toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Wed 15 Aug 2007, 18:02 Post subject: Lock'n'Chase (Mattel Electronics, 1982)
I never thought Mattel had ever made software for the Apple II. That game is nice: nice graphics, nice animations, great interest in eating bullets (like Pac-Man), with doors closing/opening randomly.
PROTECTION TYPE
On a standard 16 sector diskette:
- pattern search
BOOT TRACE
Let's get our standard track 0, sector 0 code at $0800:
- 9600<C600.C6FFM
- 96FB:AD E8 C0 4C 59 FF
- 9600G
The code at $0801 loads other sectors from track 0 in the text area, then executes code at $0400, then goes back to the loading of the game.
The protection routine is at $063B and is called from $0633. Let's examine the routine at $063B; it is fun, as it is full of opcodes meant to lose the boot-tracing person.
The following code is the one decoded by the Apple IIGS disassembler:
Code:
BNE $05F9
BIT #$C0
LDA #$56
STA $11
BNE $0645
BNE $060C
ORA ($F0)
ORA $D0,S
ASL
BNE $0613
ORA ($D0),Y
ORA $A9
SBCL $D074D0,X
LDA $C08C,X
BPL $0655
BNE $065D
BNE $0627
CMP $F0,X
ORA $D0,S
SEP #$D0
LDA $C08C,X
BPL $0664
BNE $066C
BNE $0636
TAX
BEQ $0673
BNE $0645
BNE $0631
STY $10C0
XCE
BNE $067B
BNE $0645
STX $F0,Y
ORA $D0,S
CPY $D0
LDY #$0A
LDA $C08C,X
BPL $0684
BNE $068C
BNE $0656
SBCL $D003F0,X
LDA ($4C,S),Y
BEQ $0696
BNE $0654
STY $C9C0
PHP
BCS $0645
BNE $06A0
BNE $065E
STY $10C0
XCE
BNE $06A8
BNE $062E
BPL $0633
BNE $06B0
BEQ $06BF
BNE $066E
STY $10C0
XCE
BNE $06B8
BNE $06FE
BPL $068B
CPX $EAF0
BNE $0665
BPL $070B
RTS
Pretty hard to understand? The following code is our "decoded" disassembly:
Code:
HEX D0
L063B LDA $C089,X
LDA #$56
STA $11
BNE L0645
HEX D0
L0645 DEC $12
BEQ L064C
BNE L0655
HEX D0
L064C DEC $11
BNE L0655
LDA #$FF ; end of loop, error is $FF
BNE L06C8
HEX D0
L0655 LDA $C08C,X
BPL L0655
BNE L065D
HEX D0
L065D CMP #$D5 ; $D5
BEQ L0664
BNE L0645
HEX D0
L0664 LDA $C08C,X
BPL L0664
BNE L066C
HEX D0
L066C CMP #$AA ; $AA
BEQ L0673
BNE L0645
HEX D0
L0673 LDA $C08C,X
BPL L0673
BNE L067B
HEX D0
L067B CMP #$96 ; $96
BEQ L0682
BNE L0645
HEX D0
L0682 LDY #$0A ; loop 10 times
L0684 LDA $C08C,X
BPL L0684
BNE L068C
HEX D0
L068C CMP #$FF ; $FF
BEQ L0693
BNE L0645
HEX 4C
L0693 BEQ L0696
HEX D0
L0696 LDA $C08C,X
CMP #$08 ; <$08
BCS L0645
BNE L06A0
HEX D0
L06A0 LDA $C08C,X
BPL L06A0
BNE L06A8
HEX D0
L06A8 STA $10 ; read value in $10
DEY
BNE L06B0
BEQ L06BF
HEX D0
L06B0 LDA $C08C,X ; read next value
BPL L06B0
BNE L06B8
HEX D0
L06B8 EOR $10 ; EOR
BNE L06A8
BEQ L06A8
HEX D0
L06BF LDA $10
EOR #$60
BNE L0645
BEQ L06C8 ; exit with $00
HEX D0
L06C8 RTS
From the previous code, it is clear that the return value is $00 if the disk is an original one and different from $00 if it is a copy.
Let's now replace the call to the protection:
Code:
JSR $063B
CMP #$00
BEQ ORIGINAL
with
Code:
LDA #$00
NOP
CMP #$00
BEQ ORIGINAL
DISK COPY
Launch Advanced Demuffin
Go to the monitor
- B942: 18
Press Ctrl-Y
Copy the disk
REMOVE THE PROTECTION
- Launch my favorite Disk Fixer 4.02 (my ProDOS version)
- On T0/S3/3: replace 20 3B 06 with A9 00 EA
- Save the sector back to disk
Neat crackers would have saved a value of $00 at $10 and would have returned from the protection routine with ACC=$00. A tip: at T0/S3/3B: A9 00 85 10 60
Your backup copy is now available,
Toinet
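A Python model of the decoded routine's check, added here as an example and not code from the post: it mimics the $11/$12 retry counters, the hunt for D5 AA 96 FF, the unwaited latch read and the ten-nibble XOR against $60, run over constructed track images (the initial value of $12, which the post never sets, is assumed to be 0).

```python
from itertools import cycle

# Model of the decoded protection routine at $063B (added example, not code from the post).
# Each read() is one LDA $C08C,X; a value with bit 7 clear means "latch not ready", which
# the BPL loops spin on.  The track images built further down are constructed.
PROLOGUE = (0xD5, 0xAA, 0x96, 0xFF)
COUNT = 0x0A          # LDY #$0A: ten nibbles are XORed together
EXPECTED = 0x60       # EOR #$60 must leave zero on an original

def protection_check(track, outer=0x56, inner=0x00):
    """Return $00 when the stream passes, $FF once the $11/$12 retry counters expire.
    outer models $11 (LDA #$56); inner models $12, uninitialised in the post (assumed 0)."""
    read = cycle(track).__next__          # the track loops under the head

    def wait_nibble():                    # LDA $C08C,X / BPL: spin until bit 7 is set
        while not (v := read()) & 0x80:
            pass
        return v

    while True:
        inner = (inner - 1) & 0xFF        # L0645 DEC $12
        if inner == 0:
            outer = (outer - 1) & 0xFF    # L064C DEC $11
            if outer == 0:
                return 0xFF               # retries exhausted: LDA #$FF
        # L0655..L068C: hunt for D5 AA 96 FF; any mismatch restarts at L0645
        if wait_nibble() != PROLOGUE[0]:
            continue
        if any(wait_nibble() != n for n in PROLOGUE[1:]):
            continue
        if read() >= 0x08:                # L0696: unwaited read must see an empty latch
            continue
        acc = 0                           # L06A0..L06B8: XOR the next ten nibbles into $10
        for _ in range(COUNT):
            acc ^= wait_nibble()
        if acc == EXPECTED:               # L06BF: EOR #$60 left zero
            return 0x00

# Constructed nibble data: the last nibble makes the XOR of all ten come out as $60
DATA_ORIGINAL = [0x96, 0x97, 0x9A, 0x9B, 0x9D, 0x9E, 0x9F, 0xA6, 0xA7, 0xFD]
DATA_COPY = DATA_ORIGINAL[:-1] + [0xFE]   # XOR comes out as $63 instead

def make_track(data, latch_after_ff=0x04):
    """Build a looping track image: gap reads (< $80) around the prologue and data."""
    track = [0x02, 0x05, 0xFF, 0x03]
    for n in PROLOGUE:
        track += [0x01, n]
    track.append(latch_after_ff)          # what the unwaited read at L0696 sees
    for n in data:
        track += [0x03, n]
    return track
```

A copy whose bits are timed differently shows up in the third case: a full nibble already sitting in the latch right after the $FF makes the routine retry until the counters run out.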