Summer Games II (Epyx, 1985)

Yes indeed! Making a backup is not easy! Tips here...
toinet
Site administrator
Posts: 256
Joined: Fri 8 Dec 2023 10:30


Post by toinet »

Another Epyx, another desynchro, another great game with a poor protection.

A special crack for the FTA Wormz Party 2010 :-)


PROTECTION TYPE
On a standard DOS 3.3 diskette:
- Change of end markers (D5 AA 96, FF FF EB, D5 AA AD, FF FF EB)
- Desynchro on track 0

How do I check the marker values?
I use the Edit mode of Copy II plus, I read one track, analyze the data and go to the next track.


BOOT TRACE
Just to refresh one's memory:
- 9600<C600.C6FFM
- 96FB: AD E8 C0 4C 59 FF N 9600G
* Beep *
- 801L etc.
- Read the code, wonder what to do... See next messages.


DISK COPY
- Launch Advanced Demuffin
- Go to the monitor
- Change the end markers DE AA with FF FF
- Copy the disk
If you then boot the disk, it fails to do so, as the desynchro has not been removed yet.

How do I change the end marker values?
- At $B930, enter 18 60. This is in the read data routine of the RWTS
- At $B98B, enter 18 60. This is in the read header routine of the RWTS
- CTRL-Y to go back to the monitor.


REMOVE THE DESYNCHRO
- Eight values are read from the disk (FC EE EE FC E7 EE FC E7)
- They are stored from $F0 to $F7
The protection routine just checks the values are read and are then compared. It ends with a CLC if the values were present or a SEC if not. The next two messages will display the boot 1 and the protection routines.

- Launch Disk Fixer
- Read T0/S0, at offset $39, replace 4C 00 15 with 20 5E 08
- Save T0/S0


Reboot and enjoy your working backup copy (and copy side 2 before :-))

Toinet

Re: Summer Games II (Epyx, 1985)

Post by toinet »

The boot1 code, which needs to be stopped at $0839. I have to admit I don't remember if the opcode at $839 was $20 (JSR) or $4C (JMP) on the original I played with, sorry...



*
* Thank you, The Flaming Bird Disassembler
*

SOFTEV EQU $03F2
PWREDUP EQU $03F4
TXTSET EQU $C051
TXTPAGE1 EQU $C054
ROMIN2 EQU $C081
LCBANK1 EQU $C08B
INIT EQU $FB2F
HOME EQU $FC58
SETKBD EQU $FE89
SETVID EQU $FE93
RESETV EQU $FFFC

         ORG   $000800
         MX    %11

L0800    HEX   01

L0801    LDA   $27	; First call?
         CMP   #$09
         BNE   L081F
         LDA   $2B	; Yes, init all
         LSR
         LSR
         LSR
         LSR
         ORA   #$C0
         STA   $3F
         LDA   #$5C
         STA   $3E
         CLC
         LDA   L08FE
         ADC   L08FF
         STA   L08FE

L081F    LDX   L08FF	; All sectors loaded?
         BMI   L0839
         LDA   L084E,X
         STA   $3D
         DEC   L08FF
         LDA   L08FE
         STA   $27
         DEC   L08FE
         LDX   $2B
         JMP   ($003E)

*

L0839    JMP   $1500	; Go to next stage
         JMP   $D000

         JSR   SETKBD
         JSR   SETVID
         JSR   INIT
         LDX   $2B
         JMP   (L08FD)

         DB    $00

L084E    HEX   0102030405060708090A0B0C0D0E0F00

*

L085E    LDA   LCBANK1
         LDA   LCBANK1
         LDA   $2B
         LSR
         LSR
         LSR
         LSR
         ORA   #$C0
         STA   L08CE+2
         LDA   #$03
         STA   RESETV+1
         STA   SOFTEV+1
         EOR   #$A5
         STA   PWREDUP
         LDA   #$D0
         STA   RESETV
         STA   SOFTEV

         LDY   #$00	; Move $0900++ to $D000++
         STY   $F0
         STY   $F2
         LDA   #$09
         STA   $F1
         LDA   #$D0
         STA   $F3
         LDX   #$0F
L0894    LDA   ($F0),Y
         STA   ($F2),Y
         INY
         BNE   L0894
         INC   $F1
         INC   $F3
         DEX
         BNE   L0894
L08A2    LDA   $1300,Y	; Move $1300++ to $DB00
         STA   $DB00,Y
         INY
         BNE   L08A2

         LDA   $2B	; $03D0G will reboot
         STA   $D1FF
         LDA   #$00
         STA   $B6
         STA   $B7
         LDY   #$0F
L08B8    LDA   L08C2,Y
         STA   $03D0,Y
         DEY
         BPL   L08B8
         RTS

L08C2    LDA   ROMIN2	; A reboot routine
         JSR   HOME
         LDA   TXTSET
         LDA   TXTPAGE1
L08CE    JMP   $C600

L08D1    DS    $2C
L08FD    DB    $00
L08FE    DB    $09
L08FF    DB    $0E

Re: Summer Games II (Epyx, 1985)

Post by toinet »

The protection routine at $1500. A standard desynchro from Epyx...



*---------------------------------------------------------*
*     Disassembled with The Flaming Bird Disassembler     *
*    (c) Phoenix corp. 1992,93  -  All rights reserved    *
*---------------------------------------------------------*

         TYP   BIN
         ORG   $001500
         MX    %11

L1500    LDX   #$00	; Save ZP
L1502    LDA   $00,X
         STA   $7000,X
         DEX
         BNE   L1502

         LDA   #$0A	; Number of retries
         STA   $50

         LDX   $2B	; Set read mode
         LDA   $C089,X
         LDA   $C08E,X

         LDA   #<L1596	; Ptr to desync data
         STA   $48
         LDA   #>L1596
         STA   $48+1

L151E    LDA   #$80
         STA   $51
L1522    DEC   $51
         BEQ   L1590
         JSR   L159E	; Read header
         BCS   L1590
         LDA   $2E
         CMP   #$0F	; Sector $0F
         BNE   L1522

         LDY   #$00	; Now (de)sync me…
L1533    LDA   $C08C,X
         BPL   L1533
         DEY
         BEQ   L1590
         CMP   #$D5
         BNE   L1533
         LDY   #$00
L1541    LDA   $C08C,X
         BPL   L1541
         DEY
         BEQ   L1590
         CMP   #$E7	; 11100111
         BNE   L1541
L154D    LDA   $C08C,X
         BPL   L154D
         CMP   #$E7	; ..oops
         BNE   L1590
L1556    LDA   $C08C,X
         BPL   L1556
         CMP   #$E7	; ..oops
         BNE   L1590
         LDA   $C08D,X	; ..oops
         LDY   #$10
         BIT   $06	; timing
L1566    LDA   $C08C,X
         BPL   L1566
         DEY
         BEQ   L1590
         CMP   #$EE	; ..oops
         BNE   L1566

         LDY   #$07	; Compare the values
L1574    LDA   $C08C,X	; from the disk
         BPL   L1574
         CMP   ($48),Y	; with the desync data
         BNE   L1590	; ..different
         DEY		; ..same
         BPL   L1574

         LDX   #$00	; Restore ZP
L1582    LDA   $7000,X
         STA   $00,X
         DEX
         BNE   L1582
         JSR   $085E	; Call next step
         JMP   $D000	; This is an ORIGINAL

L1590    DEC   $50	; Next try
         BNE   L151E
         SEC		; Desync values not found
         RTS		; This is a COPY

* The values you have on the original disk

L1596    HEX   FCEEEEFCE7EEFCE7

* Read header routine

L159E    LDY   #$FD
         STY   $4A
L15A2    INY
         BNE   L15A9
         INC   $4A
         BEQ   L15E6
L15A9    LDA   $C08C,X
         BPL   L15A9
L15AE    CMP   #$D5
         BNE   L15A2
         NOP
L15B3    LDA   $C08C,X
         BPL   L15B3
         CMP   #$AA
         BNE   L15AE
         LDY   #$03
L15BE    LDA   $C08C,X
         BPL   L15BE
         CMP   #$96
         BNE   L15AE
         LDA   #$00
L15C9    STA   $4B
L15CB    LDA   $C08C,X
         BPL   L15CB
         ROL
         STA   $4A
L15D3    LDA   $C08C,X
         BPL   L15D3
         AND   $4A
         STA   |$002D,Y
         EOR   $4B
         DEY
         BPL   L15C9
         TAY
         NOP
         CLC
         RTS

L15E6    SEC
         RTS
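The read-header routine at L159E, modelled in Python as an added example (not part of toinet's posts or the game's code): it decodes the 4-and-4 address field that follows D5 AA 96 with the same arithmetic as the ROL/AND pair, and loops over headers until sector $0F as the L1522 loop does. The function names and the sample nibble stream are constructed for illustration.

```python
# Added example: a model of the address-field reader at L159E (not the game's code).
PROLOGUE = (0xD5, 0xAA, 0x96)

def encode_44(value):
    """4-and-4 encode one byte as two disk nibbles (only used to build the sample)."""
    return [(value >> 1) | 0xAA, value | 0xAA]

def decode_44(first, second):
    """Same arithmetic as ROL / STA $4A / AND $4A, with carry set on entry."""
    return (((first << 1) | 1) & 0xFF) & second

def read_address_field(nibbles, start=0):
    """Scan for D5 AA 96 from `start`; return the decoded header or None."""
    for i in range(start, len(nibbles) - 10):
        if tuple(nibbles[i:i + 3]) != PROLOGUE:
            continue
        body = nibbles[i + 3:i + 11]
        vol, trk, sec, chk = (decode_44(body[j], body[j + 1]) for j in (0, 2, 4, 6))
        return {"volume": vol, "track": trk, "sector": sec,
                # The listing leaves this XOR in A/Y and returns CLC without testing it.
                "checksum_ok": (vol ^ trk ^ sec ^ chk) == 0,
                "next": i + 11}
    return None

def find_sector(nibbles, wanted=0x0F, tries=0x7F):
    """Mirror of the L1522 loop: read headers until `wanted` turns up or tries run out."""
    pos = 0
    for _ in range(tries):
        header = read_address_field(nibbles, pos)
        if header is None:
            return None
        if header["sector"] == wanted:
            return header
        pos = header["next"]
    return None

def build_field(volume, track, sector):
    """Constructed address field: sync, prologue, four 4-and-4 pairs, FF FF EB end marker."""
    out = [0xFF] * 5 + list(PROLOGUE)
    for value in (volume, track, sector, volume ^ track ^ sector):
        out += encode_44(value)
    return out + [0xFF, 0xFF, 0xEB]

# Constructed sample stream (not read from a real disk): sector $03, then sector $0F.
SAMPLE = build_field(0xFE, 0x00, 0x03) + build_field(0xFE, 0x00, 0x0F)

if __name__ == "__main__":
    print(find_sector(SAMPLE))
```

The decoded values land where the listing stores them: checksum at $2D, sector at $2E (the byte compared with #$0F), track at $2F and volume at $30.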