Rick Dangerous II? Core DesignYou will need following:1. Original game
2. An Amiga or WINUAE3. Action Replay
or ROM image4. Pencil and paper5. Two blank disks?
– find it in your local Amiga store6. ARIV ? find on
romshare.net7. Kickstart 2.0Start by making a
copy of original game disk. You?ll notice an error on track 0. So we are dealing
witha disk based protection.
Let me surprise you all: It?s a copylock?When protection fails,
it messes with the game, so it freezes when you try to start a level or during
game play.Let?s start by retrieving
the copylock key. Boot copy of game, and enter AR when it hangs.Search for copylocks:
F 48 7A. AR returns nine addresses? There are three identical copylocks in this
game and a fourthstrange one. It?s
very small in size and is not used, or perhaps it passes data the other copylock
routines.?Pick one of the copylocks
to save. Disassemble ex. address 10084, hold enter down and release it when non-encryptedcode appears. In
this way, you?ll have a start and end address of the copylock. Insert a blank
disk and save copylock:SM COPYLOCK,10084
10972. Start ARIV and enter it with right mouse. Load in saved copylock, starting
at address50000: LM COPYLOCK,50000Activate the build
? in RNC decrypter: ROBD. Disassemble address 50000 and stop when ? second ? part
of copylockappears:This part gives us
some troubles, since it flushes copylock key from D0 so we can?t just read it
out, when copylockhas run. The routine
starts at address 50818, let?s insert a ? BRA 50818 ? here, so D0 won?t be flushed.Type M 50818 and
take note of the first long word of opcodes, as we shall use them later on to
locate this part ofcopylock again.Assemble 50818 and
inset a ? BRA 50818 ?. When done, type M 50818 and see the opcodes for our new
instruction.The first four opcodes
has changed, take note. The shown opcodes are already encrypted, as we are still
in ROBD mode.The encryptions works
by XOR, ROBD mode shows the decrypted code, so when we insert normal code, it
will appearas encrypted.Boot original game
and enter AR when copylock is executed. Either lessen for the drive grinding sound
or when trackcounter moves to
0 in WINUAE. Search for the long word you took note of: F 26 3E 25 F0. AR return
three addresseshence, three copylocks?See opcodes for the
first address with M 1089C + enter.? Insert the new opcodes, and don?t forget
to press enter whendone. Exit AR and
wait a few secs for the game to hang.Enter AR and press
R to see registers. Voila, copylock key in D0. Armed with the key, enter ARIV
again and load insaved copylock: LM
COPYLOCK,50000.
And enable the RNC decrypter: ROBD. Disassemble address 50000 and stop when this
appears:Address 5042A is
the one we are interested in. This code will appear in most copylocks and it?s
here we?ll wirecopylock key. In
this way, there is a better chance for a 100% crack, since ? dirty tricks ? will
be executed this way.These dirty tricks
are often executed in end of the copylock.?When we have done
that, there is no need for disk access part to be executed, so we can branch past
that part.Continue disassembling
a few lines further. You?ll notice a BRA at address 50474, this BRA also appears
in mostcopylocks, and it
branches to ? second ? part of copylock, as mentioned earlier. We can either branch
directly to50818, or to 50474,
it makes no difference. Today, let?s choose 50818.We wish to alter
the opcodes at 5042A, but before we do this, take note of the existing opcodes.
These can then beused, to locate the
opcodes on disk. See opcodes: M 5042A.Assemble address
5042A and insert the code you see in the picture beneath. We only do this, so
we can see the newopcodes. Type M 5042A,
to see the new ENCRYPTED opcodes? We are still in ROBD mode, sonormal code will
appear as encrypted code.I have marked the
new opcodes with red in the above picture.Next step, is to
replace the old opcodes with our new ones.Copylocks are located
between track 18 ? 22, read them into memory, starting at address 30000: RT 24
A 30000.Search for the opcodes,
you took note of a little earlier, starting at address 30000: F A8 B2 C7 85. AR
returns threeaddresses. Insert
the new opcodes at all three addresses and don?t forget to press enter after each
modification.Write tracks back:
WT 24 A 30000.Test your new crack.Wouldn?t it be great
fun, if we had unlimited life?s, bombs & shots ? If you think so, continue
reading 🙂Start game and do
nothing! You have six life?s to start with. Enter AR and start trainer: TS 6.
Exit and loose ONE
life. Enter AR again and type: ? T 5 ?, to continue trainer. Yu will receive address
178AF.Exit trainer with
? TX ?. Start new trainer with ? TS 6 ? and fire ONE shot. Enter AR and type ?
T 5 ?. Continue this way,also with the bombs.
You will end up with these addresses:Life: 178AF / 178AEShots: 17893 / 17892Bombs: 178A1 / 178A0.Theses addresses
looks a bit odd, I ?am not joking here. Subtract 1 from all three addresses, and
you?ll get the numbersin the second row.Let?s see, what game
does with theses addresses. Starts with life: FA 178AE. AR returns six addresses.
Addresses13C22 looks interesting,
since it subtracts 1 from the count address 178AE. We could change the instruction
from? SUBI.W #1,178AE
? to ? SUBI.W #0,178AE ?. Game will then subtract 0 from the life counter, each
time you loosea life, hence unlimited
life?s!Take a look at the
instruction with M 13C22. This will show you the opcodes. If you add one long
word (4) to theaddress, you?ll get
13C26. See opcodes with M 13C26. Notice the ? 01 ?, marked with red. This is the
? 1 ? in the? SUBI.W ? instruction.
If we make a little patch, that does a ? MOVE.W #0,13C26 ?, the instruction will
be changedto ? SUBI.W #0,178AE
?.Follow the above
instructions for the Shots & Bombs. You should end up with these three addresses:Life: 13C26Shots: 13F14Bombs: 13B38Let?s find a way,
to patch these addresses, before game starts. Boot game and enter AR when it begins
to load. Press ? D ?to disassemble actual
memory. Seems like we are in the 70000 area of memory. Try to disassemble address
70000and hit enter a few
times.We have a ? JMP 10000
? at address 70024. Stick a breakpoint to this address and exit AR: BS 70024.
When gamereaches the address,
it will pop-up. When this happens, try to disassemble the addresses, that subtracts
# 1 from thecount addresses.All addresses appears
to be loaded now. Let?s take over this jump and make it jump to address 100 instead.
We?ll thenput a little trainer
routine at address 100.The ? JMP? 10000
? is located on track 1, read it into memory, stating at address 30000: RT 2 2
30000. Find the JMP:FA 10000 30000. AR
returns address 30078. Assemble this address and insert a ? JMP 100 ?Write track back:
WT 2 2 30000.Next step, is to
find a place on disk for our trainer and a way to move it to address 100. Start
by reading the boot blockinto memory, starting
at address 70000: RT 0 1 70000. See memory with: N 70000 + hit enter a few times.Plenty of spare bytes.
Assemble 70100 and code the trainer:Disassemble start
of boot code to determine, how to move our trainer into memory:7005C jumps into
the code, that boot block load into memory. Let?s alter this to ? BRA 700C0 ?
and put a little copyroutine at 700C0,
that moves our trainer into memory. See picture above.Assemble 700C0 and
code this little routine, which will move our patch from boot block into address
100:This code, will move
contents of boot block from offset $100 and $200 amount of data into memory, starting
ataddress 100. In other
words, it moves our trainer to address 100.When done, correct
boot block checksum: BOOTCHK 70000. And write boot block back: WT 0 1 70000.When you boot game,
it loads a while and a blue screen appears. Press left mouse for trainer or right
for normal.Dedicated to sweet
sweet Victoria.Rob
Bad Brothers – Music Line Editor
Publication author offline 14 hours mus@shi9 0 Comments: 1166Publics: 2810Registration: 06-03-2017
I know, it’s exist : AR_IV_CHIPMEM.ROM and AR_IV_FASTMEM.ROM
Is they are any body know if it’s possible to use this ‘IV’th version directly under WinUAE With ‘CARDRIDGE ROM FILE’ and not the adf file !?
Thks
yes, it is not possible. At least not with the AR version by Blackhawk. You gotta use CRTMON instead.
no pb Rob, it just required me to press fire…. i feel stupid 😀
I can’t remember from where, but sed me a PM with your mail, and i’ll send it to you
Hey rob, do u have a rom of the action replay mk iv by blackhawk? any hint where you downloaded it?
Try check your code, I can’t replicate the error. Also sounds odd, cause the trainer is not touching the kb routine..
Rob, i have tested the game, there is something going bad, when i pause the game,
the game stays frozen, i’m unable to come back to the game.