http://d-bug.mooo.com/dbugforums/cgi-bin/yabb2/YaBB.pl?num=1172673889
Message started by Shw on 28.02.07 at 14:44:48

Title: Introduction to ST Hacking By Hank/Automation PT 1
Post by Shw on 28.02.07 at 14:44:48
;An introduction to cracking/68000 (c)1991 Hank of the Diskmap Crew.
;Please read this doc in medium resolution.
;Please read this doc in GENST2.PRG
;Start time 12:18 a.m. 6th August 1991.
;Finish time 03:08 p.m. 7th August 1991.
;A long while ago the ALIEN of the Pompey Pirates released a brief
;document about hacking particular types of protection on this
;wonderful machine. As with the ALIEN I am totally fed up with people
;asking "How do you crack original software ?" - so here is a starters
;guide.
;Question 1:
;Do you know any 68000 assembler ?
;No ? - Buy the ATARI ST Internals by Abacus Books £25-00 tops.
;Read the paragraphs on the Gemdos, Bios, Xbios & the Exception vectors
;then return to this document - Believe me it's easy !!.
;Ok you now know about the traps, exception vectors & the status reg.
;Question 2:
;What vector is at address $10 ?
;Answer - Illegal instruction - Were you right ?
;Question 3:
;What is this trap function -
    clr.l -(sp)
    move.w #$20,-(sp) ;function number
    trap #1
    addq.w #6,sp
;Answer - Supervisor mode.
;This trap is probably the most important out of all the traps as
;you have to enable supervisor mode to access all the hardware and
;the lower end of memory of the ATARI ST.
;Before going into supervisor mode your SR (status register) will be
;at $0300/8300, after it will be $2300/a300; if it is the latter you
;are successfully in super mode.
;Now a bit about the hardware.
;N.B. - all source code documentation in this file has been optimised
;with the ".w" on the end of the hardware or low end memory
;address i.e. $ffff8240.w, you may see this register or any other
;documented as $ff8240 or $ffff8240, don't panic it's the same reg.
;This optimisation saves 2 bytes on the latter 2 examples. The latter
;2 are also examples of "Lazy programming".
;The registers:
; $ffff8240.w ;color 0
; $ffff8242.w ;color 1
; $ffff825c.w ;color 15
; $ffff825e.w ;color 16
;These registers form the color palette as you have probably guessed,
;the next one after $ffff8242.w would be $ffff8244.w and so on until
;$ffff825e.w - easy ?
; $ffff820a.w ;sync mode
    move.b #$00,$ffff820a.w ;60 Hz (American)
    move.b #$01,$ffff820a.w ;70 Hz (mono)
    move.b #$02,$ffff820a.w ;50 Hz (British)
; $ffff8260.w ;resolution
    move.b #$00,$ffff8260.w ;low res
    move.b #$01,$ffff8260.w ;med res
    move.b #$02,$ffff8260.w ;high res
; $ffff8001.w ;memory config ;don't mess!!
; $ffff8201.w ;high byte of the screen addr
; $ffff8203.w ;low byte of the screen addr
    move.b #$07,$ffff8201.w ;screen at
    move.b #$80,$ffff8203.w ;$78000
; $fffffc02.w ;the keyboard
    move.b #$12,$fffffc02.w ;kill mouse
    move.b #$08,$fffffc02.w ;restore mouse
;you may also see this reg. addressed as:-
    lea $fffffc00.w,a0 ;reg. start in a0
;   move.b #num,2(a0) ;2+a0 = $fffffc02.w
; $ffff8800.w ;the psg reg.
    move.b #$0e,$ffff8800.w ;init psg (disk drive mode)
;when I am looking for a protection I normally search for this addr.
;e.g.:-
    move.w sr,-(sp) ;save status register
    or.w #$0700,sr ;$2700 on the sr - kill interrupts
    move.b #$0e,$ffff8800.w ;init psg
    move.b $ffff8800.w,d1 ;get drive status
    move.b d1,d2 ;save old drive status
    and.b #$f8,d1 ;mask bits
    move.b d1,$ffff8802.w ;gi select
    move.w (sp)+,sr ;restore status register
    rts ;return from subroutine
;alternatively you can address the psg as:
    move.l #$0e002500,$ffff8800.w ;read side 0 of the disk
    move.l #$0e002400,$ffff8800.w ;read side 1 of the disk
    move.l #$0e002700,$ffff8800.w ;de-select (turn off light)
;The MFP interrupt registers.
; $fffffa01.w ;parallel port
; $fffffa03.w
; $fffffa23.w
; $fffffa25.w
;As with the color palette regs. these regs. are addressed every
;2 bytes after each other.
;Only a byte may be poked in to each reg. as they are addressed
;on un-even boundaries.
;Most of the other hardware registers are documented in the Internals
;book.
;Op codes
;When cracking games the program normally has to be modified using HEX,
;here are some of the important HEX equivalents of their source code
;counterparts.
; NOP $4e71 ;no operation
; ILLEGAL $4afc ;illegal instruction
; RTS $4e75 ;return from subroutine
; RTE $4e73 ;return from exception
; MOVEQ #0,D0 $7000 ;clr.l d0!!
; BRA $6000 ;branch always
;The above instructions are the ones I mostly use when cracking games.
;How to modify memory is explained later in the section on monst2.
END OF PART 1
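As an added illustration of the ".w" optimisation Hank mentions (this is editor-supplied example code, not part of Hank's document or the forum post), the following Python encodes the MOVE.B #imm,<abs> forms used in the listing above, shows why the abs.w form is two bytes shorter than abs.l, and checks which addresses abs.w can actually reach. The helper names (normalize, fits_abs_short, encode_move_b_imm, hexwords) are my own.

```python
from typing import Optional

# Constructed example: bit-level encoding of MOVE.B #imm,<abs> on the 68000.
# MOVE opword layout: 00 | size (01 = byte) | dst reg | dst mode | src mode | src reg

def normalize(addr: int) -> int:
    """Return a 32-bit address. The 68000 drives only 24 address lines, so the
    24-bit form $ff8240 is the same register as $ffff8240; sign-extend bit 23."""
    a = addr & 0xFFFFFFFF
    if a < 0x1000000 and a & 0x800000:
        a |= 0xFF000000
    return a

def fits_abs_short(addr: int) -> bool:
    """abs.w is a 16-bit operand the CPU sign-extends, so only
    $00000000-$00007fff and $ffff8000-$ffffffff are reachable with it."""
    return (normalize(addr) >> 15) in (0, 0x1FFFF)

def encode_move_b_imm(imm: int, addr: int, short: Optional[bool] = None) -> bytes:
    """Encode MOVE.B #imm,addr as big-endian words.
    Source: immediate (mode 111, reg 100). Destination: abs.w (mode 111, reg 000)
    or abs.l (mode 111, reg 001). short=None picks abs.w whenever it is reachable."""
    if not 0 <= imm <= 0xFF:
        raise ValueError("byte immediate must fit in 8 bits")
    a = normalize(addr)
    if short is None:
        short = fits_abs_short(a)
    elif short and not fits_abs_short(a):
        raise ValueError(f"${a:08x} is not reachable with a .w (abs short) operand")
    dst_reg = 0b000 if short else 0b001
    opword = (0b01 << 12) | (dst_reg << 9) | (0b111 << 6) | (0b111 << 3) | 0b100
    words = [opword, imm]  # the byte immediate occupies the low byte of one extension word
    words += [a & 0xFFFF] if short else [a >> 16, a & 0xFFFF]
    return b"".join(w.to_bytes(2, "big") for w in words)

def hexwords(code: bytes) -> str:
    """Render the bytes as the word groups a monitor such as MonST would show."""
    return " ".join(code[i:i + 2].hex() for i in range(0, len(code), 2))

if __name__ == "__main__":
    # "init psg" from the listing, once with .w and once forced to abs.l
    short_form = encode_move_b_imm(0x0E, 0xFFFF8800)
    long_form = encode_move_b_imm(0x0E, 0xFFFF8800, short=False)
    print(hexwords(short_form), f"({len(short_form)} bytes, .w)")  # 11fc 000e 8800
    print(hexwords(long_form), f"({len(long_form)} bytes, .l)")    # 13fc 000e ffff 8800
    # the screen base $78000 is outside both sign-extended ranges, so .w cannot address it
    print("$78000 reachable with .w?", fits_abs_short(0x78000))    # False
```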