Cracking Sega games
(Once you learn the art you crack whatever you want)

by +Rcg

Courtesy of Fravia's page of reverse engineering
A very short but interesting essay: +Rcg shows here how to apply our knowledge to Z80-style cracking... And emulators are a world apart, one that many of us enjoy, enjoyed or will enjoy!

Is reverse engineering only applicable to dos or windows cracking?

	No, of course not; you can crack Unix, OS/2 or... 

What other things could I do with my cracking knowledge?

	For example, reach the end of the favourite games we never finished... the
games we played on small Z80 computers when we were young.

Yes, but how?

	Let's take, for example, one of the best platform games ever made, in my
modest opinion: "Alex Kidd in Miracle World" from Sega.
	You need an emulator (take for example Massage 0.72, shareware
version; I use SPCAD195 because it supports my GUS) in order to
run it on your machine, and you need a Z80 disassembler like DASMZ80.
Here are the relevant credits:  

DASMZ80 Z80 Disassembler v.2.0 by Marat Fayzullin
"Sparcade!" aka Dave's Arcade Emulator, copyright David Spicer 1995/96
MASSAGE V0.72- Sega Master System/Game Gear Emulator by James McKay

and then you have a ROM: "you can use it for 24 hours only".

	Now fire up GameWizard and play a little: search memory for the value 3,
lose a life, search the remaining candidates for 2, lose another, search for 1,
and Bingo!!! You get the addresses (or, better, the offsets) where
your "lives" are stored.

	On my computer it was:

		With Sparcade ===> 9000:8025 (This is a usable offset)
		With Massage  ===> D000:1061 (This is not)	

Now we use the disassembler:

	dasmz80 alexkidd.sms > alex.asm

and you will obtain a huge file of about 3.5 MB.

	Now you only need to know that the Sega Master System maps its work RAM
at C000h: the lives counter that GameWizard found at RAM offset 8025 (the
025h at the end is what matters) sits at C025h in the Z80 address space,
so C025 is what you must search the listing for (instead of 8025):

00006E1F:	CALL 0343h
00006E22:	CALL 9DF3h
00006E25:	LD HL,C025h	;HL = address of the "lives" counter in RAM
00006E28:	LD A,(HL)	;A = lives left (this load does not touch the flags)
00006E29:	SUB 01h		;A = A - 1; sets Z when the result is zero
00006E2B:	JP Z,6DC9h	;If zero ==> GAME OVER (Bad Player!!!)
00006E2E:	DAA		;Decimal Adjust Accumulator: the counter is kept in BCD
00006E2F:	LD (HL),A	;Store the new "lives left" value
00006E30:	LD A,82h
00006E32:	LD (FFFFh),A	;FFFFh is the Sega mapper's bank register for slot 2
00006E35:	LD IX,C300h
00006E39:	LD DE,0020h
00006E3C:	LD B,05h
00006E3E:	CALL 278Ah
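One way to do this search without a 3.5 MB listing, as an added example that is not part of +Rcg's essay: scan the ROM bytes for Z80 instructions that carry C025h as their operand. The buffer-offset translation, the opcode table, the function names and the constructed ROM image (the routine from the listing above encoded as bytes, surrounded by padding) are all assumptions of this example; the 8 KiB-alignment mapping reproduces the Sparcade offset quoted in the essay and is not claimed to work for the Massage one.

```python
# Added example, not from +Rcg's essay: find the code that touches a RAM
# variable by scanning ROM bytes directly instead of grepping a DASMZ80
# listing. The snippet placed in the ROM image is the byte encoding of the
# listing in the essay; the rest of the image is constructed padding.

SMS_RAM_BASE = 0xC000        # SMS work RAM is mapped at C000h-DFFFh (8 KiB)

# Z80 instructions whose last two bytes are a little-endian 16-bit address
# or immediate. The DD/FD-prefixed LD IX/IY,nn forms are handled separately.
ABS16_OPCODES = {
    0x21: "LD HL,nn", 0x01: "LD BC,nn", 0x11: "LD DE,nn", 0x31: "LD SP,nn",
    0x3A: "LD A,(nn)", 0x32: "LD (nn),A",
    0x2A: "LD HL,(nn)", 0x22: "LD (nn),HL",
}


def ram_offset_to_sms_address(emu_offset):
    """Map an offset inside an emulator's RAM buffer to a Z80 address.
    Assumption (true for the Sparcade number in the essay, not for the
    Massage one): the buffer is 8 KiB-aligned, so the low 13 bits survive."""
    return SMS_RAM_BASE + (emu_offset & 0x1FFF)


def find_references(rom, address):
    """Return (rom_offset, mnemonic) for every opcode in ABS16_OPCODES that is
    followed by `address`. This is a byte-pattern heuristic: it does not
    decode instruction lengths, so a hit can also be operand bytes of some
    longer instruction. Confirm each hit in the disassembly."""
    lo, hi = address & 0xFF, address >> 8
    hits = []
    for i in range(len(rom) - 2):
        if rom[i + 1] != lo or rom[i + 2] != hi:
            continue
        op = rom[i]
        if op == 0x21 and i > 0 and rom[i - 1] in (0xDD, 0xFD):
            reg = "IX" if rom[i - 1] == 0xDD else "IY"
            hits.append((i - 1, f"LD {reg},nn"))   # prefixed form, 4 bytes
        elif op in ABS16_OPCODES:
            hits.append((i, ABS16_OPCODES[op]))
    return hits


# Constructed ROM: 32 KiB of 00h with the essay's routine at 6E1Fh.
LISTING_6E1F = bytes.fromhex(
    "CD4303"      # 6E1F CALL 0343h
    "CDF39D"      # 6E22 CALL 9DF3h
    "2125C0"      # 6E25 LD HL,C025h
    "7E"          # 6E28 LD A,(HL)
    "D601"        # 6E29 SUB 01h
    "CAC96D"      # 6E2B JP Z,6DC9h
    "27"          # 6E2E DAA
    "77"          # 6E2F LD (HL),A
    "3E82"        # 6E30 LD A,82h
    "32FFFF"      # 6E32 LD (FFFFh),A
    "DD2100C3"    # 6E35 LD IX,C300h
    "112000"      # 6E39 LD DE,0020h
    "0605"        # 6E3C LD B,05h
    "CD8A27"      # 6E3E CALL 278Ah
)


def build_demo_rom():
    rom = bytearray(0x8000)
    rom[0x6E1F:0x6E1F + len(LISTING_6E1F)] = LISTING_6E1F
    return bytes(rom)


if __name__ == "__main__":
    rom = build_demo_rom()
    target = ram_offset_to_sms_address(0x8025)       # -> C025h
    for off, mnem in find_references(rom, target):
        print(f"{off:05X}: {mnem}  (nn = {target:04X}h)")
```

Run against the constructed image this reports the single LD HL,C025h at 6E25h, which is exactly the line the essay found in the listing. Asking it for C300h instead shows why the DD/FD prefix check matters: without it the 21 00 C3 inside LD IX,C300h would be reported as an LD HL,nn at the wrong offset.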

Now NOP out the SUB 01h at offset 06E29 of AlexKidd.sms:

00006E29:     D601		SUB 01h  
00006E2B:     CAC96D		JP Z,6DC9h

But remember that in Z80 a NOP is 00 (and RET is C9).
Wow!!! Now I understand why all the "pokes" in the mags were 
00 (NOP) or C9 (RET, do nothing).

So change D601 to 0000 or D600 (SUB 00h) and you will have
what you always wanted: "infinite lives".

Of the two, D600 is the cleaner patch. SUB 00h still sets the flags from A,
so the JP Z that follows only jumps when the counter was already zero, and
the DAA after it leaves a valid BCD value untouched. With 0000 the JP Z and
the DAA act on whatever flags the CALL 9DF3h above left behind, because
LD A,(HL) does not change them.
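The patch and the flag argument above, as an added example that is not from the essay: a script that refuses to write unless the bytes at the offset are the D601 the disassembly showed, followed by a minimal model of the instructions between LD A,(HL) and LD (HL),A, using the Z80 flag rules for SUB and DAA, run against the original bytes and both patches. The copier-header check, the function names and the constructed 32 KiB image are assumptions of this example.

```python
# Added example, not from +Rcg's essay: verify-then-patch the lives routine,
# and model the few instructions around the patch site to compare D600 with
# 0000. Addresses and bytes are those of the essay's listing; the ROM image
# is constructed for the demo.

PATCH_ADDR = 0x6E29
SUB_ONE  = bytes([0xD6, 0x01])      # original: SUB 01h
SUB_ZERO = bytes([0xD6, 0x00])      # patch 1:  SUB 00h
NOP_NOP  = bytes([0x00, 0x00])      # patch 2:  NOP / NOP


def file_offset(rom, z80_address):
    """File offset of a Z80 address below 8000h (slots 0 and 1 in their
    power-on mapping). Assumption: some SMS dumps carry a 512-byte copier
    header, recognisable as a file size 512 bytes past a 16 KiB multiple."""
    header = 512 if len(rom) % 0x4000 == 512 else 0
    return header + z80_address


def patch_rom(rom, z80_address, expected, replacement):
    """Write `replacement` over `expected` at `z80_address`, refusing if the
    bytes there are not what the disassembly said (wrong dump, header, ...)."""
    off = file_offset(rom, z80_address)
    found = rom[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"{off:05X}: found {found.hex()}, expected {expected.hex()}")
    out = bytearray(rom)
    out[off:off + len(replacement)] = replacement
    return bytes(out)


def run_lives_routine(patch_site, lives, stale_z):
    """Model of LD A,(HL) / <patch_site> / JP Z,6DC9h / DAA / LD (HL),A.
    `stale_z` is the Z flag left by CALL 9DF3h; LD A,(HL) does not alter
    flags, so it reaches JP Z untouched unless the patch site sets it.
    Returns (lives written back to RAM, game_over)."""
    a, z, n, h, c = lives, stale_z, False, False, False
    if patch_site[0] == 0xD6:                    # SUB n: A = A - n, N = 1
        imm = patch_site[1]
        h = (a & 0x0F) < (imm & 0x0F)            # half-borrow
        c = a < imm                              # borrow
        a = (a - imm) & 0xFF
        z, n = a == 0, True
    elif patch_site == NOP_NOP:
        pass                                     # flags left as they were
    else:
        raise ValueError("unsupported patch bytes")
    if z:
        return lives, True                       # JP Z,6DC9h taken: GAME OVER
    # DAA: correct A to packed BCD from N/H/C (subtracts the fix when N = 1)
    fix = 0
    if h or (a & 0x0F) > 9:
        fix |= 0x06
    if c or a > 0x99:
        fix |= 0x60
    a = (a - fix) & 0xFF if n else (a + fix) & 0xFF
    return a, False                              # LD (HL),A


def demo_rom():
    """Constructed 32 KiB image carrying only the bytes at 6E25h-6E2Fh:
    LD HL,C025h / LD A,(HL) / SUB 01h / JP Z,6DC9h / DAA / LD (HL),A."""
    rom = bytearray(0x8000)
    rom[0x6E25:0x6E30] = bytes.fromhex("2125C07ED601CAC96D2777")
    return bytes(rom)


if __name__ == "__main__":
    patched = patch_rom(demo_rom(), PATCH_ADDR, SUB_ONE, SUB_ZERO)
    print("bytes at 6E29h after patch:", patched[0x6E29:0x6E2E].hex())
    for site, name in ((SUB_ONE, "original"), (SUB_ZERO, "SUB 00h"), (NOP_NOP, "NOP NOP")):
        print(f"{name:8} 3 lives, stale Z set ->", run_lives_routine(site, 0x03, True))
```

With the original bytes a BCD counter of 10h becomes 09h (the DAA is what turns 0Fh into 09h), and 01h ends the game. With SUB 00h the counter never moves and JP Z only fires if it was already zero, whatever Z was on entry. With NOP NOP the same three lives end the game the moment the subroutine at 9DF3h happens to return with Z set, which is the risk the prose above points at.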

I adore these "old" games and of course my old SegaMasterSystem,
where I had great moments, playing with my friends. 
Who needs a Pentium-200 with 32 MB to play 40 MB games, if you have
games like this that use only 256 KB? The space taken by a windoze
icon! And they run perfectly well on my modest 486, in a DOS box!!!! 

It's time to play again!!!!

+Rcg 1997
