14 March 2002, 02:41   #7

Codetapper
Originally posted by Toni Wilen
There is a small and very simple protection code that uses self-modifying code and it fails due to bad emulation.

Protection code needs 68000's instruction prefetch ("more compatible"-option) but UAE's CPU emulator isn't 100% correct yet. (This feature isn't even documented by Motorola!)

And I thought prefetch emulation was 100% correct already.
As far as prefetch is concerned, I think the CPU always fetches instructions until it is longword aligned.

Hence if you have:

$030 move.w (a0),d1 ;a0 = $038
$032 eor.w d2,d1
$034 move.w d1,(a0)+
$036 dbra d0,$400 ;4 byte instruction ($036-$03a)

then the code at $36 will be run, decrement d0, branch to $400 and then the instruction at $36 will be modified so that the dbra will go to a different address on the next loop. This is common code used in lots of game protection such as all the Readysoft games and stuff like Plutos, Carcharodon etc.

When I'm decoding encryption on games I always assume it fetches to the nearest longword and that hasn't failed me yet!

Toni: I'm very keen to get my hands on a version of WinUAE with debugging features like the old Dos version of Fellow had (v0.33 or v0.35) where you can tell it to break at a certain address and examine memory etc. I would love to be able to set registers and tell the CPU to start at a certain location like the AR cartridge allows. What do you use when you are debugging "dodgy" Amiga programs under emulation and where can I get it without having to compile myself?
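To make concrete why an emulator that ignores prefetch breaks the loop in the post, here is an added Python model (not Codetapper's or UAE's code) of those four instructions. It assumes a simplified prefetch rule, that the two words after the current opcode are already queued before it executes, which is one reading of the "fetch to the next longword" rule above and not cycle-accurate 68000 timing; the memory image and register values are constructed.

```python
import struct

# Constructed 68000 memory image of the loop from the post. a0 = $038 points
# at the dbra displacement word, which the loop rewrites on every pass.
LOOP, TARGET = 0x030, 0x400

def build_memory():
    mem = bytearray(0x800)
    words = [0x3210,                  # $030 move.w (a0),d1
             0xB541,                  # $032 eor.w d2,d1
             0x30C1,                  # $034 move.w d1,(a0)+
             0x51C8, TARGET - 0x038]  # $036 dbra d0,$400 (disp relative to $038)
    for i, w in enumerate(words):
        struct.pack_into(">H", mem, LOOP + 2 * i, w)
    return mem

def first_pass_branch_target(prefetch, d0=5, d2=0x1234):
    """Run one trip round the loop and return the address dbra branches to.

    prefetch=False: each instruction word is read from memory when decoded
    (the naive emulator).  prefetch=True: the two words after the current
    opcode are queued before it executes, so a store into them is only seen
    on the next pass (assumed simplification, not exact 68000 timing)."""
    mem, pc, queue = build_memory(), LOOP, {}
    regs = {"d0": d0, "d1": 0, "d2": d2, "a0": 0x038}
    rd = lambda a: struct.unpack_from(">H", mem, a)[0]
    fetch = lambda a: queue.pop(a) if a in queue else rd(a)  # queued copy wins
    while True:
        if prefetch:
            for a in (pc + 2, pc + 4):
                queue.setdefault(a, rd(a))      # captured before execution
        op = fetch(pc)
        if op == 0x3210:                        # move.w (a0),d1
            regs["d1"] = rd(regs["a0"]); pc += 2
        elif op == 0xB541:                      # eor.w d2,d1
            regs["d1"] ^= regs["d2"]; pc += 2
        elif op == 0x30C1:                      # move.w d1,(a0)+ : the self-modifying store
            struct.pack_into(">H", mem, regs["a0"], regs["d1"])
            regs["a0"] += 2; pc += 2
        elif op == 0x51C8:                      # dbra d0,disp
            disp = fetch(pc + 2)
            if disp >= 0x8000:                  # displacement is signed 16-bit
                disp -= 0x10000
            regs["d0"] = (regs["d0"] - 1) & 0xFFFF
            return pc + 2 + disp if regs["d0"] != 0xFFFF else pc + 4
        else:
            raise ValueError(f"unexpected opcode {op:#06x} at {pc:#05x}")
```

With the queue the first pass branches to $400 as the post describes; the naive model reads the freshly written displacement and lands somewhere else entirely, which is exactly the divergence that makes such protection fail under an inaccurate emulator.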