qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Fri 11 Apr 2014, 7:25 Post subject: Prince of Persia (Brøderbund, 1989)
Surely, everyone knows Prince of Persia. The stunning hires run-and-jump game, with sword-fighting and some puzzle solving, by the author of Karateka.
The game came on two sides, entirely 18-sector tracks, and some other surprises, too. You rip the tracks to 16 sectors, make a loader and it doesn't boot.
You find a protection check, you patch it, and then it boots right into the title screen. You think that you're done, but then... no, you can't play any levels.
You find another protection check, you patch it, and then it boots into the first level. Now you're done for sure, right? No, you finish the first level, and then it resets to the title page.
You find yet another protection check, you patch it, and then it plays. Are you done yet? Maybe. ;-)
The existing cracks all made use of a third side to store the extra sectors. That's really quite lame. Finally, after 25 years, I rose to the challenge. There is now a two-side 16-sector version.
Next time, I'll show the boot process (including why the funny message on T00S0F) and the protection checks, and soon after I will discuss the custom loader that I used to fit everything in.
Last edited by qkumba on Sat 12 Apr 2014, 22:02; edited 1 time

amauget
Joined: 06 Dec 2009 Posts: 954 Location: Nantes
Posted: Fri 11 Apr 2014, 21:24 Post subject:
Excellent, Peter!
I remember playing this one with 2 drives, one disk in each.
The switching access between the 2 drives reminded me of a Christmas tree.
_________________
Antony
Apple II forever

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Sat 12 Apr 2014, 22:02 Post subject:
Funny, I was thinking the same thing recently.

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Tue 29 Apr 2014, 5:36 Post subject:
Here we go. The first stage loader, and its protection routine.
Code:
byte_800: .BYTE 1
loc_801:
LDA #$60
STA loc_801
LDA #$9B
STA $4E ;looks fake but is really half of an address write...
LDX #$FF
STX $4FB
STX $3F3
STX $3F4 ;kill reset vector
STX $7831 ;fake!
STX $C000
STX $C002
STX $9FD8 ;fake!
STX $C004
STX $C00C
STX $C00E
STX $C081
TXS
JSR $FB2F
JSR $FC58
JSR $FE84
JSR $FE93
STA $DF35 ;fake!
JSR $FE89
STX $8492 ;fake!
LDX $2B
TXA
LSR A
LSR A
LSR A
LSR A
ORA #$C0
STA loc_864+2
LDA #$F
STA $50
loc_853:
LDY $50
LDA byte_86D,Y
STA $3D
LDA byte_87D,Y
BEQ loc_867
STA $27
INC $9FD8
loc_864:
JSR $5C ;self-mod to $Cx5C to read sectors
loc_867:
DEC $50
BNE loc_853
BEQ loc_88D
byte_86D: .BYTE 0, $D, $B, 9, 7, 5, 3, 1, $E, $C, $A, 8, 6, 4, 2, $F
byte_87D: .BYTE 0, 9, $A, $B, 0, $C, $D, $E, $30, $31, $32, $33, $34, $10, $11, $2F
;so sectors 1-3 go to $900-BFF
;sectors 5-7 go to $C00-EFF
;sectors 8-C go to $3000-34FF
;sectors D-E go to $1000-11FF
;and sector F goes to $2F00
loc_88D:
LDX #$E
loc_88F:
LDA byte_87D,X
BEQ loc_8B0
STA loc_89C+2
STA loc_8A2+2
LDY #0
loc_89C:
LDA $FF00,Y
EOR $2F00,Y ;decode using funny message (see below)
loc_8A2:
LDA $FF00,Y
EOR $7831 ;fake!
STA $7831 ;fake!
STA $3C ;fake!
INY
BNE loc_89C
loc_8B0:
DEX
BPL loc_88F
LDX $2B
STX $FD
JSR loc_906 ;detect 128kb Apple II
JSR sub_96C
LDA #0
STA $FF
JSR $D000
.BYTE 7, $A9 ;set prolog byte
JSR $D000
.BYTE 0, 1, 0 ;turn on drive 1
JSR $D000
.BYTE 2, 0, 1 ;seek track 1
JSR $D000
.BYTE $C3, $EE ;load 18 sectors to $EE00
JMP $EE00
loc_8DA:
LDA #$EE
STA $C005
LDA #9
STA $4F ;the other half from above
STA $C003
STA byte_800
LDA byte_C00
CMP #$EE
BNE loc_8FB
ASL byte_C00
LDA byte_800
CMP byte_C00
BEQ loc_8FC
loc_8FB:
CLC
loc_8FC:
STA $C004
STA $C002
RTS
.BYTE $34, $55, $99
loc_906:
STA $C081
LDA $FBB3
CMP #6
BNE loc_926
BIT $C017
BMI loc_926
LDX #$29
loc_917:
LDA loc_8DA,X
STA $180,X
DEX
BPL loc_917
JSR $180
BCS loc_926
RTS
loc_926:
LDX $2B
LDA $C088,X
JSR $FB2F
JSR $FC58
LDA #8
JSR $FB5B
LDY #0
loc_938:
LDA loc_94B,Y
loc_93B:
BEQ loc_93B
JSR $FDF0
CMP #$8D
BNE loc_948
LDA #4
STA $24
loc_948:
INY
BNE loc_938
loc_94B: .BYTE $8D, 'REQUIRES A //C OR //E WITH 128K',0
sub_96C:
BIT $C08B
BIT $C08B
LDA #$D0
LDX #$30
LDY #$40
STA 1
STX 3
STY 5
LDY #0
LDA #$24 ;BIT instruction
STA ($4E),Y ;write indirect using the address from above
STY 0
STY 2
STY 4
loc_98A:
LDA (2),Y
STA (0),Y
INY
BNE loc_98A
INC 3
INC 1
LDA 3
CMP 5
BNE loc_98A
loc_99B:
RTS ;self-mod to BIT instruction, allows to execute what's next
.BYTE $FF
LDA #$A
STA $F4
LDA #2
STA $4F ;another half of address construction
LDX $2B
LDA $C089,X
LDA $C08E,X
LDA #$41
STA $F6
LDA #$A
STA $F7
loc_9B5:
LDA #$80
STA $F5
loc_9B9:
DEC $F5
BEQ loc_A19
JSR sub_A49 ;read prolog
BCS loc_A19
LDA $F1
CMP #7 ;watch for sector 7
BNE loc_9B9
LDY #0
loc_9CA:
LDA $C08C,X
BPL loc_9CA
DEY
BEQ loc_A19
CMP #$D5
BNE loc_9CA
LDY #0
loc_9D8:
LDA $C08C,X
BPL loc_9D8
DEY
BEQ loc_A19
CMP #$E7
BNE loc_9D8
loc_9E4:
LDA $C08C,X
BPL loc_9E4
CMP #$E7
BNE loc_A19
loc_9ED:
LDA $C08C,X
BPL loc_9ED
CMP #$E7
BNE loc_A19
LDA $C08D,X
LDY #$10
BIT 6
loc_9FD:
LDA $C08C,X
BPL loc_9FD
DEY
BEQ loc_A19
CMP #$EE ;watching for D5 E7 E7 E7 ... EE
BNE loc_9FD
LDY #7
loc_A0B:
LDA $C08C,X
BPL loc_A0B
CMP ($F6),Y ;followed by the nibbles at loc_A41
BNE loc_A37
DEY
BPL loc_A0B
BMI loc_A1C
loc_A19:
JMP loc_A19 ;hang on failure
loc_A1C:
TYA
EOR #$79
LDX #6
DEX
STA $C000,X
STA ($4E),Y ;write $79 to $23B, this is important later
DEX
STA $C000,X
EOR #$ED
STA $239
EOR #$23
STA $4E
JMP loc_AA4
loc_A37:
LDY #$FF
TYA
DEC $F4
BEQ loc_A1C
JMP loc_9B5
loc_A41:
.BYTE $FC, $EE, $EE, $FC, $E7, $EE, $FC, $E7
sub_A49:
LDY #$FD
STY $F8
TYA
EOR #$C6 ;-> $3B
STA $4E ;the other half of address construction
loc_A52:
INY
BNE loc_A59
INC $F8
BEQ loc_A96
loc_A59:
LDA $C08C,X
BPL loc_A59
loc_A5E:
CMP #$D5
BNE loc_A52
NOP
loc_A63:
LDA $C08C,X
BPL loc_A63
CMP #$AA
BNE loc_A5E
LDY #3
loc_A6E:
LDA $C08C,X
BPL loc_A6E
CMP #$96
BNE loc_A5E
LDA #0
loc_A79:
STA $F9
loc_A7B:
LDA $C08C,X
BPL loc_A7B
ROL A
STA $F8
loc_A83:
LDA $C08C,X
BPL loc_A83
AND $F8
STA $F0,Y
EOR $F9
DEY
BPL loc_A79
TAY
NOP
CLC
RTS
loc_A96:
SEC
locret_A97:
RTS
loc_AA4: ;check for secret keys!
LDX $2B
LDA $C061
BPL locret_A97
LDA $C062 ;check for both buttons down
BPL locret_A97
LDA $C000
BPL locret_A97
BIT $C010 ;and a keypress
STA loc_AC5+1
LDY #$FD
loc_ABD:
INY
INY
INY
LDA byte_ADC,Y
BEQ locret_A97
loc_AC5:
CMP #$11 ;self-mod
BNE loc_ABD
LDA off_ADD,Y
STA 0
LDA off_ADD+1,Y
STA 1
BIT $C081
LDA $C088,X
JMP (0)
byte_ADC: .BYTE $FF ;DELETE
off_ADD:
.WORD loc_A98
.BYTE $A1 ;!
.WORD loc_D2A
.BYTE $8D ;RETURN
.WORD loc_C68
.BYTE $C0 ;@
.WORD loc_B29
.BYTE $DE ;^
.WORD loc_AEC
.BYTE 0

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Tue 29 Apr 2014, 5:39 Post subject:
and the funny message from T0S0F:
Code:
For further information on how to copy this product,
call Broderbund's Customer Service line at 1-415-492-3500
We here at Broderbund thank you for your support.
The byte values of the text are used to decode the other sectors. If you change the message then it destroys the contents. Very funny.
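The load table from the first-stage listing and the message-keyed decode described in the two posts above, modelled in Python as an added example (not qkumba's code or Brøderbund's). The table values come from byte_87D; the sector contents, the padding of the message to 256 bytes and the function names are constructed, and the model assumes the XOR result is stored back into each page.

```python
# Added example (not from the original post). Table values are copied from
# byte_87D in the listing above; the sector contents below are constructed.
BYTE_87D = [0x00, 0x09, 0x0A, 0x0B, 0x00, 0x0C, 0x0D, 0x0E,
            0x30, 0x31, 0x32, 0x33, 0x34, 0x10, 0x11, 0x2F]
KEY_PAGE = 0x2F  # sector $F, the "funny message", is loaded to $2F00


def load_map():
    """Sector -> destination page, as the read loop at loc_853 walks $F down to 1."""
    return {s: BYTE_87D[s] for s in range(0x0F, 0, -1) if BYTE_87D[s]}


def xor_page(data, key):
    return bytes(d ^ k for d, k in zip(data, key))


def decode(memory):
    """Model of the loop at loc_88F: X runs $E..0, zero entries are skipped.

    Assumption: the XOR result is written back to the page it was read from.
    """
    key = memory[KEY_PAGE]
    out = dict(memory)
    for x in range(0x0E, -1, -1):
        page = BYTE_87D[x]
        if page:
            out[page] = xor_page(memory[page], key)
    return out


# Constructed sample data: a 256-byte key page built from the first line of the
# message, and recognisable plaintext for every other loaded page.
MESSAGE = b"For further information on how to copy this product,".ljust(256, b" ")
PLAIN = {p: bytes((p + i) & 0xFF for i in range(256))
         for p in load_map().values() if p != KEY_PAGE}


def build_memory(message):
    """Memory image after the sector reads: key page in clear, the rest encoded."""
    mem = {p: xor_page(data, MESSAGE) for p, data in PLAIN.items()}
    mem[KEY_PAGE] = message
    return mem


def damaged_pages(message):
    """Pages whose decoded content no longer matches the plaintext."""
    decoded = decode(build_memory(message))
    return sorted(p for p in PLAIN if decoded[p] != PLAIN[p])


if __name__ == "__main__":
    for sector, page in sorted(load_map().items()):
        print(f"sector ${sector:X} -> ${page:02X}00")
    edited = b"f" + MESSAGE[1:]          # change a single character of the text
    print("intact message :", damaged_pages(MESSAGE))
    print("edited message :", [f"${p:02X}00" for p in damaged_pages(edited)])
```

Changing one character of the message leaves the key page readable but corrupts the same offset in all 13 decoded pages, which is why the text cannot be edited without breaking the boot.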

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Tue 29 Apr 2014, 5:41 Post subject:
Next time I will cover the in-game protection. Yes, there is more.
After defeating the boot-time protection, the game reaches the title screen, plays the demo, and you can even play the first level. It looks like it works.
However...

Olivier
Joined: 30 Dec 2011 Posts: 15
Posted: Thu 01 May 2014, 20:23 Post subject:
Now that the source code has been released, I might go check if it's all there

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Fri 02 May 2014, 17:50 Post subject:
Olivier wrote: | Now that the source code has been released, I might go check if it's all there |
Ah, the source code. Such a trouble! It can build only the 3.5" version, so no copy protection (specifically, it's in the source code and is emitted in 5.25" mode, but someone deleted one line so it always fails and you can't play), and no encryption (so the funny message is absent).

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Thu 15 May 2014, 5:30 Post subject:
Here is the second (of three) protection routines.
This runs from aux memory, just to make it hard to find.
Code:
EBFE loc_EBFE:
EBFE LDY #$21
EC00 LDA #$63
EC02 JSR sub_ED02
EC05 JSR sub_ED15
EC08 byte_EC08: .BYTE $60, $38, $60, $18, $EA, $A8, $E7, $10, $88, $49, $45, 0, $40, $99, $48, $25
EC08 .BYTE $FB, $10, $C0, $8C, $BD, $48, $85, $2A, $FB, $10, $C0, $8C, $BD, $49, $85, 0
EC08 .BYTE $A9, $E7, $D0, $96, $C9, $FB, $10, $C0, $8C, $BD, 3, $A0, $F2, $D0, $AA, $C9
EC08 .BYTE $FB, $10, $C0, $8C, $BD, $EA, $F0, $D0, $D5, $C9, $FB, $10, $C0, $8C, $BD, $3D
EC08 .BYTE $F0, $48, $E6, 4, $D0, $C8, $48, $84, $FD, $A0, $60, $F1, $D0, $D, $E0, $E8
EC08 .BYTE $62, $54, $9D, $40, $94, $40, $B5, $62, $54, $BC, 0, $A2, $E7, $FC, $EE, $E7
EC08 .BYTE $FC, $EE, $EE, $FC, $63, $38, $4C, $B, $F0, $44, $C6, $60, $18, $BF, $FB, $9D
EC08 .BYTE $CD, $95, $2A, $BF, $FC, $9D, 0, $A9, $63, $BE, $20, $63, $9F, $4C, 3, $30
EC08 .BYTE $F4, $10, $88, 5, $D0, $46, $D1, $FB, $10, $C0, $8C, $BD, 7, $A0, $F4, $D0
EC08 .BYTE $EE, $C9, $14, $F0, $88, $FB, $10, $C0, $8C, $BD, 6, $24, $10, $A0, $C0, $8D
EC08 .BYTE $BD, $23, $D0, $E7, $C9, $FB, $10, $C0, $8C, $BD, $2C, $D0, $E7, $C9, $FB, $10
EC08 .BYTE $C0, $8C, $BD, $F4, $D0, $E7, $C9, $39, $F0, $88, $FB, $10, $C0, $8C, $BD, 0
EC08 .BYTE $A0, $F4, $D0, $D5, $C9, $47, $F0, $88, $FB, $10, $C0, $8C, $BD, 0, $A0, $F1
EC08 .BYTE $D0, 7, $C9, $41, $A5, $57, $B0, $63, $D0, $20, $5C, $F0, $45, $C6, $45, $85
EC08 .BYTE $80, $A9, $47, $85, $63, $A9, $46, $85, $B6, $A9, $C0, $8E, $BD, $C0, $89, $BD
EC08 .BYTE $FD, $A6, $44, $85, $A, $A9, $63, $BE, $20
ED01 .BYTE $20
ED02 sub_ED02:
ED02 STY 4
ED04 STA 5
ED06 LDY #0
ED08 LDX #$F9
ED0A
ED0A loc_ED0A:
ED0A DEX ;see this - the code is loaded backwards!
ED0B LDA byte_EC08,X
ED0E STA (4),Y
ED10 INY
ED11 BNE loc_ED0A
ED13 RTS
ED14 .BYTE $2C ;dummy byte to hide the jump
ED15
ED15 sub_ED15:
ED15 JMP (4)
which decodes to almost the same routine as the boot protection.
the check is the same, but the behaviour is different for failure.
Code:
6321 JSR sub_63BE ;save zero-page locations
6324 LDA #$A
6326 STA byte_44
6328 LDX byte_FD
632A LDA $C089,X
632D LDA $C08E,X
6330 LDA #$B6
6332 STA byte_46
6334 LDA #$63
6336 STA byte_47
6338
6338 loc_6338:
6338 LDA #$80
633A STA byte_45
633C
633C loc_633C:
633C DEC byte_45
633E BEQ loc_639C
6340 JSR sub_63D0
6343 BCS loc_639C
6345 LDA byte_41
6347 CMP #7
6349 BNE loc_633C
634B LDY #0
634D
634D loc_634D:
634D LDA $C08C,X
6350 BPL loc_634D
6352 DEY
6353 BEQ loc_639C
6355 CMP #$D5
6357 BNE loc_634D
6359 LDY #0
635B
635B loc_635B:
635B LDA $C08C,X
635E BPL loc_635B
6360 DEY
6361 BEQ loc_639C
6363 CMP #$E7
6365 BNE loc_635B
6367
6367 loc_6367:
6367 LDA $C08C,X
636A BPL loc_6367
636C CMP #$E7
636E BNE loc_639C
6370
6370 loc_6370:
6370 LDA $C08C,X
6373 BPL loc_6370
6375 CMP #$E7
6377 BNE loc_639C
6379 LDA $C08D,X
637C LDY #$10
637E BIT byte_6
6380
6380 loc_6380:
6380 LDA $C08C,X
6383 BPL loc_6380
6385 DEY
6386 BEQ loc_639C
6388 CMP #$EE
638A BNE loc_6380
638C LDY #7
638E
638E loc_638E:
638E LDA $C08C,X
6391 BPL loc_638E
6393 CMP ($46),Y
6395 BNE loc_639C
6397 DEY
6398 BPL loc_638E
639A BMI loc_639F
639C
639C loc_639C:
639C JMP loc_63AF
639F
639F loc_639F:
639F JSR sub_63BE
here is the different part: on success, set a value in an aux zero page location.
this value is checked by the game later, instead of failing immediately.
Code:
63A2 LDA #0
63A4 STA $BFFC,X
63A7 ROL A
63A8 STA $CD,X
63AA STA $BFFB,X
63AD CLC
63AE RTS
63AF loc_63AF:
63AF DEC byte_44
63B1 BEQ sub_63BE
63B3 JMP loc_6338
63B6 .BYTE $FC, $EE, $EE, $FC, $E7, $EE, $FC, $E7
63BE sub_63BE:
63BE LDX #0
63C0
63C0 loc_63C0:
63C0 LDY byte_6254,X
63C3 LDA $40,X
63C5 STY $40,X
63C7 STA byte_6254,X
63CA INX
63CB CPX #$D
63CD BNE loc_63C0
63CF RTS
63D0 sub_63D0:
63D0 LDY #$FD
63D2 STY byte_48
63D4
63D4 loc_63D4:
63D4 INY
63D5 BNE loc_63DB
63D7 INC byte_48
63D9 BEQ loc_6418
63DB
63DB loc_63DB:
63DB LDA $C08C,X
63DE BPL loc_63DB
63E0
63E0 loc_63E0:
63E0 CMP #$D5
63E2 BNE loc_63D4
63E4 NOP
63E5
63E5 loc_63E5:
63E5 LDA $C08C,X
63E8 BPL loc_63E5
63EA CMP #$AA
63EC BNE loc_63E0
63EE LDY #3
63F0
63F0 loc_63F0:
63F0 LDA $C08C,X
63F3 BPL loc_63F0
63F5 CMP #$96
63F7 BNE loc_63E0
63F9 LDA #0
63FB
63FB loc_63FB:
63FB STA byte_49
63FD
63FD loc_63FD:
63FD LDA $C08C,X
6400 BPL loc_63FD
6402 ROL A
6403 STA byte_48
6405
6405 loc_6405:
6405 LDA $C08C,X
6408 BPL loc_6405
640A AND byte_48
640C STA $40,Y
640F EOR byte_49
6411 DEY
6412 BPL loc_63FB
6414 TAY
6415 NOP
6416 CLC
6417 RTS
6418
6418 loc_6418:
6418 SEC
6419 RTS

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Tue 27 May 2014, 21:52 Post subject:
and the final protection, which runs after the first level is completed.
It begins by generating an 8-bit decryption key, which is also used as the execution address.
Code:
4C5A SEC
4C5B ROL A
4C5C CLC
4C5D ROL A
4C5E DEX
4C5F BNE loc_4C5A ;called with x > 4, to always construct a key of $AA
4C61 STA 4 ;holds the key, also half of a jump address later
4C63 JSR loc_4DF3
4C66 JMP loc_4E16
4C69 byte_4C69: .BYTE $27, $A2, $6A, $C, $57, $17, $23, $6A, $8A, $AD, 6, 3, $AA, $8A, $34, 1
4C69 .BYTE 3, $A0, $2F, $9E, $C, $57, $17, $24, $6A, 3, 1, $2F, $9D, 3, $E9, $2F
4C69 .BYTE $9C, 3, $2A, $2F, $9F, $6C, $9F, $5A, $F6, $8A, $F8, 1, $1A, $FD, $F, $9B
4C69 .BYTE $63, $AD, $7A, $5B, $A, $AA, $17, $26, $6A, $BA, $51, $22, $5A, $ED, $63, $7F
4C69 .BYTE $7A, $5E, $A, $AA, $17, $26, $6A, $BA, $51, $22, $5A, $93, $63, $4D, $7A, $5E
4C69 .BYTE $17, $26, $6A, $BA, $51, $63, $4D, $7A, $86, $17, $26, $6A, $BA, $51, $63, $4D
4C69 .BYTE $7A, $89, $17, $27, $6A, $A, $BA, $8E, $AC, $17, $26, $6A, $BA, $51, $22, $5A
4C69 .BYTE $BE, $63, $44, $7A, $5E, $A, $AD, $17, $26, $6A, $BA, $51, $7B, $9C, $7A, $AF
4C69 .BYTE $22, $BA, $5E, $9A, $A9, $E6, $96, 1, $8A, $AD, 6, $37, $42, $15, $DC, $F1
4C69 .BYTE $B2, $CA, $6C, $9E, $5A, $A1, $E6, $61, 0, $56, $44, $44, $56, $4D, $44, $56
4C69 .BYTE $4D, $8A, $AD, 6, $37, $42, $15, $CA, $A, $57, $2E, $92, $62, $7A, $AE, $4C
4C69 .BYTE $92, $5A, $97, $17, $26, $6A, $BA, $51, $63, $7F, $7A, $5A, $40, $17, $26, $6A
4C69 .BYTE $BA, $51, $63, 0, $7A, $58, $A, $A9, $17, $26, $6A, $BA, $51, $63, $3C, $7A
4C69 .BYTE $4D, 3, $AA, $2F, $93, $17, $26, $6A, $BA, $51, $80, $2F, $92, $17, $26, $6A
4C69 .BYTE $BA, $51, $8F, $92, $33, $9A, $AA, $EF, $93, $22, $BA, $4D, 2, $40, $B2, $CA
4C69 .BYTE $92, $CA, 3, $AE, $27, $62, $E, $6F, $55, $5A, $FC, 3, $AA, $27, $67, $E
4D69 byte_4D69: .BYTE $F, $55, $27, $6F, $E, $92, $47, $62, $E, $5A, $9F, $1A, $AC, $E3, $55, $4C
4D69 .BYTE $55, $3A, $AE, $C3, $54, $6C, $55, $67, $67, $E, $3A, $A9, 7, $67, $E, $63
4D69 .BYTE $A6, $1A, $AB, 2, $92, $8A, $44, 1, $13, $B3, 6, $8A, $56, 1, 7, $6F
4D69 .BYTE $E, $B2, $8A, $5A, 1, $13, $8F, 6, $8A, $56, 1, $44, $67, $E, $7A, $6A
4D69 .BYTE $8A, $56, 1, $B2, $F, $55, $83, $A9, $80, $AF, $57, 0, $17, $2A, $6A, $C
4D69 .BYTE $57, $CA, 8, $B8, $60, $7A, $57, $92, $43, $AB, $7A, $5C, $CA, 8, $AA, $16
4D69 .BYTE $E, $E, $1F, $9A, $3E, $9A, $37, $E, $E, $42, $4A, $8B, $7A, $5B, $CA, $AB
4D69 .BYTE $9A, $82, $8E, $8A, $B4, $B7, $B6, $B6, $B6, $B6, $B6, $DA, $86, $8C, $88, $B5
4D69 .BYTE $B4, $B7, $B6, $B6, $B6, $B6, $B6, $55, $A9, $20
4DF3 loc_4DF3:
4DF3 STA 5 ;the other half of the jump address ($AAAA)
4DF5 LDY #0
4DF7
4DF7 loc_4DF7:
4DF7 LDA byte_4C69,Y
4DFA EOR 4
4DFC STA (4),Y
4DFE INC 5
4E00 LDA byte_4D69,Y
4E03 EOR 4
4E05 STA (4),Y
4E07 DEC 5
4E09 INY
4E0A BNE loc_4DF7
4E0C LDA 4
4E0E EOR #$E6
4E10 STA 3 ;forms a $4C
4E12 JMP 3 ;where we find "JMP $AAAA"
then the actual protection routine, same as before, except for what happens on success.
Code:
AAAA STA $C008
AAAD LDX $FD
AAAF LDA $C089,X ;turn on the drive
AAB2 JSR sub_AC07 ;save zero-page locations
AAB5 LDA #0
AAB7 JSR sub_AB9E ;seek track 0
AABA LDA #$A
AABC STA $34
AABE LDX $FD
AAC0 LDA $C08E,X
AAC3 LDA #$AB
AAC5 STA $37
AAC7 LDA #$43
AAC9 STA $36
AACB LDA #$80
AACD STA $35
AACF
AACF loc_AACF:
AACF DEC $35
AAD1 BEQ loc_AB2F
AAD3 JSR sub_AB52 ;read address prologue
AAD6 BCS loc_AB2F
AAD8 LDA $31
AADA CMP #7 ;watch for sector 7
AADC BNE loc_AACF
AADE LDY #0
AAE0
AAE0 loc_AAE0:
AAE0 LDA $C08C,X
AAE3 BPL loc_AAE0
AAE5 DEY
AAE6 BEQ loc_AB2F
AAE8 CMP #$D5
AAEA BNE loc_AAE0
AAEC LDY #0
AAEE
AAEE loc_AAEE:
AAEE LDA $C08C,X
AAF1 BPL loc_AAEE
AAF3 DEY
AAF4 BEQ loc_AB2F
AAF6 CMP #$E7
AAF8 BNE loc_AAEE
AAFA
AAFA loc_AAFA:
AAFA LDA $C08C,X
AAFD BPL loc_AAFA
AAFF CMP #$E7
AB01 BNE loc_AB2F
AB03
AB03 loc_AB03:
AB03 LDA $C08C,X
AB06 BPL loc_AB03
AB08 CMP #$E7
AB0A BNE loc_AB2F
AB0C LDA $C08D,X
AB0F LDY #$10
AB11 BIT 6
AB13
AB13 loc_AB13:
AB13 LDA $C08C,X
AB16 BPL loc_AB13
AB18 DEY
AB19 BEQ loc_AB2F
AB1B CMP #$EE ;D5 E7 E7 E7 ... EE
AB1D BNE loc_AB13
AB1F LDY #7
AB21
AB21 loc_AB21:
AB21 LDA $C08C,X
AB24 BPL loc_AB21
AB26 CMP ($36),Y ;and then the nibbles at $AB43
AB28 BNE loc_AB2F
AB2A DEY
AB2B BPL loc_AB21
AB2D BMI loc_AB32
AB2F
AB2F loc_AB2F:
AB2F JMP loc_AB3C
AB32
AB32 loc_AB32:
AB32 JSR sub_AC07
AB35 STA $BFE8,X
AB38 ROR $5B,X ;set $7C to $80
AB3A CLC
AB3B RTS
AB3C loc_AB3C:
AB3C DEC $34
AB3E BEQ loc_AB4B
AB40 JMP loc_AACB
AB43 .BYTE $FC, $EE, $EE, $FC, $E7, $EE, $FC, $E7
AB4B loc_AB4B:
AB4B JSR sub_AC07
AB4E STA $BFE8,X
AB51 RTS
the special thing is this line:
Code:
AB38 ROR $5B,X ;set $7C to $80
This is not checked until level 7! So you play almost all of the way through the game, thinking that the protections are all solved, and then it crashes. Funny.
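The two hiding layers used by the second and third checks, reproduced in Python as an added example (not code from the thread): the reversed copy done by sub_ED02 and the $AA XOR done at loc_4DF3. The byte values are copied from byte_EC08 and byte_4C69 above; the function names and the small opcode table are assumptions of this sketch.

```python
# Added example, not code from the thread. Byte values are copied from the
# listings above; only the rows needed for the first instructions are included.
EC08_TAIL = bytes.fromhex(   # byte_EC08 offsets $E0..$F8 (last 25 bytes)
    "80A94785 63A94685 B6A9C08E BDC089BD FDA64485 0AA963BE 20")
B4C69_HEAD = bytes.fromhex(  # byte_4C69 offsets $00..$0F
    "27A26A0C 5717236A 8AAD0603 AA8A3401")

# Only the opcodes that occur at the start of the two hidden routines.
OPS = {0x20: ("JSR", "${:04X}", 2), 0x4C: ("JMP", "${:04X}", 2),
       0x8D: ("STA", "${:04X}", 2), 0xBD: ("LDA", "${:04X},X", 2),
       0xA9: ("LDA", "#${:02X}", 1), 0x85: ("STA", "${:02X}", 1),
       0xA6: ("LDX", "${:02X}", 1)}


def disasm(code, org):
    """Decode until an unknown opcode or a truncated operand is reached."""
    lines, pc = [], 0
    while pc < len(code):
        name, fmt, n = OPS.get(code[pc], (None, None, 0))
        if name is None or pc + n >= len(code):
            break
        operand = int.from_bytes(code[pc + 1:pc + 1 + n], "little")
        lines.append(f"{org + pc:04X} {name} {fmt.format(operand)}")
        pc += 1 + n
    return lines


def copy_reversed(table, start_x, count):
    """sub_ED02: DEX, then dest[Y] = table[X], for Y = 0, 1, 2, ..."""
    out, x = bytearray(), start_x
    for _ in range(count):
        x = (x - 1) & 0xFF
        out.append(table[x])
    return bytes(out)


def make_key(a, x):
    """Loop at $4C5A: SEC/ROL A shifts in a 1, CLC/ROL A shifts in a 0."""
    for _ in range(x):
        a = ((a << 1) | 1) & 0xFF
        a = (a << 1) & 0xFF
    return a


def second_check_head():
    table = bytes(0xE0) + EC08_TAIL          # rows not copied here are zero-filled
    return disasm(copy_reversed(table, 0xF9, len(EC08_TAIL)), 0x6321)


def third_check_head():
    key = make_key(0x00, 5)                  # any starting A, X >= 4
    stub = bytes([key ^ 0xE6, key, key])     # zero page $03..$05
    body = bytes(b ^ key for b in B4C69_HEAD)
    return disasm(stub, 0x0003) + disasm(body, key << 8 | key)


if __name__ == "__main__":
    print("\n".join(second_check_head() + third_check_head()))
```

The output lines up with the decoded listings at $6321 and $AAAA, so the same two functions can be used to check the rest of either table against the disassembly.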

toinet Site Admin
Joined: 15 Jun 2007 Posts: 2928 Location: Le Chesnay, France
Posted: Wed 28 May 2014, 12:12 Post subject:
great explanations. the level 7 thing is interesting! that reminds me of skyfox and its protection check when you reached the clouds!
av

cybernesto
Joined: 01 Jan 2016 Posts: 3 Location: Germany
Posted: Mon 30 May 2016, 20:00 Post subject:
Hi Peter,
Does your 16 sector version work outside emulators? It does not work on my Apple IIc, either from an SDFloppy or from diskettes written with ADT-Pro. Could it have the same glitch that was present in the ToyShop?

qkumba
Joined: 29 Jan 2012 Posts: 171
Posted: Tue 31 May 2016, 17:01 Post subject:
Hi Cybernesto,
It was working properly on a IIe, but still likely to be the same problem as for Toy Shop. I'll try to check that today.

qkumba
Joined: 29 Jan 2012 Posts: 171