toinet
Joined: 15 Jun 2007  Posts: 326  Location: Paris, France
Posted: Wed 12 Nov 2008, 17:51  Subject: Hold-Up (Infogrames, 1985)
I will start a new thread dedicated to Hold-Up, a French adventure game written and protected by Emile Nguyen Van Huong.
Emile was well known in the underground scene up to the mid-eighties; he was a good cracker, and the level of the protection in Hold-Up is high.
He was helped in that task by the world-famous JPL (who is he?) and... let me ask a personal question: who is F. BERNARD?
I have never seen such a high level of memory and on-disk protection. Try to change one byte in a load routine and you will get other data loaded into memory. That is fantastic...
As somebody told me once, "it is not difficult, it takes time". I would correct: "It is quite difficult and takes a lot of time".
On-disk pointers, checksums everywhere, spiralling. Pffooouuuu.
I think I NOW have the right code of the boot1 and boot2 stages. But I would like to thank Emile for the private message: "hi, if crack=1 then print "if you want to crack this soft then sleepless nights guaranteed!" Earth proverb: a man forewarned is worth two. one bit can hide another."
Grreeeaaattttt.
Antoine
11/2008
Last edited by toinet on Sun 16 Nov 2008, 19:07; edited 1 time
jvernet
Joined: 18 Aug 2007  Posts: 105
Posted: Sat 15 Nov 2008, 22:53
Good luck, then; looking forward to reading more from you!
toinet
Posted: Sun 16 Nov 2008, 8:20
First of all, let me list the protections of the game. Note that only half of the program is loaded...
The PROTECTIONS
- encoded bytes (boot 1 stage, $0800)
- 4*4 encoded nibbles (everywhere)
- jump addresses encoded into nibbles
- nibble count (track $0)
- reserved buffers usage (stack, keyboard, text areas)
- ...and there's more to come...
Boot STAGES
- boot1 loads at $0800..$08FF
- boot2 loads at $0400..$07FF
- boot3 moves at $0200..$02FF
- boot4 loads at $0400..$07FF
- boot5 loads at $4000..$BFFF
- (soon to come) boot6 loads at $0400..$3FFF
Memory USAGE
Once the program is in memory, memory usage is from $0400 to $BFFF.
antoine
11/2008
Last edited by toinet on Sun 16 Nov 2008, 8:57; edited 1 time
toinet
Posted: Sun 16 Nov 2008, 8:28
Boot1 stage / $0800..$08FF / Track 0 / Sector 0
The following code is the original boot 1 code which loads at $0800..$08FF:
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $800
mx %11
lst off
*-----------
L0800 HEX 01
STX $90 ; slot*16
LDX #$0F
LDA L0800,X
EOR $27 ; RAM ptr is $09
L080A STA L0800,X ; once T0/S0 was loaded
INX
BNE L080A+2
* The data to decode...
HEX 25F6C62588C92588C92507C9250BC925
HEX 0DC92501C9A0EB84FB0AA00184FA0A40
HEX AC84FD0AA9098DA88D988D35ABF693A0
HEX 09AB298F349835C1D9F2EF34C3D9FFAF
HEX 998C28255DC9255EC9255BC92559C9B4
HEX 85C919F240C7D9FEB485C919F2C0DAD9
HEX FAB485C919F2C09DD9E329C8018C2B29
HEX C8018C34116C2B8C2B9141B485C919F2
HEX 31238C29614C288C28AC34CC2BF918B4
HEX 85C919F22C29983541C1D9D6EF34D9D2
HEX B485C919F22C294C28D92EE7C9014509
HEX 0AB485C919F231238C29B485C919F22C
HEX 2969474E5C504C47295F484729415C46
HEX 47CEA9EB90090181D9F32926F245AFF3
HEX 29214A202940474F464E5B48444C5AA9
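To see what the `EOR $27` loop above actually does to the sector, here is an added Python emulation (my code, not toinet's and not the game's). It assumes a key of $09 at $27, as the thread states, and that the 16-byte prologue assembles to the standard 6502 opcodes given in the comment; the 240 data bytes are the HEX lines exactly as posted. It reproduces the trick hinted at by `BNE L080A+2`: the loop starts at X=$0F, so the first byte it rewrites is the BNE's own displacement, turning a branch into the middle of `STA L0800,X` into the real loop branch back to `LDA L0800,X`. The decoded bytes match the listing toinet posts next (BIT $CFFF first, the $08E2 reset vector, the trailing "(C) INFOGRAMES" text).

```python
# Added example (not code from the thread): emulate the self-decoding prologue of
# Hold-Up's boot1 sector (T0/S0, loaded at $0800) with the key $09 found at $27.
# The 16 prologue bytes are my hand-assembly of the listing's first instructions
# (assumption: standard 6502 opcodes); the 240 data bytes are the HEX lines as posted.
from typing import Optional

KEY = 0x09  # value of $27 when the boot ROM hands over, per the thread

# $0800..$080F: 01 / STX $90 / LDX #$0F / LDA $0800,X / EOR $27 / STA $0800,X / INX / BNE $080C
PROLOGUE = bytes.fromhex("01" "8690" "A20F" "BD0008" "4527" "9D0008" "E8" "D0FC")

DATA_HEX = """
25F6C62588C92588C92507C9250BC925
0DC92501C9A0EB84FB0AA00184FA0A40
AC84FD0AA9098DA88D988D35ABF693A0
09AB298F349835C1D9F2EF34C3D9FFAF
998C28255DC9255EC9255BC92559C9B4
85C919F240C7D9FEB485C919F2C0DAD9
FAB485C919F2C09DD9E329C8018C2B29
C8018C34116C2B8C2B9141B485C919F2
31238C29614C288C28AC34CC2BF918B4
85C919F22C29983541C1D9D6EF34D9D2
B485C919F22C294C28D92EE7C9014509
0AB485C919F231238C29B485C919F22C
2969474E5C504C47295F484729415C46
47CEA9EB90090181D9F32926F245AFF3
29214A202940474F464E5B48444C5AA9
"""


def boot1_sector() -> bytes:
    """The 256 bytes of track 0, sector 0 as the boot ROM leaves them at $0800."""
    page = PROLOGUE + bytes.fromhex("".join(DATA_HEX.split()))
    if len(page) != 256:
        raise ValueError(f"expected 256 bytes, got {len(page)}")
    return page


def decode_page(page: bytes, key: int = KEY) -> bytes:
    """Run the loop at $0805: for X = $0F..$FF, page[X] ^= key.
    X starts at $0F, so the very first byte rewritten is the BNE's own displacement
    ($FC -> $F5): on disk the branch points into the middle of STA $0800,X at $080C,
    and only after this first iteration does it point at LDA $0800,X at $0805."""
    out = bytearray(page)
    for x in range(0x0F, 0x100):
        out[x] ^= key
    return bytes(out)


def branch_target(page: bytes, bne_offset: int, base: int = 0x0800) -> int:
    """Resolve a relative branch whose opcode sits at base + bne_offset."""
    disp = page[bne_offset + 1]
    if disp >= 0x80:
        disp -= 0x100
    return (base + bne_offset + 2 + disp) & 0xFFFF


def reset_vector(decoded: bytes) -> Optional[int]:
    """Find 'LDA #lo / STA $03F2 / LDA #hi / STA $03F3' in the decoded page and
    return the address it installs in SOFTEV (the reset vector)."""
    for i in range(len(decoded) - 10):
        if (decoded[i] == 0xA9 and decoded[i + 2:i + 5] == b"\x8D\xF2\x03"
                and decoded[i + 5] == 0xA9 and decoded[i + 7:i + 10] == b"\x8D\xF3\x03"):
            return (decoded[i + 6] << 8) | decoded[i + 1]
    return None


def apple_ascii(b: bytes) -> str:
    """Apple II text with the high bit stripped (the listing's ASC "G" form)."""
    return "".join(chr(c & 0x7F) for c in b)


if __name__ == "__main__":
    raw = boot1_sector()
    dec = decode_page(raw)
    print(f"BNE on disk -> ${branch_target(raw, 0x0E):04X}, after decode -> ${branch_target(dec, 0x0E):04X}")
    print("first decoded bytes:", " ".join(f"{b:02X}" for b in dec[0x10:0x13]))  # BIT $CFFF
    print(f"reset vector installed: ${reset_vector(dec):04X}")
    print("tail text:", repr(apple_ascii(dec[-16:])))
```

Running it prints the branch retargeting ($080C on disk, $0805 once decoded), `2C FF CF` as the first real instruction, the $08E2 reset vector and the trailing copyright text, which is a cheap way to confirm that a transcription of the sector is byte-exact before spending time on the later stages.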
toinet
Posted: Sun 16 Nov 2008, 8:29
Boot1 stage / $0800..$08FF / Track 0 / Sector 0
The following code is the decoded boot 1 code which loads at $0800..$08FF. The value of the key located at $27 is $09.
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $800
mx %11
lst off
*-----------
SOFTEV EQU $03F2
PWREDUP EQU $03F4
RDMAINRAM EQU $C002
WRMAINRAM EQU $C004
SETSTDZP EQU $C008
CLRALTCHAR EQU $C00E
TXTCLR EQU $C050
MIXCLR EQU $C052
TXTPAGE1 EQU $C054
HIRES EQU $C057
ROMIN2 EQU $C081
CLRROM EQU $CFFF
PWRUP EQU $FAA6
INIT EQU $FB2F
*-----------
L0800 HEX 01
STX $90
LDX #$0F
L0805 LDA L0800,X
EOR $27
STA L0800,X
INX
BNE L0805
* The data once decoded...
BIT CLRROM ; main RAM & co
BIT ROMIN2
BIT ROMIN2
BIT CLRALTCHAR
BIT RDMAINRAM
BIT WRMAINRAM
BIT SETSTDZP
LDA #<L08E2 ; reset vector
STA SOFTEV
LDA #>L08E2
STA SOFTEV+1
EOR #$A5
STA PWREDUP
LDY #$00
STY $A1
STY $91
STY $3C
LDX #$FF ; set stack pointer
TXS
LDA #$00 ; clear HGR page
LDX #$20
STX $3D
L0845 STA ($3C),Y
INY
BNE L0845
INC $3D
DEX
BNE L0845
LDX $90 ; slot*16
STA $21 ; checksum = 0
BIT TXTPAGE1 ; HGR
BIT HIRES
BIT MIXCLR
BIT TXTCLR
L085F LDA $C08C,X
BPL L085F
L0864 EOR #$CE ; 1st marker
BNE L085F
L0868 LDA $C08C,X
BPL L0868
CMP #$D3 ; 2nd marker
BNE L0864
L0871 LDA $C08C,X
BPL L0871
CMP #$94 ; 3rd marker
BNE L0864
JSR L08C1 ; read 2 4*4 nibbles
STA $22 ; nb pages
JSR L08C1 ; read 2 4*4 nibbles
STA $3D ; RAM
CLC
ADC $22 ; RAM ptr + nb pages
STA $22 ; = end of RAM ptr
TYA ; begin with 0
PHA
* Read 4*4 data
L088B LDA $C08C,X ; read one nibble
BPL L088B
SEC
ROL
STA $20 ; first 4*4 data
PLA
EOR $21 ; checksum
STA $21
LDA $3D ; End of buffer?
CMP $22
BEQ L08B0
L089F LDA $C08C,X ; Read second half 4*4
BPL L089F
AND $20
STA ($3C),Y ; save resulting byte
PHA ; use it for the checksum
INY ; on entry Y=0
BNE L088B
INC $3D ; next page
BNE L088B
* All data have been read
L08B0 LDA $C08C,X ; Get checksum
BPL L08B0
AND $20 ; 4*4
EOR $21 ; check checksum
BNE L08E2 ; Bad checksum
INC L08BE+2 ; If OK...
L08BE JMP $0300 ; ...jump to $0400
* Read nibble, return a byte
L08C1 LDA $C08C,X
BPL L08C1
SEC
ROL
STA $20
L08CA LDA $C08C,X
BPL L08CA
AND $20
RTS
* First message...
ASC 'NGUYEN VAN HUON'
ASC "G"
* Reset...
L08E2 LDY #$E2
L08E4 STA L0800,Y
DEY
BNE L08E4
JSR INIT
JMP PWRUP
* Second message...
ASC ' (C) INFOGRAMES'
ASC " "
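The read loop L088B..L08B0 (with its helper L08C1) is a 4-and-4 nibble reader with a running EOR checksum; boot4's L04F7 loop and L0559 helper later in the thread are the same scheme with different zero-page cells. The following Python model is an added example, not code from the thread: it encodes a constructed set of pages the way the loader expects them (markers CE D3 94, page count, load page, data, checksum), reads the stream back exactly as boot1 does, and shows the path a single flipped bit takes (the checksum mismatch that sends boot1 to its reset code at L08E2). The marker scan is simplified to a plain sliding window; the real code re-examines a failing nibble as a possible first marker.

```python
# Added example (not code from the thread): the 4-and-4 ("4*4") nibble scheme and
# running EOR checksum used by boot1's read loop (L088B..L08B0, helper L08C1) and
# boot4's loop (L04F7..L0529, helper L0559). Stream layout follows boot1: three
# marker nibbles, page count, load page, data, checksum. Sample data is constructed.
from typing import List, Optional, Tuple

MARKERS = (0xCE, 0xD3, 0x94)  # boot1's 1st/2nd/3rd marker


def encode_44(data: bytes) -> List[int]:
    """Standard Apple II 4-and-4: byte -> (odd bits | $AA, even bits | $AA), so every
    nibble written to disk has its high bit set and never two 0 bits in a row."""
    out: List[int] = []
    for b in data:
        out.append(((b >> 1) | 0xAA) & 0xFF)
        out.append((b | 0xAA) & 0xFF)
    return out


def decode_44(n1: int, n2: int) -> int:
    """What L08C1 does: SEC / ROL on the first nibble, then AND with the second."""
    return (((n1 << 1) | 1) & 0xFF) & n2


def build_stream(load_page: int, data: bytes) -> List[int]:
    """Constructed nibble stream in the order boot1 consumes it."""
    if len(data) % 256:
        raise ValueError("boot1 loads whole pages")
    acc = 0
    for b in data:
        acc ^= b  # the value boot1 accumulates in $21
    stream = list(MARKERS)
    stream += encode_44(bytes([len(data) // 256, load_page]))
    stream += encode_44(data)
    stream += encode_44(bytes([acc]))
    return stream


def loader_read(stream: List[int]) -> Optional[Tuple[int, bytes]]:
    """Emulate boot1 from the marker search to the checksum test. Returns
    (load page, bytes), or None when the checksum fails: that is the BNE L08E2
    path, where boot1 wipes $0800..$08E2 and restarts the machine."""
    i = 0
    while i + 3 <= len(stream) and tuple(stream[i:i + 3]) != MARKERS:
        i += 1
    if i + 3 > len(stream):
        return None
    pos = i + 3

    def read44() -> int:
        nonlocal pos
        b = decode_44(stream[pos], stream[pos + 1])
        pos += 2
        return b

    nb_pages = read44()                          # STA $22
    load_page = read44()                         # STA $3D
    end_page = (load_page + nb_pages) & 0xFF     # ADC $22 / STA $22
    data = bytearray()
    acc = 0                                      # $21, cleared before the search
    page = load_page
    while page != end_page:                      # LDA $3D / CMP $22 / BEQ L08B0
        for _ in range(256):
            b = read44()
            data.append(b)                       # STA ($3C),Y
            acc ^= b                             # PHA ... PLA / EOR $21 / STA $21
        page = (page + 1) & 0xFF                 # INC $3D
    if read44() != acc:                          # AND $20 / EOR $21 / BNE L08E2
        return None
    return load_page, bytes(data)


if __name__ == "__main__":
    sample = bytes((i * 37 + 11) & 0xFF for i in range(512))   # two constructed pages
    good = build_stream(0x04, sample)
    print("clean stream loads correctly:", loader_read(good) == (0x04, sample))
    bad = list(good)
    bad[8] ^= 0x01   # flip one bit in the second nibble of the first data byte
    print("one flipped bit ->", loader_read(bad))   # None: checksum mismatch
```

The checksum is only a one-byte EOR, so it catches the single-bit damage shown here but not every multi-byte change; what makes the game hard to patch is not the checksum's strength but that every stage recomputes it over data it then jumps into.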
toinet
Posted: Sun 16 Nov 2008, 8:32
Original boot2 stage / $0400..$07FF / Track 0
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $400
mx %11
lst off
*-----------
SOFTEV EQU $03F2
PWREDUP EQU $03F4
AMPERV EQU $03F5
USRADR EQU $03F8
NMILOC EQU $03FB
IRQLOC EQU $03FE
TXTSET EQU $C051
TXTPAGE2 EQU $C055
ROMIN2 EQU $C081
LCBANK2 EQU $C083
CLRROM EQU $CFFF
PWRUP EQU $FAA6
INIT EQU $FB2F
HOME EQU $FC58
IRQV EQU $FFFE
L0100 = $0100
L0200 = $0200
L0300 = $0300
L0800 = $0800
*-----------
L0400 TSX ; $FF
INX ; $00
BNE L0437
TXA ; X=A=0
L0405 STA L0100,X ; clear stack + buffer
STA L0200,X
INX
BNE L0405
LDX #$60
STX $27
JSR L0763 ; $26 <= A=$00, X=$60, $0A <= Y=$00
L0415 LDA #$EE ; put $EE
STA ($26),Y ; from $6000
TYA ; to $BFFF
CLC ; step $10
ADC #$10
TAY
BNE L0415
INC $27
DEX
BNE L0415
LDX #$40 ; clear HGR
STX $27
LDX #$20
L042B STA ($26),Y
INY
BNE L042B
DEC $27
DEX
BNE L042B
BEQ L043A ; X=0
L0437 JMP PWRUP
L043A STA L0800 ; 0
BEQ L0440
INX
L0440 INX ; X=1
BNE L044F ; ...Go there
BEQ L0446
DB $24 ; BIT
L0446 DB $0A ; ASL or mask ;-)
INC L044C+2
BNE L044C
L044C JMP (SOFTEV)
*-----------
* Copy $0800..$08FF
* to $0200..$02FF
* Replace $08 with $02
L044F INC L0455
EOR L0400
L0455 CMP L0455 ; CD (CMP) -> CE (DEC) -> CD(CMP)
L0458 INY ; Y=0
BEQ L0474
LDA L0800,Y ; Get original boot1 code
ORA L0100,Y ; ORA with zeroes
EOR L0200,Y ; EOR with zeroes
STA L0200,Y ; Save result
CMP #$08 ; unless value is $08
BNE L0458
EOR L0446 ; 00001000 v 00001010 = 00000010
STA L0200,Y ; replace it with $02
JMP L0458 ; loop
*-----------
* Code to decipher
L0474 LDY #L0482-L0400
LDA L0400,Y
EOR L0400,X
STA L0400,Y
INX
INY
DB $D0 ; BNE
L0482 HEX 1B3E8E88344C8C26028E54D219C762AA
HEX 68228DBAAB48019B14D879EBE1422511
HEX 9A4610E059FD0AE7B2DB2CAA08C0000F
HEX B53ADA18E0029C54149C01D81DA8E865
HEX 240F7DF027A26B6FA6D8864E5BA37F74
HEX CC9DFBE2EF9FD43E3ED9BB20F31D6C93
HEX 5D5451D420449B479D4D6D0056D84E41
HEX 09F848F9CDF7A01DD8BAB9990181
L0500 DB $25
*-----------
LDA #$00 ; No wildcards
STA $03F0 ; could survive!!
STA SOFTEV
STA AMPERV+1
STA USRADR+1
STA NMILOC
STA IRQLOC
LDA #$03
STA $03F1
STA SOFTEV+1
STA AMPERV+2
STA USRADR+2
STA NMILOC+1
STA IRQLOC+1
EOR #$A5
STA PWREDUP
BIT TXTSET
STA TXTPAGE2
LDX #$D0 ; clear $D000..$FFFF
STX $22
BIT ROMIN2
BIT ROMIN2
L053E LDA ($21),Y
STA ($21),Y
INY
BNE L053E
INC $22
BNE L053E
STA LCBANK2
STA LCBANK2
LDA #$03
STA IRQV+1
LDA #$00
STA IRQV
TAX ; Copy reset code
TAY
L055B LDA L0591,Y
STA L0300,X
INX
INY
CPY #L05CA-L0591
BNE L055B
*-----------
LDY #$0B ; Patch load routine
LDA #$EA
L056B STA L0200+$53,Y
DEY
BNE L056B
TSX
LDY L0100,X
CPY $25
BNE L058E
LDA $FA78 ; $F8 11111000
EOR #$B1 ; $B1 10110001
STA $25 ; $49 01001001
BEQ L058E
EOR $25 ; $49 01001001
TAY ; $00
LDX $90
DEC $02C0 ; Bingo
STX CLRROM
RTS ; A=Y=0, X=60
L058E JMP L0300
*-----------
* The RESET code
L0591 LDY #$00 ; 300
LDA #$49 ; Infogrames
L0595 STA L0200,Y
STA $0400,Y
STA $0500,Y
STA $0600,Y
STA $0700,Y
INY
BNE L0595
STY $90 ; Clear all RAM
LDA #>L0800
STA $91
LDX #$B8
L05AF STA ($90),Y
INY
INY
BNE L05AF
INC $91
DEX
BNE L05AF
JSR INIT
JSR HOME
JMP $FAA9 ; ...END OF $300
ASC 'SALUT '
ASC "!"
L05CA ASC 'IF CRACK = 1 THEN PRINT "SI TOI VOULOIR '
ASC 'DEPLOMBE'
ASC "R"
ASC ' CE SOF'
ASC "T"
ASC ' ALORS INSOMNIES CERTAINES !'
ASC ""A2""
ASC 'Proverbe terrien:'
ASC " "
ASC 'UN HOMME AVERTI EN VAUT DEUX. UN BIT PEU'
ASC 'T EN CACHER UN AUTRE'
ASC "."
ASC ' '
ASC " "
ASC 'PROTECTION'
ASC ":"
ASC ' Emile NGUYEN VAN HUONG'
ASC " "
************
ASC 'avec la collaboration de J.P.L'
ASC "."
************
ASC 'HOLD-U'
ASC "P"
ASC ' COPYRIGHT 1985 PAR INFOGRAMES'
ASC "."
ASC ' '
ASC " "
ASC 'EOR PAGES,Y INY BNE EOR CMP LOC1 BNE BUG'
ASC 'GIN'
ASC "G"
ASC 'EOR $100,X INX BNE PAGE1 EOR LOC2 PHA BN'
ASC 'E PUTBU'
ASC "G"
*-----------
L0763 LDX #$60 ; Some hidden inits
STA $26
LDY #$00
STY $0A
RTS
DB $20
DB $03
DB $61
DB $20
DB $03
DB $85
DB $A6
DB $FA
DS $5C
*-----------
* A BIG THANK YOU TO F.BERNARD (the bytes below spell "UN GRAND MERCI A F.BERNARD", A=1)
ASC ' '150E
ASC ' '0712010E04
ASC ' '0D05120309
ASC ' '01
ASC ' '06
ASC '.'0205120E011204
ASC ' '
DS 8
The question is: who is F. Bernard?
toinet
Posted: Sun 16 Nov 2008, 8:33
Decoded boot2 stage / $0400..$07FF / Track 0
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $400
mx %11
lst off
*-----------
SOFTEV EQU $03F2
PWREDUP EQU $03F4
AMPERV EQU $03F5
USRADR EQU $03F8
NMILOC EQU $03FB
IRQLOC EQU $03FE
TXTSET EQU $C051
TXTPAGE2 EQU $C055
ROMIN2 EQU $C081
LCBANK2 EQU $C083
CLRROM EQU $CFFF
PWRUP EQU $FAA6
INIT EQU $FB2F
HOME EQU $FC58
IRQV EQU $FFFE
L0100 = $0100
L0200 = $0200
L0300 = $0300
L0800 = $0800
*-----------
L0400 TSX ; $FF
INX ; $00
BNE L0437
TXA ; X=A=0
L0405 STA L0100,X ; clear stack + buffer
STA L0200,X
INX
BNE L0405
LDX #$60
STX $27
JSR L0763 ; $26 <= A=$00, X=$60, $0A <= Y=$00
L0415 LDA #$EE ; put $EE
STA ($26),Y ; from $6000
TYA ; to $BFFF
CLC ; step $10
ADC #$10
TAY
BNE L0415
INC $27
DEX
BNE L0415
LDX #$40 ; clear HGR
STX $27
LDX #$20
L042B STA ($26),Y
INY
BNE L042B
DEC $27
DEX
BNE L042B
BEQ L043A ; X=0
L0437 JMP PWRUP
L043A STA L0800 ; 0
BEQ L0440
INX
L0440 INX ; X=1
BNE L044F ; ...Go there
BEQ L0446
DB $24 ; BIT
L0446 DB $0A ; ASL or mask ;-)
INC L044C+2
BNE L044C
L044C JMP (SOFTEV)
*-----------
* Copy $0800..$08FF
* to $0200..$02FF
* Replace $08 with $02
L044F INC L0455
EOR L0400
L0455 CMP L0455 ; CD (CMP) -> CE (DEC) -> CD(CMP)
L0458 INY ; Y<>0
BEQ L0474
LDA L0800,Y ; Get original boot1 code
ORA L0100,Y ; ORA with zeroes
EOR L0200,Y ; EOR with zeroes
STA L0200,Y ; Save result
CMP #$08 ; unless value is $08
BNE L0458
EOR L0446 ; 00001000 v 00001010 = 00000010
STA L0200,Y ; replace it with $02
JMP L0458 ; loop
*-----------
* Code to decipher
L0474 LDY #L0481-L0400+1
L0476 LDA L0400,Y
EOR L0400,X
STA L0400,Y
INX
INY
L0481 BNE L0476
INC $02BD ; Bingo
LDA #$4C ; Bingo
STA $02BB
STY $02BC ; 00
INC $0265 ; Bingo
DB $2C
L0492 DA $024F ; Jump address
INC $02BD ; Bingo
*-----------
* The hidden nibble count
LDX $90
L0499 LDA $C08C,X
BPL L0499
EOR #$92 ; Find first $92
BNE L0499
L04A2 LDA $C08C,X
BPL L04A2
L04A7 LDA $C08C,X
BPL L04A7
L04AC LDA $C08C,X
BPL L04AC
CMP #$92 ; Find second $92
BEQ L04BF
INC $0110 ; and count nibbles
BNE L04AC
INC $0111
BNE L04AC
L04BF LDA #$00
STA PWREDUP
STA $03F1
TAY ; Y=00
STA $21 ; A=00
LDX #>L0800 ; Clear $0800..$08FF
STX $22
LDA #$A0 ; with SPACE
L04D0 STA ($21),Y
INY
BNE L04D0
INC $22
DEX
BNE L04D0
DEC $02C0 ; Bingo
JSR L04FB ; Another init
JMP (L0492) ; Next stage $024F...
*-----------
* Message from TSM = The SoftMan
ASC 'TSM FROM'
ASC " "
ASC ' FRANCE'
ASC " "
ASC 'LYON'
ASC " "
DB $19
DB $85
L04FB TSX
LDA $0100,X
STA $25
LDA #$00 ; No wildcards
STA $03F0 ; could survive!!
STA SOFTEV
STA AMPERV+1
STA USRADR+1
STA NMILOC
STA IRQLOC
LDA #$03
STA $03F1
STA SOFTEV+1
STA AMPERV+2
STA USRADR+2
STA NMILOC+1
STA IRQLOC+1
EOR #$A5
STA PWREDUP
BIT TXTSET
STA TXTPAGE2
LDX #$D0 ; clear $D000..$FFFF
STX $22
BIT ROMIN2
BIT ROMIN2
L053E LDA ($21),Y
STA ($21),Y
INY
BNE L053E
INC $22
BNE L053E
STA LCBANK2
STA LCBANK2
LDA #$03
STA IRQV+1
LDA #$00
STA IRQV
TAX ; Copy reset code
TAY
L055B LDA L0591,Y
STA L0300,X
INX
INY
CPY #L05CA-L0591
BNE L055B
*-----------
LDY #$0B ; Patch load routine
LDA #$EA
L056B STA L0200+$53,Y
DEY
BNE L056B
TSX
LDY L0100,X
CPY $25
BNE L058E
LDA $FA78 ; $F8 11111000
EOR #$B1 ; $B1 10110001
STA $25 ; $49 01001001
BEQ L058E
EOR $25 ; $49 01001001
TAY ; $00
LDX $90
DEC $02C0 ; Bingo
STX CLRROM
RTS ; A=Y=0, X=60
L058E JMP L0300
*-----------
* The RESET code
L0591 LDY #$00 ; 300
LDA #$49 ; Infogrames
L0595 STA L0200,Y
STA $0400,Y
STA $0500,Y
STA $0600,Y
STA $0700,Y
INY
BNE L0595
STY $90 ; Clear all RAM
LDA #>L0800
STA $91
LDX #$B8
L05AF STA ($90),Y
INY
INY
BNE L05AF
INC $91
DEX
BNE L05AF
JSR INIT
JSR HOME
JMP $FAA9 ; ...END OF $300
ASC 'SALUT '
ASC "!"
L05CA ASC 'IF CRACK = 1 THEN PRINT "SI TOI VOULOIR '
ASC 'DEPLOMBE'
ASC "R"
ASC ' CE SOF'
ASC "T"
ASC ' ALORS INSOMNIES CERTAINES !'
ASC ""A2""
ASC 'Proverbe terrien:'
ASC " "
ASC 'UN HOMME AVERTI EN VAUT DEUX. UN BIT PEU'
ASC 'T EN CACHER UN AUTRE'
ASC "."
ASC ' '
ASC " "
ASC 'PROTECTION'
ASC ":"
ASC ' Emile NGUYEN VAN HUONG'
ASC " "
************
ASC 'avec la collaboration de J.P.L'
ASC "."
************
ASC 'HOLD-U'
ASC "P"
ASC ' COPYRIGHT 1985 PAR INFOGRAMES'
ASC "."
ASC ' '
ASC " "
ASC 'EOR PAGES,Y INY BNE EOR CMP LOC1 BNE BUG'
ASC 'GIN'
ASC "G"
ASC 'EOR $100,X INX BNE PAGE1 EOR LOC2 PHA BN'
ASC 'E PUTBU'
ASC "G"
*-----------
L0763 LDX #$60 ; Some hidden inits
STA $26
LDY #$00
STY $0A
RTS
DB $20
DB $03
DB $61
DB $20
DB $03
DB $85
DB $A6
DB $FA
DS $5C
*-----------
* A BIG THANK YOU TO F.BERNARD (the bytes below spell "UN GRAND MERCI A F.BERNARD", A=1)
ASC ' '150E
ASC ' '0712010E04
ASC ' '0D05120309
ASC ' '01
ASC ' '06
ASC '.'0205120E011204
ASC ' '
DS 8
Still no answer for F. Bernard? And who is "JPL"??????????????????
toinet
Posted: Sun 16 Nov 2008, 8:36
Original boot3 (boot 2b) stage / $0200..$02FF
That is a hack of the $0800..$08FF page which requires some updates (see next message)
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $200
mx %11
lst off
*-----------
SOFTEV EQU $03F2
PWREDUP EQU $03F4
RDMAINRAM EQU $C002
WRMAINRAM EQU $C004
CLRALTCHAR EQU $C00E
TXTCLR EQU $C050
MIXCLR EQU $C052
TXTPAGE1 EQU $C054
HIRES EQU $C057
ROMIN2 EQU $C081
CLRROM EQU $CFFF
PWRUP EQU $FAA6
INIT EQU $FB2F
*-----------
L0200 HEX 00
STX $90
LDX #$0F
L0205 LDA L0200,X
EOR $27
STA L0200,X
INX
BNE L0205
BIT CLRROM
BIT ROMIN2
BIT ROMIN2
BIT CLRALTCHAR
BIT RDMAINRAM
BIT WRMAINRAM
BIT RDMAINRAM
LDA #$E2
STA SOFTEV
LDA #$02
STA SOFTEV+1
EOR #$A5
STA PWREDUP
LDY #$00
STY $A1
STY $91
STY $3C
LDX #$FF
TXS
LDA #$00
LDX #$20
STX $3D
L0245 STA ($3C),Y
INY
BNE L0245
INC $3D
DEX
BNE L0245
LDX $90
STA $21
BIT TXTPAGE1
BIT HIRES
BIT MIXCLR
BIT TXTCLR
L025F LDA $C08C,X
BPL L025F
L0264 EOR #$CE
BNE L025F
L0268 LDA $C08C,X
BPL L0268
CMP #$D3
BNE L0264
L0271 LDA $C08C,X
BPL L0271
CMP #$94
BNE L0264
JSR L02C1
STA $22
JSR L02C1
STA $3D
CLC
ADC $22
STA $22
TYA
PHA
L028B LDA $C08C,X
BPL L028B
SEC
ROL
STA $20
PLA
EOR $21
STA $21
LDA $3D
CMP $22
BEQ L02B0
L029F LDA $C08C,X
BPL L029F
AND $20
STA ($3C),Y
PHA
INY
BNE L028B
INC $3D
BNE L028B
L02B0 LDA $C08C,X
BPL L02B0
AND $20
EOR $21
BNE L02E2
INC L02BE+2
L02BE JMP $0300
L02C1 LDA $C08C,X
BPL L02C1
SEC
ROL
STA $20
L02CA LDA $C08C,X
BPL L02CA
AND $20
RTS
ASC 'NGUYEN VAN HUON'
ASC "G"
L02E2 LDY #$E2
L02E4 STA L0200,Y
DEY
BNE L02E4
JSR INIT
JMP PWRUP
ASC ' (C) INFOGRAMES'
ASC " "
toinet
Posted: Sun 16 Nov 2008, 8:41
Decoded boot3 (boot 2b) stage / $0200..$02FF
That is a hack of the $0800..$08FF page which requires some updates (see next message)
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $200
mx %11
lst off
*-----------
SOFTEV EQU $03F2
PWREDUP EQU $03F4
RDMAINRAM EQU $C002
WRMAINRAM EQU $C004
CLRALTCHAR EQU $C00E
TXTCLR EQU $C050
MIXCLR EQU $C052
TXTPAGE1 EQU $C054
HIRES EQU $C057
ROMIN2 EQU $C081
CLRROM EQU $CFFF
PWRUP EQU $FAA6
INIT EQU $FB2F
*-----------
* Refer to HU.0800.D
L0200 HEX 00
STX $90
LDX #$0F
L0205 LDA L0200,X
EOR $27 ; Was $09
STA L0200,X
INX
BNE L0205
BIT CLRROM
BIT ROMIN2
BIT ROMIN2
BIT CLRALTCHAR
BIT RDMAINRAM
BIT WRMAINRAM
BIT RDMAINRAM
LDA #$E2
STA SOFTEV
LDA #$02
STA SOFTEV+1
EOR #$A5
STA PWREDUP
LDY #$00
STY $A1
STY $91
STY $3C
LDX #$FF
TXS
LDA #$00
LDX #$20
STX $3D
L0245 STA ($3C),Y
INY
BNE L0245
INC $3D
DEX
BNE L0245
*-----------
* The real entry point
L024F LDX $90 ; A=0, X=60, Y=0
STA $21
BIT $EAEA
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
L025F LDA $C08C,X
BPL L025F
L0264 EOR #$CF ; Changed from #$CE
BNE L025F
L0268 LDA $C08C,X
BPL L0268
CMP #$D3
BNE L0264
L0271 LDA $C08C,X
BPL L0271
CMP #$94
BNE L0264
JSR L02C1 ; Get 4*4 byte
STA $22 ; nb pages
JSR L02C1 ; Get 4*4 byte
STA $3D ; RAM pointer
CLC
ADC $22
STA $22 ; end RAM pointer
TYA
PHA
L028B LDA $C08C,X
BPL L028B
SEC
ROL
STA $20
PLA
EOR $21
STA $21
LDA $3D ; End buffer?
CMP $22
BEQ L02B0
L029F LDA $C08C,X
BPL L029F
AND $20
STA ($3C),Y
PHA
INY
BNE L028B
INC $3D
BNE L028B
L02B0 LDA $C08C,X
BPL L02B0
AND $20
EOR $21 ; checksum
BNE L02E2
JMP $0400 ; Next stage (A=0, X=60, Y=0)
JMP $0100 ; Changed from $0300
*-----------
* Read 2 4*4
* Make 1 8
L02C1 LDA $C08C,X
BPL L02C1
SEC
ROL
STA $20
L02CA LDA $C08C,X
BPL L02CA
AND $20
RTS
*-----------
* The author
ASC 'NGUYEN VAN HUON'
ASC "G"
*-----------
* The reset
L02E2 LDY #$E2
L02E4 STA L0200,Y
DEY
BNE L02E4
JSR INIT
JMP PWRUP
*-----------
* Blah blah
ASC ' (C) INFOGRAMES'
ASC " "
One marker is changed and the next load stage is to be loaded.
Last edited by toinet on Sun 16 Nov 2008, 8:43; edited 1 time
toinet
Posted: Sun 16 Nov 2008, 8:43
Original boot4 stage / $0400..$07FF
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $400
mx %11
lst off
*-----------
* MUST BE SET:
* $0A: #$00
* $90: #$60
* $91: #$00
* $A1: #$00
*
*-----------
L0400 JMP L0428 ; Read data
L0403 JMP L0671 ; Move one track
L0406 JMP L0672 ; Move half track
*-----------
* Hello!
ASC ' PROTECTED BY NGUYEN VAN HUONG'
ASC " "
*-----------
* Read one track
L0428 LDX $90
LDA $C089,X
LDA #$00
STA $3E
INC $A1 ; track number (on entry: 0)
LDA $A1
JSR L0671 ; move to track
TSX
LDA $0100,X
STA $20
*-----------
* Set all markers
LDX $90 ; slot*16
LDY $0A ; marker index (on entry: 0)
LDA L0635,Y
STA $00
LDA L0635+1,Y
STA $05
LDA L0635+3,Y
STA $03
LDA #$D3 ; Oops ?
STA $04
LDA #$FF ; Oops ?
STA $09
TAY
L045A DEY
BNE L045D
L045D LDA $C08C,X
BPL L045D
L0462 CMP #$94 ; 1st marker
BNE L045A
L0466 LDA $C08C,X
BPL L0466
CMP $00 ; 2nd marker
BNE L0462
L046F LDA $C08C,X
BPL L046F
CMP #$96 ; 3rd marker
BNE L0462
L0478 LDA $C08C,X
BPL L0478
CMP #$94 ; 4th marker
BNE L0462
L0481 LDA $C08C,X
BPL L0481
CMP $05 ; 5th marker
BNE L0462
L048A LDA $C08C,X
BPL L048A
STA $01 ; read
NOP
L0492 LDA $C08C,X
BPL L0492
STA $02 ; read a marker
L0499 LDA $C08C,X
BPL L0499
L049E CMP $03 ; 6th marker
BNE L0462
L04A2 LDA $C08C,X
BPL L04A2
CMP #$D3 ; 7th marker
BNE L049E
L04AB LDA $C08C,X
BPL L04AB
CMP $02 ; compare with previously read
BNE L049E
SEC
ROL
STA $08
TSX
LDA $20
CMP $0100,X
BNE L051C
LDX $90
L04C2 LDA $C08C,X
BPL L04C2
CMP $01 ; compare with previously read
BNE L051C
AND $08 ; make a byte of it
STA $06 ; nb pages
L04CF LDA $C08C,X
BPL L04CF
SEC
ROL
STA $08
L04D8 LDA $C08C,X
BPL L04D8
AND $08
STA $3F ; RAM pointer
CLC
ADC $06
STA $06 ; end of RAM pointer
BEQ L051C
L04E8 LDA $C08C,X
BPL L04E8
CMP #$D3 ; another marker
BNE L051C
LDY #$00
STY $07 ; checksum
TYA
PHA
L04F7 LDA $C08C,X
BPL L04F7
SEC
ROL
STA $08
PLA
EOR $07
STA $07
LDA $3F ; did we reach the end ?
CMP $06
BEQ L0529
L050B LDA $C08C,X
BPL L050B
AND $08
STA ($3E),Y ; save
PHA
INY
BNE L04F7
INC $3F ; next pointer
BNE L04F7
*-----------
* Reset
L051C TSX
L051D STA $0100,X
STA $0200,X
INX
BNE L051D
JMP $0300
*-----------
L0529 LDA $C08C,X
BPL L0529
AND $08 ; get disk checksum
CMP $07 ; compare with ours
BNE L051C
NOP
L0535 LDA $C08C,X
BPL L0535
EOR $03 ; end marker
BNE L051C
L053E LDA $C08C,X
BPL L053E
EOR #$FE ; last marker
BNE L051C
*-----------
* next step
JSR L0559
STA $0A ; next marker index
JSR L0559
STA $3C ; where to go
JSR L0559
STA $3D ; where to go!
JMP ($003C)
*-----------
* Read 2 4*4
* Make 1 8
L0559 LDA $C08C,X
BPL L0559
SEC
ROL
STA $08
L0562 LDA $C08C,X
BPL L0562
AND $08
RTS
*-----------
* Blah blah
ASC 'Salut !!! jeunes pirates de l'27'espace int'
ASC 'ersideral,NOUS,PROTECTEURS DE L'27'UNIVERS,'
ASC 'vous conseillons de ne pa'
ASC "s"
ASC ' vous egarer dans le trou noir 22A3 BITS'
ASC ":"
ASC ' nuits blanches assurees et pains noirs '
ASC 'certains'
ASC ".N.V.H."
ASC 'E'
*-----------
* List of markers
L0635 HEX 9FAFBFEFEEDECEBEADBDCDED9BABBBCB
HEX B9D9E9F996A6B6F6B5E5F59FB2F2B3F3
HEX F797A7D7B5F5E5979E9D979ADCDBDAD9
HEX B4BABCBFF4F5FAE9EAEBE6E5
*-----------
* Move arm
L0671 ASL ; one track
L0672 STA $92 ; half track
CMP $91 ; is 0 on entry
BEQ L06C7
LDA #$00
STA $94
L067C LDA $91
STA $93
SEC
SBC $92
BEQ L06B6
BCS L068D
EOR #$FF
INC $91
BCC L0691
L068D ADC #$FE
DEC $91
L0691 CMP $94
BCC L0697
LDA $94
L0697 CMP #$0C
BCS L069C
TAY
L069C SEC
JSR L06BA
LDA L06D9,Y
JSR L06C8
LDA $93
CLC
JSR L06BC
LDA L06E5,Y
JSR L06C8
INC $94
BNE L067C
L06B6 JSR L06C8
CLC
L06BA LDA $91
L06BC AND #$03
ROL
ORA $90
TAX
LDA $C080,X
LDX $90
L06C7 RTS
*-----------
L06C8 LDX #$11
L06CA DEX
BNE L06CA
INC $9E
BNE L06D3
INC $9F
L06D3 SEC
SBC #$01
BNE L06C8
RTS
*-----------
L06D9 HEX 01302824201E1D1C1C1C1C1C
L06E5 HEX 702C26221F1E1D1C1C1C1C1C
*-----------
* Blah blah
ASC 'MERCI A CEUX QUI NOUS ONT ENCOURAGE A'
ASC " "
ASC 'DEVELOPPER DES SOFTS MADE IN FRANCE'
ASC " "
ASC 'DE HAUTE FIDELITE A TOUS POINTS DE VUE'
ASC "."
ASC ' LES AUTEURS ET INFOGRAMES'
ASC " "
ASC 'HOLD-UP:EMILE NGUYEN VAN HUONG'
ASC " "
ASC 'JEAN-DAVID BLANC CHRISTOPHE QUEANT'
ASC " "
DS $11
ASC ' COPYRIGHT 1985 INFOGRAMES'
ASC " "
DS $15
toinet
Posted: Sun 16 Nov 2008, 8:49
What is noticeable? The game is still not in memory.
All previous messages are to be divided into two parts: the original code and the decoded one. I wanted to add the third version: my rewritten version which helps the ugly pirate to load the data into memory. But, as the messages are long, I will post them once at the end.
antoine
11/2008
toinet
Posted: Sun 16 Nov 2008, 8:56
Rewritten boot4 stage / $0400..$07FF
The objective is to let the code load the required data and quit once done. Several short programs have been written to determine what is loaded where. That will be summarized at the end of the message.
At the end of that stage, we have the following memory usage:
- $4000..$5FFF: INFOGRAMES logo
- $6000..$BFFF: part of the program
Note: do not forget the $0100..$01FF memory space, there are critical values there (e.g. nibble count)
Code:
*
* Hold-Up
* (c) 1985, Infogrames
*
* (k) 2008, LoGo
*
org $900
mx %11
lst off
myPTR = $fe
myNBPAGES = $fd
myEND = $fc
myJUMP = $fa
myINDEX = $f9
*-----------
* MUST BE SET:
* $0A: #$00
* $90: #$60
* $91: #$00
* $A1: #$00
*
*-----------
L0400 JMP L0428 ; Read data
L0403 JMP L0671 ; Move one track
L0406 JMP L0672 ; Move half track
*-----------
* Hello!
ASC ' PROTECTED BY NGUYEN VAN HUONG'
ASC " "
*-----------
* Read one track
L0428 ldx #$60
stx $90
LDX $90
LDA $C089,X
lda #0
sta $0a
sta $91
sta $a1
theLOOP LDA #$00
STA $3E
INC $A1 ; track number (on entry: 0)
LDA $A1
JSR L0671 ; move to track
TSX
LDA $0100,X
STA $20
*-----------
* Set all markers
LDX $90 ; slot*16
LDY $0A ; marker index (on entry: 0)
LDA L0635,Y
STA $00
LDA L0635+1,Y
STA $05
LDA L0635+3,Y
STA $03
LDA #$D3 ; Oops ?
STA $04
LDA #$FF ; Oops ?
STA $09
TAY
L045A DEY
BNE L045D
L045D LDA $C08C,X
BPL L045D
L0462 CMP #$94 ; 1st marker
BNE L045A
L0466 LDA $C08C,X
BPL L0466
CMP $00 ; 2nd marker
BNE L0462
L046F LDA $C08C,X
BPL L046F
CMP #$96 ; 3rd marker
BNE L0462
L0478 LDA $C08C,X
BPL L0478
CMP #$94 ; 4th marker
BNE L0462
L0481 LDA $C08C,X
BPL L0481
CMP $05 ; 5th marker
BNE L0462
L048A LDA $C08C,X
BPL L048A
STA $01 ; read
NOP
L0492 LDA $C08C,X
BPL L0492
STA $02 ; read a marker
L0499 LDA $C08C,X
BPL L0499
L049E CMP $03 ; 6th marker
BNE L0462
L04A2 LDA $C08C,X
BPL L04A2
CMP #$D3 ; 7th marker
BNE L049E
L04AB LDA $C08C,X
BPL L04AB
CMP $02 ; compare with previously read
BNE L049E
SEC
ROL
STA $08
TSX
LDA $20
CMP $0100,X
BNE L051C
LDX $90
L04C2 LDA $C08C,X
BPL L04C2
CMP $01 ; compare with previously read
BNE L051C
AND $08 ; make a byte of it
STA $06 ; nb pages
ldy $a1
sta $340,y
L04CF LDA $C08C,X
BPL L04CF
SEC
ROL
STA $08
L04D8 LDA $C08C,X
BPL L04D8
AND $08
STA $3F ; RAM pointer
sta $320,y
CLC
ADC $06
STA $06 ; end of RAM pointer
BEQ L051C
L04E8 LDA $C08C,X
BPL L04E8
CMP #$D3 ; another marker
BNE L051C
LDY #$00
STY $07 ; checksum
TYA
PHA
L04F7 LDA $C08C,X
BPL L04F7
SEC
ROL
STA $08
PLA
EOR $07
STA $07
LDA $3F ; did we reach the end ?
CMP $06
BEQ L0529
L050B LDA $C08C,X
BPL L050B
AND $08
STA ($3E),Y ; save
PHA
INY
BNE L04F7
INC $3F ; next pointer
BNE L04F7
*-----------
* Reset
L051C brk $1c
TSX
L051D STA $0100,X
STA $0200,X
INX
BNE L051D
JMP $0300
*-----------
L0529 LDA $C08C,X
BPL L0529
AND $08 ; get disk checksum
CMP $07 ; compare with ours
BNE L051C
NOP
L0535 LDA $C08C,X
BPL L0535
EOR $03 ; end marker
BNE L051C
L053E LDA $C08C,X
BPL L053E
EOR #$FE ; last marker
BNE L051C
*-----------
* next step
JSR L0559
STA $0A ; next marker index
JSR L0559
sta myJUMP
STA $3C ; where to go
JSR L0559
STA $3D ; where to go!
ldy $a1
lda $0a
sta $300,y
lda $3c
sta $360,y
lda $3d
sta $380,y
cmp #$04
bne theEND
jmp theLOOP
theEND lda $c0e8
jmp $ff59
JMP ($003C)
*-----------
* Read 2 4*4
* Make 1 8
L0559 LDA $C08C,X
BPL L0559
SEC
ROL
STA $08
L0562 LDA $C08C,X
BPL L0562
AND $08
RTS
*-----------
* Blah blah
ASC 'Salut !!! jeunes pirates de l'27'espace int'
ASC 'ersideral,NOUS,PROTECTEURS DE L'27'UNIVERS,'
ASC 'vous conseillons de ne pa'
ASC "s"
ASC ' vous egarer dans le trou noir 22A3 BITS'
ASC ":"
ASC ' nuits blanches assurees et pains noirs '
ASC 'certains'
ASC ".N.V.H."
ASC 'E'
*-----------
* List of markers
L0635 HEX 9FAFBFEFEEDECEBEADBDCDED9BABBBCB
HEX B9D9E9F996A6B6F6B5E5F59FB2F2B3F3
HEX F797A7D7B5F5E5979E9D979ADCDBDAD9
HEX B4BABCBFF4F5FAE9EAEBE6E5
*-----------
* Move arm
L0671 ASL ; one track
L0672 STA $92 ; half track
CMP $91 ; is 0 on entry
BEQ L06C7
LDA #$00
STA $94
L067C LDA $91
STA $93
SEC
SBC $92
BEQ L06B6
BCS L068D
EOR #$FF
INC $91
BCC L0691
L068D ADC #$FE
DEC $91
L0691 CMP $94
BCC L0697
LDA $94
L0697 CMP #$0C
BCS L069C
TAY
L069C SEC
JSR L06BA
LDA L06D9,Y
JSR L06C8
LDA $93
CLC
JSR L06BC
LDA L06E5,Y
JSR L06C8
INC $94
BNE L067C
L06B6 JSR L06C8
CLC
L06BA LDA $91
L06BC AND #$03
ROL
ORA $90
TAX
LDA $C080,X
LDX $90
L06C7 RTS
*-----------
L06C8 LDX #$11
L06CA DEX
BNE L06CA
INC $9E
BNE L06D3
INC $9F
L06D3 SEC
SBC #$01
BNE L06C8
RTS
*-----------
L06D9 HEX 01302824201E1D1C1C1C1C1C
L06E5 HEX 702C26221F1E1D1C1C1C1C1C
*-----------
* Blah blah
ASC 'MERCI A CEUX QUI NOUS ONT ENCOURAGE A'
ASC " "
ASC 'DEVELOPPER DES SOFTS MADE IN FRANCE'
ASC " "
ASC 'DE HAUTE FIDELITE A TOUS POINTS DE VUE'
ASC "."
ASC ' LES AUTEURS ET INFOGRAMES'
ASC " "
ASC 'HOLD-UP:EMILE NGUYEN VAN HUONG'
ASC " "
ASC 'JEAN-DAVID BLANC CHRISTOPHE QUEANT'
ASC " "
DS $11
ASC ' COPYRIGHT 1985 INFOGRAMES'
ASC " "
DS $15
As promised, what is where is when is how and (oops)?
Code:
* Which phase (track * 2)
thePHASE HEX 00020406080A0C0E10121416181A1C1E
HEX 20000000000000000000000000000000
* Which track
theTRACK HEX 000102030405060708090A0B0C0D0E0F
HEX 10000000000000000000000000000000
* Where to load pages
theBUFFER HEX 00404850586068707880889098A0A8B0
HEX B8000000000000000000000000000000
* Number of pages to load
theNBPAGES HEX 00080808080808080808080808080808
HEX 08000000000000000000000000000000
* Where to go once pages are loaded
theLJUMP HEX 00000000000000000000000000000000
HEX 00000000000000000000000000000000
theHJUMP HEX 00040404040404040404040404040404
HEX 60000000000000000000000000000000
antoine
11/2008
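Reading the six tables above as a load map, as an added example that is not part of the thread: the hex rows are the HEX data toinet posted; that the row index is the track number kept in $A1, and that the jump address is theHJUMP:theLJUMP, are my assumptions drawn from the `sta $320,y` .. `sta $380,y` stores in his rewritten stage. The checks confirm the memory usage he states at the end of boot4 ($4000..$BFFF, no gap, no overlap), that the last track is the only one whose jump does not go back to $0400, and that every phase equals 2 × track, so the data this stage reads sits on whole tracks.

```python
# Added example (not code from the thread): turn the 'what is where' tables dumped
# from the rewritten boot4 into a load map and check the stated memory usage.
# Hex rows are copied from the post above. Assumptions: row index = track number
# ($A1), jump = theHJUMP:theLJUMP, entries end at the first zero track.
from typing import Dict, List, Optional, Tuple

TABLES: Dict[str, str] = {
    "phase":   "00020406080A0C0E10121416181A1C1E" "20000000000000000000000000000000",
    "track":   "000102030405060708090A0B0C0D0E0F" "10000000000000000000000000000000",
    "buffer":  "00404850586068707880889098A0A8B0" "B8000000000000000000000000000000",
    "nbpages": "00080808080808080808080808080808" "08000000000000000000000000000000",
    "ljump":   "00000000000000000000000000000000" "00000000000000000000000000000000",
    "hjump":   "00040404040404040404040404040404" "60000000000000000000000000000000",
}


def load_map() -> List[Dict[str, int]]:
    """One record per track read by boot4 (slot 0 is unused: track 0 is the boot)."""
    rows = {k: bytes.fromhex(v) for k, v in TABLES.items()}
    entries: List[Dict[str, int]] = []
    for i in range(1, 32):
        if rows["track"][i] == 0:        # end of the filled part of the tables
            break
        start = rows["buffer"][i] << 8   # RAM pointer high byte -> page address
        entries.append({
            "track": rows["track"][i],
            "phase": rows["phase"][i],
            "start": start,
            "end": start + rows["nbpages"][i] * 256 - 1,
            "jump": (rows["hjump"][i] << 8) | rows["ljump"][i],
        })
    return entries


def check_contiguous(entries: List[Dict[str, int]]) -> Optional[Tuple[int, int]]:
    """(lowest, highest) if the buffers tile one range with no gap or overlap, else None."""
    es = sorted(entries, key=lambda e: e["start"])
    for a, b in zip(es, es[1:]):
        if b["start"] != a["end"] + 1:
            return None
    return es[0]["start"], es[-1]["end"]


def whole_tracks_only(entries: List[Dict[str, int]]) -> bool:
    """Phase is the stepper position (2 * track); an odd phase would be a half-track."""
    return all(e["phase"] == 2 * e["track"] for e in entries)


def final_jump(entries: List[Dict[str, int]]) -> int:
    """Where boot4 goes once the last listed track is in memory."""
    return entries[-1]["jump"]


if __name__ == "__main__":
    m = load_map()
    for e in m:
        print(f"track {e['track']:2d} (phase {e['phase']:2d}) -> "
              f"${e['start']:04X}..${e['end']:04X}, then JMP ${e['jump']:04X}")
    print("contiguous:", check_contiguous(m), " whole tracks only:", whole_tracks_only(m))
```

The same map also explains the two regions toinet lists: tracks 1..4 fill $4000..$5FFF (the logo) and tracks 5..16 fill $6000..$BFFF, which is where the final jump lands.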
jvernet
Posted: Sun 16 Nov 2008, 9:08
Basically, the protection system is bigger than the program it is supposed to protect ![Laughing](images/smiles/icon_lol.gif)
toinet
Posted: Sun 16 Nov 2008, 19:22
jvernet wrote: "Basically, the protection system is bigger than the program it is supposed to protect ![Laughing](images/smiles/icon_lol.gif)"
As if the diskette being uncopyable thanks to its spiralling were not enough, Emile seeks to discourage anyone who wants to follow the program (boot-tracing) through its various loading stages; I am not far from cracking myself (craquer with a "qu", as in breaking down).
The weakness of any Apple II protection lies in sector 0 of track 0, which must always be readable so that the disk can boot. In short, Emile piles on layers in order to end up, indeed, with almost more protection code than program code.
el toto
flaith
Joined: 30 Aug 2007  Posts: 30  Location: $300:20 58 FC 60
Posted: Sun 16 Nov 2008, 20:03
Just reading the code is starting to give me a headache.
Good luck for the rest, and thanks for the rediscovery of the Apple. _________________ I am sure of "nothing", but I am not sure of "everything".