ZX Format #03
29 February 1996
Programmers - Adapting games: immortality.
A guide for the petty mischief-maker, or HOW TO BECOME IMMORTAL

(C) Rzhavelschik (A.A.M.) 1996
________________________________

So, you have successfully copied the game to disk. But after hacking away at it for four hours you conclude that if only there had been more attempts, the joystick would of course still be alive and the Galaxy saved. From this follows a conclusion as simple as a cluster neutron warhead: your dirty work is not finished yet. You will have to load the monitor again and run hungry eyes over the program's kilobytes.

Here Scorpion owners have a huge advantage, because they can operate on the live game and see the result at once. Everyone else first has to get past the barrier of decompression and XOR-ing (i.e. view the game as it is while it is running). You can use a MAGIC-button dump and the program @-CRACK (the resulting file may well not run as a game, but that is not required: it only has to be viewable). If the loader is in BASIC, replace the last RANDOMIZE USR with a jump to the monitor. Owners of 48K machines will have the hardest time (surely there are still 48Ks with a disk drive?); I advise them to use a MONS-type monitor that sits in the screen area.

So, let's begin. First, make the diagnosis. Suppose we have established that the game suffers from acute life deficiency. Then we choose the treatment: increasing the initial resources, or removing the subtraction routine (know when to stop, or you can overdo it and, instead of infinite energy, end up with, for example, a BATTLE COMMAND in which the tank drives safely through every object, so that you finish the game in 5 minutes and throw it away).

By the way, the search for immortality is the best way to learn assembler, but if you do not know the subject at all it will be hard going. So write down and remember the basic instructions you will need to watch for.

    Code           Mnemonic        Meaning
    #3E,#DD        LD A,#DD        register A = #DD
    #32,#DD,#DD    LD (#DDDD),A    equivalent to POKE adr,A
    #3A,#DD,#DD    LD A,(#DDDD)    LET A = PEEK adr
    #21,#DD,#DD    LD HL,#DDDD     ---
    #D6,#DD        SUB #DD         A = A-#DD
    #3D            DEC A           decrement A: A = A-1
    #3C            INC A           increment A: A = A+1
    #35            DEC (HL)        decrement and increment, respectively,
    #34            INC (HL)        of the memory cell whose address is in HL

(#DD and #DDDD stand for any one-byte and two-byte number.)

Next come the instructions CALL adr, JP adr and JR adr: respectively GO SUB adr and GO TO adr. The last two differ in how the address is given: in JP it is written directly, in JR as an offset of a certain number of bytes. These are unconditional jumps. There are also conditional jumps, where the jump happens only if a certain condition holds. The condition is the state of the corresponding bit of register F, a "flag". Two flags are used most often: Z, the zero flag, and C, the carry flag. The zero flag is set if a calculation gave a result of 0. The carry flag is set if, for example, a larger number was subtracted from a smaller one (0-1). The instructions are written accordingly: JP Z,adr and JP C,adr jump if the flag is set, JP NZ,adr and JP NC,adr jump if it is clear. A flag reflects the result of the last operation that affects it. Jump instructions do not affect the flags.

Got that? Then on we go. Say you want to freeze a parameter that is defined by a specific number, the number of lives for example (if a parameter is shown on screen as a bar, its numeric value is hard to determine). Write down the number of lives and all other numeric parameters, and also all on-screen messages, preserving their case (upper-case letters have different codes from lower-case ones). Now load the game in its working form and start the monitor. Every game sets its initial parameters at the start: number of lives, energy, time and so on. So begin by searching for the initial setup routine.

The simplest approach: search for a sequence of the form #3E NN #32, which reads as LD A,NN : LD (addr),A, where NN is the number of lives. That is, the number of lives is stored at address addr. Take REX1 as an example. It has 4 lives and 99 units of protective field. The combination #3E #04 #32 occurs there more than once. Having found it, examine the surrounding area for the initial settings of other parameters. Inspection shows that the most suspicious place is the address where the following is located:

    LD A,#04
    LD (#A063),A
    LD A,#02
    LD (#A06C),A
    CALL #BA49
    LD A,#63        <- #63 = 99!
    LD (#A04D),A

This is obviously the initial setup, because it sets not only the number of lives but also the protective energy (99 units). Next, search for references to address #A063. Remember one thing: in code the low byte of a number comes first (if the number is two-byte), i.e. look for the combination #63,#A0. References to this combination occur 5 times. Only those that modify the contents of memory at this address matter to us. There is only one such fragment:

    LD A,(#A063)
    DEC A           <- #9C79 = 40057
    LD (#A063),A
    CP #FF
    JP Z,#9C..

Here we see that if the number of spare lives drops below 0, a jump to another address is made. The place is suspicious enough that you can already try this address (e.g. put POKE 40057,0 in the loader before the last RANDOMIZE USR). For a final verdict, look at what is at the destination of the jump on Z. There we see:

    LD HL,#AAED
    LD B,1
    CALL #A13E

Remember that a combination of this kind is typically used to print messages. Look at the dump at #AAED. There are 3 bytes of control characters and the text "GAME OVER". Verdict: the suspect is guilty of the deprivation of life and is sentenced to correction by replacing DEC A with NOP (i.e. 0). That is all. You are immortal.

This routine could also have been reached starting from the GAME OVER message.
It is done like this: find the address of the message (i.e. the address in memory where the ASCII codes of the message begin), then search for references to it. If no reference to that address is found, search for references to the address 1 less. In this example the address is shifted back by three bytes. Having found a (meaningful) reference to the address, find the start of the routine that contains it, then search for references to that routine's entry address. The life-subtracting routine must lead to the printing of the message that there is nothing left to subtract (in this example, GAME OVER).

If you like, you can make life even easier by installing infinite protection. Search for references to address #A04D (4D A0). It too is mentioned more than once. The routine that clearly decreases the contents of memory at this address is again the only one:

    LD A,(#A04D)
    SUB L
    JP C,#99EF
    LD (#A04D),A    <- #99E8 = 39400
    CALL #99FA
    RET

SUB L subtracts the contents of register L from A. Experience shows that in this situation it is easier to remove the write of the new value to memory, for example by replacing #32 with #3A (this will not cause faults in the program). Then at #99E8 there will be LD A,(#A04D). Or you can replace the address with an address in the ROM area: it is enough to zero one byte of the address (POKE 39402,0). The latter takes less space in the loader line, so it is preferable.

As a further illustration, consider another example: ARCANOID-2. At first glance the game gives three lives, but a search for 3E 03 32 yields a suspicious address: #9DE4. If we search for references to it, we find a routine that changes the contents of the cell at this address, but does so in a very strange way:

    LD A,(#9DE4)
    SRL A
    INC A
    LD (#9DE4),A

This is clearly not a decrement by 1, and besides, there is no condition check. The assumption is that the number of lives is not 3.
Look at the game carefully: before every launch of the ball one attempt is subtracted, which means this also happens at the start of the game, so there are actually 4 lives. Search for 3E 04 32: there are two matches, and both look like initial setup. Two addresses come under suspicion: #7F86 and #7815. Next, search for references to the suspects. #7F86 is mentioned 3 times (not counting the initial store), including:

    LD HL,#7F86
    INC (HL)

which looks like the addition of one life, and:

    LD HL,#7F86
    DEC (HL)        <- #926C = 37484
    JP NZ,#82DC
    JP #FC7B

This combination is quite suspicious and worth trying. When DEC (HL) is used, it must be replaced with OR (HL), code #B6 = 182. A check showed that the address is correct (verify it yourself).

If you already understand everything, reset the machine and go into battle. For everyone else, here are some practical tips:

When searching for references to messages, be patient: sometimes you have to step back quite far. For example, in one tape version of HERO QUEST I had to step back from the message by as much as 14 bytes.

Sometimes messages are printed from a table; then the print call is given the start address of the table and the message number (look closely at REX1, it is done that way there).

Sometimes a message is printed by a routine that sits right in front of the text. In this case the address of the message is not specified, but then that routine must precede every individual phrase.

Sometimes there are phenomenally illiterate games with a whole set of almost identical energy-draining routines (STORM HAWK, LICENSE TO KILL). As a rule, there is one routine per kind of danger.

Do not shy away from brute force: if nothing else works, locate all the suspicious places and freeze them one by one.

Try to find an easy way. Always look through a full dump of the program: sometimes you come across secret codes and passwords.

At different stages of loading, poke at the keys: sometimes the hackers who made the version build in a hidden CHEAT MODE. For example, in 48 irons you need to press and hold, from the start until the end of loading, the keys that make up the name of the group SEPULTURA, and in DIZZY Y (free copy), FCM while the second part loads.

When DEC A is used for the subtraction, it is best to wipe it out. If it is DEC (HL), it is better to replace the address; the instruction itself can only be changed to OR (HL) (code #B6 = 182), otherwise you will get GAME OVER immediately. When SUB dd is used (usually SUB 1), replace the argument with 0 (giving SUB 0).

If you are not sure of the number of lives, try both numbers.

Sometimes programs use protective measures, such as checking the state of the main routines, or duplicate routines that sometimes look quite innocent, whereas the "dummy" one literally screams about itself.

The hardest case is when there is no obvious assignment routine and no message (e.g. Silk Worm). In this case you can dump the game with different numbers of lives and find the counter's address by comparison. Or, on the ZS256 only, use the monitor's move and ch. commands (move a piece of the game into extra RAM and compare the values at different moments).

When a value is shown on screen as a bar (fuel, for example), it may change in a way that is not what it seems. In TRANTOR, for instance, energy is not subtracted but added.

One last thing: remember that assembler is a set of instructions, and a value can be written to memory in different ways (via the index registers, via LDIR, via the stack, etc.).

P.S. The above information is not intended to be exhaustive, but it will greatly help you take the first steps on the hacking trail. Doing this blindly is extremely difficult, I know from personal experience. I have not seen "Benefit for hackers", published in hard copy, and it is the only book on this topic that I have come across. The main advice is one: learn assembler, and then no program will stand before you.
By the way, take note: games from the same company usually have an almost identical structure.

P.P.S. Perhaps the most interesting trick is in XONIX (in one of ours): there the number of lives is determined by the code of the digit printed on the screen (its ASCII code).
________________________________
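
The REX1 and ARCANOID-2 searches walked through above, as an added Python example that is not part of the original article: it scans a memory image for the #3E NN #32 setup pattern, lists references to the counter address (low byte first), and reports the byte the article says to change. The function names, the 0x8000 setup address and the two images (constructed only from the fragments quoted in the article) are assumptions of this example.

```python
LD_A_N, LD_MEM_A, LD_A_MEM, LD_HL_NN = 0x3E, 0x32, 0x3A, 0x21
DEC_A, DEC_HL, NOP, OR_HL = 0x3D, 0x35, 0x00, 0xB6

def pair(addr):
    return bytes([addr & 0xFF, addr >> 8])   # low byte first, as in code

def find_initial_stores(mem, value):
    """LD A,value : LD (addr),A  ->  [(instruction address, addr), ...]"""
    return [(i, mem[i + 3] | (mem[i + 4] << 8))
            for i in range(len(mem) - 4)
            if mem[i] == LD_A_N and mem[i + 1] == value and mem[i + 2] == LD_MEM_A]

def find_references(mem, target):
    """Every lo,hi occurrence, with the opcode byte in front of it named."""
    names = {LD_MEM_A: "LD (nn),A", LD_A_MEM: "LD A,(nn)", LD_HL_NN: "LD HL,nn"}
    image, refs = bytes(mem), []
    pos = image.find(pair(target), 1)
    while pos >= 0:
        refs.append((pos - 1, names.get(image[pos - 1], "?")))
        pos = image.find(pair(target), pos + 1)
    return refs

def suggest_poke(mem, target):
    """Find the decrement of (target); return (address, new byte) or None."""
    image, t = bytes(mem), pair(target)
    pos = image.find(bytes([LD_A_MEM]) + t + bytes([DEC_A, LD_MEM_A]) + t)
    if pos >= 0:
        return pos + 3, NOP        # DEC A -> NOP
    pos = image.find(bytes([LD_HL_NN]) + t + bytes([DEC_HL]))
    if pos >= 0:
        return pos + 3, OR_HL      # DEC (HL) -> OR (HL)
    return None

def sample(fragments):
    """Constructed 64K image: zeros plus the fragments quoted in the article."""
    mem = bytearray(0x10000)
    for addr, hexbytes in fragments.items():
        code = bytes.fromhex(hexbytes)
        mem[addr:addr + len(code)] = code
    return mem

# 0x8000 is assumed; #9C76 and #9269 put the DECs where the listings have them.
REX1 = sample({0x8000: "3E043263A0 3E02326CA0 CD49BA 3E63324DA0",
               0x9C76: "3A63A0 3D 3263A0 FEFF"})
ARCANOID2 = sample({0x8000: "3E0432867F", 0x9269: "21867F 35 C2DC82 C37BFC"})

if __name__ == "__main__":
    for mem, counter in ((REX1, 0xA063), (ARCANOID2, 0x7F86)):
        print(find_references(mem, counter), suggest_poke(mem, counter))
```

On the constructed images the suggested pokes are 40057,0 for REX1 and 37484,182 for ARCANOID-2, the same values the article arrives at by hand.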