
Rick Dangerous
Core Design

You will need the following:

1. The original game, or a disk image of it
2. An Amiga or WinUAE
3. Action Replay (the cartridge or a ROM image)
4. Pencil and paper
5. Two blank disks – find them in your local Amiga store
6. 1 MB of RAM (for the cracking process only)

Start by making a copy of the original game disk. You'll notice an error on track 0, so we are dealing with a disk-based protection. Let me surprise you all: it's a Copylock...
There are two layers of protection: the boot block is encrypted, and so is the game itself. Both will only decrypt if the disk has the original Copylock track.
Let's start by having a look at the main boot block.
Read track 0 into memory at address 70000: "RT 0 1 70000"
Disassemble the start of the boot code with "D 7000C" and press Enter a few times.

Line 70020 looks interesting: #60000 is the destination address for the data the boot block loads. Armed with this info, reboot the original game. When the game boots, nothing seems to happen at first. This is the first Copylock, which decrypts the original boot block. Once the game continues to load, enter AR. We should now have some decrypted code at address 60000. Disassemble address 60000 and press Enter a few times:

Line 60070 jumps to address 10000. This must be the beginning of the game. Let the game continue to load and enter AR when the title screen appears. The whole game has now been decrypted. Let's have a little look at the code around address 10000:

There are two noticeable addresses: 10000 and 1003C. Address 10000 sets up the SR (status register). Writing the SR is a privileged instruction on the 68000, so the Amiga has to be in supervisor mode before this code can execute. This is important to know, as we are going to rip the memory from address 10000 to 80000. If we just start the game with a "JMP" from user mode, it will crash with a privilege violation. We have to put the Amiga in supervisor mode first, using either the "TRAP" or the "ILLEGAL" instruction: both raise an exception, and the exception handler runs in supervisor mode.
The next interesting address is 1003C. This "BSR" calls the main loader routine. We need to kill this instruction, as we will use the boot block as the main loader instead.
Assemble address 1003C and insert two "NOP"s (the BSR is four bytes long, so two NOPs replace it exactly):

Let's have another look at the code. Type "N 10000" and press Enter a few times:

It seems we have some spare bytes around address 10900. Let's use them for a trainer. I won't show you how to find the addresses to patch, as the procedure is the same as in Rick Dangerous 2, so if you are interested have a look at that tutorial.
Assemble address 10900 and insert the following code:

10900; LEA 1090C,A0; make A0 point to address 1090C
10906; MOVE.L A0,10.S; store A0 at address 10, the illegal-instruction exception vector
1090A; ILLEGAL; raise the exception: the CPU enters supervisor mode and continues at 1090C
1090C; MOVE.W #F,DFF180; set the background colour (COLOR00) to blue
10914; BTST #6,BFE001; check the left mouse button (CIA-A PRA bit 6, low when pressed)
1091C; BEQ 1092C; if pressed, branch to address 1092C and start the trained game
1091E; BTST #A,DFF016; check the right mouse button (POTGOR bit 10, low when pressed)
10926; BEQ 10958; if pressed, branch to address 10958 and start the normal game
10928; NOP; padding, harmless (oops)
1092A; BRA 1090C; loop until a button is pressed
1092C; MOVE.L #4E714E71,D0; put the opcodes for two NOPs in D0
10932; MOVE.L D0,45B94; train game: overwrite a 4-byte instruction with two NOPs
10938; MOVE.L D0,45B98; train game
1093E; MOVE.L D0,45C68; train game
10944; MOVE.L D0,45C6C; train game
1094A; MOVE.L D0,45E3C; train game
10950; MOVE.L D0,45E40; train game
10956; CLR.L D0; restore D0 to zero, its original value
10958; JMP 10000; start the game

Address 10900 is the new jump address.
Insert the copy of the game and write the memory back to disk, starting at track 1 (disk offset #1600): "WT 1 70 10000"
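The mapping behind "WT 1 70 10000" is simple: the game sits at 10000 in memory and is written from track 1, so a byte at memory address A lands at disk offset A - 10000 + 1600, and each track is 11 sectors of 512 bytes (#1600). The script below is an added example, not part of the original tutorial: it applies that mapping to a plain ADF image, turns a memory address into an AR track number and offset, and applies the NOP patch from 1003C directly to the image instead of through the monitor. The function names, the blank sample image and the fake BSR bytes in it are all constructed for this example; the ADF geometry (80 cylinders, 2 heads, 11 sectors) is the standard DD layout.

```python
"""Address-to-disk mapping behind 'WT 1 70 10000' and a NOP patch on an ADF.

Added example, not from the original tutorial. Assumes a standard DD ADF
(80 cylinders x 2 heads = 160 tracks of 11 x 512 bytes) and the tutorial's
layout: memory address 10000 is written to track 1 (disk offset 1600).
"""
TRACK_BYTES = 11 * 512           # 0x1600 bytes per Amiga DD track
ADF_TRACKS = 160                 # 80 cylinders x 2 sides
ADF_SIZE = TRACK_BYTES * ADF_TRACKS
MEM_BASE = 0x10000               # start of the ripped game in memory
DISK_BASE = 1 * TRACK_BYTES      # 'WT 1 ...': the first written track is track 1
NOP = b"\x4E\x71"                # 68000 NOP opcode


def mem_to_disk(addr: int) -> int:
    """Disk offset of the byte that lives at 'addr' once the game is loaded."""
    if addr < MEM_BASE:
        raise ValueError("address %#x is below the ripped range" % addr)
    return addr - MEM_BASE + DISK_BASE


def disk_to_track(offset: int) -> tuple:
    """(AR track number, byte offset inside that track) for a disk offset.

    AR numbers tracks 0..159 linearly: track = cylinder * 2 + head."""
    return divmod(offset, TRACK_BYTES)


def tracks_needed(nbytes: int) -> int:
    """Whole tracks a memory range of nbytes occupies (rounded up)."""
    return -(-nbytes // TRACK_BYTES)


def patch_image(image: bytes, addr: int, data: bytes) -> bytes:
    """Return a copy of 'image' with 'data' written at memory address 'addr'."""
    off = mem_to_disk(addr)
    if off + len(data) > len(image):
        raise ValueError("patch runs past the end of the image")
    return image[:off] + data + image[off + len(data):]


def nop_out(image: bytes, addr: int, length: int = 4) -> bytes:
    """Overwrite a 'length'-byte instruction with NOPs (length must be even).

    A 4-byte BSR, like the loader call at 1003C, becomes 4E71 4E71."""
    if length % 2:
        raise ValueError("68000 instructions are word-sized")
    return patch_image(image, addr, NOP * (length // 2))


def read_mem(image: bytes, addr: int, length: int) -> bytes:
    """Read bytes from the image by memory address (the inverse of patch_image)."""
    off = mem_to_disk(addr)
    return image[off:off + length]


# Constructed sample image (not game data): a blank ADF with a fake 4-byte
# BSR (opcode 6100 plus a 16-bit displacement) at memory address 1003C.
SAMPLE = bytearray(ADF_SIZE)
SAMPLE[mem_to_disk(0x1003C):mem_to_disk(0x1003C) + 4] = b"\x61\x00\x12\x34"
SAMPLE = bytes(SAMPLE)
CRACKED = nop_out(SAMPLE, 0x1003C)   # the loader call replaced by two NOPs

if __name__ == "__main__":
    print("1003C is at disk offset %#x, track %d + %d" % (
        mem_to_disk(0x1003C), *disk_to_track(mem_to_disk(0x1003C))))
    print("trainer poke 45B94 lives on track %d" % disk_to_track(mem_to_disk(0x45B94))[0])
    print("#5A000 bytes = %d tracks" % tracks_needed(0x5A000))
    print("patched bytes:", read_mem(CRACKED, 0x1003C, 4).hex())
```

tracks_needed is the sanity check worth doing before "WT": it tells you how many tracks the range you are about to write actually covers, so you can compare it with the track count you give WT and with the amount the boot block will read back.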
We now need to make a few modifications to the boot block.
Read the boot block into memory at address 70000 with "RT 0 1 70000" and disassemble it with "D 7000C" + Enter.
The addresses marked in red (in the disassembly) need to be changed.

Address 70020 has to be: MOVE.L #10000,10(A7); destination address for the data (the ripped game now lives at 10000, not 60000)
Address 70034 has to be: MOVE.L #5A000,24(A1); amount to read (io_Length)
Address 7003C has to be: MOVE.L #1600,2C(A1); disk offset to read from, i.e. track 1 (io_Offset)
Address 70060 has to be: JMP 10900; jump to our trainer at address 10900 instead of the game

Assemble the marked addresses and make the changes:

Finally, correct the boot block checksum and write the track back (the ROM refuses to execute a boot block whose checksum is wrong, so a patched track 0 without this step will not boot):
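What "correct the boot block checksum" means in bytes: the first 1024 bytes of the disk are summed as 256 big-endian longwords with end-around carry (the ROM's add.l / bcc / addq.l #1 loop), and the longword at offset 4 must be chosen so that the total comes out as FFFFFFFF. The script below is an added example, not the tutorial's or Action Replay's code: it recomputes that checksum, verifies a block the way the ROM does, and re-checksums after a longword patch so the four boot block edits above can be applied to an ADF offline. The function names, the minimal "DOS" sample block and the patch offset 0x22 (where the longword immediate of the MOVE.L at 70020 sits, two bytes after the opcode word, relative to the track read in at 70000) are this example's own assumptions.

```python
"""Recompute the AmigaDOS boot block checksum after patching track 0.

Added example, not from the original tutorial. Checksum rule as used by the
Kickstart boot loader: the 1024-byte boot block, summed as 256 big-endian
longwords with end-around carry, must total 0xFFFFFFFF; the checksum itself
is stored in the second longword (offset 4).
"""
import struct

BOOTBLOCK_SIZE = 1024       # two 512-byte sectors
CHECKSUM_OFFSET = 4         # longword 1
MASK = 0xFFFFFFFF


def carry_sum(data: bytes) -> int:
    """Sum longwords with end-around carry, as the ROM's loop does."""
    total = 0
    for (value,) in struct.iter_unpack(">I", data):
        total += value
        if total > MASK:                  # carry out of bit 31...
            total = (total & MASK) + 1    # ...is added back in
    return total


def _with_checksum(block: bytes, checksum: int) -> bytes:
    return (block[:CHECKSUM_OFFSET] + struct.pack(">I", checksum)
            + block[CHECKSUM_OFFSET + 4:])


def bootblock_checksum(block: bytes) -> int:
    """Value for longword 1 that makes carry_sum(block) == 0xFFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    return (~carry_sum(_with_checksum(block, 0))) & MASK


def fix_bootblock(block: bytes) -> bytes:
    """Return the block with a correct checksum written in."""
    return _with_checksum(block, bootblock_checksum(block))


def bootblock_ok(block: bytes) -> bool:
    """The checks the ROM makes before it executes a boot block."""
    return (len(block) == BOOTBLOCK_SIZE
            and block[:3] == b"DOS"
            and carry_sum(block) == MASK)


def poke_long(block: bytes, offset: int, value: int) -> bytes:
    """Overwrite one longword (e.g. the immediate of a MOVE.L) and re-checksum.

    'offset' is relative to the start of track 0: AR address minus 70000."""
    if offset % 2 or offset + 4 > BOOTBLOCK_SIZE:
        raise ValueError("longword patch must be word-aligned and inside the block")
    patched = block[:offset] + struct.pack(">I", value) + block[offset + 4:]
    return fix_bootblock(patched)


def fix_adf_bootblock(image: bytes) -> bytes:
    """Re-checksum track 0 of a whole ADF image."""
    return fix_bootblock(image[:BOOTBLOCK_SIZE]) + image[BOOTBLOCK_SIZE:]


# Constructed sample (not the game's boot block): "DOS\0", an empty checksum
# slot, the usual root block pointer 880, and zeros where boot code would be.
MINIMAL = (b"DOS\0" + b"\0\0\0\0" + struct.pack(">I", 880)).ljust(BOOTBLOCK_SIZE, b"\0")

if __name__ == "__main__":
    print("checksum of sample: %08X" % bootblock_checksum(MINIMAL))
    fixed = poke_long(fix_bootblock(MINIMAL), 0x22, 0x10000)   # the 70020 edit
    print("patched block boots:", bootblock_ok(fixed))
```

The same poke_long call with offsets 0x36, 0x3E and 0x62 would carry the other three edits (again assuming the immediate follows the opcode word in each instruction); after the last one, write the 1024 bytes back over track 0 of the image, or let fix_adf_bootblock do it for you before writing the ADF out.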

Reboot and have phun...
When screen turns blue, press LMB for trained game (unlimited lives, bombs & shots) or RMB for normal game.

Thanks to Musashi9 for writing the original tutorial!
Rob



MarzSyndrome
13 years ago

I don’t know why, but at the halfway point when I’m writing the decrypted game data back to disk, it always fails on track 42 head 1. Is it the code or just my dodgy ADF copy?

scenex
18 years ago

I always asked myself why musashi9 didn't publish his old tutorials from his first page on flashtro.com... they were the first Amiga cracking tuts I found on the internet, along with the carrier commander tutorial, which in turn made me aware of the great flashtro.com website 🙂

janer
18 years ago

great game! 🙂
