Rick Dangerous 2

Rick Dangerous II

? Core Design

You will need following:

1. Original game

2. An Amiga or WINUAE

3. Action Replay
or ROM image

4. Pencil and paper

5. Two blank disks?
– find it in your local Amiga store

6. ARIV ? find on
romshare.net

7. Kickstart 2.0

Start by making a
copy of original game disk. You?ll notice an error on track 0. So we are dealing
with

a disk based protection.
Let me surprise you all: It?s a copylock?

When protection fails,
it messes with the game, so it freezes when you try to start a level or during
game play.

Let?s start by retrieving
the copylock key. Boot copy of game, and enter AR when it hangs.

Search for copylocks:
F 48 7A. AR returns nine addresses? There are three identical copylocks in this
game and a fourth

strange one. It?s
very small in size and is not used, or perhaps it passes data the other copylock
routines.?

Pick one of the copylocks
to save. Disassemble ex. address 10084, hold enter down and release it when non-encrypted

code appears. In
this way, you?ll have a start and end address of the copylock. Insert a blank
disk and save copylock:

SM COPYLOCK,10084
10972. Start ARIV and enter it with right mouse. Load in saved copylock, starting
at address

50000: LM COPYLOCK,50000

Activate the build
? in RNC decrypter: ROBD. Disassemble address 50000 and stop when ? second ? part
of copylock

appears:

This part gives us
some troubles, since it flushes copylock key from D0 so we can?t just read it
out, when copylock

has run. The routine
starts at address 50818, let?s insert a ? BRA 50818 ? here, so D0 won?t be flushed.

Type M 50818 and
take note of the first long word of opcodes, as we shall use them later on to
locate this part of

copylock again.

Assemble 50818 and
inset a ? BRA 50818 ?. When done, type M 50818 and see the opcodes for our new
instruction.

The first four opcodes
has changed, take note. The shown opcodes are already encrypted, as we are still
in ROBD mode.

The encryptions works
by XOR, ROBD mode shows the decrypted code, so when we insert normal code, it
will appear

as encrypted.

Boot original game
and enter AR when copylock is executed. Either lessen for the drive grinding sound
or when track

counter moves to
0 in WINUAE. Search for the long word you took note of: F 26 3E 25 F0. AR return
three addresses

hence, three copylocks?

See opcodes for the
first address with M 1089C + enter.? Insert the new opcodes, and don?t forget
to press enter when

done. Exit AR and
wait a few secs for the game to hang.

Enter AR and press
R to see registers. Voila, copylock key in D0. Armed with the key, enter ARIV
again and load in

saved copylock: LM
COPYLOCK,50000.
And enable the RNC decrypter: ROBD. Disassemble address 50000 and stop when this
appears:

Address 5042A is
the one we are interested in. This code will appear in most copylocks and it?s
here we?ll wire

copylock key. In
this way, there is a better chance for a 100% crack, since ? dirty tricks ? will
be executed this way.

These dirty tricks
are often executed in end of the copylock.?

When we have done
that, there is no need for disk access part to be executed, so we can branch past
that part.

Continue disassembling
a few lines further. You?ll notice a BRA at address 50474, this BRA also appears
in most

copylocks, and it
branches to ? second ? part of copylock, as mentioned earlier. We can either branch
directly to

50818, or to 50474,
it makes no difference. Today, let?s choose 50818.

We wish to alter
the opcodes at 5042A, but before we do this, take note of the existing opcodes.
These can then be

used, to locate the
opcodes on disk. See opcodes: M 5042A.

Assemble address
5042A and insert the code you see in the picture beneath. We only do this, so
we can see the new

opcodes. Type M 5042A,
to see the new ENCRYPTED opcodes? We are still in ROBD mode, so

normal code will
appear as encrypted code.

I have marked the
new opcodes with red in the above picture.

Next step, is to
replace the old opcodes with our new ones.

Copylocks are located
between track 18 ? 22, read them into memory, starting at address 30000: RT 24
A 30000.

Search for the opcodes,
you took note of a little earlier, starting at address 30000: F A8 B2 C7 85. AR
returns three

addresses. Insert
the new opcodes at all three addresses and don?t forget to press enter after each
modification.

Write tracks back:
WT 24 A 30000.

Test your new crack.

Wouldn?t it be great
fun, if we had unlimited life?s, bombs & shots ? If you think so, continue
reading 🙂

Start game and do
nothing! You have six life?s to start with. Enter AR and start trainer: TS 6.

Exit and loose ONE
life. Enter AR again and type: ? T 5 ?, to continue trainer. Yu will receive address
178AF.

Exit trainer with
? TX ?. Start new trainer with ? TS 6 ? and fire ONE shot. Enter AR and type ?
T 5 ?. Continue this way,

also with the bombs.
You will end up with these addresses:

Life: 178AF / 178AE

Shots: 17893 / 17892

Bombs: 178A1 / 178A0.

Theses addresses
looks a bit odd, I ?am not joking here. Subtract 1 from all three addresses, and
you?ll get the numbers

in the second row.

Let?s see, what game
does with theses addresses. Starts with life: FA 178AE. AR returns six addresses.
Addresses

13C22 looks interesting,
since it subtracts 1 from the count address 178AE. We could change the instruction
from

? SUBI.W #1,178AE
? to ? SUBI.W #0,178AE ?. Game will then subtract 0 from the life counter, each
time you loose

a life, hence unlimited
life?s!

Take a look at the
instruction with M 13C22. This will show you the opcodes. If you add one long
word (4) to the

address, you?ll get
13C26. See opcodes with M 13C26. Notice the ? 01 ?, marked with red. This is the
? 1 ? in the

? SUBI.W ? instruction.
If we make a little patch, that does a ? MOVE.W #0,13C26 ?, the instruction will
be changed

to ? SUBI.W #0,178AE
?.

Follow the above
instructions for the Shots & Bombs. You should end up with these three addresses:

Life: 13C26

Shots: 13F14

Bombs: 13B38

Let?s find a way,
to patch these addresses, before game starts. Boot game and enter AR when it begins
to load. Press ? D ?

to disassemble actual
memory. Seems like we are in the 70000 area of memory. Try to disassemble address
70000

and hit enter a few
times.

We have a ? JMP 10000
? at address 70024. Stick a breakpoint to this address and exit AR: BS 70024.
When game

reaches the address,
it will pop-up. When this happens, try to disassemble the addresses, that subtracts
# 1 from the

count addresses.

All addresses appears
to be loaded now. Let?s take over this jump and make it jump to address 100 instead.
We?ll then

put a little trainer
routine at address 100.

The ? JMP? 10000
? is located on track 1, read it into memory, stating at address 30000: RT 2 2
30000. Find the JMP:

FA 10000 30000. AR
returns address 30078. Assemble this address and insert a ? JMP 100 ?

Write track back:
WT 2 2 30000.

Next step, is to
find a place on disk for our trainer and a way to move it to address 100. Start
by reading the boot block

into memory, starting
at address 70000: RT 0 1 70000. See memory with: N 70000 + hit enter a few times.

Plenty of spare bytes.
Assemble 70100 and code the trainer:

Disassemble start
of boot code to determine, how to move our trainer into memory:

7005C jumps into
the code, that boot block load into memory. Let?s alter this to ? BRA 700C0 ?
and put a little copy

routine at 700C0,
that moves our trainer into memory. See picture above.

Assemble 700C0 and
code this little routine, which will move our patch from boot block into address
100:

This code, will move
contents of boot block from offset $100 and $200 amount of data into memory, starting
at

address 100. In other
words, it moves our trainer to address 100.

When done, correct
boot block checksum: BOOTCHK 70000. And write boot block back: WT 0 1 70000.

When you boot game,
it loads a while and a blue screen appears. Press left mouse for trainer or right
for normal.

Dedicated to sweet
sweet Victoria.

Rob

Publication author

offline 2 weeks

mus@shi9

0

Comments: 1160Publics: 2780Registration: 06-03-2017