ZX Power #03
31 December 1997
Likbez - Recovering programs by searching for the start address, and by re-cracking.
RECOVERING PROGRAMS (continued; the beginning is in ZX Power #2)
(C) 1997 Alexander Desyatnichenko
_________________________________________

6. Recovering programs by searching for the start address.

Of course, finding the old loader in a cracked game and using its data to restore the game is simple enough. But this happens rarely, usually only in the very oldest games. Newer programs, once loaded, occupy the whole of the computer's memory right up to the last byte at 65535, and naturally you will not find any old loader in them. What do you do in that case? If you have been digging around in game programs for a long time, whether looking for infinite lives or looking for interesting algorithms, you have probably noticed that many programs resemble one another, meaning the structure of the program. Usually one place holds the text messages, another the graphics, a third the routines ending with the instruction RET, and of course somewhere all these routines are called with CALL from the, so to speak, main connecting program. Since such a program exists, somewhere in it there is also a beginning: the address from which the game starts after you jump to it from the BASIC loader with RANDOMIZE USR. So why not try to find this place yourself and start the program from it? That is in fact how an incorrectly cracked game is often restored. What does the beginning of a program look like in assembly language? Usually every game starts by disabling interrupts, setting up the machine stack, clearing the screen and setting the BORDER colour, followed by displaying the game menu, building tables, setting IM 2, starting the music and so on. Here is an illustrative example:

        DI
        LD   SP,32768
        SUB  A
        OUT  (#FE),A

This is how the program TURBO-BOAT begins (as you know, it starts from address 32768). The beginnings of most restorable programs look roughly like this. It also happens that the main program starts immediately with a chain of subroutine calls through numerous CALLs; that is obvious at once.
Do not be afraid to experiment, especially if you can quickly reload from disk: write down all the "suspicious" addresses and try starting the game from each of them. Besides the start address, you will also find entry points into various routines that will interest you from the point of view of how one algorithm or another is implemented, and you will then be able to use them in your own programs. This method is of course also suitable for other purposes, for example for breaking heavily protected programs. Why, indeed, crack loaders at all? Only to find the load address and the start address of the game! So you can leave the loader alone altogether, just get hold of the code file and find its start address! You will say: fine, the start address can be found, but what about the load address? Believe me, that is possible too. You have seen the cassette version of the game RAINBOW ISLANDS, whose loader deterred most people by its length alone! It is nothing special, just an almost standard OCEAN loader from which only the copy protection of the loader itself was removed. So, when I did not yet have a disk drive, I skipped the loader and worked out the addresses by viewing the code file in just half an hour. And if you need to find the load address of the code in a MAGIC file on disk, there is no problem at all: looking at it with DISK DOCTOR or STS you can immediately tell where there is useful information and where there is empty space, and cut accordingly. The machine stack can also help you find the start address. After all, before being cracked the program had time to run and perform certain operations; digging through the stack you can try to determine what it did and find the place in the program from which to "dance on". By the way, some games circulate in a half-restored state, for example THE SCEPTRE.
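The search for "suspicious" start addresses described above can be mechanised. The following is an added example, not code from the article: it scans a ZX Spectrum RAM image for the start-up prologue the text describes (DI, then LD SP,nn, XOR A / SUB A, OUT (#FE),A, IM 2, LD I,A within a few bytes) and lists candidate addresses. The memory image is constructed, and the load origin ORG and the opcode subset are my assumptions.

```python
# Added example, not from the article: a heuristic scan of a ZX Spectrum RAM
# image for the kind of start-up prologue described above (DI, then LD SP,nn,
# XOR A / SUB A, OUT (#FE),A, IM 2, LD I,A within a few bytes). The memory
# image is constructed here; ORG and the opcode subset are my assumptions.
ORG = 16384  # image covers RAM 16384..65535 (the 48K area)

# opcode bytes -> (instruction length, mnemonic); a small subset is enough
SETUP_OPS = {
    (0x31,): (3, "LD SP,nn"), (0xAF,): (1, "XOR A"), (0x97,): (1, "SUB A"),
    (0xD3, 0xFE): (2, "OUT (#FE),A"), (0xED, 0x5E): (2, "IM 2"),
    (0xED, 0x47): (2, "LD I,A"), (0x3E,): (2, "LD A,n"),
    (0x21,): (3, "LD HL,nn"), (0x32,): (3, "LD (nn),A"),
}

def decode_setup(mem, pos, limit=24):
    """Decode forward from pos, stopping at the first opcode not in SETUP_OPS."""
    found, end = [], min(pos + limit, len(mem))
    while pos < end:
        key = next((k for k in SETUP_OPS if mem[pos:pos + len(k)] == bytes(k)), None)
        if key is None:
            break
        length, name = SETUP_OPS[key]
        if name == "LD SP,nn":   # show where the game puts its stack
            name += " ; SP=%d" % (mem[pos + 1] | mem[pos + 2] << 8)
        found.append(name)
        pos += length
    return found

def find_start_candidates(mem, min_score=2):
    """Return [(address, mnemonics)] for each DI followed by enough setup code."""
    out = []
    for i, b in enumerate(mem):
        if b == 0xF3:                       # F3 = DI
            ins = decode_setup(mem, i + 1)
            if len(ins) >= min_score:
                out.append((ORG + i, ["DI"] + ins))
    return out

# Constructed 48K image: filler bytes are never F3, so only planted code matches.
RAM = bytearray((i * 7 + 3) % 0xF0 for i in range(65536 - ORG))
def plant(addr, code):
    RAM[addr - ORG:addr - ORG + len(code)] = code
plant(32768, bytes([0xF3, 0x31, 0x00, 0x80, 0x97, 0xD3, 0xFE]))          # TURBO-BOAT style
plant(40000, bytes([0xF3, 0x3E, 0x3B, 0xED, 0x47, 0xED, 0x5E, 0x31, 0xFF, 0xFF]))
plant(50000, bytes([0xF3, 0xC9]))                                        # DI ; RET: not a start

if __name__ == "__main__":
    for addr, ins in find_start_candidates(RAM):
        print(addr, " ; ".join(ins))
```

Each candidate still has to be tried by hand, exactly as the text advises; the scan only shortens the list of addresses to try.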
If you look at how it starts, you will see that the processor registers are loaded with data the cracker took from the stack, and then it does a JP to an address obtained in the same way, so the program still does not start from the beginning but from the place where it was once stopped. And one more very interesting point: the R register. As you can see, it is restored nowhere! Yet some games are quite sensitive to it. For example, if you JP to the start address of the game A.M.C. with a large value in the R register, then the same weapon will always drop from the crates, and by the "law of meanness" the most useless one. If it is zero, everything is in order: each crate gives something different. And in games by the firm OCEAN, with a large value in R before the start, first no enemies appear at all and then suddenly they come in droves, and the same with ammunition: first none drops at all and then suddenly all of it at once in one place. In other words, if you want a restored program in which the course of the game is chosen randomly, i.e. depending on the value of the R register (I think you can guess how to find this out: restart the game several times and see whether the same thing always happens in the same place, or something different each time), to work properly, then before the JP to the start address reset the R register or try putting a different value in it. Some coders will say that between the start and the place where the game depends on R the register can run through more than a dozen cycles... Well, try experimenting and you will surely see a lot of interesting things. Apparently the game authors used everything they could; who knows, maybe nobody can finish ELITE because R does not hold what is needed...

7. Recovering programs by re-cracking.

This method is based on the well-known saying "you cannot spoil porridge with butter".
It has already been shown how many times games get re-cracked as they wander from one system to another. So, if you press MAGIC again at the same place where the Multiface button was once pressed, you will do the game no harm, but you will make your own job much easier. You only need to remember that this button spoils a few cells in the system variables, so if there was valuable information there, this must be taken into account. Such re-cracking is sometimes simply indispensable. For example, when restoring the games HYPER ACTIVE and SOLOMON'S KEY I tried to view the code blocks in a disassembler, and instead of the usual routines and text messages there was solid gibberish. It was simply that when these programs were cracked the Multiface button was pressed at a moment when the game had already loaded but the original multi-stage protection (the so-called "xorka", an XOR encoder) had not yet finished decoding the main code block. To avoid unravelling the decoder by hand (which may be impossible in such a case), I had to take the badly cracked program, let it start completely, and only then press MAGIC. And one more thing. If 48K-128K programs are cracked on a machine with a disk drive, then why not use the same technique for restoring programs too! After all, we have at our disposal the lovely 128K disassembler STS, which has great capabilities. With this program you can load a whole MAGIC file into the computer's memory, view it, make any changes, and then save it to disk either whole or in pieces. This removes the need for repeated loading and saving and cutting and pasting of the main game code block. But this can be done on a 48K machine too, if you fit it with a firmware containing a so-called "shadow" monitor, about which much has been said lately. So, while restoring programs, sooner or later you will come across a game that occupies all of the computer's memory. How do you save such a block, and how do you then load it back?
Clearly, using STS on a 128K machine you will have no problems with this, but if someone is going to suffer restoring programs within 48K, they will have to do something like what the Polish hackers once did: loading and saving separately a long block from CLEAR upwards and a short block 1204-2048 bytes long. You have probably seen that many restored programs load a small code block of 1704 or, say, 1204 bytes into the end of the screen area (shaded black), and then a small native routine moves these bytes to address 23296. You can start by trying to do the same. I would ask experienced hackers and coders not to laugh at my detailed explanations of such basic, sometimes simply lamer, things, because my main aim is for many users to take up coding by the route "from the simple to the complex": first the simplest LDIR in a restored game, and then maybe the person will want to try writing something himself... In turn I would like to remind them that if you have undertaken to restore a game, please also remove everything superfluous from the crack: stack fragments cluttering memory, data moved elsewhere with LDDR, old tails at the end of memory, old system variables and the BASIC area, stack values and then the stack itself in the picture... Let your restored game look original from the inside as well, because sooner or later someone will want to see how you restored it. And I very, very much ask you not to change the text messages: fans like to inflate the year, put greetings in place of the authors' names, and distort the word CHEAT.

8. Other recoveries.

When restoring a game you may face other difficulties. Thus, looking through the listing of the game ELVEN WARRIOR you can find the old loader, from which it follows that the game loads in three blocks: the loading screen, the main block and the music for the coprocessor. Well, with the screen and the music everything is clear: in this case they are not restored, but the game itself you can try.
It would seem everything is simple: pull out of the MAGIC crack a block 32768 bytes long starting at address 24576 and run it from address 33024. Alas, not quite. There is a lot of rubbish on the screen and the game does not work. Let's look at what happens at launch. Yes, there are a lot of "bloat" transformations in the computer's memory immediately after loading: before displaying the game menu the program modifies memory itself, codes are transferred from one place to another, data is written into memory cells, etc., while at the same time the parts of the program where useful information used to be are overwritten, that information having already been thrown by LDIR into other areas of memory. Of course, if you now save a file of the above length and then start it again from the old start point, it will perform all these conversions again, transferring other information that now sits in the same place. Such games can be restored either by dealing with all these transfers and putting all the information back where it must be before the start of the game, or by saving all the memory used and removing the transfer and transformation commands, pretending that they have already happened. Incidentally, the above example can be used for a new, original protection. For example, your program loads, runs and immediately destroys part of itself, the part that has just executed and is no longer needed; now nobody will find the loose ends in your program. And about ELVEN WARRIOR: I was very depressed by the fact that this and some other games (SCEPTRE OF BAGDAD, REBEL STAR 2, etc.) have been translated into Russian ... in unrestored (!) form. Now a little about restoring graphics. After the game CURRO JIMENEZ was restored it turned out that all the game action takes place in the middle of the screen while the rest of the screen is black; the question naturally arose that during the game the screen was probably framed by nice static graphics in the form of a border.
When I carefully examined the scraps of the game menu available in the game and dumped it to the screen without attributes (6144 instead of 6912 bytes), a carefully drawn black-and-white frame was clearly visible on the screen. It only remained to colour it and show the control selection menu inside it. Spoiled static graphics are treated fairly simply. You need to find the place in the program where they are stored (which can be determined by looking at all the transfers addressed to the screen area), save them, correct them in a graphics editor and put them back. Sprites are a different matter, especially ones that work with a mask; to restore them you cannot do without special software such as SCE or SPRITE TOOLS. About multi-load games. Many of them were cracked when the first level had already been loaded into memory. After restoration such a program goes straight into the game without requiring any loading, since the level is already there, as the game's internal system variables indicate. That is how we got RICK DANGEROUS 2, STRIDER and many other games in which the first level is present twice: in the game, and on the tape or disk immediately after the game. Naturally, if you want to restore everything as it was, you can try removing this level from memory and making the appropriate changes to the program's system variables. Errors also often occur inside levels, for example in the graphics contained in them. Most people also still have to deal with restoring the 48/128K mode. After all, many games were released universal, working with either amount of memory. The determination of the computer type (48/128K) was done from the loader, and if it was a 128K machine the game had to finish loading additional blocks of music, graphics, fonts, etc. into other memory pages. In addition, a certain value was written into a designated memory cell. During operation the program referred to this cell and behaved accordingly. Of course, if a game was cracked in 128K mode, then after such a crack it cannot work on a 48K machine, and vice versa.
This applies especially to games by the firm CODEMASTERS. Thus, for example, such games as KAMIKAZE, PANIC DIZZY, NINJA MASSACRE, COLUMBUS JUMBO 1, 2, SLIGHTLY MAGIC and others became widespread working only on 128K computers, although they were released universal. Virtually all original CODEMASTERS loaders checked the machine type and wrote a "mark" about it into a separate dedicated memory cell. When the game itself starts it refers to that cell, and if it holds the value corresponding to 128K, access to the other memory pages is permitted and the game is accompanied by extra music and graphics; but if your computer has only 48K, all this is ignored and the game runs as usual. Thus, if your game is for 128K and refuses to run on 48K, first of all check which cell it refers to and what is there. If such a reference exists, then you only have to organise from the loader a check of the computer type, write the corresponding value into the required cell, and accordingly load or ignore the additional blocks. The checking routine might look something like this:

        XOR  A              ; write zero into #C000
        LD   (#C000),A      ; in the main page
        LD   A,#17
        LD   BC,#7FFD
        OUT  (C),A          ; try to select an additional page
        LD   (#C000),A      ; write the number #17 into cell #C000
        LD   A,#10
        OUT  (C),A          ; select the main page
        LD   A,(#C000)      ; read from #C000
        CP   #17            ; #17 here if we have a 48K machine,
                            ; 0 if a 128K machine
        JR   NZ,LOOP
        XOR  A              ; zero in the accumulator is the constant for 48K
        JR   LOOP1
LOOP    LD   A,#FF          ; #FF is the constant for 128K
LOOP1   LD   (23627),A      ; put the computer type constant
                            ; into a system variable
        RET

Now, when this routine has finished, the main program will find in cell 23627, as previously arranged, the value corresponding to the type of machine.
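To make visible why the routine above distinguishes the two machines, here is an added example (not from the article) that models it in Python: a 48K machine has no paging hardware, so the OUT to port #7FFD does nothing and the #17 is read straight back; a 128K machine puts the #17 into page 7, so page 0 still holds the zero. The Spectrum class and its behaviour on #7FFD are my assumptions, simplified to what the check needs.

```python
# Added example, not from the article: a minimal model of the 48K/128K check
# routine given above. Assumptions: a 48K machine ignores writes to port #7FFD;
# a 128K machine maps the RAM page selected by bits 0-2 of the value written
# to #7FFD at #C000-#FFFF. Only the part of the hardware the check touches
# is modelled.
class Spectrum:
    def __init__(self, is_128k):
        self.is_128k = is_128k
        self.pages = [bytearray(0x4000) for _ in range(8 if is_128k else 1)]
        self.page_at_c000 = 0        # page 0 is mapped at #C000 after reset

    def out_7ffd(self, value):
        # On a 48K there is no paging hardware: the OUT has no effect.
        if self.is_128k:
            self.page_at_c000 = value & 0x07

    def poke(self, addr, value):
        assert 0xC000 <= addr <= 0xFFFF, "only the paged area is modelled"
        self.pages[self.page_at_c000][addr - 0xC000] = value

    def peek(self, addr):
        assert 0xC000 <= addr <= 0xFFFF, "only the paged area is modelled"
        return self.pages[self.page_at_c000][addr - 0xC000]

def detect_machine(m):
    """Mirror of the routine: returns the constant it stores at 23627."""
    m.poke(0xC000, 0x00)        # XOR A / LD (#C000),A   zero in the main page
    m.out_7ffd(0x17)            # LD A,#17 / OUT (C),A   try to select page 7
    m.poke(0xC000, 0x17)        # LD (#C000),A           #17 into #C000
    m.out_7ffd(0x10)            # LD A,#10 / OUT (C),A   back to the main page
    value = m.peek(0xC000)      # LD A,(#C000)
    # CP #17: the #17 is still visible only if the paging never happened
    return 0x00 if value == 0x17 else 0xFF   # 48K -> 0, 128K -> #FF
```

Note that on a 128K the routine leaves the byte #17 at #C000 in page 7; the check does not restore it.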
Recently much work has been added for those who restore these modes in games, because some hackers, apparently ignoring the interests of 48K users, deliberately make universal 48/128K games (The FLINTSTONES, LED STORM, YOGI BEAR GREAT ESCAPE and many others) 128K ONLY. And it is even worse when two 48K games are combined into one 128K game (PHANTOM F4, MORTADELO Y FILEMON 2, etc.), or various nonsense is added that stretches the game to the full 128K, as was done with SATAN. I very kindly ask these fellows not to spoil games any more!

To be continued ...
_________________________________________