toinet (Site Admin)
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France
Posted: Thu 09 Aug 2018, 17:46 Subject: Sabotage (On-Line Systems, 1981)
#995 - Sabotage by Mark Allen, one of the first filecracks I ever played on the Apple II. Disk image by Stephane Racle.
Disk structure
The disk is a standard DOS 3.2 (13-sector) disk. It can be read and copied. It shows no sign of on-disk protection.
Protection type
But there is one. If you copy the disk (DOS 3.2 to DOS 3.2 or to DOS 3.3), the HELLO file is run; it loads the BANNER file and BRUNs the SABOTAGE file, which hangs. When you look at the loading address of SABOTAGE (the game), it is at $1D00. That address is one widely used by On-Line Systems / Sierra to hold their protection scheme: a nibble check thing.
How to copy
We'll put the file onto a standard DOS 3.3 slave diskette. Perform the following operations:
- Insert a DOS 3.3 Master disk in drive 1 and boot it
- Insert a blank disk in drive 2 and type INIT HELLO,D2
- RUN CONVERT13,D1
- Insert the Sabotage disk in drive 1
- Perform a copy (wildcard is '=') of the 4 files from S6,D1 to S6,D2
You're done.
How to normalize
Now boot my copy disk and launch Disk Fixer; we still have the DOS 3.3 version of Sabotage in drive 2. Put it in drive 1 and perform the following change:
- Press D to display the catalog, then follow file SABOTAGE
- At offset $50: FF 1D => 1E 1D, or
- Another option: at offset $22: 60 => EA
- Save the sector
You're done.
The disk image is available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
8/2018

toinet (Site Admin)
Posted: Thu 09 Aug 2018, 17:47
The Disk Fixer view. The data to change are marked within '-'; choose the option to crack it.
Code:
-------------- DISK EDIT ---------------
TRACK $14/SECTOR $08/VOLUME $FE/BYTE $50
----------------------------------------
$00: 00 1D 00 37 A2 20 BD 7A @]@7" =:
$08: 22 95 20 CA 10 F8 BA CA ". JP8:J
$10: CA CA CA 9A A0 00 B9 4C JJJ. @9L
$18: 1D 9D 01 01 E8 C8 C0 04 ].AA(H@D
$20: D0 F4-60-A9 04 85 01 A9 P4`)D.A)
$28: 78 85 00 A2 08 A9 34 A0 8.@"H)4
$30: 07 49 65 18 69 92 91 00 GI%X)..@
$38: 88 10 F6 CA F0 0F 48 A5 .P6J0OH%
$40: 00 18 69 80 85 00 68 90 @X)..@(.
$48: E6 E6 01 B0 E2 18 90 04 &&A0"X.D
$50:-FF 1D-1E 1D A9 EA A2 50 ?]^])*"P
$58: 9D 00 1D CA D0 FA A9 5F .@]JP:)_
$60: 85 79 A9 7F 85 7B A0 00 .9)?.; @
$68: 84 78 84 7A A2 40 B1 78 .8.:"@18
$70: 91 7A C8 D0 F9 C6 79 C6 .:HP9F9F
$78: 7B CA D0 F2 EE 63 42 A2 ;JP2.#B"
----------------------------------------
BUFFER 0/SLOT 6/DRIVE 2/MASK OFF/NORMAL
DOS3.3:SABOTAGE /$00
----------------------------------------
COMMAND :

toinet (Site Admin)
Posted: Thu 09 Aug 2018, 17:59

The first part of the code at $1D00, a funny way to play with the stack to call routines (and the protection check at $1E00).
Code:
Put code at $20; there's a RAM protection check there.
As we did not modify anything there, we can leave it.
00/1D00: A2 20 LDX #20
00/1D02: BD 7A 22 LDA 227A,X
00/1D05: 95 20 STA 20,X
00/1D07: CA DEX
00/1D08: 10 F8 BPL 8002 ;-08=
00/1D1F: A9 04 LDA #04
Play with the stack pointer to
00/1D0A: BA TSX
00/1D0B: CA DEX
00/1D0C: CA DEX
00/1D0D: CA DEX
00/1D0E: CA DEX
00/1D0F: 9A TXS
00/1D10: A0 00 LDY #00
00/1D12: B9 4C 1D LDA 1D4C,Y
00/1D15: 9D 01 01 STA 0101,X
00/1D18: E8 INX
00/1D19: C8 INY
00/1D1A: C0 04 CPY #04
00/1D1C: D0 F4 BNE 8012 ;-0C=
00/1D1E: 60 RTS ; The return pulls the stack and
...jumps to the address at $101..$102 which is $1DFF, so it jumps to $1E00
where the on-disk protection check is (coded as usual)
If we have an original, we go back here (at $103..$104, we have $1D1E, so we jump to $1D1F)
We put a key value in the text screen, it is checked later. So keep it.
00/801F: A9 04 LDA #04
00/8021: 85 01 STA 01
00/8023: A9 78 LDA #78
00/8025: 85 00 STA 00
00/8027: A2 08 LDX #08
00/8029: A9 34 LDA #34 ; $34
00/802B: A0 07 LDY #07
00/802D: 49 65 EOR #65 ; $65
00/802F: 18 CLC
00/8030: 69 92 ADC #92 ; $92 which is???
00/8032: 91 00 STA (00),Y
00/8034: 88 DEY
00/8035: 10 F6 BPL 802D ;-0A=
00/8037: CA DEX
00/8038: F0 0F BEQ 8049 ;+0F=
00/803A: 48 PHA
00/803B: A5 00 LDA 00
00/803D: 18 CLC
00/803E: 69 80 ADC #80
00/8040: 85 00 STA 00
00/8042: 68 PLA
00/8043: 90 E6 BCC 802B ;-1A=
00/8045: E6 01 INC 01
00/8047: B0 E2 BCS 802B ;-1E=
00/8049: 18 CLC
00/804A: 90 04 BCC 8050 ;+04=
The return addresses in the stack
That is what I patched
00/804C: FF 1D 1E 1D SBC 1D1E1D,X
Clear the above code
00/8050: A9 EA LDA #EA
00/8052: A2 50 LDX #50
00/8054: 9D 00 1D STA 1D00,X
00/8057: CA DEX
00/8058: D0 FA BNE 8054 ;-06=
... and continue
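Added example (not code from the post): a small Python model of the 6502 stack and the RTS instruction that reproduces the return-address trick at $1D0A-$1D1E, using the four bytes FF 1D 1E 1D stored at $1D4C, and shows where each RTS lands before and after the offset-$50 patch. The starting stack pointer of $FF is an assumption.

```python
# Added example (not from the original post): model the 6502 stack and RTS
# to follow the return-address trick at $1D0A-$1D1E of Sabotage's loader.
# Only the stack page and RTS semantics are modelled; the starting stack
# pointer of $FF is an assumption.

FRAME_ORIGINAL = bytes.fromhex("FF1D1E1D")  # bytes at $1D4C on the original
FRAME_PATCHED = bytes.fromhex("1E1D1E1D")   # offset $50: FF 1D => 1E 1D


class Stack6502:
    """Stack page $0100-$01FF with an 8-bit stack pointer S."""

    def __init__(self, sp=0xFF):
        self.page = bytearray(0x100)
        self.sp = sp

    def pull(self):
        # PLA/RTS increment S first, then read $0100+S.
        self.sp = (self.sp + 1) & 0xFF
        return self.page[self.sp]

    def rts(self):
        # RTS pulls the low byte, then the high byte, and adds one.
        lo = self.pull()
        hi = self.pull()
        return (((hi << 8) | lo) + 1) & 0xFFFF


def plant_frames(stack, frame):
    """TSX; DEX x4; TXS, then the STA $0101,X / INX loop: reserve four
    bytes under S and fill them from S+1 up, where the next RTS reads."""
    x = (stack.sp - len(frame)) & 0xFF
    stack.sp = x
    for b in frame:
        stack.page[(x + 1) & 0xFF] = b
        x = (x + 1) & 0xFF


def loader_flow(frame, sp=0xFF):
    """Addresses reached by the loader's RTS at $1D1E and then by the RTS
    that ends the routine it landed in (the check at $1E00)."""
    stack = Stack6502(sp)
    plant_frames(stack, frame)
    first = stack.rts()   # original: $1DFF + 1 = $1E00 (protection check)
    second = stack.rts()  # original: $1D1E + 1 = $1D1F (back to the game)
    return [first, second]
```

With the patched frame the first RTS already lands at $1D1F, so the check at $1E00 is never reached, which is what the offset-$50 patch relies on.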

toinet (Site Admin)
Posted: Sat 13 Jul 2019, 18:23

13/Jul/2019 - Allen Greene on the Apple II Enthusiasts group on Facebook found out that there was a deleted file on the original disk of Sabotage: SOCCER.
I dug the original disk image, made another DOS 3.2 to DOS 3.3 conversion with Advanced Demuffin 1.4. Then, I undeleted the SOCCER binary file. It loads at $4000 and was intact.
Protection type
Check of nibbles on T0/S0.
How to crack
Follow file SOCCER; at sector offset $E, byte offset $3B, change 20 00 51 to 2C 00 51.
Note that the game runs on 6502 machines only.
How to use
Boot the disk at http://www.brutaldeluxe.fr/crack/ (On-Line Systems - Sabotage with Soccer - cracked.dsk). At the DOS 3.3 prompt, press CTRL-C, then BRUN SOCCER.
Reboot and... enjoy,
LoGo
7/2019
Code:
The code that deciphers the protection check:
00/5100: 4C 05 51 JMP 5105
00/5103: 00 5B BRK 5B
00/5105: A0 00 LDY #00
00/5107: AD 03 51 LDA 5103
00/510A: 85 00 STA 00
00/510C: AD 04 51 LDA 5104
00/510F: 85 01 STA 01
00/5111: A2 00 LDX #00
00/5113: BD 25 51 LDA 5125,X
00/5116: E8 INX
00/5117: E0 20 CPX #20
00/5119: D0 02 BNE 511D ;+02=
00/511B: A2 00 LDX #00
00/511D: 51 00 EOR (00),Y
00/511F: 91 00 STA (00),Y
00/5121: 88 DEY
00/5122: D0 EF BNE 5113 ;-11=
00/5124: 60 RTS
The protection check
00/5B00: A9 00 LDA #00
00/5B02: 48 PHA
00/5B03: 28 PLP
00/5B04: A9 00 LDA #00
00/5B06: 8D EB B7 STA B7EB
00/5B09: A9 01 LDA #01
00/5B0B: 8D F4 B7 STA B7F4
00/5B0E: A9 00 LDA #00
00/5B10: 8D EC B7 STA B7EC
00/5B13: A9 00 LDA #00
00/5B15: 8D ED B7 STA B7ED
00/5B18: A0 E8 LDY #E8
00/5B1A: A9 B7 LDA #B7
00/5B1C: 20 00 BD JSR BD00
00/5B1F: 20 65 B9 JSR B965 ; where it reads nibbles
00/5B22: A5 2E LDA 2E
00/5B24: F0 01 BEQ 5B27 ;+01=
00/5B26: 00 BRK
00/5B27: AD 2D 00 LDA 002D
00/5B2A: D0 F3 BNE 5B1F ;-0D=
00/5B2C: A0 05 LDY #05
00/5B2E: A9 00 LDA #00
00/5B30: 8D B6 5B STA 5BB6
00/5B33: 98 TYA
00/5B34: 48 PHA
00/5B35: 20 A6 5B JSR 5BA6
00/5B38: AD 2D 00 LDA 002D
00/5B3B: 68 PLA
00/5B3C: A8 TAY
00/5B3D: AD 2D 00 LDA 002D
00/5B40: 99 B7 5B STA 5BB7,Y
00/5B43: 88 DEY
00/5B44: D0 ED BNE 5B33 ;-13=
00/5B46: BD 88 C0 LDA C088,X
00/5B49: A9 01 LDA #01
00/5B4B: 8D F4 B7 STA B7F4
00/5B4E: A9 02 LDA #02
00/5B50: 8D EC B7 STA B7EC
00/5B53: A9 00 LDA #00
00/5B55: 8D F0 B7 STA B7F0
00/5B58: A9 91 LDA #91
00/5B5A: 8D F1 B7 STA B7F1
00/5B5D: A9 0C LDA #0C
00/5B5F: 8D ED B7 STA B7ED
00/5B62: A9 00 LDA #00
00/5B64: 8D EB B7 STA B7EB
00/5B67: A0 E8 LDY #E8
00/5B69: A9 B7 LDA #B7
00/5B6B: 20 00 BD JSR BD00
00/5B6E: B0 0E BCS 5B7E ;+0E=
00/5B70: A0 05 LDY #05
00/5B72: B9 B7 5B LDA 5BB7,Y
00/5B75: D9 00 91 CMP 9100,Y
00/5B78: D0 04 BNE 5B7E ;+04=
00/5B7A: 88 DEY
00/5B7B: D0 F5 BNE 5B72 ;-0B=
00/5B7D: 60 RTS
00/5B7E: A0 16 LDY #16
00/5B80: B9 90 5B LDA 5B90,Y
00/5B83: 99 03 00 STA 0003,Y
00/5B86: 98 TYA
00/5B87: D0 03 BNE 5B8C ;+03=
00/5B89: 4C 03 00 JMP 0003
00/5B8C: 88 DEY
00/5B8D: 4C 80 5B JMP 5B80
00/5B90: A0 00 LDY #00
00/5B92: A9 50 LDA #50
00/5B94: 85 00 STA 00
00/5B96: A9 00 LDA #00
00/5B98: 85 01 STA 01
00/5B9A: 91 00 STA (00),Y
00/5B9C: E6 00 INC 00
00/5B9E: D0 FA BNE 5B9A ;-06=
00/5BA0: E6 01 INC 01
00/5BA2: F0 F6 BEQ 5B9A ;-0A=
00/5BA4: D0 F4 BNE 5B9A ;-0C=
00/5BA6: AD B6 5B LDA 5BB6
00/5BA9: 18 CLC
00/5BAA: 69 02 ADC #02
00/5BAC: 8D B6 5B STA 5BB6
00/5BAF: 20 1E BA JSR BA1E
00/5BB2: 20 65 B9 JSR B965
00/5BB5: 60 RTS
00/5BB6: 00 00 BRK 00
00/5BB8: 00 00 BRK 00
00/5BBA: 00 00 BRK 00
00/5BBC: 00 00 BRK 00
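Added example (not code from the post): a Python re-implementation of the decipher loop at $5105-$5124 above, which XORs the 256-byte page at $5B00 against the 32-byte key stored at $5125. Because Y starts at zero and is decremented, the page is processed in the order $00, $FF, $FE, ..., $01 while X cycles through the key, which fixes the key alignment computed by key_index(). The key bytes and the plaintext page are constructed for the demonstration; the real key is only on the disk.

```python
# Added example (not from the original post): reproduce the decipher loop at
# $5105-$5124 of SOCCER in Python. ($00) points at $5B00, X walks the 32-byte
# key at $5125 and wraps at $20, and Y runs 0, $FF, $FE, ..., 1, so all 256
# bytes of the page are XORed exactly once.
KEY_LEN = 0x20


def decipher_page(page: bytes, key: bytes) -> bytes:
    """The loop at $5113-$5122, instruction for instruction."""
    assert len(page) == 0x100 and len(key) == KEY_LEN
    out = bytearray(page)
    x, y = 0, 0                      # LDX #00 ... LDY #00
    while True:
        k = key[x]                   # LDA $5125,X
        x = (x + 1) % KEY_LEN        # INX / CPX #$20 / BNE / LDX #00
        out[y] ^= k                  # EOR ($00),Y / STA ($00),Y
        y = (y - 1) & 0xFF           # DEY
        if y == 0:                   # BNE $5113
            break
    return bytes(out)


def key_index(y: int) -> int:
    """Key byte applied to page offset y: offset 0 gets key[0], offset $FF
    gets key[1], ..., offset 1 gets key[$1F]."""
    return (-y) & (KEY_LEN - 1)


# Constructed sample: the first bytes of the check at $5B00 taken from the
# listing, zero padded to a full page, and an arbitrary 32-byte key.
PLAIN = bytes.fromhex("A9004828A9008DEBB7A9018DF4B7").ljust(0x100, b"\x00")
KEY = bytes(range(0x11, 0x11 + KEY_LEN))   # constructed, not the disk's key
CIPHER = decipher_page(PLAIN, KEY)         # XOR is its own inverse


def roundtrip_ok() -> bool:
    return decipher_page(CIPHER, KEY) == PLAIN


if __name__ == "__main__":
    print("round trip:", roundtrip_ok())
    print("page[$01] uses key[%d], page[$FF] uses key[%d]"
          % (key_index(1), key_index(0xFF)))
```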