
Two on two basketball (Activision, 1986)

 
toinet



Joined: 15 June 2007
Posts: 326
Location: Paris, France

Posted: Wed 08 Aug 2007, 10:16    Subject: Two on two basketball (Activision, 1986)

Play basketball alone or with one friend. Practice the game or compete in a league. I have never been interested in playing basketball in the real world nor with my computer but the game is well made. Gamestar, a division of Activision, released the game in 1986.

PROTECTION TYPE
On a standard DOS 3.3 copyable diskette, the protection is a nibble count. The value read on the disk is used to perform calculations. If the value read is not correct, the disk reboots.

BOOT TRACE
- 9600<C600.C6FFM
- 96FB:4C 59 FF
- 9600G
=> a standard boot0 code is to be found at $0800
- 96FB:A9 4C 8D 4A 08 A9 59 8D 4B 08 A9 FF 8D 4C 08 4C 01 08
- 9600G
=> we have a standard RWTS from $B600 to $BFFF. A JMP is performed at $B700, entry point of the RWTS.

From $B700 to $B753, data is loaded into memory which has been previously cleared (not easing boot tracing) then a JMP $0C00 is performed at $B754.

At $0C00, the code is moved to $0300 and is executed. Several data loads from the drive follow, then the code at $0800 is executed.

At $0800:
- the reset vector is set
- a JSR $0841 clears memory
- some data is loaded into memory
- the address $C5FF is pushed onto the stack
=> if we have a copy, a reboot is performed, otherwise, we unstack the values and go on with the game
- a JSR $0851 is performed
=> we find the protection here: the routine gets two nibbles from the disk, mixes them and saves the EORed result in $08BD (original value is $00)
- a JMP $08A7 is performed.
=> It clears the protection routine, checks the value read and goes on with the game if the value is correct, otherwise it reboots.

GET THE PROTECTION VALUE
We need to execute the code at $0C00 and grab the value read from the disk. The one that is then saved at $08BD:
- $0817: EA EA EA
- $0829: EA
- $0838: EA
- $083A: 4C 59 FF
- $084E: EA EA
- C00G
Boing! We are in the monitor...
- 8BD + return
=> The value saved is $55

REMOVE THE PROTECTION
The objective is to remove the call to the protection and force $08BD to hold the final value read from the original disk.
- Copy the disk with your favorite disk copier (aka Locksmith...)
- Launch your favorite sector editor (mine is Disk Fixer)
- On T0/SA/35: change 20 (JSR opcode) to 2C (BIT opcode)
- On T0/SA/BD: change 00 to 55
- Save the sector

Your backup copy is now available...

Toinet
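
Added example, not part of the original post: a read-only check that reports whether a disk image carries the two byte values described under REMOVE THE PROTECTION. It assumes a 35-track DOS 3.3-ordered `.dsk` image in which logical sector $0A of track 0 starts at file offset $0A00, and that the three bytes at sector offset $35 are the `JSR $0851`; the function names and the sample images are constructed for illustration.

```python
# Added example: inspect track 0, sector $0A of a DOS-ordered .dsk image.
SECTOR_SIZE = 256
SECTORS_PER_TRACK = 16
TRACKS = 35
IMAGE_SIZE = TRACKS * SECTORS_PER_TRACK * SECTOR_SIZE  # 143360 bytes

# Both 6502 opcodes are 3-byte absolute instructions, so swapping one for
# the other keeps every following instruction at the same address.
OPCODES = {0x20: "JSR", 0x2C: "BIT"}

def sector_offset(track, sector):
    """File offset of a logical sector (assumes DOS 3.3 sector ordering)."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS_PER_TRACK):
        raise ValueError("track/sector out of range")
    return (track * SECTORS_PER_TRACK + sector) * SECTOR_SIZE

def inspect_image(image):
    """Report the instruction at offset $35 and the byte at offset $BD."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("expected a %d-byte image, got %d" % (IMAGE_SIZE, len(image)))
    base = sector_offset(0, 0x0A)
    call = image[base + 0x35 : base + 0x38]
    opcode = OPCODES.get(call[0], "??")
    target = call[1] | (call[2] << 8)      # little-endian operand
    value = image[base + 0xBD]
    if opcode == "JSR" and value == 0x00:
        state = "unpatched"                # check still called, value not stored
    elif opcode == "BIT" and value == 0x55:
        state = "patched"                  # call neutralised, value forced
    else:
        state = "unknown"                  # partial edit or a different disk
    return {"opcode": opcode, "target": target, "value": value, "state": state}

def make_sample(opcode, value):
    """Constructed image: all zeros except the bytes being inspected."""
    img = bytearray(IMAGE_SIZE)
    base = sector_offset(0, 0x0A)
    img[base + 0x35 : base + 0x38] = bytes([opcode, 0x51, 0x08])  # operand $0851
    img[base + 0xBD] = value
    return bytes(img)

if __name__ == "__main__":
    for op, val in ((0x20, 0x00), (0x2C, 0x55), (0x2C, 0x00)):
        print(inspect_image(make_sample(op, val)))
```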