Noob Questions

[Crackersixx]

I am trying to learn a bit about creating trainers and I have a few general questions.

Question 1
-----------
My A1200 has 34 megs ram (2chip, 32 fast). Sysinfo says my ram is located at the following address ranges:

chip: $1000 - $1FFFFF
fast: $1000000 - 2FFFFFF

When I am using HRTMon or PDX-AR and want to search my memory, do I have to do this in 2 separate blocks since the memory is not contiguous?
for example: fs $1000 $1FFFFF "test" and then fs $1000000 $2FFFFFF "test"?

If my memory starts at 1000, what is below that address?


Question 2
-----------

I understand how a trackloader will load code from the disk into a specific memory location.

What I dont understand is when AmigaDOS is used and the file is loaded normally, how do I know where it was loaded?

If I have a disk that uses startup-sequence to launch an executable. How can I know where it was loaded to?

I may not even have this problem if I was using the AR search functions properly, but I cannot find the opcodes that signify the start of the program.

If I break into AR, type:
lm test, 50000

m 50000

and I get: 4E 75 4E 55 00 00 4A 6C

then exit and let the game load the startup-sequence and exe file then break in, I cannot find that opcode pattern in memory.
--------

Hope someone can shed some light on this :P

-C6

[Codetapper]

1. Yes you have to search it in 2 blocks. It is best to disable fast memory and let the game load, then you can guarantee it is in chip memory and only one block to search! (Note that some games will override you and load into fast memory anyway as they detect it by poking values and seeing if they read back the same).

SysInfo is lying, your chip memory starts at $0 and goes to $1fffff. The first $c0 bytes are vital to keep the computer running but you can safely use memory from $c0 to $1000 despite what SysInfo tells you! Many trainer makers use low memory to store their keyboard cheat code to toggle infinite lives etc.

2. There are a couple of things you can do to get around this, a common trick is to replace the first file with a simple loader. Say the original game was "hunter", you write a program "boot" which loads "hunter", waits for the mouse (and at this point you can break into it with AR etc) and then executes it.

To load the file you need to open dos.library and LoadSeg the file, which loads it somewhere in memory. You will be given back the loading address of the file.

With a completely clean operating system you should find the same file will load to the same address each time. It's only if you soft-reboot with Ctrl-Amiga-Amiga that it will appear all over the place.

If you are using WinUAE you can use the debugger to cause it to halt when the code is in memory rather than in ROM. Create a config with only chip memory, let the program start to load, Shift-F12 to enter debug mode, "f", then and as soon as it finishes the debugger will appear and you can see where the code is.

[gizmomelb]

from qustion 2:

I seem to recall that if you were writing an AmigaDOS friendly loader, first you would allocate how much free memory you needed using system library calls - and you'd be returned the address where the free memory was. Then you'd load the file into that memory address, then JMP there if it was executable code.

something like that.. it's been a long time.

[StingRay]

Quote:

Originally Posted by gizmomelb

from qustion 2:

I seem to recall that if you were writing an AmigaDOS friendly loader, first you would allocate how much free memory you needed using system library calls - and you'd be returned the address where the free memory was. Then you'd load the file into that memory address, then JMP there if it was executable code.

something like that.. it's been a long time.

Even though this approach works as well, using LoadSeg is much more simple as Codetapper already said.

[Codetapper]

Quote:

Originally Posted by gizmomelb

from qustion 2:

I seem to recall that if you were writing an AmigaDOS friendly loader, first you would allocate how much free memory you needed using system library calls - and you'd be returned the address where the free memory was. Then you'd load the file into that memory address, then JMP there if it was executable code.

something like that.. it's been a long time.

This method will not work with a lot of files, as they are split into various hunks and need to be relocated correctly. As an example, a file might be 200 bytes long consisting of 3 hunks, a piece of code, a BSS section of 200kb then another small piece of code. If you just allocate 200 bytes and read the file in, kaboom...

[Crackersixx]

Thanks for the information everyone

Slowly getting the hang of things. I'm sure i'll have more questions soon heh.

-c6

[StingRay]

Quote:

Originally Posted by Codetapper

This method will not work with a lot of files, as they are split into various hunks and need to be relocated correctly. As an example, a file might be 200 bytes long consisting of 3 hunks, a piece of code, a BSS section of 200kb then another small piece of code. If you just allocate 200 bytes and read the file in, kaboom...

True, I thought he was speaking about files with one hunk only.

[Crackersixx]

Is there an AmigaDOS cracking or trainer tutorial anywhere?

I thought I'd give myself some rather easy goals starting out, so I chose to try removing the novella protection from "Pirates!", since I own the original and the disk itself is not protected. I figured this would be easier than trying to figure out a custom mfm disk format.

Turns out, there is tons of information/tutorials on mfm protections and a complete lack of AmiDos tuts.

Anyone know of one? or maybe have something helpful in their collection?
(or even willing to write one, heh)

[adolescent]

Have you checked flashtro.com. They have tutorials for other novella protections.

[Crackersixx]

I have, and unless i've missed it, they are all mfm/rnc tuts.

On Flashtro.com, perhaps you should try menu item " Novella " ...

[Crackersixx]

I was hoping someone knew of somthing besides flashtro.

Of the 20 novella tutorials on flashtro, 18 of them are basically the same tutorial.

Only two of them are significantly different types of novella:

Risky Woods and Espana games92. These two require you to pick an object on screen, the other 18 are all "type in a word from ..."

Risky woods and espana both make it very easy to break into the code at the perfect location. (with an instruction that branches to itself endlessly, or by using the reset command which is easy to find)

The problem I am having is finding a good way to break into the code somewhere close to the protection.

With "Pirates!", you select 2 answers, but even if you get it wrong the game continues and you can still play.

Maybe I chose a tough game to start with...

[BippyM]

Where does it crash/end?

You need to find out what is set that makes the game do that, and then emulate/fix the condition