toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Wed 08 Aug 2007, 10:16 Subject: Two on two basketball (Activision, 1986)
Play basketball alone or with one friend. Practice the game or compete in a league. I have never been interested in playing basketball in the real world nor with my computer, but the game is well made. Gamestar, a division of Activision, released the game in 1986.
PROTECTION TYPE
On a standard DOS 3.3 copyable diskette, the protection is a nibble count. The value read on the disk is used to perform calculations. If the value read is not correct, the disk reboots.
BOOT TRACE
- 9600<C600.C6FFM
- 96FB:4C 59 FF
- 9600G
=> a standard boot0 code is to be found at $0800
- 96FB:A9 4C 8D 4A 08 A9 59 8D 4B 08 A9 FF 8D 4C 08 4C 01 08
- 9600G
=> we have a standard RWTS from $B600 to $BFFF. A JMP is performed at $B700, entry point of the RWTS.
From $B700 to $B753, data is loaded into memory which has been previously cleared (which does not ease boot tracing), then a JMP $0C00 is performed at $B754.
At $0C00, the code is moved to $0300 and executed. Several data loads from the drive follow, then the code at $0800 is executed.
At $0800:
- the reset vector is set
- a JSR $0841 clears memory
- some data is loaded into memory
- the address $C5FF is pushed onto the stack
=> if we have a copy, a reboot is performed; otherwise, we unstack the values and go on with the game
- a JSR $0851 is performed
=> we find the protection here: the routine gets two nibbles from the disk, mixes them and saves the EORed result in $08BD (original value is $00)
- a JMP $08A7 is performed.
=> It clears the protection routine, checks the value read and goes on with the game if the value is correct; otherwise it reboots.
GET THE PROTECTION VALUE
We need to execute the code at $0C00 and grab the value read from the disk, the one that is then saved at $08BD:
- $0817: EA EA EA
- $0829: EA
- $0838: EA
- $083A: 4C 59 FF
- $084E: EA EA
- C00G
Boing! We are in the monitor...
- 8BD + return
=> The value saved is $55
REMOVE THE PROTECTION
The objective is to remove the call to the protection and force $08BD to hold the final value read from the original disk.
- Copy the disk with your favorite disk copier (aka Locksmith...)
- Launch your favorite sector editor (mine is Disk Fixer)
- On T0/SA/35: change 20 (JSR opcode) to 2C (BIT opcode)
- On T0/SA/BD: change 00 to 55
- Save the sector
Your backup copy is now available...
Toinet
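The two sector edits from the post, written out as an added Python example (not code from the post or from Activision); it assumes a DOS-order .dsk image of a standard 35-track DOS 3.3 disk and builds a blank sample image in memory instead of reading a real one.

```python
# Added example (not from the original post): the two sector edits the post
# describes, applied to an in-memory DOS 3.3 disk image. Assumes a DOS-order
# .dsk image: 35 tracks x 16 sectors x 256 bytes, sectors in logical order.

TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE  # 143360 bytes

# (track, sector, byte offset, original byte, replacement byte), as in the post:
#   T0/SA/35: JSR opcode ($20) -> BIT opcode ($2C)
#   T0/SA/BD: expected protection value $00 -> $55 (the value read from the original)
PATCHES = (
    (0, 0x0A, 0x35, 0x20, 0x2C),
    (0, 0x0A, 0xBD, 0x00, 0x55),
)

def sector_offset(track: int, sector: int) -> int:
    """Byte offset of logical sector (track, sector) in a DOS-order .dsk image."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS):
        raise ValueError(f"track/sector out of range: T{track:X}/S{sector:X}")
    return (track * SECTORS + sector) * SECTOR_SIZE

def make_sample_image() -> bytearray:
    """Constructed blank image holding only the bytes the post mentions."""
    image = bytearray(IMAGE_SIZE)
    base = sector_offset(0, 0x0A)
    # T0/SA is loaded at $0800, so sector offset $35 is the JSR $0851 (20 51 08)
    # and offset $BD is $08BD, whose expected value $00 a zeroed image already has.
    image[base + 0x35:base + 0x38] = bytes((0x20, 0x51, 0x08))
    return image

def is_patched(image: bytearray) -> bool:
    """True when every patch location already holds its replacement byte."""
    return all(image[sector_offset(t, s) + off] == new
               for t, s, off, _old, new in PATCHES)

def apply_patches(image: bytearray) -> list:
    """Apply the post's edits in place; returns the image offsets modified."""
    # Swapping JSR for BIT works because BIT absolute ($2C) is also a three-byte
    # instruction: the operand bytes 51 08 stay in place, $0851 is read instead
    # of called, and only the N/V/Z flags change before execution continues.
    changed = []
    for track, sector, off, old, new in PATCHES:
        pos = sector_offset(track, sector) + off
        if image[pos] != old:  # already patched, or not the release the post describes
            raise ValueError(f"T{track:X}/S{sector:X}/{off:02X} is "
                             f"{image[pos]:02X}, expected {old:02X}")
        image[pos] = new
        changed.append(pos)
    return changed
```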