toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
|
Posted: Wed 17 Oct 2007, 21:38 Post subject: Silent Service (Microprose, 1985) |
|
|
THE submarine simulation. A complex game by Microprose, specialists in air and sea simulations.
Deckard tells me my crack is not complete as the game may crash during a round. As I have not played the game intensively, that might come, who knows?
PROTECTION TYPE
It is a standard DOS3.3 16-sector diskette.
DISK COPY
- Launch Locksmith 6.3 fast disk backup
- Copy the disk
- or, alternatively, copy the disk with Advanced Demuffin (B942:1
REMOVE THE PROTECTION
Launch your favorite disk editor
Remove the first protection routine
- T5/S9/3B: 4C 3D 02 => 4C 9D 02
Remove a copy of the protection routine !!!
- T4/S9/3B: 4C 3D 02 => 4C 9D 02
The next message contains the complete protection routine disassembly.
Your backup copy is now ready,
Toinet |
|
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
|
Posted: Wed 17 Oct 2007, 21:41 Post subject: |
|
|
That is the disassembly of file \\ which contains the protection. The code modifies itself.
The aim of the protection is to make an indirect jump to $0200 which goes to the next loading step or goes to the HARDWARE FAILURE message.
Code: |
*
* MICROPROSE : SILENT SERVICE
*
* BOOT PROGRAM: \\
*
         ORG $000200
         MX %11
         LST OFF
*
*
*
LB900    = $B900
PWREDUP  EQU $03F4
ROMIN2   EQU $C081
LCBANK2  EQU $C083
*
*
*
L0200    NOP ; D0 eor EA = $3A
L0201    NOP ; $DB or $02
         LDA #$8E
         STA $03D1
         LDA #$03
         STA $03D2
         LDA #$82
         STA $D6
         INC PWREDUP
         LDA LCBANK2
         LDA $37
         CMP #$BE
         BCS L022A
         LDA #>LB900
         STA L0248+2
         STA L0278+2
         STA L0260+2
         STA L0290+2
L022A    LDA #$D0 ; D0 eor
         EOR L0200 ; EA =
         STA L0200 ; 3A
         LDX #$60 ; turn drive on
         LDA $C089,X
L0237    JMP L023D ; Why not jump to $029D ?
L023A    JMP L02C2
*
L023D    LDA $0478 ; track
         ASL
         STA $0478
L0244    LDA #$43
         LDX #$60
L0248    JSR $F9A0 ; B9A0
         LDA $0478 ; track
         LSR
         STA $0478
         ASL
         STA $047E
         LDA #$00 ; read
         STA $2E
         LDA $C08C,X
         LDA $C08E,X
L0260    JSR $F944 ; B944
         BCS L02A5 ; read error !
*
         LDA L0244+1
         LSR
         CMP $2E
         BNE L02B3
         LDA $0478
         ASL
         STA $0478
         LDA #$44
         LDX #$60
L0278    JSR $F9A0 ; B9A0
         LDA $0478
         LSR
         STA $0478
         ASL
         STA $047E
         LDA #$00
         STA $2E
         LDA $C08C,X
         LDA $C08E,X
L0290    JSR $F944 ; B944
         BCS L02A5 ; read error
         LDA L0244+1
         LSR
         CMP $2E
         BNE L02B3
* Synchro is equal !
L029D    LDA #$DB ; $DB3A
         STA L0201
         JMP L02AA
*
L02A5    LDA #>L0200 ; $023A -> HARDWARE FAILURE
         STA L0201
L02AA    LDA $C088,X
         LDA ROMIN2
         JMP L02BB
L02B3    LDA #>L0200 ; $023A -> HARDWARE FAILURE
         STA L0201
         JMP L02AA
L02BB    LDY #>L02CD
         LDA #<L02CD
         JMP (L0200) ; Indirect jump
L02C2    LDY #>L02DD ; BOING
         LDA #<L02DD
         JSR $DB3A
L02C9    JMP L02C9
         HEX 00
L02CD    ASC 84
         ASC "BLOADG"8D
         ASC 84
         ASC "BRUNA"8D00
L02DD    ASC "HARDWARE FAILURE"00
|
|
|
Deckard
Joined: 29 Mar 2007 Posts: 350 Location: Levallois-Perret / Le Mans
|
Posted: Thu 18 Oct 2007, 9:02 Post subject: |
|
|
toinet wrote: | Deckard tells me my crack is not complete as the game may crash during a round. |
Not a crash, but it seems to me that it deliberately makes you lose.
You have to slog through the pseudo-language to find the place where, during the game, it checks the information it collected at boot.
It is done on purpose: you get the impression that it works, and only those who really play it are penalized.
As far as I know (information from MCS and Mr.Z), this game has never been cracked properly.
JM
PS: there is also a IIGS-specific version.
Last edited by Deckard on Thu 18 Oct 2007, 16:32; edited 1 time |
|
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
|
Posted: Thu 18 Oct 2007, 15:02 Post subject: |
|
|
I have just re-read the Solo Flight thread where the protection routine is in the file named P.
There is one in Silent Service that is full of false opcodes and once decoded contains the same protection as Solo Flight...
Code: |
JSR $9508
PHP
PLA
STA $F7
RTS
|
I will update the "backup" procedure tonight...
Antoine |
|
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
|
Posted: Thu 18 Oct 2007, 15:59 Post subject: |
|
|
Gotcha! The P file does not contain any false opcodes but swapped bytes.
Let me be clearer! The following code:
Code: |
JSR $9508
PHP
PLA
STA $F7
RTS
|
should be coded:
Code: |
20 08 95 08 68 85 F7 60
|
But the P file contains:
Code: |
08 20 08 95 85 68 60 F7
|
Then, if you really want to tell the P routine that you have an original disk, you should:
- clear the carry and
- return with A = 0
SECOND PROTECTION REMOVAL
Launch your favorite disk editor
- on T5/S7/C: 90 18 9A 0F => A9 18 60 00
We never know, we have a copy of the protection there:
- on T4/S7/C: 90 18 9A 0F => A9 18 60 00
I will validate that update tonight...
Toinet |
|
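The byte swap described in the post above, as an added example that is not part of the original thread: it undoes the adjacent-pair swap and disassembles the result with a minimal 6502 opcode table covering only the opcodes needed here. It assumes the T5/S7 patch bytes are stored with the same pair swap as the rest of the P file, which is the reading under which they decode to "clear the carry, return with A = 0".

```python
# Added example: un-swap adjacent byte pairs, then disassemble.
# The opcode table is deliberately tiny (only what these fragments use).

# opcode -> (mnemonic, operand size in bytes, operand format)
OPCODES = {
    0x08: ("PHP", 0, ""),
    0x18: ("CLC", 0, ""),
    0x20: ("JSR", 2, "${:04X}"),
    0x60: ("RTS", 0, ""),
    0x68: ("PLA", 0, ""),
    0x85: ("STA", 1, "${:02X}"),
    0xA9: ("LDA", 1, "#${:02X}"),
}

# Byte strings quoted in the post.
P_FILE_BYTES = bytes.fromhex("08 20 08 95 85 68 60 F7")
PATCH_BYTES = bytes.fromhex("A9 18 60 00")  # assumed to be pair-swapped too


def unswap_pairs(data):
    """Exchange each pair of adjacent bytes; a trailing odd byte is kept."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def disassemble(code):
    """Return one text line per instruction; unknown bytes become HEX xx."""
    lines, pc = [], 0
    while pc < len(code):
        name, size, fmt = OPCODES.get(code[pc], (None, 0, ""))
        operand = code[pc + 1 : pc + 1 + size]
        if name is None or len(operand) < size:
            # Unknown opcode, or operand cut off by the end of the buffer.
            lines.append(f"HEX {code[pc]:02X}")
            pc += 1
            continue
        value = int.from_bytes(operand, "little")  # 6502 is little-endian
        lines.append(f"{name} {fmt.format(value)}".strip())
        pc += 1 + size
    return lines


if __name__ == "__main__":
    for label, raw in (("P file", P_FILE_BYTES), ("patch", PATCH_BYTES)):
        decoded = unswap_pairs(raw)
        print(label, decoded.hex(" ").upper(), disassemble(decoded))
```
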
Deckard
Joined: 29 Mar 2007 Posts: 350 Location: Levallois-Perret / Le Mans
|
Posted: Thu 18 Oct 2007, 16:30 Post subject: |
|
|
If you want to study the Microprose protections, you can start by reading the interesting file written by MCS in Déplombage mode d'emploi 7:
http://boutillon.free.fr/Underground/Deplombage/Depme/Depme7/Depme7.html
The crack is the one for CONFLICT IN VIETNAM, but Silent Service is also mentioned.
The byte swapping is only the 2nd protection. The hardest part comes after...
Pseudo code: GSL SYSTEM-VS1.9 from GALFO SYSTEMS
In my opinion, there are also things left to do on the Solo Flight crack...
JM |
|
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
|
Posted: Thu 18 Oct 2007, 19:40 Post subject: |
|
|
Really interesting, this article on the language used. I think there is also work left to do, but I am very surprised that there is no reference to the two contiguous tracks that contain the same code.
Might that not be the way to check the original and the copy? I will look into it...
antoine |
|