On the first disk 'ROMIIA' the file to patch is: data_a/rom2
Look for:
Code:
BF EC 5F 3C 65 00 05 38 70 00
...and replace it with:
Code:
70 16 BE 80 66 04 70 15 60 04
For those who are interested, here's the assembly with some comments.
Original (with "Build Fort" bug):
Code:
cmpa.l $5F3C(a4),a7
bcs $80CB16A ;this will never happen, c compiler bloat?
moveq #0,d0
move.b $B(a5),d0 ;d0 will be #$16 when bug occurs after selecting "build fort"
asl.l #2,d0 ;now d0 is #$58 with bug
lea -$17B4(a4),a0 ;get jump table offset start
movea.l 0(a0,d0.l),a0 ;bad a0 now points to string data instead of correct jump vector (which is -4)
jsr (a0) ;the instruction causing "address error" when a0 points to memory with odd address
unlk a5 ;a lot of this shit going on in almost every subroutine, C or Pascal?
rts
Patched:
Code:
moveq #$16,d0 ;bug command for "build fort"
cmp.l d0,d7 ;check if "bad fort", register d7 includes current menu command from previous check
bne.s foo1 ;if other command, lets skip this
moveq #$15,d0 ;d0 was bad #$16, lets move #$15 there instead
bra.s foo2
;end patch, byte count match
foo1 move.b $B(a5),d0
foo2 asl.l #2,d0 ;after patch, d0 will be #$54 when "build fort" was selected
lea -$17B4(a4),a0 ;get jump table offset start
movea.l 0(a0,d0.l),a0 ;a0 now points to the correct jump vector for "build fort"
jsr (a0)
unlk a5
rts
I debugged this on my A1200 (see sig) using MonAm (the debugger for Devpac 3); since it lacks direct assembly, the opcodes were entered manually using the "hex edit" window.
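The byte patch described above, applied with the checks a binary patcher should have (an added example, not code from the original post): it requires the original 10-byte sequence to occur exactly once, refuses a file that is already patched, and decodes the two short branches in the replacement to confirm they land on the unchanged move.b (offset 10) and asl.l (offset 14). The path data_a/rom2 is the one from the post; the function names are my own.

```python
from pathlib import Path

# Byte sequences from the post: original code and its same-length replacement.
ORIGINAL = bytes.fromhex("BF EC 5F 3C 65 00 05 38 70 00")
PATCHED = bytes.fromhex("70 16 BE 80 66 04 70 15 60 04")
assert len(ORIGINAL) == len(PATCHED), "a size change would shift the following code"


def patch_status(data: bytes) -> str:
    """Classify a file image as 'original', 'patched', 'missing' or 'ambiguous'.
    A 10-byte pattern can in principle occur elsewhere in the file, so a
    repeated hit is reported as ambiguous instead of being patched blindly."""
    orig_hits, new_hits = data.count(ORIGINAL), data.count(PATCHED)
    if orig_hits == 1 and new_hits == 0:
        return "original"
    if orig_hits == 0 and new_hits == 1:
        return "patched"
    if orig_hits == 0 and new_hits == 0:
        return "missing"
    return "ambiguous"


def patch_bytes(data: bytes) -> bytes:
    """Return a patched copy of `data`; refuse anything that is not exactly
    the unpatched original, so a second run cannot corrupt the file."""
    status = patch_status(data)
    if status != "original":
        raise ValueError(f"refusing to patch: file is {status}")
    return data.replace(ORIGINAL, PATCHED)


def short_branch_targets(code: bytes) -> dict:
    """Decode the 68000 short branches in the replacement (66 xx = bne.s,
    60 xx = bra.s) and return each target as a byte offset from the start of
    the patch. The displacement is a signed 8-bit value relative to the end
    of the 2-byte opcode. Assumes every instruction in `code` is one word,
    which holds for the five instructions of this patch."""
    targets = {}
    for off in range(0, len(code), 2):
        op, disp = code[off], code[off + 1]
        if op in (0x60, 0x66):
            disp = disp - 256 if disp > 127 else disp
            targets["bra.s" if op == 0x60 else "bne.s"] = off + 2 + disp
    return targets


if __name__ == "__main__":
    rom = Path("data_a/rom2")  # file named in the post
    image = rom.read_bytes()
    rom.with_suffix(".bak").write_bytes(image)  # keep the original disk file
    rom.write_bytes(patch_bytes(image))
```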