qkumba
Joined: 29 Jan 2012 Posts: 176
|
Posted: Sat 28 Jul 2018, 2:04 Post subject: Snack Attack (Datamost, 1982) |
|
|
A Pac-Man clone with different characters. It expands on the original by having a "safe" zone in the middle of the screen.
We start with a hybrid bootsector, which allows the disk to work on either a 5-and-3 drive or a 6-and-2 drive.
Code: | 0801 LDX #$00
0803 LDA $0800,X
0806 STA $0200,X
0809 INX
080A BNE $0803
080C JMP $020F |
Copy the loader out of the way.
Code: | 020F LDY #$AB
0211 TYA
0212 STA $3C
0214 LSR
0215 ORA $3C
0217 CMP #$FF
0219 BNE $0224
021B CPY #$D5
021D BEQ $0224
021F TXA
0220 STA $0800,Y
0223 INX
0224 INY
0225 BNE $0211
0227 STY $3D
0229 STY $26
022B LDA #$03
022D STA $27
022F LDX $2B
0231 JSR $025D
0234 JSR $02D1
0237 LDA #$A9
0239 STA $031F
023C LDA #$02
023E STA $0320
0241 JMP $0301 |
Load the next stage.
Code: | 0301 LDA $0800,Y
0304 ASL
0305 ASL
0306 ASL
0307 STA $0800,Y
030A INY
030B BNE $0301
030D LDX $2B
030F LDA #$09
0311 STA $27
0313 LDA $03CC
0316 STA $41
0318 STY $40
031A TXA
031B LSR
031C LSR
031D LSR
031E LSR
031F LDA #$02
0321 STA $3F
0323 LDA #$5D
0325 STA $3E
0327 JSR $0343
032A JSR $0346
032D LDA $3D
032F EOR $03FF
0332 BEQ $033A
0334 INC $41
0336 INC $3D
0338 BNE $0327
033A STA $3E
033C LDA $03CC
033F STA $3F
0341 INC $3F
0343 JMP ($003E) |
Load RWTS to $B700+.
Now it gets interesting.
Code: | B700 STX $B7E9
B703 STX $B7F7
B706 LDA #$01
B708 STA $B7F8
B70B STA $B7EA
B70E LDA $B7E0
B711 STA $B7E1 ;sector count for multi-sector load
B714 LDA #$00
B716 STA $B7EC ;track
B719 LDA $B7E2
B71C STA $B7ED ;sector
B71F LDA $B7E3
B722 STA $B7F1 ;address
...
B73D JSR $B793
B740 NOP
B741 JSR $FE93
B744 JSR $FE89
B747 JMP $800 |
It looks like a multi-sector read and then running from $800. It's fake.
Let's see.
Code: | B7E0 .BYTE $70 ;sector count, that looks real
...
B7E3 .BYTE $08 ;address $800, that looks real |
Nothing suspicious yet, but wait...
Code: | BD00 STY $48
BD02 STA $49
BD04 LDY #$02
BD06 STY $06F8
BD09 LDY #$04
BD0B STY $04F8
BD0E LDY #$01
BD10 LDA ($48),Y
BD12 TAX
BD13 NOP
BD14 LDA $B7EC ;track
BD17 BNE $BD34
BD19 LDA #$B7
BD1B LDY #$09
BD1D STA ($48),Y
BD1F LDA #$01
BD21 STA $B7E1
BD24 BNE $BD34 |
If track is zero, replace the address with $B700, so the read will overwrite itself!
The call to $B793 continues from $B740 on return, but now $B740 looks like this:
Code: | B740 JMP $B74A
...
B74A LDA #$A2
B74C STA $B73B
B74F LDA #$FF
B751 STA $B73C
B754 LDA #$9A
B756 STA $B73D
B759 LDA $FE93
B75C LDA $C081
B75F LDA $C081
B762 LDY #$00
B764 STA $0800,Y
B767 INY
B768 BNE $B764
B76A INC $B766
B76D LDA $B766
B770 CMP #$B7
B772 BNE $B762
B774 LDY #$00
B776 STA $D000,Y
B779 INY
B77A BNE $B776
B77C INC $B778
B77F LDA $B778
B782 BNE $B774
B784 JMP $B700 |
That erases all other memory and then runs $B700 again, which looks almost exactly like the previous one:
Code: | B700 STX $B7E9
B703 STX $B7F7
B706 LDA #$01
B708 STA $B7F8
B70B STA $B7EA
B70E LDA $B7E0
B711 STA $B7E1 ;sector count for multi-sector load
B714 LDA #$00
B716 STA $B7EC ;track
B719 LDA $B7E2
B71C STA $B7ED ;sector
B71F LDA $B7E3
B722 STA $B7F1 ;address
B725 LDA #$01
B727 STA $B7F4
B72A TXA
B72B LSR
B72C LSR
B72D LSR
B72E LSR
B72F TAX
B730 LDA #$00
B732 STA $04F8,X
B735 STA $0478,X
B738 JSR $B793
B73B LDA #$38
B73D STA $B963
B740 JMP $B74A |
And then the same thing as before:
Code: | B7E0 .BYTE $01 ;sector count, that looks real
...
B7E3 .BYTE $08 ;address $800, that looks real |
But again, the track is zero, so this read will also overwrite itself.
The call to $B793 continues from $B73B on return, but now $B73B looks like this:
Code: | B73B LDA #$38
B73D STA $B963
B740 JMP $B759
...
B74A LDA $C050
B74D LDA $C052
B750 LDA $C054
B753 LDA $C057
B756 JMP $B700
B759 LDA $FE93
B75C LDA $C081
B75F LDA $C081
B762 LDY #$00
B764 STA $0800,Y
B767 INY
B768 BNE $B764
B76A INC $B766
B76D LDA $B766
B770 CMP #$B7
B772 BNE $B762
B774 LDY #$00
B776 STA $D000,Y
B779 INY
B77A BNE $B776
B77C INC $B778
B77F LDA $B778
B782 BNE $B774
B784 JMP $B74A |
That erases all other memory again, sets graphics mode, and then runs $B700 again, which is only slightly different now:
Code: | B700 STX $B7E9
B703 STX $B7F7
B706 LDA #$01
B708 STA $B7F8
B70B STA $B7EA
B70E LDA $B7E0
B711 STA $B7E1 ;sector count for multi-sector load
B714 LDA #$04
B716 STA $B7EC ;track
B719 LDA $B7E2
B71C STA $B7ED ;sector
B71F LDA $B7E3
B722 STA $B7F1 ;address
B725 LDA #$01
B727 STA $B7F4
B72A TXA
B72B LSR
B72C LSR
B72D LSR
B72E LSR
B72F TAX
B730 LDA #0
B732 STA $04F8,X
B735 STA $0478,X
B738 JSR $B793
B73B LDA #$38
B73D STA $B963
B740 JMP $B759 |
Finally, we have the real code, but we're not done yet.
Code: | B7E0 .BYTE $B0 ;sector count, that looks real
...
B7E3 .BYTE $08 ;address $800, for real |
There's just one thing. #$B0+#$08=#$B8. The multi-sector read will also overwrite $B700 again.
Code: | B793 LDA $B7E5
B796 LDY $B7E4
B799 JSR $B7B5
B79C JMP $B759 |
That's how the multi-sector read escapes the loop. The function never returns, it just jumps to a new location.
Code: | B759 JSR $FE93
B75C LDA $C081
B75F LDA $C081
B762 LDY #$00
B764 STA $D000,Y
B767 INY
B768 BNE $B764
B76A INC $B766
B76D LDA $B766
B770 BNE $B762
B772 LDY #$00
B774 LDA $A800,Y
B777 STA $0000,Y
B77A INY
B77B BNE $B774
B77D INC $B776
B780 INC $B779
B783 LDA $B779
B786 CMP #$08
B788 BNE $B774
B78A LDX #$FF
B78C TXS
B78D LDX $B7E9
B790 JMP $B700 |
Erase the language card memory again, replace the zpage, stack, keyboard buffer, page 3, and screen memory with content, and then run $B700 again.
Code: |
B700 LDA $C08E,X
B703 LDA $C08C,X
B706 LDA $C08A,X
B709 LDA $C089,X
B70C LDA $C08C,X
B70F CMP $C08C,X
B712 BEQ $B70C
B714 STA $4E
B716 LDA $C088,X
|
Seed the random-number generator with a nibble from the disk.
It also affects the keyboard controls that are accepted.
Code: | B719 LDY #$00
B71B STA $A800,Y
B71E STA $B800,Y
B721 INY
B722 BNE $B71B
B724 INC $B71D
B727 INC $B720
B72A LDA $B720
B72D CMP #$C0
B72F BNE $B71B
B731 LDA #$72
B733 STA $03F2
B736 LDA #$B7
B738 STA $03F3
B73B LDA #$12
B73D STA $03F4
B740 JMP ($0000) |
Erase the RWTS and run the game.
At this point we have the entire game in memory (0000-A7FF, but only $200-95FF and a few zpage locations are used).
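A small Python model of the three passes through $B700, added here as an illustration and not part of the original post or the disk's code. It assumes each sector fills one page and that pages ascend from the start address, as the sum #$B0+#$08=#$B8 in the post implies; all byte values are copied from the listings above.

```python
# Added example: models the read parameters and the $BD00 hook from the post.
LOADER_PAGE = 0xB7   # page holding the loader at $B700 and its parameter block


def hook(track, count, page):
    """Model of $BD14-$BD24: a track-0 request becomes a 1-sector read to $B700."""
    if track == 0:
        return 1, LOADER_PAGE
    return count, page


def pages(count, page):
    """Assumption: one page per sector, ascending from the start page."""
    return range(page, page + count)


def analyse(track, count, page):
    """Compare what the parameter block claims with what the read really writes."""
    eff_count, eff_page = hook(track, count, page)
    return {
        "claimed": (page << 8, ((page + count) << 8) - 1),
        "actual": (eff_page << 8, ((eff_page + eff_count) << 8) - 1),
        "redirected": (eff_count, eff_page) != (count, page),
        "overwrites_loader": LOADER_PAGE in pages(eff_count, eff_page),
    }


# (track from $B714, sector count from $B7E0, page from $B7E3) per pass of $B700
STAGES = [(0x00, 0x70, 0x08), (0x00, 0x01, 0x08), (0x04, 0xB0, 0x08)]


def report():
    return [analyse(*stage) for stage in STAGES]


if __name__ == "__main__":
    for n, r in enumerate(report(), 1):
        lo, hi = r["claimed"]
        alo, ahi = r["actual"]
        print(f"pass {n}: claims ${lo:04X}-${hi:04X}, writes ${alo:04X}-${ahi:04X}, "
              f"redirected={r['redirected']}, "
              f"overwrites loader={r['overwrites_loader']}")
```

All three passes end up writing over page $B7: the first two because the hook redirects them, the third because the range itself reaches it.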
aloysiuscoincoin
Joined: 17 Mar 2018 Posts: 14
|
Posted: Sat 28 Jul 2018, 9:36 Post subject: |
|
|
Hi!
Funny trick (though not very optimized ^^'). I didn't get what in this protection scheme prevents the disk from being copied... what did I miss?
 |
qkumba
Joined: 29 Jan 2012 Posts: 176
|
Posted: Sun 29 Jul 2018, 0:24 Post subject: |
|
|
It's a disk in 13-sector format. That was the main obstacle.
Perhaps the prologues or epilogues were changed (I didn't check), but it didn't affect my technique because the RWTS can read the disk for me. |
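The 13-sector format named above is the 5-and-3 encoding that the boot sector in the first post prepares for. As an added example (a Python re-implementation, not code from the post or the disk), this mirrors the loop at $0211-$0225 and the shift at $0301-$030B to show the table they build; the dictionary stands in for the page at $0800 and tracks only the entries the first loop writes.

```python
# Added example: re-implementation of two loops from the first post's listings.

def build_table():
    """Mirror $0211-$0225: Y scans $AB..$FF, X numbers the accepted bytes."""
    mem = {}                   # offset into the page at $0800 -> stored value
    x = 0                      # X is 0 when the copy loop at $0801 finishes
    for y in range(0xAB, 0x100):
        a = y | (y >> 1)       # TYA / STA $3C / LSR / ORA $3C
        if a != 0xFF:          # CMP #$FF / BNE: byte has two adjacent zero bits
            continue
        if y == 0xD5:          # CPY #$D5 / BEQ: $D5 is skipped
            continue
        mem[y] = x             # TXA / STA $0800,Y
        x += 1                 # INX
    return mem


def shift_table(mem):
    """Mirror $0301-$030B: three ASLs move each 5-bit value into bits 7..3."""
    return {y: (v << 3) & 0xFF for y, v in mem.items()}


def decode(disk_bytes, table):
    """Translate disk bytes through the table; KeyError marks an invalid byte."""
    return [table[b] for b in disk_bytes]


if __name__ == "__main__":
    table = build_table()
    print(len(table), "valid disk bytes")
    print(" ".join(f"{b:02X}" for b in sorted(table)))
    print([f"{v:02X}" for v in decode([0xAB, 0xD6, 0xFF], shift_table(table))])
```

The loop accepts exactly 32 byte values, one for each 5-bit quantity, which is what makes the table a 5-and-3 decoder.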
aloysiuscoincoin
Joined: 17 Mar 2018 Posts: 14
|
Posted: Sun 29 Jul 2018, 11:24 Post subject: |
|
|
OK, thanks for the answer.
 |