toinet
Joined: 15 June 2007 Posts: 326 Location: Paris, France
Posted: Tue 21 Aug 2007, 7:23 Post subject: Air-Sim 3 (Mind Systems, 1983)
Helicopter simulator which requires the manual if you want to take off
PROTECTION TYPE
On a standard 16-sector disk:
- Tracks 0 to 2 are normal tracks
- Tracks 3 to A are non-standard tracks (not copyable)
- Tracks B and above are standard tracks
BOOT TRACE
- 9600<C600.C6FFM
- 96FB: AD E8 C0 60
- 9600G
We get our standard code at $0800..$08FF, which loads a RWTS from $3700 to $3FFF.
It then jumps to $3700 and seems to load the DOS 3.3 kernel.
It ends by jumping to $1B03.
The code there loads data from $0400 to $0BFF. The code is loaded from track $10, sector $0. It is moved to $5C00..$5FFF and a final jump to $5CC6 is performed.
At $5CC6 we have the read routines that will load tracks 3 to A into memory. The code uses the standard RWTS to move the disk arm and then hands over to the track read routines.
The main loop is at $5D24. It uses the index at $5C2B (from 0 to 7, equivalent to tracks 3 to A).
Once the program is loaded, memory locations $7700..$77FF are copied to $0000..$00FF (the zero page) and an indirect jump to $36..$37 is executed. We will later find the values 00 6C, meaning a jump to $6C00.
DISK COPY
The normal tracks
- Launch Advanced Demuffin
- Copy tracks 0 to 2 and tracks B to 22 with standard markers
The non-standard tracks
Then, reboot and trace your disk. At $3F92, replace 4C 00 08 with 4C 59 FF and execute a call to $3700 with X=$60.
Then, at $0823, replace 4C C6 5C with 4C 59 FF and execute $0800. The main read routines are now located at their final address.
At $5D40, replace 6C 36 00 with 4C 59 FF and execute $5CC6. The program will now be loaded into memory.
The memory organization is now the following:
- $0800..$1FFF: main program
- $2000..$5BFF: read routines buffer
- $5C00..$5FFF: read routines
- $6000..$B6FF: main program
- $B700..$BFFF: standard RWTS
What I have done is copy the complete bank 00 to another bank of my IIgs memory and copy back the tracks to a standard disk:
- Track 3: $0800..$17FF
- Track 4: $1800..$1FFF
- Track 5: $6000..$6FFF
- Track 6: $7000..$7FFF
- Track 7: $8000..$8FFF
- Track 8: $9000..$9FFF
- Track 9: $A000..$AFFF
- Track A: $B000..$B6FF
We now have to rewrite the read routines...
REMOVE PROTECTION
Now that our disk is readable and copyable, we must rewrite the read routines located at $5CC6..$5FFF. The code is located on track $10, from sectors 4 to 7. We will use the standard RWTS to read data.
The code is similar to:
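Code:
         LDA   #$01
         STA   $B7F4      ; IOB command = read
         LDA   #$00
         STA   $B7ED      ; IOB sector = 0
         STA   $B7F0      ; IOB buffer pointer, low byte
         LDA   #$03       ; start at track 3
         LDX   #$08       ; buffer at $0800
         LDY   #$18       ; $18 pages -> $0800..$1FFF
         JSR   READ
         LDA   #$05       ; start at track 5
         LDX   #$60       ; buffer at $6000
         LDY   #$57       ; $57 pages -> $6000..$B6FF
         JSR   READ
         LDY   #$00
]CP      LDA   $7700,Y    ; copy $7700..$77FF to the zero page
         STA   $0000,Y
         INY
         BNE   ]CP        ; loop back to the LDA, not to LDY #$00
         JMP   ($0036)    ; indirect jump through $36..$37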
And the READ routine is:
A: Track to begin with
X: Hi-Ptr to buffer in RAM
Y: Number of pages to load
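Code:
READ     STA   $B7EC      ; IOB track
         STX   $B7F1      ; IOB buffer pointer, high byte
         STY   $5C27      ; page counter
         LDA   #$00
         STA   $B7ED      ; IOB sector = 0
]LP      LDA   #$B7       ; A/Y = address of the IOB ($B7E8)
         LDY   #$E8
         JSR   $B7B5      ; call the standard RWTS
         INC   $B7F1      ; next page in RAM
         INC   $B7ED      ; next sector
         LDA   $B7ED
         CMP   #$10       ; past sector $F?
         BNE   OK
         LDA   #$00
         STA   $B7ED      ; back to sector 0
         INC   $B7EC      ; of the next track
OK       DEC   $5C27
         BNE   ]LP
         RTS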
That's it! Reboot and enjoy the game. The disk noise is normal as the text page is copied over by the welcome page.
Your backup copy is now ready,
Toinet
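Added example, not part of the original post: a small Python model of the READ loop above, used to check that the two JSR READ calls reproduce the track table given in the post and never write over the read routines ($5C00..$5FFF) or the RWTS ($B700 and up). The function names and the POSTED table variable are assumptions of this example; the addresses come from the post.

```python
# Added model of the READ loop from the post (not the author's code).
SECTORS_PER_TRACK = 0x10          # standard 16-sector track

def read_plan(track, hi_page, pages):
    """Mirror READ (A=track, X=buffer high byte, Y=page count).
    Returns one (track, sector, buffer_address) per RWTS call."""
    plan, sector = [], 0                      # STA $B7ED with #$00
    for _ in range(pages):                    # counter at $5C27
        plan.append((track, sector, hi_page << 8))
        hi_page += 1                          # INC $B7F1
        sector += 1                           # INC $B7ED
        if sector == SECTORS_PER_TRACK:       # CMP #$10
            sector, track = 0, track + 1      # INC $B7EC
    return plan

def track_ranges(plan):
    """Collapse a plan into {track: (first_byte, last_byte)}."""
    ranges = {}
    for track, _sector, addr in plan:
        first = ranges.get(track, (addr,))[0]
        ranges[track] = (first, addr + 0xFF)
    return ranges

def locate(plan, addr):
    """(track, sector) that supplies the page containing addr."""
    return next((t, s) for t, s, a in plan if a == (addr & 0xFF00))

def full_plan():
    """The two JSR READ calls of the rewritten loader."""
    return read_plan(0x03, 0x08, 0x18) + read_plan(0x05, 0x60, 0x57)

# Track table as listed in the post.
POSTED = {0x3: (0x0800, 0x17FF), 0x4: (0x1800, 0x1FFF),
          0x5: (0x6000, 0x6FFF), 0x6: (0x7000, 0x7FFF),
          0x7: (0x8000, 0x8FFF), 0x8: (0x9000, 0x9FFF),
          0x9: (0xA000, 0xAFFF), 0xA: (0xB000, 0xB6FF)}

if __name__ == "__main__":
    plan = full_plan()
    for trk, (lo, hi) in sorted(track_ranges(plan).items()):
        print(f"track ${trk:X}: ${lo:04X}..${hi:04X}")
    print("matches posted table:", track_ranges(plan) == POSTED)
    print("zero-page source $7700 comes from T/S", locate(plan, 0x7700))
    # Nothing may land on the loader ($5C00..$5FFF) or RWTS ($B700+).
    print("loader/RWTS untouched:",
          all(not 0x5C00 <= a <= 0x5FFF and a < 0xB700 for _, _, a in plan))
```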