toinet Site Admin
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France

Posted: Thu 11 Jul 2019, 20:20 Post subject: Spider Raid (Insoft, 1982)

#1009 - A game written in Forth using Paul Lutus' Charforth. You are a spider and you must do things... make webs I guess... Ahem... Anyone tell me what to do, please. Another original software owned by Stephane Racle, Applesauce disk image provided by 4am.
Disk structure
That is a non standard disk. No extra track but no data after T18. Nibbles seem 4*4 only.
Protection type
There are a couple but they are all linked. As the game loads fast, it uses 4*4 nibbles. The header markers are 92 93 95.
The last epilog marker is written in 40 cycles (instead of 32) and an extra nibble is read from disk: DE AA/10 97. A sort of desync.
Boot trace
As usual with one-pass loading programs, the idea is to interrupt the game once everything is loaded into memory and before it jumps to the game entry point.
Code:
Get boot 1 in memory:
CALL-151
9600<C600.C6FFM
96F8:4C DA FD
9600G
01
0800: 01 8A 4A 4A 4A 4A 09 C0
0808: 8D FF BF A9 5C 8D FE BF
0810: A9 FF 8D CE 03 EE 00 08
0818: AD 00 08 C9 03 F0 03 6C
0820: FE BF 20 93 FE 20 89 FE
0828: AD 50 C0 AD 52 C0 AD 54
0830: C0 AD 57 C0 A9 08 85 01
0838: A9 04 85 03 A9 02 85 0D
0840: A0 00 84 00 84 02 B1 00
0848: 91 02 C8 D0 F9 C6 0D D0
0850: 03 4C 5A 04 E6 01 E6 03
0858: D0 EC A0 08 84 01 A0 7F
0860: 84 0D A0 00 84 00 A9 AA
0868: 91 00 C8 A9 D5 91 00 C8
0870: D0 F4 E6 01 C6 0D D0 EE
0878: A9 00 85 80 85 26 A9 07
0880: 85 27 A9 2E 85 10 20 E0
0888: 04 20 E0 04 20 15 05 C6
0890: 10 D0 F6 A9 08 85 01 A0
0898: 00 84 00 84 11 A5 11 51
08A0: 00 85 11 C8 D0 F7 E6 01
08A8: A5 01 C9 C0 F0 0B C9 18
08B0: D0 EB A9 20 85 01 4C 9D
08B8: 04 A5 11 C5 0C F0 14 20
08C0: DD FB A5 2B 4A 4A 4A 4A
08C8: 09 C0 85 01 A9 00 85 00
08D0: 6C 00 00 A6 2B A9 60 8D
08D8: EA 03 8E FF BF 4C 00 40
08E0: A4 80 A9 01 85 12 20 0D
08E8: 05 BD 80 C0 C8 20 0D 05
08F0: BD 81 C0 A9 40 20 A8 FC
08F8: C6 12 D0 EA 84 80 A6 2B
0900: BD 86 C0 BD 84 C0 BD 82
0908: C0 BD 80 C0 60 98 29 03
0910: 0A 05 2B AA 60 A9 05 85
0918: 0D A5 27 85 13 A6 2B BD
0920: 8C C0 10 FB C9 92 D0 F7
0928: BD 8C C0 10 FB C9 93 D0
0930: EE BD 8C C0 10 FB C9 95
0938: D0 E5 A0 FF BD 8C C0 10
0940: FB 0A 09 01 85 11 C8 D0
0948: 06 C6 0D F0 0E E6 27 BD
0950: 8C C0 10 FB 25 11 91 26
0958: 4C 3C 05 BD 8C C0 10 FB
0960: 25 11 85 0C BD 8C C0 10
0968: FB C9 CF D0 0A BD 8C C0
0970: 10 FB C9 DE D0 01 60 A5
0978: 13 85 27 4C 15 05 E2 EE
0980: 5F E2 A2 00 08 BD 00 02
0988: CD B2 E2 D0 01 E8 8E 5D
0990: E2 20 A4 D9 29 7F 59 84
0998: E0 C8 0A F0 02 68 08 90
09A0: F0 28 F0 20 B9 84 E0 D0
09A8: D6 00 00 00 00 00 00 00
09B0: 00 00 00 00 00 00 00 00
09B8: 00 00 00 00 00 00 00 00
09C0: 00 00 00 00 00 00 00 00
09C8: 00 00 00 00 00 00 00 00
09D0: 00 00 00 7F 7F 7F 7F 7F
09D8: 3F 00 00 40 7F 7F 7F 7F
09E0: 7F 1F 00 00 00 00 00 00
09E8: 00 00 00 00 00 00 00 00
09F0: 00 00 00 00 00 00 00 00
09F8: 00 00 00 7F 7F 7F 7F 7F
Get the loader in memory
CALL-151
9600<C600.C6FFM
96F8:A9 4C 8D 22 08 A9 59 8D 23 08 A9 FF 8D 24 08 4C 01 08
9600G
See above, there's page 9 now
Get the game in memory in one pass
CALL-151
9600<C600.C6FFM
96F8:A9 80 8D DE 08 A9 01 8D DF 08 4C 01 08
180:2C 51 C0 AD 00 C0 10 FB
9600G
=> Data from $800 to $9FFF
A repeated pattern from $A000..$A0FF until $BFFF
Once I had everything in memory, I saved the RAM contents and continued the work to locate a protection check. That one was easy as the use of the usual disk softswitches was visible ($C089, $C08C, $C088):
The Flaming Bird Disassembler Written by Ferox - (c) 1994 Phoenix corporation
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
00/9D2C: 203158 JSR $5831
00/9D2F: 4CEA9C JMP $9CEA
00/9D32: 206B5A JSR $5A6B
00/9D35: 205198 JSR $9851
00/9D38: 60 RTS
00/9D39: FD 99 DA $99FD
00/9D3B: C9CED4D2CF ASC "INTRO"
00/9D40: 20D455 JSR $55D4 ; CALL PROTECTION
00/9D43: 20F84C JSR $4CF8
00/9D46: 201750 JSR $5017 ; bad disassembly
00/9D49: 2C0020 BIT $2000 ; from here
00/9D4C: 1750 ORA [$50],Y
00/9D4E: 6E4020 ROR $2040
00/9D51: EC5B20 CPX $205B
00/9D54: 1750 ORA [$50],Y
00/9D56: 6E0020 ROR $2000
00/9D59: 1750 ORA [$50],Y
00/9D5B: 6F4020EC ADCL $EC2040
00/9D5F: 5B TCD
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
You'll discover the protection check later in that thread.
How to normalize
Once everything is in memory, write the RAM contents onto disk (Mobby Disk II from my copy disk is really useful in that case). Then use a standard RWTS to read all the sectors and jump to the game.
The disk image is available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
7/2019
toinet Site Admin
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France

Posted: Thu 11 Jul 2019, 20:20 Post subject:

The protection check code
Code:
*
* The on-disk protection check
* File is OBJ.DISK.CHECK
*
L55CD DA L55C2
ASC "$LIST"
DOLLARLIST CLC ; THE PROTECTION CHECK
L55D5 LDX $BFFF
LDA $C089,X
LDA #$FF
STA L0200+$80
JSR ROM.WAIT
L55E3 DEC L0200+$80
BEQ L5610
L55E8 LDA $C08C,X
BPL L55E8
CMP #$DE
BNE L55E8
L55F1 LDA $C08C,X
BPL L55F1
CMP #$AA
BNE L55E8
PHA ; lose time (3 cycles)
PLA ; lose time (4 cycles)
LDA $C08C,X ; read a nibble
CMP #$08 ; we must be out of sync
BCS L55E3 ; a little bit
L5603 LDA $C08C,X ; if so
BPL L5603 ; read the hidden nibble
CMP #$97 ; if we have it
BNE L55E3 ; we
LDY RDBANK1,X ; turn the drive off
RTS ; and return
L5610 LDY RDBANK1,X ; we have a copy
LDA #$60 ; clear RAM
STA $01
LDY #$00
STY $00
L561B LDA #$00
STA ($00),Y
INY
BNE L561B
INC $01
LDA $01
CMP #$C0
BNE L561B
L562A JMP L562A ; and goes into an infinite loop
toinet Site Admin
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France

Posted: Thu 11 Jul 2019, 20:22 Post subject:

And the how-to crack consists of replacing the call to the protection check with a BIT opcode. The offset in RAM is $9D40.
Code:
L9D39 DA L99FD
ASC "INTRO"
JSR DOLLARLIST ; Crack: put 2C here
JSR SETBASE16
JSR PUSHWORD
DA $002C
JSR PUSHWORD
...and you are done!
toinet Site Admin
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France

Posted: Thu 11 Jul 2019, 20:24 Post subject:

A rare thing: the disk generator source code. The binary was on the disk, I made a source of it. It still needs to be tested and before I make the disk image available, I need to understand the use of the $Fxxx area, as if they were using a relocated DOS to create copies.
Code:
*
* Spider Raid
* Disk Generator
*
* (c) 1982, Insoft
* (s) 2019, Brutal Deluxe Software
*
mx %11
org $1b00
lst off
*--- MASTER MAKER
* It requires a DOS 3.3 disk in drive 1
* and a DOS 3.3 formatted disk in drive 2
* Hum, it uses addresses in "ROM"
L1B00 JMP L1C0A ; MASTER MAKER
L1B03 LDA #$61
STA $04
LDA #$62
STA $05
LDA #$60
STA $06
LDA #$AA
STA $0F
JSR L1E23
LDA #$02
STA $0B
LDA #$00
STA $0A
JSR L1DC0
L1B21 LDA #$04
STA $0D
LDY #$30
LDA $C08D,X
LDA $C08E,X
BPL L1B32
JMP L1B32
L1B32 LDA #$FF
STA $C08F,X
ORA $C08C,X
CMP $00
L1B3C STA $C08D,X
ORA $C08C,X
NOP
NOP
DEY
BEQ L1B51
JSR L1B99
NOP
NOP
NOP
LDA #$FF
BNE L1B3C
L1B51 LDA #$92
JSR L1BE0
LDA #$93
JSR L1BDE
LDA #$95
JSR L1BDE
LDY #$00
L1B62 LDA ($00),Y
CPY $00
PHA
LSR
ORA #$AA
STA $C08D,X
CMP $C08C,X
PLA
ORA #$AA
INY
BNE L1B8A
DEC $0D
BNE L1B7C
BEQ L1B9A
L1B7C INC $01
STA $C08D,X
CMP $C08C,X
CMP $00
NOP
JMP L1B62
L1B8A JSR L1B99
STA $C08D,X
CMP $C08C,X
CMP $00
NOP
JMP L1B62
L1B99 RTS
L1B9A CMP $00
STA $C08D,X
CMP $C08C,X
LDA $0C
JSR L1BEA
LDA #$CF
JSR L1BE0
LDA #$DE
JSR L1BDE
LDA #$AA
JSR L1BDE
LDA #$97
JSR L1BDA
LDA #$FF
JSR L1BDE
LDA $C08E,X
LDA $C08C,X
INC $01
DEC $0E
BEQ L1BD4
INC $0B
JSR L1DC0
JMP L1B21
L1BD4 LDA $C088,X
JMP L1C1D
L1BDA NOP
NOP
NOP
NOP
L1BDE CMP $00
L1BE0 NOP
NOP
NOP
STA $C08D,X
ORA $C08C,X
RTS
L1BEA PHA
LSR
ORA $0F
CPY $00
CPY $00
STA $C08D,X
CMP $C08C,X
PLA
ORA #$AA
JSR L1C09
CMP $00
L1C00 NOP
STA $C08D,X
CMP $C08C,X
CMP $00
L1C09 RTS
*--- ENTRY POINT
L1C0A JSR HOME
LDY #$00
L1C0F LDA L1CBE,Y
INY
CMP #$A6
BEQ L1C1D
JSR COUT
JMP L1C0F
L1C1D JSR HOME
LDY #$00
L1C22 LDA L1D41,Y
INY
CMP #$A6
BEQ L1C30
JSR COUT1
JMP L1C22
L1C30 JSR RDKEY
CMP #$A0
BNE L1C30
LDA #$08
STA $01
LDY #$00
STY $00
STY $0C
L1C41 LDA $0C
EOR ($00),Y
STA $0C
INY
BNE L1C41
INC $01
LDA $01
CMP #$C0
BEQ L1C5D
CMP #$18
BNE L1C41
LDA #$20
STA $01
JMP L1C41
L1C5D LDA #$08
STA $01
LDA #$00
STA $00
LDA #$2E
STA $0E
LDA #$01 ; huh?
STA $F6FE ; did they have
LDA #$10 ; a relocated DOS?
STA $F6D1
LDA #$B5
STA $F09E
STA $F135
LDA #$D5
STA $F0A8
LDA #$04 ; format disk
STA L1DB7
LDA #>L1DAB
LDY #<L1DAB
JSR L03D9
LDA #$00 ; sector 0
STA L1DB0
LDA #$02 ; write command
STA L1DB7
LDA #<L1E57
STA L1DB3
LDA #>L1E57
STA L1DB3+1
LDA #>L1DAB
LDY #<L1DAB
JSR L03D9
LDA #$07 ; sector 7
STA L1DB0
LDA #>L1E57
CLC
ADC #$01
STA L1DB3+1
LDA #>L1DAB
LDY #<L1DAB
JSR L03D9
JMP L1B03
L1CBE ASC 8D8D8D8D8D
ASC " LOADING FILES..."8D84
ASC "BLOAD INSOFT.SCREEN,A$2000"8D84
ASC "BLOAD SPIDER RAID,A$4000"8D84
ASC "BLOAD CHR.SYS,A$800"8D84
ASC "BLOAD OBJ.DISK.CHECK,A$55D4"8D
ASC "&"
L1D41 ASC 8D8D8D
ASC " SPIDER RAID DISK GENERATOR"8D8D8D
ASC "INSERT A "020C010E0B
ASC " DISK IN SLOT 6, DRIVE 2"8D8D8D8D
ASC "PRESS "1310010305
ASC " TO BEGIN &"
L1DAB DB $01
DB $60
DB $02
DB $00
DB $00
L1DB0 DB $07
DA L1DBC
L1DB3 DA L1E57
DB $00
DB $00
L1DB7 DB $02
DB $03
DB $00
DB $60
DB $02
L1DBC DB $00
DB $01
DB $EF
DB $D8
L1DC0 SEC
LDA $0A
SBC $0B
BEQ L1E10
STA $09
LDA $0A
AND #$03
CLC
ROL
STA $07
LDA $09
BPL L1DE7
CLC
LDA $07
ADC #$03
CMP #$09
BNE L1DE0
LDA #$01
L1DE0 STA $08
INC $0A
JMP L1DF4
L1DE7 LDA $07
BNE L1DED
LDA #$08
L1DED SEC
SBC #$01
STA $08
DEC $0A
L1DF4 LDA $06
AND #$F0
ORA $07
TAX
L1DFB LDA $C080,X
L1DFE LDA $06
L1E00 AND #$F0
L1E02 ORA $08
TAX
LDA $C080,X
LDA #$42
JSR WAIT
JMP L1DC0
L1E10 LDA $06
AND #$F0
TAX
LDA $C080,X
LDA $C082,X
LDA $C084,X
LDA $C086,X
CLC
RTS
L1E23 PHP
LDA $05
CLC
ADC #$09
TAX
LDA $C080,X
LDA $05
AND #$F0
CLC
ADC #$09
TAX
LDA $C080,X
LDA $05
AND #$F0
TAX
LDA $C080,X
LDA $C082,X
LDA $C084,X
LDA $C086,X
PLP
RTS
NOP
L1E4C LDA #$FF
L1E4E SEC
SBC #$01
BNE L1E4E
DEY
BNE L1E4C
RTS
*--- This is T0/S0
L1E57 HEX 018A4A4A4A4A09C08DFFBFA95C8DFEBF
HEX A9FF8DCE03EE0008AD0008C903F0036C
HEX FEBF2093FE2089FEAD50C0AD52C0AD54
HEX C0AD57C0A9088501A9048503A902850D
HEX A00084008402B1009102C8D0F9C60DD0
HEX 034C5A04E601E603D0ECA0088401A07F
HEX 840DA0008400A9AA9100C8A9D59100C8
HEX D0F4E601C60DD0EEA90085808526A907
HEX 8527A92E851020E00420E004201505C6
HEX 10D0F6A9088501A00084008411A51151
HEX 008511C8D0F7E601A501C9C0F00BC918
HEX D0EBA92085014C9D04A511C50CF01420
HEX DDFBA52B4A4A4A4A09C08501A9008500
HEX 6C0000A62BA9608DEA038EFFBF4C0040
HEX A480A9018512200D05BD80C0C8200D05
HEX BD81C0A94020A8FCC612D0EA8480A62B
*--- This is the rest of the loader
L1F57 HEX BD86C0BD84C0BD82C0BD80C060982903
HEX 0A052BAA60A905850DA5278513A62BBD
HEX 8CC010FBC992D0F7BD8CC010FBC993D0
HEX EEBD8CC010FBC995D0E5A0FFBD8CC010
HEX FB0A09018511C8D006C60DF00EE627BD
HEX 8CC010FB251191264C3C05BD8CC010FB
HEX 2511850CBD8CC010FBC9CFD00ABD8CC0
HEX 10FBC9DED00160A51385274C1505E2EE
HEX 5FE2A20008BD0002CDB2E2D001E88E5D
HEX E220A4D9297F5984E0C80AF002680890
HEX F028F020B984E0D0D6
Last edited by toinet on Sun 14 Jul 2019, 6:49; edited 1 time
toinet Site Admin
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France

Posted: Thu 11 Jul 2019, 20:25 Post subject:

Last but not least, here is the loader source code at $400:
Code:
*
* Spider Raid
* (c) 1982, Insoft
* (k) 2019, LoGo
*
mx %11
org $400
lst off
*----------------------------
MINKVERS EQU $BFFE
KVERSION EQU $BFFF
TXTCLR EQU $C050
MIXCLR EQU $C052
TXTPAGE1 EQU $C054
HIRES EQU $C057
BELL1 EQU $FBDD
WAIT EQU $FCA8
SETKBD EQU $FE89
SETVID EQU $FE93
*----------------------------
L0400 HEX 03 ; was 01 on entry
TXA
LSR
LSR
LSR
LSR
ORA #$C0
STA KVERSION
LDA #$5C
STA MINKVERS
LDA #$FF
STA $03CE
INC $0800
LDA $0800
CMP #$03
BEQ L0422
JMP (MINKVERS)
L0422 JSR SETVID
JSR SETKBD
LDA TXTCLR
LDA MIXCLR
LDA TXTPAGE1
LDA HIRES
LDA #$08 ; from $800 to $400
STA $01
LDA #$04
STA $03
LDA #$02
STA $0D
LDY #$00
STY $00
STY $02
L0446 LDA ($00),Y
STA ($02),Y
INY
BNE L0446
DEC $0D
BNE L0454
JMP L045A
L0454 INC $01
INC $03
BNE L0446
L045A LDY #$08 ; clear RAM
STY $01
LDY #$7F
STY $0D
LDY #$00
STY $00
L0466 LDA #$AA
STA ($00),Y
INY
LDA #$D5
STA ($00),Y
INY
BNE L0466
INC $01
DEC $0D
BNE L0466
LDA #$00 ; load data now
STA $80
STA $26
LDA #$07
STA $27
LDA #$2E
STA $10
JSR L04E0
L0489 JSR L04E0
JSR L0515
DEC $10
BNE L0489
LDA #$08
STA $01
LDY #$00
STY $00
STY $11
L049D LDA $11
EOR ($00),Y
STA $11
INY
BNE L049D
INC $01
LDA $01
CMP #$C0
BEQ L04B9
CMP #$18
BNE L049D
LDA #$20
STA $01
JMP L049D
L04B9 LDA $11
CMP $0C
BEQ L04D3
JSR BELL1
LDA $2B
LSR
LSR
LSR
LSR
ORA #$C0
STA $01
LDA #$00
STA $00
JMP ($0000)
L04D3 LDX $2B
LDA #$60
STA $03EA
STX KVERSION
JMP $4000 ; jump to game
L04E0 LDY $80 ; move arm
LDA #$01
STA $12
L04E6 JSR L050D
LDA $C080,X
INY
JSR L050D
LDA $C081,X
LDA #$40
JSR WAIT
DEC $12
BNE L04E6
STY $80
LDX $2B
LDA $C086,X
LDA $C084,X
LDA $C082,X
LDA $C080,X
RTS
L050D TYA
AND #$03
ASL
ORA $2B
TAX
RTS
L0515 LDA #$05 ; read data
STA $0D
LDA $27
STA $13
LDX $2B
L051F LDA $C08C,X
BPL L051F
CMP #$92
BNE L051F
L0528 LDA $C08C,X
BPL L0528
CMP #$93
BNE L051F
L0531 LDA $C08C,X
BPL L0531
CMP #$95
BNE L051F
LDY #$FF
L053C LDA $C08C,X
BPL L053C
ASL
ORA #$01
STA $11
INY
BNE L054F
DEC $0D
BEQ L055B
INC $27
L054F LDA $C08C,X
BPL L054F
AND $11
STA ($26),Y
JMP L053C
L055B LDA $C08C,X ; the epilog markers
BPL L055B
AND $11
STA $0C
L0564 LDA $C08C,X
BPL L0564
CMP #$CF
BNE L0577
L056D LDA $C08C,X
BPL L056D
CMP #$DE
BNE L0577
RTS
L0577 LDA $13
STA $27
JMP L0515
*--- Nada
HEX E2EE5FE2A20008BD0002CDB2E2D001E8
HEX 8E5DE220A4D9297F5984E0C80AF00268
HEX 0890F028F020B984E0D0D60000000000
HEX 00000000000000000000000000000000
HEX 00000000000000000000000000000000
HEX 00000000007F7F7F7F7F3F0000407F7F
HEX 7F7F7F1F000000000000000000000000
HEX 000000000000000000000000007F7F7F
HEX 7F7F
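Added example (not code from the thread, nor from Insoft): a Python model of the 4*4 nibble scheme and chunk layout the listings above describe, following the generator loop at L1B62/L1BEA (LSR / ORA #$AA, then ORA #$AA), the loader loop at L053C/L054F (ASL / ORA #$01, then AND), the 92 93 95 header, the CF DE epilog and the XOR checksum loop at L049D (same ranges as L1C41 in the generator). The function names and the 5-page chunk size (from $0D = 5 at L0515) are my reading of the listings, not names used by the original code.

```python
# Model of the Spider Raid 4*4 nibble scheme (added example, not original code).
# Layout and bit operations are read off the loader ($400) and generator ($1B00)
# listings in this thread; names are assumptions made for this example.

HEADER = bytes([0x92, 0x93, 0x95])   # prologue hunted for at L051F/L0528/L0531
EPILOG = bytes([0xCF, 0xDE])         # epilogue checked at L0564/L056D
PAGES_PER_CHUNK = 5                  # $0D = 5 at L0515: five 256-byte pages per read

def encode44(b):
    """One byte -> two disk nibbles, as the generator writes them at L1B62/L1BEA.
    ORA #$AA guarantees bit 7 (and the alternate bits) are set in both nibbles."""
    return ((b >> 1) | 0xAA) & 0xFF, (b | 0xAA) & 0xFF

def decode44(n1, n2):
    """Two nibbles -> one byte, as the loader rebuilds it at L053C (ASL, ORA #$01,
    STA $11) and L054F (AND $11)."""
    return (((n1 << 1) | 0x01) & n2) & 0xFF

def image_checksum(mem):
    """XOR of every byte in $0800-$17FF and $2000-$BFFF: the loop at L049D skips
    from page $18 to page $20 and stops at page $C0. Result is compared to $0C."""
    c = 0
    for page in list(range(0x08, 0x18)) + list(range(0x20, 0xC0)):
        for b in mem[page * 256:(page + 1) * 256]:
            c ^= b
    return c

def build_chunk(pages, checksum):
    """Nibble stream for one chunk: header, 5 pages of 4*4 data, the 4*4-encoded
    checksum byte, then the CF DE epilog (generator order at L1B51..L1BA0)."""
    assert len(pages) == PAGES_PER_CHUNK * 256
    out = bytearray(HEADER)
    for b in pages:
        out += bytes(encode44(b))
    out += bytes(encode44(checksum))   # written through L1BEA, read into $0C
    out += EPILOG
    return bytes(out)

def read_chunk(stream):
    """Mimic L0515: find the header, decode 5 pages plus the checksum pair, and
    demand CF DE. Returns (data, checksum), or None where the loader would
    restore $27 and retry (L0577)."""
    i = stream.find(HEADER)
    if i < 0:
        return None
    i += len(HEADER)
    data = bytearray()
    for _ in range(PAGES_PER_CHUNK * 256 + 1):      # 1280 data bytes + checksum
        data.append(decode44(stream[i], stream[i + 1]))
        i += 2
    if stream[i:i + 2] != EPILOG:
        return None
    return bytes(data[:-1]), data[-1]
```

Because every encoded nibble has bits 7, 5, 3 and 1 set, none of the header nibbles (92, 93, 95) can occur inside the data, which is why the loader can hunt for the prologue without any framing beyond the bit-7 test.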