HOW TO HACK

By Jon North

Sinclair ZX Spectrum
ISSUE 55
After about five years of hacking for all three Speccy mags, I have decided to tell the world exactly what to do and how to do it - and it's been causing quite a stir amongst hacking circles! Over the next few months I'll be showing how to hack infinite lives and energy out of games, and how to crack just about every protection system ever written. You won't need an in-depth knowledge of machine code, and everything you will need will be handed to you on a plate. I'll be concentrating mainly on old YS Covertapes, so you won't need to shell out too much on new games. Anyway, enough of the waffle and on with the show...
What You'll Need
First and foremost, you'll need a disassembler, preferably one that you can load anywhere. HiSoft's Devpac springs to mind. If you want to find pokes for protected games before I've gone through the protection system, you'll also need a Multiface with Genie. Finally, and most importantly, you'll need time, determination and patience. You won't find pokes within a second of looking for them - not yet anyway.
How To Hack
There are three ways of hacking out an infinite lives poke - working forwards, working backwards and not working at all(!).
WORKING FORWARDS
First of all, find the number of lives you get (say, 5). Your disassembler should have a "find" or "search" option, so use that. Now look in the code for 3E 05 32 (where 05 is the number of lives). This is hex for the machine code instruction LD A,05 which is the same as the Basic command LET a=5. The 32 is the code for instruction LD (address),A. The brackets signify PEEK, so this instruction is the same as Basic's POKE address,a. Write down all the addresses you find. Now do the same, but using lives+1 and lives-1, for example if you have 5 lives, look for 3E 04 32 and 3E 06 32.
Now for the trial and error part - the most time-consuming. This is where you'll ideally need a Multiface. POKE each value of 5 you've found, one by one, with a different value, say 2 or 3. Eventually you'll find the one that gives you 2 or 3 lives. If you don't have any success, try repeating this whole procedure, but this time looking for number of lives + or - 1, i.e. search for 4 and 6.
You've just found the number of lives POKE. Make a note of the address it's put into. For instance, if the instruction after LD A,05 was LD (5B3A),A then the address you need to know is 5B3A. This is called the "lives store", and is what you need to look for next.
Search for 21 address or 3A address. Note that the address should be entered with the second two digits first, then the first two (the Z80 stores addresses low byte first). In this example, search for 21 3A 5B or 3A 3A 5B. Note down every value you find, then disassemble them.
For every 21 you check, the instruction you want to find is DEC (HL). DEC implies "subtract 1", and "(HL)" signifies PEEK HL, i.e. POKE HL,PEEK HL-1. Note the addresses of every one you find.
Similarly, when you check 3A, look for DEC A and SUB n, where n is a number between 1 and 255 (usually between 1 and 20). 3A is the code for LD A,(address). After the DEC A or SUB n you should find LD (address),A where the address is the lives store. If not, you can ignore the DEC or SUB because they have no effect. If you find several DEC A, DEC (HL) or SUB n instructions, note them all. They will be for loss of life at different points in the game, for instance one may be for level 1 and another for level 2.
Now for the good bit - POKE all the addresses you've written down for DEC (HL) or DEC A with 0. POKE any SUB n's you've found to read SUB 0 (POKE the address after the SUB instruction), then play the game. Infinite lives should be yours. Note that when you try the game with the POKEs in place, you may get just one life before the "Game Over" message. If this happens, just replace all the POKEs with 182 for DEC (HL) and 183 for DEC A. This is code for OR (HL) and OR A. I'm not sure why this happens, but it is not important.
Example: A Nightmare on Robinson Street
You get 50 life points at the start of the game. 50 is 32 in hex, so search for 3E 32 32. There are two, one at C2E1 and the other at C322. The one at C322 does nothing; the other gives 'x' amount of life points. The instruction after the one at C2E1 is LD (D310),A, so you know that the lives are stored at D310. Now look for 3A 10 D3. There are four - at C3B0, D00D, D3E6 and DB47. The code at C3B0 reads:
       
LD A,(D310)   (A is the value in the lives store)
CP 0   (Compare with 0)
JP Z,DE4B   (If it is, Jump to address DE4B. This is the same as GOTO)
There are no DEC A's here, so ignore it.
The code at D00D reads:
LD A,(D310)  (A is the value in the lives store)
CP 0  (Compare with 0)
RET Z  (RETurn if it is. This is the same as RETURN in Basic)
DEC A  (Aha!)
LD (D310),A  (Put the new value back in the lives store)
RET     (And return)
You should POKE this DEC A with 0. The address is D013. The code at D3E6:
LD A,(D310)   (A is the value in the lives store)
LD E,0A   (LET e=10)
LD D,30   (LET d=48)
SUB E   (LET a=a-e)
JR C,D3F4   (Jump forward if less than 0)
INC D   (LET d=d+1)
JP D3ED   (GOTO address D3ED)
This does nothing. Although there is a SUB E here, it is not put back into the lives store and can be ignored. The code at DB47:
LD A,(D310)   (A is the value in the lives store)
SUB 4   (SUBtract 4)
LD (D310),A   (Put the new value back in the lives store)
JP NC,DB37   (Jump to DB37 if the result hasn't gone below 0)
XOR A   (Otherwise A=0)
LD (D310),A   (Put 0 in the lives store)
JP DB37   (And jump to DB37)
       
The SUB 4 should be POKEd to read SUB 0. The SUB instruction is at DB4A, but the 4, which you want to change, is one after this, i.e. DB4B.
So for infinite lives, POKE D013,0 and POKE DB4B,0.
WORKING BACKWARDS
This is known as "backtracking". You work backwards from the Game Over message to find infinite lives. To start with, find the message you get after you lose your last life, like "Game Over" or "GAME OVER" or "You're Dead" etc. Now convert each letter into its ASCII value and search for the first, say, 5 or 6. Don't search for the last one, because this sometimes has a different value, to tell the printing routine that it is the last letter. If the message is "GAME OVER", the values you search for are 47 41 4D 45 20 4F 56. This will search for GAME OV which can only be the Game Over message, and so will only appear once. If you can't find it, forget any ideas about backtracking for that game - the text will be encrypted and will take lots of knowledge and time to find.
If you do find it, you now search for the address it appears at - if the address is ED47, say, search for 47 ED. If nothing comes up, try going one or two back from this, i.e. 46 ED or 45 ED. There may be some special characters at the start of the message, like the PRINT AT coordinates, or the ink colour. Go back up to about 5 or 6 bytes away.
Now check the values before each occurrence of the address. The values you are looking for are 01, 11 and 21, which are LD BC,address; LD DE,address and LD HL,address respectively. This is the routine that prints the message on the screen. If the address occurs several times, there should only be one occurrence that prints it. If there are more, write them all down and treat them separately.
Go back about 30 or 40 bytes from each LD BC/DE/HL you find and look for the start of the Game Over routine. You are looking for JP, JR and RET instructions. The address after these should be the start of the routine. If you don't find one, go back even further.
When you know the start of the routine, look for that address in the same way as you looked for the address of the message. Write down every address it occurs at. Now check the byte before the occurrence - you are looking for JP (perhaps with a Z,NZ,C,NC after it) or a CALL (again with the same letters after it, perhaps). For each one you find, go back about 10 bytes and have a look. Somewhere you should find a LD A,(address). The address will be the lives store, and you can search for infinite lives in exactly the same way as you did by going forwards.
Example: A Nightmare on Robinson Street
The message is GAME OVER, so search for 47 41 4D 45 20 4F 56. This occurs at DF8D. Now look for 8D DF. Nothing useful appears, but when you search for 8C DF there is a LD DE at DE53. Go back about 10 bytes and the start of the routine can be seen to be DE4B. Now look for 4B DE; there is a JP Z at C3B5. Go back about 10 bytes and you will see LD A,(D310) so you know that D310 is the lives store. You can now look for infinite lives as described above.
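The backtracking steps just described, written as a small Python scanner over a memory image. This is an added example, not the article's own code; the image is rebuilt from the Robinson Street listings, and the control byte before the text, the RET before DE4B, the zero (NOP) filler everywhere else and the lookback distances are all assumptions.

```python
# Added example, not the article's code: the 'backtracking' steps as a scanner over a memory
# image rebuilt from the Robinson Street listing. Bytes the text doesn't give are assumed zero (NOP).
import re

LD_BC_NN, LD_DE_NN, LD_HL_NN, LD_A_NN = 0x01, 0x11, 0x21, 0x3A
ROUTINE_ENDS = {0xC3, 0x18, 0xC9}                                   # JP nn, JR e, RET
JP_OR_CALL = {0xC3, 0xCD, 0xC2, 0xCA, 0xD2, 0xDA, 0xC4, 0xCC, 0xD4, 0xDC}  # plain or NZ/Z/NC/C

def find_all(mem, pat):
    return [m.start() for m in re.finditer(re.escape(pat), mem)]

def refs_to(mem, addr, slack=0):
    """Offsets of little-endian pointers to addr, addr-1 ... addr-slack (the '5 or 6 back')."""
    return sorted(off for back in range(slack + 1)
                  for off in find_all(mem, (addr - back).to_bytes(2, "little")))

def find_message_printers(mem, text, slack=6):
    """ASCII search for all but the last letter, then the LD BC/DE/HL,<message> that points at it."""
    msg = mem.find(text[:-1].encode("ascii"))
    if msg == -1:
        return []                                     # text is encrypted: backtracking is off
    return [off - 1 for off in refs_to(mem, msg, slack)
            if mem[off - 1] in (LD_BC_NN, LD_DE_NN, LD_HL_NN)]

def routine_start(mem, printer, lookback=40):
    """Walk back from the LD to the nearest JP/JR/RET; the routine starts just after it."""
    for j in range(printer - 1, printer - lookback, -1):
        if mem[j] in ROUTINE_ENDS:
            return j + 1
    return None

def find_lives_store_candidates(mem, start, lookback=10):
    """JP/CALL (cc),start references, then each LD A,(nn) shortly before one: nn is the store."""
    return [(j, mem[j + 1] | mem[j + 2] << 8)
            for off in refs_to(mem, start) if mem[off - 1] in JP_OR_CALL
            for j in range(off - 1 - lookback, off - 1) if mem[j] == LD_A_NN]

# Constructed image: the GAME OVER text, its print routine and the one JP Z that reaches it.
_ram = bytearray(0x10000)
_ram[0xDF8C:0xDF96] = b"\x16" + b"GAME OVER"           # one control byte before the text (assumed)
_ram[0xDE4A] = 0xC9                                     # RET ending the routine before DE4B
_ram[0xDE53:0xDE56] = bytes.fromhex("11 8C DF")         # LD DE,DF8C inside the Game Over routine
_ram[0xC3B0:0xC3B8] = bytes.fromhex("3A 10 D3 FE 00 CA 4B DE")  # LD A,(D310) ; CP 0 ; JP Z,DE4B
IMAGE = bytes(_ram)
```

Run on a real 48K snapshot the same three calls give you the printer LD, the routine start and the LD A,(address) to chase, in that order; anything the text calls "encrypted" simply returns an empty list at the first step.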
NOT WORKING AT ALL
This is the ultimate cheat - hacking without hacking. You will need a Multiface with Genie or something similar, and a game where you can press the button while you are actually dying - perhaps when the screen flashes or a bleep bleeps. This is the first step - press the button AS you die. Timing is critical, because if you are too fast or too slow, you will not find out what you need to.
When you break into the game, look at the value of SP - one of the Z80 registers (like Basic variables). Examine the address it holds and write down the value there and for the next, say, 10 bytes. Check the contents of the address given by the first two bytes at SP, for instance, if they are A3 B5 then disassemble B5A3. Look for the start of the routine, and backtrack from it as described above.
Example: Moley Christmas
When you lose all your energy, the energy icon flashes for about a second. Press the button while it is flashing. Your values may be slightly different from mine, but when I did it, the value of SP was 5DF8. At this address were the following values: F1 A2 9A 1D 49 92. Disassemble A2F1, you will see:
       
POP BC    
DJNZ A2D8    
RET      
Because of the RET I know I am towards the end of the routine, so go back a bit, say to A2D0. Here we see:
RET    
LD IY,5C3A  
So I know where the start of the routine is - A2D1. The RET is the end of the previous routine. Now search for D1 A2. There is only one, at 9247. Go back from here, say to 9230:
SET 2,(HL)  
LD A,(HL)  
RET    
LD (95E2),SP  
CALL 9EA0  
LD IX,8125
LD A,(810D)
OR A
JP P,925B
CALL A2D1   etc.
The address it checks before it ends up at the flashing energy bar routine is 810D, so this will be the energy store. Search for 0D 81; there are four - at 8543, 855F, 876E and 9240.
8542:
LD HL,810D
DEC (HL)  
RET M  
JP 876D  
POKE the DEC (HL) with 0 (at 8545).
855E:
LD (810D),A  
There are no DECs here, so you can ignore it.
876E:
LD A,(810D)
AND F0  
ADD A,A  
LD L,A  
LD H,0  
ADD HL,HL   etc.
       
There are no DECs here, either. Hence, for infinite energy simply POKE 8545,0.
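Both the Working Forwards search (3E lives 32, then a 3A or 21 load of the store followed by DEC or SUB) and the Moley Christmas energy check just shown, as one added example that is not the article's own code. The two memory images are rebuilt from the listings in the text with everything not shown assumed to be zero (NOP); the 8-byte search window is also an assumption, and any hit is still a candidate to be tried in the game exactly as the article says.

```python
# Added example, not the article's code: scans a 48K Spectrum memory image for the byte patterns
# the column searches by hand. Images are rebuilt from the text's listings; the NOP-filled rest is assumed.
import re
LD_A_N, LD_NN_A, LD_A_NN, LD_HL_NN = 0x3E, 0x32, 0x3A, 0x21    # Z80 opcodes
DEC_A, DEC_HL, SUB_N, NOP, OR_A, OR_HL = 0x3D, 0x35, 0xD6, 0x00, 0xB7, 0xB6

def build_image(chunks):
    mem = bytearray(0x10000)                   # 64K of NOPs ...
    for addr, code in chunks.items():
        mem[addr:addr + len(code)] = code      # ... with each fragment at its own address
    return bytes(mem)

def find_all(mem, pat):
    """Every offset of a byte pattern (the disassembler's 'find' option)."""
    return [m.start() for m in re.finditer(re.escape(pat), mem)]

def find_lives_stores(mem, lives):
    """3E lives 32 lo hi = LD A,lives ; LD (nn),A -> [(address, nn)]; nn is a candidate lives store."""
    return [(i, mem[i + 3] | mem[i + 4] << 8)
            for i in find_all(mem, bytes([LD_A_N, lives, LD_NN_A]))]

def find_decrement_pokes(mem, store, window=8):
    """'Working forwards' rules for one store -> [(poke address, value, alternative that keeps the flags)].
    DEC A / SUB n count only when LD (store),A follows; otherwise nothing is written back."""
    lo, hi = store & 0xFF, store >> 8
    write_back, pokes = bytes([LD_NN_A, lo, hi]), []
    for i in find_all(mem, bytes([LD_HL_NN, lo, hi])):            # LD HL,store
        for j in range(i + 3, min(i + 3 + window, len(mem))):
            if mem[j] == DEC_HL:
                pokes.append((j, NOP, OR_HL)); break              # NOP, or OR (HL) = 182
    for i in find_all(mem, bytes([LD_A_NN, lo, hi])):            # LD A,(store)
        for j in range(i + 3, min(i + 3 + window, len(mem))):
            if mem[j] == DEC_A and mem[j + 1:j + 4] == write_back:
                pokes.append((j, NOP, OR_A)); break               # NOP, or OR A = 183
            if mem[j] == SUB_N and mem[j + 2:j + 5] == write_back:
                pokes.append((j + 1, NOP, NOP)); break            # operand byte: SUB n -> SUB 0
    return sorted(pokes)

# A Nightmare on Robinson Street, from the article's listings (50 = 0x32 life points).
ROBINSON = build_image({
    0xC2E1: bytes.fromhex("3E 32 32 10 D3"),                     # LD A,32 ; LD (D310),A
    0xC3B0: bytes.fromhex("3A 10 D3 FE 00 CA 4B DE"),            # CP 0 ; JP Z,DE4B - no DEC
    0xD00D: bytes.fromhex("3A 10 D3 FE 00 C8 3D 32 10 D3 C9"),   # DEC A at D013
    0xD3E6: bytes.fromhex("3A 10 D3 1E 0A 16 30 93 38 04 14 C3 ED D3"),  # SUB E, never stored back
    0xDB47: bytes.fromhex("3A 10 D3 D6 04 32 10 D3 D2 37 DB AF 32 10 D3 C3 37 DB")})  # SUB 4 at DB4A
# Moley Christmas, energy store 810D: only the DEC (HL) at 8545 should qualify.
MOLEY = build_image({0x8542: bytes.fromhex("21 0D 81 35 F8 C3 6D 87"),       # LD HL,810D ; DEC (HL)
                     0x855E: bytes.fromhex("32 0D 81"),                        # LD (810D),A only
                     0x876E: bytes.fromhex("3A 0D 81 E6 F0 87 6F 26 00 29"),   # AND F0 ... no DEC
                     0x923F: bytes.fromhex("3A 0D 81 B7 F2 5B 92 CD D1 A2")})  # OR A ; JP P ... no DEC
```

The third value in each result is the 182/183 fallback from the Working Forwards section: OR (HL) and OR A leave the store alone but still set the flags the following conditional jump reads, which is why they work where a plain 0 (NOP) gives one life and then Game Over.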
Well, that lot should keep you out of trouble for a month or two. From next month on, I'll be dealing with loading systems. Next month I'll cover headerless loaders, easy turboloaders, decryption and Firebird Bleepload - and I'll show you how I went about writing the Multipoke. In the meantime, if you've got any questions, write to Jon North, How-2-Hack, YS, 30 Monmouth Street, Bath, Avon BA1 2AP. Remember - if it loads, hack it!