|
|
|
IDENTIFICATION SERVEUR : 10.0.97.65 - CLIENT : 54.226.58.177 |
|
| Voir le sujet précédent :: Voir le sujet suivant |
| Auteur |
Message |
toinet
Site Admin
Inscrit le: 15 Juin 2007
Messages: 2949
Localisation: Le Chesnay, France
|
 Posté le: Sam 16 Sep 2017, 12:12 Sujet du message: Alcazar The forgotten fortress (Activision, 1985) |
 |
|
#975 - At every corner. With every step. You strain your eyes and your ears. Through endless castles and countless chambers. Where is the jeweled throne? You search. But only find - what you least expect.
Disk structure
This is a nearly standard double-sided 16-sec disk. There are three tracks (8, 9, A) that cannot be read with Locksmith Fast Disk Backup.
Protection type
The three tracks have a non standard second epilog marker of the address field. So, we have
| Code: |
Side 1
T0-T7: can be copied
T8-TA: D5AA96 DExxEB D5AAAD DEAAEB
TB-T22: can be copied
Side 2
T0-T22: can be copied
|
How to copy
Boot my copy disk and launch Advanced Demuffin
| Code: |
Press P to bypass boot
Enter the monitor
B98B:18 60 EA
Press control-Y to re-enter
Copy both sides
|
A deeper analysis
You boot your copy and it fails to run. Why? Because the second epilog marker values are used to decypher code. So, we need to store the values and use them when needed.
We launch the bitcopier of Copy II Plus and edit the three tracks. We now know the needed values:
| Code: |
T8: AF
T9: BE
TA: CD
|
How to normalize
Boot my copy disk and launch Disk Fixer
| Code: |
Edit the following sectors:
T0/SA/BC:A5 03 -> A9 AF
T0/SA/D1:A5 03 -> A9 BE
T0/SA/E6:A5 03 -> A9 CD
|
See the thread below to understand the way the protection works. It patches the read data epilog routine, stores the read second epilog at zero page $3 and stores it in zero page addresses $0, $1, and $2 for the three tracks. Then, a routine at $4200 decyphers the data of the same tracks. If all goes well, the game will run fine.
The disk images are available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
9/2017 |
|
| Revenir en haut de page |
|
 |
toinet
Site Admin
Inscrit le: 15 Juin 2007
Messages: 2949
Localisation: Le Chesnay, France
|
| Posté le: Sam 16 Sep 2017, 12:12 Sujet du message: |
|
|
The routine that reads tracks and stores the epilog
| Code: |
----------- DISASSEMBLY MODE -----------
00AB:A2 10 LDX #$10
00AD:A0 08 LDY #$08
00AF:A9 00 LDA #$00
00B1:85 18 STA $18
00B3:A9 79 LDA #$79
00B5:85 19 STA $19
00B7:A9 00 LDA #$00
00B9:20 68 41 JSR $4168
00BC:A5 03 LDA $03 ; AF
00BE:85 00 STA $00
00C0:A2 10 LDX #$10
00C2:A0 09 LDY #$09
00C4:A9 00 LDA #$00
00C6:85 18 STA $18
00C8:A9 89 LDA #$89
00CA:85 19 STA $19
00CC:A9 00 LDA #$00
00CE:20 68 41 JSR $4168
00D1:A5 03 LDA $03 ; BE
00D3:85 01 STA $01
00D5:A2 10 LDX #$10
00D7:A0 0A LDY #$0A
00D9:A9 00 LDA #$00
00DB:85 18 STA $18
00DD:A9 99 LDA #$99
00DF:85 19 STA $19
00E1:A9 00 LDA #$00
00E3:20 68 41 JSR $4168
00E6:A5 03 LDA $03 ; CD
00E8:85 02 STA $02
|
|
|
| Revenir en haut de page |
|
|
toinet
Site Admin
Inscrit le: 15 Juin 2007
Messages: 2949
Localisation: Le Chesnay, France
|
| Posté le: Sam 16 Sep 2017, 12:14 Sujet du message: |
|
|
And the routine (at $4200) that decyphers the data based on the epilog markers read.
| Code: |
----------- DISASSEMBLY MODE -----------
0000:A0 00 LDY #$00
0002:98 TYA
0003:85 04 STA $04
0005:A9 79 LDA #$79
0007:85 05 STA $05
0009:A5 00 LDA $00
000B:45 01 EOR $01
000D:45 02 EOR $02
000F:51 04 EOR ($04),Y
0011:91 04 STA ($04),Y
0013:48 PHA
0014:C8 INY
0015:D0 08 BNE $001F
0017:E6 05 INC $05
0019:A5 05 LDA $05
001B:C9 A9 CMP #$A9
001D:F0 73 BEQ $0092
001F:68 PLA
0020:AA TAX
0021:A9 00 LDA #$00
0023:85 03 STA $03
0025:8A TXA
0026:0A ASL
0027:26 03 ROL $03
0029:26 03 ROL $03
002B:26 03 ROL $03
002D:0A ASL
002E:26 03 ROL $03
0030:26 03 ROL $03
0032:26 03 ROL $03
0034:AA TAX
0035:A5 02 LDA $02
0037:29 DB AND #$DB
0039:05 03 ORA $03
003B:85 02 STA $02
003D:A9 00 LDA #$00
003F:85 03 STA $03
0041:8A TXA
0042:0A ASL
0043:26 03 ROL $03
0045:26 03 ROL $03
0047:26 03 ROL $03
0049:0A ASL
004A:26 03 ROL $03
004C:26 03 ROL $03
004E:26 03 ROL $03
0050:0A ASL
0051:26 03 ROL $03
0053:26 03 ROL $03
0055:AA TAX
0056:A5 01 LDA $01
0058:29 6D AND #$6D
005A:05 03 ORA $03
005C:85 01 STA $01
005E:A9 00 LDA #$00
0060:85 03 STA $03
0062:8A TXA
0063:0A ASL
0064:26 03 ROL $03
0066:26 03 ROL $03
0068:26 03 ROL $03
006A:0A ASL
006B:26 03 ROL $03
006D:26 03 ROL $03
006F:26 03 ROL $03
0071:0A ASL
0072:26 03 ROL $03
0074:A5 00 LDA $00
0076:29 B6 AND #$B6
0078:05 03 ORA $03
007A:85 00 STA $00
007C:A9 00 LDA #$00
007E:85 03 STA $03
0080:18 CLC
0081:26 00 ROL $00
0083:26 01 ROL $01
0085:26 02 ROL $02
0087:26 03 ROL $03
0089:A5 00 LDA $00
008B:05 03 ORA $03
008D:85 00 STA $00
008F:4C 09 42 JMP $4209
0092:68 PLA
0093:60 RTS
|
|
|
| Revenir en haut de page |
|
|
|
|
Vous ne pouvez pas poster de nouveaux sujets dans ce forum
Vous ne pouvez pas répondre aux sujets dans ce forum
Vous ne pouvez pas éditer vos messages dans ce forum
Vous ne pouvez pas supprimer vos messages dans ce forum
Vous ne pouvez pas voter dans les sondages de ce forum
|
|
FAQ 
Rechercher 
Liste des Membres 
Groupes d'utilisateurs
S'enregistrer
Profil 
Se connecter pour vérifier ses messages privés 
Connexion 
