toinet
Inscrit le: 15 Juin 2007 Messages: 326 Localisation: Paris, France
|
Post� le: Mer 07 Nov 2007, 18:38 Sujet du message: Mean 18 (Accolade, 1987) |
|
|
Golf so real you can feel the grass under your feet. Once you've mastered the Mean 18 courses, you can design your own with The Course Architect. And for those players with the ten all-time best scores, there's a permanent place in the Mean 18 Hall of Fame.
DISK STRUCTURE
That is a standard ProDOS 16 3.5 inch disk drive. It can be easily copied but there a few read errors. The game is not hard-drive installable due to the use of absolute prefixes.
PROTECTION TYPE
The unreadable blocks are checked. It there is a read error, the disk is an original, otherwise it is a copy.
BOOT-TRACING
Er, no. Disassembly instead with the use of the fabulous The Flaming Bird Disassembler (TFBD) written by Ferox from The Phoenix Corporation. Does somebody know how to contact him?
1st part: GOLF.SYS16
Launch TFBD and load GOLF.SYS16. There are four segments:
main
data
green
<no name>
The data segment contains the following strings:
Code: | 02/2AD3: Not original disk !
02/2AEA: Protection failed. |
Let's find where they are used... in segment 3, here is an excerpt from the routine:
Code: | 03/4E89: LDA $02139A
BNE $4E91
BRL $4EFF
4E91: LDA $02139A
CMP #$0001
BNE $4ECD
... |
Depending on the value of $02139A, the following message is displayed:
if 0, the disk is an original one, display "Play Golf or Arch"
if 1, display "Not original disk !"
above, display "Protection failed."
Let's now find where $02139A is used... in segment 1, main. Following is an excerpt of the routine:
Code: | 01/0127: JSL $040000
JSL $04002A
STA $02139A (it is the std $8D opcode)
JSL $040025 |
We have two ways of removing the protection:
remove the calls and the store of $02139A
force a store of $0000 to location $02139A
I have decided to use the first one. Let's now decide which tool to use to apply the protection removal:
BlockWarden or similar tool
a smartport call
I have chosen the smartport call with a /RAM5 disk
Protection removal
Copy GOLF.SYS16 to a clean /RAM5 (no data on it)
Launch Basic.System
Go to the monitor:
- 300: 20 0D C5 01 20 03 20 DA FD 60
- 320: 03 02 00 10 08 00 00
- 300G
00 - The previous code loads block 8 of the /RAM5 disk to $1000..$11FF
- 116C: 22 -> AF
- 1170: 22 -> AF
- 1174: 8D -> AD
- 1177: 22 -> AF
$116C is the entry point as the offset is $0127 + segment description.
- 303: 02
- 300G
00 - We have written block 8 back to disk
Return to the Finder, copy the file wherever you want and let's apply the same method for the Architect...
2nd part: ARCH
The same protection is used at the same memory locations (segment 1, offset $0127) but the calls and protection flag are different:
Code: | 01/0127: JSL $0305E8
JSL $030612
STA $020DDB (opcode $8D is used)
JSL $03060D |
Let's apply the same method as above...
Protection removal
Copy ARCH to a clean /RAM5 (no data on it)
Launch Basic.System
Go to the monitor:
- 300: 20 0D C5 01 20 03 20 DA FD 60
- 320: 03 02 00 10 08 00 00
- 300G
00 - The previous code loads block 8 of the /RAM5 disk to $1000..$11FF
- 116C: 22 -> AF
- 1170: 22 -> AF
- 1174: 8D -> AD
- 1177: 22 -> AF
$116C is the entry point as the offset is $0127 + segment description.
- 303: 02
- 300G
00 - We have written block 8 back to disk
Return to the Finder, copy the file wherever you want and your backup copy is ready...
Oh! My first IIgs protection removal
toinet |
|