HOW TO HACK

By Jon North

Sinclair ZX Spectrum
ISSUE 68
This issue marks the end of this series, because I've more or less covered everything that I wanted to. There are just a few things left to clear up, so I thought I'd do them as a question-and-answer type of thing. Oh, and there are some pointers for the Search loader and Alkatrazz in there too.
A Few Questions
Is Your * Key Stuck?
Stephen Gregory of Derbyshire wants to know what the * means in front of *Load and *List. These two are not basic commands, but listings I gave in issue 56. You'll need them both to hack just about anything. *Load loads a basic program and stops it autorunning, and *List lists the program as it would be run (because it's possible to disguise basic so that it LISTs differently to how it RUNs).
Where's The Game?
Loads of you have written asking the simple question, how do you load a game and disassembler at the same time? For old games, which start at 32768, you can load the game code to its normal address and load Devpac in low memory (about 25000ish). Remember that Devpac will execute wherever you load it to - it relocates itself! On larger games, which use all the memory, load the game then load Devpac in either low memory (about 25000ish) or high memory (about 60000ish). That way, you'll be more likely to overwrite graphic and map data rather than the all-important game code. The ideal set-up should be Devpac for hacking protection systems, and a Multiface and Genie, or SoftRom and SoftCrack to hack games - for hacking games you only need a very limited disassembler, but the advanced features of Devpac make it ideal for protection.
One last point for anyone hacking the new Speedlocks (5 upwards). Check the CALL address in the routine which loads the first short turboload block. That address is later overwritten with a very simple game decrypter, which you will need to crack before you can hack the game (it usually resides around FE5Cish). And don't forget to check if the game is moved when loaded - you won't be able to backtrack if you don't move it to where it should be.
HOW DO YOU FIND TIME POKES?
There are two ways of hacking infy time. Firstly, backtrack from the Game Over message and simply remove all JPs and CALLs to it, and that will make the counter loop back to its highest value when it reaches zero. Alternatively, slap on your Multiface button and check the value of I (a special register used for Interrupt Mode 2). Go to the page number that I dictates (e.g. if I is 9C, then check 9C00) and check the contents. Whatever is at that address, go to where it points by typing it twice (e.g. if (9C00) is 9D, check 9D9D). It will probably be a JP to another routine. Check this other routine and play around with it (maybe take a CALL out of it or something). Somewhere in that routine is the code to decrease the timer, because interrupts work in real time (50 every second) so it's ideal.
NOTES ON ALKATRAZZ
Basically, Alkatrazz is dead easy as long as you can handle R-reg decrypters. The only thing it is notorious for is its length - an average Alkatrazz game has about 150-200 decrypters. The basic has about 10 or 20 standard decrypters with nothing to worry about. The turboloader to load the first short turbo block overloads itself and changes while it's doing it, so watch out for that. Three NOPs toward the end are changed into a JP to the main decryption, so they'll need patching at some stage. The main decrypters have different endings and, like recent Speedlocks, use their own last byte as the first byte for decryption. They end in JP NZ, JR NZ, RET NZ and a few other variations, so make sure if you move them that you know what they're doing and where they're going. The main turboloader is easy to crack. There is a LDIR towards the end of it which blanks itself out once the game has loaded - simply replace it with your infy lives pokes and follow them with a RET to start the game.
NOTES ON THE SEARCH LOADER
First of all, that big headerless block is treated as a series of shorter blocks without leader tones (like Powerload and Softlock), but you need to hack each one so you'll have to keep going back to the start of the block each time. Don't worry though - there are only three or four you need to keep control over before you can access the game. The game decrypters work by filling all the unused memory with garbage, then adding the whole memory together (including the encrypted game) to get a value in A - this value is used to decrypt. The easiest way of overcoming it is to write a simple FOR-NEXT loop in Basic to move the code to be decrypted somewhere, and patch in every possible value of A. Check the code after it's been decrypted and see if it makes sense (if it's another CALL to the decrypter you've used the correct value of A). The main game decrypter works in a similar way but returns a value from the addition routine in HL (so it's anything from 0-65535, not 0-255).
The easiest way of getting the value of HL is with a Multiface and stopwatch. Load the game and time how long it takes to start, then reload and press your Multiface button just before - with a bit of luck you'll break in while it's in the middle of that decrypter and be able to just look at HL to find its value. Your hack can load the game, stop the garbage routine (so you've got somewhere to put your hack) and patch in the correct values for those checksums (i.e. instead of letting it add all the memory to get a value for A or HL, just do LD A,nn or LD HL,nnnn in your hack followed by a CALL to the decrypter).
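As an added illustration (not from the original article), here is a Python model of the Search loader's checksum-derived key and of the FOR-NEXT style brute force described above, for both the 8-bit (A) and 16-bit (HL) variants. The XOR-with-key decryption, the decrypter address 0xC000 and the sample bytes are assumptions, since the article doesn't give the actual routine; the point it shows is that a key that can only take 256 or 65536 values is recovered in a fraction of a second no matter how it was derived.

```python
from typing import Callable, List

# Constructed address of the game's decrypter routine; the article says a
# correct key turns the decrypted bytes into another CALL to that routine.
DECRYPTER_ADDR = 0xC000

def memory_checksum(memory: bytes, width: int) -> int:
    """What the loader does: add every byte of memory (garbage fill included)
    and keep the low 8 bits (A) or 16 bits (HL) as the decryption key."""
    return sum(memory) & ((1 << width) - 1)

def decrypt(block: bytes, key: int, width: int) -> bytes:
    """Assumed scheme: XOR each byte with the key (low byte, high byte, low ...).
    XOR is its own inverse, so the same call also encrypts a plaintext block."""
    key_bytes = key.to_bytes(width // 8, "little")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(block))

def looks_like_call_to_decrypter(code: bytes) -> bool:
    """The sanity check from the article: Z80 CALL nn is 0xCD lo hi."""
    return (len(code) >= 3 and code[0] == 0xCD
            and int.from_bytes(code[1:3], "little") == DECRYPTER_ADDR)

def brute_force_key(block: bytes, width: int,
                    is_sane: Callable[[bytes], bool]) -> List[int]:
    """The FOR-NEXT loop idea: try every value of A (256) or HL (65536)
    and keep the ones whose decrypted output makes sense."""
    return [key for key in range(1 << width)
            if is_sane(decrypt(block, key, width))]

# Constructed plaintext: CALL DECRYPTER_ADDR ; LD A,3 ; RET
PLAIN = bytes([0xCD, 0x00, 0xC0, 0x3E, 0x03, 0xC9])

if __name__ == "__main__":
    for width, key in ((8, 0x9C), (16, 0x12AB)):
        recovered = brute_force_key(decrypt(PLAIN, key, width), width,
                                    looks_like_call_to_decrypter)
        print(f"{width}-bit key {key:#x} recovered as {[hex(k) for k in recovered]}")
```

The "makes sense" test is the weak link: a marker that matches by accident gives false hits, so on a real block check a few instructions, not just the first one.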
Is That It Then?
Yep, 'fraid so. That's it. If another juicy protection system comes out, I might do a one-off special. We'll see. If you've got any hacking probs, you can still drop me a line. The name's Jon North and the address, as ever, is How to Hack, YS, 30 Monmouth Street, Bath, Avon BA1 2BW. See you in the scrolly.