toinet Site Admin
Joined: 15 Jun 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Thu 27 Jun 2019, 22:40  Post subject: Gold Rush (Sentient Software, 1982)
#1003 - This is an arcade game. Collect gold, save it, until collectors come get it and give you money. A couple of enemies are on the screen, avoid them or you'll lose either your gold treasure or your life. Thanks to Stephane Racle for the Applesauce disk image grabbed through Woz A Day by 4am.
Protection type
It is a pure on-disk protection scheme, using 4*4 encoded nibbles with 5 sectors per half-track. It loads fast and it is difficult to copy.
Disk structure
As previously mentioned, there are half-tracks, 5 sectors per phase, 512 nibbles per sector. Header is DADEB5 for even phases, and DADEB6 for odd phases. No more, no less.
Boot trace
Boot your preferred machine with .woz support or emulator and...
Code:
9600<C600.C6FFM
96F8:20 DA FD 60
9600G
01
Boot 1 is now in memory at $0800.08FF
0800: 01 8D 54 C0 8D 50 C0 8D
0808: 52 C0 8D 57 C0 A9 20 85
0810: 01 A0 00 84 00 98 91 00
0818: C8 D0 FB E6 01 A5 01 29
0820: 1F D0 F2 A9 00 85 02 A9
0828: 04 85 03 A6 2B BD 8C C0
0830: 10 FB C9 DA D0 F7 BD 8C
0838: C0 10 FB C9 DE D0 EE BD
0840: 8C C0 10 FB C9 B5 D0 E5
0848: BD 8C C0 10 FB 38 2A 85
0850: 00 BD 8C C0 10 FB 25 00
0858: 91 02 C8 D0 EB E6 03 A5
0860: 03 C9 08 D0 E3 4C 00 04
0868: A2 05 A0 00 98 59 00 04
0870: C8 D0 FA EE 6F 08 CA D0
0878: F4 C9 E0 D0 A6 4C 00 04
0880: 00 00 00 00 00 00 00 00
0888: 00 00 00 00 00 00 00 00
0890: 00 00 00 00 00 00 00 00
0898: 00 00 00 00 00 00 00 00
08A0: 00 00 00 00 00 00 00 00
08A8: 00 00 00 00 00 00 00 00
08B0: 00 00 00 00 00 00 00 00
08B8: 00 00 00 00 00 00 00 00
08C0: 00 00 00 00 00 00 00 00
08C8: 00 00 00 00 00 00 00 00
08D0: 00 00 00 00 00 00 00 00
08D8: 00 00 00 00 00 00 00 00
08E0: 00 00 00 00 00 00 00 00
08E8: 00 00 00 00 00 00 00 00
08F0: 00 00 00 00 00 00 00 00
08F8: 00 00 00 00 00 00 00 00
Let's patch to load boot 2 at $1400 instead of $0400:
96F8:A9 14 8D 28 08 A9 18 8D 62 08 A9 59 8D 66 08 A9 FF 8D 67 08 4C 01 08
9600G
*beep*
Boot 2 is now at $1400..$17FF (original at $0400..$07FF)
1400: D8 A2 FF 9A A6 2B 8E FF
1408: 02 20 89 FE 20 93 FE A0
1410: 00 B9 7A 06 C9 EE F0 06
1418: 99 00 02 C8 D0 F3 AD 81
1420: C0 AD 81 C0 A0 00 84 00
1428: A9 D0 85 01 A9 00 91 00
1430: C8 D0 FB E6 01 D0 F7 A0
1438: 00 A9 F8 85 01 84 00 B1
1440: 00 91 00 C8 D0 F9 E6 01
1448: D0 F5 A9 00 8D FC FF A9
1450: 02 8D FD FF AD 80 C0 A9
1458: 00 8D F2 03 A9 02 8D F3
1460: 03 49 A5 8D F4 03 A9 4C
1468: 8D FB 03 A9 00 8D FC 03
1470: 8D FE 03 AD FF 02 4A 4A
1478: 4A 4A 18 69 C0 8D FD 03
1480: 8D FF 03 A9 00 85 1A 85
1488: 19 85 04 A4 1A B9 DF 05
1490: AE FF 02 20 5E 05 A4 1A
1498: B9 20 06 85 01 A9 00 85
14A0: 00 B9 3E 06 85 03 A0 00
14A8: 20 EA 04 E6 1A A4 1A B9
14B0: DF 05 AE FF 02 20 5E 05
14B8: A4 1A B9 20 06 85 01 A9
14C0: 00 85 00 B9 3E 06 85 03
14C8: A0 00 A9 B6 8D 04 05 20
14D0: EA 04 A9 B5 8D 04 05 E6
14D8: 1A E6 04 A5 04 C9 0F D0
14E0: AA AE FF 02 BD 88 C0 4C
14E8: 00 0B A0 00 BD 8C C0 10
14F0: FB C9 DD D0 F7 BD 8C C0
14F8: 10 FB C9 AA D0 EE BD 8C
1500: C0 10 FB C9 B5 D0 E5 BD
1508: 8C C0 10 FB 38 2A 85 02
1510: BD 8C C0 10 FB 25 02 91
1518: 00 C8 D0 EB E6 01 A5 01
1520: C5 03 D0 E3 A4 1A B9 20
1528: 06 8D 38 05 A9 00 8D 37
1530: 05 A2 05 A0 00 98 4D 00
1538: 08 EE 37 05 C8 D0 F7 EE
1540: 38 05 CA D0 F1 A4 1A D9
1548: 5C 06 D0 01 60 AE FF 02
1550: A4 1A B9 20 06 85 01 A9
1558: 00 85 00 4C EA 04 86 18
1560: 85 17 C5 19 F0 4F A9 00
1568: 85 15 A5 19 85 16 38 E5
1570: 17 F0 31 B0 06 49 FF E6
1578: 19 90 04 69 FE C6 19 C5
1580: 15 90 02 A5 15 C9 0C B0
1588: 01 A8 38 20 A8 05 B9 C7
1590: 05 20 B6 05 A5 16 18 20
1598: AA 05 B9 D3 05 20 B6 05
15A0: E6 15 D0 C6 20 B6 05 18
15A8: A5 19 29 03 2A 05 18 AA
15B0: BD 80 C0 A6 18 60 A2 11
15B8: CA D0 FD E6 11 D0 02 E6
15C0: 12 38 E9 01 D0 F0 60 01
15C8: 30 28 24 20 1E 1D 1C 1C
15D0: 1C 1C 1C 70 2C 26 22 1F
15D8: 1E 1D 1C 1C 1C 1C 1C 02
15E0: 03 04 05 06 07 08 09 0A
15E8: 0B 0C 0D 0E 0F 10 11 12
15F0: 13 14 15 16 17 18 19 1A
15F8: 1B 1C 1D 1E 1F 20 21 22
1600: 23 24 25 26 27 28 29 2A
1608: 2B 2C 2D 2E 2F 30 31 32
1610: 33 34 35 36 37 38 39 3A
1618: 3B 3C 3D 3E 3F 40 41 42
1620: 08 0D 12 17 1C 21 26 2B
1628: 30 35 3A 3F 44 49 4E 53
1630: 58 5D 62 67 6C 71 76 7B
1638: 80 85 8A 8F 94 99 0D 12
1640: 17 1C 21 26 2B 30 35 3A
1648: 3F 44 49 4E 53 58 5D 62
1650: 67 6C 71 76 7B 80 85 8A
1658: 8F 94 99 9E 13 F3 F2 B5
1660: 21 17 13 24 7A 48 02 69
1668: 58 7F 5A 75 79 31 F0 5F
1670: 7F 1E 00 BA 0B FC 3E F9
1678: EC 00 AD 30 C0 A2 FF 8A
1680: A8 88 D0 FD AD 30 C0 CA
1688: D0 F5 20 2F FB 20 58 FC
1690: A9 C4 8D 00 04 A9 CC 8D
1698: 01 04 A2 B8 A0 00 A9 08
16A0: 85 01 84 00 98 91 00 C8
16A8: D0 FB E6 01 CA D0 F6 AD
16B0: FF 02 4A 4A 4A 4A 18 69
16B8: C0 85 01 29 00 85 00 6C
16C0: 00 00 EE EE 00 00 00 00
16C8: 00 00 00 00 00 00 00 00
16D0: 00 00 00 00 00 00 00 00
16D8: 00 00 00 00 00 00 00 00
16E0: 00 00 00 00 00 00 00 00
16E8: 00 00 00 00 00 00 00 00
16F0: 00 00 00 00 00 00 00 00
16F8: 00 00 00 00 00 00 00 00
A rapid analysis shows it is easy to redirect the jump to boot 2 to an intermediary step to patch boot 2 before it is executed. The patch prevents the game from running once loaded in memory. If that succeeds, as the game is a one-pass load, we'll have won.
96F8:A9 80 8D 66 08 A9 02 8D 67 08 4C 01 08
0280:A9 59 8D E8 04 A9 FF 8D E9 04 4C 00 04
9600G
*beep*
Now, we have the entire game in memory from $0800 to $95FF.
Gotcha!
As I run on an Apple IIgs (don't ask me how I switched from OpenEmulator supporting .woz to Sweet16 w/no .woz support), I copied the program in memory:
10/800<00/800.9FFFM
Then...
How to normalize
Format a DOS 3.3 disk
Then boot my copy disk
Launch Mobby-Disk II and
Code:
Ctrl-E + space + space and copy data from bank $10 to bank $00
00/4000<10/x800.(x+3)7FFM (e.g. 00/4000<10/0800.37FFM)
Then Ctrl-Y
Tx: is the destination track
$x800 is the program address in bank $10
$x000 is the address where it should be copied in bank $00
$x0 is the cumulated number of pages
T1 - $0800 - $4000 - $10
T2 - $1800 - $5000 - $20
T3 - $2800 - $6000 - $30
T4 - $3800 - $4000 - $40
T5 - $4800 - $5000 - $50
T6 - $5800 - $6000 - $60
T7 - $6800 - $4000 - $70
T8 - $7800 - $5000 - $80
T9 - $8800 - $6000 - $90
TA - $9800 - $4000 - $96 -> TA/S5
But all of TA is empty, so let's try $90 pages from $0800 to $97FF.
Then I patched the DOS 3.3 boot 1 sector and T0/S1 to read the entire program from disk.
Infinite lives, please?
Yes, it was easy to find. You start with three lives, so search for A9 03 8D in memory and you find one that uses $0A33 to store it. Then, we search for CE 33 0A and we find two entries. The right one is at $13EE. Put a 2C or AD at $13EE and you'll become immmmooorrrtttaaalll.
Code:
00/13E2: 20 CA 1A JSR 1ACA
00/13E5: 20 CE 14 JSR 14CE
00/13E8: 20 D7 1D JSR 1DD7
00/13EB: 20 6D 17 JSR 176D
00/13EE: CE 33 0A DEC 0A33 ; lives-- (put AD 33 0A instead)
00/13F1: AD 33 0A LDA 0A33 ; if lives
00/13F4: C9 FF CMP #FF ; <0 then
00/13F6: F0 17 BEQ 140F {+17} ; I'm dead, otherwise
00/13F8: 20 4A 14 JSR 144A ; I'm still alive
00/13FB: A9 00 LDA #00
00/13FD: 8D 1E 09 STA 091E
00/1400: 20 61 15 JSR 1561
00/1403: 20 C2 16 JSR 16C2
00/1406: 20 FC 1C JSR 1CFC
00/1409: 20 F1 16 JSR 16F1
00/140C: 4C 71 11 JMP 1171
00/140F: 20 4D 1C JSR 1C4D
00/1412: A9 30 LDA #30
00/1414: 8D 1B 09 STA 091B
00/1417: EE D0 94 INC 94D0
The disk image is available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
6/2019
Last edited by toinet on Sat 29 Jun 2019, 21:39; edited 3 times
toinet Site Admin
Joined: 15 Jun 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Thu 27 Jun 2019, 22:41
The original boot 1 code at T0/S0
Code:
*
* Gold Rush
*
* (c) 1982, Sentient Software
* (k) 2019, LoGo
         mx %11
         org $0800
         lst off
*----------------------------
TXTCLR   EQU $C050
MIXCLR   EQU $C052
TXTPAGE1 EQU $C054
HIRES    EQU $C057
*----------------------------
L0800    HEX 01
         STA TXTPAGE1
         STA TXTCLR
         STA MIXCLR
         STA HIRES
         LDA #$20 ; clear HGR1
         STA $01
         LDY #$00
         STY $00
L0815    TYA
L0816    STA ($00),Y
         INY
         BNE L0816
         INC $01
         LDA $01
         AND #$1F
         BNE L0815
L0823    LDA #$00 ; load at $0400
         STA $02
         LDA #$04
         STA $03
         LDX $2B
L082D    LDA $C08C,X ; DADEB5
         BPL L082D
         CMP #$DA
         BNE L082D
L0836    LDA $C08C,X
         BPL L0836
         CMP #$DE
         BNE L082D
L083F    LDA $C08C,X
         BPL L083F
         CMP #$B5
         BNE L082D
L0848    LDA $C08C,X ; first 4*4 nibble
         BPL L0848
         SEC
         ROL
         STA $00
L0851    LDA $C08C,X ; second 4*4 nibble
         BPL L0851
         AND $00
         STA ($02),Y
         INY
         BNE L0848
         INC $03
         LDA $03
         CMP #$08 ; load until $0800
         BNE L0848
         JMP $0400 ; jump to next stage
*----------------------------
         LDX #$05 ; not used here
         LDY #$00 ; but it checksums
         TYA ; the boot code
L086D    EOR $0400,Y
         INY
         BNE L086D
         INC L086D+2
         DEX
         BNE L086D
         CMP #$E0
         BNE L0823
         JMP $0400
         DS $80
toinet Site Admin
Joined: 15 Jun 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Thu 27 Jun 2019, 22:42
Boot 2 code that loads the game into memory
Code:
*
* Gold Rush
*
* (c) 1982, Sentient Software
* (k) 2019, LoGo
         mx %11
         org $0400
         lst off
*----------------------------
SOFTEV   EQU $03F2
PWREDUP  EQU $03F4
NMILOC   EQU $03FB
IRQLOC   EQU $03FE
SPKR     EQU $C030
RDBANK2  EQU $C080
ROMIN2   EQU $C081
INIT     EQU $FB2F
HOME     EQU $FC58
SETKBD   EQU $FE89
SETVID   EQU $FE93
RESETV   EQU $FFFC
*----------------------------
L0400    CLD
L0401    LDX #$FF
         TXS
         LDX $2B
         STX $02FF
         JSR SETKBD
         JSR SETVID
         LDY #$00 ; copy reboot routine
L0411    LDA L067A,Y
         CMP #$EE
         BEQ L041E
         STA $0200,Y
         INY
         BNE L0411
L041E    LDA ROMIN2 ; clear ROM
         LDA ROMIN2
         LDY #$00
         STY $00
         LDA #$D0
         STA $01
         LDA #$00
L042E    STA ($00),Y
         INY
         BNE L042E
         INC $01
         BNE L042E
         LDY #$00 ; clear monitor ROM
         LDA #$F8
         STA $01
         STY $00
L043F    LDA ($00),Y
         STA ($00),Y
         INY
         BNE L043F
         INC $01
         BNE L043F
         LDA #$00 ; all vectors belong to $0200
         STA RESETV
         LDA #$02
         STA RESETV+1
         LDA RDBANK2
         LDA #$00
         STA SOFTEV
         LDA #$02
         STA SOFTEV+1
         EOR #$A5
         STA PWREDUP
         LDA #$4C
         STA NMILOC
         LDA #$00
         STA NMILOC+1
         STA IRQLOC
         LDA $02FF ; slot*16
         LSR
         LSR
         LSR
         LSR
         CLC
         ADC #$C0
         STA NMILOC+2
         STA IRQLOC+1
         LDA #$00
         STA $1A ; load index
         STA $19
         STA $04 ; number of passes
L048B    LDY $1A
         LDA L05DF,Y ; get phase to go
         LDX $02FF
         JSR L055E ; move arm
         LDY $1A
         LDA L0620,Y ; load address in RAM
         STA $01
         LDA #$00
         STA $00
         LDA L063E,Y ; end load address in RAM
         STA $03
         LDY #$00
         JSR L04EA ; load data
         INC $1A ; next phase
         LDY $1A
         LDA L05DF,Y ; get phase to go
         LDX $02FF
         JSR L055E ; move arm
         LDY $1A
         LDA L0620,Y ; load address in RAM
         STA $01
         LDA #$00
         STA $00
         LDA L063E,Y ; end load address in RAM
         STA $03
         LDY #$00
         LDA #$B6 ; change 3rd marker
         STA L0503+1
         JSR L04EA ; load data
         LDA #$B5 ; restore 3rd marker
         STA L0503+1
         INC $1A ; next phase
         INC $04 ; next pass
         LDA $04
         CMP #$0F
         BNE L048B
         LDX $02FF ; drive motor off
         LDA $C088,X
         JMP $0B00 ; jump to game
L04EA    LDY #$00
L04EC    LDA $C08C,X ; DDAAB5
         BPL L04EC
         CMP #$DD
         BNE L04EC
L04F5    LDA $C08C,X
         BPL L04F5
         CMP #$AA
         BNE L04EC
L04FE    LDA $C08C,X
         BPL L04FE
L0503    CMP #$B5
         BNE L04EC
L0507    LDA $C08C,X
         BPL L0507
         SEC
         ROL
         STA $02
L0510    LDA $C08C,X
         BPL L0510
         AND $02
         STA ($00),Y
         INY
         BNE L0507
         INC $01
         LDA $01
         CMP $03
         BNE L0507
*----------------------------
* Data is loaded - Calc checksum
         LDY $1A
         LDA L0620,Y ; load address
         STA L0536+2
         LDA #$00
         STA L0536+1
         LDX #$05 ; 5 pages
         LDY #$00
         TYA
L0536    EOR $0800
         INC L0536+1
         INY
         BNE L0536
         INC L0536+2
         DEX
         BNE L0536
         LDY $1A
         CMP L065C,Y ; checksum table
         BNE L054D ; not good, retry
         RTS
L054D    LDX $02FF ; reload data please
         LDY $1A
         LDA L0620,Y
         STA $01
         LDA #$00
         STA $00
         JMP L04EA
*----------------------------
* Move arm
L055E    STX $18 ; move arm by phase
         STA $17 ; or half-track
         CMP $19 ; the only diff with the DOS 3.3
         BEQ L05B5 ; move arm routine is the lack
         LDA #$00 ; of the ASL on entry
         STA $15
L056A    LDA $19
         STA $16
         SEC
         SBC $17
         BEQ L05A4
         BCS L057B
         EOR #$FF
         INC $19
         BCC L057F
L057B    ADC #$FE
         DEC $19
L057F    CMP $15
         BCC L0585
         LDA $15
L0585    CMP #$0C
         BCS L058A
         TAY
L058A    SEC
         JSR L05A8
         LDA L05C7,Y
         JSR L05B6
         LDA $16
         CLC
         JSR L05AA
         LDA L05D3,Y
         JSR L05B6
         INC $15
         BNE L056A
L05A4    JSR L05B6
         CLC
L05A8    LDA $19
L05AA    AND #$03
         ROL
         ORA $18
         TAX
         LDA $C080,X
         LDX $18
L05B5    RTS
L05B6    LDX #$11
L05B8    DEX
         BNE L05B8
         INC $11
         BNE L05C1
         INC $12
L05C1    SEC
         SBC #$01
         BNE L05B6
         RTS
*----------------------------
* Wait for move arm
L05C7    HEX 01302824201E1D1C1C1C1C1C
L05D3    HEX 702C26221F1E1D1C1C1C1C1C
*----------------------------
* Phase list - only half is used
L05DF    HEX 02030405060708090A0B0C0D0E0F1011
         HEX 12131415161718191A1B1C1D1E1F2021
         HEX 22232425262728292A2B2C2D2E2F3031
         HEX 32333435363738393A3B3C3D3E3F4041
         HEX 42
*----------------------------
* Load address
L0620    HEX 080D12171C21262B30353A3F44494E53
         HEX 585D62676C71767B80858A8F9499
*----------------------------
* End load address
L063E    HEX 0D12171C21262B30353A3F44494E5358
         HEX 5D62676C71767B80858A8F94999E
* $0D - $08 - 1 = $05
* We can determine that 5 pages of 512 nibbles are loaded from disk
* per phase, that means 5 pages of 256 bytes.
*----------------------------
* Checksum list
L065C    HEX 13F3F2B5211713247A480269587F5A75
         HEX 7931F05F7F1E00BA0BFC3EF9EC00
*----------------------------
L067A    LDA SPKR ; the reboot routine
         LDX #$FF ; it is copied at $0200
L067F    TXA
         TAY
L0681    DEY
         BNE L0681
         LDA SPKR
         DEX
         BNE L067F
         JSR INIT
         JSR HOME
         LDA #$C4
         STA L0400
         LDA #$CC
         STA L0401
         LDX #$B8
         LDY #$00
         LDA #$08
         STA $01
         STY $00
         TYA
L06A5    STA ($00),Y
         INY
         BNE L06A5
         INC $01
         DEX
         BNE L06A5
         LDA $02FF
         LSR
         LSR
         LSR
         LSR
         CLC
         ADC #$C0
         STA $01
         AND #$00
         STA $00
         JMP ($0000)
         DB $EE
         DB $EE
         DS $13C
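As an added example (not code from the original posts, the game, or the disk image), here is a Python model of the scheme described in the first post's "Protection type" and "Disk structure" sections and in the boot 2 listing: the DADEB5/DADEB6 phase header, 4*4 nibble pairs decoded exactly the way L0848 and L0507 do it (SEC; ROL on the first nibble, AND with the second), and the EOR checksum boot 2 computes at L0536 over the 5 loaded pages. The sample stream is constructed for the example and is not taken from the disk.

```python
PAGES_PER_PHASE = 5   # 5 sectors per half-track (phase)
PAGE_SIZE = 256       # 512 nibbles on disk -> 256 bytes in RAM

def header_for_phase(phase: int) -> bytes:
    """DA DE B5 on even phases, DA DE B6 on odd ones (boot 2 patches L0503+1)."""
    return b"\xDA\xDE" + (b"\xB5" if phase % 2 == 0 else b"\xB6")

def encode_44(data: bytes) -> bytes:
    """Write side of the scheme: each byte becomes two nibbles that both
    have bit 7 set, so the loader's BPL spin loop accepts them."""
    out = bytearray()
    for b in data:
        out.append(((b >> 1) & 0x55) | 0xAA)   # odd bits of b, shifted down
        out.append((b & 0x55) | 0xAA)          # even bits of b
    return bytes(out)

def decode_44(first: int, second: int) -> int:
    """Read side, as L0848/L0507 do it: SEC; ROL the first nibble, AND the second."""
    return ((first << 1) | 1) & 0xFF & second

def phase_checksum(data: bytes) -> int:
    """Boot 2's check at L0536: start from 0 and EOR every loaded byte."""
    c = 0
    for b in data:
        c ^= b
    return c

def read_phase(stream: bytes, phase: int) -> bytes:
    """Sync on this phase's header, then decode 5 pages of nibble pairs.
    Raises ValueError when the header is absent or the data is short."""
    hdr = header_for_phase(phase)
    pos = stream.find(hdr)
    if pos < 0:
        raise ValueError("header %s not found" % hdr.hex())
    pos += len(hdr)
    needed = PAGES_PER_PHASE * PAGE_SIZE * 2
    nibbles = stream[pos:pos + needed]
    if len(nibbles) < needed:
        raise ValueError("short phase data")
    return bytes(decode_44(nibbles[i], nibbles[i + 1]) for i in range(0, needed, 2))

# Constructed sample (added example, not disk data): one fake phase-0 payload
# written as the disk would carry it, preceded by a run of self-sync $FF bytes.
SAMPLE_DATA = bytes((i * 37 + 11) & 0xFF for i in range(PAGES_PER_PHASE * PAGE_SIZE))
SAMPLE_STREAM = b"\xFF" * 16 + header_for_phase(0) + encode_44(SAMPLE_DATA)

def demo() -> bool:
    """Load the sample phase the way boot 2 would and verify its checksum."""
    loaded = read_phase(SAMPLE_STREAM, 0)
    return loaded == SAMPLE_DATA and phase_checksum(loaded) == phase_checksum(SAMPLE_DATA)
```

Note that $DA cannot occur as a 4*4 nibble (its bit 5 is clear), which is what lets the loader sync on the header without confusing it with data.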