toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Tue 07 Aug 2007, 22:40 Subject: Ultima IV (Origin Systems, 1985)
Quest of the Avatar by Lord British. Prepare yourself for a grand adventure: Ultima IV, sixteen times larger than Ultima III, is a milestone in computer gaming.
The Ultima series is the one that kept me awake during many nights. I have never had the original Ultima IV game, only the others. Now, I have been able to remove the protection of Ultima II to Ultima V.
Protection type
On our 'standard' DOS 3.3 diskette, we get:
- Disk check routine ($B800)
- Change of data markers (D5 AA AD/B5)
- RWTS is EORed with $8E
Boot trace
- 9600<C600.C6FFM
- 96FB:4C 59 FF
- 9600G
You get a nearly standard DOS 3.3 boot0 code at $0800. The JMP $B6F0 at $084A is different.
- 96FB:A9 59 8D 4B 08 A9 FF 8D 4C 08 4C 01 08
- 9600G
You now have the RWTS from $B600 to $BFFF
At $B6F0, zero page address $31 is set to $AA, $4E is set to $AD, then a JMP $B700 is performed.
At $B700, the code loops until $C000 and decodes the rest of the RWTS code with EOR $8E... Let's reveal it:
- B701:1B
- B71A:60
- B700G
- B71A:8E
Enjoy the reading of the decoded RWTS: DOS 3.3 loading through $B793 using $B7B5 which goes to $BA00 and not the standard $BD00.
If you read the RWTS carefully, you will realize that the different routines have been reordered:
- The header field read routine is at $BE42 instead of $B944. It uses the $31 ZP value to read the D5 AA 96 disk values.
- The data field read routine is at $BDDC instead of $B8DE. It uses the $4E ZP value to read the D5 AA AD/B5 disk values.
etc.
At $B793 you read a JMP $B800 that is the first protection of the diskette: a nibble read comparison which fails with a copy. Keep in mind you will need to remove that one...
The tricky RWTS
For those of you who speak DOS 3.3 RWTS fluently, you all know that your calls to $B7B5 or $BD00 must have the address of the RWTS parameter:
- in A (high address)
- in Y (low address)
With the one from Ultima IV, you must have the address of the RWTS parameter:
- in A (LOW address)
- in Y (HIGH address)
Funny but tricky
Disk copy
Launch Advanced Demuffin 1.4, press the B key to get the tricky RWTS.
Go to the monitor and enter the following data to unEOR it:
- B701:1B
- B71A:60
- B700G
- B718:A2 60 8E => your RWTS is nearly finished...
- BA00:85 49 84 48
Now replace the comparison code of the read routines with our beloved code:
- BDEF:C5 31 => C9 AA
- BE3C:C5 31 => C9 AA
- BE5D:C5 31 => C9 AA
- BDFA:C5 4E => C9 AD
The Advanced Demuffin routine at $1400 is your entry to the RWTS of the protected disk; change 4C 00 BD to 4C 00 BA there...
Copy T0/S0 to T2/S4 with standard markers (D5 AA 96, D5 AA AD)
Now update the comparison code of the read routines with:
- BDFA:C5 4E => C9 B5
Copy T2/S5 to T22/SF with markers D5 AA 96, D5 AA B5
Protection removal
As usual, my objective is to make minimal changes to the disk. The changes above will be limited to the removal of the disk check routine and the change of the data markers D5 AA AD/B5.
As stated previously, the disk check routine is called by $B793 at address $B800 => we must remove that one and keep in mind that our RWTS is EOR coded with the value $8E...
- Launch Disk Fixer
- Read track 0, sector 1
- At offset 93, change C2 8E 36 (aka JMP $B800) to 22 6B 39 (aka LDY $B7E5)
- Save the sector, that's it!
As stated previously, the data marker to read is located on the zero page at address $4E, 'valid' values are AD and B5. The data read routine is located at $BDDC, we must replace CMP $4E with CMP #$AD, let's do it now:
- Launch Disk Fixer
- Read track 0, sector 7
- At offset FA, change 4B C0 (aka CMP $4E) to 47 23 (aka CMP #$AD)
- Save the sector, that's it!
You now have your backup copy as the three other sides are not copy-protected (each file name contains control characters
Toinet
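As an added example (not part of Toinet's post), this Python script reproduces the byte arithmetic behind the two Disk Fixer edits above: the RWTS image is stored EOR $8E, so the bytes to type into the sector are the wanted 6502 bytes XORed with $8E. The track 0, one 256-byte page per sector layout of the image is an assumption inferred from the two sector numbers the post gives, and the opcode table covers only the four instructions the post names.

```python
# Added example, not code from the original post. It checks the two
# sector edits described above against the EOR $8E encoding of the RWTS.

EOR_KEY = 0x8E          # the post's value: RWTS bytes on disk are EORed with $8E
RWTS_BASE = 0xB600      # RWTS image runs $B600-$BFFF once booted
RWTS_END = 0xC000

# Minimal 6502 opcode table: (mnemonic, operand size) for the instructions
# involved in the post's patches. Anything else is rejected rather than guessed.
OPCODES = {0x4C: ("JMP", 2), 0xAC: ("LDY", 2), 0xC5: ("CMP", 1), 0xC9: ("CMP#", 1)}

def disk_location(addr):
    """Map an RWTS address to (track, sector, offset).
    Assumption: page $B6xx sits in T0/S0, $B7xx in T0/S1, ... (matches the
    post's T0/S1 for $B793 and T0/S7 for $BDFA)."""
    if not RWTS_BASE <= addr < RWTS_END:
        raise ValueError(f"${addr:04X} is outside the RWTS image")
    return 0, (addr - RWTS_BASE) >> 8, addr & 0xFF

def eor(raw):
    """Apply EOR $8E to every byte; the transform is its own inverse,
    so this both decodes on-disk bytes and encodes a patch for the disk."""
    return bytes(b ^ EOR_KEY for b in raw)

def disassemble(decoded):
    """Render one decoded instruction, e.g. 4C 00 B8 -> 'JMP $B800'."""
    op = decoded[0]
    if op not in OPCODES:
        raise ValueError(f"opcode ${op:02X} not in the example's table")
    name, size = OPCODES[op]
    operand = int.from_bytes(decoded[1:1 + size], "little")
    if name == "CMP#":
        return f"CMP #${operand:02X}"
    return f"{name} ${operand:0{2 * size}X}"

def sector_patch(addr, old_code, new_code):
    """Return the Disk Fixer edit for replacing old_code with new_code at addr:
    (track, sector, offset, on-disk bytes to find, on-disk bytes to write)."""
    track, sector, offset = disk_location(addr)
    return (track, sector, offset,
            eor(old_code).hex(" ").upper(), eor(new_code).hex(" ").upper())

if __name__ == "__main__":
    # The two edits from the post: drop the $B800 disk check, then hard-code
    # the data marker CMP #$AD in place of CMP $4E.
    for addr, old, new in ((0xB793, b"\x4c\x00\xb8", b"\xac\xe5\xb7"),
                           (0xBDFA, b"\xc5\x4e", b"\xc9\xad")):
        t, s, off, find, write = sector_patch(addr, old, new)
        print(f"T{t}/S{s} offset {off:02X}: {find} ({disassemble(old)}) -> "
              f"{write} ({disassemble(new)})")
```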