qkumba
Joined: 29 Jan 2012 Posts: 176
Posted: Wed 30 May 2018, 21:05 Subject: Bruce Lee (Datasoft, 1984)
A difficult platform game with Bruce Lee. Collect the lanterns and avoid the warriors as you progress through the levels to the treasure room.
We start with the standard DOS boot sector.
Code:
0800 01 .BYTE 1
0801 A5 27 LDA $27
0803 C9 09 CMP #$09
0805 D0 18 BNE $081F
0807 A5 2B LDA $2B
0809 4A LSR
080A 4A LSR
080B 4A LSR
080C 4A LSR
080D 09 C0 ORA #$C0
080F 85 3F STA $3F
0811 A9 5C LDA #$5C
0813 85 3E STA $3E
0815 18 CLC
0816 AD FE 08 LDA $08FE
0819 6D FF 08 ADC $08FF
081C 8D FE 08 STA $08FE
081F AE FF 08 LDX $08FF
0822 30 15 BMI $0839
0824 BD 4D 08 LDA $084D,X
0827 85 3D STA $3D
0829 CE FF 08 DEC $08FF
082C AD FE 08 LDA $08FE
082F 85 27 STA $27
0831 CE FE 08 DEC $08FE
0834 A6 2B LDX $2B
0836 6C 3E 00 JMP ($003E)
0839 EE FE 08 INC $08FE
083C EE FE 08 INC $08FE
083F 20 89 FE JSR $FE89
0842 20 93 FE JSR $FE93
0845 20 2F FB JSR $FB2F
0848 A6 2B LDX $2B
084A 6C FD 08 JMP ($08FD)
...
08FD 00 B6 .WORD $B600
08FF 02 .BYTE 2
It loads only two sectors, to $B700 and $B800. The other sectors on the track are not used.
Code:
B700 A2 00 LDX #$00
B702 BD 00 B8 LDA $B800,X
B705 9D 00 02 STA $0200,X
B708 CA DEX
B709 D0 F7 BNE $B702
B70B A6 2B LDX $2B
B70D A9 1E LDA #$1E
B70F 20 15 B7 JSR $B715 ;seek
B712 4C 19 02 JMP $219
Copy some code to $200, seek to track $0F, and then run the copied code.
Code:
0219 A5 2B LDA $2B
021B 85 F4 STA $F4
021D 4A LSR
021E 4A LSR
021F 4A LSR
0220 4A LSR
0221 09 C0 ORA #$C0
0223 8D 18 02 STA $0218
0226 20 58 FC JSR $FC58
0229 A2 30 LDX #$30
022B BD 51 C0 LDA $C051,X
022E BD 51 C0 LDA $C051,X ;tricky way to reuse X
0231 B9 00 D0 LDA $D000,Y
0234 99 00 D0 STA $D000,Y
0237 88 DEY
0238 D0 F7 BNE $0231
023A EE 33 02 INC $0233
023D EE 36 02 INC $0236
0240 CA DEX
0241 D0 EE BNE $0231
Enable language card if it exists (the game runs differently in 48kb, 64kb, or 128kb).
Code:
0243 A9 00 LDA #$00
0245 8D F2 03 STA $03F2
0248 8D FC FF STA $FFFC
024B A9 02 LDA #$02
024D 8D F3 03 STA $3F3
0250 8D FD FF STA $FFFD
0253 49 A5 EOR #$A5
0255 8D F4 03 STA $03F4
0258 A2 07 LDX #$07
025A BD 79 C0 LDA $C079,X
025D 20 7E 02 JSR $027E
Set some vectors and then request region 7.
qkumba
Joined: 29 Jan 2012 Posts: 176
Posted: Wed 30 May 2018, 21:06
Code:
027E 85 44 STA $44
0280 86 3F STX $3F
0282 84 3E STY $3E
0284 A6 F4 LDX $F4
0286 BD 89 C0 LDA $C089,X
0289 A9 40 LDA #$40
028B 20 A8 FC JSR $FCA8
028E A9 00 LDA #$00
0290 85 42 STA $42
0292 A9 60 LDA #$60
0294 85 43 STA $43
0296 A9 04 LDA #$04
0298 85 41 STA $41
029A BD 8C C0 LDA $C08C,X
029D 10 FB BPL $029A
029F C9 D5 CMP #$D5
02A1 D0 F7 BNE $029A
02A3 BD 8C C0 LDA $C08C,X
02A6 10 FB BPL $02A3
02A8 C9 BB CMP #$BB
02AA D0 EE BNE $029A
02AC BD 8C C0 LDA $C08C,X
02AF 10 FB BPL $02AC
02B1 C9 CC CMP #$CC
02B3 D0 E5 BNE $029A
02B5 BD 8C C0 LDA $C08C,X
02B8 10 FB BPL $02B5
02BA 2A ROL
02BB 85 40 STA $40
02BD BD 8C C0 LDA $C08C,X
02C0 10 FB BPL $02BD
02C2 25 40 AND $40
02C4 91 42 STA ($42),Y
02C6 C8 INY
02C7 D0 EC BNE $02B5
02C9 BD 8C C0 LDA $C08C,X
02CC 10 FB BPL $02C9
02CE C9 AD CMP #$AD
02D0 D0 C8 BNE $029A
02D2 E6 43 INC $43
02D4 C6 41 DEC $41
02D6 D0 DD BNE $02B5
02D8 A6 3F LDX $3F
02DA 20 00 60 JSR $6000
02DD A5 44 LDA $44
02DF A4 3E LDY $3E
02E1 A6 F4 LDX $F4
02E3 DD 88 C0 CMP $C088,X
02E6 60 RTS
The region handler is loaded first. It's 4-and-4 encoded, one prologue of #$D5 #$BB #$CC, then four sectors with epilogue of #$AD in between and no more prologue.
Code:
6000 E0 07 CPX #$07
6002 D0 03 BNE $6007
6004 4C 64 62 JMP $6264
...
6264 AD B3 FB LDA $FBB3
6267 C9 06 CMP #$06
6269 F0 05 BEQ $6270 ;detect 64kb
...
6270 2C 83 C0 BIT $C083
6273 2C 83 C0 BIT $C083
6276 A2 00 LDX #$00
6278 BD 8A 62 LDA $628A,X
627B 9D 00 D0 STA $D000,X
627E BD 8A 63 LDA $638A,X
6281 9D 00 D1 STA $D100,X
6284 CA DEX
6285 D0 F1 BNE $6278
6287 4C 00 D0 JMP $D000
Copy the next stage code to $D000 and then run it.
Code:
D000 8D 05 C0 STA $C005
D003 A9 09 LDA #$09
D005 8D 00 80 STA $8000
D008 A9 23 LDA #$23
D00A 8D 01 80 STA $8001
D00D 0E 00 84 ASL $8400
D010 0E 01 84 ASL $8401
D013 8D 04 C0 STA $C004
D016 8D 03 C0 STA $C003
D019 AD 00 80 LDA $8000
D01C C9 09 CMP #$09
D01E D0 0A BNE $D02A
D020 AD 01 80 LDA $8001
D023 C9 23 CMP #$23
D025 8D 02 C0 STA $C002
D028 F0 06 BEQ $D030
D02A 8D 02 C0 STA $C002
D02D 4C 6B 62 JMP $626B
D030 A2 0A LDX #$0A
D032 20 10 60 JSR $6010
Detect 128kb, and request region #$0A if so.
Code:
6010 8E 63 62 STX $6263
6013 AE 63 62 LDX $6263
6016 BD 37 62 LDA $6237,X ;track*2
6019 48 PHA
601A BD 42 62 LDA $6242,X ;first sector
601D 85 0B STA $0B
601F BD 4D 62 LDA $624D,X ;number of sectors
6022 A8 TAY
6023 BD 58 62 LDA $6258,X ;address
6026 AA TAX
6027 68 PLA
6028 20 B6 60 JSR $60B6 ;read
602B B0 E6 BCS $6013
602D A9 1E LDA #$1E
602F 4C 32 60 JMP $6032 ;seek
The loader uses a table of regions that can be loaded.
If the read was okay, then the code seeks to track $0F again.
The reason for that comes later. We are not at the interesting part yet.
Code:
60B6 85 05 STA $05
60B8 86 07 STX $07
60BA A2 00 LDX #$00
60BC 86 06 STX $06
60BE 84 04 STY $04
60C0 A5 05 LDA $05
60C2 A6 F4 LDX $F4
60C4 DD 8E C0 CMP $C08E,X
60C7 DD 89 C0 CMP $C089,X
60CA 20 32 60 JSR $6032 ;seek
60CD 4C 00 61 JMP $6100 ;really read
Still not interesting.
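
Added example, not part of the original post: a Python model of the stage loader at $029A-$02D6 listed above (prologue #$D5 #$BB #$CC, four 4-and-4 pages, and the #$AD that the listing checks after each page). The names load_stage, build_stream and encode_44 and the sample stream are constructed for illustration.

```python
PROLOGUE = (0xD5, 0xBB, 0xCC)
EPILOGUE = 0xAD
PAGES = 4  # LDA #$04 / STA $41


def decode_44(n1, n2):
    # ROL with carry set, then AND with the second nibble ($02BA-$02C2)
    return ((n1 << 1) | 1) & n2 & 0xFF


def encode_44(b):
    # Hypothetical inverse, used only to construct the sample stream
    return (b >> 1) | 0xAA, b | 0xAA


def load_stage(stream):
    """Return the 1024 bytes the loader would place at $6000-$63FF."""
    it = iter(stream)

    def nxt():
        try:
            return next(it)
        except StopIteration:
            raise ValueError("stream ended before four pages were read") from None

    out, synced = bytearray(), False
    while len(out) < PAGES * 256:
        if not synced:
            # Any mismatch fetches a fresh nibble and starts again at $D5
            while not (nxt() == PROLOGUE[0] and nxt() == PROLOGUE[1]
                       and nxt() == PROLOGUE[2]):
                pass
            synced = True
        page = bytes(decode_44(nxt(), nxt()) for _ in range(256))
        if nxt() == EPILOGUE:
            out += page          # INC $43 / DEC $41, no new prologue needed
        else:
            synced = False       # BNE $029A: hunt for the prologue again
    return bytes(out)


def build_stream(data):
    """Constructed sample: leading junk, a decoy, then the real stage."""
    stream = [0xFF] * 8 + [0xD5, 0xBB, 0xFF]       # decoy: wrong third nibble
    stream += list(PROLOGUE)
    for p in range(PAGES):
        for b in data[p * 256:(p + 1) * 256]:
            stream += encode_44(b)
        stream.append(EPILOGUE)
    return stream
```

Because every 4-and-4 nibble has bits 7, 5, 3 and 1 set, #$D5 can never occur inside the data, so the prologue search cannot lock onto payload nibbles.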
qkumba
Joined: 29 Jan 2012 Posts: 176
Posted: Wed 30 May 2018, 21:07
Code:
6100 38 SEC
6101 BD 8C C0 LDA $C08C,X
6104 10 FB BPL $6101
6106 C9 96 CMP #$96
6108 D0 F6 BNE $6100
610A BD 8C C0 LDA $C08C,X
610D 10 FB BPL $610A
610F C9 AA CMP #$AA
6111 D0 F3 BNE $6106
6113 BD 8C C0 LDA $C08C,X
6116 10 FB BPL $6113
6118 C9 96 CMP #$96
611A D0 E4 BNE $6100
611C BD 8C C0 LDA $C08C,X
611F 10 FB BPL $611C
6121 C9 D5 CMP #$D5
6123 D0 DB BNE $6100
6125 BD 8C C0 LDA $C08C,X
6128 10 FB BPL $6125
612A C9 96 CMP #$96
612C D0 D2 BNE $6100
612E A4 0B LDY $0B
6130 A9 0D LDA #$0D
6132 85 02 STA $02
6134 BD 8C C0 LDA $C08C,X
6137 10 FB BPL $6134
6139 C9 AD CMP #$AD
613B D0 F7 BNE $6134
613D C6 02 DEC $02
613F BD 8C C0 LDA $C08C,X
6142 10 FB BPL $613F
6144 D9 BA 61 CMP $61BA,Y
6147 D0 EB BNE $6134
6149 F0 0E BEQ $6159
614B BD 8C C0 LDA $C08C,X
614E 10 FB BPL $614B
6150 C9 AD CMP #$AD
6152 D0 63 BNE $61B7
6154 BD 8C C0 LDA $C08C,X
6157 10 FB BPL $6154
6159 A9 75 LDA #$75
615B 85 03 STA $03
615D A0 00 LDY #$00
615F BD 8C C0 LDA $C08C,X
6162 10 FB BPL $615F
6164 2A ROL
6165 85 41 STA $41
6167 BD 8C C0 LDA $C08C,X
616A 10 FB BPL $6167
616C 25 41 AND $41
616E 85 01 STA $01
6170 45 03 EOR $03
6172 91 06 STA ($06),Y
6174 C8 INY
6175 BD 8C C0 LDA $C08C,X
6178 10 FB BPL $6175
617A 2A ROL
617B 85 41 STA $41
617D BD 8C C0 LDA $C08C,X
6180 10 FB BPL $617D
6182 25 41 AND $41
6184 85 03 STA $03
6186 45 01 EOR $01
6188 91 06 STA ($06),Y
618A C8 INY
618B D0 D2 BNE $615F
618D E6 07 INC $07
618F BD 8C C0 LDA $C08C,X
6192 10 FB BPL $618F
6194 2A ROL
6195 85 41 STA $41
6197 BD 8C C0 LDA $C08C,X
619A 10 FB BPL $6197
619C 25 41 AND $41
619E 45 03 EOR $03
61A0 D0 15 BNE $61B7
61A2 C6 04 DEC $04
61A4 F0 0F BEQ $61B5
61A6 C6 02 DEC $02
61A8 D0 A1 BNE $614B
61AA A9 00 LDA #$00
61AC 85 0B STA $0B
61AE E6 05 INC $05
61B0 E6 05 INC $05
61B2 4C C0 60 JMP $60C0
61B5 18 CLC
61B6 60 RTS
This is the code to read sectors. Prologue is #$96 #$AA #$96 #$D5 #$96!
The routine counts how many sectors exist on the track by counting nibbles until the next #$AD is read.
Encoding is 4-and-4 again, so the maximum is 12 sectors.
The sectors are grouped into blocks that start with a unique nibble.
There are 16 unique nibbles reserved, so blocks could be as small as one sector, but it wasn't used like that.
Instead, some tracks have one block, other tracks have two. That's all.
The unique nibble lets the routine know which block is being read.
The sectors are also enciphered with an initial key of #$75 and the first nibble that is read, and then alternating between each pair of nibbles that is read.
The nice thing about this routine is that we can use it to read the entire disk, apart from track $00 and $0F (and tracks $1F-22 which are not formatted).
We could save all of those tracks and build an image, but it would still not boot. Why? Now we get interesting.
Code:
D035 8D 05 C0 STA $C005
D038 A2 20 LDX #$20
D03A A0 00 LDY #$00
D03C B9 00 20 LDA $2000,Y
D03F 99 00 40 STA $4000,Y
D042 88 DEY
D043 D0 F7 BNE $D03C
D045 EE 3E D0 INC $D03E
D048 EE 41 D0 INC $D041
D04B CA DEX
D04C D0 EE BNE $D03C
D04E 8D 5E C0 STA $C05E
D051 8D 0D C0 STA $C00D
D054 8D 04 C0 STA $C004
D057 2C 50 C0 BIT $C050
D05A 2C 57 C0 BIT $C057
D05D 2C 55 C0 BIT $C055
D060 20 C6 61 JSR $61C6
In 128kb mode, display double-hires title screen, and then call another routine.
In other modes, that routine is called at a different time, but always called. What is it?
Code:
61C6 A9 01 LDA #$01
61C8 48 PHA
61C9 A6 F4 LDX $F4
61CB A0 06 LDY #$06
61CD A9 FF LDA #$FF
61CF 8D 35 62 STA $6235
61D2 48 PHA
61D3 BD 8C C0 LDA $C08C,X
61D6 10 FB BPL $61D3
61D8 C9 D5 CMP #$D5
61DA D0 F7 BNE $61D3
61DC BD 8C C0 LDA $C08C,X
61DF 10 FB BPL $61DC
61E1 C9 9B CMP #$9B
61E3 D0 F3 BNE $61D8
61E5 BD 8C C0 LDA $C08C,X
61E8 10 FB BPL $61E5
61EA C9 AB CMP #$AB
61EC D0 EA BNE $61D8
61EE BD 8C C0 LDA $C08C,X
61F1 10 FB BPL $61EE
61F3 C9 B2 CMP #$B2
61F5 D0 E1 BNE $61D8
61F7 BD 8C C0 LDA $C08C,X
61FA 10 FB BPL $61F7
61FC C9 9E CMP #$9E
61FE D0 D8 BNE $61D8
6200 BD 8C C0 LDA $C08C,X
6203 10 FB BPL $6200
6205 C9 BE CMP #$BE
6207 D0 CF BNE $61D8
6209 BD 8C C0 LDA $C08C,X
620C 10 FB BPL $6209
620E 88 DEY
620F D0 F8 BNE $6209
6211 EE 35 62 INC $6235
6214 D0 06 BNE $621C
6216 8D 36 62 STA $6236
6219 4C D8 61 JMP $61D8
621C CD 36 62 CMP $6236
621F D0 0B BNE $622C
6221 EE 35 62 INC $6235
6224 AD 35 62 LDA $6235
6227 C9 08 CMP #$08
6229 D0 AD BNE $61D8
622B 60 RTS
622C 68 PLA
622D 8D FE 63 STA $63FE
6230 68 PLA
6231 8D FF 63 STA $63FF
6234 60 RTS
This code reads from track $0F and watches for prologue #$D5 #$9B #$AB #$B2 #$9E #$BE.
Then it reads six nibbles and saves the last one before reading again.
The next time that the six nibbles are read, the last one is checked against the saved one.
If the same one is seen eight times in a row, the game erases memory and reboots.
How can the same value change when it's read? The answer is weak bits.
The track has a sequence of zeroes in a row, and then the hardware will read random values each time.
One way to defeat the routine is to return immediately. The values in $63FE and $63FF are never checked.
A funnier way would be to write two copies of the prologue and six nibbles to two places on the same track, with a different value for the sixth nibble in each case.
Then the routine will see two different values and think that everything is okay. :-)
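
Added example, not part of the original post: a Python model of the per-sector decode at $6159-$61A0 in the sector read routine above, covering the 4-and-4 decode, the XOR chain seeded with #$75, and the trailing check byte. It does not model the prologue or block-nibble search; encode_sector, encode_44 and the sample data are constructed for illustration.

```python
SEED = 0x75  # LDA #$75 / STA $03 at $6159, reloaded for every sector


def decode_44(n1, n2):
    # ROL with carry set, then AND with the second nibble ($6164-$616C)
    return ((n1 << 1) | 1) & n2 & 0xFF


def encode_44(b):
    # Hypothetical inverse, used only to construct test input
    return (b >> 1) | 0xAA, b | 0xAA


def decode_sector(nibbles):
    """nibbles: 512 data nibbles followed by the 2 check nibbles."""
    if len(nibbles) != 514:
        raise ValueError("expected 514 nibbles")
    raw = [decode_44(nibbles[i], nibbles[i + 1]) for i in range(0, 514, 2)]
    prev, plain = SEED, bytearray()
    for r in raw[:256]:
        # $6170 / $6186: each byte is XORed with the previous raw byte,
        # the very first one with the seed
        plain.append(r ^ prev)
        prev = r
    # $619E: the trailing byte XOR the last raw byte must be zero
    if raw[256] != prev:
        raise ValueError("check byte mismatch")
    return bytes(plain)


def encode_sector(plain):
    """Constructed inverse of decode_sector for a 256-byte sector."""
    if len(plain) != 256:
        raise ValueError("expected 256 bytes")
    prev, out = SEED, []
    for p in plain:
        prev ^= p                 # raw byte = running XOR of seed and plaintext
        out.extend(encode_44(prev))
    out.extend(encode_44(prev))   # check byte repeats the last raw byte
    return out
```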