Game hacking - but using modern tools

[Spec-Chum]

Wasn't really sure where to put this, but it's more related to asm I think, so I'll put it here.

Back in the late 80s/early 90s I used to love hacking games on my humble ZX Spectrum, I wasn't very good as I didn't have the right tools, or knowledge, at the time but more recently, with the help of emulators I've got back into it and it's great challenging fun.

I do confess to cheating somewhat tho, as modern Speccy emulators do have very comprehensive debuggers, far exceeding the software, and even hardware ones of the time (multiface).

I'd like to try the same with the Amiga, again using modern tools to help - as I'm only doing this for fun.

I know there's Action Replay or HRTMon, which was what used back in the day, but as above I want to know if I can make life easier with more modern tools.

What modern tools or tips would help me with this, either PC or Amiga side? I know winuae has a debugger, and I've had a quick play today, but I'm not really sure how to best utilise this to achieve what I want with the custom loaders, protection systems etc? I appreciate it probably wasn't designed for this.

[Spec-Chum]

Scrap that, did more reading.

If I can't do it with either an AR and/or the winuae debugger then, well, I shouldn't be trying this lol

Any suggestions for "easier" games, with easier copy protections, to try?

[mcgeezer]

Quote:

Originally Posted by Spec-Chum

Scrap that, did more reading.

If I can't do it with either an AR and/or the winuae debugger then, well, I shouldn't be trying this lol

Any suggestions for "easier" games, with easier copy protections, to try?

Have you checked out flastro?

[Antiriad_UK]

Quote:

Originally Posted by Spec-Chum

Scrap that, did more reading.

If I can't do it with either an AR and/or the winuae debugger then, well, I shouldn't be trying this lol

Any suggestions for "easier" games, with easier copy protections, to try?

Yeah I don't know how they do it. I can't even understand my own assembler code if the comments were removed lol

[jotd]

On windows:

- WinUAE debugger is the best, with read/write breakpoints and all. Beats HRTMon (except for the UI: hrtmon has mouse)
- IRA has a windows version. Disassembles executables & memory blocks. If symbols were kept, it injects them in the source. And the resulting code can be reassembled with phxass, vasm, whatever! A must have. I remember cracking/modifying BattleChess with that: disassemble/change stuff/reassemble: works.
- I've written a wrapper to reinject OS calls into IRA (python). Works wonders with OS-compliant games.

[ross]

Quote:

Originally Posted by Antiriad_UK

Yeah I don't know how they do it.

Crack is often the easiest part..
The difficulty begins when you have to render everything for a proper ADF release.

Quote:

I can't even understand my own assembler code if the comments were removed lol

Even worse when I don't even understand my own commented parts

..and when I look for code that I'm sure I've written and end up rewriting it..

[WayneK]

Quote:

Originally Posted by Spec-Chum

Scrap that, did more reading.

If I can't do it with either an AR and/or the winuae debugger then, well, I shouldn't be trying this lol

Any suggestions for "easier" games, with easier copy protections, to try?

Earlier Gremlin Graphics games basically boil down to a simple "check track, BEQ good BNE notgood", copy a few old games to ADF (XCopy in UAE, .IPF to .ADF) and find games which seem to copy successfully except for 1 bad track - a bad track 0 is more than likely a CopyLock which I would avoid at first, a bad track 79 could be the Gremlin loader or similar ("Outrun Europa" from US Gold is a simple track 79 check, don't cheat and read the Flashtro tutorial!).


If you've worked with protected Speccy loaders like Alcatraz + Speedlock, you'll find the Amiga stuff much easier once you get familiar with the system/cpu


Good luck!

[Spec-Chum]

Quote:

Originally Posted by mcgeezer

Have you checked out flastro?

Yeah, I found that after posting this.

They're not very "tutorial" if I'm honest - some seemed OK tho, mainly the codetapper ones.

Often they were just like "So, as you can see the boot loader shows..." OK, how do I load the bootloader? Although, that is probably something I should, and need to know, before I start this adventure.

Quote:

Originally Posted by Antiriad_UK

Yeah I don't know how they do it. I can't even understand my own assembler code if the comments were removed lol

Hehe, I'm fine with that bit, I know Z80, 6502, 65816, 68k, x86 and x64 asm.

Quote:

Originally Posted by jotd

On windows:

- WinUAE debugger is the best, with read/write breakpoints and all. Beats HRTMon (except for the UI: hrtmon has mouse)
- IRA has a windows version. Disassembles executables & memory blocks. If symbols were kept, it injects them in the source. And the resulting code can be reassembled with phxass, vasm, whatever! A must have. I remember cracking/modifying BattleChess with that: disassemble/change stuff/reassemble: works.
- I've written a wrapper to reinject OS calls into IRA (python). Works wonders with OS-compliant games.

I was thinking more along the lines of how to load the boot loader? I'm guessing native tools best for this?

I've not seen IRA for many years, I'll check it out again.

I do know cutter (GUI for radare2) does 68k, but it has no idea about the Amiga - I do have contact with the cutter devs tho, so I might ask about this.

Promising tho, once you start adding comments and setting the data:

Quote:

Originally Posted by ross

Crack is often the easiest part..
Even worse when I don't even understand my own commented parts

..and when I look for code that I'm sure I've written and end up rewriting it..

Haha, been there, done that!

Quote:

Originally Posted by WayneK

Earlier Gremlin Graphics games basically boil down to a simple "check track, BEQ good BNE notgood", copy a few old games to ADF (XCopy in UAE, .IPF to .ADF) and find games which seem to copy successfully except for 1 bad track - a bad track 0 is more than likely a CopyLock which I would avoid at first, a bad track 79 could be the Gremlin loader or similar ("Outrun Europa" from US Gold is a simple track 79 check, don't cheat and read the Flashtro tutorial!).


If you've worked with protected Speccy loaders like Alcatraz + Speedlock, you'll find the Amiga stuff much easier once you get familiar with the system/cpu


Good luck!

Nice, I'll take a look at some gremlin ones, thanks.

I did do speedlock yeah, on looking last night the Amiga ones do seem much simpler by comparison.

Plus, using modern speccy emulators really help with R reg decryptors, it really was just a case of breakpointing right after it ran and plugging the numbers into the hack.

For example, here's my hack for Daley Thompson's Decathlon:

Code:

	org $ff78

	; CLEAR 65490
	
	; second BASIC block
bblk2:
	ld ix, $5ccb
	ld de, 827
	ld a, 255
	scf
	call $0556
	jr nc, bblk2
	
	; decryptor
	di
	ld hl, $5e28
	ld de, $fde8
	ld bc, $01aa
	ld a, $61
	call $5ff3
	
	ld a, $c3
	ld ($ff7d), a
	ld hl, pokes
	ld ($ff7e), hl
		
	jp $ff5e
	
pokes:
	xor a
	ld (24000), a
	ei
	jp $5b00

The values for the registers on the "; decryptor" section would have been a pain, even with a multiface, but using an emulator makes it far easier.

[Spec-Chum]

Spoke to Cutter devs and they gave me these links for adding Amiga Hunk to Cutter:
https://radare.gitbooks.io/radare2book/plugins/dev-bin.htm
https://github.com/radareorg/radare2...ter/libr/bin/p

Not really looked too deeply into the Hunk format yet, so will be a while before I even attempt this, but thought it might be useful to others.

[Spec-Chum]

I've just discovered amitools:
https://github.com/cnvogelg/amitools...ster/README.md

Disassemble the bootloader in seconds with 1 command.

Now we're taking!