toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Mon 06 Sep 2010, 18:28 Post subject: Dungeon (TSR, 1980-1982)
Another D&D game from TSR HOBBIES.
PROTECTION TYPE
On a standard DOS 3.3 diskette with a standard RWTS:
- Change of markers: D5 AA 96, DE AA, D5 AA xx where xx depends on the track number,
- Change of sync nibble. Instead of FF, the sync nibble is DD.
DISK COPY
- Launch Advanced Demuffin 1.4
- Insert Dungeon in drive 1
- Insert a blank (volume 254) diskette in drive 2
- Press P to by-pass boot
- Copy tracks 0 to 4
The second step: the other tracks:
- Launch Advanced Demuffin 1.4
- Insert Dungeon in drive 1
- Re-use the same diskette in drive 2
- Press B to get the RWTS of the game
- Apply patch (see next message)
- Copy tracks 5 to $22 of the disk
REMOVE THE PROTECTION
Launch your favorite disk editor (mine is Disk Fixer 4)
- on track 0 / sector F / offset $C8: replace 20 with 4C
- save the sector back to disk
Your backup copy is now ready, enjoy that D&D game!
Toinet
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Mon 06 Sep 2010, 18:48
Now the data markers per track:
Code: |
MARKER TRACK
F7 00
F7 01
F7 02
F7 03
F5 04
F7 05
F7 06
B7 07
F7 08
B7 09
F5 0A
F5 0B
F7 0C
B7 0D
F7 0E
B7 0F
F5 10
F7 11
F7 12
B7 13
F5 14
B7 15
F7 16
B7 17
F5 18
F7 19
F7 1A
F5 1B
F5 1C
F7 1D
F7 1E
F7 1F
F5 20
F7 21
B7 22
|
And, now, for something completely different, the routine at $ADE0 that determines the marker value:
Code: |
00E0: AC EC B7   LDY $B7EC
00E3: B9 00 F8   LDA $F800,Y   ; get value from ROM
00E6: 29 42      AND #$42
00E8: D0 02      BNE $00EC
00EA: A9 42      LDA #$42
00EC: 09 B5      ORA #$B5
00EE: 8D 5D B8   STA $B85D     ; write data marker routine
00F1: 8D FC B8   STA $B8FC     ; read data marker routine
00F4: 60         RTS
|
And, the routine at $AE10 which reads the sync nibbles before it jumps to the above routine:
Code: |
0010: BD 8C C0   LDA $C08C,X
0013: 10 FB      BPL $0010
0015: C9 D5      CMP #$D5      ; Is that the data marker?
0017: F0 C7      BEQ $FFE0     ; Go to $ADE0
0019: C9 DD      CMP #$DD      ; Or the sync nibble?
001B: F0 F3      BEQ $0010     ; Loop until...
001D: 4C CB BF   JMP $BFCB     ; Return
|
And now, the routine at $BFC8. The crack just replaces the JSR with a JMP at offset $C8. Easy one.
Code: |
00C8: 20 A0 B9   JSR $B9A0     ; move arm (20 = JSR as shipped; the crack writes 4C = JMP here)
00CB: A0 0A      LDY #$0A      ; read sync nibbles
00CD: BD 8C C0   LDA $C08C,X
00D0: 10 FB      BPL $00CD
00D2: C9 DD      CMP #$DD      ; a sort of nibble count
00D4: D0 F5      BNE $00CB
00D6: 88         DEY
00D7: D0 F4      BNE $00CD
00D9: 4C 10 AE   JMP $AE10     ; if we're ready, set the marker
|
But, heh, where is that routine called? At two places:
1/ once the DOS is loaded in T0/S7, offset $41: 4C C8 BF
2/ after a RAM modification at T0/SE, offset $8B: 4C A0 B9
Next thread, please...
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Mon 06 Sep 2010, 19:33
The following routine, let's call it "patch", is to be entered in the monitor:
Code: |
B700: 20 A0 B9 A0 04 B1 48 A8 B9 00 F8 29 42 D0 02 A9 42 09 B5 8D FC B8 60
BE8B: 4C 00 B7
|
That patch takes the track number from the IOB table, moves the value into Y, reads the corresponding value from ROM and calculates the data marker value.
The second change patches the call to the MOVEARM routine so that it first calls our patch.
That is the main core to copy tracks 5 to $22.
Enjoy,
Antoine
9/2010
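The marker calculation from the $ADE0 listing (repeated by the B700 patch), recomputed for every track and compared with the posted table; this is an added example, not part of the original posts. The ROM bytes at $F800 are an assumption (Apple II Monitor ROM contents transcribed for this example, not listed in the thread), and the function names are hypothetical.

```python
# Added example (not from the thread): the marker calculation from the
# $ADE0 listing, checked against the per-track table posted above.

# ASSUMPTION: first $23 bytes of the Apple II Monitor ROM at $F800,
# transcribed for this example; the thread does not list them.
ROM_F800 = bytes.fromhex(
    "4A 08 20 47 F8 28 A9 0F 90 02 69 E0 85 2E B1 26 "
    "45 30 25 2E 51 26 91 26 60 20 00 F8 C4 2C B0 11 "
    "C8 20 0E"
)

# Data markers as posted in the thread, tracks $00..$22 in order.
POSTED = bytes.fromhex(
    "F7 F7 F7 F7 F5 F7 F7 B7 F7 B7 F5 F5 F7 B7 F7 B7 "
    "F5 F7 F7 B7 F5 B7 F7 B7 F5 F7 F7 F5 F5 F7 F7 F7 "
    "F5 F7 B7"
)


def data_marker(track, rom=ROM_F800):
    """Third data-prologue nibble (D5 AA xx) for a track, as computed at $ADE0."""
    a = rom[track] & 0x42   # LDA $F800,Y / AND #$42
    if a == 0:              # BNE skips the reload when either bit survived
        a = 0x42            # LDA #$42
    return a | 0xB5         # ORA #$B5


def marker_table(last_track=0x22):
    """Markers for tracks $00..last_track."""
    return bytes(data_marker(t) for t in range(last_track + 1))


def mismatches():
    """Tracks where the computed marker differs from the posted table."""
    calc = marker_table()
    return [t for t in range(len(POSTED)) if calc[t] != POSTED[t]]


if __name__ == "__main__":
    for t, m in enumerate(marker_table()):
        print(f"track ${t:02X}: D5 AA {m:02X}")
    print("mismatches:", mismatches())
```

Whatever the ROM byte, the AND/ORA pair can only yield B7, F5 or F7, which is why the table contains just those three values.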