Dungeon (TSR, 1980-1982)

Posted: Wed 21 May 2025 10:09
by toinet
Another D&D game from TSR HOBBIES.


PROTECTION TYPE
On a standard DOS 3.3 diskette with a standard RWTS:
- Change of markers: D5 AA 96, DE AA, D5 AA xx where xx depends on the track number,
- Change of sync nibble. Instead of FF, the sync nibble is DD.


DISK COPY
- Launch Advanced Demuffin 1.4
- Insert Dungeon in drive 1
- Insert a blank (volume 254) diskette in drive 2
- Press P to bypass boot
- Copy tracks 0 to 4

The second step: the other tracks:

- Launch Advanced Demuffin 1.4
- Insert Dungeon in drive 1
- Re-use the same diskette in drive 2
- Press B to get the RWTS of the game
- Apply patch (see next message)
- Copy tracks 5 to $22 of the disk


REMOVE THE PROTECTION
Launch your favorite disk editor (mine is Disk Fixer 4)
- on track 0 / sector F / offset $C8: replace 20 with 4C
- save the sector back to disk

Your backup copy is now ready, enjoy that D&D game!

Toinet

Re: Dungeon (TSR, 1980-1982)

Posted: Wed 21 May 2025 10:09
by toinet
Now the data markers per track:

MARKER 	TRACK
F7 	00
F7 	01
F7 	02
F7 	03
F5 	04
F7 	05
F7 	06
B7 	07
F7 	08
B7 	09
F5 	0A
F5 	0B
F7 	0C
B7 	0D
F7 	0E
B7 	0F
F5 	10
F7 	11
F7 	12
B7 	13
F5 	14
B7 	15
F7 	16
B7 	17
F5 	18
F7 	19
F7 	1A
F5 	1B
F5 	1C
F7 	1D
F7 	1E
F7 	1F
F5 	20
F7 	21
B7 	22

And, now, for something completely different, the routine at $ADE0 that determines the marker value:

00E0:AC EC B7       LDY   $B7EC         
00E3:B9 00 F8       LDA   $F800,Y      get value from ROM
00E6:29 42          AND   #$42          
00E8:D0 02          BNE   $00EC         
00EA:A9 42          LDA   #$42          
00EC:09 B5          ORA   #$B5          
00EE:8D 5D B8       STA   $B85D        write data marker routine
00F1:8D FC B8       STA   $B8FC        read data marker routine
00F4:60             RTS                 
And, the routine at $AE10 which reads the sync nibbles before it jumps to the above routine:

0010:BD 8C C0       LDA   $C08C,X       
0013:10 FB          BPL   $0010         
0015:C9 D5          CMP   #$D5         Is that the data marker?
0017:F0 C7          BEQ   $FFE0        Go to $ADE0 
0019:C9 DD          CMP   #$DD         Or the sync nibble?  
001B:F0 F3          BEQ   $0010        Loop until... 
001D:4C CB BF       JMP   $BFCB        Return    
And now, the routine at $BFC8. The crack just replaces the JSR with a JMP at offset $C8. Easy one :-)

00C8:20 A0 B9       JSR   $B9A0         move arm
00CB:A0 0A          LDY   #$0A          read sync nibbles
00CD:BD 8C C0       LDA   $C08C,X       
00D0:10 FB          BPL   $00CD         
00D2:C9 DD          CMP   #$DD          a sort of nibble count
00D4:D0 F5          BNE   $00CB         
00D6:88             DEY                 
00D7:D0 F4          BNE   $00CD         
00D9:4C 10 AE       JMP   $AE10         if we're ready, set the marker 
But, heh, where is that routine called? At two places:
1/ once the DOS is loaded in T0/S7, offset $41: 4C C8 BF
2/ after a RAM modification at T0/SE, offset $8B: 4C A0 B9

Next thread, please...

Re: Dungeon (TSR, 1980-1982)

Posted: Wed 21 May 2025 10:10
by toinet
The following routine, let's call it "patch", is to be entered in the monitor:

B700: 20 A0 B9 A0 04 B1 48 A8 B9 00 F8 29 42 D0 02 A9 42 09 B5 8D FC B8 60
BE8B: 4C 00 B7
That patch takes the track number from the IOB table, moves the value into Y, reads the corresponding value from ROM and calculates the data marker value.

The second change patches the call to the MOVEARM routine so that it calls our patch first.

That is the main core to copy tracks 5 to $22.

Enjoy,

Antoine
9/2010
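
Added example (not part of toinet's posts): a Python model of the marker computation shared by the $ADE0 routine and the $B700 patch, checked against the per-track table in the second post. The function names and the sample nibble stream are constructed for illustration; the ROM contents at $F800 are not on this page, so the code reasons only about which ROM bits each marker implies.

```python
# Marker table copied from the thread: index = track number ($00-$22).
MARKERS = bytes.fromhex(
    "F7F7F7F7F5F7F7B7F7B7F5F5F7B7F7B7"   # tracks $00-$0F
    "F5F7F7B7F5B7F7B7F5F7F7F5F5F7F7F7"   # tracks $10-$1F
    "F5F7B7"                             # tracks $20-$22
)

def marker_from_rom_byte(rom_byte):
    """Model of: LDA $F800,Y / AND #$42 / BNE +2 / LDA #$42 / ORA #$B5."""
    a = rom_byte & 0x42
    if a == 0:            # BNE not taken, so A is reloaded with #$42
        a = 0x42
    return a | 0xB5

def reachable_markers():
    """Every marker the routine can produce, over all 256 ROM byte values."""
    return sorted({marker_from_rom_byte(b) for b in range(256)})

def rom_bits_for(marker):
    """Values of (ROM byte AND $42) that lead to the given marker."""
    return sorted({b & 0x42 for b in range(256)
                   if marker_from_rom_byte(b) == marker})

def check_table(markers=MARKERS):
    """Tracks whose listed marker the routine could never produce."""
    ok = set(reachable_markers())
    return [t for t, m in enumerate(markers) if m not in ok]

def find_data_fields(nibbles, track):
    """Offsets of the data prologue D5 AA xx for this track in a nibble stream."""
    prologue = bytes([0xD5, 0xAA, MARKERS[track]])
    hits, pos = [], nibbles.find(prologue)
    while pos != -1:
        hits.append(pos)
        pos = nibbles.find(prologue, pos + 1)
    return hits

# Constructed sample: ten DD sync nibbles, a track-4 data prologue (D5 AA F5),
# four filler nibbles standing in for the payload, then the DE AA epilogue.
SAMPLE = bytes([0xDD] * 10 + [0xD5, 0xAA, 0xF5] + [0x96] * 4 + [0xDE, 0xAA])

if __name__ == "__main__":
    print("reachable:", [f"{m:02X}" for m in reachable_markers()])
    print("tracks inconsistent with the routine:", check_table())
    for m in reachable_markers():
        print(f"{m:02X} <- ROM & $42 in", [f"{v:02X}" for v in rom_bits_for(m)])
    print("track 4 data fields at:", find_data_fields(SAMPLE, 4))
```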