Author |
Message |
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 Dec 2007, 11:02 Post subject: Megabots (Neosoft, 1986) |
What kind of game is it? I still haven't understood the aim of it! What I like are the animations which are really well-made.
PROTECTION TYPE
- On a standard DOS 3.3 16-sector disk, tracks 1D and 1E cannot be copied
- There is a nibble check on an encrypted routine hidden in a BASIC program!
DISK COPY
Launch Advanced Demuffin
Copy tracks 0 to 1C and 1F to 22
Boot the disk... The game does not load...
BOOT TRACING
It is an easy one:
- Boot 1 at $0800 loads a standard RWTS at $B700..$BFFF
- Boot 2 loads DOS 3.3 into memory
- And then executes the HELLO program
I will discuss the protection in the next messages...
REMOVE THE PROTECTION
Launch your favorite disk editor
On T$18/S3/$12: 34 30 30 31 => 34 30 35 33
Reboot... Enjoy the game...
Toinet |
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 Dec 2007, 11:30 Post subject: |
The code is an excerpt from the HELLO BASIC program. Note the CALL 4001 ($0FA1) on line . That is the call to the protection routine.
Code: |
10 PRINT CHR$ (4);"MAXFILES 1": REM "
HELLO
VER 1.0 1/6/86
COPYRIGHT 1986 NEOSOFT INC.
ALL RIGHTS RESERVED
20 LOMEM: 38695: DIM A$,FR%(12):TF% = 256:D$ = CHR$ (13) + CHR$ (4)
30 FOR J = 0 TO 4: READ FR%(J): NEXT : DATA 0,1236,2472,3826,5364
40 HOME : HGR : POKE - 16300,0: POKE - 16302,0: POKE - 16297,0: POKE - 16304,0: PRINT D$;"BLOAD PIC.FRONT PANEL,A$2000": CALL 4001
120 T1% = 249:GI% = 20736
130 PN% = 16384:PS% = PN% + 3:ME% = PS% + 3:GP% = ME% + 3:VO% = GP% + 3:WI% = VO% + 3:GK% = WI% + 3:RK% = GK% + 3:CK% = RK% + 3:ST% = CK% + 3:PP% = ST% + 3:AN% = PP% + 3
150 PRINT D$;"BLOAD DROIDS.OBJ0"
160 PRINT D$;"BLOAD ANAL.HELMET,A";GI%: CALL PS%,6
171 PRINT D$;"BLOAD PIC.X,A$2000"
|
We need to analyze the CALL 4001 and try to avoid the call to it:
- one method would be to edit the basic program and remove the instruction
- the second one would be to update the address to go to a RTS instead!
I like the second method... |
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 Dec 2007, 11:34 Post subject: |
The following code is the routine located at $0FA1 (CALL 4001) which decodes the disk protection routine at $0EC5 and executes it at $0F65...
Code: |
*
* Megabots
* (c) 1986, Neosoft
*
* (k) 2007, LoGo
*
L0FA1 LDA #$0F
PHA
LDA #$64
PHA
LDA $08
STA L0FD6
LDA $09
STA L0FD7
LDA #$C5
STA $08
LDA #$0E
STA $09
LDA #$96
PHA
LDY #$00
L0FBE PLA
EOR ($08),Y
STA ($08),Y
PHA
INY
TYA
CMP #$F7
BNE L0FBE
PLA
LDA L0FD6
STA $08
LDA L0FD7
STA $09
RTS
L0FD6 DB $00
L0FD7 DB $00
|
Note that the routine ends with a RTS at decimal address 4053. We use that address to bypass the protection call ;) |
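A Python model of the decoding loop at $0FA1, added here as an example (it is not code from the original post), so the transform can be reproduced and verified offline on a memory image. The sample bytes are taken from the start of the $0EC5 listing in the next post and are assumed to be its decoded form.

```python
# Model of the chained-XOR decoder at $0FA1 (added example, not code from
# the original post). Reading the loop at L0FBE: $96 is pushed first, then
# for Y = 0..$F6 the previous result is pulled, EORed with the byte at
# ($08),Y = $0EC5+Y, stored back and pushed again. Hence
#     P[i] = P[i-1] XOR C[i]   with P[-1] = $96
# i.e. a running-XOR (plaintext-chained) stream, trivially invertible.
REGION_BASE = 0x0EC5          # LDA #$C5 / STA $08, LDA #$0E / STA $09
REGION_LEN = 0xF7             # INY / TYA / CMP #$F7 / BNE L0FBE
SEED = 0x96                   # LDA #$96 / PHA before the loop
# Note: REGION_BASE + REGION_LEN = $0FBC, so the loop also rewrites
# $0FA1..$0FBB, the entry stub of the decoder itself (already executed).

def decode_region(cipher: bytes, seed: int = SEED) -> bytes:
    """Produce the bytes the 6502 loop writes back over the region."""
    out, prev = bytearray(), seed
    for c in cipher:
        prev ^= c             # PLA ; EOR ($08),Y
        out.append(prev)      # STA ($08),Y ; PHA
    return bytes(out)

def encode_region(plain: bytes, seed: int = SEED) -> bytes:
    """Inverse transform, C[i] = P[i] XOR P[i-1]: the stored (on-disk) form."""
    out, prev = bytearray(), seed
    for p in plain:
        out.append(p ^ prev)
        prev = p
    return bytes(out)

def run_decoder_in_place(memory: bytearray, base: int = REGION_BASE,
                         length: int = REGION_LEN, seed: int = SEED) -> None:
    """Apply the loop to a memory image in place, exactly as the 6502 code does."""
    prev = seed
    for y in range(length):
        prev ^= memory[base + y]
        memory[base + y] = prev

# Constructed sample: first 16 bytes of the $0EC5 listing in the next post,
# assumed to be the decoded form since $0FA1 runs before that code executes.
DECODED_PREFIX = bytes([0x08, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01,
                        0x60, 0x01, 0x06, 0xAB, 0xAB, 0xAA, 0xAA, 0xFE])

def demo() -> bool:
    """Round-trip the sample through a 64 KiB image and report success."""
    memory = bytearray(0x10000)
    stored = encode_region(DECODED_PREFIX)          # what the disk would hold
    memory[REGION_BASE:REGION_BASE + len(stored)] = stored
    run_decoder_in_place(memory, length=len(stored))
    return bytes(memory[REGION_BASE:REGION_BASE + len(stored)]) == DECODED_PREFIX

if __name__ == "__main__":
    print("round trip ok:", demo())
```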
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 Dec 2007, 11:36 Post subject: |
The code is the nibble check routine. A BNE is modified and if the right nibbles are not found, the routine jumps to $0F48 ending the normal process!
Code: |
*
* Megabots
* (c) 1986, Neosoft
*
* (k) 2007, LoGo
*
L0EC5 DB $08
DB $02
DB $01
DB $01
DB $00
L0ECA DB $00
L0ECB DB $00
DB $01
DB $60
DB $01
L0ECF DB $06
L0ED0 DB $AB
L0ED1 DB $AB
L0ED2 DB $AA
DB $AA
DB $FE
DB $FF
DB $96
DB $AA
DB $D5
DB $AD
DB $AA
DB $D5
DB $EB
DB $AA
DB $DE
L0EDF JSR $03E3
STY L0EFC+1
STA L0EFC+2
LDX #$04
L0EEA CLC
LDA L0EC5,X
ADC L0EFC+1
STA L0EFC+1
BCC L0EF9
INC L0EFC+2
L0EF9 LDA L0ECA,X
L0EFC STA |$0000
DEX
BPL L0EEA
JSR $03E3
JSR $03D9
RTS
L0F09 LDA $C0EE
L0F0C LDA $C0EC
BPL L0F0C
CMP #$FF
BNE L0F0C
L0F15 LDA $C0EC
BPL L0F15
CMP #$FF
BNE L0F0C
L0F1E LDA $C0EC
BPL L0F1E
CMP #$FF
BEQ L0F1E
LDX #$07
BPL L0F30
L0F2B LDA $C0EC
BPL L0F2B
L0F30 CMP L0ED1,X
BNE L0F0C
DEX
BNE L0F2B
LDX #$02
L0F3A LDA $C0EC
BPL L0F3A
CMP L0ECF,X
L0F42 BNE L0F0C ; MODIFIED TO L0F48
DEX
BNE L0F3A
RTS
L0F48 PLA
PLA
PLA
PLA
LDA $C0E8
SEI
LDA #$00
TAX
L0F53 STA L0F65,X
INX
BNE L0F53
L0F59 STA $0E53,X
DEX
BNE L0F59
DEC L0F59+2
JMP L0F59
L0F65 JSR L0EDF
LDA $C0EA
LDA $C0E9
LDA #$AB
STA L0ED1
LDA #$AF
STA L0ED0
JSR L0F09
LDA #$01
STA L0ECB
JSR L0EDF
LDA $C0E9
LDA #$04
STA L0F42+1 ; GOTCHA!
LDA #$AB
STA L0ED2
LDA #$AB
STA L0ED1
LDA #$AB
STA L0ED0
JSR L0F09
LDA $C0E8
RTS