toinet Site Admin
Joined: 15 Jun 2007 Posts: 2949 Location: Le Chesnay, France
Posted: Fri 08 Sep 2017, 17:54 Post subject: Microtype IIgs (South-Western, 1989)
#937 - The IIgs specific version of the keyboard learning program by South-Western Publishing. Cool!
Disk structure
This is a standard 3.5" ProDOS disk that can be copied apart from block 8. It is interesting to note that the catalog displays a set of 51 MicroType sub-folders only. That is weird!
How to copy
Use ZZCopy or Photonix II to copy your original disk TWICE. Then, store it in a dry and safe place.
Boot trace
When you boot your copy, the following message is displayed: "This diskette does not allow the making of a back-up copy."
So, I tried to catalog the disk. As the catalog was empty (I consider that 51 MicroType sub-folders means it is not the right main folder that is displayed), I browsed the entire disk to try to locate the real volume folder. I found it at block $63B (phew, that was long).
So, with Block.Warden, I read block #$63B, I saved it at block 2 and modified the first bytes (00 00 3C 06 -> 00 00 00 00) which contain the previous and next volume folder and then I played with my disk.
As it is a ProDOS disk, the boot process is ProDOS > BASIC.System (the first .SYSTEM file in the root directory) then STARTUP in our case. A read of the code loaded at $810 shows that it loads the BASIC1/HELLO file.
At line 10600, there is an init. The GSID file is loaded, a CALL 2073 is performed and if the result of PEEK(0)+PEEK(1)*258=18 we can go on, otherwise we display the "The diskette does not..." message.
So, what do we have at 2073 ($819): a jump to $924. There, the stack is preserved, X/Y (a pointer to the volume name) is passed to a routine at $00/3000 (that is the load address of the GSID file) and the return value (in A) is stored at addresses $00..$01. That is cool.
How to crack
We do not need to call the protection. We just need to bypass it and say that the return value is 18. So, we'll patch the STARTUP file only!
Launch Block.Warden
Insert the unmodified root directory copy (remember, I told you to copy it two times)
Change to Slot 5, drive 1
Read block #$44
At offset $12D: A0 00 00 22 -> A9 12 00 8F
Save the block back onto disk.
What I did is change the LDY #$0000 (A0 00 00) and JSL (22) with LDA #$0012 (A9 12 00) STAL (8F)
Exercise for the reader - One alternate crack could have been a change of the BASIC1/HELLO program at line 10640 by replacing the GOTO 10640 with a GOTO 11000...
How to normalize
As the root directory is moved to another block (#$63B instead of #$0002), I've decided to normalize the disk.
The actions performed:
1. Copy block #$63B at block #$0002,
2. Update the root directory pointers at offset $0000: 00 00 00 00
3. Copy the files onto another disk
4. Replace the ProDOS 1.4 of the disk with a REAL ProDOS file system from Apple.
5. Done.
Why a REAL ProDOS file system? Because it is in that file that we have the routines to read the root directory. This is at two places and the parameters are in X (high block pointer of the root directory) and A (low block pointer of the root directory). That is used at two places: offset $138C and $1933 of the ProDOS file. You can exercise and try the changes.
The disk images are available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
9/2017 |
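Added example, not part of the original post: a Python sketch that automates the block-by-block search for a relocated volume directory described above, by scanning a raw ProDOS-order image for blocks that carry a volume directory header. It assumes the standard ProDOS header layout (previous/next pointers at bytes 0-3, storage type and name length at byte 4, entry geometry at $23/$24, total blocks at $29); the sample image and the volume name SAMPLE.VOL are constructed, and only block $63B and the pointer bytes 00 00 3C 06 are taken from the post.

```python
import struct

BLOCK_SIZE = 512  # ProDOS block size in bytes


def parse_volume_header(block):
    """Return the volume directory header fields of one block, or None."""
    if len(block) != BLOCK_SIZE:
        return None
    prev_blk, next_blk, type_len = struct.unpack_from("<HHB", block, 0)
    name = block[5:5 + (type_len & 0x0F)]
    # A volume directory key block has storage type $F and the standard
    # entry geometry: $27 bytes per entry, $0D entries per block.
    if type_len >> 4 != 0xF or (block[0x23], block[0x24]) != (0x27, 0x0D):
        return None
    # ProDOS names start with a letter and hold letters, digits and periods.
    if not name[:1].isalpha() or not name.replace(b".", b"").isalnum():
        return None
    total = struct.unpack_from("<H", block, 0x29)[0]
    return {"name": name.decode("ascii"), "prev": prev_blk,
            "next": next_blk, "total_blocks": total}


def find_volume_headers(image):
    """Scan every block of a raw image and list (block, header) matches."""
    hits = []
    for blk in range(len(image) // BLOCK_SIZE):
        hdr = parse_volume_header(image[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE])
        if hdr:
            hits.append((blk, hdr))
    return hits


def build_sample_image():
    """Constructed 800K image: blank except for one header at block $63B."""
    image = bytearray(1600 * BLOCK_SIZE)
    hdr = bytearray(BLOCK_SIZE)
    name = b"SAMPLE.VOL"  # constructed volume name
    # Pointer bytes as in the post: 00 00 3C 06 (prev = 0, next = $063C)
    struct.pack_into("<HHB", hdr, 0, 0x0000, 0x063C, 0xF0 | len(name))
    hdr[5:5 + len(name)] = name
    hdr[0x23], hdr[0x24] = 0x27, 0x0D
    struct.pack_into("<H", hdr, 0x29, 1600)
    image[0x63B * BLOCK_SIZE:0x63C * BLOCK_SIZE] = hdr
    return bytes(image)


if __name__ == "__main__":
    for blk, hdr in find_volume_headers(build_sample_image()):
        print(f"block ${blk:04X}: /{hdr['name']} next=${hdr['next']:04X}")
```

A header found anywhere other than block 2 is the signal that the directory has been relocated, which is the situation the post's normalization steps undo.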
toinet Site Admin
Posted: Fri 08 Sep 2017, 17:55
Some code...
Code: |
The protection call
00/0924: A2 00 LDX #00
00/0926: BD 00 01 LDA 0100,X
00/0929: 9D 00 2F STA 2F00,X
00/092C: E8 INX
00/092D: D0 F7 BNE 0926 {-09}
00/092F: 18 CLC
00/0930: FB XCE
00/0931: C2 30 REP #30
00/0933: BA TSX
00/0934: 86 00 STX 00
00/0936: A9 FF 2E LDA #2EFF
00/0939: 1B TCS
00/093A: A2 57 09 LDX #0957
00/093D: A0 00 00 LDY #0000
00/0940: 22 00 30 00 JSL 003000 ; call protection check
00/0944: A6 00 LDX 00
00/0946: 9A TXS
00/0947: 85 00 STA 00
00/0949: 38 SEC
00/094A: FB XCE
00/094B: A2 00 LDX #00
00/094D: BD 00 2F LDA 2F00,X
00/0950: 9D 00 01 STA 0100,X
00/0953: E8 INX
00/0954: D0 F7 BNE 094D {-09}
00/0956: 60 RTS
toinet Site Admin
Posted: Fri 08 Sep 2017, 17:56
The BASIC1/HELLO program
Code: |
WARNING
10500 GOSUB 100:LM = 3: & PRINT "The use of this software/data is gove
rned by the terms of a nonexclusive and nontransferable license agre
ement. The software/data may be used only on a single microcomputer
that is not part of a network ",LM,20,,,,LM,320,12
10510 & CONT "or multi-machine system. It may not be revised, transla
ted, converted, disassembled, or otherwise reverse engineered. You
may not copy, sell, license, lease, rent, loan, or otherwise distrib
ute or network the software/data."
10590 X = 3000: GOSUB 9000
10600 POKE KC,0: CALL 5 * 16 ^ 3 + 3: POKE 5 * 16 ^ 3,96
10610 PRINT D$"BLOAD GSID": CALL 2073: IF PEEK (0) + PEEK (1) * 256 =
18 THEN 11000
10620 GOSUB 100:X = 50:Y = 90:SH = 3: GOSUB 600
10630 & PRINT "This diskette does not allow the making of a back-up co
py.",30,30,,,,30,320 - 30,12
10640 GOTO 10640
11000 GOSUB 100:LM = 30
toinet Site Admin
Posted: Fri 08 Sep 2017, 17:56
The Block.Warden view
Code: |
Block: $0044 (68) Volume name: ESI Thursday 8-Sep-17 10:52
Prefix: /ESI/
Following: STARTUP, Type BIN, Rel block 1, Byte $00012D
(c) Q 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F Edit mode
1988ZSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Z 100: A0 D2 C5 D3 D4 C1 D2 D4 AE 00 68 A8 68 A6 DF 9A RESTART..h(h&_.
b Z 110: 48 98 48 60 A2 00 BD 00 01 9D 00 2F E8 D0 F7 18 H.H`".=..../hPw.
B y Z 120: FB C2 30 BA 86 00 A9 FF 2E 1B A2 57 09-A0 00 00 {B0:..).."W. ..
L Z 130: 22-00 30 00 A6 00 9A 85 00 38 FB A2 00 BD 00 2F ".0.&....8{".=./
O G Z 140: 9D 00 01 E8 D0 F7 60 04 2F 45 53 49 2E 4D 49 43 ...hPw`./ESI.MIC
C l Z 150: 52 4F 54 59 50 45 47 53 AD 37 BE C9 08 D0 01 60 ROTYPEGS-7>I.P.`
K e Z 160: 8D 20 08 AD 36 BE 8D 1F 08 20 CD 09 A9 25 8D 36 . .-6>... M.)%.6
n Z 170: BE A9 08 8D 37 BE A9 62 8D F2 03 8D FB 03 8D FE >)..7>)b.r..{..~
W Z 180: 03 A9 08 8D F3 03 8D FC 03 8D FF 03 20 6F FB A2 .)..s..|... o{"
A B Z 190: 01 86 67 A2 56 86 68 A2 00 8E 00 56 86 76 A2 00 ..g"V.h"...V.v".
R r Z 1A0: BD BE 09 9D 00 02 F0 03 E8 10 F5 4C 03 BE AD C2 =>....p.h.uL.>-B
D e Z 1B0: C1 D3 C9 C3 B1 AF C8 C5 CC CC CF 8D 00 20 58 FC ASIC1/HELLO.. X|
E d Z 1C0: A9 0E 85 24 A9 0B 85 25 20 22 FC A2 00 BD E9 09 )..$)..% "|".=i.
N o Z 1D0: F0 06 20 ED FD E8 D0 F5 60 D0 EC E5 E1 F3 E5 A0 p. m}hPu`Please
n Z 1E0: F7 E1 E9 F4 AE 8D 00 00 00 00 00 00 00 00 00 00 wait............
Z 1F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................