----------------Rampage----------------
A 4am crack                  2014-05-04
---------------------------------------

Rampage is a 1988 arcade game
distributed by Activision, Inc.

COPYA copies the original disk, but the
copy does not work. It loads the (double
hi-res!) title screen, then glitches out
and reboots. The boot does not sound
like DOS 3.3, ProDOS, or Pascal, and
there is no evidence of any known file
system on the disk. (I checked T11,S0F
for signs of a DOS 3.3 catalog, then
T00,S0B for ProDOS or Pascal.) With
nothing else to go on, it's time for
boot tracing.

[S6D1=original disk]
[S5D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

My AUTOTRACE program can capture the
boot0 code on T00,S00, boot1 code on
T00,S00-09 if boot0 is close enough to
DOS 3.3, and even the RWTS (again, if
boot1 is close enough to DOS 3.3). In
this case, it only got as far as boot0,
which means this boot code is probably
completely unlike DOS 3.3.

AUTOTRACE relocates the boot0 code to
$2800..$28FF so it can survive the
reboot, so let's see what we have.

]CALL-151

*800<2800.28FFM

*801L

; looks like we're going to be loading
; boot1 starting at $8000. (Normal DOS
; 3.3 boot0 code starts with a branch
; like this as a way of determining
; whether it's done its one-time
; initialization yet, but it checks for
; #$09 instead of #$80.)
0801-   A5 27       LDA   $27
0803-   C9 80       CMP   #$80
0805-   B0 52       BCS   $0859

; Zero page $2B has the slot number x
; 16 at this point. Store it in $0100?
; Odd. Noted for future reference.
0807-   A5 2B       LDA   $2B
0809-   8D 00 01    STA   $0100

; figure out where the sector read
; routine is in the disk controller ROM
; based on the slot number we booted
; from. If we're booting from slot 6,
; this will end up being $C65C.
080C-   4A          LSR
080D-   4A          LSR
080E-   4A          LSR
080F-   4A          LSR
0810-   09 C0       ORA   #$C0
0812-   85 3F       STA   $3F
0814-   8D 3C 08    STA   $083C
0817-   A9 5C       LDA   #$5C
0819-   85 3E       STA   $3E

; never seen this before, but it seems
; to always be zero, therefore branch
081B-   A0 A3       LDY   #$A3
081D-   B1 3E       LDA   ($3E),Y
081F-   F0 30       BEQ   $0851
...

; loop to re-use the disk controller
; ROM routine to read the rest of track
; 0 into $8000..$8FFF
0851-   A9 80       LDA   #$80
0853-   85 27       STA   $27
0855-   A9 FF       LDA   #$FF
0857-   85 3D       STA   $3D
0859-   A5 3D       LDA   $3D
085B-   18          CLC
085C-   69 01       ADC   #$01
085E-   C9 10       CMP   #$10
0860-   90 06       BCC   $0868
0862-   C9 11       CMP   #$11
0864-   F0 07       BEQ   $086D
0866-   A9 01       LDA   #$01
0868-   85 3D       STA   $3D
086A-   6C 3E 00    JMP   ($003E)

; execution continues at code we just
; read in from one of the other sectors
086D-   4C 70 80    JMP   $8070

OK, that looks like a good place to
interrupt the boot process and see
what's going on.

*9600