toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 May 2010, 20:52 Post subject: Storybook Weaver IIgs series (MECC, 1991)
In a series of 3, MECC provided students with a great desktop interface program to create books from the title page to the last page. Inclusion of pictures and several other elements (e.g. borders) is possible.
Nevertheless, each program is protected and displays an alert message "Please insert your Storybook Weaver Program diskette in any drive." and loops until the original diskette is inserted!
On a desktop program, such a protection *always* deals with a bad block to read. If the bad block cannot be read then the diskette is a copy.
Protection type
On-disk protection for "Make believe" and for "World of adventure". I cannot find my notes for the first in the series but IIRC, that's quite similar to the two others.
Protection removal
Make believe
- Launch Block Warden
- Read block $513
- At offset $62, change 90 (BCC) to 80 (BRA)
- Save the changes
World of adventure
- Launch Block Warden
- Read block $3B8
- At offset $10C, change 90 (BCC) to 80 (BRA)
- Save the changes
How to locate the protection?
Some clues were given above, let me summarize them here:
- search for the string "Please insert your Storybook Weaver Program diskette in any drive." or
- search for the strings "Quit" or "OK" (but with such generic strings, it will not be easy to locate the right ones) or
- search for the _WaitCursor pattern as the cursor icon is changed before the protection is called (true, that is visible)
- search for the READ_BLOCK pattern for P16: 22 00 00 E1 22 00
Once one of those or several of those is/are identified, the exact discovery of the entry point of the protection is easy to get:
- the READ_BLOCK is at $15D8
- the call to the previous routine is at $0FDB
- the previous one is called at $0F99
Gotcha...
The program code is the same in each program, making the removal quite easy once one is done. Launch your favorite S16 disassembler (mine is The Flaming Bird Disassembler), go to segment 6 (init) and jump to $0F94 and read below...
The next thread will display the original program protection. The programs can be found on the great Alex Lee's site "What is the Apple IIgs?"
Antoine
5/2010
Last edited by toinet on Tue 18 May 2010, 6:15; edited 2 times
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 May 2010, 20:52
Code:
*
* Segment 6 (init)
*
L0F94
* Check the PRODUCT.INFO file
* if there's something interesting there
* then bypass the protection (any ideas ?)
JSR L10D8
BCC L0F9E
* Check the blocks or call the protection
JSR L0FDB
BCS L0FA5
* If I am here, then I have an original (ahem)
L0F9E _DrawMenuBar
L0FA5 JSL L03018C
PHA
PHA
PEA $0001
_GetAddress
PLA
STAL L025F8A
PLA
STAL L025F8C
PEA $0000
PEA ^L0259CD
PEA L0259CD
_SetColorTable
JSR L14AF
_InitCursor
PLB
RTL
(cut cut)
*
* MAIN LOOP OF PROTECTION
*
* I read the blocks
* c=0, I have the original
L0FDB JSR L15D8
BCC L102D
* otherwise, loop loop loop loop
L0FE0 LDA #$0001
STA L1611
L0FE6 JSR L15D8
BCC L102D
INC L1611
CMP #$0010
BEQ L0FF8
CMP #$0011
BNE L0FE6
L0FF8 _InitCursor
PHA
PEA ^L102F
PEA L102F
PEA $0000
PEA $0000
_Alert
_WaitCursor
JSL L030074
PLA
CMP #$0001
BEQ L0FE0
* Quit was pressed
LDA #$FFFF
STAL L0258A1
SEC
RTS
L102D CLC
RTS
* Dialog Alert
L102F DW $003C ; Alert rect
DW $0021
DW $0078
DW $011B
DW $82B5 ; Alert ID
HEX 80 ; First stage byte
HEX 80 ; Second stage byte
HEX 80 ; Third stage byte
HEX 80 ; fourth stage byte
ADRL L107D ; Ptr to item template
ADRL L1065 ; Ptr to item template
ADRL L104D ; Ptr to item template
ADRL $00000000
* Default OK button
L104D DW $0001 ; Item ID
DW $002A ; Item rect
DW $00B7
DW $0037
DW $00F3
DW $000A ; Std button
ADRL L025F72 ; Item descriptor
DW $0000 ; Item value
DW $0000 ; Bit flag
ADRL $00000000 ; Ptr to color table
* Quit button
L1065 DW $0002 ; Item ID
DW $002A ; Item rect
DW $0074
DW $0037
DW $00B0
DW $000A ; Std button
ADRL L025F7C ; Item descriptor
DW $0000 ; Item value
DW $0000 ; Bit flag
ADRL $00000000 ; Ptr to color table
* Message
L107D DW $0003 ; Item ID
DW $0008 ; Item rect
DW $000F
DW $0026
DW $00FA
DW $800F ; Static text
ADRL L1095 ; Item descriptor
DW $0000 ; Item value
DW $0000 ; Bit flag
ADRL $00000000 ; Ptr to color table
L1095 STR 'Please insert your Storybook'0D'Weaver Program diskette in'0D'any drive.'
*
* THE PROTECTION
*
* I read block 9
* If I have a copy, then C=1 and OK
* If I have the original, then C=0 and OK
L15D8 LDA #$0009
STA L1617
JSL GSOS
DW $0022 ; READ_BLOCK
ADRL L1611
BCS L1610
* I must have a string on that block
LDX #$0013
L15ED LDA L161B,X
CMP L16FF,X
BNE L160F
DEX
DEX
BPL L15ED
* I read block 8
DEC L1617
JSL GSOS
DW $0022 ; READ_BLOCK
ADRL L1611
BCC L160F
CMP #$0027
BNE L160F
CLC
RTS
L160F SEC
L1610 RTS
L1611 DW $0000 ; device num
ADRL L16FF ; buffer ptr
L1617 DW $0008 ; block num
BRK $00
L161B ASC 'MECC'10
ASC 'Storybook Weaver'
DB $00
L16FF DB $00
DB $00
...
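As an added illustration (not part of the original post, and not MECC's code), the L15D8 routine in the listing above can be modelled in Python to show what the check expects from the diskette. `BlockDevice`, `check_original` and the sample disks are hypothetical names and constructed data; the byte range compared assumes 16-bit accumulator and index registers, as the listing's 16-bit immediates suggest.

```python
# Added illustration: a Python model of the L15D8 routine from the listing.
SIGNATURE = b"MECC\x10Storybook Weaver"   # bytes stored at L161B in the listing
EXPECTED_ERROR = 0x27                     # value tested by CMP #$0027


class BlockDevice:
    """Constructed stand-in for a disk: readable blocks plus failing blocks."""

    def __init__(self, blocks, errors=None):
        self.blocks = blocks          # {block_num: bytes}
        self.errors = errors or {}    # {block_num: error code}

    def read_block(self, num):
        """Return (carry, error, data), mimicking the READ_BLOCK call result."""
        if num in self.errors:
            return True, self.errors[num], b""
        return False, 0, self.blocks.get(num, bytes(512))


def check_original(dev):
    """Return the carry flag L15D8 leaves: False = original, True = copy."""
    carry, _, data = dev.read_block(9)
    if carry:                               # BCS L1610: block 9 unreadable
        return True
    # The compare loop walks X = $13, $11, ... $01 with 16-bit loads,
    # so it covers bytes 1..20 of the signature (byte 0 is never tested).
    if data[1:21] != SIGNATURE[1:21]:       # BNE L160F
        return True
    carry, error, _ = dev.read_block(8)
    if not carry:                           # BCC L160F: block 8 read without error
        return True
    if error != EXPECTED_ERROR:             # CMP #$0027 / BNE L160F
        return True
    return False                            # CLC / RTS


def sample_disks():
    """Constructed test disks, not dumps of real diskettes."""
    good9 = SIGNATURE + bytes(512 - len(SIGNATURE))
    return {
        "original": BlockDevice({9: good9}, errors={8: 0x27}),
        "plain copy": BlockDevice({9: good9, 8: bytes(512)}),
        "wrong signature": BlockDevice({9: bytes(512)}, errors={8: 0x27}),
        "other error": BlockDevice({9: good9}, errors={8: 0x2B}),
    }


if __name__ == "__main__":
    for name, dev in sample_disks().items():
        print(name, "->", "copy" if check_original(dev) else "original")
```

The model makes the two conditions explicit: block 9 must read cleanly and carry the signature, while block 8 must fail with exactly the error code the routine compares against, which a block-by-block copy onto a healthy diskette does not reproduce.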
toinet
Joined: 15 Jun 2007 Posts: 326 Location: Paris, France
Posted: Tue 04 May 2010, 20:55
Code:
* Check the PRODUCT.INFO file
* if there's something interesting there
* then bypass the protection (any ideas ?)
JSR L10D8
BCC L0F9E
* Check the blocks or call the protection
JSR L0FDB
BCS L0FA5
* If I am here, then I have an original (ahem)
L0F9E _DrawMenuBar
The objective of our change from BCC (opcode $90) to BRA (opcode $80) is to get the following code:
Code:
* Check the PRODUCT.INFO file
* if there's something interesting there
* then bypass the protection (any ideas ?)
JSR L10D8
BRA L0F9E
* The protection is now never called!
JSR L0FDB
BCS L0FA5
* If I am here, then LoGo was here :-)
L0F9E _DrawMenuBar