toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Sun 12 Aug 2007, 21:48 Post subject: Where in America's past is...? (Broderbund, 1992)
This exciting game turns history into a fast-paced detective adventure. Join the ACME Detective Agency and chase the notorious Carmen Sandiego and her gang as they filch famous objects from America's past.
PROTECTION TYPE
On four 5.25 ProDOS disks or one 3.5 ProDOS:
- a password protection someplace...
DISK COPY
The disks are not copy-protected, they can be copied and are hard-drive installable.
GAME LOADING
- Boot front side of disk 1 (/CARMEN.AP),
- View the introduction
- Insert, when requested, front side of disk 2 (CARMEN.AP3)
- Play the game...
You notice that you do not require the /CARMEN.AP disk, so we believe that the password protection:
- has already been loaded into memory from the /CARMEN.AP disk or
- will be loaded from the /CARMEN.AP3 disk
As we are dealing with a standard ProDOS disk, let's view all values of the files with a ProDOS version of Copy II+
The C13 file is a text file of plenty of C strings (the ones that end with a 00). An excerpt of the file is to be found hereafter:
Code:
 0  ASC 'No warrant, no case. See you later...'00
 1  ASC 'To: '00
 2  ASC 8D'From: The Chief'8D8D00
 3  ASC 'You always need a warrant before making an arrest. '
    ASC 'You risk getting into a lot of trouble if you don'27't!'00
 4  ASC 'Having the wrong warrant does us absolutely no good. '
    ASC 'Please be more careful next time.'00
 5  ASC 'Congratulations! You apprehended the crook!'00
 6  ASC ' The goods were returned to '00
 7  ASC 'One'00
 8  ASC 'Two'00
 9  ASC 'Three'00
 A  ASC 'Four'00
 B  ASC 'Five'00
 C  ASC 'Six'00
 D  ASC ' more '00
 E  ASC 'case'00
 F  ASC 'cases'00
10  ASC ' until your next promotion.'00
11  ASC 'You'27've earned yourself a promotion! '
    ASC 'Before you can be promoted you have one '
    ASC 'more clue to unravel.'00
12  ASC 'Use your copy of What Happened When to complete the following:'00
13  ASC 'Well done! You are now a '00
14  ASC 'Sorry, that'27's not the answer we have '
    ASC 'here at ACME. Please try again.'00
15  ASC 'The elusive criminal was finally tracked '
    ASC 'down by ACME'27's Agent '00
16  ASC 'Excellent work! You caught the head of '
    ASC 'V.I.L.E., Carmen Sandiego!!'00
17  ASC 'You need to use your time more efficiently. '
    ASC 'Time travel isn'27't cheap, you know!'00
18  ASC 'Are you ready for another case?'00
The numeric values are indexes and have been introduced for easier reading. The 11/12/13/14 indexes are part of the protection. We need to find some code on the disk that uses those.
Please note that it is common to print out a C string with an index instead of its address. The routine that has to write out the string has to count the 00. When it reaches the right value, the string is displayed.
Now launch your favorite disk editor (mine is Disk Fixer), set the ProDOS interleaving format, and search for the following patterns:
- LDA #$13 (A9 13) or LDX #$13 (A2 13) or LDY #$13 (A0 13)
Repeat for the $12 and $14 values...
Gotcha! We find "A0 xx" patterns on track $15, sectors 5 and 6; they belong to the C12 file.
THE PROTECTION ROUTINE
Launch your favorite disassembler and assembler editor and get the following from the C12 file:
Code:
        ...
STROUT  = $B087
L9D8E   LDY #$2E
        JSR $0E01
        INC $43
        JSR L9F02
* 'You'27've earned yourself a promotion! '
* 'Before you can be promoted you have one '
* 'more clue to unravel.'00
        LDY #$11
        JSR STROUT
        JSR LA18F
        JSR L9F02
* 'Use your copy of What Happened When to complete the following:'00
        LDY #$12        ; Before
L9DA5   JSR STROUT
        JSR LA18F
        LDA #$2C
        JSR $B054
        STA $73
        LDA #$03        ; We have three tries
        STA $74
L9DB6   JSR $B093       ; Protection loop
        JSR $B084
        LDA $73
        LDX #$00
        LDY #$78
        JSR $B024
        LDA #$0C
        STA $26
        LDA #$4F
        JSR $B027
        JSR $DC27
        JSR L9FA6       ; ENTER STRING
        PHP
        INC $43
        JSR $B093
        JSR $B084
        PLP
        BCS L9E26       ; WRONG ANSWER
        LDA $73
        CMP #$14
        BNE L9DF1
        LDX #$8A
        LDY #$A1
        JSR L9F53       ; CHECK WORD
        BCC L9DFD       ; CORRECT ANSWER
        LDA $73
L9DF1   LDX #$B2
        LDY #$A0
        JSR $B024
        JSR L9F53       ; CHECK WORD
        BCS L9E26       ; WRONG ANSWER
* THE ANSWER IS CORRECT, WE END HERE
L9DFD   INC $19
        INC $1A
        JSR L9F02
* 'Well done! You are now a '00
        LDY #$13        ; Well done!
        JSR STROUT
        CLC
        LDA $19
        ADC #$15
        TAY
        JSR $B08A
        LDY #$3A
        JSR STROUT
        JSR L9F17
        JSR LA1BB
        JSR L9EAE
        JSR LA195
        JMP L9E65
L9E26   DEC $74
        BNE L9E2D
        JMP $1F00       ; END OF GAME I PRESUME!
* 'Sorry, that'27's not the answer we have '
* 'here at ACME. Please try again.'00
L9E2D   LDY #$14        ; Sorry!
        JSR STROUT
        JSR LA18F
        JMP L9DB6
L9E38   JSR L9F02
        SEC
        LDY $19
        LDA L9F7D,Y
        SBC $1A
        STA $40
        CLC
        ADC #$06
        TAY
        JSR STROUT
        LDY #$0D
        JSR STROUT
        LDY #$0E
        LDA $40
        CMP #$01
        BEQ L9E5A
        INY
L9E5A   JSR STROUT
        LDY #$10
        JSR STROUT
        JSR LA18F
L9E65   JSR L9F02
* 'Are you ready for another case?'00
        LDY #$18
        JSR STROUT
        ...
The code above is the protection loop. It goes to $9DFD if the answer is correct; otherwise, it loops until your three tries are used. The routine at $9F53 checks the word entered and clears the carry if it is correct; otherwise it sets it.
Code:
* WORD COMPARISON
L9F53   STX $CE         ; Word comparison
        STY $CF
        LDX #$00
        LDY #$00
L9F5B   LDA ($CE),Y
        BEQ L9F79
        STA $40
        LDA $0C00,X
        CMP #$61        ; a
        BCC L9F6F
        CMP #$7B        ; z
        BCS L9F6F
        SEC
        SBC #$20
L9F6F   CMP $40         ; Are letters equal?
        BNE L9F7B
        INX
        INY
        CPY #$04
        BCC L9F5B
L9F79   CLC             ; Yes
        RTS
L9F7B   SEC             ; No
        RTS
REMOVING THE PROTECTION
You have two ways to remove the protection:
The 1-byte method
Replace the SEC opcode at $9F7B with a CLC.
The 3-byte method
At the beginning of the protection routine, at $9DA5, replace the JSR $B087 (20 87 B0) with a JMP to $9DFD (4C FD 9D).
As I like to make minimal changes to the programs I "play" with, I will explain the first method:
- Launch ProDOS 8 and its friend Basic.System
- PREFIX /CARMEN.AP3
- BLOAD C12,A$1A00
- POKE 8059,24
- BSAVE C12,A$1A00
Your backup copy is now ready,
Toinet
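The two routines described in this post, modelled in Python as an added example (not part of the original post and not the game's code): `string_at` does the index lookup by counting 00 terminators, and `check_word_carry` follows L9F53 branch by branch. The table bytes and the words are constructed samples; that the stored word is upper-case and that the buffer at $0C00 holds 00 after the typed text are assumptions.

```python
# Added illustration: Python models of two routines described in the post.
# All sample bytes and words below are constructed, not taken from the disk.

# Constructed table in the C13 layout: strings end with 00, and 8D is a
# carriage return with the high bit set, as in the listing.
SAMPLE_TABLE = (b"No warrant, no case. See you later...\x00"
                b"To: \x00"
                b"\x8dFrom: The Chief\x8d\x8d\x00")


def string_at(table: bytes, index: int) -> str:
    """Find string number `index` by counting 00 terminators."""
    if index < 0:
        raise IndexError("negative string index")
    start = 0
    for skipped in range(index + 1):
        end = table.find(b"\x00", start)
        if end < 0:                        # ran off the end of the table
            raise IndexError(f"no string ${index:02X} in table")
        if skipped < index:
            start = end + 1                # step over one whole string
    # Clear the high bit so 8D reads as an ordinary carriage return.
    return bytes(b & 0x7F for b in table[start:end]).decode("ascii")


def check_word_carry(expected: bytes, typed: bytes) -> bool:
    """Model of L9F53; returns the carry flag (False = CLC = match).

    Assumptions: `expected` is upper-case and 00-terminated, and the
    input buffer at $0C00 holds 00 after the typed characters.
    """
    for i in range(4):                     # CPY #$04 / BCC L9F5B
        want = expected[i] if i < len(expected) else 0
        if want == 0:                      # BEQ L9F79: stored word ended
            return False
        got = typed[i] if i < len(typed) else 0
        if 0x61 <= got < 0x7B:             # 'a'..'z': SBC #$20 to upper case
            got -= 0x20
        if got != want:                    # BNE L9F7B
            return True                    # SEC
    return False                           # CLC after four equal characters


if __name__ == "__main__":
    print(repr(string_at(SAMPLE_TABLE, 2)))
    for word, typed in [(b"TEXAS\x00", b"texan"), (b"TEXAS\x00", b"tex")]:
        print(word, typed, "carry =", check_word_carry(word, typed))
```

The model makes the routine's behaviour explicit: a case-insensitive comparison of at most four characters that stops early at the stored word's terminator.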
toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Wed 15 Aug 2007, 15:48 Post subject:
Seen on the HF version, in the C12 file:
- the same SEC to CLC change at the same address,
- a different routine at $9FF8:
HackerForce version: A2 04 86 72 18 60
2007 version: A5 72 D0 02 38 60
So, who wins?
Toinet