Disk Deprotection #2

By Richard Judd

Originally published in EUG #49

Examples of games that use the second version of disk protection are Superior Soccer (1989), Ballistix (1989) and Ricochet (1989).

Version 2

"Sector Read Fault" text appears in code. (Used 1989, 1989).

Find the file on the disk that has the attributes below:

      [filename]    000400  000400  0000D9
                    start   execute length

If no file has exactly these attributes, look for the one with the same length but a different load address. For example:

Hostages uses FF0400 FF0400 0000D9
Pipemania and Vertigo (Play It Again Sam 16) use FF0900 FF0900 0000D9
Perplexity uses FF1100 FF1100 0000D9

With these, the offset is always the same. This means that an offset of &48 from the start address gives &448, &948 or &1148 for the above titles.

To start with, type:

      >*LOAD [filename] <RETURN>

to put the code into memory. Then make a note of the PRINTed contents of the following addresses:

At memory address &408 is the number of sectors which the program will read to gather the protected file code. e.g. if the contents of &408 = &15, then the file length will be &1500.

At memory addresses &448 and &449 is the execute address (reversed) when all of the code is loaded from the disk. e.g. if the contents of &448 = &00 and &449 = &20 then the execute address of the code is &2000.

At memory addresses &45D and &45E is the start address (reversed) to start loading the code from the disk. e.g. if the contents of &45D = &00 and &45E = &15 then the start address of the code is &1500.

To stop the loader from executing the protected file code, overwrite the byte at &447 with &60 (the 6502 RTS, Return from subroutine, opcode) by typing:

      >?&447=&60 <RETURN>

then to run the loader, type:

      >CALL&400 <RETURN>

This stops the program and returns the user to BASIC, where you can now save the data from the original, protected file to a blank disk (not the original!). So, from the above example, the file had the following attributes:

      [filename]    001500  002000  001500
                    start   execute length

So from the prompt, type:

      >*SAVE [filename] 1500 +1500 2000

Once the one file has been recovered from the disk and saved, the game can be copied freely. *COPY all of the other files to a blank disk and the game should work.

Ricochet - Example of Version 2 Protection

Protected file = RICODE
Original file info = RICODE FF0400 FF0400 0000D9


Information in loader file:

      &408 = &53 (Length)
      &448 = &36 and &449 = &19 (Execute address - reversed)
      &45D = &03 and &45E = &11 (Start address - reversed)

      >CALL &400
      >*SAVE RICODE 1103 +5300 1936

De-protected file info = RICODE 001103 001936 005300
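The manual lookup above can be scripted. The following is an added example, not code from the original article: it decodes the three loader fields from a copy of the &D9-byte loader file and handles the relocated loaders (FF0900, FF1100) by applying the same offsets to a different base. The function names and the constructed sample image are assumptions for illustration.

```python
"""Decode the fields of a Version 2 loader file (added example)."""

LOADER_LEN = 0xD9     # loader file length given in the article
OFF_SECTORS = 0x08    # &408 when the loader sits at &400
OFF_PATCH = 0x47      # &447: the byte the article overwrites with &60
OFF_EXEC = 0x48       # &448/&449, low byte first
OFF_START = 0x5D      # &45D/&45E, low byte first


def word(data, off):
    """Read a 16-bit value stored low byte first ("reversed")."""
    return data[off] | (data[off + 1] << 8)


def decode_loader(data, load_addr=0x0400):
    """Return the values the article reads by hand with PRINT.

    load_addr is the loader's catalogue load address; only the low
    16 bits are used (FF0400 -> &0400, FF1100 -> &1100).
    """
    if len(data) != LOADER_LEN:
        raise ValueError("expected &D9 bytes, got &%X" % len(data))
    base = load_addr & 0xFFFF
    start = word(data, OFF_START)
    length = data[OFF_SECTORS] << 8   # sector count * &100 bytes
    if start + length > 0x10000:
        raise ValueError("start + length runs past &FFFF")
    return {"call": base, "patch": base + OFF_PATCH, "start": start,
            "exec": word(data, OFF_EXEC), "length": length}


def save_command(name, f):
    """Build the *SAVE line in the form used in the article."""
    return "*SAVE %s %04X +%04X %04X" % (
        name, f["start"], f["length"], f["exec"])


def sample_loader():
    """Constructed image: zeros except the Ricochet values listed above."""
    img = bytearray(LOADER_LEN)
    img[OFF_SECTORS] = 0x53
    img[OFF_EXEC:OFF_EXEC + 2] = bytes([0x36, 0x19])
    img[OFF_START:OFF_START + 2] = bytes([0x03, 0x11])
    return bytes(img)
```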

Happy hacking, and if anyone cares to send details of each disk's 'specs' to EUG, we can publish a quick reference table in a later issue.

Dave E, EUG #49