Speedlock 3


This is virtually identical to Speedlock 2, except for the way you work out where the loader should be. I'm doing Outrun as an example. First off, *Load and *list the bit of basic.

"outrun" LINE 0 LEN 155
0 BORDER 0: PAPER 0: INK 0: CLEAR 45000: LOAD ""CODE: GO TO USR 58616
The rest of the basic is unimportant. CLEAR 45e3 and load the code which follows, and disassemble 58616 (DF13 hex).


...And Half A Dozen Of The Others
There are also six decryptors in this Speedlock.
DF13 DI
DF14 LD   HL,DF24
DF17 LD   B,7F
DF19 LD   A,(HL)
DF1A XOR  B
DF1B LD   B,A
DF1C LD   (HL),A
DF1D INC  HL
DF1E LD   A,H
DF1F OR   L
DF20 JR   Z,DF24
DF22 JR   DF19
Crack this one (and the five that follow) exactly as you cracked the six in Speedlock 2. Notice that in the final hack we won't be able to PUSH HL and BC, or CALL the decryptor, because there is a LD SP,HL and a LD SP,IY. Notice that the SP instructions in the third decryptor are never executed (that code is used as a hidden message, not running code).
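
What the DF19-DF22 loop computes, modelled in Python as an added example that is not part of the original tutorial; the function names and the four sample bytes are constructed for illustration. It shows that each decrypted byte becomes the key for the next one, and that the loop runs from DF24 until HL wraps past FFFF.

```python
# Added example: Python model of the DF13-DF22 decryptor loop listed above.
START = 0xDF24   # LD HL,DF24: first byte the loop touches
KEY = 0x7F       # LD B,7F: initial key
TOP = 0x10000    # INC HL wraps to 0000 here, OR L sets Z, JR Z exits


def decrypt(mem, start=START, key=KEY):
    """Run the loop over a 64K memory image in place."""
    b = key
    for hl in range(start, TOP):
        a = mem[hl] ^ b   # LD A,(HL) / XOR B
        b = a             # LD B,A: the decrypted byte is the next key
        mem[hl] = a       # LD (HL),A
    return mem


def encrypt(mem, start=START, key=KEY):
    """Inverse: XOR each byte with the plaintext byte before it."""
    prev = key
    for hl in range(start, TOP):
        plain = mem[hl]
        mem[hl] = plain ^ prev
        prev = plain
    return mem


def round_trip():
    """Encrypt and decrypt a constructed image; return (ciphertext, ok)."""
    plain = bytes([0xF3, 0x21, 0x00, 0x80])   # constructed, not from the tape
    mem = bytearray(TOP)
    mem[START:START + len(plain)] = plain
    original = bytes(mem)
    encrypt(mem)
    scrambled = bytes(mem[START:START + len(plain)])
    decrypt(mem)
    return scrambled, bytes(mem) == original


def tamper_spread():
    """Flip one encrypted byte and count how many decrypted bytes change."""
    clean = decrypt(encrypt(bytearray(TOP)))
    dirty = encrypt(bytearray(TOP))
    dirty[START] ^= 0x01
    decrypt(dirty)
    return sum(x != y for x, y in zip(clean, dirty))


if __name__ == "__main__":
    print(round_trip(), tamper_spread())
```

Because the key is the previous decrypted byte, a single changed byte in the encrypted image alters every byte decrypted after it, all the way to FFFF.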


Moving Speedlock 3
First off, search for FD 21 00 00 (LD IY,0000) to find the first byte of Speedlock; you'll find it at E7B6 for Outrun. Now search for ED 53 (the standard Speedlock patch). Change the LD DE,FE9E at E9FF to read LD DE,address of pokes. Finally, search for F3 31 (DI: LD SP,nn) for the address Speedlock runs from. I found it at EAB8. Following the code down, you'll see a standard headerless load at EACA:
EACA LD   IX,FEC5
EACE LD   DE,010B
EAD1 CALL FEC1
EAD4 NOP
... and then a load of crap. The way that this Speedlock (and all the ones after it) work is to load in the code to load the game, and the table of load addresses from tape (that first short turboload block). From looking at the code above, you see that this code will be loaded to FEC5, which means that EAD4 should go to FEC5. The length is EAD3-E7B6+1, and it runs from EAB8+FEC5-EAD4. We can patch it before it is moved (as we did with Speedlock 2), so there is no need to calculate where the patch ends up.



The Outrun hack

The decryptor loop is similar to the one in the Speedlock 2 routine, but the decryptor is JP'ed to, not CALLed, and the PUSHes and POPs are replaced with direct LD (nn),register's and LD register,(nn)'s (because we can't use the stack). Also, the lengths of the six decryptors are different (as you'll find out when you hack the game for yourself), so the line of data has different values in it. Make sure you CLEAR 45e3: LOAD ""CODE (from the basic loader) before you use this program.
       ORG  30000
       LD   IX,DATA
       LD   HL,#DF13
       LD   B,6
DCRLP  LD   (KEEPBC),BC   ;THIS REPLACES THE PUSH BC IN
                          ; THE SPEEDLOCK 2 ROUTINE
       LD   C,(IX+0)
       LD   B,0
       INC  IX
       LD   DE,25000
       LDIR
       LD   (KEEPHL),HL
       LD   HL,JPBACK     ;REPLACE THE RET WITH A JP
                          ; BACK TO THE HACKING ROUTINE
       LD   C,3           ;A JP IS 3 BYTES LONG
       LDIR               ;STICK IT TO END OF THE
                          ; DECRYPTOR
       JP   25000         ;AND JP TO IT
JPBACK JP   HACK          ;THIS IS THE JP EXECUTED AT
                          ; THE END OF EACH DECRYPTOR
HACK   LD   HL,(KEEPHL)   ;THIS IS WHERE THE JP WILL JP
                          ; TO, THE INSTRUCTION
                          ; REPLACES THE POP HL
       LD   BC,(KEEPBC)   ;THIS REPLACES THE POP BC
       DJNZ DCRLP
       LD   HL,POKES
       LD   DE,#5BA0      ;A SAFE PLACE
       LD   BC,DATA-POKES ;LENGTH OF THE POKES
       LD   (#EA00),DE    ;STANDARD SPEEDLOCK PATCH
       LDIR               ;MOVE THE POKES
       LD   HL,#EAD3      ;LAST BYTE OF SPEEDLOCK
       LD   DE,#FEC4      ;PUTS IT IN ITS PROPER PLACE
       LD   BC,#EAD3-#E7B6+1 ;LENGTH OF SPEEDLOCK
       LDDR               ;LIKE A LDIR BUT STARTS AT THE
                          ; LAST BYTE AND WORKS
                          ; BACKWARDS
       JP   #EAB8+#FEC4-#EAD3 ;LOAD THE GAME
POKES  EQU  $             ;PUT YOUR INFY LIVES POKES
                          ; HERE
       JP   #FE9E         ;THE ADDRESS OVERWRITTEN BY
                          ; THE SPEEDLOCK PATCH
DATA   DEFB 17,36,57,14,25,23 ;LENGTHS OF THE SIX
                              ; DECRYPTORS
KEEPBC DEFW 0             ;A SAFE PLACE TO STICK BC
KEEPHL DEFW 0             ;A SAFE PLACE TO STICK HL