Rick Dangerous II

? Core Design
You will need following:
1. Original game
2. An Amiga or WINUAE
3. Action Replay
or ROM image
4. Pencil and paper
5. Two blank disks?
– find it in your local Amiga store
6. ARIV ? find on
romshare.net
7. Kickstart 2.0
Start by making a
copy of original game disk. You?ll notice an error on track 0. So we are dealing
with
a disk based protection.
Let me surprise you all: It?s a copylock?
When protection fails,
it messes with the game, so it freezes when you try to start a level or during
game play.
Let?s start by retrieving
the copylock key. Boot copy of game, and enter AR when it hangs.
Search for copylocks:
F 48 7A. AR returns nine addresses? There are three identical copylocks in this
game and a fourth
strange one. It?s
very small in size and is not used, or perhaps it passes data the other copylock
routines.?

Pick one of the copylocks
to save. Disassemble ex. address 10084, hold enter down and release it when non-encrypted
code appears. In
this way, you?ll have a start and end address of the copylock. Insert a blank
disk and save copylock:
SM COPYLOCK,10084
10972. Start ARIV and enter it with right mouse. Load in saved copylock, starting
at address
50000: LM COPYLOCK,50000

Activate the build
? in RNC decrypter: ROBD. Disassemble address 50000 and stop when ? second ? part
of copylock
appears:

This part gives us
some troubles, since it flushes copylock key from D0 so we can?t just read it
out, when copylock
has run. The routine
starts at address 50818, let?s insert a ? BRA 50818 ? here, so D0 won?t be flushed.
Type M 50818 and
take note of the first long word of opcodes, as we shall use them later on to
locate this part of
copylock again.
Assemble 50818 and
inset a ? BRA 50818 ?. When done, type M 50818 and see the opcodes for our new
instruction.
The first four opcodes
has changed, take note. The shown opcodes are already encrypted, as we are still
in ROBD mode.
The encryptions works
by XOR, ROBD mode shows the decrypted code, so when we insert normal code, it
will appear
as encrypted.
Boot original game
and enter AR when copylock is executed. Either lessen for the drive grinding sound
or when track
counter moves to
0 in WINUAE. Search for the long word you took note of: F 26 3E 25 F0. AR return
three addresses
hence, three copylocks?
See opcodes for the
first address with M 1089C + enter.? Insert the new opcodes, and don?t forget
to press enter when
done. Exit AR and
wait a few secs for the game to hang.

Enter AR and press
R to see registers. Voila, copylock key in D0. Armed with the key, enter ARIV
again and load in
saved copylock: LM
COPYLOCK,50000.
And enable the RNC decrypter: ROBD. Disassemble address 50000 and stop when this
appears:
Address 5042A is
the one we are interested in. This code will appear in most copylocks and it?s
here we?ll wire
copylock key. In
this way, there is a better chance for a 100% crack, since ? dirty tricks ? will
be executed this way.
These dirty tricks
are often executed in end of the copylock.?
When we have done
that, there is no need for disk access part to be executed, so we can branch past
that part.
Continue disassembling
a few lines further. You?ll notice a BRA at address 50474, this BRA also appears
in most
copylocks, and it
branches to ? second ? part of copylock, as mentioned earlier. We can either branch
directly to
50818, or to 50474,
it makes no difference. Today, let?s choose 50818.

We wish to alter
the opcodes at 5042A, but before we do this, take note of the existing opcodes.
These can then be
used, to locate the
opcodes on disk. See opcodes: M 5042A.
Assemble address
5042A and insert the code you see in the picture beneath. We only do this, so
we can see the new
opcodes. Type M 5042A,
to see the new ENCRYPTED opcodes? We are still in ROBD mode, so
normal code will
appear as encrypted code.

I have marked the
new opcodes with red in the above picture.
Next step, is to
replace the old opcodes with our new ones.
Copylocks are located
between track 18 ? 22, read them into memory, starting at address 30000: RT 24
A 30000.

Search for the opcodes,
you took note of a little earlier, starting at address 30000: F A8 B2 C7 85. AR
returns three
addresses. Insert
the new opcodes at all three addresses and don?t forget to press enter after each
modification.

Write tracks back:
WT 24 A 30000.

Test your new crack.
Wouldn?t it be great
fun, if we had unlimited life?s, bombs & shots ? If you think so, continue
reading 🙂
Start game and do
nothing! You have six life?s to start with. Enter AR and start trainer: TS 6.

Exit and loose ONE
life. Enter AR again and type: ? T 5 ?, to continue trainer. Yu will receive address
178AF.
Exit trainer with
? TX ?. Start new trainer with ? TS 6 ? and fire ONE shot. Enter AR and type ?
T 5 ?. Continue this way,
also with the bombs.
You will end up with these addresses:
Life: 178AF / 178AE
Shots: 17893 / 17892
Bombs: 178A1 / 178A0.
Theses addresses
looks a bit odd, I ?am not joking here. Subtract 1 from all three addresses, and
you?ll get the numbers
in the second row.
Let?s see, what game
does with theses addresses. Starts with life: FA 178AE. AR returns six addresses.
Addresses
13C22 looks interesting,
since it subtracts 1 from the count address 178AE. We could change the instruction
from
? SUBI.W #1,178AE
? to ? SUBI.W #0,178AE ?. Game will then subtract 0 from the life counter, each
time you loose
a life, hence unlimited
life?s!

Take a look at the
instruction with M 13C22. This will show you the opcodes. If you add one long
word (4) to the
address, you?ll get
13C26. See opcodes with M 13C26. Notice the ? 01 ?, marked with red. This is the
? 1 ? in the
? SUBI.W ? instruction.
If we make a little patch, that does a ? MOVE.W #0,13C26 ?, the instruction will
be changed
to ? SUBI.W #0,178AE
?.
Follow the above
instructions for the Shots & Bombs. You should end up with these three addresses:
Life: 13C26
Shots: 13F14
Bombs: 13B38
Let?s find a way,
to patch these addresses, before game starts. Boot game and enter AR when it begins
to load. Press ? D ?
to disassemble actual
memory. Seems like we are in the 70000 area of memory. Try to disassemble address
70000
and hit enter a few
times.

We have a ? JMP 10000
? at address 70024. Stick a breakpoint to this address and exit AR: BS 70024.
When game
reaches the address,
it will pop-up. When this happens, try to disassemble the addresses, that subtracts
# 1 from the
count addresses.

All addresses appears
to be loaded now. Let?s take over this jump and make it jump to address 100 instead.
We?ll then
put a little trainer
routine at address 100.
The ? JMP? 10000
? is located on track 1, read it into memory, stating at address 30000: RT 2 2
30000. Find the JMP:
FA 10000 30000. AR
returns address 30078. Assemble this address and insert a ? JMP 100 ?

Write track back:
WT 2 2 30000.
Next step, is to
find a place on disk for our trainer and a way to move it to address 100. Start
by reading the boot block
into memory, starting
at address 70000: RT 0 1 70000. See memory with: N 70000 + hit enter a few times.

Plenty of spare bytes.
Assemble 70100 and code the trainer:

Disassemble start
of boot code to determine, how to move our trainer into memory:

7005C jumps into
the code, that boot block load into memory. Let?s alter this to ? BRA 700C0 ?
and put a little copy
routine at 700C0,
that moves our trainer into memory. See picture above.
Assemble 700C0 and
code this little routine, which will move our patch from boot block into address
100:
This code, will move
contents of boot block from offset $100 and $200 amount of data into memory, starting
at
address 100. In other
words, it moves our trainer to address 100.

When done, correct
boot block checksum: BOOTCHK 70000. And write boot block back: WT 0 1 70000.
When you boot game,
it loads a while and a blue screen appears. Press left mouse for trainer or right
for normal.

Dedicated to sweet
sweet Victoria.
Rob
0

Publication author

offline 13 hours

mus@shi9

0
Comments: 1160Publics: 2778Registration: 06-03-2017

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
Giants
8 years ago

I know, it’s exist : AR_IV_CHIPMEM.ROM and AR_IV_FASTMEM.ROM
Is they are any body know if it’s possible to use this ‘IV’th version directly under WinUAE With ‘CARDRIDGE ROM FILE’ and not the adf file !?
Thks

0
SIRIaX
Reply to  Giants
8 years ago

yes, it is not possible. At least not with the AR version by Blackhawk. You gotta use CRTMON instead.

0
DLFRSILVER
16 years ago

no pb Rob, it just required me to press fire…. i feel stupid 😀

0
Rob
Rob
16 years ago

I can’t remember from where, but sed me a PM with your mail, and i’ll send it to you

0
Tone
16 years ago

Hey rob, do u have a rom of the action replay mk iv by blackhawk? any hint where you downloaded it?

0
Rob
Rob
16 years ago

Try check your code, I can’t replicate the error. Also sounds odd, cause the trainer is not touching the kb routine..

0
DLFRSILVER
16 years ago

Rob, i have tested the game, there is something going bad, when i pause the game,
the game stays frozen, i’m unable to come back to the game.

0
Authorization
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Registration
*
*
*

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Password generation

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

0
Would love your thoughts, please comment.x
()
x