toinet (Site Admin)
Registered: 15 June 2007  Posts: 3068  Location: Le Chesnay, France
Posted: Mon 04 Apr 2016, 10:31  Subject: Read and rhyme IIgs (Unicorn, 1988)
#822 - This is an early eduware from Unicorn, kindly sent by 4am. Thanks to a great user interface with four different games, children will learn how to find rhyming words.
Protection type
The two disks can be copied but when the first is booted, a yellow-background pic displays: BAD DISK. It seems there are hidden bits or a track length somewhere.
How to copy
Use ZZCopy or Photonix II to copy both sides. Then, store them in a dry and safe place.
Let's follow the code
This is a SYS16 application, named RHYME.SYS16. It is a compiled program with three segments: CODE, GLOBALS, and ARRAYS. That is clear. Paths are hardcoded. In segment 3, there is a table of pointers to file names at $1EB. And there is one file named FSBAD. OK, that seems clear. That file is loaded if the protection fails.
Going back to the CODE segment, we find that parameter $F4 stores the index of the filename before ASL ASL it (or x4 because long is 32 bits) and getting the pointer from the above table.
Now, we'll look for the use of $F4. We find numerous calls (because parameters are sent through the stack and the direct page is set at the beginning of each call to the first parameter in the stack).
The one that interests us is at $174F. There is one parameter pushed onto the stack, then a call to $8614, then the result is stored at $F4 and a comparison is performed. If the result is zero, then the routine at $20FD is called, otherwise it goes to $1758 and calls $1BEE.
At $20FD, we find that the code loads the FSBAD file and performs an infinite loop (BRA to self, or 80 FE).
OK, we have found the check, the protection check address.
At $8614, after some analysis, we find the usual track length check. It returns with a 0 if this is a copy or #$FF if we have the original.
Hooray, we have it. We will now replace the JSL with a LDAL and that will be sufficient because the check is 0 or non-zero. Putting a LDAL will return a non-zero value (not FF but non-zero) and that is sufficient. We know we will never have a zero value at $8614, otherwise it would be seen as a BRK opcode and the call would crash the program.
How to crack
Launch Block.Warden and...
Code:
Prefix /RR1
Follow file RHYME.SYS16
At offset $799:22 -> AF
Write the block back onto disk
The disk images are at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
4/2016
Some updates
The disk you will find contains RHYMEHDD.SYS16 and a readme file. I've disassembled, removed the protection and changed the two disk-check routines. Now, that version is HDD installable and runnable.
toinet (Site Admin)
Posted: Mon 04 Apr 2016, 10:31
And some code
Code:
The arrays
--------------------------------------------------------------------------------
03/01C0: 2F5252312F ASC '/RR1/FSTR'00
03/01CA: 2F5252312F ASC '/RR1/FSVG'00
03/01D4: 2F5252312F ASC '/RR1/FSGOOD'00
03/01E0: 2F5252312F ASC '/RR1/FSBAD'00
03/01EB: C0010300 ADRL $000301C0
03/01EF: CA010300 ADRL $000301CA
03/01F3: D4010300 ADRL $000301D4
03/01F7: E0010300 ADRL $000301E0
03/01FB: 2F5252312F ASC '/RR1/FSSONG1'00
03/0208: 2F5252312F ASC '/RR1/UNIC.PC1'00
03/0216: 2F5252312F ASC '/RR1/TITLE.PC1'00
03/0225: 0100 DW $0001
03/0227: 4100 DW $0041
03/0229: 9100 DW $0091
03/022B: 5B00 DW $005B
03/022D: 0100 DW $0001
03/022F: 6500 DW $0065
03/0231: 9100 DW $0091
03/0233: 7F00 DW $007F
03/0235: 0100 DW $0001
--------------------------------------------------------------------------------
The protection call
--------------------------------------------------------------------------------
01/1739: F42612 PEA $1226
01/173C: 22F5A800 JSL $01A8F5
01/1740: 7A PLY
01/1741: 7A PLY
01/1742: 22F59D00 JSL $019DF5
01/1746: AD1A00 LDA $02001A ; Get memID
01/1749: 48 PHA
01/174A: 22148600 JSL $018614 ; Call protection
01/174E: 7A PLY
01/174F: 85F4 STA $F4 ; result in A
01/1751: A8 TAY
01/1752: D004 BNE $1758 ; Must be <>0
01/1754: 22FD2000 JSL $0120FD ; 00: bad disk
01/1758: 22EE1B00 JSL $011BEE ; FF: original
01/175C: 64F4 STZ $F4
01/175E: 826900 BRL $17CA
01/1761: A5F4 LDA $F4
01/1763: 0A ASL
01/1764: A20000 LDX #$0000
01/1767: DA PHX
--------------------------------------------------------------------------------
The entry point of the protection
--------------------------------------------------------------------------------
01/8614: 8B PHB ; The protection
01/8615: 08 PHP
01/8616: 4B PHK
01/8617: AB PLB
01/8618: 48 PHA
01/8619: 227E8600 JSL $01867E
01/861D: 68 PLA
01/861E: E230 SEP #$30
01/8620: A221 LDX #$21
01/8622: A001 LDY #$01
01/8624: 206086 JSR $8660 ; Read track
01/8627: B033 BCS $865C
01/8629: E0B0 CPX #$B0 ; Check length
01/862B: 98 TYA
01/862C: E91D SBC #$1D
01/862E: 902C BCC $865C
01/8630: E078 CPX #$78
01/8632: 98 TYA
01/8633: E91E SBC #$1E
01/8635: B025 BCS $865C
01/8637: A220 LDX #$20
01/8639: A001 LDY #$01
01/863B: 206086 JSR $8660 ; Read track
01/863E: B01C BCS $865C
01/8640: E040 CPX #$40 ; Check length
01/8642: 98 TYA
01/8643: E91F SBC #$1F
01/8645: 9015 BCC $865C
01/8647: E008 CPX #$08
01/8649: 98 TYA
01/864A: E920 SBC #$20
01/864C: B00E BCS $865C
01/864E: A9FF LDA #$FF ; Good disk
01/8650: 48 PHA
01/8651: 22228700 JSL $018722
01/8655: A900 LDA #$00 ; Bad disk
01/8657: EB XBA
01/8658: 68 PLA
01/8659: 28 PLP
01/865A: AB PLB
--------------------------------------------------------------------------------
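The two "Check length" blocks in the $8614 listing above are the 65816 idiom for an unsigned 16-bit range test. As an added example that is not part of the original post, the following models that idiom and decodes the acceptance window for each track; it assumes the read routine at $8660 returns the measured length with X as the low byte and Y as the high byte, which the post does not state.

```python
# Added example (not code from the original post): model the two "Check length"
# blocks of the $8614 listing as unsigned 16-bit range tests.
# Assumption: the read routine at $8660 leaves the measured track length in
# Y:X (Y = high byte, X = low byte); the post only labels the compares
# "Check length", so that meaning is inferred here.

# (lo, hi) pairs from each CPX #lo / TYA / SBC #hi sequence, in listing order:
# the first pair is followed by BCC (fail when below), the second by BCS
# (fail when at or above).
TRACK_CHECKS = {
    0x21: ((0xB0, 0x1D), (0x78, 0x1E)),
    0x20: ((0x40, 0x1F), (0x08, 0x20)),
}


def sbc_idiom_carry(length, lo, hi):
    """Carry left by CPX #lo ; TYA ; SBC #hi with Y:X = length (8-bit registers).

    CPX sets C = (X >= lo); SBC then computes Y - hi - (1 - C), so the final
    carry is set exactly when the 16-bit value Y:X is >= hi:lo.
    """
    x, y = length & 0xFF, (length >> 8) & 0xFF
    carry_in = 1 if x >= lo else 0
    return (y - hi - (1 - carry_in)) >= 0  # True: carry set, no borrow


def acceptance_window(track):
    """Half-open [minimum, maximum) length the routine accepts for a track."""
    (lo1, hi1), (lo2, hi2) = TRACK_CHECKS[track]
    return ((hi1 << 8) | lo1, (hi2 << 8) | lo2)


def protection_result(track_lengths):
    """Mimic the value $8614 returns: 0xFF for an original, 0x00 otherwise.

    track_lengths maps track -> measured length; a missing track stands for
    the read-error path (BCS $865C right after JSR $8660).
    """
    for track, (low, high) in TRACK_CHECKS.items():
        length = track_lengths.get(track)
        if length is None:
            return 0x00                        # read failed
        if not sbc_idiom_carry(length, *low):  # BCC $865C: too short
            return 0x00
        if sbc_idiom_carry(length, *high):     # BCS $865C: too long
            return 0x00
    return 0xFF                                # LDA #$FF ; Good disk
```

Decoded this way, track $21 must measure $1DB0 to $1E77 and track $20 must measure $1F40 to $2007, which is why a plain copy (different track length) takes the 0x00 path and loads FSBAD.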
toinet (Site Admin)
Posted: Mon 04 Apr 2016, 10:32
And the Block.Warden view
Code:
Block: $0352 (850) Volume name: RR1 Saturday 3-Apr-16 12:15
Prefix: /RR1/
Following: RHYME.SYS16, Type S16, Rel block 4, Byte $000799
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  Edit mode
100: 00 00 E1 B0 03 A9 00 00 8F 02 00 02 7B 18 69 F9  ..a0.)......{.iy
110: 00 1B 2B 6B 0B 3B 38 E9 FB 00 5B 69 F4 00 1B F4  ..+k.;8i{.[it..t
120: 28 00 F4 B8 00 F4 B8 00 22 0E CD 00 48 F4 23 00  (.t8.t8.".M.Ht#.
130: F4 1E 00 F4 94 00 F4 94 00 F4 C0 00 F4 C0 00 F4  t..t..t..t@.t@.t
140: AB 00 F4 AB 00 F4 AE 00 F4 AE 00 A2 01 11 22 00  +.t+.t..t.."..".
150: 00 E1 B0 03 A9 00 00 8F 02 00 02 68 7B 18 69 FB  .a0.)......h{.i{
160: 00 1B 2B 6B F1 00 10 00 00 F2 92 E0 00 00 0B 3B  ..+kq....r.`...;
170: 38 E9 FB 00 5B 69 F2 00 1B F4 04 00 22 0B AA 00  8i{.[ir..t..".*.
180: 7A 22 68 A4 00 F4 00 00 F4 26 12 22 F5 A8 00 7A  z"h$.t..t&."u(.z
190: 7A 22 F5 9D 00 AD 1A 00 48>22<14 86 00 7A 85 F4  z"u..-..H"...z.t
1A0: A8 D0 04 22 FD 20 00 22 EE 1B 00 64 F4 82 69 00  (P."} ."n..dt.i.
1B0: A5 F4 0A A2 00 00 DA 48 A9 24 03 A2 24 03 22 91  %t."..ZH)$."$.".
1C0: C3 00 A5 F4 0A 0A A2 00 00 DA 48 A9 10 03 A2 10  C.%t.."..ZH)..".
1D0: 03 22 91 C3 00 A5 F4 0A 0A A2 00 00 DA 48 A9 F8  .".C.%t.."..ZH)x
1E0: 02 A2 F8 02 22 91 C3 00 A5 F4 0A 0A A2 00 00 DA  ."x.".C.%t.."..Z
1F0: 48 A9 EB 01 A2 EB 01 22 91 C3 00 68 FA 85 F6 86  H)k."k.".C.hz.v.