Started by gef, 04:12, 03 April 10
Quote from: gef on 04:12, 03 April 10
[...] The patch allows you to trace through any Z80 code and is based on two important facts:
* The R register is changing deterministically among subsequent commands.
* The state of the IFF (Interrupt flag) is actually possible to be found with a "LD I,A" or so.
[...] b) Do LD I,A and then branch according to the Overflow flag (AFAI remember), [...]
Quote from: gef on 14:18, 03 April 10
I have obviously been influenced by the Intel mnemonics rather than AT&T over the years! http://en.wikipedia.org/wiki/X86_assembly_language#Syntax
Quote from: Cholo on 22:48, 04 April 10
Thanks for posting. This pretty much answers one of my oldest still lasting questions:
1. how did people hack those tape protections before the multifaces showed up and
2. how did the programmers compile a protection like that.
Back in the 90's I did manage to read 2 books on machine code and did get fairly fluid in assembler. Even though as a teenager I had a hard time seeing the "big picture" in mc/assem. Did try to disassemble and later single-step into a couple of tape protections, but came to a loss on how to continue. Knew there had to be a trick to it of course. If it was just lack of knowledge and/or of additional hardware I didn't know.
Seems like I know at least the theory how to get into a protection and I assume a similar trick can be used to compile one too.
Quote from: arnoldemu on 09:10, 05 April 10
I used another trick for hacking tapes to disc but this only works well for 128k machines and you need a reset switch.
Quote from: Gryzor on 10:12, 05 April 10
But how are you sure the loader won't overwrite your cloning code?
Quote from: arnoldemu on 09:10, 05 April 10
I used another trick for hacking tapes to disc but this only works well for 128k machines and you need a reset switch. You set up the 2nd 64k ram to be a mirror of the 1st. You switch to it and load the game. Many times the loader will run and the computer will effectively reset, but the loader is now decoded in the 2nd bank of ram.
Quote from: arnoldemu on 10:31, 05 April 10
The code copies the lower and upper jumpblocks and firmware data. So that it is almost like having a virtual machine in the 2nd 64k.
Quote from: OCT on 15:40, 05 April 10
I understand you use a program to copy over the RAM to the second bank. There's yet another trick that involves a little hardware hack, which has the advantage of being undetectable by software:
On a 6128, you use a toggle switch to exchange the two bank-select lines, plus a button to ground READY (a.k.a. /WAIT) on the Expansion Port.
Once the loading and decoding is done, hit the button to temporarily freeze the Z80 in its tracks, switch the memory banks and then release the freeze button. If the machine won't already reset on its own, hit the reset button (conveniently also located on the expansion port, as in my "CPC Brake" which also featured slow-motion). There you are in the other bank, ready to switch in and save the 4*16k pages via the usual MEMORY &3FFF:OUT &7F00,&C4 etc. (leaving you just the task of figuring out the jump point and maybe writing a loader to run on 64k machines as well).
Quote from: arnoldemu on 19:14, 05 April 10
Nice. I never thought to use hardware to help. Is this info on the wiki? Because it would be useful to have it there.
Quote from: gef on 03:56, 06 April 10
I can answer #2 quite well for the cases I have encountered:
a) Some trivial cases were (XOR) code transformation trickery, _without_ using R register.
b) The most commonly found titles had one or two invocations of loops using the R register.
c) The titles that were bound to become commercial success would use some annoying tricks:
c1. using features of the magnetic media, that were characteristic of that particular game
c2. multiple nested XOR-decoding loops using R register in a back-to-back fashion
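An added example, not code from the thread, modelling why an XOR decoding loop keyed on the R register only decodes correctly when every opcode fetch is accounted for, which is the point behind gef's "R changes deterministically" fact above. The loop body, its fetch count and the starting R value are assumptions.

```python
# Added example, not code from the thread: a simplified model of an XOR
# decoding loop keyed on the Z80 R register. The low 7 bits of R advance by
# one per opcode fetch (M1 cycle), twice for a prefixed opcode such as
# LD A,R (ED 5F); bit 7 is left alone. The loop layout below is assumed.

# Assumed loop body: LD A,R (2 fetches) / XOR (HL) / LD (HL),A / INC HL / DJNZ
FETCHES_PER_ITERATION = 6
R_AT_FIRST_LD_A_R = 0x12        # constructed starting value of R


def step_r(r, fetches):
    """Advance R by `fetches` M1 cycles; only the low 7 bits count and wrap."""
    return (r & 0x80) | ((r + fetches) & 0x7F)


def r_seen_by_iteration(i, extra_fetches=0):
    """R as read by LD A,R in iteration i. extra_fetches models instructions a
    single-step tracer executes in between the loop's own instructions."""
    return step_r(R_AT_FIRST_LD_A_R, i * (FETCHES_PER_ITERATION + extra_fetches))


def encode(plain):
    """Build-time side: XOR each byte with the R value the loop will read for
    it when the code runs straight through without interference."""
    return bytes(b ^ r_seen_by_iteration(i) for i, b in enumerate(plain))


def run_decoder(cipher, extra_fetches=0):
    """Run-time side. extra_fetches == 0 is the loop running natively, or under
    a tracer that restores R exactly as gef describes; any other value is a
    naive single-stepper whose own instruction fetches disturb R."""
    return bytes(b ^ r_seen_by_iteration(i, extra_fetches) for i, b in enumerate(cipher))


# Constructed stand-in for the code such a loop would decode.
SAMPLE = b"constructed loader stub: LD SP,&C000 ; JP &4000"


def demo():
    cipher = encode(SAMPLE)
    return run_decoder(cipher), run_decoder(cipher, extra_fetches=9)
```

Only the first byte survives under the perturbed run, since R drifts further from the expected value with every iteration; a tracer has to compute and reinstate the exact R before resuming, which is what makes the determinism of R usable.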
Quote from: OCT on 22:11, 05 April 10
Since copyright subsists in these materials as a matter of law, I cannot republish them,
Quote from: Gryzor on 09:54, 06 April 10
Copyright issues? What are you talking about? I can publish it if you want, I don't think we should be exactly scared someone will come after us for hacking (again) a game from 1985...
Quote from: OCT on 10:28, 06 April 10
I wonder what the code was that allowed you to page in the whole 4*16k of second-bank memory without hardware help. AFAIK the OUT &7F00,&C4+page would only show 16k at a time at &4000 to &7FFF, which is an uncommon location for loaders.
10 addr=&c000
20 READ a$:IF a$="*" then call &c000 else poke addr,val("&"+a$):addr=addr+1:goto 20
30 data 01,c4,7f,ed,49,21,00,00,11,00,40,01,00,40,ed,b0,01,c6,7f,ed,49,21,00,80,11,00,40,01,00,40,ed,b0,01,c0,7f,ed,49,c9,*
ld bc,&7fc4   ; RAM config &C4: second-bank page 0 appears at &4000-&7FFF
out (c),c
ld hl,0
ld de,&4000
ld bc,&4000
ldir          ; copy &0000-&3FFF (lower jumpblock) into it
ld bc,&7fc6   ; RAM config &C6: second-bank page 2 appears at &4000-&7FFF
out (c),c
ld hl,&8000
ld de,&4000
ld bc,&4000
ldir          ; copy &8000-&BFFF (upper jumpblock, firmware data) into it
ld bc,&7fc0   ; back to the normal &C0 configuration
out (c),c
ret
Quote from: arnoldemu on 10:55, 06 April 10
type: OUT &7F00,&C2 [...] now the z80 is executing code entirely from 2nd 64k bank
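An added example, not arnoldemu's code: a Python model of the 6128's OUT &7F00,&C0..&C7 RAM configurations with the posted copy routine replayed on it, so the contents of the second 64k at the moment of OUT &7F00,&C2 can be inspected. The configuration table is the standard 6128 one; the marker bytes are constructed.

```python
# Added example, not code from the thread: a model of the CPC 6128 RAM
# configurations selected with OUT &7F00,&C0..&C7, with the posted copy routine
# replayed on it to show what the second 64k holds before OUT &7F00,&C2.
PAGE = 0x4000

# Per configuration byte: physical 16k page (0-3 base RAM, 4-7 second bank)
# mapped into the CPU slots &0000, &4000, &8000, &C000 (standard 6128 table).
RAM_CONFIG = {
    0xC0: (0, 1, 2, 3), 0xC1: (0, 1, 2, 7), 0xC2: (4, 5, 6, 7), 0xC3: (0, 3, 2, 7),
    0xC4: (0, 4, 2, 3), 0xC5: (0, 5, 2, 3), 0xC6: (0, 6, 2, 3), 0xC7: (0, 7, 2, 3),
}

class Cpc128kRam:
    def __init__(self):
        self.pages = [bytearray(PAGE) for _ in range(8)]   # 8 x 16k = 128k
        self.config = 0xC0

    def out_7f00(self, value):          # OUT &7F00,value
        self.config = value

    def _locate(self, addr):            # (physical page, offset) for a CPU address
        slot, offset = divmod(addr & 0xFFFF, PAGE)
        return self.pages[RAM_CONFIG[self.config][slot]], offset

    def read(self, addr):
        page, offset = self._locate(addr)
        return page[offset]

    def write(self, addr, value):
        page, offset = self._locate(addr)
        page[offset] = value & 0xFF

    def ldir(self, hl, de, bc):         # LD HL,src / LD DE,dst / LD BC,len / LDIR
        for i in range(bc):
            self.write(de + i, self.read(hl + i))

def mirror_firmware(ram):
    """The posted routine: &0000-&3FFF -> bank page 0, &8000-&BFFF -> bank page 2."""
    ram.out_7f00(0xC4); ram.ldir(0x0000, 0x4000, 0x4000)
    ram.out_7f00(0xC6); ram.ldir(0x8000, 0x4000, 0x4000)
    ram.out_7f00(0xC0)

def demo():
    ram = Cpc128kRam()
    # Constructed markers: lower jumpblock, upper jumpblock, and the two pages left alone.
    for addr, value in ((0x0000, 0xC3), (0xBB00, 0xC3), (0x4000, 0x11), (0xC000, 0x22)):
        ram.write(addr, value)
    mirror_firmware(ram)
    ram.out_7f00(0xC2)                  # every slot now maps the second bank
    return {addr: ram.read(addr) for addr in (0x0000, 0xBB00, 0x4000, 0xC000)}
```

As the model shows, only pages 0 and 2 of the second bank are mirrored; &4000-&7FFF and &C000-&FFFF of the second bank stay empty, which is why two OUTs and two LDIRs are enough and where the loader can then be loaded.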
Quote from: OCT on 10:52, 06 April 10
I'm not into cracking protections at all, nor scared for that matter - it's just that the author and photographer of a (really nice BTW) writeup on the CPC6128 hardware modification does hold rights to it
dskdump -itype floppy -otype dsk -iside 0 -idstep /dev/fd0 BankSwap.dsk
Quote from: arnoldemu on 09:19, 06 April 10
Yes indeed. Speedlock protection had about 80 of these XOR type loops. Then it tried to detect the multiface. It was a beast of a protection and always changing.
I too was about 13/14 when I was converting tapes to discs. I did this mostly because the disc games were so expensive.
Quote from: arnoldemu on 09:19, 06 April 10
I never tried using Pyradev. First I used the very poor Amsoft assembler (MONA etc), with its terrible input and line numbers. Then I moved onto Maxam (I had a strange chip on a PCB which connected to the back of the computer. I've not seen another since and I've since sold this.) I never really found a debugger that I could get on with on the CPC.