Prince of Persia (1990) usa version
————————————————-
This has to be the USA version as the other 2 versions (uk / german) all load
at different memory locations
what you will need
——————————
1. original game (find
here)
2. an amiga or an amiga emulator (winuae)
3. an action replay cartridge or ar3 rom image for use with winuae
4. 1 megabyte of memory
5. Defjam Packer
once u have all these set up we shall begin
This has to be my all time favourite game of all time ,i fell in love with it
the first time i played it on my cousins birthday ,his dad got a disk from work
with 4 – 5 games on it and one of them was prince of persia 🙂 it took us 3
days to do the first level 😛
anyhoo back to the cracking ,
this game has 2 protections 1 is MFM,a disk based protection and the other is
Password (i.e manual protection)
so lets fire up XCOPY and try to make a copy of this disk
as you can see from the picture below the disk is full of errors when we try
and make a copy ,only the bootblock is error free so this disk can not be copied
but fear not we shall get past this 🙂 i had a lot of fun with this game
ok lets have a look for more protection so boot up the game as normal
first you will see the Blue loading screen
then the title screen
so press fire to start the game at level one
you can either play the first level to get to level 2 or use the inbuilt cheat
lets use the cheat 😛
press and hold LEFT SHIT key then press L key to skip to the next level
but level 2 doesn’t appear instead we are at the Password protection screen
i hope you have your manual ready 😛 hehehehe
first enter action replay and press R then return
lets pay attention to this address highlighted in red
type M 63A6 and scroll down about 12 lines
hmm just text so lets start a little earlier type M 6300 and scroll down about
12 lines
hmm interesting 🙂 lets go back to the game
ok so if you have your manual ready drink the potion required
once done you will be moved on to level 2
now hit you action replay button and scroll up to when we type m 6300
and hit return on that again ,go down 12 lines
hmm somethig has changed notice the 8 F’s highlighted in red
interesting 🙂
press and hold CTRL key then press R to restart the game and go back to title
press fire to start level one then skip to password screen with left shift and
L key
hmm hang on we are taken to level 2 not the password screen
ah this game has a built in option so if you have already entered a correct potion
you wont need to enter it any more no matter how many times you restart the game
so it puts FF FF FF FF at address 6378 if you picked the correct potion
and each time you leave level one it checks this address and if FF FF FF FF
is there
it wont load the password level and will continue to level 2
i feel a easy crack coming on hehehe in other words no need to crack this part
we just put FF FF FF FF at address 6378 so prince of persia wont ever load the
protection screen 🙂 because we fooled it into thinking we already have 🙂
Devious and lazy i know but hey it works 😛
ok so write that down FF FF FF FF needs to be put at address 3738
moving on 😀
because we have 1 meg the game data is loaded into memory in one go ,which makes
it better to crack ,(if you only have half a meg it will load each level as
you complete it, hence the reason you must have 1 meg to crack this game)
ok so that is the password cracked but what about the MFM tracks how do we
crack this one ,well like most early games they loaded in one go ,this game
does but only if you have 1meg of ram that is why when you first boot a blue
screen appears saying loading 1meg game ,if you only had 512k of ram it would
say loading 512k version….. ok so lets load the game then rip off the data
into 1 big file
ok so lets begin first thing is reboot with the original disk and once the blue
screen appears saying loading 1meg game hit action replay and type
R
ok so lets take a look at what is loading ,to do this we read the bootblock
into memory then disassemble it
so type
RT 0 01 50000
this will read track 0 to address 50000
now disassemble the bootblock by typing
D 5000c
we start at 5000c because this is where the boot-code always starts and not 50000
because the first few bytes spell the word DOS
ok so scroll down and search fora JMP keep searching until you find one
at around about 50200 + you should find 2 JMPs but only 1 is jumping to a specific
location that is 50226 is jumping to address 7E988
hmm ok right this down ,if we go to this address we see some code ,type
D 7E988
scroll down some more until you see this
another jump,this look like a jmp into the main game ,but there is a lot of data
being executed before it gets to this jump ,i suspect its the loader because
if we leave action replay and come back in and press D to find out what code
is running we will be around this area plus above this jump do you see LEA 00001000.S,A1
this is where the data starts to load into so this is the loader
ok so lets stick a freeze loop at the jump address so it wont jump into the
game it will just stick at the loop going round and round
type
A 7EA30
BRA 7EA30
and exit action replay and let the game load after a while there is no activity
lets check the game is finished loading by going back into action replay and
press D and enter and we should have this
its stuck at our loop ok so lets rip off all the data shall we hmm but before
we do
lets make some changes to the game ,the first thing we want to do is stop that
pesky password screen from appearing ,we do this by putting FF FF FF FF at address
6378 ,remember?
ok so type M 6378
then replace the first 8 spaces with FF FF FF FF and press enter then ESC
ok that’s that taken care of
oopps almost forgot replace the BRA loop we made with the original jump ,type
A 7EA30
JMP 1F636
once that has been done you should get some reg information, type R, then
type INFO to get some other information and it should look like this
now we have a problem if we load all this data in one go and run it then it
will run the MFM track loader too and we don’t want that . We know this starts
at address 7E988 so lets remove the track loading routines
dissasemble address 7E988 type D 7E988
scroll down some
we have a lot of MOVE.L d0,…. ect… ignore those
scroll down some more until we come to our first BSR right this is the loading
routine right down to the jump into the main game so we bypass this with a simple
BRA to the jump ,so scroll and find that first BSR at address 7E9BE and we know
the jump is at address 7EA30 but we want to bra to the code just above the jump
at address 7ea2c otherwise the game wont load
so we found our first BSR ar address 7E9BE so this is where we skip the mfm
track loader
type A 7E9BE
BRa 7ea2c
,right that’s it for now lets finally save our data
put in a blank disk and type
SM 1,1000 bA000
we know it starts from address 1000 and if we do a NQ 70000 we know the last
bit of data in memory ends at address ba000
phew ,once this is done lets
pack our data into 1 big executable
for this we need DEFJAM packer
so completely reset and load up defjam packer
once loaded you are asked if you want to do a mega crunch ,no we don’t so say
N for no
then we are asked for low memory so we put in our start address which is 1000
then we are asked for high memory so we say ba000
it will clear that amount of memory and then it asks for scan range
this is saying how much do you want to pack the file ,the higher the range the
longer it takes to pack but the smaller the file size will be ,but this aint
to important right now just put a safe number like 24
next it asks load type ,put O for plain then for file-name we insert our disk
with the saved data on and type df0:1 and load into address 1000 it will then
load the data so wait a while then once that is done hit return to start packing
,the screen will go funky and then black with some digits so dont panic after
a while it should say finished ,you hit enter once more then it asks for a jump
address ,here we type 7e988 because this is our jump address then it asks for
flash register we want a good old fashion green and black flash so choose 00
now it asks do you want a pro de-cruncher ,yes we do the reason for this is our
game uses up memory that DOS normally users so if we try load in dos it will
crash but with a pro de-cruncher this isnt a problem so choose yes
then it asks for (sheesh it asks for a lot doesn’t it)
DMACON :
right so now lets go back to our first image we saved ,remember we pressed R
then typed INFO well all that information we need right now so go get it
just to remind you here it is
ok so for DMACON: we see on the image it is 0380 so type that
next is INTENA and from our picture we see it is 4000 so type that
next is ADKCON and we have it as 2100 so put that
next is status reg which is 2708 so use that
next is locate de-cruncher ,lets put it in a safe place at address 100
next is stack ,put 1000
ok now save it to a blank disk and save it as persia
it will ask do you want to save again ,choose no ,then it asks do you want to
run it now ,choose yes ,and after a while the screen starts to flash
then hey presto the game loads
and you have a 1 filed fully cracked version of prince of persia
so far there are 2 other versions out there both are the same version PAL EURO
and both cracked and trained by angels ,although the fusion trainer says its +3
but its not they just ripped off angels hard work , the game has infinite lives
anyway so that isn’t a trainer option so anyhoo this is the USA version and I
have 3 trainer options for it 1 is time one is energy and the other is a fully
working proper level skip ,the inbuilt level skip only lets you go to level
4 but mine by passes that so trainer makers out there msg me and we can make
a cool trainer for this too
Publication author
Which ipf are you using for Carrier Command?
Hi musashi9, u da man:) Cheers for the help!, school boy error with decruncher location memory 🙂 I can see and follow the logic above and find the same here. Any reason why you have to set up SR and A7 first , then go back in and it works? Just wondering? Is there any reason too why it doesnt pack with Defjam v3.5, that you know of? Wanna help me figure out why I cant pack carrier command to work? 🙂 this one I can load into AR set the SR and G 400 first time, I just cant… Read more »
Putting the decruncher location at $c00 (3072 decimal) is below $1000 (4096 decimal) You can assemble some code as such A $800 ….. lea 1000,a7 ….. move.w #2708,sr ….. jmp 1f636 then G 800 This did not work for me, but I tried again and put a BRA loop where the JMP 1f636 is and left AR and re-entered and pressed R to check A7 and SR were set up properly. Then I replaced the BRA loop with JMP 1f636 and it worked first time, but I had to leave AR first then re-enter and put a jmp 1f636 in… Read more »
Hi musashi9, Right here is where I’m at. I had originally been using DefJam Packer v3.5, and when I did it did not work. When I tried with DefJam Packer v3.2 it did work!. It even worked using the settings I found on my machine here. SR 2708 DMACON 380 INTENA 4000 ADKCON 1100 A7 1000 decrunch location 100 So maybe DefJam Packer v3.5 doesnt work properly?, even though it states it has bugs removed!? One final question I have for curiousitys sake, is how I can load the datadump file up in AR. I can lm pp,1000 but I… Read more »
This is what I made with your file.
exe file name is 1
These are the defjam settings I used
DMACON 380
INTENA 4000
ADKON 2100
SR 2700
DECRUNCHER LOCATION c00
STACK 1000
Hi Musashi9,
Your packed version works fine here first time.
Heres my grab of data unpacked that I’m trying to get to work.
here
Thanks agin!
can you upload the single file you made some where (unpacked file not the defjam one)? I want to try and see what results I get.
Can you download and try my version on your set up
you can find it here
Boot to dos then type 3 plus enter
Regarding 1f648
if you disassemble from 1f636(main game jump) and continue on down to 1f648 you will see it set up
move.w #2700,sr
Perhaps always set your defjam to SR 2700 instead of what info AR gives you
Me again! 🙂 I still dont get what the registers should be before JMP 1F636, I have got blue screen ‘unexpexted level 6 interrupt’ first time round, then go back into AR, now just before G 1f636 for 2nd time (successfull). I have then noted all regsites A0-7 D0-7 PC USP SR, reset amiga lm pp,1000 again and this time set ALL registers to what I noted before, and it still doesnt work first time round?, 2nd time it works?. Guess Im not getting the right register values at the right time, you mention 1f648? As for using Defjam packer,… Read more »
Congratulations 🙂
Ignore anything to do with skipping the loader stuff this was a mistake and you should always just jump to 1f636. I am going to remove references to jmp 7e988 for future readers.
As for AR booting the game without setting the SR, it could be because of the code at 1f636 | sets up a SR @ 1f648 | so the second time you g 1f636 it is already set by the first attempt?
Any way it is time for you to try it with DEFJAM packer, you can find it here
Hi musashi9, thanks for getting back to us, Ive made a little more progress :)………… The 1 MB chip and no other ram now means I’m able to rip data from 1000 to B33D0 (seems to end here on my machine). I believe this is all the data becuse I’m able to reset Amiga and enter AR then lm pp,1000. Now it doesnt seem to matter what I set the SR to, the first time I G 1F636 I always get a blue screen with ‘unexpexted level6 interrupt’, I go back into AR, then second time I G 1F636 it… Read more »
Sorry my fault, make sure you have only 1mb chip and no other memory (slow | fast) I suspect it is loading the rest of the data to slow memory I have gone through this step by step, you are right, ignore the jmp to 7e988 with defjam packer, use jmp 1f636 instead. if you reset and load your file with AR and jmp 1f636,with SR at 2708 (type: R SR 2708) you will get a level 6 error, if you re-enter AR and type G 1f636 again, the game should work. I suspect the reason you get an unpacked… Read more »
Thanks 4 reply! Dumbness on my part, I now can access ba000 memory range, but I’m still struggling :(.. I set a loop at 7EA30, and let the PP load up, and jump back in and we are at 7EA30. I run NQ 70000, and last line displayed here is 7FED6 (Quick dump up to address 100000) I manually look through from 7FED6 and no data is displayed from about 80000 up to BA000? Nothing loaded here?. Carrying on I have saved sm pp,1000 80000. At this point too the SR = 2708. Now after a reset I go back… Read more »
Oh dear I forgot this crappy tutorial was still on here 😛
I suggest you use 1mb chip with your Winuae CONFIG. That way you shouldn’t have any more memory problems.
As for the INFO section you can enter AR as soon as the blue screen appears
then Press R for the SR and then type INFO for the rest of the info, don’t worry if your details differ.
Firstly excellant site, and tutorial!. Excuse my ignorance but is somebody able to show me how you know the file ends at address ba000? and explain NQ 70000? My AR MKIII doesnt understand area ba000? (N ba000 results in ??? / 80000 seems to be the max?). I dont think I have the correct memory configuration? Also can you clarify when is the correct time to freeze and show Registers / INFO to get the correct SR, DMACON, INTERNA, ADKCON and A7 (stack) for Defjam packer purposes. Is the correct time to show this info as soon as the loader… Read more »
я даволен и жду игра
я вас прашу
я хочю эта игра на процэссор amd athlon x 2 спасибо балшое есль паидеот то ставите комент прашу я
You should avoid using the Defjam cruncher to pack files because it will only work on a 68000. It assumes a 6 byte stack, pushing the SR and game address and then does an RTE. This crashes on most Amigas and limits who can run the game.