toinet Site Admin
Joined: 15 Jun 2007 Posts: 2949 Location: Le Chesnay, France

Posted: Wed 10 Feb 2016, 23:43 Post subject: Silpheed IIgs (Sierra, 1988)

#721 - A great arcade game from Game Arts, the Japanese studio/partner of Sierra.
Protection type
This is a password protection, called off-disk protection: you have to enter the name of an enemy and, if you give the right answer (which is in the manual), you can play. Otherwise you quit the game, alas.
Some sort of reverse-engineering
The game loads, shows its great introduction, and then a black screen appears: "Super dogfighter flight...", then "Type in the name of the enemy shown below".
That string is located in file GAMEPLAY, in segment 2 at $60BA. It is used by segment $2B (named "protchec"), which is called by segment 1 at offset $E6.
A variable at $022E30 is the flag of the protection result: 0 means bad answer ("copy") and <>0 (1 to be precise) means right answer ("original").
How to crack
Launch Block.Warden
Prefix /SILPHEED1
Follow file GAMEPLAY
At offset $126: 22 (JSL) -> AF (LDAL)
At offset $12A: AD (LDA) -> 8D (STA)
What do we do here? Instead of calling the protection check, we will store a non-zero value in the flag. So, we replace a call and load with a load and store. That's all and that works fine.
The disk image is at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
2/2016
toinet Site Admin

Posted: Wed 10 Feb 2016, 23:46

Some parts of the code and data of file GAMEPLAY
Code:
We are in the arrays segment, where all the data is stored. We clearly see all the strings and pointers to the different items used by the protection.
02/6086: 2020205459 ASC ' TYPE IN THE NAME OF THE '00
02/60A2: 2020202020 ASC ' ENEMY SHOWN BELOW'00
02/60BA: 5355504552 ASC 'SUPER DOGFIGHTER FLIGHT SCHOOLI
02/60D9: 0000000000 DS $000A
02/60E3: 2020202020 ASC ' ' ; Where the user enters the answer
02/60EF: FFFFFFFFFF DS $0020,$FF
02/610F: 4B41494C45 ASC 'KAILE'00 ; List of enemies name
02/6115: 47494C414E ASC 'GILAN'00
02/611B: 4E415A414C ASC 'NAZALYS'00
02/6123: 474F4E4F53 ASC 'GONOSU'00
02/612A: 4441474152 ASC 'DAGAR'00
02/6130: 42554C554F ASC 'BULUOUWA'00
02/6139: 54414C4C45 ASC 'TALLES'00
02/6140: 4645495A45 ASC 'FEIZEL'00
02/6147: 4C415A454C ASC 'LAZEL'00
02/614D: 534154454C ASC 'SATELLITE'00
02/6157: 56454E4E4F ASC 'VENNON'00
02/615E: 504C554F41 ASC 'PLUOA'00
02/6164: 41544F4C41 ASC 'ATOLATAL'00
02/616D: 414E475553 ASC 'ANGUS'00
02/6173: 424F415244 ASC 'BOARDEAN'00
02/617C: 0F61 DA $610F ; Table of pointers
02/617E: 1561 DA $6115 ; of the enemies name
02/6180: 1B61 DA $611B
02/6182: 2361 DA $6123
02/6184: 2A61 DA $612A
02/6186: 3061 DA $6130
02/6188: 3961 DA $6139
02/618A: 4061 DA $6140
02/618C: 4761 DA $6147
02/618E: 4D61 DA $614D
02/6190: 5761 DA $6157
02/6192: 5E61 DA $615E
02/6194: 6461 DA $6164
02/6196: 6D61 DA $616D
02/6198: 7361 DA $6173
02/619A: B8110900 ADRL $000911B8 ; Table of pointers
02/619E: 67160900 ADRL $00091667 ; to the enemies code
02/61A2: 38010900 ADRL $00090138
02/61A6: BE1D0900 ADRL $00091DBE
02/61AA: 8F280900 ADRL $0009288F
02/61AE: 2A2D0B00 ADRL $000B2D2A
02/61B2: 452C0900 ADRL $00092C45
02/61B6: 00000B00 ADRL $000B0000
02/61BA: F2220B00 ADRL $000B22F2
02/61BE: 2E270B00 ADRL $000B272E
02/61C2: D11E0B00 ADRL $000B1ED1
02/61C6: 30250900 ADRL $00092530
02/61CA: EC340B00 ADRL $000B34EC
02/61CE: 62170B00 ADRL $000B1762
02/61D2: 8B100B00 ADRL $000B108B
Main segment. This is where the protection is called and this is what we replace: the JSL at $E6 and the LDA at $EA. Don't forget that each segment of an OMF file has a header; that's why the offsets given in the first message differ from the ones here.
01/00E1: AD303E LDA $023E30 ; Was prot result OK?
01/00E4: D00C BNE $00F2
01/00E6: 2200002B JSL $2B0000 ; No, jump to it!
01/00EA: AD303E LDA $023E30 ; What is the result?
01/00ED: D003 BNE $00F2 ; <>0: OK
01/00EF: 4C3F02 JMP $023F ; =0, quit game
01/00F2: AD2C3E LDA $023E2C
01/00F5: D007 BNE $00FE
01/00F7: 22370014 JSL $140037
01/00FB: 4C0201 JMP $0102
01/00FE: 22E80014 JSL $1400E8
01/0102: 222C2311 JSL $11232C
01/0106: 645C STZ $5C
01/0108: 22BD0501 JSL $0105BD
01/010C: 8D5100 STA $020051
01/010F: A90100 LDA #$0001
01/0112: 8DF857 STA $0257F8
01/0115: 221F0312 JSL $12031F
01/0119: 22F0000F JSL $0F00F0
01/011D: AD063E LDA $023E06
Segment PROTCHECK
This is where the user enters his answer
2B/0000: 08 PHP ; Entry point of the
2B/0001: E220 SEP #$20 ; password check
2B/0003: A00A00 LDY #$000A
2B/0006: A920 LDA #$20 ; Blank the 11-byte answer
2B/0008: 99E360 STA $0260E3,Y ; buffer with spaces
2B/000B: 88 DEY
2B/000C: 10FA BPL $0008
2B/000E: C220 REP #$20
2B/0010: A95555 LDA #$5555
2B/0013: 8D853D STA $023D85
2B/0016: A91420 LDA #$2014
2B/0019: 8504 STA $04
2B/001B: A9BA60 LDA #$0260BA
2B/001E: 8500 STA $00
2B/0020: A90200 LDA #^$0260BA
2B/0023: 8502 STA $02
2B/0025: 22EB0618 JSL $1806EB
2B/0029: A9FFFF LDA #$FFFF
2B/002C: 8D853D STA $023D85
2B/002F: A95426 LDA #$2654
And this is where it is compared. The result of the comparison is stored in $5C.
2B/0187: 08 PHP
2B/0188: C220 REP #$20
2B/018A: ADDF60 LDA $0260DF
2B/018D: 0A ASL
2B/018E: 18 CLC
2B/018F: 697C61 ADC #$02617C ; requested Enemy
2B/0192: 856C STA $6C
2B/0194: B26C LDA ($6C)
2B/0196: 856C STA $6C
2B/0198: A9E360 LDA #$0260E3 ; my Enemy
2B/019B: 8560 STA $60
2B/019D: E220 SEP #$20
2B/019F: B26C LDA ($6C) ; end of string
2B/01A1: 1260 ORA ($60)
2B/01A3: F018 BEQ $01BD ; leave
2B/01A5: B26C LDA ($6C) ; now compare
2B/01A7: D260 CMP ($60)
2B/01A9: F003 BEQ $01AE ; letters match
2B/01AB: 4CB701 JMP $01B7 ; they differ, leave
2B/01AE: C220 REP #$20
2B/01B0: E660 INC $60
2B/01B2: E66C INC $6C
2B/01B4: 4C9D01 JMP $019D
2B/01B7: C220 REP #$20
2B/01B9: 645C STZ $5C ; letters entered differ
2B/01BB: 28 PLP ; NOP the two lines
2B/01BC: 6B RTL ; and you're good to play also
2B/01BD: C220 REP #$20 ; same string, we're good
2B/01BF: A90100 LDA #$0001
2B/01C2: 855C STA $5C
2B/01C4: 28 PLP
2B/01C5: 6B RTL
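Added example, not code from the posts above: a small Python patcher that applies the two byte changes from the first post (offset $126: 22 -> AF, offset $12A: AD -> 8D) to a copy of GAMEPLAY. It refuses to write unless the original opcodes are where the post says they are, so it cannot damage a different file or a file that is already patched, and it decodes the two instructions before and after so you can see the JSL/LDA pair turn into an LDAL/STA pair. The operand bytes (2200002B and AD303E) are taken from the segment 1 listing above; the sample buffer is constructed for the demonstration, and the `.orig` backup name is my own choice.

```python
"""Apply the Silpheed IIgs GAMEPLAY patch from the post, verifying the original bytes first.

Added example, not code from the original post. File offsets, opcodes and operands
come from the two posts: file offset $126 (22 -> AF) and $12A (AD -> 8D), which are
segment 1 offsets $E6 / $EA plus a $40-byte OMF segment header.
"""
from pathlib import Path

# (file offset, expected original opcode, replacement opcode)
PATCH = (
    (0x126, 0x22, 0xAF),  # JSL $2B0000  -> LDA $2B0000 (absolute long)
    (0x12A, 0xAD, 0x8D),  # LDA $023E30  -> STA $023E30
)

# Difference between the file offset in post 1 and the in-segment offset in post 2's listing.
OMF_SEGMENT_HEADER_LEN = 0x126 - 0xE6  # 0x40

# Minimal 65816 decoder for the four opcodes involved: opcode -> (mnemonic, operand bytes)
OPCODES = {
    0x22: ("JSL", 3),   # 24-bit target
    0xAF: ("LDAL", 3),  # LDA absolute long, 24-bit address
    0xAD: ("LDA", 2),   # LDA absolute, 16-bit address (data bank register supplies $02)
    0x8D: ("STA", 2),   # STA absolute
}


def decode(data: bytes, off: int) -> str:
    """Return 'MNEMONIC $OPERAND' for the instruction at off (operand is little-endian)."""
    mnemonic, n = OPCODES[data[off]]
    operand = int.from_bytes(data[off + 1 : off + 1 + n], "little")
    return f"{mnemonic} ${operand:0{2 * n}X}"


def describe(data: bytes) -> list[str]:
    """Decode the two instructions the patch touches."""
    return [decode(data, off) for off, _, _ in PATCH]


def is_patched(data: bytes) -> bool:
    return all(data[off] == new for off, _, new in PATCH)


def apply_patch(data: bytes) -> bytes:
    """Return a patched copy; refuse to touch a buffer whose bytes do not match the post."""
    buf = bytearray(data)
    for off, old, new in PATCH:
        if off >= len(buf):
            raise ValueError(f"file too short: no byte at offset {off:#x}")
        if buf[off] != old:
            raise ValueError(
                f"offset {off:#x}: expected {old:#04x}, found {buf[off]:#04x} "
                "(wrong file, or already patched)"
            )
        buf[off] = new
    return bytes(buf)


def patch_file(path: str) -> None:
    """Patch GAMEPLAY in place, keeping a .orig copy (hypothetical backup name); idempotent."""
    p = Path(path)
    data = p.read_bytes()
    if is_patched(data):
        print(f"{p}: already patched")
        return
    p.with_suffix(p.suffix + ".orig").write_bytes(data)
    p.write_bytes(apply_patch(data))
    print(f"{p}: patched, original saved as {p.name}.orig")


def make_sample() -> bytes:
    """Constructed stand-in for GAMEPLAY: zeros except the two instructions from the listing."""
    buf = bytearray(0x140)
    buf[0x126:0x12A] = bytes.fromhex("2200002B")  # 01/00E6: JSL $2B0000
    buf[0x12A:0x12D] = bytes.fromhex("AD303E")    # 01/00EA: LDA $023E30
    return bytes(buf)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        patch_file(sys.argv[1])  # e.g. python patch_silpheed.py GAMEPLAY
    else:
        before = make_sample()
        after = apply_patch(before)
        print("before:", describe(before))  # ['JSL $2B0000', 'LDA $3E30']
        print("after: ", describe(after))   # ['LDAL $2B0000', 'STA $3E30']
```

Only the opcode bytes change; the operands stay put, which is why the replacement works: the LDAL now reads the first two bytes of the protchec segment (08 E2 in the listing, the PHP and SEP opcodes) in 16-bit mode, so A holds $E208 rather than 1, and the STA writes that into the flag. The test at 01/00ED is a BNE, so any non-zero value passes.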