Old 1st December 2008, 21:06   #134 (permalink)
Donnie Darko
Re: keyroll ecm and the fix (code it ur self)

Quote:
Originally Posted by cydine_
ROM:74F1 BD 81 call EMMBUF_01

This is the point where the code in the emm buffer is executed.


ROM:74EC CD 74 27 call ENSUREIRDINFO ; Ensure we have a type $01 item,

At this point, just before the above jump, the keyroll emm has been loaded into the buffer but not yet executed.

The idea is to, at this point, jump to a section of patch code. This will modify the emm buffer in such a way that when the code in the buffer is executed, the correct key will be returned.

So if this is the keyroll emm:

Code:
0081: 5F           clrx                 ; x <-- 0
0082: A6 10        lda #$10             ; Load in A
0084: B7 21        sta RC0ADDRH         ; Store A in...
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2
What the patch does is modify the above code, after it has been stored in the buffer but before it has been run,

to look like this:

Code:
0081: 5F           clrx                 ; x <-- 0
0082: AE 10        ldx #$10             ; Load in X
0084: 20 0E        bra $94              ; Branch always
0086: A6 02        lda #$02             ; Load in A
0088: 2D 07        bms $91              ; Branch if mask=1
008A: 9B           sei                  ; I <-- 1
008B: CD 20 0F     jsr $200F            ; Go to subroutine
008E: 9A           cli                  ; I <-- 0
008F: 20 03        bra $94              ; Branch always
0091: CD 20 0F     jsr $200F            ; Go to subroutine
0094: 9F           txa                  ; X --> A
0095: B8 AF        eor $AF              ; A= A xor ...
0097: B7 AF        sta $AF              ; Store A in...
0099: 9F           txa                  ; X --> A
009A: B8 BB        eor $BB              ; A= A xor ...
009C: B7 BB        sta $BB              ; Store A in...
009E: A6 26        lda #$26             ; Load in A
00A0: CC 48 BB     jmp FILTEROK         ; 2
Thus it loads the correct value into X and then jumps straight to the XOR.

I change

CD 74 27
to
CD 93 63

and start the patch code at that location. Remember the rom 10 codespace starts at 4000 so in your hex editor 9363 is actually 5363.

CD 74 27
to
CD 93 63

Once I've changed the above in the rom10 lst text editor, I take it I need to save a copy?

Otherwise I'm a bit stuck now. The saved rom10, do I need to open it / make a change in winex?