:: Voir le sujet - Accolade Comics (Accolade, 1987)


IDENTIFICATION SERVEUR : 51.83.8.70 - CLIENT : 3.233.221.149

FAQ

Rechercher

Liste des Membres

Groupes d'utilisateurs

S'enregistrer

Profil

Se connecter pour vérifier ses messages privés

Connexion

Accolade Comics (Accolade, 1987)

Index du Forum -> PROTECTION MALEFIQUE

Voir le sujet précédent :: Voir le sujet suivant

Auteur

Message

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:11 Sujet du message: Accolade Comics (Accolade, 1987)

#1005 - An interesting game where you play a detective and must take decisions to solve a case. All is displayed with comic strips. Pretty nice.

Disk structure
There are 6 16-sec sides and the first one has an uncopiable track (T22).

Protection type
As I wrote above, the last track of side A is not copiable. An analysis with the nibble editor of Copy II Plus shows an empty track, with 6x2 encoded nibbles, all 96. Standard header and data values: D5AA96/DEAA, D5AAAD/DEAA) but what is interesting is that the track info in the header field shows the same values for T21 and T22, ie. BA AB, the 4*4 value for $21. T22 should have contained BB AA, the 4*4 value for $22.

It looks like the fat track used in Electronic Arts titles but it is simpler in the sense that T22 here can we written with a standard Disk II drive.

How to copy
Use Locksmith Fast Disk Backup from my copy disk and copy side A. We don't care about T22 as the nibble analysis has shown that the track is empty, 16 sectors full of 0s.

Now, boot the copied disk, let the demo begin and you'll get stuck during the title animation. So, there's a check somewhere.

How to crack
Using Disk Fixer, perform the following changes on side A to get a bootable disk. The complete analysis will be in the other messages in that thread.

Code:

First protection check ends with
A2 E1 A0 EA 4C 06 08
T5/S2/68:1E -> 06
T5/S2/77:0F -> 00

Second protection check ends with
A2 F3 A0 F5 4C 06 08
T5/S3/1E:1E -> 06
T5/S3/26:D0 -> F0

Third protection check ends with
A2 F3 A0 F5 4C 06 08
T5/S0/AF:1E -> 06
T5/S0/B7:D0 -> F0

The disk image is available at http://www.brutaldeluxe.fr/crack/

Reboot and... enjoy,
LoGo
6/2019

Dernière édition par toinet le Ven 05 Juil 2019, 20:44; édité 1 fois

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:16 Sujet du message:

The disassembly of the different protection checks (one during the title animation, two at game start but using the same protection check as the title animation one)

Code:

1ST PROTECTION CHECK BEFORE
----------- DISASSEMBLY MODE -----------
0063:A2 E1 LDX #$E1
0065:A0 EA LDY #$EA
0067:20 1E 08 JSR $081E ; execute
006A:AD 70 02 LDA $0270
006D:08 PHP
006E:A2 E1 LDX #$E1
0070:A0 EA LDY #$EA
0072:20 06 08 JSR $0806
0075:28 PLP
0076:D0 0F BNE $0087 ; branch on copy
0078:68 PLA
0079:8D 79 20 STA $2079
007C:68 PLA
007D:8D 7A 20 STA $207A
0080:A2 F5 LDX #$F5
0082:A0 D0 LDY #$D0
0084:4C 06 08 JMP $0806
0087:A2 F5 LDX #$F5
0089:A0 D0 LDY #$D0
008B:20 06 08 JSR $0806
008E:20 FD 08 JSR $08FD
0091:A2 D1 LDX #$D1
0093:A0 A1 LDY #$A1

1ST PROTECTION CHECK AFTER
----------- DISASSEMBLY MODE -----------
0063:A2 E1 LDX #$E1
0065:A0 EA LDY #$EA
0067:20 06 08 JSR $0806 ; unpack
006A:AD 70 02 LDA $0270
006D:08 PHP
006E:A2 E1 LDX #$E1
0070:A0 EA LDY #$EA
0072:20 06 08 JSR $0806
0075:28 PLP
0076:D0 00 BNE $0078 ; always branch
0078:68 PLA
0079:8D 79 20 STA $2079
007C:68 PLA
007D:8D 7A 20 STA $207A
0080:A2 F5 LDX #$F5
0082:A0 D0 LDY #$D0
0084:4C 06 08 JMP $0806
0087:A2 F5 LDX #$F5
0089:A0 D0 LDY #$D0
008B:20 06 08 JSR $0806
008E:20 FD 08 JSR $08FD
0091:A2 D1 LDX #$D1
0093:A0 A1 LDY #$A1

2ND PROTECTION CHECK BEFORE
----------- DISASSEMBLY MODE -----------
0019:A2 F3 LDX #$F3
001B:A0 F5 LDY #$F5
001D:20 1E 08 JSR $081E ; execute
0020:EE 1F 1F INC $1F1F
0023:AD 1F 1F LDA $1F1F
0026:D0 0A BNE $0032 ; branch on original
0028:AD 1F 1F LDA $1F1F
002B:0D 1E 1F ORA $1F1E
002E:C9 F1 CMP #$F1
0030:D0 A7 BNE $FFD9
0032:A2 E6 LDX #$E6
0034:A0 E7 LDY #$E7
0036:20 06 08 JSR $0806
0039:60 RTS
003A:A2 08 LDX #$08
003C:2A ROL
003D:66 FF ROR $FF
003F:CA DEX
0040:D0 FA BNE $003C
0042:A5 FF LDA $FF
0044:60 RTS

2ND PROTECTION CHECK AFTER
----------- DISASSEMBLY MODE -----------
0019:A2 F3 LDX #$F3
001B:A0 F5 LDY #$F5
001D:20 06 08 JSR $0806 ; unpack
0020:EE 1F 1F INC $1F1F
0023:AD 1F 1F LDA $1F1F
0026:F0 0A BEQ $0032 ; branch always
0028:AD 1F 1F LDA $1F1F
002B:0D 1E 1F ORA $1F1E
002E:C9 F1 CMP #$F1
0030:D0 A7 BNE $FFD9
0032:A2 E6 LDX #$E6
0034:A0 E7 LDY #$E7
0036:20 06 08 JSR $0806
0039:60 RTS
003A:A2 08 LDX #$08
003C:2A ROL
003D:66 FF ROR $FF
003F:CA DEX
0040:D0 FA BNE $003C
0042:A5 FF LDA $FF
0044:60 RTS

3RD PROTECTION CHECK BEFORE
----------- DISASSEMBLY MODE -----------
00AA:A2 F3 LDX #$F3
00AC:A0 F5 LDY #$F5
00AE:20 1E 08 JSR $081E ; execute
00B1:EE 1F 1F INC $1F1F
00B4:AD 1F 1F LDA $1F1F
00B7:D0 0A BNE $00C3 ; branch on original
00B9:AD 1F 1F LDA $1F1F
00BC:0D 1E 1F ORA $1F1E
00BF:C9 F1 CMP #$F1
00C1:D0 9D BNE $0060
00C3:A2 E6 LDX #$E6
00C5:A0 E7 LDY #$E7
00C7:20 06 08 JSR $0806
00CA:60 RTS

3RD PROTECTION CHECK AFTER
----------- DISASSEMBLY MODE -----------
00AA:A2 F3 LDX #$F3
00AC:A0 F5 LDY #$F5
00AE:20 06 08 JSR $0806 ; unpack
00B1:EE 1F 1F INC $1F1F
00B4:AD 1F 1F LDA $1F1F
00B7:F0 0A BEQ $00C3 ; branch always
00B9:AD 1F 1F LDA $1F1F
00BC:0D 1E 1F ORA $1F1E
00BF:C9 F1 CMP #$F1
00C1:D0 9D BNE $0060
00C3:A2 E6 LDX #$E6
00C5:A0 E7 LDY #$E7
00C7:20 06 08 JSR $0806
00CA:60 RTS

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:17 Sujet du message:

I kept digging on the game data to understand how the catalog was built. I found out a long list of titles that matched the X/Y values passed to codes in page 8 (we'll see those later on)

Code:

----------------------------------------
Ty X Y -Len- Tr Se ??
----------------------------------------
$00: 0E 00 01 00 01 03 00 00 N@A@AC@@ ; catalog
$08: 0E 00 02 00 01 03 01 00 N@B@ACA@ ; catalog
$10: 0E 00 03 00 01 03 02 00 N@C@ACB@ ; catalog
$18: 0E 00 04 00 01 03 03 00 N@D@ACC@ ; catalog
$20: 02 53 47 00 01 03 0F 00 BSG@ACO@ ;
$28: 3F 84 86 00 20 21 00 00 ?..@ !@@ ; protection
$30: 03 AA B1 EC 00 05 08 F1 C*1,@EH1 ;
$38: 03 AA B2 62 01 05 09 DD C*2"AEI]
$40: 03 AA B3 5E 02 05 0B 3F C*3^BEK?
$48: 03 AA B4 D8 00 05 0D 9D C*4X@EM.
$50: 03 AA B5 CE 01 05 0E 75 C*5NAEN5
$58: 03 AA B6 FE 02 06 00 43 C*6>BF@C
$60: 03 AA B7 51 00 03 05 F1 C*7Q@CE1
$68: 03 AA B8 F5 01 06 03 41 C*85AFCA
$70: 03 AA B9 B9 01 06 05 36 C*99AFE6
$78: 03 AA C1 13 02 06 06 EF C*ASBFF/
$80: 03 AA C2 7E 00 06 09 02 C*B>@FIB
$88: 1C B4 B0 FF 02 0C 05 BE \40?BLE>
$90: 1C B4 B1 D1 04 0E 03 94 \41QDNC.
$98: 1C B4 B2 73 03 0E 08 6A \423CNH*
$A0: 1C B4 B3 77 05 1E 07 ED \437E^G-
$A8: 1C B4 B4 B7 06 08 0C D9 \447FHLY
$B0: 1C B4 B5 92 00 09 03 90 \45.@IC.
$B8: 1C B4 B6 E9 04 09 04 22 \46)DID"
$C0: 1C B4 B7 2B 04 0E 0F 9A \47+DNO.
$C8: 1C B4 B8 C0 04 0F 05 54 \48@DOET
$D0: 1C B4 B9 E9 05 0F 0A 14 \49)EOJT
$D8: 1C B5 B1 D9 04 0B 04 17 \51YDKDW
$E0: 1C B5 B2 44 05 12 08 68 \52DERH(
$E8: 1C B5 B3 AD 03 12 0D AC \53-CRM,
$F0: 1C B5 B4 0D 03 13 01 59 \54MCSAY
$F8: 1C B5 B5 20 03 13 04 66 \55 CSD&
$00: 1C B5 B6 F5 03 13 07 86 \565CSG.
$08: 1C B5 B7 51 03 13 0B 7B \57QCSK;
$10: 1C B5 B8 87 07 13 0E CC \58.GSNL
$18: 1C B5 B9 29 05 14 06 53 \59)ETFS
$20: 1C B6 B0 88 04 14 0B 7C \60.DTK<
$28: 1C B6 B1 31 03 0A 09 1D \611CJI]
$30: 1C B6 B2 AE 02 07 04 79 \62.BGD9
$38: 1C B6 B3 CB 04 07 07 27 \63KDGG'
$40: 1C B6 C1 7C 04 03 06 42 \6A<DCFB
$48: 1C B7 C1 2A 03 03 0A BE \7A*CCJ>
$50: 1C B8 C1 1F 04 04 00 00 \8A_DD@@
$58: 1C B9 C1 2D 04 04 04 1F \9A-DDD_
$60: 0C C1 EE 17 10 1A 02 34 LA.WPZB4
$68: 0F C2 D1 83 14 0C 08 BD OBQ.TLH=
$70: 0C C2 E1 78 04 12 00 00 LB!8DR@@
$78: 0F C4 C4 AA 15 1E 0D 64 ODD*U^M$
$80: 0F C4 D4 18 02 0A 0E 95 ODTXBJN.
$88: 09 C8 F3 6A 03 0B 00 AD IH3*CK@-
$90: 1C CE B0 64 03 0F 0F FD \N0$COO=
$98: 1C CE B1 0D 05 15 00 04 \N1MEU@D
$A0: 1C CE B2 BD 03 0E 0B DD \N2=CNK]
$A8: 1C CE B3 CB 04 15 08 CD \N3KDUHM
$B0: 1C CE B4 5F 04 08 00 59 \N4_DH@Y
$B8: 1C CE B5 8C 05 0B 0E B6 \N5.EKN6
$C0: 1C CE B6 54 06 0D 0D 40 \N6TFMM@
$C8: 1C CE B7 F7 04 11 04 95 \N77DQD.
$D0: 1C CE B8 67 03 16 02 8F \N8'CVB.
$D8: 1C CE B9 E2 02 0B 0B D4 \N9"BKKT
$E0: 1C CE C1 CF 02 0A 05 B4 \NAOBJE4
$E8: 1C CE C2 EC 04 11 09 8C \NB,DQI.
$F0: 1C CE C3 D3 03 17 00 95 \NCSCW@.
$F8: 1C CE C4 81 06 17 04 68 \ND.FWD(
$00: 1C CE C5 E4 02 0B 08 F0 \NE$BKH0
$08: 1C CE C6 4E 05 17 0A E9 \NFNEWJ)
$10: 1C D0 D6 73 0A 10 03 61 \PV3JPC!
$18: 07 D1 A1 76 03 06 09 80 GQ!6CFI.
$20: 07 D2 A1 7E 02 09 0F 2B GR!>BIO+
$28: 0C D4 E1 53 06 08 06 4C LT!SFHFL
$30: 09 D4 F0 4D 00 05 00 DD IT0M@E@]
$38: 1C D7 C9 06 08 04 08 4C \WIFHDHL
$40: 1C D7 CA B9 01 06 0F C1 \WJ9AFOA
$48: 1C D7 CB 54 06 19 0B E0 \WKTFYK`
$50: 1C D8 B0 02 04 18 03 6B \X0BDXC+
$58: 1C D8 B1 64 06 18 07 6D \X1$FXG-
$60: 1C D8 B2 EC 07 18 0D D1 \X2,GXMQ
$68: 1C D8 B3 B6 04 15 0D 98 \X36DUM.
$70: 09 E1 EA 67 03 0A 02 4D I!*'CJBM
$78: 09 E1 ED 9A 0A 1D 04 BD I!-.J]D=
$80: 09 E2 F4 41 01 05 06 F8 I"4AAEF8
$88: 09 E3 EA 85 00 06 0E 62 I#*.@FN"
$90: 09 E3 F4 AC 01 05 03 52 I#4,AECR
$98: 09 E4 D0 B6 01 07 01 7A I$P6AGA:
$A0: 09 E4 EC CD 00 03 0D E8 I$,M@CM(
$A8: 09 E6 E7 8B 00 05 00 52 I&'.@E@R
$B0: 09 E6 F3 37 03 10 0D D4 I&37CPMT
$B8: 0F E8 D0 A2 06 16 05 F6 O(P"FVE6
$C0: 09 E9 E9 7D 00 05 05 DC I))=@EE\
$C8: 09 E9 F0 68 01 06 0C FA I)0(AFL:
$D0: 09 EC F6 A4 00 07 03 D5 I,6$@GCU
$D8: 09 ED F6 A5 00 07 03 30 I-6%@GC0
$E0: 0C F0 F4 A5 0E 1C 02 97 L04%N\B.
$E8: 0C F0 F7 4C 10 1B 02 4B L07LP[BK
$F0: 09 F2 E2 96 08 1D 0F 57 I2".H]OW
$F8: 09 F2 F2 9F 00 05 06 59 I22.@EFY
$00: 09 F3 C7 D2 00 05 01 52 I3GR@EAR
$08: 09 F3 D2 7B 01 03 04 76 I3R;ACD6
$10: 09 F3 F1 F6 06 20 03 0E I316F CN
$18: 09 F3 F5 67 03 07 0C F2 I35'CGL2
$20: 09 F5 D0 7B 00 05 02 24 I5P;@EB$
$28: 09 F5 EC 76 01 0A 0C 4E I5,6AJLN
$30: 09 F5 F0 8B 01 08 04 C1 I50.AHDA
$38: 09 F5 F3 DA 00 06 0E E7 I53Z@FN'
$40: 00 00 00 00 00 00 00 00 @@@@@@@@
$48: 00 00 00 00 00 00 00 00 @@@@@@@@
$50: 00 00 00 00 00 00 00 00 @@@@@@@@
$58: 00 00 00 00 00 00 00 00 @@@@@@@@
$60: 00 00 00 00 00 00 00 00 @@@@@@@@
$68: 00 00 00 00 00 00 00 00 @@@@@@@@
$70: 00 00 00 00 00 00 00 00 @@@@@@@@
$78: 00 00 00 00 00 00 00 00 @@@@@@@@
----------------------------------------

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:19 Sujet du message:

The boot trace helped me in identifying the RWTS, how sectors were loaded and where:

Code:

28C THAT IS A RWTS...
28D SLOT*16
290 TRACK    02
291 SECTOR-1 $3D 09 0A 10 10
294 RAM_L $26 30    30    00
295 RAM_H-1 $27 C0 21 7A 74 15
296
297 NB_SEC-1    08 01 06 14 0C
298 COMMAND    01    (1) (2) (3)

(1) $2000 moveD to $0300
(2) reads through RWTS
(3) reads through RWTS and jumps to $300

T/S are both read in descending order
Standard interleaving order

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22
00 02 08 64
01 B8 09 65
02 B9 0A 66
03 BA 0B 67
04 BB 0C 68
05 BC 0D 69
06 BD 0E 6A
07 BE 0F 6B
08 BF 10 6C
09 20 11 6D
0A 74 12 6E
0B 75 13 6F
0C 76 60 70
0D 77 61 71
0E 78 62 72
0F 79 63 73

----------- DISASSEMBLY MODE -----------
0300:A9 00 LDA #$00
0302:20 93 FE JSR $FE93
0305:20 89 FE JSR $FE89
0308:A2 02 LDX #$02
030A:BD 83 03 LDA $0383,X
030D:9D F2 03 STA $03F2,X
0310:CA DEX
0311:10 F7 BPL $030A
0313:2C 83 C0 BIT $C083
0316:2C 83 C0 BIT $C083
0319:20 15 08 JSR $0815
031C:A2 61 LDX #$61
031E:A0 6D LDY #$6D
0320:20 06 08 JSR $0806
0323:A9 16 LDA #$16
0325:48 PHA
0326:A8 TAY
0327:B9 6A 03 LDA $036A,Y
032A:AA TAX
032B:B9 6B 03 LDA $036B,Y
032E:A8 TAY
032F:20 00 08 JSR $0800
0332:68 PLA

2C 0 CHECKSUM
2D 1 SECTOR
2E 2 TRACK
2F 3 VOLUME

------------- DISK SEARCH --------------

$08/$0E-$2F $11/$0F-$71 $13/$0E-$E2
$14/$06-$E5

A18 FOR COMMAND
CHECK CODE AT $1295 WHICH SETS PARAMS FOR THE RWTS
CALLED AT T1/S8/CF, ADDRESS IS $10CF
WHICH IS CALLED AT
1/0/1B -> 081B
1/4/2D -> RWTS AT $0A4C
1/4/D5 -> RWTS AT $0A52
1/4/E3 -> RWTS AT $0A4C

BEFORE IT CRASHES $4..$5 IS SET TO $955A
955A 0    TRACK
955B 1    SECTOR
955C 2    RAML
955D 3    RALH
955E 4    NB_SEC
955F 5    COMMAND

WHICH IS T6/SB AT $12E0

10/D @ 13E0
10/F @ F388
10/E @ F288
11/1 @ 13E0
1B/2 @ 13E0
1C/0 @ EFC5
1B/F @ EEC5
1B/E @ EDC5
1B/D @ ECC5
1B/C @ EBC5
1B/B @ EAC5
1B/A @ E9C5
1B/9 @ E8C5
1B/8 @ E7C5
1B/7 @ E6C5
1B/6 @ E5C5
1B/5 @ E4C5
1B/4 @ E3C5
1B/3 @ E2C5
1C/2 @ 13E0
1D/0 @ EA20
1C/F @ E920
L

The Flaming Bird Disassembler Written by Ferox - (c) 1994 Phoenix corporation
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
00/0300: A900 L0300 LDA #$00
00/0302: 2093FE JSR SETVID
00/0305: 2089FE JSR SETKBD
00/0308: A202 LDX #$02
00/030A: BD8303 L030A LDA L0383,X
00/030D: 9DF203 STA $03F2,X
00/0310: CA DEX
00/0311: 10F7 BPL L030A
00/0313: 2C83C0 BIT LCBANK2
00/0316: 2C83C0 BIT LCBANK2
00/0319: 201508 JSR $0815
00/031C: A261 LDX #$61
00/031E: A06D LDY #$6D
00/0320: 200608 JSR $0806
00/0323: A916 LDA #$16
00/0325: 48 L0325 PHA
00/0326: A8 TAY
00/0327: B96A03 LDA L036A,Y
00/032A: AA TAX
00/032B: B96B03 LDA L036A+1,Y
00/032E: A8 TAY
00/032F: 200008 JSR $0800
00/0332: 68 PLA
00/0333: 38 SEC
00/0334: E902 SBC #$02
00/0336: 10ED BPL L0325
00/0338: A9A0 LDA #$A0
00/033A: 48 PHA
00/033B: A902 LDA #$02
00/033D: 48 PHA
00/033E: A97C LDA #$7C
00/0340: 48 PHA
00/0341: A903 LDA #$03
00/0343: 48 PHA
00/0344: A2E3 LDX #$E3
00/0346: A0EA LDY #$EA
00/0348: 201E08 JSR $081E
00/034B: A2E3 LDX #$E3
00/034D: A0EA LDY #$EA
00/034F: 200608 JSR $0806
00/0352: A900 LDA #$00
00/0354: 48 PHA
00/0355: 208603 JSR L0386
00/0358: A9D1 LDA #$D1
00/035A: 48 PHA
00/035B: A9A1 LDA #$A1
00/035D: 48 PHA
00/035E: A901 LDA #$01
00/0360: 48 PHA
00/0361: 208603 JSR L0386
00/0364: 2C81C0 BIT ROMIN2
00/0367: 4C69FF JMP MONZ
00/036A: D1A1 L036A HEX D1A1
00/036C: E3F4 HEX E3F4
00/036E: F3F1 HEX F3F1
00/0370: F5EC HEX F5EC
00/0372: F5F0 HEX F5F0
00/0374: E4D0 HEX E4D0
00/0376: F3D2 HEX F3D2
00/0378: F2F2 HEX F2F2
00/037A: ECF6 HEX ECF6
00/037C: E4EC HEX E4EC
00/037E: E9E9 HEX E9E9
00/0380: EDF6 HEX EDF6
00/0382: 00 DB $00
00/0383: 03E0 L0383 DA $E003
00/0385: 45 DB $45
00/0386: A2F3 L0386 LDX #$F3
00/0388: A0F1 LDY #$F1
00/038A: 4C1E08 JMP $081E

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:24 Sujet du message:

There were numerous calls to page 8, so I had to disassemble the beast and understand what the different calls were doing

Code:

*---------------------------------------------------------*
* Disassembled with The Flaming Bird Disassembler *
* (c) Phoenix corp. 1992,93 - All rights reserved *
*---------------------------------------------------------*

TYP BIN

ORG $000800
MX %11
L0800 JMP L0AF9
L0803 JMP L0AFC
L0806 JMP L10B7
L0809 JMP L10BA
L080C JMP L10BD
L080F JMP L10C0
L0812 JMP L10C3
L0815 JMP L10C6
L0818 JMP L10CC
L081B JMP L10CF
L081E JMP L10D2
L0821 JMP L10D5
L0824 JMP L10D8
L0827 JMP L10DB
L082A JMP L10DE

DB $00
DB $00
DB $00
JMP $6B6D
JMP $6B72
JMP $6BFC
JMP $6C43
JMP $6C74
JMP $6CA4
JMP $6CAD
JMP $76D4
JMP $774A
JMP $6CBF
JMP $6CBB
JMP $6D46
RTS

BRK $00
RTS

BRK $00
RTS

BRK $00
RTS

BRK $00
RTS

BRK $00
JMP $6DA5
JMP $6DD1
RTS

BRK $00
JMP $6E30
RTS

BRK $00
JMP $6D8B
JMP $6FA0
RTS

BRK $00
RTS

BRK $00
JMP $6FBF
JMP $708D
JMP $70C1
JMP $7156
JMP $719F
JMP $71CD
JMP $71FD
JMP $720D
JMP $7212
JMP $721F
JMP $7291
JMP $7270
JMP $73FA
JMP $721B
RTS

BRK $00
RTS

BRK $00
DB $48
DB $29
JMP $7528
JMP $7629
JMP $7692
JMP $774A
JMP $76D4
JMP $77C0
JMP $78E0
JMP $78EB
JMP $792B
JMP $78F8
JMP $7936
JMP $7942
JMP $794E
JMP $7934
JMP $7964

DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
L08FD JMP L0DAB

L0900 DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
L09F9 DB $4C
L09FA DB $F1
L09FB DB $43
L09FC DB $4C
L09FD DB $CB
L09FE DB $11
L09FF DB $4C
L0A00 DB $46

L0A01 DB $12 ; 09
L0A02 DB $4C ; E1
L0A03 DB $47 ; EA
L0A04 DB $12 ; length low
L0A05 DB $4C ; length high
L0A06 DB $48 ; 99
L0A07 DB $12 ; B4

L0A08 DB $4C
L0A09 DB $49
L0A0A DB $12
DB $01
L0A0C DB $01
DB $60
L0A0E DB $01
DB $00
L0A10 DB $12
L0A11 DB $4C
DA L0A1D
L0A14 DA $2F4C
DB $13
DB $4C
L0A18 DB $EE
L0A19 DB $13
L0A1A DB $4C
L0A1B DB $EF
L0A1C DB $13
L0A1D DB $00
DB $01
DB $EF
DB $D8
DB $00
DB $60
DB $01
L0A24 DB $48
L0A25 DB $98
L0A26 DB $48
L0A27 DB $8E
L0A28 DB $2B
L0A29 DB $0A
L0A2A DB $8C
L0A2B DB $2C
L0A2C DB $0A
L0A2D DB $20
L0A2E DB $9B
L0A2F DB $12
L0A30 DB $A9
L0A31 DB $00
L0A32 DB $8D
L0A33 DB $31
L0A34 DB $0A
L0A35 DB $A0
DB $F3
DB $B1
DB $04
DB $C8
L0A3A DB $CD
DB $2B
DB $0A
DB $D0
DB $07
DB $B1
DB $04
L0A41 DB $CD
L0A42 DB $2C
L0A43 DB $0A
DB $0E
DB $00
DB $01
DB $00
DB $01
DB $03
DB $00
DB $00
L0A4C DB $EA
L0A4D DB $A0
L0A4E DB $00
L0A4F DB $B1
DB $01
DB $01
L0A52 DB $C8
L0A53 DB $11
L0A54 DB $04
L0A55 DB $F0
L0A56 DB $0C
DB $01
L0A58 DB $04
L0A59 DB $85
L0A5A DB $05
L0A5B DB $86
L0A5C DB $04
L0A5D DB $EE

L0A5E DB $31 ; final RAM address low ($2004)
L0A5F DB $0A ; final RAM address high

L0A60 DB $4C ; offset low ($0077)
L0A61 DB $03 ; offset high

L0A62 DB $11 ; jump to address low ($9555)
L0A63 DB $38 ; jump to address high

DB $6D
DB $7D
DB $79
DB $2D
DB $3D
DB $39
DB $0E
DB $1E
DB $2C
DB $CD
DB $DD
DB $D9
DB $EC
DB $CC
DB $CE
DB $DE
DB $4D
DB $5D
DB $59
DB $EE
DB $FE
DB $4C
DB $6C
DB $20
DB $AD
DB $BD
DB $B9
DB $AE
DB $BE
DB $AC
DB $BC
DB $4E
DB $5E
DB $0D
DB $1D
DB $19
DB $2E
DB $3E
DB $6E
DB $7E
DB $ED
DB $FD
DB $F9
DB $8D
DB $9D
DB $99
DB $8E
L0A93 DB $8C
DB $0A
DB $18
DB $D8
DB $58
DB $B8
DB $CA
DB $88
DB $E8
DB $C8
DB $40
DB $60
DB $38
DB $F8
DB $78
DB $AA
DB $A8
DB $BA
DB $4A
DB $EA
DB $48
DB $08
DB $68
DB $28
DB $2A
DB $6A
DB $8A
DB $9A
DB $98
L0AB0 DB $00 ; COPIED TO 900
L0AB0+1 DB $00
DB $00
DB $00
DB $0D
DB $A1
DB $B0
DB $F9
DB $00
DB $00
DB $09
DB $01
DB $D3
DB $D3
DB $E7
DB $09
DB $F9
DB $09
DB $01
DB $E7
DB $A1
DB $00
DB $01
DB $00
DB $1F
DB $01
DB $A6
DB $B1
DB $00
DB $20
DB $00
DB $20
DB $01
DB $A6
DB $B2
DB $00
DB $20
DB $00
DB $40
DB $01
DB $D3
DB $D3
DB $28
DB $00
DB $00
DB $60
DB $01
DB $D3
DB $D3
DB $20
DB $1A
DB $30
DB $60
DB $01
DB $D3
DB $D3
DB $28
DB $00
DB $00
DB $80
DB $01
DB $49
DB $4F
DB $00
DB $18
DB $00
DB $B8
DB $00
DB $00
DB $00
DB $00
DB $00
DB $00
L0AF9 JMP L0AFF ; from $0800
L0AFC JMP L0D23

L0AFF LDA $06 ; from $0800
PHA
LDA $07
PHA
TXA
PHA
TYA
PHA
JSR L10BA ; find entry
BCS L0B13
LDA #$00
JMP L0D12 ; exit with no err

L0B13 CPX #$00
BNE L0B28
CPY #$01
BNE L0B28
LDY #$01
LDA #$44
STA $04
LDA #$0A
STA $05
JMP L0B95

L0B28 LDA #$00
STA L0A5B
L0B2D LDA L0A5B
PHA
CLC
ADC #$01
TAY
LDX #$00
JSR L0AFF
PLA
STA L0A5B
BCC L0B43
JMP L0B84

L0B43 PLA
STA L0A26
TAX
PLA
STA L0A25
PHA
TXA
PHA
LDY #$FA
LDA #$01
STA L0A5C
L0B56 LDA ($04),Y
DEY
ORA ($04),Y
BEQ L0B75
INY
SEC
LDA L0A26
SBC ($04),Y
TAX
DEY
LDA L0A25
SBC ($04),Y
BCC L0B75
BNE L0B8A
TXA
BNE L0B8A
JMP L0B95

L0B75 LDA #$00
STA L0A5C
TYA
SEC
SBC #$07
TAY
BCC L0B84
JMP L0B56

L0B84 SEC
LDA #$02
JMP L0D12

L0B8A LDA L0A5C
BEQ L0B84
INC L0A5B
JMP L0B2D

L0B95 INY
INY
LDA ($04),Y
STA L09F9
INY
LDA ($04),Y
STA L09FA
TYA
SEC
SBC #$04
CLC
ADC $04
STA $06
LDA #$00
ADC $05
STA $07
LDA $06
PHA
LDA $07
PHA
JSR L0DA8
PLA
STA $07
PLA
STA $06
BCC L0BC5
JMP L0D12

L0BC5 LDA $06
PHA
LDA $07
PHA
JSR L0DA2
LDA L09FF
STA $04
LDA L0A00
STA $05
PLA
STA $07
PLA
STA $06
LDY #$00
L0BE0 LDA ($06),Y
STA ($04),Y
INY
CPY #$05
BCC L0BE0
LDA L09FD
STA ($04),Y
INY
LDA L09FE
STA ($04),Y
LDA L09FC
BEQ L0BFC
JSR L0DA5
L0BFC LDY #$05
LDA ($06),Y
STA L0A4C
INY
LDA ($06),Y
STA L0A4D
INY
LDA ($06),Y
PHA
LDA L09FD
STA $04
LDA L09FE
STA $05
PLA
STA L0A58
LDA #$00
STA L0A5D
SEC
SBC L0A58
STA L0A59
BEQ L0C73
LDX #$4C
LDY #$0A
JSR L10CF
BCC L0C35
JMP L0D12

L0C35 LDA L0A4E
STA L0C65+1
LDA L0A4F
STA L0C65+2
SEC
LDA $04
SBC L0A58
STA $04
LDA $05
SBC #$00
STA $05
LDY L0A58
LDX L0A59
LDA L09FA
BNE L0C62
CPX L09F9
BCC L0C62
LDX L09F9
L0C62 STX L0A5D
L0C65 LDA L0C65,Y
STA ($04),Y
INY
DEX
BNE L0C65
INC $05
INC L0A4D
L0C73 SEC
LDA L09F9
SBC L0A5D
STA L09F9
LDA L09FA
SBC #$00
STA L09FA
TAY
LDA L0A4D
CMP #$10
AND #$0F
STA L0A53
LDA L0A4C
ADC #$00
STA L0A52
STY L0A56
TYA
CLC
ADC L0A53
PHA
AND #$0F
STA L0A4D
PLA
LSR
LSR
LSR
LSR
CLC
ADC L0A52
STA L0A4C
LDA $04
STA L0A54
LDA $05
STA L0A55
TYA
CLC
ADC $05
STA $05
LDA L09FA
SEC
SBC L0A56
STA L09FA
LDA L0A56
BEQ L0CDA
LDX #$52
LDY #$0A
JSR L10CF
BCS L0D12
L0CDA LDX L09F9
BEQ L0D02
LDX #$4C
LDY #$0A
JSR L10CF
BCS L0D12
LDA L0A4E
STA L0CF9+1
LDA L0A4F
STA L0CF9+2
LDY #$00
LDX L09F9
L0CF9 LDA L0CF9,Y
STA ($04),Y
INY
DEX
BNE L0CF9
L0D02 LDA L09FD
STA $04
LDA L09FE
STA $05
LDA #$00
CLC
JMP L0D12

L0D12 STA L0A5A
PLA
TAY
PLA
TAX
PLA
STA $07
PLA
STA $06
LDA L0A5A
RTS

L0D23 STA L0A27
STX L0A28
STY L0A29
PLA
TAX
PLA
TAY
PLA
STA L09FA
PLA
STA L09F9
TYA
PHA
TXA
PHA
LDX L0A28
LDY L0A29
JSR L10BA
BCS L0D4A
SEC
BCS L0DA1
L0D4A JSR L0DA8
BCS L0DA1
JSR L0DA2
LDA L09FF
STA $04
LDA L0A00
STA $05
LDY #$02
LDA L0A29
STA ($04),Y
DEY
LDA L0A28
STA ($04),Y
DEY
LDA #$02
STA ($04),Y
LDY #$03
LDA L09F9
STA ($04),Y
INY
LDA L09FA
STA ($04),Y
INY
LDA L09FD
PHA
STA ($04),Y
LDA L09FE
INY
STA ($04),Y
PHA
CLC
LDA L09FC
BEQ L0D92
JSR L0DA5
L0D92 PLA
STA $05
PLA
STA $04
LDX L0A28
LDY L0A29
LDA L0A27
L0DA1 RTS
L0DA2 JMP L0DAE
L0DA5 JMP L0EB3
L0DA8 JMP L0F73
L0DAB JMP L10AE

L0DAE LDA $06
PHA
LDA $07
PHA
LDA #$00
STA L09FC
JSR L10C9
LDA #$00
STA L0A31
L0DC1 LDY #$F3
L0DC3 LDA ($04),Y
INY
ORA ($04),Y
BNE L0DD8
TYA
TAX
SEC
SBC #$08
TAY
BCS L0DC3
LDY #$04
CLC
JMP L0E16

L0DD8 SEC
INY
INY
INY
LDA ($04),Y
SBC L09FD
INY
LDA ($04),Y
SBC L09FE
BCS L0E0C
CPY #$F2
BCS L0DF2
INY
CLC
JMP L0E16

L0DF2 LDY #$00
LDA ($04),Y
INY
ORA ($04),Y
BNE L0DFC
DB $00
L0DFC LDA ($04),Y
TAX
DEY
LDA ($04),Y
STA $04
STX $05
INC L0A31
JMP L0DC1

L0E0C TYA
SEC
SBC #$0C
TAY
BCS L0DC3
LDY #$04
CLC
L0E16 STY L0A32
BCS L0E29
TYA
CLC
ADC $04
STA L09FF
LDA #$00
ADC $05
STA L0A00
L0E29 LDY #$F2
LDX #$00
L0E2D LDA ($04),Y
STA L0A33,X
INY
INX
CPX #$07
BNE L0E2D
LDA $04
CLC
ADC #$07
STA $06
LDA $05
ADC #$00
STA $07
LDY #$F1
CPY L0A32
BCC L0E56
L0E4C LDA ($04),Y
STA ($06),Y
DEY
CPY L0A32
BCS L0E4C
L0E56 LDY L0A32
LDX #$00
L0E5B LDA L0A3A,X
STA ($04),Y
INY
INX
CPX #$07
BCC L0E5B
LDA L0A34
ORA L0A35
BEQ L0E8D
LDX #$06
L0E70 LDA L0A33,X
STA L0A3A,X
DEX
BPL L0E70
LDY #$00
LDA ($04),Y
TAX
INY
LDA ($04),Y
STA $05
STX $04
INC L0A31
LDY #$04
JMP L0E16

L0E8D LDY #$F3
LDA ($04),Y
INY
ORA ($04),Y
BEQ L0EAB
LDA $04
STA L0A42
LDA $05
STA L0A43
LDA L0A31
STA L0A41
LDA #$01
STA L09FC
L0EAB CLC
PLA
STA $07
PLA
STA $06
RTS

L0EB3 LDX #$00
L0EB5 LDA L09FD,X
PHA
LDA L09F9,X
PHA
LDA $04,X
PHA
LDA L09FF,X
PHA
INX
CPX #$02
BNE L0EB5
LDA #$F9
STA L09F9
LDA #$00
STA L09FA
JSR L0F73
BCC L0EDB
JMP L0F5E

L0EDB LDA L0A43
STA $05
LDA L0A42
STA $04
LDA L0A41
STA L0A31
LDY #$00
LDA L09FD
STA ($04),Y
INY
LDA L09FE
STA ($04),Y
LDA L09FD
STA $04
LDA L09FE
STA $05
INC L0A31
LDY #$03
LDA L0A43
STA ($04),Y
DEY
LDA L0A42
STA ($04),Y
LDA #$00
DEY
STA ($04),Y
DEY
STA ($04),Y
LDY #$04
L0F1C STA ($04),Y
INY
CPY #$F9
BNE L0F1C
LDA L0A31
PHA
JSR L0DAE
LDA L09FF
STA $04
LDA L0A00
STA $05
PLA
CLC
ADC #$B0
LDY #$02
STA ($04),Y
DEY
LDA #$A1
STA ($04),Y
DEY
LDA #$0D
STA ($04),Y
LDY #$03
LDA #$F9
STA ($04),Y
INY
LDA #$00
STA ($04),Y
INY
LDA L09FD
STA ($04),Y
LDA L09FE
INY
STA ($04),Y
CLC
L0F5E LDX #$01
L0F60 PLA
STA L09FF,X
PLA
STA $04,X
PLA
STA L09F9,X
PLA
STA L09FD,X
DEX
BPL L0F60
RTS

L0F73 JSR L10C9
SEC
LDA L09F9
SBC #$00
LDA L09FA
SBC #$02
L0F81 BCS L0F86
JMP L1030

L0F86 JSR L10C9
L0F89 LDY #$00
LDA ($04),Y
INY
ORA ($04),Y
BEQ L0F9F
LDA ($04),Y
TAX
DEY
LDA ($04),Y
STA $04
STX $05
JMP L0F89

L0F9F LDA #$FF
STA L0A2F
STA L0A30
L0FA7 LDY #$F3
L0FA9 LDA ($04),Y
INY
ORA ($04),Y
BNE L0FB9
TYA
SEC
SBC #$08
TAY
BCS L0FA9
BCC L1001
L0FB9 INY
INY
INY
LDA ($04),Y
DEY
DEY
CLC
ADC ($04),Y
STA L0A2D
INY
LDA ($04),Y
INY
INY
ADC ($04),Y
STA L0A2E
BCS L0FEF
SEC
LDA L0A2F
SBC L0A2D
TAX
LDA L0A30
SBC L0A2E
BCC L0FEF
CMP L09FA
BCC L0FEF
BNE L1014
TXA
CMP L09F9
BCS L1014
L0FEF LDA ($04),Y
STA L0A30
DEY
LDA ($04),Y
STA L0A2F
TYA
SEC
SBC #$0B
TAY
BCS L0FA9
L1001 LDY #$02
LDA ($04),Y
TAX
INY
LDA ($04),Y
STA $05
STX $04
ORA $04
BEQ L102B
JMP L0FA7

L1014 SEC
LDA L0A2F
SBC L09F9
STA L09FD
LDA L0A30
SBC L09FA
STA L09FE
L1027 CLC
LDA #$00
L102A RTS

L102B SEC
LDA #$03
BCS L102A
L1030 LDA #$00
STA L0A2F
LDA #$09
STA L0A30
L103A LDY #$05
L103C LDA ($04),Y
INY
ORA ($04),Y
BNE L104E
TYA
CLC
ADC #$06
TAY
CMP #$F9
BCC L103C
BCS L1098
L104E INY
INY
INY
INY
LDA ($04),Y
PHA
DEY
LDA ($04),Y
SEC
SBC L0A2F
TAX
PLA
SBC L0A30
CMP L09FA
BEQ L106A
BCS L106F
BCC L107E
L106A CPX L09F9
BCC L107E
L106F LDA L0A2F
STA L09FD
LDA L0A30
STA L09FE
JMP L1027

L107E LDA ($04),Y
DEY
DEY
CLC
ADC ($04),Y
STA L0A2F
INY
LDA ($04),Y
INY
INY
ADC ($04),Y
STA L0A30
INY
INY
CPY #$F9
BCC L103C
L1098 LDY #$00
LDA ($04),Y
TAX
INY
LDA ($04),Y
STA $05
STX $04
ORA $04
BEQ L10AB
JMP L103A
L10AB JMP L102B

L10AE LDA L0F81
EOR #$20
STA L0F81
RTS
L10B7 JMP L10E1
L10BA JMP L11BB
L10BD JMP L1236
L10C0 JMP L1237
L10C3 JMP L1238
L10C6 JMP L1239
L10C9 JMP L128B
L10CC JMP L1294
L10CF JMP L1295
L10D2 JMP L131F
L10D5 JMP L13DE
L10D8 JMP L13DF
L10DB JMP L13DF
L10DE JMP L13DF

L10E1 TXA
PHA
TYA
PHA
L10E5 STX L0A2B
STY L0A2C
JSR L128B
LDA #$00
STA L0A31
L10F3 LDY #$F3
L10F5 LDA ($04),Y
INY
CMP L0A2B
BNE L1104
LDA ($04),Y
CMP L0A2C
BEQ L112E
L1104 TYA
SEC
SBC #$08
TAY
BCS L10F5
LDY #$00
LDA ($04),Y
TAX
INY
ORA ($04),Y
BEQ L1121
LDA ($04),Y
STA $05
STX $04
INC L0A31
JMP L10F3

L1121 SEC
LDA #$01
L1124 STA L112B+1
PLA
TAY
PLA
TAX
L112B LDA #$00
RTS

L112E LDA $04
STA L1143+1
LDA $05
STA L1143+2
DEY
DEY
TYA
CLC
ADC #$07
TAX
L113F CPX #$F9
BCS L114C
L1143 LDA L1143,X
STA ($04),Y
INY
INX
BNE L113F
L114C TYA
CLC
ADC $04
STA L118A+1
STA L1179+1
LDA #$00
ADC $05
STA L1179+2
STA L118A+2
LDY #$00
LDA ($04),Y
TAX
INY
ORA ($04),Y
BEQ L1186
INC L0A31
LDA ($04),Y
STA $05
STX $04
LDY #$04
LDX #$00
L1177 LDA ($04),Y
L1179 STA L1179,X
INY
INX
CPX #$07
BNE L1177
LDY #$06
BNE L112E
L1186 LDA #$00
LDX #$06
L118A STA L118A,X
DEX
BPL L118A
LDY #$04
LDA ($04),Y
BNE L11B5
DEY
LDA ($04),Y
TAX
DEY
LDA ($04),Y
STA $04
STX $05
LDY #$00
TYA
STA ($04),Y
INY
STA ($04),Y
LDX #$A1
LDA L0A31
CLC
ADC #$B0
TAY
JMP L10E5

L11B5 LDA #$00
CLC
JMP L1124

L11BB STA L0A2A
STX L0A2B ; D1
STY L0A2C ; A1
STX L0A25 ; D1
STY L0A26 ; A1
JSR L128B ; points to $0900
L11CD LDY #$05
L11CF LDA ($04),Y
INY
CMP L0A25 ; is it D1?
BNE L11DE
LDA ($04),Y
CMP L0A26 ; is it A1?
BEQ L11FD
L11DE TYA
CLC
ADC #$06
TAY
CMP #$F9
BCC L11CF
LDY #$00
LDA ($04),Y
TAX
INY
LDA ($04),Y
TAY
BNE L11F6
CPX #$00
BEQ L122C
L11F6 STY $05
STX $04
JMP L11CD

L11FD DEY    ; found it
DEY    ; Y is now 5 + 1 - 2 = 4
LDX #$00 ; copy 7 bytes
L1201 LDA ($04),Y
STA L0A01,X
INY
INX
CPX #$07
BNE L1201
TYA    ; 4 + 7 - 7
SEC
SBC #$07
CLC
ADC $04
STA L0A08 ; points to entry low
LDA #$00
ADC $05
STA L0A09 ; points to entry high
LDA L0A06 ; where to load in RAM low
STA $04
LDA L0A07 ; where to load in RAM high
STA $05
LDA #$00
CLC
BCC L122F
L122C LDA #$01
SEC
L122F LDX L0A2B ; restore X
LDY L0A2C ; restore Y
RTS
L1236 RTS
L1237 RTS
L1238 RTS

L1239 PHA
TXA
PHA
TYA
PHA
LDX #$00
L1240 LDA L0AB0,X
STA L0900,X
INX
CPX L09FB
BNE L1240
LDA #$00
L124E CPX #$F9
BEQ L1258
STA L0900,X
INX
BNE L124E
L1258 LDA #$00
PHA
LDA #$01
PHA
LDX #$00
LDY #$FF
JSR L0AFC
LDA $04
STA L0A4E
LDA $05
STA L0A4F
LDA #$01
STA L0A0E
STA L0A0A
STA L0A1C
LDA #$60
STA L0A1B
LDA #$00
STA L0A1A
PLA
TAY
PLA
TAX
PLA
CLC
RTS

L128B LDA #$00
STA $04
LDA #$09
STA $05
RTS
L1294 RTS

L1295 LDA $04
PHA
LDA $05
PHA
STX $04
STY $05
LDY #$00
LDA ($04),Y
STA L0A10
INY
LDA ($04),Y
STA L0A11
INY
LDA ($04),Y
STA L0A14
INY
LDA ($04),Y
STA L0A14+1
INY
LDA ($04),Y
STA L0A24
INY
LDA ($04),Y
INY
STA L0A18
LDA L0A24
SEC
SBC #$01
PHA
CLC
ADC L0A14+1
STA L0A14+1
PLA
CLC
ADC L0A11
STA L0A11
L12DB LDA L0A11
CMP #$10
BCC L12ED
SBC #$10
STA L0A11
INC L0A10
JMP L12DB

L12ED LDA #$0A
LDY #$0C
SEI
JSR $BD00
CLI
LDA #$00
STA $48
BCS L1315
DEC L0A14+1
DEC L0A11
BPL L130C
LDA #$0F
STA L0A11
DEC L0A10
L130C DEC L0A24
BEQ L1314
JMP L12ED

L1314 CLC
L1315 PLA
STA $05
PLA
STA $04
LDA L0A19
RTS

L131F STA L0A27 ; save parms
STX L0A28
STY L0A29
JSR L0AF9
BCC L132E
RTS

L132E LDY #$03 ; get final RAM address + offset
L1330 LDA ($04),Y
STA L0A5E,Y
DEY
BPL L1330
LDX #$02
LDY #$00
LDA $04
CLC
ADC #$04
STA ($04),Y
STA L0A62,Y
PHP
CMP L0A5E
BNE L134D
DEX
L134D PLP
PHA
INY
LDA |$0004,Y
ADC #$00
STA ($04),Y
STA L0A62,Y
CMP L0A5F
BNE L1360
DEX
L1360 STA $05
PLA
STA $04
TXA
BEQ L137A
LDA $06
PHA
LDA $07
PHA
L136E LDY #$00
LDA ($04),Y
BNE L1386
PLA
STA $07
PLA
STA $06
L137A LDX L0A28
LDY L0A29
LDA L0A27
JMP (L0A62) ; execute code now

L1386 LDX #$30
L1388 CMP L0A63,X
BEQ L13A7
DEX
BNE L1388
LDX #$1C
L1392 CMP L0A93,X
BEQ L13DA
DEX
BNE L1392
LDA #$02
L139C CLC
ADC $04
STA $04
BCC L136E
INC $05
BCS L136E
L13A7 INY
SEC
LDA ($04),Y
SBC L0A5E
STA $06
INY
LDA ($04),Y
SBC L0A5F
STA $07
SEC
LDA L0A60
SBC $06
LDA L0A61
SBC $07
BCC L13D6
LDA $06
CLC
ADC L0A62
DEY
STA ($04),Y
LDA $07
ADC L0A63
INY
STA ($04),Y
L13D6 LDA #$03
BNE L139C
L13DA LDA #$01
BNE L139C
L13DE DB $00
L13DF RTS

That is how I understood that calls to $081E would execute code somewhere in memory and a couple of other calls. But, still no visible protection check...

Code:

$0800 find 0AF9 0AFF (which finally goes to 10BA)
$0809 find2 10BA
$081E move 10D2 131F execute
$0806 repack? 10B7 10E1

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:28 Sujet du message:

So, I decided to browse memory by entering the control panel of the IIgs and found out interesting code at $9555:

Code:

00/9555: A2 E1 LDX #E1
00/9557: A0 EA LDY #EA
00/9559: 20 00 08 JSR 0800
00/955C: 20 09 08 JSR 0809
00/955F: AD 04 0A LDA 0A04 67
00/9562: 85 FB STA FB
00/9564: AD 75 02 LDA 0275 8D
00/9567: 85 FF STA FF
00/9569: AD 05 0A LDA 0A05 03
00/956C: 85 FC STA FC
00/956E: A9 00 LDA #00
00/9570: 38 SEC
00/9571: E5 FB SBC FB
00/9573: 85 FB STA FB = 99
00/9575: A9 00 LDA #00
00/9577: E5 FC SBC FC
00/9579: 85 FC STA FC = FC
00/957B: A0 00 LDY #00
00/957D: 98 TYA
00/957E: 18 CLC
00/957F: 71 04 ADC (04),Y it looks like hidden code
00/9581: 91 04 STA (04),Y to the evil pirate I am!!
00/9583: C8 INY
00/9584: D0 02 BNE 9588 {+02}
00/9586: E6 05 INC 05
00/9588: E6 FB INC FB
00/958A: D0 F1 BNE 957D {-0F}
00/958C: E6 FC INC FC
00/958E: D0 ED BNE 957D {-13}
00/9590: A2 E1 LDX #E1
00/9592: A0 EA LDY #EA
00/9594: 20 1E 08 JSR 081E execute somewhere
00/9597: AD 70 02 LDA 0270 take the result
00/959A: 08 PHP
00/959B: A2 E1 LDX #E1
00/959D: A0 EA LDY #EA
00/959F: 20 06 08 JSR 0806 recode the same program
00/95A2: 28 PLP get the result
00/95A3: D0 0F BNE 95B4 {+0F} and branch on copy
00/95A5: 68 PLA
00/95A6: 8D CA 95 STA 95CA
00/95A9: 68 PLA
00/95AA: 8D CB 95 STA 95CB
00/95AD: A2 F5 LDX #F5
00/95AF: A0 D0 LDY #D0
00/95B1: 4C 06 08 JMP 0806
00/95B4: A2 F5 LDX #F5
00/95B6: A0 D0 LDY #D0
00/95B8: 20 06 08 JSR 0806
00/95BB: 20 FD 08 JSR 08FD ; 0DAB > 10AE > change page
00/95BE: A2 D1 LDX #D1
00/95C0: A0 A1 LDY #A1
00/95C2: 20 06 08 JSR 0806
00/95C5: 20 1E 08 JSR 081E
00/95C8: 60 RTS

So, I looked for all calls to $081E and tried a couple of changes.

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:31 Sujet du message:

So, I changed some code in the sector holding the check to determine where the code was executed. If you read the disassembly of $81E, the indirect jump address is located at $0A62..$0A63 and this is where we find our first protection check:

Code:

As one can see, on exit of the routine, we either have the carry clear or set and we also reload the program at $806. That is why I performed the first change in the first message of the thread. Instead of calling $81E, let's call $806 and simulate the return values. Gotcha!

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:33 Sujet du message:

I then checked the other calls to $81E (and trust me, there are numerous, I changed some code to stop when $81E was called and display the values of $A62..$A63. Pfew, that was long)

The other protection lies at $AA93. It performs the same check of the 4*4 nibble value of T22 (which must be the value of T21)

Code:

Revenir en haut de page

toinet
Site Admin

Inscrit le: 15 Juin 2007
Messages: 3043
Localisation: Le Chesnay, France

Posté le: Ven 05 Juil 2019, 18:37 Sujet du message:

If one looks at the protection check code, they slightly changed the addresses of the standard Disk II softswitches. Instead of using $C089,X, they used $BFF9,X. A clever way to hide the code.

I knew Computist issue 82, page 20, had a crack for the title. I did not want to check what they did prior to cracking the title. If I had known, I would have used their technique Wink

Code:

7/E/36:1C -> 18
A/3/8E:F7 -> D7
IT IS SEC CHANGED TO CLC

They simply replaced the encoded value of a SEC (see the two previous messages for the SEC) and put the encoded equivalent of CLC.

The advantage of what was done is: less bytes changed. The drawback, if I can say so, is that they still call the protection checks. Mine has more bytes to change but skip the protection calls.

Pfew, that was a tough one!

Revenir en haut de page

Montrer les messages depuis:

	Index du Forum -> PROTECTION MALEFIQUE	Toutes les heures sont au format GMT + 1 Heure
Page 1 sur 1

Vous ne pouvez pas poster de nouveaux sujets dans ce forum
Vous ne pouvez pas répondre aux sujets dans ce forum
Vous ne pouvez pas éditer vos messages dans ce forum
Vous ne pouvez pas supprimer vos messages dans ce forum
Vous ne pouvez pas voter dans les sondages de ce forum