D-Bug & Automation Forum
D-Bug & Automation Forum >> Coding >> Introduction to ST Hacking By Hank/Automation PT 1

Message started by Shw on 28.02.07 at 14:44:48

Title: Introduction to ST Hacking By Hank/Automation PT 1
Post by Shw on 28.02.07 at 14:44:48
;An introduction to cracking/68000 (c)1991 Hank of the Diskmap Crew.

;Please read this doc in medium resloution.
;Please read this doc in GENST2.PRG
;Start time 12:18 a.m. 6th August 1991.
;Finish time 03:08 p.m. 7th august 1991.

;A long while ago the ALIEN of the Pompey Pirates released a breif
;document about hacking particular types of protection on this
;wonderful machine, As with the ALIEN i am totally fed up with people
;asking "How do you crack oringinal sofware ?" - so here is a starters

;Question 1:
;Do you know any 68000 assembler ?
;No ? - Buy the ATARI ST internals by abacus books œ25-00 tops.
;Read the paragraphs on the Gemdos,Bios,Xbios & the Exeption vectors
;then return to this document - Believe me it's easy !!.

;Ok you now know about the traps,exeption vectors & the status reg.

;Qestion 2:
;What vector is at address $10 ?
;Answer - Illegal intruction - Were you right ?

;Question 3:
;what is this trap function -

     clr.l      -(sp)
     move.w      #$20,-(sp)            ;function number
     trap      #1
     addq.w      #6,sp

;Answer - Supervisor mode.
;This trap is probabaly the most important out of all the traps as
;you have to enable supervisor mode to access all the hardware and
;the lower end of memory of the ATARI ST.
;Before going into supervisor mode your SR(status register) will be
;at $0300/8300 after it will be $2300/a300 if it is the later you
;are succesfully in super mode.

;Now a bit about the hardware.
;N.B. - all source code documentation in this file has been optom-
;ised with the ".w" on the end of the hardware or low end memory
;address i.e. $ffff8240.w, you may see this registor or any other
;documentated as $ff8240 or $ffff8240, dont panic it's the same reg.
;this optomisation saves 2 bytes on the later 2 examples. The later
;2 are also examples of "Lazy programing".

;The registers:

;      $ffff8240.w                  ;color 0
;      $ffff8242.w                  ;color 1
;      $ffff825c.w                  ;color 15
;      $ffff825e.w                  ;color 16

;These registers form the color pallette as you have probably guesed  
;the next one afer $ffff8242.w would be $ffff8244.w and so on until
;$ffff825e.w - easy ?

;      $ffff820a.w                  ;sync mode
     move.b      #$00,$ffff820a.w      ;60 Hz      (American)
     move.b      #$01,$ffff820a.w      ;70 Hz      (mono)
     move.b      #$02,$ffff820a.w      ;50 Hz      (British)

;      $ffff8260.w                  ;resolution
     move.b      #$00,$ffff8260.w      ;low res
     move.b      #$01,$ffff8260.w      ;med res
     move.b      #$02,$ffff8260.w      ;high res

;      $ffff8001.w                  ;memory config
;don't mess!!

;      $ffff8201.w                  ;high byte of the srceen addr
;      $ffff8203.w                  ;low byte of the srceen addr

     move.b      #$07,$ffff8201.w      ;screen at
     move.b      #$80,$ffff8203.w      ;$78000

;      $fffffc02.w                  ;the keyboard

     move.b      #$12,$fffffc02.w      ;kill mouse
     move.b      #$08,$fffffc02.w      ;restore mouse

;you may also see this reg. addressed as:-

     lea      $fffffc00.w,a0            ;reg. start in a0
;      move.b      #num,2(a0)            ;2+a0 = $fffffc02.w

;      $ffff8800.w                  ;the psg reg.

     move.b      #$0e,$ffff8800.w      ;init psg (disk drive mode)

;when i am looking for a protection i normally search for this addr.


     move.w      sr,-(sp)            ;save status register
     or.w      #$0700,sr            ;$2700 on the sr - kill interupts      
     move.b      #$0e,$ffff8800.w      ;init psg
     move.b      $ffff8800.w,d1            ;get drive status
     move.b      d1,d2                  ;save old drive status
     and.b      #$f8,d1                  ;mask bits
     move.b      d1,$ffff8802.w            ;gi select
     move.w      (sp)+,sr            ;restore status register
     rts                        ;return from subroutine

;alernitaly you can address the psg as:

     move.l      #$0e002500,$ffff8800.w      ;read side 0 of the disk
     move.l      #$0e002400,$ffff8800.w      ;read side 1 of the disk
     move.l      #$0e002700,$ffff8800.w      ;de-select (turn off light)

;The MFP interupt registers.

;      $fffffa01.w                  ;paralell port      
;      $fffffa03.w

;      $fffffa23.w
;      $fffffa25.w

;As with the color pallette regs. these regs. are addressed every
;2 bytes after each other.
;Only a byte may be poked in to each reg. as they are addressed
;on un-even boundaries.  

;Most of the other hardware registers are documented in the Internals

;Op codes
;When cracking games the program normaly has to be modified using HEX
;here are some of the important HEX equlivelents of thier source code

;      NOP            $4e71            ;no operation
;      ILLEGAL            $4afc            ;illegal instruction
;      RTS            $4e75            ;return from subroutine
;      RTE            $4e73            ;return from exeption
;      MOVEQ #0,D0      $7000            ;clr.l      d0!!
;      BRA            $6000            ;branch always

;The above instructions are the ones i mostly use when cracking games
;How to modify memory is explaned later in the section on monst2.


D-Bug & Automation Forum » Powered by YaBB 2.6.0!
YaBB Forum Software © 2000-2021. All Rights Reserved.