mirror of
https://github.com/a2-4am/passport.git
synced 2024-07-08 00:28:56 +00:00
540 lines
13 KiB
Plaintext
540 lines
13 KiB
Plaintext
;-------------------------------
|
|
; #EA
|
|
; patched RWTS and p-code madness
|
|
;
|
|
; module by qkumba
|
|
;-------------------------------
|
|
!zone {
|
|
bit gMode ; nothing to do here in verify-only mode
|
|
bpl .jmpexit
|
|
lda gIsEA ; only ever seen this protection
|
|
beq + ; on Electronic Arts titles
|
|
jmp .dostitles
|
|
.jmpexit
|
|
jmp .exit
|
|
|
|
+ ldy #40
|
|
jsr SearchTrack
|
|
!byte $8D,$6F,$BC ;STA $BC6F
|
|
!byte $8C,$70,$BC ;STY $BC70
|
|
!byte $A0,$20 ;LDY #$20
|
|
!byte $88 ;DEY
|
|
!byte $F0,$D7 ;BEQ -$D7
|
|
!byte $AD,$EC,$C0 ;LDA $C0EC
|
|
!byte $10,$FB ;BPL -$FB
|
|
!byte $49,$D5 ;EOR #$D5
|
|
!byte $D0,$F4 ;BNE -$F4
|
|
!byte $EA ;NOP
|
|
!byte $AD,$EC,$C0 ;LDA $C0EC
|
|
!byte $10,$FB ;BPL -$FB
|
|
!byte $C9,$BB ;CMP #$BB
|
|
!byte $D0,$F2 ;BNE -$F2
|
|
!byte $EA ;NOP
|
|
!byte $AD,$EC,$C0 ;LDA $C0EC
|
|
!byte $10,$FB ;BPL -$FB
|
|
!byte $C9,$CF ;CMP #$CF
|
|
!byte $D0,$E8 ;BNE -$E8
|
|
bcs +
|
|
pha
|
|
txa
|
|
clc
|
|
adc #27
|
|
tax
|
|
adc #10
|
|
sta .patch2+1
|
|
pla
|
|
pha
|
|
ldy #1
|
|
jsr modify
|
|
!byte $AA ;data prologue #2
|
|
.patch2
|
|
ldx #$D1
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $AD ;data prologue #3
|
|
|
|
+ ldy #13
|
|
jsr SearchTrack
|
|
!byte $03,$49 ;LDI #$05
|
|
!byte $01,$03,$65 ;JSRA $bc00
|
|
!byte $01,$03,$79 ;JSRA $a000
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $04,$EB,$19 ;LDA $c0e8
|
|
bcs +
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $04
|
|
+ ldy #15
|
|
jsr SearchTrack
|
|
;enciphered call to p-code as above
|
|
!byte $BF,$9F,$BE,$F6,$04,$2E,$9B,$DA
|
|
!byte $5A,$16,$DA,$30,$06,$45,$C2
|
|
bcs +
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $EE ;enciphered jsra->lda to disable call
|
|
|
|
+ ldy #8
|
|
jsr SearchTrack
|
|
!byte $20,$10,$07 ;JSR $0710
|
|
!byte $A5,$56 ;LDA $56
|
|
!byte $D0,$A7 ;BNE -$A7
|
|
!byte $4C ;JMP $xxxx
|
|
bcs +
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $00 ;disable branch
|
|
|
|
+ ldy #15
|
|
jsr SearchTrack
|
|
!byte $03,$49 ;LDI #$05
|
|
!byte $01,$03,$65 ;JSRA $bc00
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $01,$03,$79 ;JSRA $a000
|
|
!byte $07,$01 ;SUB #$4d
|
|
!byte $0F,$F5,$70 ;BNE $a9f6
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
txa
|
|
adc #7
|
|
tax
|
|
adc #4
|
|
sta .patch3 + 1
|
|
pla
|
|
pha
|
|
ldy #1
|
|
jsr modify
|
|
!byte $04 ;new checksum value for sub
|
|
pla
|
|
.patch3
|
|
ldx #$D1
|
|
ldy #1
|
|
jsr modify
|
|
!byte $00 ;jsra->lda to disable call
|
|
;routine loops infinitely on failure
|
|
|
|
+ ldy #13
|
|
jsr SearchTrack
|
|
!byte $4C,$E7,$B2 ;JMP $B2E7
|
|
!byte $4C,$74,$B3 ;JMP $B374
|
|
!byte $00,$00 ;filler
|
|
!byte $C9,$CB ;CMP #$CB
|
|
!byte $D0,$7C ;BNE +$7C
|
|
!byte $60 ;RTS
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
txa
|
|
adc #11
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $00 ;disable branch
|
|
|
|
+ ldy #15
|
|
jsr SearchTrack
|
|
!byte $03,$49 ;LDI #$05
|
|
!byte $01,$03,$65 ;JSR $BC00
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $01,$03,$6C ;JSR $B500
|
|
!byte $07,$1C ;SUB #$50
|
|
!byte $0F,$78,$60 ;BNE $B97B
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
txa
|
|
adc #11
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $4C ;new checksum value for sub
|
|
|
|
+ ldy #14
|
|
jsr SearchTrack
|
|
!byte $78 ;SEI
|
|
!byte $20,$00,$D7 ;JSR $D700
|
|
!byte $C9,$4D ;CMP #$4D
|
|
!byte $F0,$06 ;BEQ +$06
|
|
!byte $20,$67,$67 ;JSR $6767
|
|
!byte $20,$AA,$BF ;JSR $BFAA
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
pla
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $00 ;new checksum value for cmp
|
|
|
|
+ ldy #9
|
|
jsr SearchTrack
|
|
!byte $20,$84,$6E ;JSR $6E84
|
|
!byte $A5,$11 ;LDA $11
|
|
!byte $C9,$52 ;CMP #$52
|
|
!byte $F0,$03 ;BEQ +$03
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
pla
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $50 ;new checksum value for cmp
|
|
|
|
+ ldy #7
|
|
jsr SearchTrack
|
|
!byte $20,$86,$6E ;JSR $6E86
|
|
!byte $C9,$52 ;CMP #$52
|
|
!byte $D0,$DB ;BNE -$DB
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
pla
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $50 ;new checksum value for cmp
|
|
|
|
+ ldy #12
|
|
jsr SearchTrack
|
|
!byte $20,$3E,$91 ;JSR $913E
|
|
!byte $20,$F3,$76 ;JSR $76F3
|
|
!byte $20,$00,$61 ;JSR $6100
|
|
!byte $4C,$94,$69 ;JMP $6994
|
|
bcs +
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $2C ;JSR->BIT
|
|
|
|
+ ldy #23
|
|
jsr SearchTrack
|
|
;looks like garbage because it's enciphered
|
|
!byte $03,$5B ;LDI #$00
|
|
!byte $06,$FF,$97 ;STA $4ee4
|
|
!byte $1C,$E0,$8F ;JSRA $4ce3
|
|
!byte $05,$FB,$95 ;JSRA $4ce3
|
|
!byte $19,$E0,$88 ;JSRA $4ce3
|
|
!byte $05,$FE,$95 ;JSRA $4ce3
|
|
!byte $1B,$EB,$39 ;LDA $c0e8
|
|
!byte $04,$C6,$97 ;LDA $4ee4
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $C7 ;lda from known-zero instead
|
|
|
|
+ ldy #23
|
|
jsr SearchTrack
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $06,$E1,$DE ;STA $07e2
|
|
!byte $05,$CC,$DC ;JSRA $05cf
|
|
!byte $05,$CC,$DC ;JSRA $05cf
|
|
!byte $05,$CC,$DC ;JSRA $05cf
|
|
!byte $05,$CC,$DC ;JSRA $05cf
|
|
!byte $04,$EB,$19 ;LDA $c0e8
|
|
!byte $04,$E1,$DE ;LDA $07e2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $E0 ;lda from known-zero instead
|
|
|
|
+ ldy #23
|
|
jsr SearchTrack
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $07,$E1,$DE ;STA $07e2
|
|
!byte $04,$CC,$DC ;JSRA $05cf
|
|
!byte $04,$CC,$DC ;JSRA $05cf
|
|
!byte $04,$CC,$DC ;JSRA $05cf
|
|
!byte $04,$CC,$DC ;JSRA $05cf
|
|
!byte $05,$EB,$19 ;LDA $c0e8
|
|
!byte $05,$E1,$DE ;LDA $07e2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $E0 ;lda from known-zero instead
|
|
|
|
+ ldy #23
|
|
jsr SearchTrack
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $06,$E1,$E0 ;STA $39e2
|
|
!byte $05,$D3,$EE ;JSRA $37d0
|
|
!byte $05,$D3,$EE ;JSRA $37d0
|
|
!byte $05,$D3,$EE ;JSRA $37d0
|
|
!byte $05,$D3,$EE ;JSRA $37d0
|
|
!byte $04,$EB,$19 ;LDA $c0e8
|
|
!byte $04,$E1,$E0 ;LDA $39e2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $E0 ;lda from known-zero instead
|
|
|
|
+ ldy #31
|
|
jsr SearchTrack
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $06,$E1,$7B ;STA $a2e2
|
|
!byte $03,$AB ;LDI #$e7
|
|
!byte $05,$02,$78 ;JSRA $a101
|
|
!byte $03,$AD ;LDI #$e1
|
|
!byte $05,$02,$78 ;JSRA $a101
|
|
!byte $03,$AB ;LDI #$e7
|
|
!byte $05,$02,$78 ;JSRA $a101
|
|
!byte $03,$A9 ;LDI #$e5
|
|
!byte $05,$02,$78 ;JSRA $a101
|
|
!byte $04,$EB,$19 ;LDA $c0e8
|
|
!byte $04,$E1,$7B ;LDA $a2e2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #29
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $D1 ;lda from known-zero instead
|
|
|
|
+ ldy #16
|
|
jsr SearchTrack
|
|
!byte $49,$4E ;EOR #$4E
|
|
!byte $09,$2B ;ORA #$2B
|
|
!byte $48 ;PHA
|
|
!byte $A9,$04 ;LDA #$04
|
|
!byte $48 ;PHA
|
|
!byte $A5,$4F ;LDA $4F
|
|
!byte $45,$4F ;EOR $4F
|
|
!byte $18 ;CLC
|
|
!byte $E9,$00 ;SBC #$00
|
|
!byte $48 ;PHA
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
pla
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $E8 ;new checksum value for eor
|
|
|
|
+ ldy #14
|
|
jsr SearchTrack
|
|
!byte $AD,$00,$05 ;LDA $0500
|
|
!byte $A2,$FF ;LDX #$FF
|
|
!byte $5D,$00,$05 ;EOR $0500,X
|
|
!byte $CA ;DEX
|
|
!byte $D0,$FA ;BNE *-4
|
|
!byte $C9,$A0 ;CMP #$A0
|
|
!byte $F0 ;BEQ *+xx
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
txa
|
|
adc #12
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $A1 ;new checksum value for eor
|
|
|
|
+ ldy #24
|
|
jsr SearchTrack
|
|
!byte $04,$4F,$D9 ;LDA $004c
|
|
!byte $0A,$03,$7B ;LDX ($a200,A)
|
|
!byte $10,$F1,$70 ;SUB $a9f2
|
|
!byte $06,$F1,$70 ;STA $a9f2
|
|
!byte $0C,$4F,$D9 ;INC $004c
|
|
!byte $07,$AC ;CMP #$e0
|
|
!byte $0F,$E5,$71 ;BNE $a8e6
|
|
!byte $04,$F1,$70 ;LDA $a9f2
|
|
!byte $07 ;CMP #$xx
|
|
bcs +
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
txa
|
|
adc #24
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr compare
|
|
!byte $AB
|
|
bcs ++
|
|
ldy #1
|
|
jsr modify
|
|
!byte $BB ;new checksum value for eor
|
|
jmp +
|
|
++ ldy #1
|
|
jsr compare
|
|
!byte $DB
|
|
bcs ++
|
|
ldy #1
|
|
jsr modify
|
|
!byte $D4 ;new checksum value for eor
|
|
++
|
|
|
|
+ ldy #23
|
|
jsr SearchTrack
|
|
!byte $03,$4C ;LDI #$00
|
|
!byte $06,$E1,$7b ;STA $a2e2
|
|
!byte $05,$CC,$79 ;JSRA $a0cf
|
|
!byte $05,$CC,$79 ;JSRA $a0cf
|
|
!byte $05,$CC,$79 ;JSRA $a0cf
|
|
!byte $05,$CC,$79 ;JSRA $a0cf
|
|
!byte $04,$EB,$19 ;LDA $c0e8
|
|
!byte $04,$E1,$7b ;LDA $a2e2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $E0 ;lda from known-zero instead
|
|
|
|
+ ldy #23
|
|
jsr SearchTrack
|
|
!byte $03,$9C ;LDI #$00
|
|
!byte $06,$31,$66 ;STA $bfe2
|
|
!byte $D5,$CC,$B4 ;JSRA $bdcf
|
|
!byte $05,$1C,$64 ;JSRA $bdcf
|
|
!byte $D5,$CC,$B4 ;JSRA $bdcf
|
|
!byte $05,$1C,$64 ;JSRA $bdcf
|
|
!byte $D4,$EB,$C9 ;LDA $c0e8
|
|
!byte $04,$31,$66 ;LDA $bfe2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $30 ;lda from known-zero instead
|
|
|
|
+ ldy #14
|
|
jsr SearchTrack
|
|
!byte $58,$0D
|
|
!byte $F1,$5D
|
|
!byte $5A,$0D
|
|
!byte $74,$00
|
|
!byte $5C,$0D
|
|
!byte $5E,$00
|
|
!byte $5E,$0D
|
|
bcs .exit
|
|
pha
|
|
lda #s_tamper
|
|
jsr PrintByID
|
|
pla
|
|
inx
|
|
inx
|
|
ldy #1
|
|
jsr modify
|
|
!byte $F0 ;new checksum value for eor
|
|
|
|
+
|
|
|
|
.dostitles
|
|
lda gIsBoot0
|
|
bne .exit
|
|
|
|
ldy #23
|
|
jsr SearchTrack
|
|
!byte $09,$7A ;LDI #$00
|
|
!byte $06,$7E,$A3 ;STA $0ee2
|
|
!byte $08,$4D,$A1 ;JSRA $0cd1
|
|
!byte $08,$4D,$A1 ;JSRA $0cd1
|
|
!byte $08,$4D,$A1 ;JSRA $0cd1
|
|
!byte $08,$4D,$A1 ;JSRA $0cd1
|
|
!byte $07,$74,$6D ;LDA $c0e8
|
|
!byte $07,$7E,$A3 ;LDA $0ee2
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #21
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $7F ;lda from known-zero instead
|
|
|
|
+ ldy #13
|
|
jsr SearchTrack
|
|
!byte $A2,$04 ;LDX #$04
|
|
!byte $20,$4F,$1E ;JSR $1E4F
|
|
!byte $20,$00,$A6 ;JSR $A600
|
|
!byte $A5,$48 ;LDA $48
|
|
!byte $D0,$01 ;BNE +$01
|
|
!byte $60 ;RTS
|
|
bcs +
|
|
pha
|
|
txa
|
|
adc #11
|
|
tax
|
|
pla
|
|
ldy #1
|
|
jsr modify
|
|
!byte $00 ;disable branch
|
|
|
|
+
|
|
.exit
|
|
}
|