
PART 5 - Advanced Hacking Methods

Remember in Part 2, when I said there were other ways of hacking apart from forwards and backwards tracing? Well, you can find them here, but you need a Multiface to be able to use them. The two we're interested in here are what I call a stack trace and an interrupt trace.

STACK TRACE:

We've already come across the stack as a means of storing numbers. What you haven't come across yet is how the processor itself uses the stack. In a CALL to a subroutine, what actually happens is that the return address (the address of the instruction after the CALL) is pushed onto the stack, and a RET pops the top value off the stack and jumps to it. So when you stop a game with a Multiface, the value on top of the stack is normally the return address back into the program, and the values below it are the return addresses of the subroutines that called the current one, going outwards. (Games also push ordinary data and register pairs with PUSH, so not every value on the stack is an address - that's why the checks below matter.)

To do a stack trace, load and play the game, and wait until the "death effect" occurs - this may be a beep, a flashing border or something else recognisable. Now quickly press the Multiface button during this effect - if you're too slow, you won't get the values you're looking for (so return to the game and die again). Now look at the value of the stack pointer (your Multiface manual will tell you how to do this), and write down the first ten bytes from the top of the stack, i.e. the five two-byte values at SP, SP+2 and so on. All numbers are stored in the normal reversed (low byte first) two-byte form, so if the bytes on top of the stack were #00,#80,#80,#70,#90,#60, the values would be #8000, #7080 and #6090. Have a look at all of these addresses - you should find that some of them are addresses right after CALL instructions. The check is simple: a return address always sits three bytes after the CALL that produced it, so at address-3 you should see #CD (or one of the conditional CALL opcodes) followed by the subroutine's address, low byte first.

Now for the hacking bit - go to one of these addresses and write down the two bytes there. Then change them to the magic codes #18 and #FE (this is the machine code version of JR -2, which is an endless loop, a bit like 1 GOTO 1 in BASIC). Restart the game and, hopefully, you'll find that the game hangs as soon as you do something which would normally result in you losing a life - the loop is only reached when that subroutine returns, so a hang tells you this is the path the game takes when you die. (If not, replace the #18FE with the original two bytes, look at another address on the "hit list" and repeat the whole procedure.)

Once you've found a target address, try putting a RET (#C9) at the start of the subroutine called by the CALL just before it. If this just cancels the death effect but you still "die", activate the Genie Disassembler if you have it (or use the NEW routine in Part 4 at any address, then load STK or Devpac somewhere far away from the area of memory you're looking at), and search for CALLs to this routine (the bytes #CD followed by the routine's address, low byte first). Then go back from this CALL until you find a RET or a JP - that's the end of the previous routine, so the instruction after it is the start of the one you're in - and search for the address of that instruction (if nothing comes up, search for one more than this, then two more, and so on, as the routine may be entered a few bytes in). You will hopefully see one of these:

JP Z
JP NZ
JP C
JP NC

(The JP may be a JR or a CALL instead)

Simply overwrite this instruction with NOPs (#00) to get immunity or something similar - three NOPs for a JP or CALL, two for a JR, so that the bytes after it still line up as instructions.

On the other hand, when searching back from the CALL address, you may find a JP Z or JP NZ, etc. that jumps over the death code (a jump that is only taken when you survive). Change this to an unconditional JP (#C3, or #18 for a JR) to get immunity.
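The bookkeeping from this section, as a script you can run against a memory dump. This is an added example written for this page, not code from the original article or from any Multiface tool: the 64K image, the tiny "game" at #8000/#9000 and the stack contents in build_demo() are constructed so the script runs offline, and the function names are my own. With a real dump you would read the SP value off the Multiface and pass the snapshot's memory in place of the demo image.

```python
"""Stack-trace helper for a Z80 memory snapshot (added example, not part of
the original article).  The memory image, stack contents and the tiny 'game'
routines in build_demo() are constructed for illustration; real work starts
from a Multiface/.sna dump and the SP value the Multiface shows you."""

# Z80 opcodes the procedure cares about.
CALL_OPS = {0xCD, 0xC4, 0xCC, 0xD4, 0xDC, 0xE4, 0xEC, 0xF4, 0xFC}  # CALL nn / CALL cc,nn
JP_CC = {0xC2, 0xCA, 0xD2, 0xDA, 0xE2, 0xEA, 0xF2, 0xFA}           # JP cc,nn   (3 bytes)
JR_CC = {0x20, 0x28, 0x30, 0x38}                                    # JR cc,e    (2 bytes)
CALL_CC = CALL_OPS - {0xCD}                                         # CALL cc,nn (3 bytes)
NOP, JP, JR, CALL = 0x00, 0xC3, 0x18, 0xCD
JR_SELF = bytes([0x18, 0xFE])   # JR -2: the "1 GOTO 1" endless loop


def read_word(mem, addr):
    """Little-endian 16-bit read, wrapping at 64K like the Z80 does."""
    return mem[addr & 0xFFFF] | (mem[(addr + 1) & 0xFFFF] << 8)


def stack_words(mem, sp, count=5):
    """The first `count` 16-bit values on top of the stack (10 bytes = 5 words)."""
    return [read_word(mem, sp + 2 * i) for i in range(count)]


def call_before(mem, addr):
    """If the three bytes before `addr` are a CALL, return its target, else None.
    A return address pushed by CALL is always the address after that CALL."""
    op = mem[(addr - 3) & 0xFFFF]
    return read_word(mem, addr - 2) if op in CALL_OPS else None


def hit_list(mem, sp, count=5):
    """Stack values that look like return addresses: (return_addr, call_target)."""
    hits = []
    for addr in stack_words(mem, sp, count):
        target = call_before(mem, addr)
        if target is not None:
            hits.append((addr, target))
    return hits


def find_calls_to(mem, target):
    """Addresses of every CALL / CALL cc whose operand is `target`."""
    lo, hi = target & 0xFF, target >> 8
    return [a for a in range(0x10000 - 2)
            if mem[a] in CALL_OPS and mem[a + 1] == lo and mem[a + 2] == hi]


def patch_loop(mem, addr):
    """Overwrite two bytes with JR -2; returns the originals so you can restore."""
    saved = bytes(mem[addr:addr + 2])
    mem[addr:addr + 2] = JR_SELF
    return saved


def patch_branch(mem, addr, make_unconditional=False):
    """Neutralise a conditional JP/JR/CALL at `addr`: either NOP it out (the
    right number of NOPs for its length) or turn it unconditional.
    Returns the number of bytes covered, 0 if no conditional branch is there."""
    op = mem[addr]
    if op in JR_CC:
        length, uncond = 2, JR
    elif op in JP_CC:
        length, uncond = 3, JP
    elif op in CALL_CC:
        length, uncond = 3, CALL
    else:
        return 0
    if make_unconditional:
        mem[addr] = uncond
    else:
        mem[addr:addr + length] = bytes([NOP] * length)
    return length


def build_demo():
    """Constructed 64K image: a fake 'lose a life' path and a stack to match."""
    mem = bytearray(0x10000)
    # 0x8000: JR NZ,+3 (skip the death call when not hit) ; CALL 0x9000 ; RET
    mem[0x8000:0x8007] = bytes([0x20, 0x03, 0xCD, 0x00, 0x90, 0xC9, 0x00])
    mem[0x9000] = 0xC9                                # death-effect routine: just RET here
    mem[0xA000:0xA003] = bytes([0xCD, 0x00, 0x90])    # a second caller of 0x9000
    sp = 0xFF00                                       # stack: 0x8005, 0x7080, 0x6090
    mem[sp:sp + 6] = bytes([0x05, 0x80, 0x80, 0x70, 0x90, 0x60])
    return mem, sp


if __name__ == "__main__":
    mem, sp = build_demo()
    print("stack:", [hex(w) for w in stack_words(mem, sp, 3)])
    print("hit list:", [(hex(a), hex(t)) for a, t in hit_list(mem, sp, 3)])
    print("callers of 0x9000:", [hex(a) for a in find_calls_to(mem, 0x9000)])
```

In the demo the only stack value preceded by a CALL is #8005, which points back to the CALL #9000 at #8002; searching for other callers of #9000 turns up #A000 as well, and the JR NZ at #8000 is the conditional branch the section tells you to NOP out or make unconditional.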

INTERRUPT TRACE:

This involves looking at the game's interrupt routine. Since the whole routine must finish within 1/50th of a second, it is usually quite short, especially when the heavy work is done by a single instruction such as LDIR. Most of the time you'll find the time limit handled in this routine (because interrupts happen in real time, so it's the ideal place to put a clock), and you need a Multiface to find it.

Load the game and start playing as normal. Then activate the Multiface and have a look at the I register. If the value is #3F, the game is using the ROM's standard interrupts, so forget about an interrupt trace altogether (but you can use a stack trace, which will make the clock loop round to 99 or whatever when it reaches 0). If it is between #80 and #FF (and if it's not in that range and not #3F you've probably crashed the computer!), go to the address #100 times the value in the I register (so if I is #F0, look at #F000). You will see an area of memory filled with the same number. This is the IM 2 vector table: the processor takes the interrupt address from I*#100 plus whatever byte happens to be on the data bus, so the game fills all 257 bytes with one value to get the same address whatever the bus says. Go to the address made from that number twice (if the area is filled with #FE, go to #FEFE, and so on). There will either be a jump to the interrupt routine or the interrupt routine itself. Have a look at the routine, and somewhere you will see the instructions that decrease the timer - just replace the DEC with NOPs (#00), one for each byte of the instruction (DEC A and DEC (HL) are a single byte), to get infinite time.
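The same walk from the I register to the timer, as a script. It is an added example written for this page, not code from the original article: the IM 2 table, the JP at #FDFD and the handler at #C000 in build_demo() are constructed so it runs offline, the two byte patterns it searches for (LD A,(nn) / DEC A / LD (nn),A and LD HL,nn / DEC (HL)) are the common timer shapes I chose to recognise rather than the only ones a game can use, and the function names are my own.

```python
"""Interrupt-trace helper for a Z80/Spectrum memory snapshot (added example,
not part of the original article).  The IM 2 table, handler and timer code in
build_demo() are constructed for illustration; real work starts from a
Multiface/.sna dump and the I register value the Multiface shows you."""

ROM_I = 0x3F          # I value left by the 48K ROM: standard interrupts, nothing to trace
JP, NOP = 0xC3, 0x00

# Timer-decrement shapes to look for, as byte patterns: (pattern with None as a
# wildcard operand byte, offset of the DEC inside it, offsets of the counter's
# little-endian address inside the pattern).  Other shapes exist; these are
# the two most common ones and are an assumption of this example.
TIMER_PATTERNS = [
    ([0x3A, None, None, 0x3D, 0x32, None, None], 3, (1, 2)),  # LD A,(nn); DEC A; LD (nn),A
    ([0x21, None, None, 0x35], 3, (1, 2)),                    # LD HL,nn; DEC (HL)
]


def read_word(mem, addr):
    """Little-endian 16-bit read, wrapping at 64K like the Z80 does."""
    return mem[addr & 0xFFFF] | (mem[(addr + 1) & 0xFFFF] << 8)


def im2_handler(mem, i_reg):
    """Where the interrupt goes for this I value.
    Returns (table_addr, handler_addr, table_uniform), or None when I is #3F.
    In IM 2 the CPU reads the vector from I*256 + <byte on the data bus>; the
    game cannot control that byte, so it fills all 257 table bytes with one
    value X and the handler (or a JP to it) lives at #XXXX."""
    if i_reg == ROM_I:
        return None
    table = i_reg << 8
    fill = mem[table]
    uniform = all(mem[(table + k) & 0xFFFF] == fill for k in range(257))
    # For a uniform table any bus byte gives the same answer; #FF is the value
    # usually seen on the Spectrum bus, used here as the assumption if not.
    handler = read_word(mem, table + 0xFF)
    if mem[handler] == JP:                 # table points at a JP to the real routine
        handler = read_word(mem, handler + 1)
    return table, handler, uniform


def find_timer_decs(mem, start, window=256):
    """Scan `window` bytes from `start` for the timer-decrement shapes.
    Returns a sorted list of (dec_addr, counter_addr)."""
    hits = []
    for pat, dec_off, (lo, hi) in TIMER_PATTERNS:
        for a in range(start, start + window - len(pat) + 1):
            if all(p is None or mem[(a + k) & 0xFFFF] == p for k, p in enumerate(pat)):
                counter = mem[(a + lo) & 0xFFFF] | (mem[(a + hi) & 0xFFFF] << 8)
                hits.append((a + dec_off, counter))
    return sorted(hits)


def patch_out_dec(mem, dec_addr):
    """Replace a one-byte DEC A / DEC (HL) with NOP; returns the original byte."""
    saved = mem[dec_addr]
    mem[dec_addr] = NOP
    return saved


def build_demo():
    """Constructed image: I=#FE, a table of 257 x #FD, and a JP at #FDFD to #C000."""
    mem = bytearray(0x10000)
    mem[0xFE00:0xFF01] = bytes([0xFD] * 257)            # IM 2 vector table
    mem[0xFDFD:0xFE00] = bytes([0xC3, 0x00, 0xC0])      # JP #C000
    mem[0xC000:0xC010] = bytes([
        0xF5, 0xE5,                     # PUSH AF ; PUSH HL
        0x3A, 0x00, 0xC1,               # LD A,(#C100)   ; the time counter
        0x3D,                           # DEC A          ; this is what we remove
        0x32, 0x00, 0xC1,               # LD (#C100),A
        0xE1, 0xF1, 0xFB, 0xED, 0x4D,   # POP HL ; POP AF ; EI ; RETI
        0x00, 0x00])
    mem[0xC100] = 99                                     # constructed starting time
    return mem, 0xFE


if __name__ == "__main__":
    mem, i_reg = build_demo()
    table, handler, uniform = im2_handler(mem, i_reg)
    print(f"table {table:#06x} uniform={uniform} handler {handler:#06x}")
    for dec_addr, counter in find_timer_decs(mem, handler):
        print(f"DEC at {dec_addr:#06x} on counter {counter:#06x}")
```

On the demo image the script follows I=#FE to the table at #FE00, reads #FDFD from it, follows the JP there to #C000 and reports the DEC A at #C005 acting on the counter at #C100; patch_out_dec() is the "remove the DEC" step. A non-uniform table is reported so you can check it by hand rather than trusting the #FF assumption.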


