toinet
Inscrit le: 15 Juin 2007 Messages: 326 Localisation: Paris, France
|
Post� le: Mar 04 Sep 2007, 21:02 Sujet du message: Pinball construction set (Electronic Arts, 1983) |
|
|
Power. Pure, sheer and unadulterated. A nearly telepathic link between you and the machine. Here is the promise made good. Here is the reason why you bought a computer in the first place. It's been called the best program ever written for an 8-bit machine. Boot the disk and find out why.
DISK STRUCTURE
A standard 16-sector disk with the famous track-arcing protection on track 6.
BOOT TRACE
- 9600<C600.C6FFM
- 96FB: AD E8 C0 60
- 9600G
We get a standard boot0 code at $801 with an indirect jump to $B700.
- 96FB: A9 4C 8D 4A 08 A9 59 8D 4B 08 A9 FF 8D 4C 08 4C 01 08
- 9600G
We now have a standard RWTS from $B700 to $BFFF
The game loads parts of it from different tables:
$B762: 20 18 01 0D -> number of pages to load
$B766: 22 03 03 01 -> track
$B76A: 0F 07 08 0C -> sector
$B76E: 3F 1F 40 B5 -> high address in memory
Once parts are loaded, a JMP $1E00 is performed.
Call $B700 with X=$60 and change the JMP $1E00 to a JMP $FF59 (it is at address $B7E2)
At $1E00, we find a call to $1E36 where we find other tables to load data with X containing the index in the tables, then a JSR $1E7D is performed. From there, we have the following code:
Code: |
JSR $A600
LDA $48
BNE *+1
RTS
...
|
It looks like a protection. Let's see the tables to locate the code on the disk:
$1E65: 39 0A 08 0B 01 03 -> number of pages
$1E6B: 0B 0C 0D 0E 05 03 -> track
$1E71: 08 09 07 0A 00 0B -> sector
$1E77: A8 9E 9C 8F A5 A8 -> high address in memory
Let's load T3/SB ($A800), T3/SA ($A700) and T3/S9 ($A600)... What we find there is a set of LDA $C0EC / CMP �$B5 and so on... as well as our typical track-arcing protection code.
What we can do now is remove the call to the protection...
DISK COPY
Copy the entire disk with Locksmith 6.3. Do not pay attention to the read errors on track 6.
PROTECTION REMOVAL
- Launch Disk Fixer
- Edit T3/S6/8A: 20 00 A6 A5 48 => EA A9 00 85 48
- Save the sector back to disk
Alternative method:
- Launch Disk Fixer
- Edit T3/S9/0: A9 00 85 48 60
- Save the sector back to disk
Your backup copy is now ready,
Toinet |
|