So you want to learn how to hack? Well, you've come to the right place. But for all you complete novices a hacker isn't someone who chops violently through the undergrowth, a flogger of overworked horses or someone with a dry, spasmodic cough. It is in fact someone who spends his or her time hacking into computer programs for fun.
Hacking means altering a game so that it works differently to the way the programmers first intended it to. For instance, you can alter a game so that your lives counter doesn't decrease when you die - leaving you with infinite lives to play with. Most games these days also have a protection system to stop you getting at them and copying them, so this has to be hacked through before you can start altering the program. However, this doesn't mean that hacking is for piracy. In fact, if you think about it, you'll realise that hacking is the hardest, most time-consuming and least effective way to copy a game. Hacking simply enables you to get more fun out of a game when you've reached that stage where you just can't get any further.
It's essential to have a disassembler/monitor. I use HiSoft's DevPac which also includes an excellent assembler. Many people, though, find that the Multiface One, by Romantic Robot, is just as good. You can even find a disassembler and monitor in your Spectrum Emulator.
Just one thing really - machine code. In the case of the Spectrum that means Z80 machine code.
Before you leave this article, muttering that you'll never manage machine code, let me tell you something - it ain't that difficult. There are loads of good books on the subject that'll teach a complete beginner how to use machine code in only a few hours. I started off with Spectrum Machine Language For The Absolute Beginner by Melbourne House, and once you've read this, or any other book, a couple of times, you'll then feel confident enough to have a go. The other thing you'll need is a reference book so that you can work out what each instruction does. A pretty good one is the Z80 Reference Guide also by Melbourne House.
First you'll need to find a game that's difficult to play - otherwise, what's the point of hacking it to make it easier? Then you've got to get through its protection system - often not an easy task. Of course if your doing this via an emulator this does not apply. Once you've done that you must work out how to make the game easier, and produce a program that'll do this.
The easiest way to start is to find a game which isn't protected, so that you can get used to the process of hacking without having to worry about how to break through the game's protection. You can tell if a game is protected or not by looking at how it loads. If the normal blue and yellow lines are there and if the pitch of the loading noise stays more or less the same all the time its loading, then the chances are that it isn't protected. A great game to start with is good ol' Jet Set Willy.
First of all you have to load your monitor program into the Speccy. The position of this has to be carefully chosen - it must go in what's called high memory - usually above the 55000 address. This means that it's out of the way, and won't interfere with the actual game. When you get more experienced in hacking, you can use header readers to find out where the game code is, and load your monitor program after it.
Next, you put in the first bit of your chosen game. Instead of typing LOAD "" as you normally do, type in MERGE "" and press play. When the OK message appears you can then press LIST. A bit of BASIC code will appear on the screen, usually about half a screen long. This'll be made up of all sorts of BASIC statements, such as PRINT, INK, PAPER. Also there'll be an optional CLEAR statement, an optional LOAD "" SCREEN$, one or more LOAD "" CODE and a PRINT USR xxx or RANDOMIZE USR xxx (where xxx is the execution address of the game). There may be other statements in this bit of BASIC, but if it's an unprotected game, they won't do anything important. The CLEAR address is important as the machine code for the game will appear above this address. Failing to CLEAR might cause your Speccy to crash when you LOAD the code if the stack gets overwritten.
None of this applies if you are working through an emulator. In this case LOAD the program as normal, do not run it! Then start the monitor via the ARexx button. Using JSW as an example, when the monitor is running type PC and press ENTER - at the PC: prompt type 35896 and ENTER. The monitor will show;
| 35896 | CA4A8C | JP Z,35914 | ||
| 35899 | 35 | DEC (HL) | ||
| 35900 | 21D785 | LD HL,34263 |
35899 is the address which reduces the number of lives, so we need to change this to a NOP instruction - i.e. POKE 35899,0. This can be done from the emulator screen or from here, so type P and ENTER. At the P: prompt type 35899,0 and ENTER. You now need to repeat the first instruction by typing PC and then 35896 at the PC: prompt. Note that the first three lines now read; 35896 CA4A8C JP Z,35914
| 35899 | 00 | NOP | ||
| 35900 | 21D785 | LD HL,34263 |
Type Q and ENTER to quit the monitor and run the program in the normal way. SHAZAM - infinite lives.
Games will differ greatly in the things to keep an eye out for, but some things are fairly standard, and are easy to alter. The obvious one to go for is the number of lives you have in a game. Look for two instructions that'll appear something like LD A,x : LD (nn),A, where x is the number of lives you start with (though it may appear as the number of lives + 1, so if you start with three, x will actually appear as 4) and nn is the address where the lives are stored. Then you have to look for some code which does LD A,nn : DEC A or LD HL,nn : DEC HL where nn is the address you've just worked out. You may find that there are a few addresses that have the same number put into them as the one you're looking for and will decrease at a later stage, so you may have to try more than one address. Make a note of these addresses, 'cos you then have to go back into the BASIC program and change them. This you do by replacing the DEC instruction with a NOP by POKEing the address of the DEC with a zero. Make sure you add this before the RAND USR command and then, when you've done them all, RUN it so that it loads in the game, including the POKEs you've added. In the case of the emulator POKE them via the Poke button and then Run the program.
Infinite time (for games with a time limit) can appear in the same way. Though this time you should look for instructions such as LD HL,xx : LD (nn),HL and then LD HL,(nn) : DEC HL 'cos most time counters are larger than 255.
If you can't find infinite lives in this way, then look for the "GAME OVER" message, find out the address it refers to (by looking for LD HL,nn or LD DE,nn where nn is the address of the message), find out what makes it go to the code that does this, and somewhere round there will be a message to decrease your lives counter or the time counter. This is back- tracking, 'cos that's really what you're doing - starting at the end and working backwards!
This is the one major problem you may come across when you get into hacking protected games. After all, they're put there to stop the hackers! Most of them incorporate some machine code into the BASIC loader so that it can't be MERGEd. This machine code contains another loader that loads up the game and then executes it, so that the game actually auto-loads - you can't stop it in the middle. You can LOAD up a MERGE- proof program so that it doesn't auto-run by creating a false header for it. However, you'll need to do some more book reading on this, 'cos now you are talking complications. For some in-depth information read The Complete ROM Disassembled by, yep, you guessed it, Melbourne House. You'll also need to know something about system variables 'cos some protection systems check these to see if you're hacking, so have a look in a Spectrum Manual for details of these.
Okay, that's a thumbnail sketch of how to hack. It's really fun to do once you've started. So next time you load that game and your about to poke in a hack, run the monitor and see what your changing first.