-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathgameloader.s
4143 lines (3412 loc) · 271 KB
/
gameloader.s
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
;------------------------------------------- BATMAN ---------------------------------------------------
; This is the main game loader for the Batman game. It is the first file loaded by the game
; bootloader.
;
; Build Relative (debugging/emulation)
; ------------------------------------
; It can be assembled and executed/debugged in an emulator up to a point.
; The code crashes when the disk is inserted and it starts to lead data over the executable in memory.
; This can be seen as the display becomes corrupted and then starts throwing exceptions.
; The code is not intended to be run as a relative program in memory.
;
; Build Absoute
; -------------
; - I have added a build task called 'build-absolute' which when used with the 'BUILD_ABSOLUTE_BIN'
; conditional assembly flag below will hopefully assemble a raw binary file (i.e. no hunks etc)
; this output should then be suitable to load directly to address 0x800 for execution.
; - The problrm is that the linker doesn't linke the output, the gameloader.o file produced looks
; like a raw file. I can't stop the linker running so we get a linker error when running this
; task currently.
; - I don't appear to be able to change the output filename either with the -o <filename> arg
; so the output file in the build directory is still called 'gameloader.o'
; - Very f@*king frustrating at the moment.
;------------------------------------------------------------------------------------------------------
;---------- Includes ----------
INCDIR "include"
INCLUDE "hw.i"
;---------- Const ----------
;Interrupt status flags for variable $0000209A.B
DSKBLK_FINISHED equ $0 ; set by level 1 interrupt handler but unused.
BLIT_FINISHED equ $1 ; set by level 3 interrupt handler but unused.
TIMERA_FINISHED equ $2 ; set by level 2 intergrupt hander.
DISK_INDEX1 equ $3 ; set by level 6 interrupt handler (disk write trigger - both must be set to 0 & CIAB FLG interrupt)
DISK_INDEX2 equ $4 ; set by level 6 interrupt handler (disk write trigger - both must be set to 0 & CIAB FLG interrupt)
section BATMAN,code_c
;opt o- ; no optimisations
BUILD_ABSOLUTE_BIN SET 1 ; Uncomment this to build absolute raw binary
IFD BUILD_ABSOLUTE_BIN
org $800 ; org code at address $00000800 - original start address
ENDC
;------------------------------------------ BATMAN entry point ----------------------------------------
;-- Main Game Loader, entry point from the 'RTS' in the bool block code.
;-- immediately calls the 'load_loading_screen' jump table entry.
;--
;-- $2AD6 - The disk file table, held on 3rd sector of track 0, loaded in to this address.
;-- - See documentation on the File Table structure:
;--
;-- $7C7FC - The top/end address of the load buffer,
;-- The loader loads files into memory in blocks below this address.
;-- e.g. the titlepic.iff raw file is loaded into $6FB06 and ends at $7C7FC - Length $CCF6
;-- the titleprg.iff raw file is loaded into $59766 and ends at $6FB05 - Length 163A0
;-- Once the files are loaded, the loader then processes the iff files and relocates
;-- them in memory etc.
;--
;--
;-- Things to note about the loader:-
;-- 1) Each set of load parameters (batch of files) can only load one IFF GFX file per batch.
;-- This is because the loader automatically copies the bitplane data to an area of memory
;-- between $00007700 and $13F00 (max 5 bitplanes, each bitplane size 10K each)
;-- 50K max GFX data loaded in from and image.iff file.
;--
;-- 2) Other files in the loader parameters have .iff extensions, they have block types of 'HUFF'
;-- This I assume is a compressed Huffman encoding. Not sure what application would have been
;-- used to create these files (maybe an internal tool?)
;--
;-- 3) There are a couple of unused, small blocks of memory.
;-- These are either genuinely unused, or maybe stores for global data
;-- used by the game to track state across levels or across multiple
;-- game plays.
;-- i.e. Lives, Energy, Level counts, High Scores etc.
;-- I've tagged these up with the following labels:
;-- - unused_globals_1
;-- - unused_globals_2
;-- - cp_mfm_buffer - Copy Protection Buffer, data is read in here which may be accessed by the game.
;--
;--
;--
batman_start ; original routine address $00000800
bra.b jump_table ; Calls $0000081C - jmp_load_screen (addr: $00000800)
; This will get overwritten by the stack during loading
unused_globals_1
dc.w $0000, $22BA, $0000, $0000 ; Unused memory, the stack will grown down over this.
dc.w $0000, $0000, $0000, $0000 ;
dc.w $0000, $0000, $0000, $0000 ;
dc.w $0000 ;
stack ; Top of Loader Stack, (re)set each time a game section is loaded. (addr:$0000081C)
jump_table ; Start of jump table for loading and executing the game sections. (original addr:$0000081C)
bra.w load_loading_screen ; Calls $00000838 - Load Loading Screen (instruction addr:$0000081C)
bra.w load_title_screen2 ; Calls $00000948 - Load Title Screen2 (instruction addr:$00000820)
bra.w load_level_1 ; Calls $000009C8 - Load Level 1 - Axis Chemicals (instruction addr:$00000824)
bra.w load_level_2 ; Calls $00000A78 - Load Level 2 - Bat Mobile (instruction addr:$00000828)
bra.w load_level_3 ; Calls $00000B28 - Load Level 3 - Bat Cave Puzzle (instruction addr:$0000082C)
bra.w load_level_4 ; Calls $00000B90 - Load Level 4 - Batwing Parade (instruction addr:$00000830)
bra.w load_level_5 ; Calls $00000C40 - Load Level 5 - Cathedral (instruction addr:$00000834)
;---------------------- load loading screen ------------------------
;-- load the batman loading.iff and display it for 5 seconds.
;-- then, jump to load the title screen.
even
load_loading_screen ; original routine address: $00000838
LEA.l stack,A7 ; stack address $0000081C
BSR.W init_system ; calls $00001F26 - init_system
BSR.W detect_available_drives ; calls $00001B4A - detect which disk drives are connected
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; maybe the address that the loading screen iff file is placed into, $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_loading_screen(PC),A0 ; addr $008C8 - address of the load parameter block (files to load for the loading screen section)
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
; clear out color palette
LEA.L CUSTOM,A6
LEA.L COLOR00(A6),A0
MOVE.L #$0000001F,D0 ; loop counter = 31 + 1
.clearloop CLR.W (A0)+ ; Clear Colour Pallete Registers (instruction addr $0000086C)
DBF.W D0,.clearloop
; display loading screen (5 seconds)
MOVE.W #$0000,BPL1MOD(A6) ; clear bit-plane modulos
MOVE.W #$0000,BPL2MOD(A6) ; clear bit-plane modulos
MOVE.W #$0038,DDFSTRT(A6) ; standard data fetch start for low-res 320 wide screen
MOVE.W #$00D0,DDFSTOP(A6) ; startard data fetch stop for low-res 320 wide screen
MOVE.W #$2C81,DIWSTRT(A6) ; standard window start position for 320x256 pal screen
MOVE.W #$2CC1,DIWSTOP(A6) ; standard window end position for 320x256 pal screen
MOVE.W #$5200,BPLCON0(A6) ; 5 bit-planes, COLOR_ON = 1
LEA.L copper_list(PC),A0 ; Get Copper List 1 address. addr: $00001490
MOVE.L A0,COP1LC(A6) ; Set Copper 1 Pointer
LEA.L copper_endwait(PC),A0 ; Get Copper List 2 address. addr: $00001538
MOVE.L A0,COP2LC(A6) ; Set copper 2 Pointer
MOVE.W A0,COPJMP2(A6) ; Strobe COPJMP2 to run empty list, will revert to copper 1 on next frame.
MOVE.W #$8180,DMACON(A6) ; Enable DMA - BPLEN, COPEN
; display loading screen for 5 seconds.
CLR.W ciab_tb_20ms_tick ; reset CIAB Timer B, ticker count
.timerwait CMP.W #$00FA,ciab_tb_20ms_tick ; wait for 250 x 20 ms = 5,000ms - $0000223A
BCS.B .timerwait
BRA.B load_title_screen1 ; addr: $0000090E
;------------ loading screen loading parameters -------------
lp_loading_screen ; original data address: $000008C8
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $0020
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $002E
.file1_reloc_addr dc.l $00000000 ; Loading.iff relocation address, original value = $00000000,
; GFX images are loaded into $00007700 by routine 'process_iff_body'
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file2_name_offset dc.w .filename2-.file2_name_offset ; byte offset to filename string, original value = $002B
.file2_reloc_addr dc.l $0007C7FC ; relocation address (bytes startaddress) $7C800
.file2_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file2_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 0"
.filename1 dc.b "LOADING IFF" ; real gfx iff file - reloc $7700 (bitplane addresses)
.filename2 dc.b "PANEL IFF" ; iff - huff encoded - reloc $7C7FC
;---------------------- load title screen 1 & 2------------------------
;-- called on first load, after the loading screen.
;-- 1) starts the title screen (without the end game joker laugh etc)
;-- 2) starts the title screen (with joket laugh)
load_title_screen1 ; original routine address: $0000090E
LEA.L stack,A7 ; stack address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_title_screen(PC),A0 ; get title screen load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $0001c000 ; title screen start (on load)
load_title_screen2 ; original routine address: $00000948
LEA.L stack,A7 ; Stack Address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_title_screen(PC),A0 ; get title screen load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $0001c004 ; title screen start (on end of a game)
;------------ title screen loading parameters -------------
lp_title_screen: ; title screen loader parameters. addr: $00000982
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $0020
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $002E
.file1_reloc_addr dc.l $00003FFC ; TITLEPRGIFF - relocation address, original value = $00003FFC ($00004000)
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file2_name_offset dc.w .filename2-.file2_name_offset ; byte offset to filename string, original value = $002B
.file2_reloc_addr dc.l $0003F236 ; TITLEPICIFF - relocation address, original value = $0003F236 ($0003F23A)
.file2_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file2_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 0" ; BATMAN MOVIE 0 - $42,$41,$54,$4D,$41,$4E,$20,$4D,$4F,$56,$49,$45,$20,$20,$20,$30
.filename1 dc.b "TITLEPRGIFF" ; TITLEPRGIFF - $54,$49,$54,$4C,$45,$50,$52$,47,$49,$46,$46
.filename2 dc.B "TITLEPICIFF" ; TITLEPICIFF - $54,$49,$54,$4C,$45,$50,$49,$43,$49,$46,$46
;---------------------- load level1 - axis chemicals ------------------------
load_level_1 ; original routine address: $000009C8
LEA.L stack,A7 ; stack address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_level_1(PC),A0 ; get level 1 load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable all interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $00003000 ; level 1 start
;------------ level 1 loading parameters -------------
lp_level_1 ; level 1 loader parameters. addr: $00000A00
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $003C
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $004A
.file1_reloc_addr dc.l $00002FFC ; CODE1 IFF - relocation address, original value = $00002FFC ($00003000)
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file2_name_offset dc.w .filename2-.file2_name_offset ; byte offset to filename string, original value = $0047
.file2_reloc_addr dc.l $00007FFC ; MAPGR IFF - relocation address, original value = $00007FFC, ($00008000)
.file2_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file2_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file3_name_offset dc.w .filename3-.file3_name_offset ; byte offset to filename string, original value = $0044
.file3_reloc_addr dc.l $00010FFC ; BATSPR1 IFF - relocation address, original value = $00010FFC, ($00011000)
.file3_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file3_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file4_name_offset dc.w .filename4-.file4_name_offset ; byte offset to filename string, original value = $0041
.file4_reloc_addr dc.l $00047FE4 ; CHEM IFF - relocation address, original value = $00047FE4, ($00047FE8)
.file4_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file4_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 0" ; BATMAN MOVIE 0 - $42,$41,$54,$4D,$41,$4E,$20,$4D,$4F,$56,$49,$45,$20,$20,$20,$30
.filename1 dc.b "CODE1 IFF" ; CODE1 IFF - $43,$4F,$44,$45,$31,$20,$20,$20,$49,$46,$46
.filename2 dc.b "MAPGR IFF" ; MAPGR IFF - $4D,$41,$50,$47,$52,$20,$20,$20,$49,$46,$46
.filename3 dc.b "BATSPR1 IFF" ; BATSPR1 IFF - $42,$41,$54,$53,$50,$52,$31,$20,$49,$46,$46
.filename4 dc.B "CHEM IFF" ; CHEM IFF - $43,$48,$45,$4D,$20,$20,$20,$20,$49,$46,$46 ;M IFF
;---------------------- load level 2 - bat mobile ------------------------
load_level_2 ; original routine address: $00000A78
LEA.L stack,A7 ; stack address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_level_2(PC),A0 ; get level 2 load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable all interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $00003000 ; level 2 start
;------------ level 2 loading parameters -------------
lp_level_2 ; level 2 loader parameters. addr: $00000AB0
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $003C
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $004A
.file1_reloc_addr dc.l $00002FFC ; CODE IFF - relocation address, original value = $00002FFC ($00003000)
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file2_name_offset dc.w .filename2-.file2_name_offset ; byte offset to filename string, original value = $0047
.file2_reloc_addr dc.l $0001FFFC ; DATA IFF - relocation address, original value = $0001FFFC, ($00020000)
.file2_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file2_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file3_name_offset dc.w .filename3-.file3_name_offset ; byte offset to filename string, original value = $0044
.file3_reloc_addr dc.l $0002A416 ; DATA2 IFF - relocation address, original value = $0002A416, ($0002A41A)
.file3_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file3_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file4_name_offset dc.w .filename4-.file4_name_offset ; byte offset to filename string, original value = $0041
.file4_reloc_addr dc.l $00068F7C ; MUSIC IFF - relocation address, original value = $00068F7C, ($00068F80)
.file4_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file4_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 1" ; BATMAN MOVIE 1 - $42,$41,$54,$4D,$41,$4E,$20,$4D,$4F,$56,$49,$45,$20,$20,$20,$31
.filename1 dc.b "CODE IFF" ; CODE IFF - $43,$4F,$44,$45,$20,$20,$20,$20,$49,$46,$46
.filename2 dc.b "DATA IFF" ; DATA IFF - $44,$41,$54,$41,$20,$20,$20,$20,$49,$46,$46
.filename3 dc.b "DATA2 IFF" ; DATA2 IFF - $44,$41,$54,$41,$32,$20,$20,$20,$49,$46,$46
.filename4 dc.B "MUSIC IFF" ; MUSIC IFF - $4D,$55,$53,$49,$43,$20,$20,$20,$49,$46,$46
;---------------------- load level 3 - bat cave puzzle ------------------------
load_level_3 ; original routine address: $00000B28
LEA.L stack,A7 ; stack address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_level_3(PC),A0 ; get level 3 load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable all interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $0000d000 ; level 3 start
;------------ level 3 loading parameters -------------
lp_level_3 ; level 3 loader parameters. addr: $00000B62
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $0012
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $0020
.file1_reloc_addr dc.l $00003FFC ; CODE IFF - relocation address, original value = $00003FFC ($00004000)
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 1" ; BATMAN MOVIE 1 - $42,$41,$54,$4D,$41,$4E,$20,$4D,$4F,$56,$49,$45,$20,$20,$20,$31
.filename1 dc.b "BATCAVE IFF" ; BATCAVE IFF - $20,$31,$42,$41,$54,$43,$41,$56,$45,$20,$49,$46,$46,$00
dc.b 0 ; pad byte
;---------------------- load level 4 - batwing parade ------------------------
load_level_4 ; original routine address: $00000B90
LEA.L stack,A7 ; stack address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_level_4(PC),A0 ; get level 4 load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable all interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $00003002 ; level 4 start
;------------ level 4 loading parameters -------------
lp_level_4 ; level 4 loader parameters. addr: $00000BC8
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $003C
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $004A
.file1_reloc_addr dc.l $00002FFC ; CODE IFF - relocation address, original value = $00002FFC ($00003000)
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file2_name_offset dc.w .filename2-.file2_name_offset ; byte offset to filename string, original value = $0047
.file2_reloc_addr dc.l $0001FFFC ; DATA IFF - relocation address, original value = $0001FFFC, ($00020000)
.file2_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file2_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file3_name_offset dc.w .filename3-.file3_name_offset ; byte offset to filename string, original value = $0044
.file3_reloc_addr dc.l $0002A416 ; DATA4 IFF - relocation address, original value = $0002A416, ($0002A41A)
.file3_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file3_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file4_name_offset dc.w .filename4-.file4_name_offset ; byte offset to filename string, original value = $0041
.file4_reloc_addr dc.l $00068F7C ; MUSIC IFF - relocation address, original value = $00068F7C, ($00068F80)
.file4_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file4_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 1" ; BATMAN MOVIE 1 - $42,$41,$54,$4D,$41,$4E,$20,$4D,$4F,$56,$49,$45,$20,$20,$20,$31
.filename1 dc.b "CODE IFF" ; CODE IFF - $43,$4F,$44,$45,$20,$20,$20,$20,$49,$46,$46
.filename2 dc.b "DATA IFF" ; DATA IFF - $44,$41,$54,$41,$20,$20,$20,$20,$49,$46,$46
.filename3 dc.b "DATA4 IFF" ; DATA4 IFF - $44,$41,$54,$41,$34,$20,$20,$20,$49,$46,$46
.filename4 dc.b "MUSIC IFF" ; MUSIC IFF - $4D,$55,$53,$49,$43,$20,$20,$20,$49,$46,$46
;---------------------- load level 5 - cathedral ------------------------
load_level_5 ; original routine address: $00000C40
LEA.L stack,A7 ; stack address $0000081C
BSR.W init_system ; L00001F26
MOVE.L #$0007C7FC,ld_loadbuffer_top ; store loader parameter: addr $7C7FC - the Top of the Load Buffer
MOVE.L #$00002AD6,ld_relocate_addr ; $00000CF0 (** SET BUT UNUSED **) ; addr $02AD6 - address of disk file table
LEA.L lp_level_5(PC),A0 ; level 5 load parameters address
BSR.W loader ; calls $00000CFC - Load/Process files & Copy Protection
MOVE.W #$7fff,INTENA(A6) ; disable all interrupts
MOVE.W #$1fff,DMACON(A6) ; disable all dma
MOVE.W #$2000,SR ; set supervisor mode bit
JMP $00003000 ; level 5 start
;------------ level 5 loading parameters -------------
lp_level_5 ; level 5 loader parameters. addr: $00000C78
.diskname_offset dc.w .diskname-.diskname_offset ; byte offset to diskname string, original value = $003C
.file1_name_offset dc.w .filename1-.file1_name_offset ; byte offset to filename string, original value = $004A
.file1_reloc_addr dc.l $00002FFC ; CODE5 IFF - relocation address, original value = $00002FFC ($00003000)
.file1_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file1_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file2_name_offset dc.w .filename2-.file2_name_offset ; byte offset to filename string, original value = $0047
.file2_reloc_addr dc.l $00007FFC ; MAPGR2 IFF - relocation address, original value = $00007FFC, ($00008000)
.file2_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file2_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file3_name_offset dc.w .filename3-.file3_name_offset ; byte offset to filename string, original value = $0044
.file3_reloc_addr dc.l $00010FFC ; BATSPR1 IFF - relocation address, original value = $00010FFC, ($00011000)
.file3_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file3_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
.file4_name_offset dc.w .filename4-.file4_name_offset ; byte offset to filename string, original value = $0041
.file4_reloc_addr dc.l $00047FE4 ; CHURCH IFF - relocation address, original value = $00047FE4, ($00047FE8)
.file4_byte_length dc.l $00000000 ; file length in bytes, populated by the loader
.file4_loadbuf_addr dc.l $00000000 ; file load buffer start address, populated by the loader (before file depack/relocation)
dc.w $0000 ; end of files marker.
.diskname dc.b "BATMAN MOVIE 0" ; BATMAN MOVIE 0 - $42,$41,$54,$4D,$41,$4E,$20,$4D,$4F,$56,$49,$45,$20,$20,$20,$30
.filename1 dc.b "CODE5 IFF" ; CODE5 IFF - $43,$4F,$44,$45,$35,$20,$20,$20,$49,$46,$46
.filename2 dc.b "MAPGR2 IFF" ; MAPGR2 IFF - $4D,$41,$50,$47,$52,$32,$20,$20,$49,$46,$46
.filename3 dc.b "BATSPR1 IFF" ; BATSPR1 IFF - $42,$41,$54,$53,$50,$52,$31,$20,$49,$46,$46
.filename4 dc.b "CHURCH IFF" ; CHURCH IFF - $43,$48,$55,$52,$43,$48,$20,$20,$49,$46,$46
;----------------------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------------------
; GAME LOADER & FILE PROCESSOR/RELOCATOR
;----------------------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------------------
;------------------------------ loader data/parameters ------------------------------
;-- loader parameters and data store
;-- starts at relocated address $00000CF0
;-- $CF0 - File Relocation Address
;-- $CF4 - Top/End of Loaded Files Buffer
;-- files are loaded below this address, kinda like a file stack
;-- when all files are loaded they are then processed and relocated
;-- also by the loader.
;-- $CF8 - Holds the File Table Memory Address Pointer (set in loader)
ld_relocate_addr ; addr $00000CF0 - file relocation address (misused by code external to the loader)
dc.l $00000000
ld_loadbuffer_top ; addr $00000CF4
dc.l $00000000 ; ptr to load buffer end/top of memory (file are loaded below this address sequentially)
ld_filetable ; addr $00000CF8
dc.l $00000000 ; ptr to disk file table addess (disk directory, file names, length & start sectors)
;---------------------------------- loader ---------------------------------------
;-- the main call made to load a game section into memory.
;-- loads and decodes files into memory buffer, then processes the files and
;-- relocates them, finally hands off to the copy protection.
;-- the copy protection man-handles the stack to return to the called of loader()
;--
; IN: A0 - load parameter block base address.
; IN: 00000CF4.l - Top/end of Load buffer in memory ($7C7FC)
; IN: 00000CF0.l - (** SET BUT UNUSED **) Disk File Table Contents ($2AD6) for all loading sections.
;
loader ; original routine addr $00000CFC
MOVEM.L D0-D7/A0-A6,-(A7)
CLR.W ld_load_status ; $00001B08 ; clear 'load status' word
MOVE.L #$00002AD6,ld_filetable ; store file table address
MOVE.L #$00002CD6,ld_decoded_track_ptr ; decoded track buffer address
MOVE.L #$000042D6,ld_mfmencoded_track_ptr ; mfm encoded track buffer address
TST.W (A0) ; test first load parameter value
BEQ.W .end_load_files ; end load if = 0 - just check copy protection? ; jmp $00000D6E
.check_disk
MOVEA.L A0,A1 ; copy file parameter block base address
ADDA.W (A1)+,A0 ; A0 = ptr to disk name string e.g. "BATMAN MOVIE 0"
MOVE.L A1,-(A7) ; A1 = ptr to first filename structure.
BSR.W load_filetable ; $000015DE ; Load File Table $2AD6 & Check Disk Name
BEQ.B .correct_disk ; $00000D38 ; Z = 1 - correct disk in the drive
BSR.W wait_for_correct_disk ; - else wait for correct disk to be inserted, $000013B2
.correct_disk
MOVEA.L (A7),A0 ; A0 = ptr to first filename structure. (CCR not affected)
LEA.L $0007c7fc,A6 ; Top/End of loaded files buffer
CLR.W ld_load_status ; $00001B08 ; clear 'load status' word
BSR.W load_file_entries ; call $00001652 - load files (A0 = first file entry)
MOVEA.L (A7)+,A0 ; A0 = ptr to first filename structure. (CCR not affected)
BNE.B .end_load_files ; Z=0 - error, jmp $00000D6E
.process_files_loop
TST.W (A0) ; A0 = ptr to 1st file entry loaded. Test for file to process
BEQ.B .end_load_files ; Test First File Entry data value, if null jmp $00000D6E
MOVE.L A0,-(A7)
MOVE.L $0002(A0),ld_relocate_addr ; $00000CF0 = ld_relocate_addr, file relocation address (from file entry table)
MOVE.L $0006(A0),D0 ; D0 = File Length
MOVEA.L $000a(A0),A0 ; A0 = File Address
BSR.W process_file ; call $000016E0
MOVEA.L (A7)+,A0
LEA.L $000e(A0),A0
BRA.B .process_files_loop ; jmp $00000D4E ; process next file
.end_load_files ; original address: $00000D6E
MOVE.W ld_drive_number,D0 ; $00001AFC
BSR.W drive_motor_off ; calls $00001B7A
LEA.L $00bfd100,A0 ; CIAB PRB - as a base register
.vbwait1 ; Vertical Blank Wait 1
CLR.W frame_counter ; Clear frame counter
.wait_frame1
TST.W frame_counter ; Compare Frame Counter with 0
BEQ.B .wait_frame1 ; loop until next VERTB interrupt
MOVE.B #$00,$0900(A0) ; CIAB - Clear TODHI
MOVE.B #$00,$0800(A0) ; CIAB - Clear TODMID
MOVE.B #$00,$0700(A0) ; CIAB - Clear TODLOW
.vbwait2 ; Vertical Blank Wait 2
CLR.W frame_counter ; $00002144
.wait_frame2
TST.W frame_counter
BEQ.B .wait_frame2 ; loop until next VERTB interrupt
MOVE.L #$00000000,D0 ; CIAB - Read TOD value
MOVE.B $0900(A0),D0 ; CIAB - Read TODHI
ASL.L #$00000008,D0 ; CIAB - shift bits
MOVE.B $0800(A0),D0 ; CIAB - Read TODMID
ASL.L #$00000008,D0 ; CIAB - shift bits
MOVE.B $0700(A0),D0 ; CIAB - Read TODLOW
CMP.L #$00000115,D0 ; Compare value in TOD with #$115 (277 scan lines, TOD tick is synced to Horizontal Sync)
.infinite_loop
BCS.B .infinite_loop ; A check for execution speed between .vbwait1 & .vbwait2
; or the number of scan lines (maybe fail for NTSC?)
; infinite loop if D0 < 277
; - PAL 312.5 scanlines
; - NTSC 262.5 scan lines
BRA.W copy_protection_init1 ; instruction addr: $00000DC6 - jump to copy protection $00000E82
; NB - Copy Protectionn modifies the stack to return
; to where 'loader' was called from.
;----------------------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------------------
; COPY PROTECTION (Rob Northen)
;----------------------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------------------
;------------- copy protection - mfm and decode buffer ---------------
;-- data is read in from the protected track 'manually' and stored
;-- here mfm encoded. It is later decoded in place (half size)
cp_mfm_buffer ; original address $00000DCA
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;......
dc.W $0000, $0000, $0000
;------------ copy protection variables/data ------------------------
;-- various data registers and storage value start at $E10
cp_register_store ; original address $00000E10
dc.w $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
dc.W $0000, $0000, $0000, $0000, $0000, $0000, $0000, $0000 ;................
;------------ saved exception vector values --------------------------
cp_exception_vectors_store ; original address $00000E50
dc.l $00000000
dc.l $00000000
dc.l $00000000
dc.l $00000000
dc.l $00000000
dc.l $00000000
dc.l $00000000
cp_checksum_vector
dc.l $00000000 ; original address $00000E6C
;------------ current drive track numbers ---------------------------
; copy protection appears to support either drive 0 or drive 1
; any more drives may cause bug with indexing into other values.
cp_current_track ; original address $00000E70
dc.w $FFFF ; current track drive 0
dc.w $FFFF ; current track drive 1
;------------ current disk drive in use -----------------------------
; 0 or 1 used as an index to cp_current_track
cp_current_drive ; original address $00000E74
dc.w $0000
;------------ copy lock track number --------------------------------
; the track number holding the protected copylock track data
cp_protection_track ; original address $00000E76
dc.w $0001
;------------ saved track number ------------------------------------
; the track that the disk drive was at before the copylock started
; used to return the heads back to where they started after copy
; check.
cp_saved_track_number ; original address $00000E78
dc.W $0000
;------------ decoded/encoded instruction buffer --------------------
; normally used by the trace vector decoder to store the encoded
; versions of the currently executing instruction, so they
; can be replaced quickly without requiring re-encoding
cp_decode_instructions ; original address $00000E7A
dc.W $0000, $0000, $0000, $0000
;----------------- initialise copy protection ------------------------
; 1) Saves a copy of all registers in 'cp_register_store'
; 2) Enters 68000 'supervisor' mode by generating an ILLEGAL exception
; 3) Saves exception vectors into cp_exception_vectors memory store.
; 4) Insert TVD toggle on/off into ILLEGAL exception handler
; 5) Toggle on the TVD
copy_protection_init1 ; original routine address $00000E82
MOVE.L A6,-(A7) ; current value A6 stored on stack
LEA.L cp_register_store(PC),A6 ; A6 = register storage area, $00000E10
MOVEM.L D0-D7/A0-A7,(A6) ; save all register values to storage area
LEA.L $0040(A6),A6 ; A6 = cp_exception_vectors_store (64 bytes offset from cp_register_store)
MOVE.L (A7)+,-$0008(A6) ; save original A6 value from stack in cp_register_store
MOVE.L $00000010,D0 ; D0.l = ILLEGAL exception vector value
PEA.L cp_supervisor(PC) ; push address of cp_supervisor to stack
MOVE.L (A7)+,$00000010 ; set ILLEGAL exception vector with address of cp_supervisor from stack
ILLEGAL ; enter supervisor mode, continue execution at 'cp_supervisor'
; -- Enter supervisor mode
; This exception never returns to this point in the code.
; Later the stack is return address is modified to return to
; the routine at address $0000139C 'cp_end'
cp_supervisor
MOVE.L D0,$00000010 ; restore ILLEGAL exception vector to original value.
; -- Save exception vectors
MOVEM.L $00000008,D0-D7 ; copy 8 exception vectors $8 - $24 into registers D0-D7
MOVEM.L D0-D7,(A6) ; save exception vectors into cp_exception_vectors memory store
; -- Insert Trace Vector Decoder into ILLEGAL exception vector
LEA.L cp_toggle_tvd(PC),A0
MOVE.L A0,$00000010 ; Set ILLEGAL Exception vector to 'cp_toggle_tvd'
; -- Toggle On TVD (patched to flash screen as code is now decoded)
ILLEGAL ; Toggle on trace vector decoder (TVD)
; Execution continues here with TVD on
; Normally the following code would be encoded and illegible.
;---------------- jump around table nonsense --------------------
;-- Normally this code would be encoded by the TVD, this table
;-- of jumps is no doubt intended to cause confusion and
;-- cause would-be crackers problems tracing the code.
cp_confusion ; original instruction address $00000EC4
L00000EC4 BRA.W L00000ED4
L00000EC8 BRA.W L00000F04
L00000ECC BRA.W L00000F30
L00000ED0 BRA.W L00000EDC
L00000ED4 BRA.W L00000EE0
L00000ED8 BRA.W L00000EF4
L00000EDC BRA.W L00000F00
L00000EE0 BRA.W L00000F34
L00000EE4 BRA.W L00000EC8
L00000EE8 BRA.W L00000EF0
L00000EEC BRA.W L00000EFC
L00000EF0 BRA.W L00000F0C
L00000EF4 BRA.W L00000F2C
L00000EF8 BRA.W L00000F28
L00000EFC BRA.W L00000F10
L00000F00 BRA.W L00000EE4
L00000F04 BRA.W L00000EE8
L00000F08 BRA.W cp_set_vectors ; Exit point from the jumps, jmp $00000F9E
L00000F0C BRA.W L00000F14
L00000F10 BRA.W L00000ED0
L00000F14 BRA.W L00000F1C
L00000F18 BRA.W L00000ECC
L00000F1C BRA.W L00000ED8
L00000F20 BRA.W L00000EEC
L00000F24 BRA.W L00000EF8
L00000F28 BRA.W L00000F18
L00000F2C BRA.W L00000F24
L00000F30 BRA.W L00000F08
L00000F34 BRA.W L00000F20
;---------------- copy protection - toggle trace vector decoder ----------------
;-- ILLEGAL intruction exception handler,
; This routine toggles on/off the 68000 trace mode whenan ILLEGAL
; instruction is executed.
; Originally, this routine would have also decoded/encoded the first/last
; instruction that was being executed by the copy protection.
; It's been patched so it doesn't encode/decode any instructions,
; The 68000 trace bit is still toggled on/off to enable/disable the TVD routine
;
cp_toggle_tvd ; original routine address $00000F38
MOVEM.L D0/A0-A1,-(A7) ; save registers on stack
LEA.L cp_tvd(PC),A0 ; A0 = Address of Trace Vector Decoded routine.
MOVE.L A0,$00000024 ; Set TVD Address in Trace Exception Vector
LEA.L cp_end(PC),A0 ; A0 = Address of copy protection end routine 'cp_end' $0000139C
MOVE.L A0,$00000020 ; Set 'cp_end' in Privilege Violation Exception Vector, maybe a protection mechanism to prevent tampering.
ADD.L #$00000002,$000e(A7) ; Increment the return address on stack 2 bytes
OR.B #$07,$000c(A7) ; Enable Interrupts
BCHG.B #$07,$000c(A7) ; Toggle the 68000 trace bit on/off
LEA.L cp_decode_instructions(PC),A1 ; unused (locatopn previously used for encode/decode)
MOVEM.L (A7)+,D0/A0-A1 ; restore registers from the stack
RTE ; The act of returning sets the SR (Toggle Trace) and PC
NOP ; ... patch code
NOP ; ... patch code
;----------- copy protection - trace vector decoder (TVD) -------------
; This code would have originally decoded the next instruction and
; re-encoded the previous instruction while the 68000 is in trace mode.
;
; It has been patched to do nothing but flash the screen when each
; instruction executes while the 68000 trace bit is enabled.
;
; The NOPs have been added as patch code to keep the code the
; same size (bytes) as the original code.
;
cp_tvd ; original routine address $00000F72
AND.W #$f8ff,SR
MOVEM.L D0/A0-A1,-(A7)
NOP
NOP
MOVE.W #$0fff,D0
.flash_loop MOVE.W D0,$00dff180
SUB.W #$0111,D0
BNE.B .flash_loop
NOP
NOP
NOP
NOP
NOP
MOVEM.L (A7)+,D0/A0-A1
RTE
;------------------ copy protection - set vectors -------------------------
; After the copy protection initialisation and the execution through the
; maze of encoded jumps, the execution continues here.
;
; The routine installs a new set of Exception Vectors, some useless,
; others useful. i.e. Toggle TVD and the TVD istself.
;
; The vector routine addresses are calculated by adding address offsets
; to the address of the 'copy_protection_init' routine.
; So if the code changes size then the addresses will be wrong, unless
; the offsets are correctly updated also.
;
; Updates exception vectors $08 (Bus Error) to $24 (Trace)
; with new values, the original code updates the vectors
; to the following values:-
;
; $08 - Bus Error = $0000141c
; $0C - Address Error = $0000139C 'cp_end'
; $10 - Illegal Intruction = $00000F38 'cp_toggle_tvd'
; $14 - Zero Divide = $0000145C
; $18 - CHK Instruction = $0000149C
; $1C - TRAPV Instruction = $0000151C
; $20 - Privilege Instruction = $0000139C 'cp_end'
; $24 - Trace = $00000F72 'cp_tvd'
;
; The important entries are:
; $10 - Illegal Instruction - normally used to toggle TVD on/off
; $24 - Trace - normally decode/encode next/previous instuction
;
; The other entries are there most probably to disguise the above
; entries, or to cause additional problems with tracing/tampering.
;
; The 'exception_vector_offsets' is a table of values for the offsets
; of each exception handler, the offsets are added to the address of
; 'copy_protection_init1', originally located at $00000E82
; again, any tampering would cause these offsets to alter, causing
; problems with the execution of the code.
;
cp_set_vectors ; original routine address $00000F9E
LEA.L exception_vector_offsets(PC),A0 ; A0 = address of 'exception handler address offsets' table.
LEA.L $00000008,A1 ; A1 = first exception vector address $08 = Bus Error
LEA.L copy_protection_init1(PC),A2 ; A2 = Address of 'copy_protection_init1', originally $00000E82
MOVE.L #$00000007,D0 ; D0 = loop counter 7 + 1
.loop
MOVE.L #$00000000,D1 ; D1 = 0.l - clear value
MOVE.W (A0)+,D1 ; D1 = next handler address offset
ADD.L A2,D1 ; D1 = offset + base address 'copy_protection_init1'
MOVE.L D1,(A1)+ ; set exception handler address
DBF.W D0,.loop ; update next exception vector, loop to $00000FAE
BRA.W cp_do_protection_check ; continue as address $00000FCE
exception_vector_offsets ; original address $00000FBE
; original value | effective address | exception name | additional info
;----------------+-------------------+-----------------------+-----------------
dc.w $059A ; $059A | $0000141C | Bus Error | ** nonsense - address inside wait_for_correct_disk
dc.w $051A ; $051A | $0000139C | Address Error | ** nonsense - cp_end routine
dc.w cp_toggle_tvd-copy_protection_init1 ; $00B6 | $00000F38 | Illegal Instruction | cp_toggle_tvd - TVD Toggle On/Off
dc.w $05DA ; $05DA | $0000145C | Zero Divide | ** nonsense - address inside wait_for_correct_disk
dc.w $061A ; $061A | $0000149C | CHK Instruction | ** nonsense - address inside the copper list
dc.w $069A ; $069A | $0000151C | TRAPV Instruction | ** nonsense - address inside the copper list
dc.w $051A ; $051A | $0000139C | Privilege Instruction | ** nonsense - cp_end routine
dc.w cp_tvd-copy_protection_init1 ; $00F0 | $00000F72 | Trace | cp_tvd - Trace Vector Decoder Routine
;---------------------------------- Do Protection Check ----------------------------------
; try to load data from the copylock track,
; check the values loaded from the track and calculate a
; checksum/serial number for the copy protection check.
;
; 1) Check is a Copylock Disk ( cp_load_data1 uses 1st sync mark from cp_disk_sync_table $8A91)
; - if fail then exit
;
; 2) Read data using sync mark ($8911) table index from D0.l = #$0000005 from cp_disk_sync_table
; store bytes read in D3.l
; discards data read into buffer A0.l
;
; 3) Read data using sync mark ($8912) table index from D0.l = #$0000004 from cp_disk_sync_table
; store bytes read in D1.l
; discards data read into buffer A0.l
;
; 4) Validate number of bytes read in steps 2 & 3 above
; D0.l = bytes read (1st read)
; D1.l = bytes read (2nd read)
;
; 5) Read data using sync mark ($8914) table index from D0.l = #$0000006 from cp_disk_sync_table
; store bytes read in D0.l
; data buffer contains data checked in step 5 below.
;
; 4) Validate number of bytes read in steps 2 & 3 above
; D0.l = bytes read (3rd read)
; D1.l = bytes read (1st read)
;
; 5) Compares 1st 4 Longs (16 bytes) with the values 'Rob Northen Comp'
; ** TODO ** - examine further 10 bytes read in to buffer (could be game data)
; -
;
; -- at start of routine $0DCA is all 0
; -- 00000DCA 0000 0000 0000 0000 0000 0000 0000 0000 ................
; -- 00000DDA 0000 0000 0000 0000 0000 0000 0000 0000 ................
; -- 00000DEA 0000 0000 0000 0000 0000 0000 0000 0000 ................
; -- 00000DFA 0000 0000 0000 0000 0000 0000 0000 0000 ................
; -- 00000E0A 0000 0000 0000
; -- after cp_load_data1 $0DCA contains:-
; -- 0000DCA 2AAA 4914 A452 9149 4525 1495 5255 4955 *.I..R.IE%..RUIU
; -- 00000DDA 2554 9552 554A 5529 54A4 5292 4A49 2925 %T.RUJU)T.R.JI)%
; -- 00000DEA 2495 1254 4952 A54A 9529 54A5 5294 4A51 $..TIR.J.)T.R.JQ
; -- 00000DFA 2945 0000 0000 0000 0000 0000 0000 0000 )E..............
; -- 00000E0A 0000 0000 0000
; -- Register D0 = $00000DE2, D1 = $FFFFFF77, D2 = $00000002, D3 = $00000003
;
; -- after cp_load_data2 $0DCA contains:-
; -- 00000DCA B060 C081 0307 0F1E 3D7B F7EE DCB8 70E1 .`......={....p.
; -- 00000DDA C284 0912 2448 9020 5454 5152 454A 952A ....$H. TTQREJ.*
; -- 00000DEA 54A9 52A4 4A92 AA49 2924 A492 924A 492A T.R.J..I)$...JI*
; -- 00000DFA A4AA 0000 0000 0000 0000 0000 0000 0000 ................
; -- 00000E0A 0000 0000 0000
; -- Register D0 = $00000DCD, D1 = $FFFFFF77, D2 = $00000005, D3 = $00FC081E
;
; -- after cp_load_data2 $0DCA contains:-
; -- 00000DCA 2850 A040 8102 050A 152A 55AB 56AD 5BB6 (P.@.....*U.V.[.
; -- 00000DDA 6CD8 B163 C68C 1830 4445 1114 4451 1145 l..c...0DE..DQ.E
; -- 00000DEA 4514 9452 514A 4529 14A5 5294 4A52 A94A E..RQJE)..R.JR.J
; -- 00000DFA A52A 0000 0000 0000 0000 0000 0000 0000 .*..............
; -- 00000E0A 0000 0000 0000
; -- Register D0 = $00000D0F, D1 = $FFFFFF77, D2 = $00000005, D3 = $00000DCD
;
; -- after cp_load_data2 $0DCA contains:-
; -- 00000DCA 526F 6220 4E6F 7274 6865 6E20 436F 6D70 Rob Northen Comp
; -- 00000DDA 6AD4 A952 A449 9327 A4AA 92A5 1455 1451 j..R.I.'.....U.Q
; -- 00000DEA 152A 9444 5112 4449 1124 4492 9249 4925 .*.DQ.DI.$D..II%
; -- 00000DFA 2495 0000 0000 0000 0000 0000 0000 0000 $...............
; -- 00000E0A 0000 0000 0000
; -- Register D0 = $00000E8D, D1 = $00000D0F, D2 = $00000005, D3 = $00000DCD
;
;
cp_do_protection_check ; original routine address $00000FCE
LEA.L cp_exception_vectors_store(PC),A1 ; A1 = Address buffer of saved exception vectors $00000E50
CLR.L $001C(A1) ; clear copy protection checksum value $00000E6C
BSR.W cp_load_data1 ; cp_load_data1, calls $00001070, D0.l = 0 then fail
BEQ.W cp_end_protection_check ; if Z = 1 then fail, jmp $0000136E
; D0.l = Number of bytes read (including skiped bytes) (appears to be ignored except for check = 0 above)
; cp_mfm_buffer = 50 bytes of data read from disk (appears to be ignored and overwritten again below)
; perhaps cp_load_data1 is just a verification that this is a copylock disk before proceeding further?
MOVE.L #$00000006,D2 ; D2 = loop counter -retry count
.retry_loop
SUB.L #$00000001,D2 ; D2 = decrement by 1
BEQ.B exit_do_protection_check ; if D2 = 0 then exit, jmp $00001044
LEA.L cp_mfm_buffer(PC),A0 ; A0.l = MFM/data buffer -$00000DCA
; Read Data 1
MOVE.L #$00000005,D0 ; D0 = sync mark table index value
BSR.W cp_load_data2 ; Read 24 bytes from disk, return number of bytes read - calls $000010B4
MOVE.L D0,D3 ; D0.l,D3.l = num bytes read (including skipped bytes)
; Read Data 2
MOVE.L #$00000004,D0 ; D0 = sync mark table index value
BSR.W cp_load_data2 ; Read 24 bytes from disk, return number of bytes read - calls $000010B4
; validate bytes read (1st and 2nd cp_load_data2 results)
MOVE.L D0,D1 ; D0.l,D1.l = num bytes read (cp_load_data2 - 2nd read)
MOVE.L D3,D0 ; D3.l,D0.l = num bytes read (cp_load_data2 - 1st read)
BSR.B cp_check_bytes_read ; check bytes read, $00001058
BMI.B .retry_loop ; 0 = success, if N = 1 then retry, jmp $00000FE0
; Read Data 3
MOVE.L #$00000006,D0 ; D0 = sync mark table index value
BSR.W cp_load_data2 ; Read 24 bytes from disk, return number of bytes read - calls $000010B4
; validate bytes read (3rd and 1st cp_load_data2 results)
MOVE.L D3,D1 ; D1 = num bytes read (cp_load_data2 - 1st read)
; D0 = num bytes read (cp_load_data2 - 3rd read)
BSR.B cp_check_bytes_read ; check bytes read, $00001058
BMI.B .retry_loop ; 0 = success, if N = 1 then retry, jmp $00000FE0
.compare_string
; compare 1st 16 bytes loaded in load 3
; with the string 'Rob Nothen Comp'
CMP.L #'Rob ',(A0) ; #$526f6220,(A0)
BNE.B .retry_loop ; $00000FE0
CMP.L #'Nort',$0004(A0) ; #$4e6f7274,$0004(A0)
BNE.B .retry_loop ; $00000FE0
CMP.L #'hen ',$0008(A0) ; #$68656e20,$0008(A0)'
BNE.B .retry_loop ; $00000FE0
CMP.L #'Comp',$000c(A0) ; #$436f6d70,$000c(A0)
BNE.B .retry_loop ; $00000FE0
.calc_checksum
; create copy protection checksum/serial no.
; accumulate a value in D0.l by summing and rotating data buffer values
; D0.l = accumulator value for checksum/serial (inital value = $00000000)
; A0.l = data buffer (decode mfm 24 bytes)
MOVE.L #$00000005,D1 ; D1 = loop counter 5 + 1 (6 * 4 = 24 bytes)
MOVEA.L A0,A1 ; A0, A1 = decoded copy protection data buffer
.checksum_loop
ADD.L (A1)+,D0 ; D0.l = sum next long word of buffer data to accumulator value D0.l
ROL.L #$00000001,D0 ; D0.l = rotate data left
DBF.W D1,.checksum_loop ; loop through 6 long words (24 bytes)
.store_checksum
LEA.L cp_exception_vectors_store(PC),A1 ; table of stored exception vector values, $00000E50
ADD.L D0,$001C(A1) ; set copy protection checksum $00000E6C (cleared at start of routine above)
exit_do_protection_check ; original address $00001044
MOVE.W cp_saved_track_number(PC),D2 ; $00000E78
BSR.W cp_seek_to_track ; D2.w = track number, calls $0000124C (stores current track number)
BSR.W cp_drive_off ; switch drive motor off $0000121A
MOVE.L cp_checksum_vector(PC),D0 ; $00000E6C
BRA.W cp_end_protection_check ; jmp $0000136E
;------------------------ check bytes read --------------------------
; checks the number of bytes read in by successive calls to