toinet Site Admin
Joined: 15 June 2007 Posts: 3062 Location: Le Chesnay, France
Posted: Wed 24 Jul 2019, 17:41 Post subject: Star Thief (Cavalier Computer, 1981)
#1017 - Star Thief is a fun game, written by Jim Nitchals, published by Cavalier Software. Prevent star thieves from stealing your pods. It is a one- or two-player game. Applesauce disk image by Stephane Racle, kindly provided by 4am.
Disk structure
The disk cannot be copied. Locksmith Fast Disk Backup tells us that not all sectors are readable. When you listen carefully, only half of the disk contains data.
A further analysis shows what looks like a 13-sector DOS disk. From experience, data is loaded too quickly to match the 5-and-3 nibble encoding. It seems there are 4-and-4 nibbles in the data field.
Code: |
T0-T11: D5AAB5/DEAA - B59ADE/FDFE
T12: D5AAB5/DEAA - D5AAAD/FDFE
T13: EMPTY
T14-T22: NO DATA
|
Protection type
The disk format is non standard as described above. There is a nibble check once the program is in RAM. It will prevent you from playing if you do not have the original disk.
Boot trace
Code: |
Get boot 1:
CALL-151
9600<C600.C6FFM
96F8:4C DA FD
9600G
01
Result is:
0800: 01 A2 00 BD 00 08 9D 00
0808: 02 E8 D0 F7 4C 0F 02 A0
0810: AB 98 85 3C 4A 05 3C C9
0818: FF D0 09 C0 D5 F0 05 8A
0820: 99 00 08 E8 C8 D0 EA 84
0828: 3D 84 26 A9 03 85 27 A6
0830: 2B 20 5D 02 20 D1 02 A9
0838: A9 8D 1F 03 A9 02 8D 20
0840: 03 4C 01 03 00 00 00 00
0848: 00 00 00 00 00 00 00 00
0850: 00 00 00 00 00 00 00 00
0858: 00 00 00 00 00 18 08 BD
0860: 8C C0 10 FB 49 D5 D0 F7
0868: BD 8C C0 10 FB C9 AA D0
0870: F3 EA BD 8C C0 10 FB C9
0878: B5 F0 09 28 90 DF 49 AD
0880: F0 1F D0 D9 A0 03 84 2A
0888: BD 8C C0 10 FB 2A 85 3C
0890: BD 8C C0 10 FB 25 3C 88
0898: D0 EE 28 C5 3D D0 BE B0
08A0: BD A0 9A 84 3C BC 8C C0
08A8: 10 FB 59 00 08 A4 3C 88
08B0: 99 00 08 D0 EE 84 3C BC
08B8: 8C C0 10 FB 59 00 08 A4
08C0: 3C 91 26 C8 D0 EF BC 8C
08C8: C0 10 FB 59 00 08 D0 8D
08D0: 60 A8 A2 00 B9 00 08 4A
08D8: 3E CC 03 4A 3E 99 03 85
08E0: 3C B1 26 0A 0A 0A 05 3C
08E8: 91 26 C8 E8 E0 33 D0 E4
08F0: C6 2A D0 DE CC 00 03 D0
08F8: 03 60 00 00 4C 2D FF 00
Get boot 2:
9600<C600.C6FFM
96F8:A9 59 8D 42 08 A9 FF 8D 43 08 4C 01 08
9600G
Result is:
0300: 99 B9 00 08 0A 0A 0A 99
0308: 00 08 C8 D0 F4 A6 2B A9
0310: 09 85 27 AD CC 03 85 41
0318: 84 40 8A 4A 4A 4A 4A A9
0320: 02 85 3F A9 5D 85 3E 20
0328: 43 03 20 46 03 A5 3D 4D
0330: FF 03 F0 06 E6 41 E6 3D
0338: D0 ED 85 3E AD CC 03 85
0340: 3F E6 3F 6C 3E 00 A2 32
0348: A0 00 BD 00 08 4A 4A 4A
0350: 85 3C 4A 85 2A 4A 1D 00
0358: 09 91 40 C8 BD 33 08 4A
0360: 4A 4A 4A 26 3C 4A 26 2A
0368: 1D 33 09 91 40 C8 BD 66
0370: 08 4A 4A 4A 4A 26 3C 4A
0378: 26 2A 1D 66 09 91 40 C8
0380: A5 2A 29 07 1D 99 09 91
0388: 40 C8 A5 3C 29 07 1D CC
0390: 09 91 40 C8 CA 10 B3 AD
0398: 99 08 4A 4A 4A 0D FF 09
03A0: 91 40 A6 2B 60 FF FF FF
03A8: FF FF FF FF FF FF FF FF
03B0: FF FF FF FF FF FF FF FF
03B8: FF FF FF FF FF FF FF FF
03C0: FF FF FF FF FF FF FF FF
03C8: FF FF FF FF 41 FF FF FF
03D0: FF FF FF FF FF FF FF FF
03D8: FF FF FF FF FF FF FF FF
03E0: FF FF FF FF FF FF FF FF
03E8: FF FF FF FF FF FF FF FF
03F0: FF FF FF FF FF FF FF FF
03F8: FF FF FF FF FF FF FF 06
Get boot 3:
We load the last loader at $4200 and then crash.
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 00 8D A4 03 4C 01 03
9600G
Get boot 4:
We load the entire program in RAM and crash into the monitor once done.
CALL-151
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 4C 8D 3C 03 A9 00 8D 3D 03 A9 B8 8D 3E 03 4C 01 03
B800:A9 4C 8D C2 42 A9 00 8D C3 42 A9 B9 8D C4 42 4C 00 42
B900:2C 51 C0 AD 00 C0 10 FB 2C 10 C0 4C 59 FF
9600G
Get boot 5:
We interrupt the loading of the program in RAM earlier because the real read routine is erased once the program is in memory.
CALL-151
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 4C 8D 3C 03 A9 00 8D 3D 03 A9 B8 8D 3E 03 4C 01 03
B800:A9 4C 8D C2 42 A9 00 8D C3 42 A9 B9 8D C4 42 4C 00 42
B900:A9 85 8D 69 69 A9 FE 8D 6A 69 A9 4C 8D 6B 69 A9 59 8D 6C 69 A9 FF 8D 6D 69 A9 02 4C 01 68
9600G
At $FE, we have the value of Y = $94.
We will see there is a nibble check (count of D5 on T11); the routine at $B900 patches the on-disk check to get that count, stores it, then crashes.
In RAM:
0000..00FF zero page
0100..01FF stack area
0200..1FFF program
2000..41FF HGR
4200..47FF loader
5000..51FF buffer for sectors
6000..80FF rest of the program
|
How to make a real disk
You can boot a DOS 3.3 disk
Then you run the following code:
Code: |
CALL-151
9600<C600.C6FFM
96F8:A9 00 8D 42 08 A9 95 8D 43 08 4C 01 08
9500:A9 4C 8D 3C 03 A9 00 8D 3D 03 A9 94 8D 3E 03 4C 01 03
9400:A9 4C 8D C2 42 A9 00 8D C3 42 A9 93 8D C4 42 4C 00 42
9300:A2 00 BD 00 00 9D 00 81
9308:BD 00 01 9D 00 82 BD 00
9310:02 9D 00 83 BD 00 03 9D
9318:00 84 BD 00 04 9D 00 85
9320:BD 00 05 9D 00 86 BD 00
9328:06 9D 00 87 BD 00 07 9D
9330:00 88 CA D0 CD 4C 59 FF
9600G
|
You have the program in memory and the area $0000..$07FF is copied to $8100..$88FF.
You can write a simple program to write the RAM contents onto a 16-sector disk starting from T1. I leave that exercise to the reader.
How to normalize
Boot my copy disk
Launch Disk Fixer
On your normalized disk
Code: |
The preferred change hereafter skips the last on-disk protection scheme and may help the program run under ProDOS:
T7/S1/3B:BD F9 BF -> 4C D2 68
or if you want the on-disk protection check to be still run:
T7/S1/75:6C FF 00 -> 4C D2 68
or the complete thing to remove the false opcodes (B7 00):
T7/S1/6F:49 68 85 00 B7 00 6C FF 00 -> A9 68 85 00 EA EA 4C D2 68
|
Note that there is another use of the indirect jump bug in the program. As it is in the original loader at $4200 that we do not use anymore, I did not patch it.
The disk image is available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
7/2019
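An added example, not code from the original post: the 4-and-4 nibble scheme that the boot sector at $0888-$0898 decodes (ROL A / STA $3C / LDA / AND $3C), run over a constructed nibble stream built with the address-field markers the post reports for T0-T11 (prologue D5 AA B5, epilogue DE AA). Treating the three 4-and-4 pairs as volume, track and sector is an assumption made here for illustration; the post only shows that the boot code decodes three pairs and compares the last one with $3D.

```python
# Added example (not from the original post).  Models 4-and-4 encoding and the
# address-field reader seen in the boot-sector dump; the nibble stream below is
# CONSTRUCTED test data, and the volume/track/sector order is an ASSUMPTION.

ADDR_PROLOGUE = (0xD5, 0xAA, 0xB5)   # from the post: T0-T11 address prologue
ADDR_EPILOGUE = (0xDE, 0xAA)         # from the post: T0-T11 address epilogue


def encode44(byte):
    """One data byte -> two disk nibbles.  The first nibble carries the odd
    bits, the second the even bits, each OR'ed with $AA so the high bit is set
    and no two consecutive zero bits occur (a Disk II hardware constraint)."""
    return ((byte >> 1) | 0xAA) & 0xFF, (byte | 0xAA) & 0xFF


def decode44(n1, n2):
    """Mirror of the boot code: ROL A with carry set (left over from the
    CMP #$B5 that matched the prologue), STA $3C, LDA next nibble, AND $3C."""
    return ((n1 << 1) | 1) & n2 & 0xFF


def encode_address_field(volume, track, sector):
    """Build the nibble stream for one address field (constructed data)."""
    out = list(ADDR_PROLOGUE)
    for value in (volume, track, sector):
        out.extend(encode44(value))
    out.extend(ADDR_EPILOGUE)
    return out


def read_address_field(nibbles, start=0):
    """Scan for D5 AA B5 (as $0858-$087A does), decode three 4-and-4 pairs
    (the LDY #$03 loop at $0884-$0898) and require the DE AA epilogue.
    Returns ((volume, track, sector), index_after_epilogue) or raises."""
    i, n = start, len(nibbles)
    while i + 2 < n and tuple(nibbles[i:i + 3]) != ADDR_PROLOGUE:
        i += 1
    if i + 3 + 6 + 2 > n:
        raise ValueError("no complete address field found")
    i += 3
    fields = []
    for _ in range(3):
        fields.append(decode44(nibbles[i], nibbles[i + 1]))
        i += 2
    if tuple(nibbles[i:i + 2]) != ADDR_EPILOGUE:
        raise ValueError("bad address epilogue at nibble %d" % i)
    return tuple(fields), i + 2


def is_valid_nibble(n):
    """Disk II constraints: high bit set, no more than two consecutive zero
    bits.  Every 4-and-4 nibble satisfies this by construction."""
    return bool(n & 0x80) and "000" not in format(n, "08b")


if __name__ == "__main__":
    # Constructed "track": a few FF nibbles, then address fields for
    # track 11, sectors 0..2, on volume 254.
    stream = [0xFF] * 5
    for sec in range(3):
        stream += encode_address_field(254, 11, sec) + [0xFF] * 4
    pos = 0
    while True:
        try:
            (vol, trk, sec), pos = read_address_field(stream, pos)
        except ValueError:
            break
        print("volume %d track %d sector %d" % (vol, trk, sec))
```

The decoder deliberately keeps the same three-step shape as the 6502 loop (ROL, STA, AND) so the hex dump at $0888 can be read against it; a real nibble reader would also have to resynchronise on the sync bytes between fields, which is omitted here.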
toinet Site Admin
Posted: Wed 24 Jul 2019, 17:42 Post subject:
The nibble-check on-disk protection routine:
Code: |
00/692E: A9 D2 LDA #D2 ; the low pointer
00/6930: 85 FF STA FF
00/6932: A9 02 LDA #02
00/6934: 8D 00 01 STA 0100
00/6937: A2 E0 LDX #E0
00/6939: A2 F0 LDX #F0
00/693B: BD F9 BF LDA BFF9,X ; it is really LDA $C089,X
00/693E: A0 06 LDY #06
00/6940: 20 A8 FC JSR FCA8
00/6943: 88 DEY
00/6944: D0 FA BNE 6940 {-06}
00/6946: BD FC BF LDA BFFC,X
00/6949: 10 FB BPL 6946 {-05}
00/694B: C9 D5 CMP #D5
00/694D: D0 F7 BNE 6946 {-09}
00/694F: A0 00 LDY #00
00/6951: BD FC BF LDA BFFC,X
00/6954: 10 FB BPL 6951 {-05}
00/6956: C8 INY
00/6957: C9 D5 CMP #D5
00/6959: D0 F6 BNE 6951 {-0A}
00/695B: BD FC BF LDA BFFC,X
00/695E: 10 FB BPL 695B {-05}
00/6960: C8 INY
00/6961: C9 D5 CMP #D5
00/6963: D0 F6 BNE 695B {-0A}
00/6965: BD F8 BF LDA BFF8,X
00/6968: 98 TYA ; 94
00/6969: 38 SEC ; -93
00/696A: ED 00 68 SBC 6800 ; =0000_0001
00/696D: 29 FC AND #FC ; %1111_1100
; %0000_0000
00/696F: 49 68 EOR #68 ; %0110_1000
00/6971: 85 00 STA 00 ; %0110_1000
00/6973: B7 00 LDA [00],Y ; 68
00/6975: 6C FF 00 JMP (00FF)
At $0000, we find $68
At $00FF, we find $7C
so, JMP ($00FF) goes to $68D2
The program relies on the 6502 bug where an indirect jump at a page boundary ($FF and $100) will jump to the address at $00 and $FF: there is no page cross. So, the program does not run on 65c02 machines because of that.
|
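An added example, not code from the original post: a small Python model of the tail of the check ($692E-$6975) and of the NMOS 6502 JMP (indirect) page-wrap bug it relies on, so the $68D2 destination and the 65C02 failure can be reproduced. Memory contents come from the listing above and from the post's own annotations (Y = $94 after counting, $6800 holds $93). The B7 00 bytes are modelled as a no-op, which is what the post's own patch (EA EA) turns them into. The track/sector mapping is an assumption inferred from the post's patch locations (T7/S1 offset $3B corresponds to $693B).

```python
# Added example (not from the original post).  Values are taken from the
# listing at $692E-$6975 and the post's annotations; the disk layout used by
# addr_to_track_sector is an ASSUMPTION inferred from the patch addresses.

def jmp_indirect_target(mem, ptr, cpu="6502"):
    """Destination of JMP (ptr).

    NMOS 6502: the high byte is fetched from ptr+1 with NO carry into the
    page, so JMP ($00FF) reads $00FF and $0000.
    65C02: the carry propagates, so JMP ($00FF) reads $00FF and $0100.
    """
    lo = mem[ptr]
    if cpu == "6502":
        hi_addr = (ptr & 0xFF00) | ((ptr + 1) & 0x00FF)
    elif cpu == "65c02":
        hi_addr = (ptr + 1) & 0xFFFF
    else:
        raise ValueError("unknown cpu %r" % cpu)
    return lo | (mem[hi_addr] << 8)


def run_check_tail(y_count, key_6800, cpu="6502"):
    """Execute the non-I/O part of $692E-$6975 with Y already holding the
    count produced by the read loops.  Returns (zero_page_00, jump_target)."""
    mem = {}
    mem[0x00FF] = 0xD2          # $692E: LDA #$D2 / STA $FF   (pointer low byte)
    mem[0x0100] = 0x02          # $6932: LDA #$02 / STA $0100 (65C02 would use this)
    mem[0x6800] = key_6800      # post annotation: SBC $6800 subtracts $93
    a = (y_count - mem[0x6800]) & 0xFF   # $6968 TYA / $6969 SEC / $696A SBC $6800
    a &= 0xFC                             # $696D AND #$FC: tolerate counts off by 0..3
    a ^= 0x68                             # $696F EOR #$68
    mem[0x0000] = a                       # $6971 STA $00  (pointer high byte on 6502)
    # $6973 B7 00: illegal NMOS opcode; the post's patch replaces it with EA EA,
    # so it is treated as a no-op here (ASSUMPTION for the model).
    return mem[0x0000], jmp_indirect_target(mem, 0x00FF, cpu)   # $6975 JMP ($00FF)


def passing_counts(key_6800):
    """All 8-bit Y values for which the check lands on $68D2."""
    return [y for y in range(256) if run_check_tail(y, key_6800)[1] == 0x68D2]


def addr_to_track_sector(addr):
    """Map a RAM address of the loaded program to (track, sector, offset) on
    the normalized 16-sector disk.  ASSUMPTION: T7/S1 holds $6900-$69FF (from
    the post's patch locations), so T1/S0 holds $0800 and each track covers
    $1000 bytes."""
    rel = addr - 0x0800
    return 1 + rel // 0x1000, (rel % 0x1000) // 0x100, addr & 0xFF


if __name__ == "__main__":
    for cpu in ("6502", "65c02"):
        zp0, target = run_check_tail(0x94, 0x93, cpu)
        print("%s: $00 = $%02X, JMP ($00FF) -> $%04X" % (cpu, zp0, target))
    print("counts that pass:", ["$%02X" % y for y in passing_counts(0x93)])
    for a in (0x693B, 0x6975, 0x696F):      # the three patch locations
        print("$%04X -> T%d/S%d/%02X" % ((a,) + addr_to_track_sector(a)))
```

Running it shows why the three Disk Fixer patches all end in 4C D2 68: on a 6502 the indirect jump resolves to $68D2 whenever the count is within $93..$96, and on a 65C02 the same bytes resolve to $02D2 (the $02 stored at $0100), which is the failure the post describes.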