Coding a Trainer

[redblade]

Hi.

I've seen alot of articles out there on cracking, but.. I am a bad looser, and I do like finishing games, "the ends more then justifies the means". So I was wondering what is involved.

I have the arc3 rom for UAE, and I have ARC4 rom by Paradox for the Amiga 1200.

I can find the address for lives etc. But how do I find the one for invincibilty, ie the routine so that when I do get hit, it just does a NOP or something.

Then also how do I put that information and code a trainer. Because wouldn't the address of the Lives, ammo etc change each time, unless the game used Fix addressing, which is frowned upon...

[Codetapper]

Firstly try and locate the life counter and then find all references to that address. The instruction used to decrement a life is often used by all other parts of a game, so if it was a sub.w #1,$xxxx then that is most likely to also be used to decrement energy/time aswell.

The opcode you can search for quickly is $5379. Usually you will find about 30 of these in a game (maximum) so you can experiment by changing a few and seeing what happens!

Other tips are that games often setup all the variables in one place when you start and often they are all together. So you will get a bunch of stuff like this:

move.w #3,$1234
move.w #50,$1236
move.w #5,$1238

That might be setting up number of lives, energy and grenades for example. If you find that $1234 is the life counter, look for places where it is set to the initial value (in the case above 3) and then sniff around the routines that set it to 3. You will often find everything is setup there - level, grenades, bombs, energy, timers etc etc

[redblade]

[The opcode you can search for quickly is $5379. Usually you will find about 30 of these in a game (maximum) so you can experiment by changing a few and seeing what happens!

Thanks for that and the other tips. I'll start ripping into the games. But what about setting up the code for the trainer.

Do I hijack _LVOForbid like a virus so that when it calls that it starts my program ?!?!?. Because I don't really want to ReSOURCE the game. or do I use one of those programs that turns the code to words, and then label the routines I want to modify ......

[Codetapper]

Firstly the majority of Amiga games use fixed addressing so no, the addresses don't move around.

I would suggest you stay away from Dos games because they are much more difficult to train cleanly. You basically have to know the offsets in each hunk of the file that need modification and follow the chain of hunks to find the one to alter.

A lot of the time the trainer guys actually modify the file itself, changing say sub.w #1,$1234 to a jsr $100.w and at $100 you copy your code which checks if the trainer is on, if so returns, otherwise emulates the code by subtracting one.

Hijacking _Forbid is *not* recommended either, LoadSeg would be the one you want for Dos games and for NDos games you don't need it.

And you should learn to walk before you can run - try and write a program to display some text with function keys to toggle the trainer options before you get too carried away with these virus like activities!

[redblade]

A lot of the time the trainer guys actually modify the file itself, changing say sub.w #1,$1234 to a jsr $100.w and at $100 you copy your code which checks if the trainer is on, if so returns, otherwise emulates the code by subtracting one.

hmm, first I better learn how to master this Action Replay cart, I've managed to find the lives in the AF demo of First samurai, but can't find the energy. Are there any tutorials for the ARC?!?!.

I did have trouble finding the rockets and grenades on Cannon Fodder 2 by Sensible Software.

I did Ts 4
found xxxx
shoot rocket
t 3
no results found etc.

[andreas]

Sorry for jumping in, but what's the matter with all those ntsearch.com links in your posts?
I even linked to this site, and it looks a bit like this multisearch sites "introduced" to your IE by "spy master" LOP.COM. Very unnecessary, frankly spoken.

Note that on RCK's forum, you *must* use vBulletin code and cannot use HTML (for security reasons, mind you).

[Codetapper]

Be aware with a lot of games (particularly Dos games and games that use 1Mb) that the load address will move around the place, so even if you find that $c24576 is the life counter, that won't help much as you must know the offset from the start of the loaded file.

Some other tips:

If you start with 5 lives, there is most likely a moveq #5,dx or move.w #5,$xxxxxx instruction. Try searching for that and in the same chunk of code you will often find initialisation for the start level, energy, time, grenades, sausages, ducks, gloves, pukeko's etc...

Search for decrement instructions like subq.w #1,d0 and sub.w #1,$xxxxxx to locate parts of the game that are counting down. Most games seem to have about 30 or 40 maximum.

[redblade]

Yeah sorry Andreas, I might get banned for mentioning this but I use windows xp on my laptop as I havn't/struggling to get FreeBSD running 100%. And I don't have a virus checker installed so yeah, my IE got hijacked (that word might trigger of us .gov computers ). and it totally started ruining my websurfing experience untill i finally removed it.

Thanks for the xtra advice Codetapper, I found the ARC 3 manual in .pdf format from atomic cabbage, and has lots of examples for the training commands which will help alot for now.

It also has a nice disclaimer to not remove protection from copyright games ehehehe.

[musashi9]

here is a little trainer code for you to try and experiment with
get a hold of a copy of MagicPockets EU version
it has to be the EU version either the 'Skidrow' cracked or EU CAPS release
the date on bootblock will be 8:09:91
load up the game to level one ,do your normal trainer search with action replay to get the values that we need changing

for this example we will use level skip

on level 1 press your action replay button / or Page up on Emu
the address points for level skipping is
001d7d
you can experiment with this by typing
M 001d7d
you will have somethign like this
;001d7d 00 00 03 00 03 00 90 ...ect...
change the first 00 to 47
now exit action replay and you will be instantly transported to the next level

but you dont want to have to use action replay everytime u want to skip a level

so now we find some active code to alter like code tapper said

we shall use the address 006BDA
dissasemble this address by doing this d 006BDA and we will see

~006BDA MOVE.B D0,3D5(A1)
remember this!
now lets alter this
type
A 006BDA
then enter this
JSR AF0.S

this will jump to address 000AF0 (empty space not used by the game) ,and at this address we will need to replace the code we changed
so type
A 000AF0
MOVE.B D0,3D5(A1)

but also add our little level skip patch so after MOVE.B D0,3D5(A1)
type
CMPI.B #28,d0
bne b00
move.b #47,00001d7d.s
rts

so it should look like this

A 00AF0
^00AF0 MOVE.B D0,3D5(A1)
^00AF4 CMPI.B #28,D0
^00AF8 BNE 0000B00
^00AFA MOVE.B #47,00001D7D.S
^00b00 RTS


the CMPI.B #28.d0 is telling the amiga to wait for the key 'L' to be pressed

the BNE is saying if its not pressed goto 00BOO which is a RTS returning back to the game code

the MOVE.B #47,00001d7d.s is putting 47 at address 001d7d like what we done at the start of this tutorial but insted of using the action replay every time we want to skip a level all we do now is press L when playing
so try it

(note you must press fire button once for this to work)

you can also experiment with this its good fun
for instance insted of putting a 47 try any number you want
i put 34 and it gives me a bike
so in our patch insted of typing 47 change it to 34 and insted of typing 28 for the letter 'L' type 35 for the letter 'B' for bike
but be carefull changing these number values could crash the game

[redblade]

From what I read from your post I take it that the adress you told me to edit was when the game was reading comparing the key press to see if you hit the pause key ?!?!
now that seems like a good idea, throwing a jsr in the Read the pause key routine once I get up to the enable in game keys for level skips etc etc.

Any quick hints about finding the jump loop, to jump that extra bit higher? would be nice to do in some of the coverdisk demoes i have.

[BippyM]

Quote:

Originally Posted by musashi9

here is a little trainer code for you to try and experiment with
get a hold of a copy of MagicPockets EU version
it has to be the EU version either the 'Skidrow' cracked or EU CAPS release
the date on bootblock will be 8:09:91
load up the game to level one ,do your normal trainer search with action replay to get the values that we need changing

for this example we will use level skip

on level 1 press your action replay button / or Page up on Emu
the address points for level skipping is
001d7d

<SNIP>

So how did you go about finding the address for the level skipper etc?