toinet
Inscrit le: 15 Juin 2007
Messages: 326
Localisation: Paris, France
|
 Post� le: Mer 15 Ao� 2007, 18:06 Sujet du message: Zorro (Datasoft, 1985) |
 |
|
The authors of Conan have also written Zorro, an arcade game in the same vein which is also really fun to play with. You are Zorro and must defeat your ennemies.
PROTECTION TYPE
On a standard 16-sector disk:
- use of the first $13 ($00 to $12) tracks
- change of markers for tracks 1 and above: CA EE ED, DE AA EB, A9 BA F7, DE AA EB
- memory code is encrypted
BOOT TRACE
- 9600<C600.C6FFM
- 96FB: AD E8 C0 60
- 9600G
Let's examine the code at $0801:
- A jump to $8CA which decodes (LDA PHA LSR PLA ROR STA) data from $0804 to $08C9
- It then jumps to the decoded data at $0814
- It loads data from T0/S1 to T0/S6 from $8000 to $85FF
- At $089D, data is decoded and moved to $D000
- And then jumps to $D407
That is not an easy boot tracing, so we'll stop the program once data is loaded at $8000:
- 96FB: A9 00 8D 02 08 A9 98 8D 03 08 4C 01 08
- 9800: A9 60 8D DB 08 20 CA 08 A9 4C 8D 69 08 A9 59 8D 6A 08 A9 FF 8D 6B 08
- 9600G
We now have the coded data beginning at $8000. Now get the decoded data:
- 08B1: 60
- 02: 00 90 00 80
- 300: A0 00 20 9D 08 60
- 300G
We now have the decoded data beginning at $9000, let's analyse $9407 (equivalent to $D407):
- $D407 goes to $D438 then if it returns, it goes to $0C00 and finally jumps to $2000
- At $D438 data is loaded from the disk. The data to load (address, track, sector) are located in tables. X is used as an index in the table.
- Code at $D445 is executed if X=16, otherwise it is not.
- $D7 is zeroed. Data is read from $D4C4 twice then the read values are compared:
-> If they are different, $D7 is set to 1.
-> If values are equal, a RTS is performed.
It looks like a protection  Why not RTS once our init to $D7 has been done?
Please note that you will have to keep your decoded data in memory unless you want to recode your changes...
DISK COPY
- Launch Advanced Demuffin
- Copy track $00 only with standard markers
- Copy tracks $01 to $12 (or $13) with the following markers: CA EE DD (D5 AA 96), A9 BA F7 (D5 AA AD)
REMOVE THE PROTECTION
- Launch your favorite disk editor
- On track 0, sector 0: write your decoded $0800..$08FF boot 0
- On track 0, sectors 1 to 6: write your decoded data at $9000..$95FF
Going back to T0/S0
Tell the first jump to go to the already decoded data and do not decode the boot 2 data:
- T0/S0/1: 4C CA 08 => 4C 14 08
- T0/S0/A1: 48 4A 68 6A => EA EA EA EA (or 48 EA 68 EA)
Set our standard D5 AA 96 markers:
- T0/S2/91: 95 => D5
- T0/S2/9B: DD => AA
- T0/S2/A6: BB => 96
- T0/S2/23: 53 => D5
- T0/S2/2D: 75 => AA
- T0/S2/38: EF => AD
Tell the program the protection passed:
- T0/S5/49: A9 14 => 60 EA
Your backup copy is now available...
Toinet |
|
FAQ 
Rechercher 
Liste des Membres 
Groupes d'utilisateurs
S'enregistrer
Profil 
Se connecter pour v�rifier ses messages priv�s 
Connexion 
