
Navy Seals
© Ocean
1991

1. Original game – find it on emunova.net
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. One blank disk – find it in your local Amiga store

I loved playing this back in the day, but I always missed a trainer for it. In this tutorial, I have also added a trainer option for lives, energy, time and a level skipper.
Start by making a copy of the original game disk. This is to determine the type of protection. You'll notice an error on track 0; this is probably a copylock track.
You can boot and start the copy of the game, but you'll never get to level 2, due to the failing copylock. Let's start by retrieving the copylock key. Boot the original game and enter AR when you hear the drive 'grinding' sound or the track counter moves to 0. Copylocks start with 'PEA $$$$(PC)', so search for the opcodes: F 48 7A. AR returns two addresses. Disassemble the first address and hold enter down. You'll see tons of encrypted code; release enter when normal code appears again:

Normal code seems to begin at address B7D2. We have a compare routine at address B7F0, comparing some number with D0. This number is probably the copylock key. Set a breakpoint at this address and exit AR: BS B7F0. When the game reaches address B7F0, AR will pop up.

When AR activates, press 'R' to see the registers. We have the key in D0. Check address 60 with M 60, as many copylocks also return the copylock key there. As you can see, we have the key both in D0 and at address 60.
We'll crack this one by inserting the key into D0 and address 60 and branching past the copylock. The copylock is located on track 65. Insert the copy of the game and read track 65 into memory, starting at address 30000: RT 82 2 30000. Search for the copylock, starting at address 30000: F 48 7A,30000. AR returns addresses 312AE and 312BE. The copylock starts at address 312AE; take note.

We also need to find the end of the copylock. Disassemble address 312AE and hold enter down until normal code appears.
The copylock ends at address 31BD2. Assemble address 312AE, wire the key into D0 and address 60, and branch to the end of the copylock:

Write the track back: WT 82 2 30000.

Boot your new crack.
Wouldn't it be great fun with a trainer?
Let's train energy, time and make a level skipper. We start with the time. Assuming you have 3 mins and 5 sec. left, enter AR. Find the seconds count address: TS 05 + enter. When it's finished searching, exit AR and wait for the second counter to show 04. When this happens, enter AR and continue searching: T 04. AR will return address ACCD.

ACCD points to the seconds. Subtract 1 from ACCD = ACCC. See the contents of address ACCC with M ACCC.
It says 03 04. ACCC must be pointing to the minutes. Let's see what the game does with this address: FA ACCC.
You'll get a bunch of addresses. We are interested in 23D2. Try disassembling address 23C0 to see what happens before address 23D2.

Address 23CE subtracts #140 from D0. Address 23D2 then writes the contents of D0 into the time count address. If we remove 23D2, the time counter will never be updated. Take note of address 23D2. There is a little problem though... When you have finished a level, you'll get a time bonus for the remaining time.
If we have unlimited time, the bonus counter will go on forever. We have to avoid that. Notice address 199A; disassemble this address and hit enter a few times.

Address 199A tests whether the time counter is equal to 0. If not, address 19A0 loops the routine and your score keeps growing forever, as the time will never be equal to 0. We deal with this by simply removing the 'BNE 1978' at 19A0. It takes two 'NOP's to remove this. Take note!
The level skipper: At level one, you have to find 09 bombs. Exit the old trainer: TX. Start a new trainer: TS 09. When it's finished searching, exit AR and find ONE bomb. When done, enter AR and continue the trainer: T 08. You will receive address ACD9.

See the contents of the address with M ACD9 + enter. Insert a '0' instead of the '8', press enter and exit AR. What happens?
You continue to the next level. The game thinks you have found all the bombs, and continues to level two. Take note of address ACD9. But how do we make a level skipper? Remember we should remove address 23D2 to get unlimited time?
How about inserting a 'JSR 16C' at 23D2, and making the following routine at address 16C:

16C; BTST #6,BFE001; check for left mouse
174; BEQ 178; if pressed, branch to address 178
176; RTS; if not pressed, return
178; MOVE.W #0,ACD8; set address ACD8 to word 0; game thinks you found all bombs and skip to next level
180; RTS; return

Instead of updating the time counter, the game will jump to address 16C and check whether the left mouse button is pressed. If not, our routine simply returns. If pressed, address ACD8 is set to word 0 and the game jumps to the next level.
Next step is the energy. It's a bit harder to find, as you can get hurt a little or a lot. We'll search for the number of lives instead, as the energy counter is probably located near the life counter. Follow the earlier steps, just for lives, and you'll end up with address ACCE. I have tried altering different addresses in this area and found that ACDA holds the energy.

See what the game does with address ACDA: FA ACDA. You'll get a bunch of references. I have marked the addresses we are interested in with red.

The 'CLR.W ACDA' instructions kill you, e.g. if you fall from a great height or get shot. We'll 'NOP' out these instructions; each one takes three 'NOP's. The 'SUBI.W' instructions remove a small amount of your energy.
We'll deal with these by changing them from e.g. 'SUBI.W #1,ACDA' to 'SUBI.W #0,ACDA'.
Like with the time bonus, we have the same problem with the energy bonus. When a level is finished, you'll get a bonus based on your remaining energy. Unlimited energy = unlimited bonus. The game will loop forever in the bonus routine.
Notice the 'TST.W ACDA' at address 19C8. After that we have a 'BNE 19A4' at address 19CE. This routine exits the bonus count for energy when D0 = 0, and it never will be, as we trained the game. Therefore, we have to remove the 'BNE 19A4' at address 19CE. Take note.

We should now be armed with all needed addresses.
Next step is finding where the game jumps into the loaded data, and taking over this jump. Boot the copy of the game, and enter AR when it begins to load. Press 'D' to disassemble the current memory. Seems like we are in the 70000 area of memory.

The loader probably begins straight at address 70000. Disassemble address 70000 and hit enter a few times. At address 7001A we have a 'JMP 800'. This jumps into the loaded data. We simply have to take over this jump, and alter it to 'JMP 100'. We'll then locate the trainer at this address. The 'JMP 800' is located on track 61. Read the track into memory, starting at address 30000: RT 7A 2 30000. Find 'JMP 800', starting at address 30000: FA 800 30000

AR returns two addresses and we are interested in 3123E. Assemble and insert a 'JMP 100'. Write the track back:
WT 7A 2 30000. See picture above.

We'll locate our trainer in the boot block, as most of it is left empty. We also need a copy routine, to move our trainer from the boot block into address 100. We choose address 100, as the game leaves 100 – 200 unchanged.
Read the boot block into memory, starting at address 70000: RT 0 1 70000. Assemble offset 100 (70100) and code the trainer:

70100; MOVE.W #F,DFF180; turn screen blue
70108; BTST #6,BFE001; check for left mouse
70110; BEQ 7011E; if pressed, branch to 7011E and execute trainer patch
70112; BTST #A,DFF016; check for right mouse
7011A; BEQ 70168; if pressed, branch to 70168 and start normal game
7011C; BRA 70108; loop the above, until mouse is pressed
7011E; MOVE.L #4E714E71,D0; insert two 'NOP' in register D0
70124; MOVE.L D0,19A0.S; NOP out 'BNE' in bonus routine, or game will loop in end of level
70128; MOVE.L D0,1BD8.S; NOP out 'energy kill'
7012C; MOVE.W D0,1BDC.S; NOP out 'energy kill'
70130; MOVE.L D0,1DEA.S; NOP out 'energy kill'
70134; MOVE.W D0,1DEE.S; NOP out 'energy kill'
70138; MOVE.L D0,21FC.S; NOP out 'energy kill'
7013C; MOVE.W D0,2200.S; NOP out 'energy kill'
70140; MOVE.W #0,19B0.S; set energy countdown from #1 to #0
70146; MOVE.W #0,1DE2.S; set energy countdown from #12 to #0
7014E; MOVE.L D0,21F4.S; NOP out energy countdown
70152; MOVE.W D0,21F8.S; NOP out energy countdown
70156; MOVE.L D0,19CE.S; NOP out 'BNE' in bonus routine, or game will loop in end of level
7015A; MOVE.L #4EB90000,23D2.S; kills time countdown and makes a 'JSR 16C' to level skip routine
70162; MOVE.W #16C,23D6.S; kills time countdown and makes a 'JSR 16C' to level skip routine
70168; JMP 800.S; jump to game
7016C; BTST #6,BFE001; this will appear at 16C, check for LMB
70174; BEQ 70178; if pressed, branch to 70178
70176; RTS; not pressed, just return
70178; MOVE.W #0,ACD8; set number of bombs left to find to value #0, causing a skip to next level
70180; RTS; return
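Because the trainer patches the game by writing raw words into memory (the 4E714E71 loaded into D0, the 4EB90000 + 016C pair at 23D2), it is worth checking what those words actually decode to before writing the track back. The following Python is an added example and is not part of the original tutorial or any Action Replay tool: a small 68000 decoder for just the instruction forms that appear in the listings above (NOP, RTS, JSR/JMP absolute, BTST #n, short branches, MOVE.W #n to absolute, CLR.W, SUBI.W, TST.W). The byte strings it decodes were hand-assembled for this example from the routine at 16C and from the trainer's patch writes; they are constructed test input, not bytes read from the game disk.

```python
import struct

# Real 68000 opcode words for the absolute-long forms used in the listings.
# Value: (mnemonic template, whether an immediate word precedes the address).
ABS_LONG_FORMS = {
    0x0839: ("BTST #{imm},{addr}", True),    # BTST #n,abs.l
    0x0479: ("SUBI.W #{imm},{addr}", True),  # SUBI.W #n,abs.l
    0x33FC: ("MOVE.W #{imm},{addr}", True),  # MOVE.W #n,abs.l
    0x4279: ("CLR.W {addr}", False),         # CLR.W abs.l
    0x4A79: ("TST.W {addr}", False),         # TST.W abs.l
    0x4EB9: ("JSR {addr}", False),           # JSR abs.l
    0x4EF9: ("JMP {addr}", False),           # JMP abs.l
}
SHORT_BRANCHES = {0x60: "BRA", 0x66: "BNE", 0x67: "BEQ"}


def decode(code: bytes, base: int):
    """Decode big-endian 68000 code that is loaded at address `base`.

    Returns a list of (address, text) tuples. Unsupported opcodes raise
    ValueError rather than guessing, so a surprise in the patch is visible.
    """
    out = []
    pc = 0
    while pc < len(code):
        addr = base + pc
        (op,) = struct.unpack_from(">H", code, pc)
        if op == 0x4E71:
            text, size = "NOP", 2
        elif op == 0x4E75:
            text, size = "RTS", 2
        elif op == 0x4ED3:
            text, size = "JMP (A3)", 2
        elif op == 0x4EF8:                       # JMP abs.w
            (tgt,) = struct.unpack_from(">H", code, pc + 2)
            text, size = f"JMP ${tgt:X}", 4
        elif (op >> 8) in SHORT_BRANCHES and (op & 0xFF) != 0:
            # Bcc.S: 8-bit displacement relative to the word after the opcode.
            (disp,) = struct.unpack_from(">b", code, pc + 1)
            text, size = f"{SHORT_BRANCHES[op >> 8]}.S ${addr + 2 + disp:X}", 2
        elif op in ABS_LONG_FORMS:
            template, has_imm = ABS_LONG_FORMS[op]
            pos = pc + 2
            imm = ""
            if has_imm:
                (value,) = struct.unpack_from(">H", code, pos)
                imm, pos = f"${value:X}", pos + 2
            (tgt,) = struct.unpack_from(">I", code, pos)
            pos += 4
            text, size = template.format(imm=imm, addr=f"${tgt:X}"), pos - pc
        else:
            raise ValueError(f"unsupported opcode {op:04X} at ${addr:X}")
        out.append((addr, text))
        pc += size
    return out


# Constructed input: the level-skip routine from the tutorial, hand-assembled.
LEVEL_SKIP_ROUTINE = bytes.fromhex(
    "0839 0006 00BF E001"   # 16C: BTST #6,$BFE001
    "6702"                  # 174: BEQ.S $178
    "4E75"                  # 176: RTS
    "33FC 0000 0000 ACD8"   # 178: MOVE.W #0,$ACD8
    "4E75"                  # 180: RTS
)

# Constructed input: the words the trainer writes into the game, per the listing.
TRAINER_WRITES = {
    0x19A0: bytes.fromhex("4E71 4E71"),        # MOVE.L #4E714E71 landed here
    0x23D2: bytes.fromhex("4EB9 0000 016C"),   # MOVE.L #4EB90000 + MOVE.W #16C
}


def describe_patches():
    """Decode every patch write so the effect of each word can be read off."""
    return {addr: decode(words, addr) for addr, words in TRAINER_WRITES.items()}


if __name__ == "__main__":
    for addr, text in decode(LEVEL_SKIP_ROUTINE, 0x16C):
        print(f"{addr:05X}  {text}")
    for addr, insns in describe_patches().items():
        print(f"patch at {addr:X}: " + "; ".join(t for _, t in insns))
```

The decoder only knows the forms it needs and refuses anything else, which is the behaviour you want when the purpose is to confirm that a handful of patch words mean exactly what the listing claims.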

We also need a copy routine. Before we code this, we need to alter the original boot code so that our routine is called. Disassemble 7000C and hit enter a few times:

Line 70066 jumps to the data that the boot block loads in. We'll take over this jump and insert a 'BRA 700C0' instead.
We'll put the copy routine at 700C0 and end it with a 'JMP (A3)'. Assemble 700C0 and insert the following:

700C0; LEA 100,A0; destination address 100 for patch
700C6; LEA 70100(PC),A1; copy from offset 100 on disk
700CA; MOVE.W #200,D7; size to copy
700CE; MOVE.B (A1)+,(A0)+; copy
700D0; DBF D7,700CE; copy
700D4; JMP (A3); jump we took over

Correct boot block checksum: BOOTCHK 70000
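BOOTCHK exists because the Amiga ROM refuses a boot block whose checksum longword (at offset 4) does not match the rest of the 1024 bytes, so any edit to the block must be followed by a recompute. The same check is also the quickest way to tell whether a boot block has been modified at all, which matters beyond trainers: an unexpected checksum, or a valid checksum on a block that no longer matches a known-good copy, is the classic sign of a boot-block infector. The following Python is an added example, not part of this tutorial: it implements the standard AmigaDOS boot block checksum (ones' complement sum of the 256 longwords with end-around carry, checksum field treated as zero, result inverted), verifies a block, and re-signs it. The sample block it builds is constructed for the example and is not the game's boot block.

```python
import struct

BOOTBLOCK_SIZE = 1024          # two 512-byte sectors
CHECKSUM_OFFSET = 4            # longword after the "DOS\0" signature


def _ones_complement_sum(block: bytes, skip_checksum_field: bool) -> int:
    """Sum all longwords with end-around carry, optionally skipping offset 4."""
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if skip_checksum_field and offset == CHECKSUM_OFFSET:
            continue
        (word,) = struct.unpack_from(">I", block, offset)
        total += word
        if total > 0xFFFFFFFF:                 # carry out of bit 31 wraps into bit 0
            total = (total & 0xFFFFFFFF) + 1
    return total


def bootblock_checksum(block: bytes) -> int:
    """Checksum the ROM expects to find at offset 4 for this block's contents."""
    return (~_ones_complement_sum(block, skip_checksum_field=True)) & 0xFFFFFFFF


def stored_checksum(block: bytes) -> int:
    return struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]


def verify_bootblock(block: bytes) -> bool:
    """True if the block is a DOS boot block whose checksum matches its contents."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    return stored_checksum(block) == bootblock_checksum(block)


def fix_bootblock(block: bytes) -> bytes:
    """Return a copy of the block with a correct checksum (what BOOTCHK does)."""
    patched = bytearray(block)
    struct.pack_into(">I", patched, CHECKSUM_OFFSET, bootblock_checksum(block))
    return bytes(patched)


def make_sample_bootblock() -> bytes:
    """Constructed sample: DOS signature, zero checksum, root block 880, a few NOPs."""
    header = b"DOS\x00" + b"\x00\x00\x00\x00" + struct.pack(">I", 880)
    code = bytes.fromhex("4E71" * 8)           # filler code, constructed
    return (header + code).ljust(BOOTBLOCK_SIZE, b"\x00")


if __name__ == "__main__":
    sample = make_sample_bootblock()
    print("before fix valid:", verify_bootblock(sample))
    fixed = fix_bootblock(sample)
    print("after fix valid:", verify_bootblock(fixed),
          "checksum", f"{stored_checksum(fixed):08X}")
```

A verified block sums (checksum field included) to exactly FFFFFFFF under the same carry rule, which is the property the ROM relies on; the example exposes both the recompute and the verify so a block image can be checked against a known-good copy before and after a patch.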

Write the boot block back: WT 0 1 70000.

Boot the game. When the screen turns blue, press LMB for the trainer or RMB for normal play. If the trainer is chosen, hold down LMB for a few seconds during game play and you'll skip to the next level.
Ohh, by the way... I have decrypted 'Crackers Nightmare' and it contained no further copylock routines.
I have added a boot block crack, that can be downloaded in top of this tutorial. Just install supplied boot block on a fresh copy of game, and it’s cracked + trained.
Rob
