Rob Northen Decrypted1
Rob Northen Decrypted #1 - Barbarian II (Palace)
------------------------------------------------------------------------------ RNC - BARBARIAN II (PALACE) TOS162DE last revision 2007/01/14 ------------------------------------------------------------------------------ $A892:[]bra.w $a916 ; (end_os) ------------------------------------------------------------------------------ $A896: 50 72 6F 74 65 63 74 69 6F 6E 20 28 43 29 31 39 Protection (C)19 $A8A6: 38 39 20 52 6F 62 20 4E 6F 72 74 68 65 6E 20 43 89 Rob Northen C $A8B6: 6F 6D 70 75 74 69 6E 67 2E 20 41 6C 6C 20 52 69 omputing. All Ri $A8C6: 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00 00 ghts Reserved... $A8D6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ $A8E6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ $A8F6: 00 00 00 00 00 00 00 00 FF FF FF FF 00 08 00 00 ................ $A906: 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 01 ................ ------------------------------------------------------------------------------ $A916:[]move.l a6,-(sp) $A918:[]lea.l $a896(pc),a6 $A91C:[]movem.l d0-d7/a0-a7,(a6) $A920:[]lea $40(a6),a6 $A924:[]move.l (sp)+,-$8(a6) $A928:[]move.l $4(sp),(a6)+ $A92C:[]pea $a93c(pc) $A930:[]move.l #$50004,-(sp) $A936:[]trap #$d ; Setexc - Illegal exception vector $A938:[]addq.l #$8,sp $A93A:[]illegal ------------------------------------------------------------------------------ $A93C:[]move.l d0,$10 ; restore Illegal exception vector $A942:[]move.l usp,a0 $A944:[]move.l a0,(a6)+ $A946:[]movem.l $a902(pc),d0-d4 $A94C:[]movem.l d0-d4,-(sp) $A950:[]move.l $4c6,$2(sp) ; _dskbufp $A958:[]trap #$e ; Floprd - boot sector $A95A:[]lea.l $14(sp),sp $A95E:[]movem.l $8,d0-d7 $A966:[]movem.l d0-d7,(a6) $A96A:[]lea.l $a9f6(pc),a0 $A96E:[]move.l a0,$10 ; new Illegal exception vector $A974:[]illegal ; Trace ON ------------------------------------------------------------------------------ dummy code ------------------------------------------------------------------------------ $A976:[]lea.l $a916(pc),a4 ; start 
address (see address exception) $A97A:[]moveq.l #$0,d4 $A97C:[]moveq.l #$0,d5 $A97E:[]moveq.l #$0,d6 $A980:[]moveq.l #$0,d7 $A982:[]bra.w $a992 $A986:[]bra.w $a9c2 $A98A:[]bra.w $a9ee $A98E:[]bra.w $a99a $A992:[]bra.w $a99e $A996:[]bra.w $a9b2 $A99A:[]bra.w $a9be $A99E:[]bra.w $a9f2 $A9A2:[]bra.w $a986 $A9A6:[]bra.w $a9ae $A9AA:[]bra.w $a9ba $A9AE:[]bra.w $a9ca $A9B2:[]bra.w $a9ea $A9B6:[]bra.w $a9e6 $A9BA:[]bra.w $a9ce $A9BE:[]bra.w $a9a2 $A9C2:[]bra.w $a9a6 $A9C6:[]bra.w $aa64 ; skip this code $A9CA:[]bra.w $a9d2 $A9CE:[]bra.w $a98e $A9D2:[]bra.w $a9da $A9D6:[]bra.w $a98a $A9DA:[]bra.w $a996 $A9DE:[]bra.w $a9aa $A9E2:[]bra.w $a9b6 $A9E6:[]bra.w $a9d6 $A9EA:[]bra.w $a9e2 $A9EE:[]bra.w $a9c6 $A9F2:[]bra.w $a9de ------------------------------------------------------------------------------ new Illegal exception vector - Trace ON/OFF ------------------------------------------------------------------------------ $A9F6:[]movem.l d0/a0-a1,-(sp) $A9FA:[]lea.l $aa30(pc),a0 $A9FE:[]move.l a0,$24 ; new Trace vector $AA04:[]lea.l $abf4(pc),a0 $AA08:[]move.l a0,$20 ; new Privilege Violation vector $AA0E:[]addi.l #$2,$e(sp) $AA16:[]ori.b #$7,$c(sp) $AA1C:[]bchg #$7,$c(sp) ; Trace ON/OFF $AA22:[]lea.l $a904(pc),a1 $AA26:[]beq.s $aa42 $AA28:[]movea.l (a1),a0 $AA2A:[]move.l $4(a1),(a0) $AA2E:[]bra.s $aa56 ------------------------------------------------------------------------------ new Trace vector - encrypt/decrypt ------------------------------------------------------------------------------ $AA30:[]andi #$f8ff,sr $AA34:[]movem.l d0/a0-a1,-(sp) $AA38:[]lea.l $a904(pc),a1 $AA3C:[]movea.l (a1),a0 $AA3E:[]move.l $4(a1),(a0) ; encrypt previous $AA42:[]movea.l $e(sp),a0 $AA46:[]move.l a0,(a1) $AA48:[]move.l (a0),$4(a1) $AA4C:[]move.l -$4(a0),d0 $AA50:[]not.l d0 $AA52:[]swap d0 $AA54:[]eor.l d0,(a0) ; decrypt current $AA56:[]movem.l (sp)+,d0/a0-a1 $AA5A:[]rte ------------------------------------------------------------------------------ $AA5C: 00 00 00 00 00 00 00 00 ........ 
------------------------------------------------------------------------------ code decryption loop #1 > $aa7c-$ad62 ------------------------------------------------------------------------------ $AA64:[]nop $AA66:[]eori.w #$2000,sr $AA6A:[]lea.l $aa7c(pc),sp ; < $AA6E:[]move.w #$173,d0 $AA72:[]move.w #$c44c,d1 $AA76:[]eor.w d1,(sp)+ $AA78:[]dbra d0,$aa76 $AA7C:[]lea.l $aa96(pc),sp ; < $AA80:[]move.w #$58,d0 $AA84:[]movem.w (sp)+,a0-a3 $AA88:[]exg a3,a0 $AA8A:[]exg a2,a1 $AA8C:[]movem.w a0-a3,-(sp) $AA90:[]addq.l #$8,sp $AA92:[]dbra d0,$aa84 $AA96:[]lea.l $aa64(pc),sp ; < d5 $AA9A:[]move.w #$bf,d0 $AA9E:[]add.l (sp)+,d5 $AAA0:[]dbra d0,$aa9E $AAA4:[]lea.l $aac2(pc),sp ; < $AAA8:[]move.w #$a7,d0 $AAAC:[]movep.w $0(sp),d1 $AAB0:[]movep.w $1(sp),d2 $AAB4:[]movep.w d1,$1(sp) $AAB8:[]movep.w d2,$0(sp) $AABC:[]addq.l #$4,sp $AABE:[]dbra d0,$aaac $AAC2:[]lea.l $aa64(pc),sp ; < d7 $AAC6:[]move.w #$bf,d0 $AACA:[]add.l (sp)+,d7 $AACC:[]dbra d0,$aaca $AAD0:[]lea.l $aae2(pc),sp ; < $AAD4:[]move.w #$140,d0 $AAD8:[]move.w (sp),d1 $AADA:[]not.w d1 $AADC:[]move.w d1,(sp)+ $AADE:[]dbra d0,$aad8 $AAE2:[]lea.l $aaf4(pc),sp ; < $AAE6:[]move.w #$137,d0 $AAEA:[]move.w #$4902,d1 $AAEE:[]add.w d1,(sp)+ $AAF0:[]dbra d0,$aaee $AAF4:[]lea.l $ab06(pc),sp ; < $AAF8:[]move.w #$12E,d0 $AAFC:[]move.w (sp),d1 $AAFE:[]ror.w #$3,d1 $AB00:[]move.w d1,(sp)+ $AB02:[]dbra d0,$aafc $AB06:[]lea.l $ab18(pc),sp ; < $AB0A:[]move.w #$125,d0 $AB0E:[]move.w #$A162,d1 $AB12:[]sub.w d1,(sp)+ $AB14:[]dbra d0,$ab12 $AB18:[]lea.l $ab2a(pc),sp ; < $AB1C:[]move.w #$11c,d0 $AB20:[]move.w (sp),d1 $AB22:[]rol.w #$3,d1 $AB24:[]move.w d1,(sp)+ $AB26:[]dbra d0,$ab20 $AB2A:[]lea.l $ab3c(pc),sp ; < $AB2E:[]move.w #$113,d0 $AB32:[]move.w #$ab7,d1 $AB36:[]add.w d1,(sp)+ $AB38:[]dbra d0,$ab36 $AB3C:[]lea.l $ab4e(pc),sp ; < $AB40:[]move.w #$10a,d0 $AB44:[]move.w #$d81f,d1 $AB48:[]eor.w d1,(sp)+ $AB4A:[]dbra d0,$ab48 $AB4E:[]lea.l $ab60(pc),sp ; < $AB52:[]move.w #$101,d0 $AB56:[]move.w #$1054,d1 $AB5A:[]add.w d1,(sp)+ $AB5C:[]dbra 
d0,$ab5a $AB60:[]eori.w #$2000,sr ------------------------------------------------------------------------------ load new exception vectors - kills debugger ------------------------------------------------------------------------------ $AB64:[]lea.l $ab80(pc),a0 ; new offsets $AB68:[]lea.l $8,a1 $AB6E:[]moveq.l #$7,d0 $AB70:[]moveq.l #$0,d1 $AB72:[]move.w (a0)+,d1 $AB74:[]add.l a4,d1 ; start address $AB76:[]move.l d1,(a1)+ $AB78:[]dbra d0,$ab70 $AB7C:[]bra.w $7a6b ; address error! > ac0c ------------------------------------------------------------------------------ $AB80: 0CF4 027A 00E0 0D34 0D74 08F2 02DE 011A ; offsets ------------------------------------------------------------------------------ new Address Error vector - calculated return addresses: [1]=ac0c [2]=ad76 [3]=aeb4 [4]=b22a [5]=b3ce ------------------------------------------------------------------------------ $AB90:[]move.w $6(sp),d0 $AB94:[]andi.w #$f000,d0 $AB98:[]cmp.w #$6000,d0 $AB9C:[]bne.s $aba4 $AB9E:[]lea.l $8(sp),sp $ABA2:[]bra.s $abc8 $ABA4:[]cmp.w #$8000,d0 $ABA8:[]bne.s $abba $ABAA:[]move.w (sp),$24(sp) $ABAE:[]move.l $2(sp),$26(sp) $ABB4:[]lea.l $24(sp),sp $ABB8:[]bra.s $abc8 $ABBA:[]move.w (sp),$1a(sp) $ABBE:[]move.l $2(sp),$1c(sp) $ABC4:[]lea.l $1a(sp),sp $ABC8:[]andi #$f8ff,sr $ABCC:[]movem.l d0/a0-a1,-(sp) $ABD0:[]addi.l #$2,$e(sp) ; $ABD8:[]movea.l $e(sp),a1 $ABDC:[]moveq.l #$0,d0 $ABDE:[]add.w (a4)+,d0 $ABE0:[]cmpa.l a1,a4 $ABE2:[]blt.s $abde $ABE4:[]subq.w #$2,d0 $ABE6:[]bclr #$0,d0 $ABEA:[]adda.l d0,a4 $ABEC:[]move.l a4,$e(sp) ; new return address $ABF0:[]bra.w $aa38 ------------------------------------------------------------------------------ new Privilege Violation vector ------------------------------------------------------------------------------ $abf4:[]bchg #$5,(sp) $abf8:[]addi.l #$4,$2(sp) $ac00:[]bra.w $aa30 ------------------------------------------------------------------------------ $AC04: 00 00 00 00 00 00 00 00 ........ 
------------------------------------------------------------------------------ code decryption loop #2 > $ac3c- ------------------------------------------------------------------------------ $AC0C:[]ori.b #$0,d0 $AC10:[]ori.b #$0,d0 $AC14:[]ori.b #$0,d0 $AC18:[]eori.w #$2000,sr $AC1C:[]lea.l $ac0c(pc),sp ; < d5 $AC20:[]move.w #$a3,d0 $AC24:[]add.l (sp)+,d5 $AC26:[]dbra d0,$ac24 $AC2A:[]lea.l $ac3c(pc),sp ; < $AC2E:[]move.w #$12f,d0 $AC32:[]move.w #$e8f,d1 $AC36:[]sub.w d1,(sp)+ $AC38:[]dbra d0,loc_AC36 $AC3C:[]lea.l $ac5a(pc),sp ; < $AC40:[]move.w #$8f,d0 $AC44:[]movep.w $0(sp),d1 $AC48:[]movep.w $1(sp),d2 $AC4C:[]movep.w d1,$1(sp) $AC50:[]movep.w d2,$0(sp) $AC54:[]addq.l #$4,sp $AC56:[]dbra d0,$ac44 $AC5A:[]lea.l $ac6c(pc),sp ; < $AC5E:[]move.w #$117,d0 $AC62:[]move.w (sp),d1 $AC64:[]not.w d1 $AC66:[]move.w d1,(sp)+ $AC68:[]dbra d0,$ac62 $AC6C:[]lea.l $ac86(pc),sp ; < $AC70:[]move.w #$41,d0 $AC74:[]movem.w (sp)+,a0-a3 $AC78:[]exg a3,a0 $AC7A:[]exg a2,a1 $AC7C:[]movem.w a0-a3,-(sp) $AC80:[]addq.l #$8,sp $AC82:[]dbra d0,$ac74 $AC86:[]lea.l $ac98(pc),sp ; < $AC8A:[]move.w #$101,d0 $AC8E:[]move.w #$c6b9,d1 $AC92:[]sub.w d1,(sp)+ $AC94:[]dbra d0,$ac92 $AC98:[]lea.l $acaa(pc),sp ; < $AC9C:[]move.w #$f8,d0 $ACA0:[]move.w #$a1f9,d1 $ACA4:[]eor.w d1,(sp)+ $ACA6:[]dbra d0,$aca4 $ACAA:[]lea.l $acbc(pc),sp ; < $ACAE:[]move.w #$ef,d0 $ACB2:[]move.w (sp),d1 $ACB4:[]not.w d1 $ACB6:[]move.w d1,(sp)+ $ACB8:[]dbra d0,$acb2 $ACBC:[]lea.l $acd6(pc),sp ; < $ACC0:[]move.w #$37,d0 $ACC4:[]movem.w (sp)+,a0-a3 $ACC8:[]exg a3,a0 $ACCA:[]exg a2,a1 $ACCC:[]movem.w a0-a3,-(sp) $ACD0:[]addq.l #$8,sp $ACD2:[]dbra d0,$acc4 $ACD6:[]lea.l $ac0c(pc),sp ; < d4 $ACDA:[]move.w #$a3,d0 $ACDE:[]add.l (sp)+,d4 $ACE0:[]dbra d0,$acde $ACE4:[]lea.l $acf6(pc),sp ; < $ACE8:[]move.w #$d2,d0 $ACEC:[]move.w #$25c4,d1 $ACF0:[]eor.w d1,(sp)+ $ACF2:[]dbra d0,$acf0 $ACF6:[]lea.l $ad08(pc),sp ; < $ACFA:[]move.w #$c9,d0 $ACFE:[]move.w #$ac4d,d1 $AD02:[]add.w d1,(sp)+ $AD04:[]dbra d0,loc_AD02 $AD08:[]eori.w #$2000,sr 
------------------------------------------------------------------------------ Exception Vectors Check - crashes on a real STE ! ------------------------------------------------------------------------------ $AD0C:[]lea.l $ad64(pc),a0 $AD10:[]moveq.l #$0,d0 $AD12:[]move.b (a0)+,d0 $AD14:[]beq.s $ad3a $AD16:[]lsl.l #$2,d0 $AD18:[]movea.l d0,a1 $AD1A:[]cmpi.l #$fc0000,(a1) $AD20:[]bge.s $ad10 $AD22:[]cmp.l #$b4,d0 $AD28:[]bne.s $ad32 $AD2A:[]cmpi.l #$300,(a1) $AD30:[]beq.s $ad10 $AD32:[]move.l $4,(a1) $AD38:[]bra.s $ad10 $AD3A:[]move.w $454,d0 $AD40:[]movea.l $456,a0 $AD46:[]tst.l (a0)+ $AD48:[]beq.s $ad5c $AD4A:[]cmpi.l #$fc0000,-$4(a0) $AD52:[]bge.s $ad5c $AD54:[]move.l $4,-$4(a0) $AD5C:[]subq.w #$1,d0 $AD5E:[]bne.s $ad46 $AD60:[]bra.w $d211 ; address error! > ad76 ------------------------------------------------------------------------------ $AD64: 19 1A 1B 1C 1D 1E 21 22 2D 2E ......!"-. $AD6E: 00 00 00 00 00 00 00 00 ........ ------------------------------------------------------------------------------ code decryption loop #3 > $ad9e- ------------------------------------------------------------------------------ $AD76:[]ori.b #$0,d0 $AD7A:[]ori.b #$0,d0 $AD7E:[]ori.b #$0,d0 $AD82:[]ori.b #$0,d0 $AD86:[]nop $AD88:[]eori.w #$2000,sr $AD8C:[]lea.l $ad9e(pc),sp ; < $AD90:[]move.w #$22e,d0 $AD94:[]move.w (sp),d1 $AD96:[]neg.w d1 $AD98:[]move.w d1,(sp)+ $AD9A:[]dbra d0,$ad94 $AD9E:[]lea.l $adb0(pc),sp ; < $ADA2:[]move.w #$225,d0 $ADA6:[]move.w #$1843,d1 $ADAA:[]add.w d1,(sp)+ $ADAC:[]dbra d0,$adaa $ADB0:[]lea.l $adc2(pc),sp ; < $ADB4:[]move.w #$21c,d0 $ADB8:[]move.w #$bb0b,d1 $ADBC:[]eor.w d1,(sp)+ $ADBE:[]dbra d0,$adbc $ADC2:[]lea.l $ade0(pc),sp ; < $ADC6:[]move.w #$106,d0 $ADCA:[]movep.w $0(sp),d1 $ADCE:[]movep.w $1(sp),d2 $ADD2:[]movep.w d1,$1(sp) $ADD6:[]movep.w d2,$0(sp) $ADDA:[]addq.l #$4,sp $ADDC:[]dbra d0,$adca $ADE0:[]lea.l $adf2(pc),sp ; < $ADE4:[]move.w #$204,d0 $ADE8:[]move.w (sp),d1 $ADEA:[]rol.w #$5,d1 $ADEC:[]move.w d1,(sp)+ $ADEE:[]dbra d0,$ade8 
$ADF2:[]lea.l $ae0c(pc),sp ; < $ADF6:[]move.w #$7d,d0 $ADFA:[]movem.w (sp)+,a0-a3 $ADFE:[]exg a3,a0 $AE00:[]exg a2,a1 $AE02:[]movem.w a0-a3,-(sp) $AE06:[]addq.l #$8,sp $AE08:[]dbra d0,$adfa $AE0C:[]lea.l $ae1e(pc),sp ; < $AE10:[]move.w #$1ee,d0 $AE14:[]move.w (sp),d1 $AE16:[]rol.w #$7,d1 $AE18:[]move.w d1,(sp)+ $AE1A:[]dbra d0,$ae14 $AE1E:[]lea.l $ae30(pc),sp ; < $AE22:[]move.w #$1e5,d0 $AE26:[]move.w (sp),d1 $AE28:[]not.w d1 $AE2A:[]move.w d1,(sp)+ $AE2C:[]dbra d0,$ae26 $AE30:[]lea.l $ae42(pc),sp ; < $AE34:[]move.w #$1dc,d0 $AE38:[]move.w #$d671,d1 $AE3C:[]sub.w d1,(sp)+ $AE3E:[]dbra d0,$ae3c $AE42:[]lea.l $ae60(pc),sp ; < $AE46:[]move.w #$e6,d0 $AE4A:[]movep.w $0(sp),d1 $AE4E:[]movep.w $1(sp),d2 $AE52:[]movep.w d1,$1(sp) $AE56:[]movep.w d2,$0(sp) $AE5A:[]addq.l #$4,sp $AE5C:[]dbra d0,$ae4a $AE60:[]lea.l $ae72(pc),sp ; < $AE64:[]move.w #$1c4,d0 $AE68:[]move.w #$f6bc,d1 $AE6C:[]eor.w d1,(sp)+ $AE6E:[]dbra d0,$ae6c $AE72:[]eori.w #$2000,sr ------------------------------------------------------------------------------ Disable MFP Interrupts ------------------------------------------------------------------------------ $AE76:[]move.w #$5e16,d2 ; 0101 1110 0001 0110 $AE7A:[]moveq #$f,d1 $AE7C:[]rol.w #1,d2 $AE7E:[]bcc.s $ae94 $AE80:[]move.w d1,-(sp) ; save d1 $AE82:[]move.w d1,-(sp) $AE84:[]move.w #$1a,-(sp) $AE88:[]illegal ; Trace OFF $AE8A:[]trap #$e ; Jdisint $AE8C:[]illegal ; Trace ON $AE8E:[]lea.l $4(sp),sp $AE92:[]move.w (sp)+,d1 ; restore d1 $AE94:[]dbra d1,$ae7c $AE98:[]bra.w $5a0b ; address error! > aeb4 ------------------------------------------------------------------------------ $AE9C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ $AEAC 00 00 00 00 00 00 00 00 ........ 
------------------------------------------------------------------------------ code decryption loop #4 > $aed2- ------------------------------------------------------------------------------ $AEB4:[]eori.w #$2000,sr $AEB8:[]lea.l $aed2(pc),sp ; < $AEBC:[]move.w #$93,d0 $AEC0:[]movem.w (sp)+,a0-a3 $AEC4:[]exg a3,a0 $AEC6:[]exg a2,a1 $AEC8:[]movem.w a0-a3,-(sp) $AECC:[]addq.l #$8,sp $AECE:[]dbra d0,$aec0 $AED2:[]lea.l $aeb4(pc),sp ; < d5 $AED6:[]move.w #$12f,d0 $AEDA:[]add.l (sp)+,d5 $AEDC:[]dbra d0,$aeda $AEE0:[]lea.l $aef2(pc),sp ; < $AEE4:[]move.w #$241,d0 $AEE8:[]move.w (sp),d1 $AEEA:[]neg.w d1 $AEEC:[]move.w d1,(sp)+ $AEEE:[]dbra d0,$aee8 $AEF2:[]lea.l $af04(pc),sp ; < $AEF6:[]move.w #$238,d0 $AEFA:[]move.w #$c9c3,d1 $AEFE:[]sub.w d1,(sp)+ $AF00:[]dbra d0,$aefe $AF04:[]lea.l $af1e(pc),sp ; < $AF08:[]move.w #$8a,d0 $AF0C:[]movem.w (sp)+,a0-a3 $AF10:[]exg a3,a0 $AF12:[]exg a2,a1 $AF14:[]movem.w a0-a3,-(sp) $AF18:[]addq.l #$8,sp $AF1A:[]dbra d0,$af0c $AF1E:[]lea.l $af30(pc),sp ; < $AF22:[]move.w #$222,d0 $AF26:[]move.w #$3451,d1 $AF2A:[]eor.w d1,(sp)+ $AF2C:[]dbra d0,$af2a $AF30:[]lea.l $af42(pc),sp ; < $AF34:[]move.w #$219,d0 $AF38:[]move.w (sp),d1 $AF3A:[]not.w d1 $AF3C:[]move.w d1,(sp)+ $AF3E:[]dbra d0,$af38 $AF42:[]lea.l $af60(pc),sp ; < $AF46:[]move.w #$104,d0 $AF4A:[]movep.w $0(sp),d1 $AF4E:[]movep.w $1(sp),d2 $AF52:[]movep.w d1,$1(sp) $AF56:[]movep.w d2,$0(sp) $AF5A:[]addq.l #$4,sp $AF5C:[]dbra d0,$af4a $AF60:[]lea.l $af72(pc),sp ; < $AF64:[]move.w #$201,d0 $AF68:[]move.w #$5e4b,d1 $AF6C:[]sub.w d1,(sp)+ $AF6E:[]dbra d0,$af6c $AF72:[]lea.l $af84(pc),sp ; < $AF76:[]move.w #$1f8,d0 $AF7A:[]move.w (sp),d1 $AF7C:[]neg.w d1 $AF7E:[]move.w d1,(sp)+ $AF80:[]dbra d0,$af7A $AF84:[]lea.l $af96(pc),sp ; < $AF88:[]move.w #$1ef,d0 $AF8C:[]move.w #$a595,d1 $AF90:[]eor.w d1,(sp)+ $AF92:[]dbra d0,$af90 $AF96:[]lea.l $afb0(pc),sp ; < $AF9A:[]move.w #$77,d0 $AF9E:[]movem.w (sp)+,a0-a3 $AFA2:[]exg a3,a0 $AFA4:[]exg a2,a1 $AFA6:[]movem.w a0-a3,-(sp) $AFAA:[]addq.l #$8,sp 
$AFAC:[]dbra d0,$af9e $AFB0:[]eori.w #$2000,sr ------------------------------------------------------------------------------ main FDC - read sectors and compare counters + magic key ------------------------------------------------------------------------------ $AFB4:[]movea.l $4C6,a0 ; _dskbufp sector buffer $AFBA:[]moveq.l #$0,d0 $AFBC:[]moveq.l #$0,d1 $AFBE:[]moveq.l #$1,d2 $AFC0:[]bsr.w $b002 ; read sector and count $AFC4:[]beq.s $afba $AFC6:[]move.l d0,-(sp) ; save first sector counter $AFC8:[]moveq.l #$0,d0 $AFCA:[]moveq.l #$6,d2 $AFCC:[]bsr.w $b002 ; read sector and count $AFD0:[]beq.s $afc8 $AFD2:[]move.l (sp)+,d1 ; restore first sector counter $AFD4:[]sub.l d1,d0 $AFD6:[]bmi.s $affc ; skip on error $AFD8:[]mulu.w #$64,d0 $AFDC:[]divu.w d1,d0 $AFDE:[]cmp.b #3,d0 $AFE2:[]blt.s $affc ; skip on error $AFE4:[]moveq.l #$5,d1 $AFE6:[]moveq.l #$0,d0 $AFE8:[]add.l (a0)+,d0 $AFEA:[]rol.l #$1,d0 $AFEC:[]dbra d1,$afe8 $AFF0:[]lea.l $a8de(pc),a0 $AFF4:[]move.l d0,$1c(a0) ; magic key $AFF8:[]bra.w $b1f6 $AFFC:[]moveq.l #$0,d0 $AFFE:[]bra.w $b1f6 ------------------------------------------------------------------------------ FDC loop ------------------------------------------------------------------------------ $B002:[]movem.l d1-d7/a0-a1,-(sp) $B006:[]move.l d0,d5 $B008:[]move.l d1,d6 $B00A:[]move.l d2,d7 $B00C:[]st $43E ; flock $B012:[]bsr.w $b108 ; Drive select and load DMA address $B016:[]bpl.s $b020 $B018:[]bsr.w $b0e6 $B01C:[]tst.l d6 $B01E:[]beq.s $b026 $B020:[]bsr.w $b0ba $B024:[]bne.s $b018 $B026:[]bsr.w $b042 ; DMA sector read $B02A:[]bsr.w $b152 ; FDC end $B02E:[]clr.w $43E ; flock $B034:[]tst.w d0 $B036:[]beq.s $b03a $B038:[]moveq.l #$0,d1 $B03A:[]move.l d1,d0 $B03C:[]movem.l (sp)+,d1-d7/a0-a1 $B040:[]rts ------------------------------------------------------------------------------ DMA sector read ------------------------------------------------------------------------------ $B042:[]move.w #$84,$ff8606 $B04A:[]move.w d7,$ff8604 $B050:[]move.w #$90,$ff8606 
$B058:[]move.w #$190,$ff8606 $B060:[]move.w #$90,$ff8606 $B068:[]move.w #$16,$ff8604 $B070:[]move.w #$80,$ff8606 $B078:[]lea $ff860b,a1 $B07E:[]moveq #$0,d1 $B080:[]move.l a0,d2 $B082:[]illegal ; Trace OFF $B084:[]move.w #$80,$ff8604 ; read sector $B08C:[]movep.w $0(a1),d0 $B090:[]cmp.w d0,d2 $B092:[]beq.s $b08c $B094:[]addi.l #$200,d2 $B09A:[]addq.l #$1,d1 $B09C:[]movep.w $0(a1),d0 $B0A0:[]cmp.w d0,d2 $B0A2:[]bne.s $b09a $B0A4:[]btst #$5,$fffa01 ; ready? $B0AC:[]bne.s $b0a4 $B0AE:[]illegal ; Trace ON $B0B0:[]bsr.w $b1da ; get FDC status $B0B4:[]andi.w #$10,d0 $B0B8:[]rts ------------------------------------------------------------------------------ FDC seek/restore ------------------------------------------------------------------------------ $B0BA:[]tst.l d6 $B0BC:[]beq.s $b0e6 $B0BE:[]move.w #$86,$ff8606 $B0C6:[]move.w d6,$ff8604 $B0CC:[]move.w #$14,d4 ; seek $B0D0:[]bsr.w $b18c ; FDC command $B0D4:[]bne.s $b0e4 $B0D6:[]move.l d5,d0 $B0D8:[]lsl.l #$2,d0 $B0DA:[]lea $a8fe,a1 $B0DE:[]move.l d6,$0(a1,d0.l) $B0E2:[]moveq.l #$0,d0 $B0E4:[]rts ------------------------------------------------------------------------------ $B0E6:[]moveq.l #$0,d4 ; restore $B0E8:[]bsr.w $b18c ; FDC command $B0EC:[]bmi.s $b104 ; skip $B0EE:[]btst #$2,d0 $B0F2:[]beq.s $b104 ; skip $B0F4:[]move.l d5,d0 $B0F6:[]lsl.l #$2,d0 $B0F8:[]lea $a8fe,a1 $B0FC:[]clr.l $0(a1,d0.l) $B100:[]moveq.l #$0,d0 $B102:[]rts $B104:[]moveq.l #$ffffffff,d0 $B106:[]rts ------------------------------------------------------------------------------ Drive select and load DMA address ------------------------------------------------------------------------------ $B108:[]move.l d5,d0 $B10A:[]addq.b #$1,d0 $B10C:[]lsl.b #$1,d0 $B10E:[]ori.w #$0,d0 $B112:[]eori.b #$7,d0 $B116:[]andi.b #$7,d0 $B11A:[]bsr.w $b16c ; Drive select $B11E:[]move.l a0,d0 $B120:[]move.b d0,$ff860d ; DMA low $B126:[]lsr.l #$8,d0 $B128:[]move.b d0,$ff860b ; DMA mid $B12E:[]lsr.l #$8,d0 $B130:[]move.b d0,$ff8609 ; DMA high $B136:[]move.l d5,d0 
$B138:[]lsl.l #$2,d0 $B13A:[]move.w #$82,$ff8606 $B142:[]lea.l $a8fe(pc),a1 $B146:[]move.l $0(a1,d0.l),d0 $B14A:[]move.w d0,$ff8604 $B150:[]rts ------------------------------------------------------------------------------ FDC end ------------------------------------------------------------------------------ $B152:[]movem.l d0-d1,-(sp) $B156:[]move.w #$3a98,d0 $B15A:[]bsr.w $b1f0 ; wait d0 $B15E:[]move.b #$7,d0 $B162:[]bsr.w $b16c ; Drive deselect $B166:[]movem.l (sp)+,d0-d1 $B16A:[]rts ------------------------------------------------------------------------------ Drive select/deselect ------------------------------------------------------------------------------ $B16C:[]illegal ; Trace OFF $B16E:[]move.b #$e,$ff8800 $B176:[]move.b $ff8800,d1 $B17C:[]andi.b #$f8,d1 $B180:[]or.b d0,d1 $B182:[]move.b d1,$ff8802 $B188:[]illegal ; Trace ON $B18A:[]rts ------------------------------------------------------------------------------ FDC command in d4 ------------------------------------------------------------------------------ $B18C:[]move.w $440,d0 ; seekrate $B192:[]andi.w #$3,d0 $B196:[]or.b d0,d4 $B198:[]move.w #$80,$ff8606 $B1A0:[]move.w d4,$ff8604 $B1A6:[]move.l #$60000,d0 $B1AC:[]btst #$5,$fffa01 ; ready? 
$B1B4:[]beq.s $b1da $B1B6:[]subq.l #$1,d0 $B1B8:[]bne.s $b1ac $B1BA:[]bsr.w $b1c2 $B1BE:[]moveq.l #$ffffffff,d0 $B1C0:[]rts ------------------------------------------------------------------------------ FDC Force Interrupt ------------------------------------------------------------------------------ $B1C2:[]move.w #$80,$ff8606 $B1CA:[]move.w #$d0,$ff8604 $B1D2:[]move.w #$f,d0 $B1D6:[]bsr.w $b1f0 $B1DA:[]move.w #$80,$ff8606 $B1E2:[]moveq.l #$0,d0 $B1E4:[]move.w $ff8604,d0 $B1EA:[]andi.w #$1f,d0 $B1EE:[]rts ------------------------------------------------------------------------------ wait d0 ------------------------------------------------------------------------------ $B1F0:[]dbra d0,$b1f0 $B1F4:[]rts ------------------------------------------------------------------------------ $B1F6:[]add.l d0,d4 $B1F8:[]bra.w $7391 ; address error! > b22a ------------------------------------------------------------------------------ $B1FC: 00 00 00 00 .... $B200: 00 00 00 D8 .... . $B204: 00 00 00 00 .... 
------------------------------------------------------------------------------ $B208:[]ori.w #$700,sr $B20C:[]move.b #$e,$ff8800 $B214:[]move.b $ff8800,d1 $B21A:[]andi.b #$f8,d1 $B21E:[]or.b d0,d1 $B220:[]move.b d1,$ff8802 $B226:[]bra.w $aa30 ------------------------------------------------------------------------------ code decryption loop #5 > $b250- ------------------------------------------------------------------------------ $B22A:[]ori.b #$0,d0 $B22E:[]ori.b #$0,d0 $B232:[]ori.b #$0,d0 $B236:[]ori.b #$0,d0 $B23A:[]eori.w #$2000,sr $B23E:[]lea.l $b250(pc),sp ; < $B242:[]move.w #$18a,d0 $B246:[]move.w #$ab9e,d1 $B24A:[]sub.w d1,(sp)+ $B24C:[]dbra d0,$b24a $B250:[]lea.l $b262(pc),sp ; < $B254:[]move.w #$181,d0 $B258:[]move.w (sp),d1 $B25A:[]not.w d1 $B25C:[]move.w d1,(sp)+ $B25E:[]dbra d0,$b258 $B262:[]lea.l $b274(pc),sp ; < $B266:[]move.w #$178,d0 $B26A:[]move.w #$4448,d1 $B26E:[]add.w d1,(sp)+ $B270:[]dbra d0,$b26e $B274:[]lea.l $b286(pc),sp ; < $B278:[]move.w #$16f,d0 $B27C:[]move.w (sp),d1 $B27E:[]not.w d1 $B280:[]move.w d1,(sp)+ $B282:[]dbra d0,$b27c $B286:[]lea.l $b298(pc),sp ; < $B28A:[]move.w #$166,d0 $B28E:[]move.w #$1fe1,d1 $B292:[]add.w d1,(sp)+ $B294:[]dbra d0,$b292 $B298:[]lea.l $b2aa(pc),sp ; < $B29C:[]move.w #$15d,d0 $B2A0:[]move.w (sp),d1 $B2A2:[]not.w d1 $B2A4:[]move.w d1,(sp)+ $B2A6:[]dbra d0,$b2a0 $B2AA:[]lea.l $b2bc(pc),sp ; < $B2AE:[]move.w #$154,d0 $B2B2:[]move.w #$7980,d1 $B2B6:[]eor.w d1,(sp)+ $B2B8:[]dbra d0,$b2b6 $B2BC:[]lea.l $b2da(pc),sp ; < $B2C0:[]move.w #$a2,d0 $B2C4:[]movep.w $0(sp),d1 $B2C8:[]movep.w $1(sp),d2 $B2CC:[]movep.w d1,$1(sp) $B2D0:[]movep.w d2,$0(sp) $B2D4:[]addq.l #$4,sp $B2D6:[]dbra d0,$b2c4 $B2DA:[]lea.l $b2f4(pc),sp ; < $B2DE:[]move.w #$4d,d0 $B2E2:[]movem.w (sp)+,a0-a3 $B2E6:[]exg a3,a0 $B2E8:[]exg a2,a1 $B2EA:[]movem.w a0-a3,-(sp) $B2EE:[]addq.l #$8,sp $B2F0:[]dbra d0,$b2e2 $B2F4:[]lea.l $b306(pc),sp ; < $B2F8:[]move.w #$12f,d0 $B2FC:[]move.w #$d85e,d1 $B300:[]eor.w d1,(sp)+ $B302:[]dbra d0,b300 $B306:[]lea.l 
$b22a(pc),sp ; < d7 $B30A:[]move.w #$CE,d0 $B30E:[]add.l (sp)+,d7 $B310:[]dbra d0,$b30e $B314:[]lea.l $b326(pc),sp ; < $B318:[]move.w #$11f,d0 $B31C:[]move.w (sp),d1 $B31E:[]not.w d1 $B320:[]move.w d1,(sp)+ $B322:[]dbra d0,$b31c $B326:[]eori.w #$2000,sr ------------------------------------------------------------------------------ code decryption with magic d4=CF0C3947 d5=854BBDA2 d6=00000000 d7=2FCA6534 ------------------------------------------------------------------------------ $B32A:[]add.l d4,d5 $B32C:[]add.l d5,d6 $B32E:[]add.l d6,d7 $B330:[]move.l d7,$7C ; store new magic 84225c1d $B336:[]lea $a916,a0 $B33A:[]move.w #$639,d0 $B33E:[]add.w (a0)+,d7 ; 8422eebf $B340:[]dbra d0,$b33e $B344:[]move.b d6,d5 $B346:[]addi.b #$16,d6 $B34A:[]lea.l $b58a(pc),a0 $B34E:[]move.l $b200(d0),d0 $B352:[]lsr.l #$2,d0 $B354:[]illegal ; Trace OFF $B356:[]lsl.l #$1,d7 $B358:[]btst d5,d7 $B35A:[]beq.s $b362 $B35C:[]btst d6,d7 $B35E:[]beq.s $b366 $B360:[]bra.s $b368 $B362:[]btst d6,d7 $B364:[]beq.s $b368 $B366:[]addq.l #$1,d7 $B368:[]add.l d7,(a0) $B36A:[]add.l (a0)+,d7 $B36C:[]subq.l #$1,d0 $B36E:[]bne.s $b356 $B370:[]illegal ; Trace ON $B372:[]bra.w $b37a ------------------------------------------------------------------------------ $B376: 00 00 00 00 .... ------------------------------------------------------------------------------ $B37A:[]lea.l $b58a(pc),a0 $B37E:[]cmpi.w #$601a,(a0) $B382:[]bne.s $b3c2 $B384:[]tst.w $1a(a0) $B388:[]bne.s $b3c2 $B38A:[]lea $1c(a0),a1 $B38E:[]movea.l a1,a2 $B390:[]adda.l $2(a0),a2 $B394:[]adda.l $6(a0),a2 $B398:[]adda.l $e(a0),a2 $B39C:[]pea $a892 $B3A0:[]move.l (sp)+,d2 $B3A2:[]move.l (a2)+,d0 $B3A4:[]beq.s $b3c2 $B3A6:[]moveq.l #$0,d1 $B3A8:[]add.l d2,$0(a1,d0.l) $B3AC:[]move.b (a2)+,d1 $B3AE:[]tst.b d1 $B3B0:[]beq.s $b3c2 $B3B2:[]add.l d1,d0 $B3B4:[]cmp.b #$1,d1 $B3B8:[]bne.s $b3a8 $B3BA:[]addi.l #$fd,d0 $B3C0:[]bra.s $b3ac $B3C2:[]bra.w $82E1 ; address error! 
> b3ce ------------------------------------------------------------------------------ $B3C6: 00 00 00 00 00 00 00 00 ........ ------------------------------------------------------------------------------ code decryption loop #6 > $b3f8- ------------------------------------------------------------------------------ $B3CE:[]ori.b #$0,d0 $B3D2:[]ori.b #$0,d0 $B3D6:[]ori.b #$0,d0 $B3DA:[]eori.w #$2000,sr $B3DE:[]lea.l $b3f8(pc),sp ; < $B3E2:[]move.w #$31,d0 $B3E6:[]movem.w (sp)+,a0-a3 $B3EA:[]exg a3,a0 $B3EC:[]exg a2,a1 $B3EE:[]movem.w a0-a3,-(sp) $B3F2:[]addq.l #$8,sp $B3F4:[]dbra d0,$b3e6 $B3F8:[]lea.l $b40a(pc),sp ; < $B3FC:[]move.w #$bf,d0 $B400:[]move.w #$1947,d1 $B404:[]add.w d1,(sp)+ $B406:[]dbra d0,$b404 $B40A:[]lea.l $b41c(pc),sp ; < $B40E:[]move.w #$b6,d0 $B412:[]move.w #$1e4a,d1 $B416:[]eor.w d1,(sp)+ $B418:[]dbra d0,$b416 $B41C:[]lea.l $b42e(pc),sp ; < $B420:[]move.w #$ad,d0 $B424:[]move.w #$ef6e,d1 $B428:[]sub.w d1,(sp)+ $B42A:[]dbra d0,$b428 $B42E:[]lea.l $b3ce(pc),sp ; < d5 $B432:[]move.w #$6e,d0 $B436:[]add.l (sp)+,d5 $B438:[]dbra d0,$b436 $B43C:[]lea.l $b44e(pc),sp ; < $B440:[]move.w #$9d,d0 $B444:[]move.w #$5aae,d1 $B448:[]add.w d1,(sp)+ $B44A:[]dbra d0,$b448 $B44E:[]lea.l $b46c(pc),sp ; < $B452:[]move.w #$46,d0 $B456:[]movep.w $0(sp),d1 $B45A:[]movep.w $1(sp),d2 $B45E:[]movep.w d1,$1(sp) $B462:[]movep.w d2,$0(sp) $B466:[]addq.l #$4,sp $B468:[]dbra d0,$b456 $B46C:[]lea.l $b47e(pc),sp ; < $B470:[]move.w #$85,d0 $B474:[]move.w (sp),d1 $B476:[]rol.w #$5,d1 $B478:[]move.w d1,(sp)+ $B47A:[]dbra d0,$b474 $B47E:[]lea.l $b3ce(pc),sp ; < d4 $B482:[]move.w #$6E,d0 $B486:[]add.l (sp)+,d4 $B488:[]dbra d0,$b486 $B48C:[]lea.l $b49e(pc),sp ; < $B490:[]move.w #$75,d0 $B494:[]move.w (sp),d1 $B496:[]not.w d1 $B498:[]move.w d1,(sp)+ $B49A:[]dbra d0,$b494 $B49E:[]lea.l $b4b8(pc),sp ; < $B4A2:[]move.w #$19,d0 $B4A6:[]movem.w (sp)+,a0-a3 $B4AA:[]exg a3,a0 $B4AC:[]exg a2,a1 $B4AE:[]movem.w a0-a3,-(sp) $B4B2:[]addq.l #$8,sp $B4B4:[]dbra d0,$b4a6 $B4B8:[]lea.l $b4ca(pc),sp ; 
< $B4BC:[]move.w #$5f,d0 $B4C0:[]move.w #$b1ee,d1 $B4C4:[]sub.w d1,(sp)+ $B4C6:[]dbra d0,$b4c4 $B4CA:[]eori.w #$2000,sr ------------------------------------------------------------------------------ $B4CE:[]lea.l $a892(pc),a0 $B4D2:[]move.l a0,$2(sp) $B4D6:[]movem.l $a896(pc),d0-d7/a0-a6 $B4DC:[]movem.l d0-d7/a0-a6,-(sp) $B4E0:[]movea.l $a8da(pc),a0 $B4E4:[]move.l a0,usp $B4E6:[]lea.l $b568(pc),a0 $B4EA:[]lea.l $3de,a2 $B4F0:[]move.w #$10,d0 $B4F4:[]move.w (a0)+,(a2)+ ; copy for exit $B4F6:[]dbra d0,$b4f4 $B4FA:[]lea.l $b58a(pc),a0 $B4FE:[]lea.l $a892,a1 $B502:[]movea.l a1,a2 $B504:[]adda.l $b200(pc),a2 $B508:[]suba.l a3,a3 $B50A:[]cmpi.w #$601a,(a0) $B50E:[]bne.s $b54e $B510:[]movea.l $a8d6(pc),a3 $B514:[]move.l $8(a3),d0 $B518:[]lea.l $b58a(pc),a1 $B51C:[]move.l $2(a1),$c(a3) $B522:[]add.l $c(a3),d0 $B526:[]move.l d0,$10(a3) $B52A:[]move.l $6(a1),$14(a3) $B530:[]add.l $14(a3),d0 $B534:[]move.l d0,$18(a3) $B538:[]move.l $a(a1),$1c(a3) $B53E:[]lea.l $b5a6(pc),a0 $B542:[]movea.l $8(a3),a1 $B546:[]movea.l $18(a3),a2 $B54A:[]movea.l $1c(a3),a3 $B54E:[]movem.l $a8de(pc),d0-d7 $B554:[]move.l $4,d0 $B55A:[]move.l d0,d1 $B55C:[]move.l d1,d6 $B55E:[]pea $3de $B564:[]illegal ; Trace OFF $B566:[]rts ; return to $3de ------------------------------------------------------------------------------ exit - $3de ------------------------------------------------------------------------------ $B568:[]move.w (a0)+,(a1)+ ; copy memory $B56A:[]cmpa.l a2,a1 $B56C:[]blt.s $b568 $B56E:[]adda.l a3,a2 $B570:[]cmpa.l a0,a2 $B572:[]blt.s $b576 $B574:[]movea.l a2,a0 $B576:[]clr.w (a1)+ ; clear memory $B578:[]cmpa.l a0,a1 $B57A:[]blt.s $b576 $B57C:[]movem.l d0-d7,$8 $B584:[]movem.l (sp)+,d0-d7/a0-a6 $B588:[]rte ------------------------------------------------------------------------------