Silent Service (Microprose, 1985)

[toinet]

THE submarine simulation. A complex game by Microprose, specialists of air and sea simulations.

Deckard tells me my crack is not complete as the game may crash during a round. As I have not played the game intensively, that might come, who knows?


PROTECTION TYPE
It is a standard DOS3.3 16-sector diskette.


DISK COPY
- Launch Locksmith 6.3 fast disk backup
- Copy the disk
- or, alternatively, copy the disk with Advanced Demuffin (B942:18)


REMOVE THE PROTECTION
Launch your favorite disk editor
Remove the first protection routine
- T5/S9/3B: 4C 3D 02 => 4C 9D 02
Remove a copy of the protection routine !!!
- T4/S9/3B: 4C 3D 02 => 4C 9D 02

The next message contains the complete protection routine disassembly.


Your backup copy is now ready,

Toinet

[toinet]

That is the disassembly of file \\\\ which contains the protection. The code modifies itself.

The aim of the protection is to make an indirect jump to $0200 which goes to the next loading step or goes to the HARDWARE FAILURE message.

Code : Tout sélectionner

*
* MICROPROSE : SILENT SERVICE
*
* BOOT PROGRAM: \\\\
*

         ORG   $000200
         MX    %11
         LST   OFF

*
*
*

LB900    =     $B900

PWREDUP  EQU   $03F4
ROMIN2   EQU   $C081
LCBANK2  EQU   $C083

*
*
*

L0200    NOP              ; D0 eor EA = $3A
L0201    NOP              ; $DB or $02

         LDA   #$8E
         STA   $03D1
         LDA   #$03
         STA   $03D2
         LDA   #$82
         STA   $D6
         INC   PWREDUP
         LDA   LCBANK2
         LDA   $37
         CMP   #$BE
         BCS   L022A

         LDA   #>LB900
         STA   L0248+2
         STA   L0278+2
         STA   L0260+2
         STA   L0290+2

L022A    LDA   #$D0       ; D0 eor
         EOR   L0200      ; EA =
         STA   L0200      ; 3A

         LDX   #$60       ; turn drive on
         LDA   $C089,X
L0237    JMP   L023D      ; Why not jump to $029D ?
L023A    JMP   L02C2

*

L023D    LDA   $0478      ; track
         ASL
         STA   $0478
L0244    LDA   #$43
         LDX   #$60
L0248    JSR   $F9A0      ; B9A0

         LDA   $0478      ; track
         LSR
         STA   $0478
         ASL
         STA   $047E

         LDA   #$00       ; read
         STA   $2E
         LDA   $C08C,X
         LDA   $C08E,X
L0260    JSR   $F944      ; B944
         BCS   L02A5      ; read error !

*

         LDA   L0244+1
         LSR
         CMP   $2E
         BNE   L02B3
         LDA   $0478
         ASL
         STA   $0478
         LDA   #$44
         LDX   #$60
L0278    JSR   $F9A0      ; B9A0
         LDA   $0478
         LSR
         STA   $0478
         ASL
         STA   $047E
         LDA   #$00
         STA   $2E
         LDA   $C08C,X
         LDA   $C08E,X
L0290    JSR   $F944      ; B944
         BCS   L02A5      ; read error
         LDA   L0244+1
         LSR
         CMP   $2E
         BNE   L02B3

* Synchro is equal !

L029D    LDA   #$DB       ; $DB3A
         STA   L0201
         JMP   L02AA

*

L02A5    LDA   #>L0200    ; $023A -> HARDWARE FAILURE
         STA   L0201
L02AA    LDA   $C088,X
         LDA   ROMIN2
         JMP   L02BB

L02B3    LDA   #>L0200    ; $023A -> HARDWARE FAILURE
         STA   L0201
         JMP   L02AA

L02BB    LDY   #>L02CD
         LDA   #<L02CD
         JMP   (L0200)    ; Indirect jump

L02C2    LDY   #>L02DD    ; BOING
         LDA   #<L02DD
         JSR   $DB3A
L02C9    JMP   L02C9

         HEX   00
L02CD    ASC   84
         ASC   "BLOADG"8D
         ASC   84
         ASC   "BRUNA"8D00
L02DD    ASC   "HARDWARE FAILURE"00

[toinet]

Deckard tells me my crack is not complete as the game may crash during a round.

Pas un crash mais il me semble qu'il te fait perdre volontairement.

Il faut se taper le pseudo langage pour retrouver l'endroit où il effectue en cours de jeu un controle sur les informations qu'il a collectées au boot.

C'est fait exprès: tu as l'impression que ça marche et ne sont pénalisés que ceux qui y jouent vraiment.

A ma connaissance (infos MCS et Mr.Z), ce jeu n'a jamais été déplombé correctement.

JM

ps: il y a aussi une version spécifique IIGS.

[toinet]

I have just re-read the Solo Flight thread where the protection routine is in the file named P.

There is one in Silent Service that is full of false opcodes and once decoded contains the same protection as Solo Flight...

Code : Tout sélectionner

JSR $9508
PHP
PLA
STA $F7
RTS

I will update the "backup" procedure tonight...

Antoine

[toinet]

Gotcha! The P file does not contain any false opcodes but swapped bytes.

Let me be clearer! The following code:

Code : Tout sélectionner

JSR $9508
PHP
PLA
STA $F7
RTS

should be coded:

Code : Tout sélectionner

20 08 95 08 68 85 F7 60

But the P file contains:

Code : Tout sélectionner

08 20 08 95 85 68 60 F7

Then, if you really want to tell the P routine that you have an original disk, you should:
- clear the carry and
- return with A = 0

SECOND PROTECTION REMOVAL
Launch your favorite disk editor
- on T5/S7/C: 90 18 9A 0F => A9 18 60 00
We never know, we have a copy of the protection there:
- on T4/S7/C: 90 18 9A 0F => A9 18 60 00

I will validate that update tonight...

Toinet