8-Bit BTCS - Wedging into the Bard's Tale II engine.

Any developer related stuff
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

This is a bit of the breakthrough we have been waiting for. After I've gotten some hints from the old documents in Hardcore Computist that the protection was identical with BT 1 on Apple II, I started to suspect that the same was a fact on the C-64 - something which Zerozero leaned towards as well. I decided to take a peek today, and guess what?

The copy-protection on BT II is byte by byte identical with the one I've examined on BT I.

Since Zerozero already had decloaked some of the files, I encoded (EOR #$EA) the file which is known to be "the first file" on EA-disks with these kinds of protections, located at track 03, sector 00. This file loads to $C000 in the C-64 memory and is very like the one found in BT 1. The loader seems to be identical with the one in BT 1 as well, and here are some interesting snippets from the disassembly of the file from BT II. I believe the JSR $0200 is the load-routine:

$C000	LDA #$35
	STA $01

$C004	SEI
	LDY #$04	; Load track $04...
	LDX #$00	; ...sector $00.
	LDA #$E2	; With Pirateslayer-loader.
	JSR $0200	; Execute load.

$C00E	SEI
	LDY #$06	; Load track $06...
	LDX #$00	; ...sector $00.
	LDA #$E2	; With Pirateslayer-loader.
	JSR $0200	; Execute load.

$C071	SEI
	LDY #$0F	; Load track $0F...
	LDX #$00	; ...sector $00.
	LDA #$E0	; With C-64 ROM-loader.
	JSR $0200	; Execute load.

$C09A	LDY #$13	; Load track $13...
	LDX #$00	; ...sector $00.
	LDA #$E0	; With C-64 ROM-loader.
	JSR $0200	; Execute load.

$C0A3	SEI
	LDY #$14	; Load track $14...
	LDX #$00	; ...sector $00.
	LDA #$E0	; With C-64 ROM-loader.
	JSR $0200	; Execute load.
In other words - we got a lead on how this works. I have already extracted the files mentioned above, and also some additional files which I believe are relevant. Not all of the decloaked files seem to be valid ones, but there are definitely more relevant files than the ones referred to in the above loader. This should be enough to start the intro and the engine, though. I will put up a disk with the decloaked and decoded files shortly, together with some other essential downloads.
/Twoflower
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

/Twoflower
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

So you mean the NMxx files that make up the BTI disks were compiled by someone who dissected the game after it was distributed by EA?
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

Twoflower wrote: Essential downloads:

* The nibbled, original BT II - in G64 format with copyprotection intact.

More to come...
What is a G64 format? The first disk is .G64, the other 3 are .D64.

And what's with the .SID file?
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

A G64 is a nibbled C-64 disk image. All the faults and extra information are still on the disk - meaning that it replicates copy protections. The files you have found floating around are, with 90% certainty, more-or-less cracked versions. This is the digital 1:1 representation of the original, untampered disks. The SID file is only there for completeness - if you look in the SID file you can see where the music is located within the engine.

The NMXX files that make up the BT I disks are the original format implemented by Interplay. The first disk side is the only thing that is copy-protected on both of the games. You can copy all the B, C, D sides (which is why only the first file in the pack is a .G64) without any problem. The difference is that they have chosen to hide the files, and use the Pirateslayer-loader as a framework for the entire game. On BT 1, that ends when the main program is loaded. On BT 2, all files are track/sector-loaded through the Pirateslayer-loader.
/Twoflower
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

Is the NMxx file scheme used for BTII as well?
And, I'd like something to do. Something that doesn't require arcane knowledge of ML and hexadecimal.
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

Nope, no NMXX-scheme used in BT II as far as I have seen so far - but I haven't dived into the game-engine yet, so I can't tell 100%. My theory is that it works in several layers:

1) Interplay-Layer: the game requests to load a file - let's say file #10. This is probably done by a LDA #$0A (load accumulator with the value of the file), followed by a JSR $1000 (jump to subroutine located at $1000). Pretty straightforward so far. The game simply requests a file to be loaded.

2) Pirateslayer-Layer: this is an interpretation layer. It probably takes the value in accumulator A and picks the (in this case) 10th value from a list, storing that value in accumulator Y, then picks the 10th value from another list, storing that value in accumulator X. These lists contain the track (Y) and sector (X) locations for the file. The layer changes the info in accumulator A to a job-code - e.g. #$E0 (=read normally) and does a JSR $0200 (location of the loader).

3) Pirateslayer-Loader. The Pirateslayer loader can only read the information given to it through the three accumulators - X, Y and A. In this case it gets the information to load a file located at track 12 (=Y), sector 00 (=X). The jobcode #$E0 (=A) tells it to trackload normally, using the Pirateslayer loader.

What needs to be done is to intervene with this process at either point #2 or #3. The earlier we intervene, the more memory will be gained, and the less structure will need to be preserved - but that also means that more stuff needs to be recoded. Hope this wasn't too complicated.
/Twoflower
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

Current status:

Big progress! After converting the files I found referenced in the file located on T3S0 on the bootdisk, I copied them to a separate disk. I replaced the Pirateslayer-loader with the loader from GI-Joe which I received from a friend the other week. The copied files have been given names after their respective track+sector.

After 1) activating the loader and 2) making it use the address Pirateslayer uses for fileloading and finally 3) activating the control routine at $C000 I managed to fileload the entire intro and startup-sequence - then I ran out of converted files and got the game to give me a load-error message. But the game is now file-loading from a separate disk! I believe that this won't work when we enter the town as the current location of the loader will be overwritten by the city graphics. If we can find some other space for it, we have possibly replaced the loader completely with a fileloader.

How does the Pirateslayer-loader work?

The game calls the load routine at $0200, feeding it a track, a sector and a jobcode. I haven't found the track/sector tables yet. Jobcodes known to be used so far are E2 (load track+sector?), E0 (load file?), 80 (save file?), 90 (save track+sector?) and F0 (reset drive, clear drive memory and revert to CBM-DOS). Neat, huh?
/Twoflower
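The load path sketched in this thread (the EOR #$EA-encoded file at T03/S00 in the first post, the three-layer Interplay / Pirateslayer-layer / loader model, and the jobcode list above) can be modelled end to end in a few dozen lines. The script below is an added example, not code from the thread, from Interplay or from the Pirateslayer loader: the D64 image, the 300-byte "control file", and the track/sector tables (taken from the T/S pairs the $C000 listing loads, in order) are all constructed for the demo. It assumes the standard 1541 zone layout, that file data is chained with the standard track/sector links ZeroZero identified, that only the payload bytes (not the two link bytes) are EOR-encoded, and it labels the jobcodes with the tentative meanings the thread gives them.

```python
"""Added example (not from the thread or the game): model of the BT II load
path -- the Interplay layer asks for file #n, the Pirateslayer layer turns n
into Y=track / X=sector through two tables plus a jobcode in A, and the loader
follows the standard T/S link chain in a D64 image, EOR-decoding with $EA.
The image, tables and file contents below are constructed for the demo."""
from __future__ import annotations

SECTOR_SIZE = 256
EOR_KEY = 0xEA  # the constant Twoflower used to decode the T03/S00 file


def sectors_on_track(track: int) -> int:
    """Standard 1541 zone layout: sectors per track for tracks 1..35."""
    if 1 <= track <= 17:
        return 21
    if 18 <= track <= 24:
        return 19
    if 25 <= track <= 30:
        return 18
    if 31 <= track <= 35:
        return 17
    raise ValueError(f"bad track {track}")


def sector_offset(track: int, sector: int) -> int:
    """Byte offset of (track, sector) inside a 35-track D64 image."""
    if not 0 <= sector < sectors_on_track(track):
        raise ValueError(f"bad sector {sector} on track {track}")
    before = sum(sectors_on_track(t) for t in range(1, track))
    return (before + sector) * SECTOR_SIZE


D64_SIZE = sector_offset(35, 16) + SECTOR_SIZE  # 683 sectors = 174848 bytes

# Jobcodes with the tentative meanings given in the thread (guesses, not fact).
JOBCODES = {0xE2: "load track+sector", 0xE0: "load file", 0x80: "save file",
            0x90: "save track+sector", 0xF0: "reset drive, revert to CBM-DOS"}


def read_chain(image: bytes, track: int, sector: int, key: int = EOR_KEY) -> bytes:
    """Layer 3 (loader): follow the T/S link chain starting at (track, sector).
    Bytes 0-1 of each sector link to the next one; the last sector has link
    track 0 and byte 1 = index of its last used byte.  Assumption for the demo:
    only the payload is EOR-encoded, the link bytes are stored in the clear."""
    out, seen = bytearray(), set()
    while track != 0:
        if (track, sector) in seen:
            raise ValueError("T/S chain loops back on itself")
        seen.add((track, sector))
        off = sector_offset(track, sector)
        blk = image[off:off + SECTOR_SIZE]
        next_t, next_s = blk[0], blk[1]
        end = SECTOR_SIZE if next_t != 0 else next_s + 1
        out += bytes(b ^ key for b in blk[2:end])
        track, sector = next_t, next_s
    return bytes(out)


def pirateslayer_layer(file_no: int, track_table: list[int], sector_table: list[int],
                       jobcode: int = 0xE0) -> tuple[int, int, int]:
    """Layer 2: A=file number -> (Y=track, X=sector, A=jobcode)."""
    if not 0 <= file_no < len(track_table):
        raise IndexError(f"no table entry for file #{file_no}")
    return track_table[file_no], sector_table[file_no], jobcode


def load_file(image: bytes, file_no: int, track_table: list[int],
              sector_table: list[int]) -> bytes:
    """Layer 1: what a 'LDA #file / JSR' in the game would trigger end to end."""
    y, x, a = pirateslayer_layer(file_no, track_table, sector_table)
    if a not in JOBCODES:
        raise ValueError(f"unknown jobcode ${a:02X}")
    return read_chain(image, y, x)


# Constructed tables: the T/S pairs the $C000 control code loads, in order.
TRACK_TABLE = [0x03, 0x04, 0x06, 0x0F, 0x13, 0x14]
SECTOR_TABLE = [0x00] * len(TRACK_TABLE)


def write_chain(image: bytearray, chain: list[tuple[int, int]], payload: bytes,
                key: int = EOR_KEY) -> None:
    """Inverse of read_chain; used only to build the constructed demo image."""
    step = SECTOR_SIZE - 2
    chunks = [payload[i:i + step] for i in range(0, len(payload), step)]
    if len(chunks) > len(chain):
        raise ValueError("payload needs more sectors than the chain provides")
    for i, chunk in enumerate(chunks):
        off = sector_offset(*chain[i])
        last = i == len(chunks) - 1
        image[off], image[off + 1] = (0, len(chunk) + 1) if last else chain[i + 1]
        image[off + 2:off + 2 + len(chunk)] = bytes(b ^ key for b in chunk)


def build_demo_image() -> tuple[bytearray, bytes]:
    """Blank D64 with a constructed 300-byte file chained T03/S00 -> T03/S01."""
    image = bytearray(D64_SIZE)
    control = bytes(i & 0xFF for i in range(300))  # stand-in for the $C000 file
    write_chain(image, [(3, 0), (3, 1)], control)
    return image, control


if __name__ == "__main__":
    img, original = build_demo_image()
    print("on-disk first payload byte: $%02X" % img[sector_offset(3, 0) + 2])
    print("decoded file #0 matches:", load_file(img, 0, TRACK_TABLE, SECTOR_TABLE) == original)
```

Run against a real image you would replace `build_demo_image()` with the bytes of a D64 and the two tables with whatever the Pirateslayer-layer routine actually indexes; the loop check in `read_chain` is there because a damaged or deliberately odd link chain would otherwise hang the decoder.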
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

You spoke Spanish to me, except for the "Big progress!" bit.

But nevertheless, it sounds very cool.
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

Darendor wrote:You spoke Spanish to me, except for the "Big progress!" bit. But nevertheless, it sounds very cool.
Well, cool it is - no doubt the biggest breakthrough on BT II since ZeroZero found out that the files on BT II use standard Track/Sector links. Let's just say that we soon may have access to the BT II engine. This means that we can document it in the same way as we have documented BT I. But you're right - a disk image shows more than a thousand Spanish words:

* Check out my fileloading version of the BT II bootdisk.

Just run it in VICE or CCS64 - you can verify, copy, do whatever you want with the files. It'll work since the replaced loader uses decrypted files, instead of encrypted tracks and sectors. What you have is the entire startup of the game - including the intro. It won't work trying to load characters after the end of this disk, though - it'll look for files, not track+sector.
/Twoflower
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

What is in each of the files on this boot disk?
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

And what's with the "LET DRIVE INIT..." bit? Did you do that?
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

"BT II - BOOTFILE" - The start-file, containing the GI-Joe loader.
"01-01  $EA1D    " - I believe this is the C64 side of the Pirateslayer Loader.
"03-00  $C000    " - The control code - this dictates in which order the intro and engine is loaded.
"04-00  $0800    " - The engine subroutines for the intro, much like in BT I.
"06-00  $4000    " - First part of the intro + intrographics.
"0F-00  $4000    " - Second part of the intrographics.
"13-00  $0800    " - The engine subroutines for the game, much like in BT I.
"15-00  $0800    " - The final parts of the BT II engine.
After executing the engine, it reloads the 01-01 file (the loader) and asks for the character disk. The "let drive init" text is just put there so that the code peacefully can be transferred to the drive-memory. The DEL-files are just visual separators - good for nothing other than for separating the files visually.
/Twoflower
Twoflower
Posts: 128
Joined: Thu Mar 19, 2009 12:40 am
Location: Haarlem, NL

Post by Twoflower »

More progress:

Track and Sector tables for the Citydisk have been located in the BT II engine - the tracktable is located at $649E and the sectortable is located at $6522.
The routine which utilizes them can be found at $62D6 - this is what I referred to as the Pirateslayer-Layer above.
/Twoflower
Darendor
Posts: 1502
Joined: Wed Jan 14, 2009 1:53 am
Location: Red Deer, Alberta, Canada

Post by Darendor »

So the track/sector tables for the city disk allow us to reorganize the cities then.