toinet
Inscrit le: 15 Juin 2007 Messages: 326 Localisation: Paris, France
|
Post� le: Jeu 05 Juil 2007, 10:51 Sujet du message: California Games (Epyx, 1987) |
|
|
That game from Epyx is part of a long series of simulation games for the Apple II line. I do not really like that game even though it is really well-made: DHGR, nice animations, etc.
Protection scheme
- disk protection: D5 AA 96, FF FF EB, D5 AA AD, FF FF EB
- desynchro routine with values used to EOR the RWTS
Diskette type
- a DOS 3.3 format with a standard RWTS on track 0
Cracking method
This can be applied on both sides of the game.
Step 1- launch Advanced Demuffin
- replace FF with DE at $B935 and $B991
- replace FF with AA at $B93F and $B99B
- copy both sides of your diskette
Step 2- launch your favorite sector editor
Track 0/Sector 2/Offset 9E : DE (to allow score recording)
0/2/A3 : AA
0/3/35 : DE
0/3/3F : AA
0/3/91 : DE
0/3/9B : AA
0/6/AE : DE (to allow score recording)
0/6/B3 : AA
Step 3- Apply the standard end of boot0 process
0/0/4A: 6C FD 08
That prevents the desynchro routine to be called.
Step 4- EORing the RWTS
The values read by the desynchro routine found at $BB00 and stored in zero page $F0..$F7 are: FC EE EE FC E7 EE FC E7
There were two ways of cracking it:
- change code at $BB00 by storing the desynchro values at the right place in zero page, or
- use your favorite sector editor to EOR the right sectors. I will describe that method now:
- Launch your favorite sector editor (Disk Fixer)
- Read Track 0, Sector 1
- Press the X key, set EOR value to FC, press CTRL-T to activate the mask
- Save the sector, press CTRL-T to turn the mask off
- Read Track 0, Sector 2
- Press the X key, set EOR value to EE, press CTRL-T to activate the mask
- Save the sector, press CTRL-T to turn the mask off
- Read Track 0, Sector 3
- Press the X key, set EOR value to EE, press CTRL-T to activate the mask
- Save the sector, press CTRL-T to turn the mask off
- Read Track 0, Sector 4
- Press the X key, set EOR value to FC, press CTRL-T to activate the mask
- Save the sector, press CTRL-T to turn the mask off
You now have a decoded RWTS from $B700 to $BAFF.
Reboot the diskette... your backup copy is ready
Toinet |
|