toinet, Site Admin
Joined: 15 June 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Wed 18 Nov 2020, 19:46  Subject: Spirit of Excalibur IIgs (Virgin, 1990)
#1039 - This is a role-playing game, hard to find. Alex Lee sent me the original disk images. Thank you, Alex.
Disk structure
The game comes on three copiable 3.5" DD disks. It runs under GS/OS and is autobootable.
Protection type
When you first play the game, you must check the map of Englande and answer a question. You have two tries only. If you fail, the game hangs.
How to copy
Use ZZCopy or Photonix II to copy the three disks. Then, store them in a dry and safe place.
How to crack
Boot Block.Warden or any other ProDOS file utility
Code:
Prefix /SPIRIT1/SYSTEM
Follow file START
At offset $5EF7: 22 -> AF /* replace the JSL with a LDAL */
Save the block onto disk
The disks are available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
11/2020
toinet, Site Admin
Joined: 15 June 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Wed 18 Nov 2020, 19:47
How to find what to crack: from the strings to the calling code
Code:
The password strings
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
07/C7EF: 506C656173 L07C7EF ASC 'Please look at your Map of EngI
07/C812: 706F737465 ASC 'poster. Enter the name of the I
07/C839: 6E65617265 ASC 'nearest the intersection of imI
07/C85F: 6C696E6573 ASC 'lines drawn between matching pI
07/C885: 7468657365 ASC 'these shield designs:'00
07/C89B: 5468617420 L07C89B ASC 'That was not correct. We hope I
07/C8C2: 656E6A6F79 ASC 'enjoyed your look at Spirit ofI
07/C8E9: 722E00 ASC 'r.'00
07/C8EC: 5468617420 L07C8EC ASC 'That was not correct. Please tI
07/C914: 596F752063 ASC 'You cannot command that force'I
07/C932: AB DB $AB
07/C933: 00 DB $00
07/C934: 7A DB $7A
07/C935: 00 DB $00
07/C936: 00 DB $00
07/C937: 01 DB $01
07/C938: A5 DB $A5
07/C939: 00 DB $00
07/C93A: 78 DB $78
07/C93B: 00 DB $00
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
:_
Where the "Please look" string is displayed
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
01/88AA: 226C3302 JSL $02336C
01/88AE: A8 TAY
01/88AF: 3B TSC
01/88B0: 18 CLC
01/88B1: 691C00 ADC #$001C
01/88B4: 1B TCS
01/88B5: 98 TYA
01/88B6: F40700 PEA ^L07C7EF
01/88B9: F4EFC7 PEA L07C7EF
01/88BC: F40000 PEA $0000
01/88BF: F40000 PEA $0000
01/88C2: F45000 PEA $0050
01/88C5: F4FA00 PEA $00FA
01/88C8: F40500 PEA $0005
01/88CB: F40A00 PEA $000A
01/88CE: A90100 LDA #$0001
01/88D1: F00A BEQ $88DD
01/88D3: A90100 LDA #$0001
01/88D6: F005 BEQ $88DD
01/88D8: A91E00 LDA #$001E
...
01/8BE5: 8DC700 STA $0500C7
01/8BE8: C220 REP #$20
01/8BEA: 82BE00 BRL $8CAB
01/8BED: 22658702 JSL $028765
01/8BF1: A5D5 LDA $D5
01/8BF3: 29FF00 AND #$00FF
01/8BF6: F042 BEQ $8C3A
* Second and final failure
01/8BF8: F40700 PEA ^L07C89B
01/8BFB: F49BC8 PEA L07C89B
01/8BFE: F40500 PEA $0005
01/8C01: F40000 PEA $0000
01/8C04: F41E00 PEA $001E
01/8C07: F40401 PEA $0104
01/8C0A: F40A00 PEA $000A
01/8C0D: F40A00 PEA $000A
01/8C10: A90000 LDA #$0000
01/8C13: F00A BEQ $8C1F
01/8C15: A90100 LDA #$0001
01/8C18: F005 BEQ $8C1F
01/8C1A: A9C0FF LDA #$FFC0
01/8C1D: 8003 BRA $8C22
01/8C1F: A90000 LDA #$0000
01/8C22: 48 PHA
01/8C23: A94079 LDA #$7940
01/8C26: FA PLX
01/8C27: 86FA STX $FA
01/8C29: 05FA ORA $FA
01/8C2B: 48 PHA
01/8C2C: 228B8002 JSL $02808B
01/8C30: A8 TAY
01/8C31: 3B TSC
01/8C32: 18 CLC
01/8C33: 691200 ADC #$0012
01/8C36: 1B TCS
01/8C37: 98 TYA
01/8C38: 8048 BRA $8C82
* The first failure
01/8C3A: F40700 PEA ^L07C8EC
01/8C3D: F4ECC8 PEA L07C8EC
01/8C40: F40000 PEA $0000
01/8C43: F40000 PEA $0000
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
:_
* We increment the number of tries - The end of the routine
01/8C82: E220 SEP #$20
01/8C84: E6D5 INC $D5
01/8C86: C220 REP #$20
01/8C88: A5D5 LDA $D5
01/8C8A: 29FF00 AND #$00FF
01/8C8D: 38 SEC
01/8C8E: E90200 SBC #$0002
01/8C91: 7003 BVS $8C96
01/8C93: 490080 EOR #$8000
01/8C96: 3003 BMI $8C9B
01/8C98: 8251FB BRL $87EC
01/8C9B: F40000 PEA $0000
01/8C9E: 2255C604 JSL $04C655
01/8CA2: 7A PLY
01/8CA3: F40000 PEA $0000
01/8CA6: 22A8BE04 JSL $04BEA8
01/8CAA: 7A PLY
01/8CAB: A8 TAY
01/8CAC: 7B TDC
01/8CAD: 18 CLC
01/8CAE: 69FB00 ADC #$00FB
01/8CB1: 1B TCS
01/8CB2: 98 TYA
01/8CB3: 2B PLD
01/8CB4: 6B RTL
* Where does the routine begin?
01/87D8: 0B PHD
01/87D9: 3B TSC
01/87DA: 38 SEC
01/87DB: E9FB00 SBC #$00FB
01/87DE: 5B TCD
01/87DF: 69D100 ADC #$00D1
01/87E2: 1B TCS
01/87E3: E220 SEP #$20
01/87E5: 64D5 STZ $D5
01/87E7: C220 REP #$20
01/87E9: 829C04 BRL $8C88
01/87EC: 22658702 JSL $028765
01/87F0: F41C00 PEA $001C
01/87F3: 22525102 JSL $025152
01/87F7: 7A PLY
01/87F8: E220 SEP #$20
01/87FA: 85D3 STA $D3
01/87FC: C220 REP #$20
01/87FE: F40000 PEA $0000
01/8801: F40000 PEA $0000
* Where is it called?
01/6063: D008 BNE $606D
01/6065: F40300 PEA $0003
01/6068: 22CD2501 JSL $0125CD
01/606C: 7A PLY
01/606D: ADC700 LDA $0500C7 ; skip protection?
01/6070: 29FF00 AND #$00FF
01/6073: C90000 CMP #$0000
01/6076: D004 BNE $607C
01/6078: 22D88701 JSL $0187D8 ; call protection
01/607C: A90100 LDA #$0001
01/607F: E220 SEP #$20
01/6081: 8DDB00 STA $0500DB
01/6084: C220 REP #$20
01/6086: A90100 LDA #$0001
01/6089: E220 SEP #$20
01/608B: 8D5F01 STA $05015F
01/608E: C220 REP #$20
01/6090: A90100 LDA #$0001
01/6093: 8D5B01 STA $05015B
01/6096: A90A5F LDA #$5F0A
This is the table of global variables. At $C7, we have the protection flag byte.
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
05/0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 ................
05/0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0050: 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c...............
05/0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/00A0: 00 00 00 00 00 00 00 00 00 00 00 00 63 06 00 01 ............c...
05/00B0: 02 03 48 02 94 02 15 00 00 00 00 00 00 04 00 00 ..H.............
05/00C0: F4 01 00 00 00 00 00>00 01<EE 00 F0 00 EE 00 00 t........n.p.n..
05/00D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/00E0: 00 00 00 00 00 00 00 D7 5A 07 00 00 00 00 00 00 .......WZ.......
05/00F0: 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 ................
05/0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
05/0120: 00 00 00 0A 01 01 00 00 00 00 00 00 00 00 00 00 ................
05/0130: 00 00 02 08 09 0E 17 04 0A 0C 0F 06 04 05 00 00 ................
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Interesting!
If we take $0500C7 as a byte, its default value is 0, and the protection is called.
If we take $0500C8 as a word, its default value is <>0, and the protection is not called.
If so, at offset $6072: 00 -> FF
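The flag check and the two patches discussed above, modelled as an added example (this is not code from the post nor a Brutal Deluxe tool): a Python interpreter for just the seven 65816 opcodes that occur between 01/606D and 01/607C, fed the bytes from the listing and the default values of $0500C7/$0500C8 seen in the global-variable table. It returns which JSL targets are reached, so the original bytes, the JSL-to-LDAL patch and the widened AND mask can be compared side by side. The data bank of $05 for the absolute load, a JSL that returns at once, and a zero read for every unlisted address are assumptions of the model, not facts from the post.

```python
"""Minimal interpreter for the 65816 instructions of the check at 01/606D-01/607C.
Added example, not the game's code; see the lead-in for the assumptions made."""

# The check, byte for byte from the disassembly in the post (bank byte $01 as listed
# there).  This code runs with a 16-bit accumulator (REP #$20), so immediates are 16-bit.
CHECK_CODE = bytes.fromhex(
    "ADC700"     # 01/606D  LDA $0500C7   (16-bit load: low byte $C7, high byte $C8)
    "29FF00"     # 01/6070  AND #$00FF
    "C90000"     # 01/6073  CMP #$0000
    "D004"       # 01/6076  BNE $607C     (skip the call when the flag is non-zero)
    "22D88701"   # 01/6078  JSL $0187D8   (the protection routine)
    "A90100"     # 01/607C  LDA #$0001
)
PROTECTION_ROUTINE = 0x0187D8
JSL_OFFSET = 11    # index of the $22 opcode: the post's "$5EF7: 22 -> AF" patch
MASK_OFFSET = 5    # high byte of the AND operand: the post's "$6072: 00 -> FF" patch


def patch(code: bytes, offset: int, expected: int, new: int) -> bytes:
    """One-byte patch that refuses to write if the original byte is not the expected one."""
    if code[offset] != expected:
        raise ValueError(f"byte at {offset} is ${code[offset]:02X}, expected ${expected:02X}")
    out = bytearray(code)
    out[offset] = new
    return bytes(out)


def run_check(code: bytes, flag_byte: int = 0x00, next_byte: int = 0x01) -> list[int]:
    """Execute the snippet with $0500C7 = flag_byte and $0500C8 = next_byte (defaults are
    the values in the global-variable table).  Returns the JSL targets that were reached;
    a JSL 'returns' immediately, the called routine itself is not modelled (assumption)."""
    mem = {0x0500C7: flag_byte, 0x0500C8: next_byte}   # every other address reads as 0
    a, zero, pc, calls = 0, False, 0, []

    def imm16(at: int) -> int:            # little-endian 16-bit operand at code[at]
        return code[at] | (code[at + 1] << 8)

    def load16(addr: int) -> int:         # little-endian 16-bit memory read
        return mem.get(addr, 0) | (mem.get(addr + 1, 0) << 8)

    while pc < len(code):
        op = code[pc]
        if op == 0xAD:      # LDA abs: the data bank is assumed to be $05 for this code
            a = load16(0x050000 | imm16(pc + 1)); zero = a == 0; pc += 3
        elif op == 0xAF:    # LDA long: 4 bytes, the same size as JSL, and only loads A
            a = load16(imm16(pc + 1) | (code[pc + 3] << 16)); zero = a == 0; pc += 4
        elif op == 0xA9:    # LDA #imm16
            a = imm16(pc + 1); zero = a == 0; pc += 3
        elif op == 0x29:    # AND #imm16
            a &= imm16(pc + 1); zero = a == 0; pc += 3
        elif op == 0xC9:    # CMP #imm16: only the Z flag matters for the BNE that follows
            zero = a == imm16(pc + 1); pc += 3
        elif op == 0xD0:    # BNE rel8 (signed displacement from the next instruction)
            disp = code[pc + 1] - (256 if code[pc + 1] > 127 else 0)
            pc += 2
            if not zero:
                pc += disp
        elif op == 0x22:    # JSL long: record the target and continue after the call
            calls.append(imm16(pc + 1) | (code[pc + 3] << 16)); pc += 4
        else:
            raise ValueError(f"opcode ${op:02X} at offset {pc} is not modelled")
    return calls


def protection_called(code: bytes, flag_byte: int = 0x00, next_byte: int = 0x01) -> bool:
    """True when the snippet reaches the JSL to the protection routine."""
    return PROTECTION_ROUTINE in run_check(code, flag_byte, next_byte)


ORIGINAL = CHECK_CODE
JSL_TO_LDAL = patch(CHECK_CODE, JSL_OFFSET, 0x22, 0xAF)     # JSL -> LDAL, the published patch
MASK_WIDENED = patch(CHECK_CODE, MASK_OFFSET, 0x00, 0xFF)   # AND #$00FF -> AND #$FFFF

if __name__ == "__main__":
    for name, code in [("original", ORIGINAL), ("JSL->LDAL", JSL_TO_LDAL), ("AND mask", MASK_WIDENED)]:
        print(f"{name:10s} protection called: {protection_called(code)}")
    # the game's own bypass: a non-zero flag byte at $0500C7
    print(f"original, flag=1   protection called: {protection_called(ORIGINAL, flag_byte=0x01)}")
```

Running it shows the three outcomes the post reasons about: with the original bytes the load of $0500C7 yields $0100, the mask strips the $01 and the JSL is taken; with the mask widened the word stays non-zero and the BNE skips the call; with JSL replaced by LDAL the call is simply gone and, because both opcodes are four bytes long, the LDA #$0001 that follows is still decoded correctly. The same reading holds for the game's own skip, a non-zero byte in $0500C7.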
toinet, Site Admin
Joined: 15 June 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Wed 18 Nov 2020, 19:48
The Block Warden view
Code:
Block: $01CF (463) Volume name: SPIRIT1 Tuesday 18-Nov-20 7:30
Prefix: /SPIRIT1/SYSTEM/
Following: START, Type S16, Rel block 48, Byte $005EF7
(c) Q 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F Edit mode
1988ZSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Z 000: FF 00 D0 03 82 6D 00 A5 F4 29 FF 00 A2 00 00 F4 .P..m.%t)."..t
b Z 010: 00 00 F4 19 00 18 22 75 A0 00 A9 36 47 A2 00 00 ..t..."u .)6G"..
B y Z 020: 22 D0 9B 00 68 FA 85 F6 86 F8 A0 16 00 B7 F6 C9 "P..hz.v.x ..7vI
L Z 030: 5B 02 F0 2D A5 F4 29 FF 00 A2 00 00 F4 00 00 F4 [.p-%t)."..t..t
O G Z 040: 19 00 18 22 75 A0 00 A9 36 47 A2 00 00 22 D0 9B ..."u .)6G".."P.
C l Z 050: 00 68 FA 85 F6 86 F8 A0 16 00 B7 F6 C9 61 02 D0 .hz.v.x ..7vIa.P
K e Z 060: 13 F4 01 00 A5 F5 29 FF 00 48 F4 30 00 22 7F 3E .t..%u).Ht0.">
n Z 070: 00 7A 7A 7A E2 20 E6 F5 C2 20 A5 F5 29 FF 00 38 .zzzb fuB %u).8
W Z 080: E9 5C 00 D0 03 82 64 FF 70 03 49 00 80 30 03 82 i\.P..dp.I..0..
A B Z 090: 5A FF 7B 18 69 FB 00 1B 2B 6B 0B 3B 38 E9 FB 00 Z{.i{..+k.;8i{.
R r Z 0A0: 5B 69 F3 00 1B A9 01 00 E2 20 8D 5E 01 C2 20 22 [is..)..b .^.B "
D e Z 0B0: AC 57 00 22 8E 5D 00 A9 42 76 A2 00 00 8E AC 02 ,W.".].)Bv"...,.
E d Z 0C0: 8D AA 02 22 9C 6D 00 22 F1 75 00 22 5F 6E 00 A9 .*.".m."qu."_n.)
N o Z 0D0: 01 00 E2 20 8D 63 01 C2 20 AD AC 00 29 FF 00 C9 ..b .c.B -,.).I
n Z 0E0: 00 00 D0 08 F4 03 00 22 CD 25 00 7A AD C7 00 29 ..P.t.."M%.z-G.)
Z 0F0: FF 00 C9 00 00 D0 04>22<D8 87 00 A9 01 00 E2 20 .I..P."X..)..b
After
Z 000: FF 00 D0 03 82 6D 00 A5 F4 29 FF 00 A2 00 00 F4 .P..m.%t)."..t
b Z 010: 00 00 F4 19 00 18 22 75 A0 00 A9 36 47 A2 00 00 ..t..."u .)6G"..
B y Z 020: 22 D0 9B 00 68 FA 85 F6 86 F8 A0 16 00 B7 F6 C9 "P..hz.v.x ..7vI
L Z 030: 5B 02 F0 2D A5 F4 29 FF 00 A2 00 00 F4 00 00 F4 [.p-%t)."..t..t
O G Z 040: 19 00 18 22 75 A0 00 A9 36 47 A2 00 00 22 D0 9B ..."u .)6G".."P.
C l Z 050: 00 68 FA 85 F6 86 F8 A0 16 00 B7 F6 C9 61 02 D0 .hz.v.x ..7vIa.P
K e Z 060: 13 F4 01 00 A5 F5 29 FF 00 48 F4 30 00 22 7F 3E .t..%u).Ht0.">
n Z 070: 00 7A 7A 7A E2 20 E6 F5 C2 20 A5 F5 29 FF 00 38 .zzzb fuB %u).8
W Z 080: E9 5C 00 D0 03 82 64 FF 70 03 49 00 80 30 03 82 i\.P..dp.I..0..
A B Z 090: 5A FF 7B 18 69 FB 00 1B 2B 6B 0B 3B 38 E9 FB 00 Z{.i{..+k.;8i{.
R r Z 0A0: 5B 69 F3 00 1B A9 01 00 E2 20 8D 5E 01 C2 20 22 [is..)..b .^.B "
D e Z 0B0: AC 57 00 22 8E 5D 00 A9 42 76 A2 00 00 8E AC 02 ,W.".].)Bv"...,.
E d Z 0C0: 8D AA 02 22 9C 6D 00 22 F1 75 00 22 5F 6E 00 A9 .*.".m."qu."_n.)
N o Z 0D0: 01 00 E2 20 8D 63 01 C2 20 AD AC 00 29 FF 00 C9 ..b .c.B -,.).I
n Z 0E0: 00 00 D0 08 F4 03 00 22 CD 25 00 7A AD C7 00 29 ..P.t.."M%.z-G.)
Z 0F0: FF 00 C9 00 00 D0 04>AF<D8 87 00 A9 01 00 E2 20 .I..P./X..)..b
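To check that a patch like the one above changed exactly one byte, and that the replacement opcode has the same length as the original, here is an added Python example (not part of the post or of Block Warden) that parses Block Warden screen rows as they appear here, row-prefix noise included, and diffs two screens. Only the 0E0 and 0F0 rows of the Before and After screens are embedded. The file-offset helper assumes that Block Warden's "Rel block" is 1-based, which is what block 48 and byte $5EF7 together imply, and the opcode-length table assumes the 16-bit accumulator mode this code runs in; both are assumptions, not statements from the post.

```python
"""Parse Block Warden hex rows, diff a Before and an After screen, and confirm that the
patched opcode keeps the instruction stream aligned.  Added example, see the lead-in."""
import re

# Rows copied from the post's Before and After screens, with their row-prefix noise
# ("n Z 0E0:") and the >..< cursor markers left in so the parser has to handle them.
BEFORE = r"""
n Z 0E0: 00 00 D0 08 F4 03 00 22 CD 25 00 7A AD C7 00 29 ..P.t.."M%.z-G.)
Z 0F0: FF 00 C9 00 00 D0 04>22<D8 87 00 A9 01 00 E2 20 .I..P."X..)..b
"""
AFTER = r"""
n Z 0E0: 00 00 D0 08 F4 03 00 22 CD 25 00 7A AD C7 00 29 ..P.t.."M%.z-G.)
Z 0F0: FF 00 C9 00 00 D0 04>AF<D8 87 00 A9 01 00 E2 20 .I..P./X..)..b
"""

# "Z 0F0:" introduces a row; the three hex digits are the offset inside the 512-byte block.
ROW_RE = re.compile(r"Z\s+([0-9A-F]{3}):\s*(.*)$")

# Opcode lengths with a 16-bit accumulator (assumption: the code runs after REP #$20).
OPCODE_LEN = {
    0x22: ("JSL long", 4), 0xAF: ("LDA long", 4), 0xAD: ("LDA abs", 3),
    0xA9: ("LDA #imm", 3), 0x29: ("AND #imm", 3), 0xC9: ("CMP #imm", 3),
    0xD0: ("BNE rel", 2), 0xF4: ("PEA", 3), 0x7A: ("PLY", 1), 0xE2: ("SEP", 2),
}


def parse_dump(text: str) -> dict[int, int]:
    """Map block offset -> byte value for every row of a Block Warden screen dump."""
    out = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        # '>' and '<' bracket the cursor byte; treating them as separators restores the
        # 16 hex tokens, and everything after those is the ASCII column, which is ignored.
        tokens = m.group(2).replace(">", " ").replace("<", " ").split()
        for i, tok in enumerate(tokens[:16]):
            out[base + i] = int(tok, 16)
    return out


def diff_dumps(before: dict[int, int], after: dict[int, int]) -> list[tuple[int, int, int]]:
    """(offset, old, new) for every byte present in both screens that differs."""
    return [(off, before[off], after[off])
            for off in sorted(before) if off in after and before[off] != after[off]]


def patch_keeps_alignment(before: dict[int, int], after: dict[int, int], offset: int) -> bool:
    """True if the old and new opcode at `offset` decode to the same instruction length,
    so the bytes that follow are still decoded as the same instructions."""
    old, new = OPCODE_LEN.get(before[offset]), OPCODE_LEN.get(after[offset])
    return old is not None and new is not None and old[1] == new[1]


def file_offset(rel_block: int, block_offset: int, block_size: int = 512) -> int:
    """Byte offset in the file for a 1-based relative block and an offset inside it
    (assumption: block 48 / byte $5EF7 in the post only fit a 1-based block count)."""
    return (rel_block - 1) * block_size + block_offset


if __name__ == "__main__":
    before, after = parse_dump(BEFORE), parse_dump(AFTER)
    for off, old, new in diff_dumps(before, after):
        print(f"block offset ${off:03X}: ${old:02X} ({OPCODE_LEN[old][0]}) -> "
              f"${new:02X} ({OPCODE_LEN[new][0]}), file offset ${file_offset(48, off):04X}, "
              f"alignment kept: {patch_keeps_alignment(before, after, off)}")
```

The diff reports a single change at block offset $0F7 (file offset $5EF7), from JSL long to LDA long, both four-byte instructions. A second 0x22 byte at offset $0E7 (the JSL $0125CD just before the check) is untouched, which is the kind of thing a byte-level diff catches and a visual comparison of two screens easily misses.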
toinet, Site Admin
Joined: 15 June 2007  Posts: 3076  Location: Le Chesnay, France
Posted: Fri 20 Nov 2020, 18:23
On Alex Lee's site, there is an HDD-compatible version, (differently) cracked by some French guy.
To apply the same crack, i.e. the complete bypass of the password:
Code:
Launch Block Warden
Prefix /SPIRIT3/HDINSTALL.INFO/
Follow SPIRIT.SYS16
At offset $5FD8: 22 -> AF
Write the block onto disk
Block: $016A (362) Volume name: SPIRIT3 Thursday 20-Nov-20 6:21
Prefix: /SPIRIT3/HDINSTALL.INFO/
Following: SPIRIT.SYS16, Type S16, Rel block 48, Byte $005F08
(c) Q 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F Edit mode
1988ZSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Z 100: 29 FF 00 C9 00 00 D0 04>22<E9 87 00 A9 01 00 E2 ).I..P."i..)..b
b Z 110: 20 8D DB 00 C2 20 A9 01 00 E2 20 8D 5F 01 C2 20 .[.B )..b ._.B
B y Z 120: A9 01 00 8D 5B 01 A9 1B 5F A2 00 00 8E 67 01 8D )...[.)._"...g..
L Z 130: 65 01 AE 97 02 AD 95 02 85 F6 86 F8 A0 03 00 B7 e....-...v.x ..7
O G Z 140: F6 29 FF 00 C9 01 00 F0 18 F4 01 00 F4 06 00 F4 v).I..p.t..t..t
C l Z 150: 00 00 F4 51 58 22 86 CA 00 7A 7A 7A 7A 22 63 CC ..tQX".J.zzzz"cL
K e Z 160: 00 F4 00 00 F4 5B 01 22 F9 3B 00 7A 7A 22 C2 CC .t..t[."y;.zz"BL
n Z 170: 00 22 31 CD 00 22 75 5B 00 22 65 87 00 F4 E5 00 ."1M."u[."e..te.
W Z 180: F4 01 00 22 FE 3A 00 7A 7A F4 F8 00 F4 E7 00 22 t.."~:.zztx.tg."
A B Z 190: FE 3A 00 7A 7A 22 27 78 00 E2 20 9C DB 00 C2 20 ~:.zz"'x.b .[.B
R r Z 1A0: E2 20 9C 5F 01 C2 20 A9 01 00 E2 20 8D C2 00 C2 b ._.B )..b .B.B
D e Z 1B0: 20 E2 20 9C D6 00 C2 20 7B 18 69 FB 00 1B 2B 6B b .V.B {.i{..+k
E d Z 1C0: 0B 3B 38 E9 F9 00 5B 69 F2 00 1B AD ED 00 29 FF .;8iy.[ir..-m.)
N o Z 1D0: 00 F0 02 80 1F 22 65 87 00 A9 FF FF 8D 5B 01 A5 .p..."e..).[.%
n Z 1E0: FF C9 7B 00 D0 05 A9 01 00 85 FF A5 FF E2 20 8D I{.P.)...%b .
Z 1F0: D6 00 C2 20 A8 7B 18 69 F9 00 1B 98 2B 6B 0B 3B V.B ({.iy...+k.;