toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Thu 02 Jul 2009, 18:41 Subject: International Gran Prix (Riverbank Software, 1981)
After months of hard work, it is now time to go back to my favorite activity... and the victim is International Gran Prix by Riverbank Software, Inc. Play against yourself in five different international grand prix races.
That game is one of my favorites. Real-time, feeling of speed, etc. A must for 1981!
The game cannot be copied with a standard disk copier. When it is booted, the game loads fast and once in memory, there are no more calls to the disk. Soooo, let's boot trace it:
Code: |
9600<C600.C6FFM
96FB: 4C 59 FF (remember, I have a IIgs)
9600G
C0E8
|
The first sector of the first track is loaded from $0800 to $08FF, here is the code:
Code: |
*
* International Gran Prix
* (c) 1981, Riverbank Software, Inc.
* Author: Richard Orban
*
* (k) 2009, LoGo
*
org $0800
mx %11
lst off
*-----------
L0800 DB $01
LDY #$00 ; Copy boot 1 code
]lp LDA L0800,Y ; to $0300 and jump
STA $0300,Y
INY
BNE ]lp
JMP $0310
DB $00
*----------- $0310 is here
org $0310
LDA #$00
STA $01 ; number of $800 bytes to load
STA $10 ; low buffer
STA $15 ; track
JSR L0350 ; move head
LDA #$08 ; load at $0800
STA $11
JSR L0350 ; move head
JSR L0386 ; read data
JSR L0350 ; move head
LDA #$60 ; load at $6000
STA $11
LDA #$09 ; nine chunks of $0800 data
STA $00
L0830 LDA $11 ; every $0800 bytes we said
AND #$F8
STA $11
JSR L0350 ; move head
JSR L0386 ; read data
DEC $00
BNE L0830 ; until that's done!
JSR L0350 ; move head
JSR L0350 ; move head
LDX $2B
LDA $C088,X ; stop drive
JMP $6000 ; JUMP
DB $00
DB $00
*-----------
L0350 JSR L035A
JSR L035A
LDA #$FF
BNE L037B
L035A LDA $15
PHA
INC $15
LDA $15
AND #$03
ASL
ORA $2B
TAX
LDA $C081,X
LDA #$01
JSR L037B
PLA
AND #$03
ASL
ORA $2B
TAX
LDA $C080,X
LDA #$70
L037B LDY #$11
]lp DEY
BNE ]lp
SEC
SBC #$01
BNE L037B
RTS
*----------- Read header
L0386 LDX $2B
L0388 LDY $C08C,X
BPL L0388
CPY #$FF ; first marker
BNE L0388
NOP
]lp LDY $C08C,X
BPL ]lp
CPY #$FF ; marker
BEQ ]lp
CPY #$AA ; data marker
BNE L0388
*----------- Read data
L039F LDY $C08C,X ; A sort of 4*4
BPL L039F ; coding using
L03A4 LDA $0300,Y ; our own code
ASL ; to decipher!
ASL
ASL
ASL ; first part of the nibble
]lp LDY $C08C,X
BPL ]lp
ORA $0300,Y ; second part of the nibble
LDY $01
STA ($10),Y ; save data
INC $01
BNE L039F
]lp LDY $C08C,X ; read...
BPL ]lp
INC $11 ; next buffer pointer
CPY #$FF ; ...until #$FF
BNE L03A4
RTS
HEX 00000000000000000000000000000000
HEX 000000000F000E0D0C00000000000000
HEX 0000000B0A0009080700000000000605
HEX 040000030200010000
|
What kind of protection is it?
It is a sort of 4*4 nibble coding where real bytes are determined by the translation table at the end of the program above.
Getting the program in memory
Oh, it appears to be simple: bypass the JMP $6000 and replace it with JMP $FF59:
Code: |
9600<C600.C6FFM
96FB:A9 59 8D 4C 08 A9 FF 8D 4D 08 4C 01 08
9600G
Bip
|
Bingo, the program is completely loaded at the following memory locations:
- $0800..$0FFF
- $6000..$A7FF
And that's it! No further checks, nothing at all. No, really. I am really disappointed.
Making a working copy
Two ways:
- Create a DOS 3.3 disk, merge the two parts in one, make it a BIN file with two move routines and BRUN it,
- Make your own loader, load the program into memory and execute.
I will do that one and post it on the BD site.
Antoine
6/2009
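The read routine at L0386 and its translation table, modelled in Python as an added example that is not part of the original post. It assumes the table's last byte sits at $03FF (the 256-byte boot sector is copied to $0300) and, for the constructed test stream only, that $FE encodes the value 0; `lookup`, `decode_track` and `encode_pages` are names chosen here.

```python
# Added example (not from the original post): Python model of the read routine at L0386.
# Table bytes copied verbatim from the HEX lines that end the listing.
TABLE = bytes.fromhex(
    "00000000000000000000000000000000"
    "000000000F000E0D0C00000000000000"
    "0000000B0A0009080700000000000605"
    "040000030200010000"
)
# Assumption: the boot sector occupies $0300..$03FF, so the table's last byte is
# at $03FF and LDA $0300,Y indexes it directly with the disk nibble Y.
TABLE_BASE = 0x100 - len(TABLE)          # low byte of the table's first address

def lookup(y):
    """Value the loader gets from LDA $0300,Y for disk nibble y."""
    if y < TABLE_BASE:
        raise ValueError(f"nibble ${y:02X} indexes loader code, not the table")
    return TABLE[y - TABLE_BASE]

def decode_track(stream):
    """Sync on $FF.. $AA, then build one byte from each pair of nibbles."""
    nib = [b for b in stream if b & 0x80]    # the BPL loops wait for bit 7
    i = 0
    try:
        while True:                          # header search (L0388)
            while nib[i] != 0xFF:
                i += 1
            while nib[i] == 0xFF:
                i += 1
            if nib[i] == 0xAA:
                i += 1
                break
        out = bytearray()
        while True:                          # data (L039F / L03A4)
            for _ in range(256):
                out.append(lookup(nib[i]) << 4 | lookup(nib[i + 1]))
                i += 2
            if nib[i] == 0xFF:               # $FF at a page boundary ends the read
                return bytes(out)
    except IndexError:
        raise ValueError("nibble stream ended before the $FF terminator") from None

# Constructed test data. Assumption: $FE stands for value 0 on disk; the table
# cannot show this because unused entries are also 0.
ENCODE = {v: TABLE_BASE + k for k, v in enumerate(TABLE) if v}
ENCODE[0] = 0xFE

def encode_pages(data):
    body = bytes(n for b in data for n in (ENCODE[b >> 4], ENCODE[b & 15]))
    return b"\xFF" * 8 + b"\xAA" + body + b"\xFF"
```

Each decoded byte costs two disk nibbles, and a read ends only when $FF appears where the high nibble of a new 256-byte page would start.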