Star Thief (Cavalier Computer, 1981)

toinet
Site Admin

Joined: 15 June 2007
Posts: 3020
Location: Le Chesnay, France

Posted: Wed 24 Jul 2019, 17:41    Subject: Star Thief (Cavalier Computer, 1981)

#1017 - Star Thief is a fun game, written by Jim Nitchals, published by Cavalier Software. Prevent star thieves from stealing your pods. It is a one- or two-player game. Applesauce disk image from Stephane Racle, kindly provided by 4am.

Disk structure
The disk cannot be copied. Locksmith Fast Disk Backup tells us that all sectors are not readable. When you listen carefully, only half of the disk contains data.
A further analysis shows what looks like a 13-sec DOS disk. From experience, data is loaded too quickly to match the 5x3 nibble encoding. It seems there are 4x4 nibbles in the data field.
Code:

T0-T11: D5AAB5/DEAA - B59ADE/FDFE
T12: D5AAB5/DEAA - D5AAAD/FDFE
T13: EMPTY
T14-T22: NO DATA


Protection type
The disk format is non standard as described above. There is a nibble check once the program is in RAM. It will prevent you from playing if you do not have the original disk.

Boot trace
Code:

Get boot 1:
CALL-151
9600<C600.C6FFM
96F8:4C DA FD
9600G
01

Result is:
0800: 01 A2 00 BD 00 08 9D 00
0808: 02 E8 D0 F7 4C 0F 02 A0
0810: AB 98 85 3C 4A 05 3C C9
0818: FF D0 09 C0 D5 F0 05 8A
0820: 99 00 08 E8 C8 D0 EA 84
0828: 3D 84 26 A9 03 85 27 A6
0830: 2B 20 5D 02 20 D1 02 A9
0838: A9 8D 1F 03 A9 02 8D 20
0840: 03 4C 01 03 00 00 00 00
0848: 00 00 00 00 00 00 00 00
0850: 00 00 00 00 00 00 00 00
0858: 00 00 00 00 00 18 08 BD
0860: 8C C0 10 FB 49 D5 D0 F7
0868: BD 8C C0 10 FB C9 AA D0
0870: F3 EA BD 8C C0 10 FB C9
0878: B5 F0 09 28 90 DF 49 AD
0880: F0 1F D0 D9 A0 03 84 2A
0888: BD 8C C0 10 FB 2A 85 3C
0890: BD 8C C0 10 FB 25 3C 88
0898: D0 EE 28 C5 3D D0 BE B0
08A0: BD A0 9A 84 3C BC 8C C0
08A8: 10 FB 59 00 08 A4 3C 88
08B0: 99 00 08 D0 EE 84 3C BC
08B8: 8C C0 10 FB 59 00 08 A4
08C0: 3C 91 26 C8 D0 EF BC 8C
08C8: C0 10 FB 59 00 08 D0 8D
08D0: 60 A8 A2 00 B9 00 08 4A
08D8: 3E CC 03 4A 3E 99 03 85
08E0: 3C B1 26 0A 0A 0A 05 3C
08E8: 91 26 C8 E8 E0 33 D0 E4
08F0: C6 2A D0 DE CC 00 03 D0
08F8: 03 60 00 00 4C 2D FF 00

Get boot 2:
9600<C600.C6FFM
96F8:A9 59 8D 42 08 A9 FF 8D 43 08 4C 01 08
9600G

Result is:
0300: 99 B9 00 08 0A 0A 0A 99
0308: 00 08 C8 D0 F4 A6 2B A9
0310: 09 85 27 AD CC 03 85 41
0318: 84 40 8A 4A 4A 4A 4A A9
0320: 02 85 3F A9 5D 85 3E 20
0328: 43 03 20 46 03 A5 3D 4D
0330: FF 03 F0 06 E6 41 E6 3D
0338: D0 ED 85 3E AD CC 03 85
0340: 3F E6 3F 6C 3E 00 A2 32
0348: A0 00 BD 00 08 4A 4A 4A
0350: 85 3C 4A 85 2A 4A 1D 00
0358: 09 91 40 C8 BD 33 08 4A
0360: 4A 4A 4A 26 3C 4A 26 2A
0368: 1D 33 09 91 40 C8 BD 66
0370: 08 4A 4A 4A 4A 26 3C 4A
0378: 26 2A 1D 66 09 91 40 C8
0380: A5 2A 29 07 1D 99 09 91
0388: 40 C8 A5 3C 29 07 1D CC
0390: 09 91 40 C8 CA 10 B3 AD
0398: 99 08 4A 4A 4A 0D FF 09
03A0: 91 40 A6 2B 60 FF FF FF
03A8: FF FF FF FF FF FF FF FF
03B0: FF FF FF FF FF FF FF FF
03B8: FF FF FF FF FF FF FF FF
03C0: FF FF FF FF FF FF FF FF
03C8: FF FF FF FF 41 FF FF FF
03D0: FF FF FF FF FF FF FF FF
03D8: FF FF FF FF FF FF FF FF
03E0: FF FF FF FF FF FF FF FF
03E8: FF FF FF FF FF FF FF FF
03F0: FF FF FF FF FF FF FF FF
03F8: FF FF FF FF FF FF FF 06

Get boot 3:
We load the last loader at $4200 and then crash.
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 00 8D A4 03 4C 01 03
9600G

Get boot 4:
We load the entire program in RAM and crash into the monitor once done.
CALL-151
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 4C 8D 3C 03 A9 00 8D 3D 03 A9 B8 8D 3E 03 4C 01 03
B800:A9 4C 8D C2 42 A9 00 8D C3 42 A9 B9 8D C4 42 4C 00 42
B900:2C 51 C0 AD 00 C0 10 FB 2C 10 C0 4C 59 FF
9600G

Get boot 5:
We interrupt the loading of the program in RAM earlier because the real read routine is erased once the program is in memory.
CALL-151
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 4C 8D 3C 03 A9 00 8D 3D 03 A9 B8 8D 3E 03 4C 01 03
B800:A9 4C 8D C2 42 A9 00 8D C3 42 A9 B9 8D C4 42 4C 00 42
B900:A9 85 8D 69 69 A9 FE 8D 6A 69 A9 4C 8D 6B 69 A9 59 8D 6C 69 A9 FF 8D 6D 69 A9 02 4C 01 68
9600G

At $FE, we have the value of Y = $94
We will see there is a nibble check (count of D5 on T11); the routine at $B900 patches the on-disk check to get that count, stores it, then crashes.

In RAM:
0000..00FF   zero page
0100..01FF   stack area
0200..1FFF   program
2000..41FF   HGR
4200..47FF   loader
5000..51FF   buffer for sectors
6000..80FF   rest of the program


How to make a real disk
You can boot a DOS 3.3 disk
Then you run the following code:
Code:

CALL-151
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 4C 8D 3C 03 A9 00 8D 3D 03 A9 94 8D 3E 03 4C 01 03
9400:A9 4C 8D C2 42 A9 00 8D C3 42 A9 93 8D C4 42 4C 00 42
9300:A2 00 BD 00 00 9D 00 81
9308:BD 00 01 9D 00 82 BD 00
9310:02 9D 00 83 BD 00 03 9D
9318:00 84 BD 00 04 9D 00 85
9320:BD 00 05 9D 00 86 BD 00
9328:06 9D 00 87 BD 00 07 9D
9330:00 88 CA D0 CD 4C 59 FF
9600G

You have the program in memory and the area $0000..$07FF is copied to $8100..$88FF.
You can write a simple program to write the RAM contents on a 16-sec disk as from T1. I leave that exercise to the reader.

How to normalize
Boot my copy disk
Launch Disk Fixer
On your normalized disk
Code:

The preferred change hereafter skips the last on-disk protection scheme and may help the program run under ProDOS:
T7/S1/3B:BD F9 BF -> 4C D2 68
or if you want the on-disk protection check to be still run:
T7/S1/75:6C FF 00 -> 4C D2 68
or the complete thing to remove the false opcodes (B7 00):
T7/S1/6F:49 68 85 00 B7 00 6C FF 00 -> A9 68 85 00 EA EA 4C D2 68


Note that there is another use of the indirect jump bug in the program. As it is in the original loader at $4200, which we do not use anymore, I did not patch it.

The disk image is available at http://www.brutaldeluxe.fr/crack/

Reboot and... enjoy,
LoGo
7/2019
toinet
Site Admin

Joined: 15 June 2007
Posts: 3020
Location: Le Chesnay, France

Posted: Wed 24 Jul 2019, 17:42
The nibble check on-disk protection check:
Code:

00/692E: A9 D2        LDA #D2           ; the low pointer
00/6930: 85 FF        STA FF           
00/6932: A9 02        LDA #02           
00/6934: 8D 00 01     STA 0100         
00/6937: A2 E0        LDX #E0           
00/6939: A2 F0        LDX #F0           
00/693B: BD F9 BF     LDA BFF9,X        ; it is really LDA $C089,X
00/693E: A0 06        LDY #06           
00/6940: 20 A8 FC     JSR FCA8         
00/6943: 88           DEY               
00/6944: D0 FA        BNE 6940 {-06}   
00/6946: BD FC BF     LDA BFFC,X       
00/6949: 10 FB        BPL 6946 {-05}   
00/694B: C9 D5        CMP #D5           
00/694D: D0 F7        BNE 6946 {-09}   
00/694F: A0 00        LDY #00           
00/6951: BD FC BF     LDA BFFC,X       
00/6954: 10 FB        BPL 6951 {-05}   
00/6956: C8           INY               
00/6957: C9 D5        CMP #D5           
00/6959: D0 F6        BNE 6951 {-0A}   
00/695B: BD FC BF     LDA BFFC,X       
00/695E: 10 FB        BPL 695B {-05}   
00/6960: C8           INY               
00/6961: C9 D5        CMP #D5           
00/6963: D0 F6        BNE 695B {-0A}   
00/6965: BD F8 BF     LDA BFF8,X       
00/6968: 98           TYA               ; 94
00/6969: 38           SEC               ; -93
00/696A: ED 00 68     SBC 6800          ; =0000_0001
00/696D: 29 FC        AND #FC           ; %1111_1100
                ; %0000_0000
00/696F: 49 68        EOR #68           ; %0110_1000
00/6971: 85 00        STA 00            ; %0110_1000
00/6973: B7 00        LDA [00],Y        ; 68
00/6975: 6C FF 00     JMP (00FF)       

At $0000, we find $68
At $00FF, we find $7C
so, JMP ($00FF) goes to $68D2
The program relies on the 6502 bug where an indirect jump at a page boundary ($FF and $100) will jump to the address at $00 and $FF: there is no page cross. So, the program does not run on 65c02 machines because of that.
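Added example (Python, written for this page and not part of the posts): it models the check listed above together with the T11 layout from the first post. It counts nibbles between D5 markers the way the loops at $6946-$6963 do, applies the $6968-$696F arithmetic (assuming $6800 holds $93 and $FF holds $D2, as the comments and the STA at $6930 show), and emulates JMP ($00FF) on an NMOS 6502 versus a 65C02. The nibble stream is constructed, not read from the real disk.

```python
# Model of the Star Thief nibble check and the JMP ($00FF) page-wrap quirk.
# Constructed data only; the $6800 reference ($93) and $FF ($D2) come from the listing.

def make_track(gap):
    """Constructed nibble stream: sync bytes, then three D5 markers each
    followed by `gap` non-D5 nibbles (AA B5 prologue plus filler)."""
    body = [0xAA, 0xB5] + [0x96] * (gap - 2)
    return [0xFF] * 4 + [0xD5] + body + [0xD5] + body + [0xD5] + body

def nibble_count(stream):
    """$6946-$6963: spin until a D5, then count nibbles in Y across the next
    two D5-to-D5 spans (each terminating D5 is counted by the INY before CMP)."""
    it = iter(stream)
    for nib in it:                      # $6946: LDA/BPL/CMP #D5/BNE
        if nib == 0xD5:
            break
    else:
        raise ValueError("no D5 marker in stream")
    y = 0
    for _ in range(2):                  # loops at $6951 and $695B
        for nib in it:
            y = (y + 1) & 0xFF          # INY wraps at 8 bits
            if nib == 0xD5:
                break
        else:
            raise ValueError("stream ended before the next D5")
    return y

def check_page(y, ref=0x93):
    """$6968-$696F: TYA; SEC; SBC $6800; AND #$FC; EOR #$68.
    AND #$FC tolerates a count within 4 of the reference."""
    return (((y - ref) & 0xFF) & 0xFC) ^ 0x68

def jmp_indirect(mem, ptr, cmos):
    """JMP (ptr): the NMOS 6502 fetches the high byte from the same page
    (ptr+1 wraps within the page); the 65C02 reads ptr+1 across the boundary."""
    lo = mem[ptr]
    hi_addr = ptr + 1 if cmos else (ptr & 0xFF00) | ((ptr + 1) & 0xFF)
    return (mem[hi_addr] << 8) | lo

def run_check(stream, cmos=False):
    """Set up memory as $692E-$6934 does, run the count, then JMP ($00FF)."""
    mem = {0x00FF: 0xD2, 0x0100: 0x02}          # STA $FF, STA $0100
    mem[0x0000] = check_page(nibble_count(stream))   # STA $00 at $6971
    return jmp_indirect(mem, 0x00FF, cmos)

if __name__ == "__main__":
    good = make_track(73)               # Y = 2 * 74 = $94, as in the trace
    print(hex(nibble_count(good)), hex(run_check(good)), hex(run_check(good, cmos=True)))
```

On a 65C02 the high byte comes from $0100, which the routine itself set to $02, so the jump lands at $02D2 instead of $68D2.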