
Super Space Invaders
Taito
1991

You will need the following:

1. Original game (find it on emunova.net)
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. Two blank disks – find them in your local Amiga store

Note! Some addresses may differ on your computer.
This patch is NOT designed for the version in caps pack 57 but for an earlier release, and it will NOT work with the caps pack version.
It's a good idea to take note of opcodes and addresses during this quick tutorial.
In this text, we'll crack two ICE! packed copylocks by wiring the key into register D0 and address 60 and skipping all the encrypted code.
A small trainer is also included, with a toggle function for energy on/off during game play.
The boot block crack can be downloaded at the top of this page ($0-$400).
Start by making a copy of the original game disks. This is to determine the type of protection.
You'll notice an error on track 0 of disk 2. This is some type of disk-based protection, where you can't duplicate a specially written track. Most likely a copylock routine.
The copy of the game will naturally not work.
The first thing is to find the copylock key. Boot the copy of disk 1 and enter AR when you are prompted to insert disk 2.
Only disk 2 was faulty, so the copylock check is probably executed when the game wants disk 2.
Find the start of the copylock with 'F 48 7A'. AR returns four addresses; there is $10 between the first two, a typical sign of a copylock. The copylock starts at address 84C0. Disassemble this address, hold Enter down, and don't stop before normal code starts again.

You'll see tons of encrypted code, and it seems to end at address 8E0E, where normal code starts again. Stick a breakpoint on address 8E10: BS 8E10. Insert original disk 2, exit AR and continue the game. When address 8E10 is reached, AR pops up.

When this happens, press 'R' to see the registers. The key is returned in D0. Many copylocks from the early '90s also returned the key at address 60. Check address 60 with M 60. We now know that the copylock starts at address 84C0, ends at 8E10, and the copylock key is returned in register D0 and at address 60. This was only copylock 1; there is another copylock routine a little later in the game. Exit AR and continue loading. Copylock 2 is decrunched when you are prompted to select the type of game. Enter AR and search for the copylock once more: 'F 48 7A'. AR returns addresses 6FDE and 6FEE; the copylock starts at the first address.

Disassemble address 6FDE and hold Enter down until normal code starts again. This happens at address 792E.
This copylock does the same as the first one. With this one we only have to return the copylock key in D0, as address 60 still holds the key and the game doesn't clear it.
All files are crunched with 'ICE!', so we have to patch the decrunched files before they are executed. We'll patch the copylocks by inserting a 'MOVE.L copylock key,D0' and a 'BRA past copylock'. We can't apply this code directly to the files, so we'll have to find the opcodes for our patch and move those opcodes into the decrunched files.
Let's find the opcodes for the first copylock. We do this by inserting the code we want at the start of the copylock and viewing the opcodes with the 'M' command. Assemble address 84C0 and insert the following code:

Divide the opcodes into four long words, see the picture above.
We now know the opcodes for copylock 1 and where to insert them. Assemble address 6FDE and do copylock 2:

This time we don't have to move the copylock key to address 60, as it's never cleared. We make two long words and one word.
The next step is to find the jump into the decrunched data and take over this jump.
Let's start by having a look at the boot block. Read it into memory, starting at address 70000: 'RT 0 1 70000'. Disassemble: 'D 7000C'

The boot block loads data into the address that D0 contains. The loaded data is then executed by the 'TRAP #0' at line 70052.
Let's change this to a loop, so we can have a look at the data before it's executed. Do the following:

Reboot and enter AR when the game hangs. Press 'R' to see the registers. D0 holds the start address of the loaded data.

Disassemble address 59E8 and watch out for jumps. I have found (by using the well-proven trial-and-error method) that the jump at address 5C18 is very interesting. The game accesses this jump several times, also when the copylocks have been decrunched. We still have to note that the copylocks are NOT decrunched at the same time. This means that our patch has to detect which (if any) of the two copylocks has been decrunched when the patch is called.
The patch coding can begin now. Read the boot block into memory: 'RT 0 1 70000'

Assemble line 7004E of the boot block and change it to 'BRA 70100'. Take note of the code before you remove it, as it's needed to start the game.
We can then put a little routine at offset $100 to move the main patch into memory.

Assemble 70100 and insert the following:

70100; MOVEM.L D0-D7/A0-A6,-(A7); save registers
70104; LEA C0,A0; set address C0 to destination for crack patch
7010A; LEA 70200(PC),A1; copy data from offset #200 on disk
7010E; MOVE.W #200,D7; copy $ 200 of data
70112; MOVE.B (A1)+,(A0)+; copy
70114; DBF D7,70112; copy
70118; MOVEM.L (A7)+,D0-D7/A0-A6; restore registers
7011C; MOVEM.L D0-D7/A0-A6,-(A7); save registers
70120; MOVEA.L D0,A0; make A0 point to start of loaded data
70122; MOVE.L #4EF800C0,22E(A0); insert 'JMP C0.S', taking over the game
7012A; MOVEM.L (A7)+,D0-D7/A0-A6; restore registers
7012E; MOVE.L D0,80.S; move start address of data to address 80
70132; TRAP #0; execute loaded data

Assemble 70200 (offset $200 on disk) and code the main patch:

70200; MOVEA.L D0,A0; restore code we changed to 'JMP C0.S'
70202; CMPI.W #487A,6FDE.S; check if second copylock appears in mem
70208; BEQ 7023E; if true, branch to 7023E and crack it
7020A; CMPI.W #487A,84C0; check if first copylock appears in mem
70212; BNE 7023C; if not, branch to 7023C and continue game
70214; MOVE.L #203C4C19,84C0; move new opcodes into copylock 1
7021E; MOVE.L #6AC50000,84C4; move new opcodes into copylock 1
70228; MOVE.L #21C00060,84C6; move new opcodes into copylock 1
70232; MOVE.L #60000944,84CA; move new opcodes into copylock 1
7023C; JMP (A0); continue game via the jump we took over
7023E; MOVE.L #203C4C19,6FDE.S; move new opcodes into copylock 2
70246; MOVE.W #6AC5,6FE2.S; move new opcodes into copylock 2
7024C; MOVE.L #60000948,6FE4.S; move new opcodes into copylock 2
70254; MOVE.W #F,DFF180; set background to blue
7025C; BTST #6,BFE001; check for LMB pressed
70264; BEQ 70272; if equal, branch to 70272 and train game
70266; BTST #A,DFF016; check for RMB pressed
7026E; BEQ 7028A; if equal, branch to 7028A and start normal game
70270; BRA 70254; loop till mouse is pressed
70272; MOVE.L #4EB90000,6A9C.S; hook call to toggle function (JSR 14C)
7027A; MOVE.W #14C,6AA0.S; hook call to toggle function (JSR 14C)
70280; MOVE.L #4E714E71,141A4; NOP out instruction that decreases energy
7028A; JMP (A0); continue game via the jump we took over
7028C; CLR.W 1F9DA; run code we removed at 6A9C
70292; BTST #A,DFF016; check for RMB pressed
7029A; BEQ 7029E; if pressed, branch to 7029E and toggle energy
7029C; RTS; mouse not pressed, return to game
7029E; EORI.L #1D014E71,141A4; toggle energy
702A8; MOVE.W #FF,17A.S; 702A8-702B8; delay routine
702AE; ADDQ.W #2,17A.S
702B2; SUBQ.W #1,17A.S
702B6; BNE 702AE
702B8; RTS

Quick description of trainer:

The trainer code will turn the screen blue during loading and wait for the mouse to be pressed. If LMB is pressed, the patch NOPs out the instruction that decreases energy. It also inserts a 'JSR 142' in the game code, to call the toggle function.
I found the place to hook 'JSR 142' by simply entering AR during play and pressing 'D'. Address 6A9C popped up, so I tried whether it was run continuously during play, which it was.
The code at address 142 checks if RMB is pressed; if it is, the patch EORs the value #1D014E71 with the subtraction routine, which toggles it. To find the value to EOR with, do this:
The decreasing routine at 141A4 is SUBQ.W #1,0(A0,D0.W), opcodes 53 70 00 00 6B. We wish to change the routine to NOP NOP, opcodes 4E 71 4E 71. EOR 4E 71 4E 71 with 53 70 00 00 6B = 1D 01 4E 71. To toggle between 53 70 00 00 6B (SUBQ.W #1,0(A0,D0.W)) and 4E 71 4E 71 (NOP NOP), just EOR with 1D 01 4E 71.
The delay routine will pause the game VERY briefly, to indicate your selection during play and to avoid the trainer being turned both on and off when the mouse is pressed.
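The EORI.L trick above is a general reversible patch: one mask flips a four-byte instruction encoding into another of the same length and flips it back on the next press. As an added example (not code from the tutorial, and not an Action Replay feature), the Python below derives that mask from the two 68000 encodings the text names, applies it twice to a constructed memory image, and shows why the two encodings must have the same length: a mask applied across an instruction boundary would corrupt whatever follows. The memory image and the offsets used here are constructed for the demonstration.

```python
# Added example: reversible in-place patch via an EOR (XOR) mask.
# The two encodings are the ones the tutorial names; the surrounding
# memory image is constructed here and is not the game's code.

SUBQ_W_1_A0_D0 = bytes.fromhex("53700000")  # SUBQ.W #1,0(A0,D0.W): opcode + extension word
NOP_NOP = bytes.fromhex("4E714E71")         # NOP NOP: two 16-bit instructions, 4 bytes


def toggle_mask(original: bytes, replacement: bytes) -> bytes:
    """EOR mask that turns `original` into `replacement` and back again.

    Both encodings must be the same length; a shorter or longer
    replacement would spill into (or leave part of) the next instruction.
    """
    if len(original) != len(replacement):
        raise ValueError("encodings differ in length; an EOR patch cannot be applied")
    return bytes(a ^ b for a, b in zip(original, replacement))


def apply_toggle(image: bytearray, offset: int, mask: bytes) -> None:
    """EOR `mask` into `image` at `offset`, exactly like EORI.L #mask,addr."""
    for i, m in enumerate(mask):
        image[offset + i] ^= m


def demo():
    """Apply the toggle twice to a constructed image and report what happened."""
    mask = toggle_mask(SUBQ_W_1_A0_D0, NOP_NOP)
    # Constructed memory image: eight bytes of NOPs, the SUBQ at offset 8,
    # then an RTS and padding. Only offsets 8..11 may change.
    image = bytearray(b"\x4e\x71" * 4 + SUBQ_W_1_A0_D0 + b"\x4e\x75\x00\x00")
    apply_toggle(image, 8, mask)
    after_first = bytes(image[8:12])      # trainer on: NOP NOP
    apply_toggle(image, 8, mask)
    after_second = bytes(image[8:12])     # trainer off: SUBQ restored
    neighbours_intact = (image[:8] == b"\x4e\x71" * 4
                         and image[12:] == b"\x4e\x75\x00\x00")
    return mask.hex().upper(), after_first, after_second, neighbours_intact


if __name__ == "__main__":
    print(demo())
```

The mask comes out as 1D014E71, matching the value the patch uses; the length check is the part worth keeping in any patching tool, since 68000 instructions are 2 to 10 bytes and a mismatched pair silently breaks the instruction after the one you meant to change.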

Correct boot checksum: 'BOOTCHK 70000'
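A hand-edited boot block is only accepted by the ROM if its checksum longword (bytes 4-7) is correct, which is what the AR 'BOOTCHK' command recomputes in memory. As an added example (not part of the tutorial and not Action Replay's code), the Python below does the same job on a 1024-byte boot block image so a patched block can be verified or fixed before it is written back. It uses the documented Amiga rule: all 256 big-endian longwords are summed with end-around carry, with the checksum field counted as zero, and the stored value is the one's complement of that sum, so a valid block totals 0xFFFFFFFF. The sample block is constructed here (a 'DOS' signature, the standard root block number 880, and one placeholder longword borrowed from the page's own JMP opcode); it is not the game's boot block.

```python
# Added example: verify and fix the Amiga boot block checksum.
# The algorithm is the standard one the Kickstart ROM applies; the
# sample boot block below is constructed for the demonstration.
import struct

BOOTBLOCK_SIZE = 1024   # blocks 0 and 1 of the disk: 256 big-endian longwords
CHECKSUM_OFFSET = 4     # bytes 4-7 hold the checksum


def add_with_carry(acc: int, value: int) -> int:
    """32-bit add that folds the carry back into bit 0 (end-around carry)."""
    total = acc + value
    if total > 0xFFFFFFFF:
        total = (total & 0xFFFFFFFF) + 1
    return total


def rom_total(block: bytes) -> int:
    """Fold all 256 longwords, checksum included; a valid block gives 0xFFFFFFFF."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        total = add_with_carry(total, struct.unpack_from(">I", block, off)[0])
    return total


def bootblock_checksum(block: bytes) -> int:
    """Checksum that belongs at bytes 4-7 of `block`."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue                      # the field itself counts as zero
        total = add_with_carry(total, struct.unpack_from(">I", block, off)[0])
    return (~total) & 0xFFFFFFFF


def checksum_ok(block: bytes) -> bool:
    """True if the stored checksum matches the block contents."""
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def fix_checksum(block: bytes) -> bytes:
    """Return a copy of `block` with the checksum field corrected."""
    fixed = bytearray(block)
    struct.pack_into(">I", fixed, CHECKSUM_OFFSET, bootblock_checksum(fixed))
    return bytes(fixed)


def make_sample_bootblock() -> bytes:
    """Constructed 1024-byte boot block with a zeroed checksum field."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"                       # 'DOS' signature, flags byte 0
    block[8:12] = struct.pack(">I", 880)          # root block of a DD floppy
    block[12:16] = bytes.fromhex("4EF800C0")      # placeholder code: the page's JMP C0 opcode
    return bytes(block)


if __name__ == "__main__":
    sample = make_sample_bootblock()
    print("stored ok before fix:", checksum_ok(sample))
    fixed = fix_checksum(sample)
    print("stored ok after fix: ", checksum_ok(fixed),
          "total = %08X" % rom_total(fixed))
```

Run it against a block dumped with the AR 'RT' command (or a raw ADF's first 1024 bytes) to confirm the block the ROM will see is the one you intended; a single flipped byte anywhere in the block changes the folded sum and fails the check.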

Write track back: 'WT 0 1 70000'

When the screen turns blue, press LMB for the trainer or RMB for a normal game. During play, press RMB to toggle energy on/off. During play, the energy meter will start to decrease at some point, even though the trainer is on.
This is not a problem, as you will NOT die when it indicates no energy.
Game has been tested until completion.

Dedicated to sweet sweet Victoria.
Rob

