. Start Double Action, select 'load' from the file menu and choose your newly assembled file. Fill in the values marked in red:
This relocates and packs the file to address 30000. When it's finished, choose 'save' from the file menu and save the file as 'trainer2' to a floppy disk. Track 1 is free, so we can put the trainer there. Insert disk 1 and read track 1 to address 30000: RT 1 1 30000.
Insert the disk with the saved file and load it to address 30000, on top of the track data we just read: LM TRAINER2,30000. Write the track back:
The next step is track-loading the trainer:
The above calls the track loader, which we place at 70100. The track loader itself:
The line at 70126 can't be assembled with AR; insert the hex values instead (marked in red above). Correct the boot block checksum: BOOTCHK 70000. And write it back: WT 0 1 70000.