| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Tue, May 17th, 2011 @ 00:27 ( . ) |
W.A.R. has a track sync protection. Checks sync between the following tracks: 32 -> 33 33 -> 34 34 -> 35 28 -> 29 29 -> 30 30 -> 31 When it lands on the destination track, it waits for sync and reads in the sector header to see what sector it is. This is stored in a table that ends up with 6 values. I haven't yet been able to determine what the values should be since the C64 side code appears to be a compiled basic of sorts. Reversing the interpreter is a bit time consuming. |
 | Author: | Nate (guest: search) |
|---|---|---|
| Date: | Tue, May 17th, 2011 @ 02:32 ( . ) |
Yeah, I spent a bit of time trying to crack it while on vacation. It's a difficult one or something is missing. Even with proper track sync, I still got the "this is a copy" message. It's hard to track down what is triggering that message due to the complications on the C64 side. I tought it was similar to Bride of Frankenstein, which I did crack. [link] |
 | Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Tue, May 17th, 2011 @ 03:35 ( . ) |
Peter do you have any idea when the game was dumped? I'll attempt to remaster it with -bf and -t and let you guys know if I get anywhere. I was able to get paradroid up and running on a real c64, but both tracks 38 and 39 need cleaning out before it will run on any emulator. Oh and I might just have a 1st gen. copy of sam laying around. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Tue, May 17th, 2011 @ 18:41 ( . ) |
I can't get it working, it must be reliant on something else as well as track sync. Good luck trying to figure this one out. |
| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Wed, May 18th, 2011 @ 00:54 ( . ) |
I'm plodding through the interpreter, but it's taking a long time and I've only got about a dozen or so instructions decoded. Do you have the original that you can obtain the correct sector table from? You should be able to get the table from the original using a cartridge that has a drive mon. When the sync check finishes, it will slide back to track 18 and turn on the LED. At this point if you use the cart freeze, go into the monitor and get $0568-$056D from the drive memory, you should see the sectors numbers it landed on. This can be a bit tricky because the drive is still running. The retro replay cart seems to do ok on this, but super snapshot hangs. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Wed, May 18th, 2011 @ 03:52 ( . ) |
Unfortunately, you're asking the wrong person, I have neither the the super snapshot cart or the original disk. btw: you've decoded 12 instructions, How many instructions are there altogether to decode? |
| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Wed, May 18th, 2011 @ 15:08 ( . ) |
Hopefully Nate or Pete has the original. I'm not sure how many instructions there are. When you look at the block of code that contains the compiled/interpreted program, you don't initially know which ones are opcodes and which are the operands. Once you start determining what each opcode does, you'll see how many operands it takes and the p-code starts falling into place. I see about 524 total bytes of p-code, which includes some data as well, such as the "COPY IS NOT PERMITTED" message. The Electronic Arts fat track loader is a svelte, efficient, specific-purpose interpreter compared to this thing. This one has stack, memory, and multiple registers. It occasionally makes calls into the C64's standard BASIC ROM as well as the kernel ROM (which actually makes it easier to determine the purpose of a given opcode). I can't find any distinguishing text about it, so I don't know if it's a generic compiler such as Blitz, or if it's a custom interpreter written for this title. I likely won't have to decode every instruction. Once I get enough of them figured out I should be able to see where it doing something with the values it reads in from the drive. Hopefully it's just a simple comparison and not some key for a decryption routine. I don't have a lot of spare time for this right now, so it might take some weeks to finish it off. |
| Author: | Nate (guest: search) |
|---|---|---|
| Date: | Fri, May 20th, 2011 @ 22:22 ( . ) |
I don't have the original. I was only working from the nib file. I'm glad to see it's a hard scheme, and I'm not just a dunce. :) |
| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Sat, May 21st, 2011 @ 01:04 ( . ) |
It's amazingly time consuming. I'm guessing this isn't a custom virtual machine, it's a commercial BASIC compiler since it has so many instructions. I'm up to 31 instructions now and some of them I've skimmed over poorly since the functions they delve into are quite large. It's hard to find motivation to put the kind of time required into this one since the game itself isn't very good, and this seems to be a one-off protection. It'd be nice if the knowledge gained from this could be used towards other titles, but it seems unlikely. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Sat, May 21st, 2011 @ 01:14 ( . ) |
Please don't give up on it though. |
| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Sat, May 21st, 2011 @ 01:15 ( . ) |
Come to think of it, an easier way to figure this one out is to write some simple BASIC code and compile it with some known BASIC compilers, then disassemble the generated code to see which one matches W.A.R.'s. Once you figure out what compiler was used, it's pretty straightforward to decompile the unknown tokens. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Sun, May 29th, 2011 @ 00:16 ( . ) |
rtl64, simon's basic, blitz compiler, and austro-comp. Those are the 4 basic compilers I am aware of. |
 | Author: | J Achernar (registered user: 36 posts ) |
|---|---|---|
| Date: | Sun, May 29th, 2011 @ 09:47 ( . ) |
Abacus Basic 64 compiler can compile to either p-code or machine language. Also, there are two different compilier/optimizers. However, at the beginning of the compiled executable there is text stating "1984 SYS 2078 BASIC 64 V1.03". |
| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Sun, Jan 29th, 2012 @ 15:17 ( . ) |
hyper active sent me a dump of this game with the track sync correct, and it works properly. Tested with Pete's version by just plugging in the correct 6 sector numbers after the protection check, and it passes, so there's no other oddities with this one. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Mon, Jan 30th, 2012 @ 22:00 ( . ) |
I still can't seem to remaster it though. Is it using some kind of skew protection? if so, do you know what the skew is? |
| Author: | Nate (guest: search) |
|---|---|---|
| Date: | Mon, Jan 30th, 2012 @ 23:44 ( . ) |
Good to hear. Can you post the .nib somewhere and the 6 expected values? Also, I'm curious about your partial disassembly if you still have it. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Tue, Jan 31st, 2012 @ 00:37 ( . ) |
the expected values are 0D 0B 09 01 02 02 |
 | Author: | Pete Rittwage (registered user: 558 posts ) |
|---|---|---|
| Date: | Tue, Jan 31st, 2012 @ 09:27 ( . ) |
On 01/31/2012 @ 00:37, hyper active wrote :
the expected values are 0D 0B 09 01 02 02 -- '09 01 02 02' is illegal GCR and will give back random values on a real 1541. It can't "expect" that sequence because it will never get it. |
| Author: | Lord Crass (guest: search) |
|---|---|---|
| Date: | Thu, Feb 02nd, 2012 @ 22:23 ( . ) |
It's not looking for GCR values. The track sync protection just records into the drive memory what sector it lands on when it moves from one track to the other. You wind up with a table in drive memory ($0568) of 6 sector numbers: 13, 12, 9, 1, 2, 2. The C64 retrieves these values and either compares them to hard-coded values, or uses them in a transform or key of some sort. I never got around to finishing off the analysis of the compiled basic, so I'm not entirely sure what it does with them. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Sat, Feb 04th, 2012 @ 02:52 ( . ) |
I've been trying to write back the tracks in question from the g64, but I'm not getting anywhere. Is there a special switch in nibwrite that I need to use? I've had a look at each track, and the sector header info is all messed up. For example, normal tracks start with a few sync marks and then 0x52, but track 29 starts with 4a 52 94 a5 29 and so on. and then there is a 04 at the end. How do I write these out properly? |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Sat, Feb 04th, 2012 @ 14:55 ( . ) |
Oh. My. God. I got it working! Following a hunch, I Extracted the entire g64 into a bunch of raw tracks, then wrote back tracks 28-35 with the -b? -t switches. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Tue, Feb 07th, 2012 @ 20:14 ( . ) |
Update: this doesn't seem doable with a zoom floppy, only the lpt port interface. The zoom interface seems to want to align the tracks too far apart.... which presents a problem. I need to upgrade my machine. Do mobo manufacturers still make boards with onboard lpt ports? if not, we could be in serious trouble. |
| Author: | Nate (guest: search) |
|---|---|---|
| Date: | Wed, Feb 08th, 2012 @ 02:28 ( . ) |
ZF could handle this, code would just have to be written to compensate for the delay. Or use a 1571 or 1541 with IHS. |
| Author: | hyper active (registered user: 296 posts ) |
|---|---|---|
| Date: | Wed, Feb 08th, 2012 @ 14:10 ( . ) |
Oops, looks like I'm out of luck then, I don't know of anyone Here in Melbourne who could equip my 1541 drive with an IHS.... and I'm certainly not going to attempt it myself. |