| Voir le sujet pr�c�dent :: Voir le sujet suivant |
| Auteur |
Message |
toinet
Inscrit le: 15 Juin 2007
Messages: 326
Localisation: Paris, France
|
 Post� le: Sam 01 D�c 2007, 22:09 Sujet du message: Earl Weaver Baseball (Mirage Graphics Inc., 1989) |
 |
|
Play a full game of baseball with the advice of Earl Weaver.
I have to admit that I do not understand the rules of baseball. What I have understood is that the game disk was copiable but not fully playable due to the password protection which limits the number of innings to three instead of nine if your answer is not the right one!
PROTECTION TYPE
A password protection. Enter a ticket number depending on three parameters (place, row and seat). If you fail three times, the game play is limited.
REMOVE THE PROTECTION
Launch your favorite disk editor
On T16/SD/3C, change 4C 9B BD => EA A9 1B
Save the sector back to disk
REVERSE BOOT-TRACING
That has been a tough crack because of the way the code handles pointers and strings. Instead of tracing the program from the beginning, I did it the other way: whatever your answer is, if you fail three times, the game is loaded and displays a message: "Building Park..."
What I have to do is to locate that string in memory... $61D7
Then, find where that address is used... $7D52 :
| Code: |
LDA #$D7
LDY #$61
JSR $DE6A
|
The remaining task is to understand the previous code and locate the protection routine. Such info is given in the two next messages...
Enjoy,
Toinet
Derni�re �dition par toinet le Dim 02 D�c 2007, 0:22; �dit� 2 fois |
|
| Revenir en haut de page |
|
 |
toinet
Inscrit le: 15 Juin 2007
Messages: 326
Localisation: Paris, France
|
| Post� le: Sam 01 D�c 2007, 22:11 Sujet du message: |
|
|
The following code is the main program routine which calls the protection. That is interesting to note that the protection can be bypassed by changing the value of a byte.
| Code: |
*
* Earl Weaver Baseball
* (c) 1989, Mirage Graphics, Inc.
*
* (k) 2007, LoGo
*
mx %11
org $7D03
lst off
*
*
*
L7D03 LDX #$00 ; Load Protection Data
LDY #$04 ; at $0400
JSR $D4F4
LDA $6A36
CMP #$04
BCS L7D17
INC $708E
JSR $7D8E
L7D17 LDA #<L7D23 ; Execute code at $7D23
LDY #>L7D23
INC $6856
LDX #$01
JMP $8CCC
L7D23 JSR $8AAB
LDA #$FF
STA $7072
LDA #$57 ; Set $5A..$5B to $6857
LDY #$68
JSR $A459
LDY #$00
LDA ($5A),Y
BNE L7D4F ; Bypass protection
LDA #<L7D3F ; Otherwise execute it!
LDY #>L7D3F
JMP $BD9B ; GO TO THE PROTECTION
L7D3F TAY ; Return from the protection
DEY ; with A=1B, right password
LDX #$00
L7D43 LDA $A513,Y
STA $FECC,X
INX
INY
CPX #$0F
BCC L7D43
L7D4F JSR $A015 ; Clear Screen
LDA #$D7 ; Display "Building Park..."
LDY #$61
JSR $DE6A
* ... The program continues...
|
Derni�re �dition par toinet le Dim 02 D�c 2007, 0:23; �dit� 1 fois |
|
| Revenir en haut de page |
|
|
toinet
Inscrit le: 15 Juin 2007
Messages: 326
Localisation: Paris, France
|
| Post� le: Sam 01 D�c 2007, 22:12 Sujet du message: |
|
|
The following routine is the main protection routine with the 3-tries loop... The program returns #$1B in the accumulator is the answer was right 
| Code: |
*
* Earl Weaver Baseball
* (c) 1989, Mirage Graphics, Inc.
*
* (k) 2007, LoGo
*
mx %11
org $BD7F
lst off
*
*
*
LBD7F DB $39
DB $3A
DB $3B
LBD82 DB $00
LBD83 DB $00
LBD84 DB $00
DB $3C
LBD86 DB $00
DB $00
DB $00
DB $00
LBD8A DB $00
DB $00
DB $00
DB $00
LBD8E DB $00
LBD8F DB $00
DB $00
DB $00
LBD92 DB $00
LBD93 DB $00
DB $00
DB $00
LBD96 DB $00
LBD97 DB $00
DB $00
DB $00
LBD9A DB $00
*
* Entry point of the protection
*
* Clear the screen
* Display all the messages
LBD9B STA $61FB
STY $61FC
JSR $DE89
LDA #$03
STA $4006
LDY #$13
LDA #$00
LBDAD STA LBD86,Y
DEY
BPL LBDAD
LDA #$18
JSR LBD69
STX LBD82
STX LBD86
LDA #$18
JSR LBD69
STX LBD8A
TXA
CLC
ADC #$18
STA LBD83
LDA #$09
JSR LBD69
STX LBD8E
TXA
CLC
ADC #$30
STA LBD84
LDA LBD86
CMP LBD8A
BCS LBDE7
CLC
ADC #$18
LBDE7 SEC
SBC LBD8A
STA LBD92
LDA LBD92
STA $D007
STA $D003
LDA LBD93
STA $D008
STA $D004
JSR $D139
LDA $D00B
STA LBD96
LDA $D00C
STA LBD97
LDA LBD8E
STA $D007
STA $D003
LDA LBD8F
STA $D008
STA $D004
JSR $D139
LDA $D00B
CLC
ADC LBD96
STA LBD96
LDA $D00C
ADC LBD97
STA LBD97
LDA LBD92
CLC
ADC LBD96
STA LBD96
LDA #$00
ADC LBD97
STA LBD97
LDA LBD96
SEC
SBC LBD8E
STA LBD96
LDA LBD97
SBC #$00
STA LBD97
LDA #$25
CLC
ADC LBD96
STA LBD96
LDA #$00
ADC LBD97
STA LBD97
LDA #$2D
LDY #$00
JSR $74F0
LDA #$00 ; Try number
STA LBD9A
* Protection input loop
LBE78 LDA #$01
LDX LBD9A
BEQ LBE81
LDA #$00
LBE81 STA $78
LBE83 LDY $78
LDA LBD7F,Y
JSR LBEBA
INC $78
LDA $78
CMP #$07
BCC LBE83
LDA #$00
STA $68B8
JMP LBF56
LBE9B JSR LBEF7 ; Check input
BEQ LBEB5
INC LBD9A ; Next try...
LDA LBD9A
CMP #$03
BCC LBE78
LDA $FE96 ; Failed three times...
AND #$7F
CLC
ADC #$01
JMP ($61FB)
LBEB5 LDA #$1B ; Input is correct!
JMP ($61FB) ; End of protection
*
LBEBA STA $77
LDA $78
CLC
ADC #$09
TAX
LDY #$05
CLC
JSR $42AF
JSR LBECE
JMP $DE6A
LBECE LDA #$00
LDY #$04
JSR $A459
LDY #$FF
STY $76
LBED9 INC $76
LDA $76
CMP $77
BEQ LBEF2
LBEE1 LDY #$00
LDA ($5A),Y
PHP
LDX #$5A
LDA #$01
JSR $7697
PLP
BNE LBEE1
BEQ LBED9
LBEF2 LDA $5A
LDY $5B
RTS
* Check the word entered
LBEF7 LDA #$00
STA $D019
STA $D01A
STA $D016
LDA #$57
STA $D017
LDA #$01
STA $D018
LDA $DFC2
STA $D013
LDA $DFC3
STA $D014
LDA $DFC4
STA $D015
JSR $D1EF
LDA $D01B
STA $DFC2
LDA $D01C
STA $DFC3
LDA #$57
STA $D017
LDA #$01
STA $D018
LDA LBD96
STA $D013
LDA LBD97
STA $D014
JSR $D307
LDA $D01B ; The real comparison goes here!
CMP $DFC2
BEQ LBF4F
RTS
LBF4F LDA $D01C
CMP $DFC3
RTS
*
LBF56 INC $68B8
LDA $68B8
CMP #$01
BNE LBF6A
LDA #$1B
JSR $7911
LDA #$10
STA $66AB
LBF6A JSR $A0B8
LDA $66AB
CMP #$0D
BEQ LBF75
RTS
LBF75 LDA #$D3
LDY #$67
STA $64
STY $65
LDY #$00
LBF7F LDA ($64),Y
BEQ LBF8A
CMP #$20
BEQ LBF8A
INY
BPL LBF7F
LBF8A LDA #$00
STA ($64),Y
STA $DFC4
TYA
PHA
SEC
SBC #$04
CLC
ADC $64
STA $64
LDA #$00
ADC $65
TAY
LDA $64
JSR $DA17
PLA
CMP #$05
BCS LBFAD
JMP LBE9B
LBFAD SEC
SBC #$05
TAY
INY
LDA #$00
STA $67D3,Y
DEY
LDA $DFC3
PHA
LDA $DFC2
PHA
TYA
PHA
LDA #$D3
LDY #$67
JSR $DA17
LDA $DFC2
LDX #$10
LDY #$27
JSR $D1A1
STA $DFC2
STX $DFC3
STY $DFC4
PLA
PLA
CLC
ADC $DFC2
STA $DFC2
PLA
ADC $DFC3
STA $DFC3
LDA #$00
ADC $DFC4
STA $DFC4
JMP LBE9B
DB $00
STX $B39B
LDA #$09
JMP $B385
|
|
|
| Revenir en haut de page |
|
|
toinet
Inscrit le: 15 Juin 2007
Messages: 326
Localisation: Paris, France
|
| Post� le: Sam 01 D�c 2007, 22:13 Sujet du message: |
|
|
And for curious people, the protection data loaded at $0400:
| Code: |
*
* Earl Weaver Baseball
* (c) 1989, Mirage Graphics, Inc.
*
* (k) 2007, LoGo
*
mx %11
org $0400
lst off
*
* For easier reading, first character has
* been rewritten, it had Hi-bit set
*
L0400 ASC 'FENWAY '
ASC 'PARK'00
ASC 'YANKEE '
ASC 'STADIUM'00
ASC 'ASTRODOME'00
ASC 'POLO '
ASC 'GROUNDS'00
ASC 'FORBES '
ASC 'FIELD'00
ASC 'WRIGLEY '
ASC 'FIELD'00
ASC 'TIGER '
ASC 'STADIUM'00
ASC 'BALTIMORE '
ASC 'STADIUM'00
ASC 'BUSCH '
ASC 'STADIUM'00
ASC 'CANDLESTICK '
ASC 'PARK'00
ASC 'COMISKY '
ASC 'PARK'00
ASC 'DODGER '
ASC 'STADIUM'00
ASC 'EBBETS '
ASC 'FIELD'00
ASC 'METROPOLITAN '
ASC 'STDM'00
ASC 'L.A. '
ASC 'COLISEUM'00
ASC 'SHEA '
ASC 'STADIUM'00
ASC 'MACK '
ASC 'STADIUM'00
ASC 'CROSLEY '
ASC 'FIELD'00
ASC 'RFK STADIUM'00
ASC 'SPORTSMAN'27'S '
ASC 'PARK'00
ASC 'COLT '
ASC 'STADIUM'00
ASC 'JARRY '
ASC 'PARK'00
ASC 'BRAVES '
ASC 'FIELD'00
ASC 'GRIFFITH '
ASC 'STDM'00
*
ASC 'ROW '
ASC "AC"
ASC ' '
ASC 'SEAT 21'00
ASC 'ROW '
ASC "DW"
ASC ' '
ASC 'SEAT 54'00
ASC 'ROW '
ASC "KM"
ASC ' '
ASC 'SEAT 90'00
ASC 'ROW '
ASC "TX"
ASC ' '
ASC 'SEAT 10'00
ASC 'ROW '
ASC "NB"
ASC ' '
ASC 'SEAT 52'00
ASC 'ROW '
ASC "ST"
ASC ' '
ASC 'SEAT 17'00
ASC 'ROW '
ASC "PD"
ASC ' '
ASC 'SEAT 74'00
ASC 'ROW '
ASC "HK"
ASC ' '
ASC 'SEAT 29'00
ASC 'ROW '
ASC "VZ"
ASC ' '
ASC 'SEAT 62'00
ASC 'ROW '
ASC "ED"
ASC ' '
ASC 'SEAT 37'00
ASC 'ROW '
ASC "BB"
ASC ' '
ASC 'SEAT 43'00
ASC 'ROW '
ASC "LM"
ASC ' '
ASC 'SEAT 15'00
ASC 'ROW '
ASC "IQ"
ASC ' '
ASC 'SEAT 98'00
ASC 'ROW '
ASC "CR"
ASC ' '
ASC 'SEAT 31'00
ASC 'ROW '
ASC "GG"
ASC ' '
ASC 'SEAT 25'00
ASC 'ROW '
ASC "WA"
ASC ' '
ASC 'SEAT 36'00
ASC 'ROW '
ASC "OS"
ASC ' '
ASC 'SEAT 68'00
ASC 'ROW '
ASC "JE"
ASC ' '
ASC 'SEAT 81'00
ASC 'ROW '
ASC "FA"
ASC ' '
ASC 'SEAT 76'00
ASC 'ROW '
ASC "XC"
ASC ' '
ASC 'SEAT 53'00
ASC 'ROW '
ASC "UJ"
ASC ' '
ASC 'SEAT 22'00
ASC 'ROW '
ASC "MF"
ASC ' '
ASC 'SEAT 64'00
ASC 'ROW '
ASC "QV"
ASC ' '
ASC 'SEAT 83'00
ASC 'ROW '
ASC "RD"
ASC ' '
ASC 'SEAT 49'00
*
ASC 'BLEACHER'00
ASC 'LUXURY '
ASC 'BOX'00
ASC 'LEFT '
ASC 'FIELD'00
ASC 'LOWER '
ASC 'DECK'00
ASC 'GRANDSTAND'00
ASC 'RESERVED'00
ASC 'RIGHT '
ASC 'FIELD'00
ASC 'UPPER '
ASC 'DECK'00
ASC 'DUGOUT'00
ASC 'INCORRECT NUMBER...'
ASC 'TRY AGAIN'00
ASC 'PLEASE FIND YOUR SEASON TICKET'00
ASC 'PASS NUMBER FOR THESE TICKETS:'00
ASC 'ENTER '
ASC 'NUMBER: '00
HEX 01010101010101010101010101010101
HEX 01010101010101010101010101010101
HEX 01010101010101010101010101010101
HEX 01010101010101010101010101010101
HEX 01010101010101010101010101010101
HEX 01010101010101010101010101010101
HEX 01010101010101
|
|
|
| Revenir en haut de page |
|
|
|
FAQ 
Rechercher 
Liste des Membres 
Groupes d'utilisateurs
S'enregistrer
Profil 
Se connecter pour v�rifier ses messages priv�s 
Connexion 
