Deja Vu #02
30 September 1997
Coding - How to intercept the Magic and the Reset button on the computer ZS256.
(C) PLAYGEAR COMPANY / BD
Author: Cardinal
Edition: The Pagan

How to intercept the MAGIC and RESET button on SCORPION ZS-256

* "There is only one terminal disease: life. Everybody dies of it." Rob Griys

"Why do it?" you ask. But why not. Many people implement protection against MAGIC in ways that are far from original:

1. Clearing the eighth page of RAM. (If the system hangs after MAGIC is pressed, clearing the eighth RAM page can be prevented by disabling the button via port #1FFD. Many programs get past this trick, but some run a series of tests: if the program is loaded on a Scorpion, it checks for the additional memory, and if it is present, then RAM8 MUST DIE! And if not, then JP #0000, BASIC 48K RULEZ FOREVER!)

2. Using RST #8; DEFB #85. (A good method, but it is easily eliminated by the program ANTIRST 8, which was placed in the appendix of DEJA VU #1.)

3. Register I = #41. (A rather cunning method, but it has one drawback: all text, graphics, etc. that you want to display must go into the first screen, located in the seventh page of RAM; I hope you understand why. By the way, UFO-2 and the Black Crow demo use it as protection against MAGIC.)

4. And the most original protection against MAGIC is to intercept MAGIC, of course! (After pressing MAGIC you see with your own eyes not the SSM, the Shadow Service Monitor, but something else...)

Intercepting MAGIC on the Scorpion is not as tricky as it seems at first glance. First let us figure out what happens after MAGIC is pressed. This happens: the CPU waits for the current instruction to finish, then the TR-DOS ROM is switched in and the instruction CALL #0066 is executed (and it really is executed; the processor does not simply push the return address onto its stack and start the subroutine at #0066. As proof: before the processor moves to address #0066, register R is incremented, with its seventh bit left untouched. Remember this, please).
At address #0066 in the TR-DOS ROM there is JP #2A56, at #2A56 there is JP #0807, and at #0807 there is the following routine:

    #0807 PUSH AF
          LD A,R
          PUSH AF
          LD A,4
          PUSH AF
          INC SP
          PUSH BC
          LD BC,#1FFD
          PUSH HL
          LD HL,(#C001)
          EX (SP),HL
          LD A,#55
          LD (#C001),A
          CPL
          LD (#C002),A
          LD A,#12
          JP #0033

From this listing we see that the register pair AF is pushed onto the stack, then register R is read into the accumulator, and at the same time the P/V flag captures the STATE OF THE IFF2 TRIGGER (this is needed so that on exit from the non-maskable interrupt it is known whether interrupts were enabled or disabled at the moment MAGIC was pressed), and all of this is pushed onto the stack by PUSH AF. Then the byte #04 is pushed onto the stack: the entry-type ID. By it the SSM determines that entry occurred via MAGIC and not via RST #08. (In the shadow monitor ROM both RST #08 and MAGIC are handled by one and the same routine, and the identification numbers are used to tell them apart.) Then, as we see, registers BC and HL are saved, then the two bytes that were at addresses #C001 and #C002 are saved on the stack, and the bytes #55 and #AA are put in their place. (All this fuss is needed so that the shadow monitor can later determine, by the bytes #55 and #AA, which memory page was switched in at the moment MAGIC was pressed.) If I have not bored you yet, read on. Then a jump is made to address #0033, where the instruction OUT (C),A is located. After it executes, the shadow monitor ROM is switched in and further work proceeds there. Then, after several jumps, the following routine starts:

    DI
    LD A,#12
    OUT (C),A
    LD B,#7F
    LD A,#10
    OUT (C),A
    LD (#DD6D),SP
    LD (#DDF7),SP
    LD SP,#E375
    LD BC,(#C064)
    LD A,C
    OR B
    JR NZ,#0116

NOTE: all addresses except #C064 differ between versions of the shadow monitor. Everything that follows the JR NZ does not interest us.
From this routine we see that page 8 of memory is switched in, the stack pointer is saved and then reset. And then comes the most cunning part: the address held in cells #C064 and #C065 is loaded into BC, and if this address is 0 the monitor proper starts, but if the address is not 0, the following routine runs:

    PUSH BC
    DEC BC
    LD A,B
    OR C
    JR NZ,$-3
    RET

From it we see that this very address is pushed onto the stack, then a delay loop spins, and when BC reaches zero RET executes, hence a jump to the address on the stack! So that is where we are heading. Normally addresses #C064 and #C065 hold zeros, but if you put the address of your program there, it will be launched after MAGIC is pressed. Naturally, your program must be in the fifth, second or eighth page of RAM. If the program does not exceed 5-6 KB, it is best placed from address #C100 in the eighth page, but if it is big, you can do the following: at #C064 and #C065 write 0 and #C1, and at #C100 place this little subroutine:

    LD A,#51
    OUT (#FD),A

It switches in the ninth page, and at #C104 in the ninth page your program must already be located. That is, perhaps, all I can tell about intercepting MAGIC, and now I will tell how to intercept RESET. Here things are no trickier than with MAGIC. To do it, find in the shadow monitor ROM a piece of code like this:

    LD HL,addr
    LD A,B
    CP (HL)
    INC HL

Note the address that is loaded into HL, then switch in the eighth page, fill it completely with bytes #FE, and run the following program:

    LD HL,addr   ; the address noted earlier
    LD B,0
    LOOP LD (HL),B
    INC HL
    DJNZ LOOP

At address #FEFE place:

    LD A,#51
    OUT (#FD),A

At address #FF02, already in the ninth page, place JP #C000. At #C000 in the ninth page your program must be located.
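As an added example (not code from the article), the following Python model builds the page-8 and page-9 images that both procedures above prescribe and mimics the monitor's #C064 check; the Z80 opcode bytes are the standard encodings, and the `noted_addr` used for the RESET hook is a placeholder, since the real value depends on your shadow monitor version.

```python
# Added example (not from the article): models the page-8 / page-9 layout the
# article prescribes for hooking MAGIC and RESET on the Scorpion ZS-256.
PAGE_BASE = 0xC000                # a RAM page is mapped at #C000-#FFFF
MAGIC_VECTOR = 0xC064             # word the monitor checks; 0 = run the monitor
STUB = bytes([0x3E, 0x51,         # LD A,#51
              0xD3, 0xFD])        # OUT (#FD),A  -> page 9 (#1FFD bit 4 is set)
JP_C000 = bytes([0xC3, 0x00, 0xC0])  # JP #C000

def off(addr):
    """Offset of an absolute #C000-#FFFF address inside a 16 KB page image."""
    assert PAGE_BASE <= addr <= 0xFFFF
    return addr - PAGE_BASE

def monitor_dispatch(page8):
    """Mimic the LD BC,(#C064) / OR / JR NZ check: None means the monitor
    itself starts, otherwise the address it will RET to."""
    vec = page8[off(MAGIC_VECTOR)] | (page8[off(MAGIC_VECTOR) + 1] << 8)
    return vec or None

def install_magic_hook(page8, entry=0xC100):
    """Store `entry` little-endian at #C064/#C065, put the page-9 switch stub
    at `entry`, and return the page-9 address where the program must begin."""
    page8[off(MAGIC_VECTOR)] = entry & 0xFF
    page8[off(MAGIC_VECTOR) + 1] = entry >> 8
    page8[off(entry):off(entry) + len(STUB)] = STUB
    return entry + len(STUB)      # #C104 for the article's #C100

def install_reset_hook(page8, page9, noted_addr):
    """Fill page 8 with #FE, write the 256-byte pattern of the article's
    LD B,0 / LD (HL),B / INC HL / DJNZ loop at `noted_addr` (the address found
    in the ROM's LD HL,addr), put the stub at #FEFE and JP #C000 at #FF02 in
    page 9. Returns the address where execution lands in page 9."""
    page8[:] = b"\xFE" * len(page8)
    b = 0
    for i in range(256):          # DJNZ decrements B before testing for zero,
        page8[off(noted_addr) + i] = b   # so B=0 gives 256 writes: 0,255,...,1
        b = (b - 1) & 0xFF
    page8[off(0xFEFE):off(0xFEFE) + len(STUB)] = STUB
    cont = 0xFEFE + len(STUB)     # #FF02: the next fetch after the OUT
    page9[off(cont):off(cont) + len(JP_C000)] = JP_C000
    return cont

if __name__ == "__main__":
    p8, p9 = bytearray(0x4000), bytearray(0x4000)
    print(hex(install_magic_hook(p8)), hex(monitor_dispatch(p8)))
    print(hex(install_reset_hook(p8, p9, 0xD000)))   # 0xD000 is a placeholder
```

After the #FE fill, the word at #C064 also reads #FEFE, so the same stub is reachable through the MAGIC vector, which matches the article's remark that MAGIC can be intercepted by the second method as well.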
If you do not understand why RESET has to be intercepted in such a way (I do not know another), reread the top eight lines on page 42 of the book "The Shadow Service Monitor for the ZS 256 computer" by Larchenko and you will understand everything. By the way, MAGIC can also be intercepted by the latter method, but the first is incomparably easier. If you have any questions, write to the editor or to me personally.