Preface
That's right, I'm guilty of clickbait :)
xiao✌ later told me the source code is available.
My English isn't good.
Reproduction
Environment setup
When I first saw the SFC file I was a bit confused; searching for it turned up a pile of baffling results and I couldn't work it out. Only after reading the writeup did I realize it's a Nintendo game.
https://www.solvusoft.com/zh-cn/file-extensions/file-extension-sfc/
https://github.com/srdnlen/srdnlenctf-2025_public/tree/main/pwn_A_childs_dream
Then the hint said to run it with the Mesen emulator; see the reference links below for download and usage.
Recommended Mesen download and usage guide
Or see the official documentation:
https://www.mesen.ca/docs/
Writing an FC/SFC emulator
NES Emulator From Scratch
Implementing a simple FC emulator
Usage
Nintendo is the GOAT
w/d move left and right, u ends the game, i crashes or hangs it, L pauses
Mesen shows which keyboard key emulates each of the game's buttons.
The vulnerability
At first I had no idea where to start, and I couldn't make sense of the disassembly, so I could only debug to find the input point and the place where the game starts running.
To find where input is handled, I kept resuming and pausing in the debugger and noticed it sits here for a while; from the instruction's meaning it should be waiting for an interrupt produced by input.
Debugging with input given directly in the game doesn't work at all, because each iteration finishes so fast that it comes back before I can press anything. Luckily input can be fed through the debugger's controller.
Then I tried each button at random and found the R button hangs it outright, and after that... nothing.
After reading the writeup I learned there's a flag inside and you just have to get it printed yourself. That didn't occur to me; I'm too bad at this.
Then I searched and found a flag at D658.
I found that the function at DEEE uses this address, and it is the only place that does, so it may be what outputs the flag. It should belong to the function at DEDF, since it is separated from the code above by an RTL.
So the question became how to call the function at DEDF.
Processing logic
First, where does execution go after the WAI interrupt? Because I noticed that stepping after WAI did nothing.
I wanted to see how it enters the interrupt handler, since that may be where my input is processed, because I noticed that going from WAI to the next instruction moves the game one frame.
Searching online for how Mesen enters the interrupt handler, I learned that it enters the NMI.
Then, through this,
I got into the interrupt handler.
But I seem to have been wrong; maybe there is a delay between the debugger and actual execution? Because there is no input handling in here.
Then I searched online, but being limited to Chinese sources hurt: I found nothing useful, so I looked at the writeup:
To search where to start in the code, we can try to understand the input handling on SNES. On the internet we can find various wikis like https://en.wikibooks.org/wiki/Super_NES_Programming/Joypad_Input, that indicates that the current states of the keys pressed on the first joypad are saved on $4016 or $4218. In the first address we can’t see anything, but the second changes according to our input. From that we can map the values of all the keys:
Debugging and watching memory, the value of the pressed button is in 4218, and I found that the value in 4218 does change at the instruction after WAI; from that I learned the value of each button:
RIGHT = 256
LEFT = 512
DOWN = 1024
UP = 2048
R = 16
L = 32
X = 64
A = 128
START = 4096
SELECT = 819
B = 32768
Y = 16384
So how is it processed? Still no idea; I'm useless.
It must make use of these button values. The writeup says to search for code that uses the address where the button value is stored. There is one: the instruction at address 208 in the NMI.
Here I noticed that it later stores the button value at address 39, which is used afterwards.
But then it just returns to the instruction after the original WAI; not much use.
The writeup talks about references to the addresses holding the same content; that was no use either. Maybe I'm just too bad at this.
Watashi... is it really going to end like this?
No. Rather than worrying about how input is processed, I'd better look first at how the R button causes the crash.
Then, stepping through one by one, I learned the following.
The important logic of the function is below; I stepped through it instruction by instruction until my eyes blurred. Real respect to the reverse-engineering pros.
Here it enters a loop that keeps processing the input value, then outputs a frame, then moves.
00CD5E [004D5E] A9 00 00 LDA #$0000
……
00CD73 [004D73] 22 AC C0 00 JSL $00C0AC
00C0AC [0040AC] 3B TSC
……
00C8E0 [0048E0] 22 69 E0 00 JSL $00E069
00E069 [006069] 08 PHP
……
00E073 [006073] CB WAI ; interrupt
00E074 [006074] AF 30 00 00 LDA $000030
……
00E07C [00607C] 6B RTL
……
00C8EA [0048EA] 6B RTL
00CD77 [004D77] 80 E5 BRA $00CD5E
Comparing with other buttons, with the R button there is no JSL $00E069; it goes straight to the RTL, and it never returns to BRA $00CD5E either.
But when 00C0AC starts, the return address is still normal at that point.
I found that the actual return address is 1 more than the return address saved on the stack, and in the memory viewer the first byte of the saved return address seems to sit one byte away from the current stack pointer. Probably a quirk of this assembly: on the 65816, JSL pushes the address of its own last byte and RTL adds 1 to it, and S points at the next free byte below whatever was pushed.
So the problem lies in this section,
the code from 00C0AC [0040AC] 3B TSC to 00C8EA [0048EA] 6B RTL:
it not only changes the return address but also never enters 00E069.
Then I set a conditional breakpoint to break automatically when the return address on the stack changes.
I found it happens after entering 00C3F7 [0043F7] 22 01 83 01 JSL $018301
--------sub start-------- 018301 [008301] A3 04 LDA $04,S, and the change happens after this point.
Debugging further showed that 018316 [008316] 20 28 00 JSR $0028
is the cause; it jumps to 0028 and executes:
000028 [000028] 54 00 7F MVN $7F,$00
00002B [00002B] 60 RTS
Roughly the logic recovered with AI's help is as follows:
// Sketch: `stack[n]` stands for the 16-bit word at S+n (n is the byte offset
// from the instruction operand), `memory[n]` for direct-page address $n, and
// A, X, Y are the 16-bit registers.
#include <stdint.h>

uint16_t A, X, Y;
uint16_t stack[16];
uint16_t memory[64];
void subroutine_0028(void);      // the MVN stub at $0028 (listed below)

void subroutine(void) {
    A = stack[4];                // LDA $04,S
    memory[0] = A;               // STA $00
    Y = A;                       // TAY
    A = stack[8];                // LDA $08,S
    X = A;                       // TAX
    A = stack[10];               // LDA $0A,S
    A = (uint16_t)((A << 8) | (A >> 8)); // XBA: swap the high and low bytes of A
    A |= stack[6];               // ORA $06,S
    memory[41] = A;              // STA $29 (the operand bytes of the MVN at $0028)
    A = stack[12];               // LDA $0C,S
    if (A == 0) {
        goto skip_decrement;
    }
    A--;                         // DEC
skip_decrement:
    // PHB and PLB have no direct mapping here
    subroutine_0028();           // JSR $0028
    A = stack[6];                // LDA $06,S
    memory[2] = A;               // STA $02
    return;                      // RTL
}
010028 [000028] 54 00 7F MVN $7F,$00
At this point A=2 X=0 Y=1ff9 DB=7E
First copy:
Source address: the value at $7F:0000 is copied to destination address $00:1FF9.
X and Y increment:
X = 0 + 1 = 1
Y = 1FF9 + 1 = 1FFA (in hexadecimal, adding 1 gives 1FF9 → 1FFA).
A decrements by 1: A = 2 - 1 = 1.
Second copy:
Source address: the value at $7F:0001 is copied to destination address $00:1FFA.
X and Y increment:
X = 1 + 1 = 2
Y = 1FFA + 1 = 1FFB.
A decrements by 1: A = 1 - 1 = 0.
Third copy (A has become 0, but MVN keeps executing until A is $FFFF):
Source address: the value at $7F:0002 is copied to destination address $00:1FFB.
X and Y increment:
X = 2 + 1 = 3
Y = 1FFB + 1 = 1FFC.
A decrements by 1: A = 0 - 1 = -1 ($FFFF in hexadecimal).
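As an added example (my own code, not from the writeup or the game), here is a small Python model of the 65816 MVN instruction that replays the trace above and shows why the three moved bytes become the RTL target. The register values A=2, X=0, Y=$1FF9 and the bank operands come from the trace; the stack pointer $1FF8, the saved return address (the last byte of the JSL $018301 at 00C3F7) and the three bytes placed at $7F:0000 are constructed.

```python
# Added example, not from the original post: model of MVN and of how RTL reads
# its return address.  Memory is a dict keyed by 24-bit address.


def mvn(mem, src_bank, dst_bank, a, x, y):
    """Execute MVN src_bank,dst_bank with 16-bit A/X/Y.

    MVN copies A+1 bytes from src_bank:X to dst_bank:Y, incrementing X and Y
    (16-bit wrap) and decrementing A after each byte; it stops when A wraps
    to $FFFF.  Returns the final (a, x, y).
    """
    while True:
        mem[(dst_bank << 16) | y] = mem.get((src_bank << 16) | x, 0)
        x = (x + 1) & 0xFFFF
        y = (y + 1) & 0xFFFF
        a = (a - 1) & 0xFFFF
        if a == 0xFFFF:
            return a, x, y


def rtl_target(mem, s):
    """Address RTL would return to, given stack pointer s (stack is in bank 0).

    JSL pushes PB, PCH, PCL and leaves S pointing at the free byte below them,
    so the saved address occupies s+1..s+3 (low byte first); RTL adds 1, which
    is why the actual return address is one more than the saved value.
    """
    lo, hi, bank = mem.get(s + 1, 0), mem.get(s + 2, 0), mem.get(s + 3, 0)
    return (((bank << 16) | (hi << 8) | lo) + 1) & 0xFFFFFF


def replay_trace():
    """Replay the three-byte move from the post with constructed data."""
    mem = {}
    # Constructed: S = $1FF8, so the saved return address sits at $00:1FF9..1FFB.
    # The JSL $018301 at 00C3F7 is 4 bytes long, so the pushed value is 00:C3FA.
    s = 0x1FF8
    mem[0x001FF9], mem[0x001FFA], mem[0x001FFB] = 0xFA, 0xC3, 0x00
    before = rtl_target(mem, s)
    # Constructed contents of $7F:0000..0002 (the bytes up/down edit in the game).
    mem[0x7F0000], mem[0x7F0001], mem[0x7F0002] = 0x11, 0x22, 0x33
    a, x, y = mvn(mem, src_bank=0x7F, dst_bank=0x00, a=2, x=0, y=0x1FF9)
    after = rtl_target(mem, s)
    return {"before": before, "after": after, "a": a, "x": x, "y": y,
            "copied": [mem[0x001FF9], mem[0x001FFA], mem[0x001FFB]]}


if __name__ == "__main__":
    r = replay_trace()
    print(f"RTL target before: {r['before']:06X}, after: {r['after']:06X}")
    print(f"final A={r['a']:04X} X={r['x']:04X} Y={r['y']:04X}")
```

Running it gives the same end state as the trace (A=$FFFF, X=3, Y=$1FFC) and shows the RTL target changing from 00C3FB to whatever the three bytes at $7F:0000..0002 spell out, low byte first, plus one.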
So the goal is how to modify 0x7F0000.
While fumbling around I noticed that earlier button presses make a later R press behave differently. I guessed they influence it, so I set a breakpoint to watch the contents of 0x7F0000. Trying it, the up and down buttons affect the return address: roughly, up adds 1 and down subtracts 1, but the bit position that gets changed differs, apparently depending on left/right movement. Also the ball must not fall off, or it gets reset to zero.
I didn't reverse this part very thoroughly; I'll look at it again when I have time.
Addendum:
I wanted to see how each button is handled. I think it should be in the earlier block of code, because in that code the R button's logic differs from the other buttons', and I found that the other buttons never execute
00C3F7 [0043F7] 22 01 83 01 JSL $018301
Looking a bit earlier, there is exactly the R button value 0x10.
Combined with all the AND instructions against various button values before it, this must be where the button values are handled and dispatched to the corresponding function. So 00C0AC [0040AC] 3B TSC to 00C8EA [0048EA] 6B RTL,
this section, should be the input handling; it jumps around in the middle, because the code isn't contiguous.
--------sub start--------
00C0AC [0040AC] 3B TSC
00C0AD [0040AD] 38 SEC
00C0AE [0040AE] E9 01 00 SBC #$0001
00C0B1 [0040B1] 1B TCS
00C0B2 [0040B2] AF 39 00 00 LDA $000039
00C0B6 [0040B6] 8D 8B 32 STA $328B
00C0B9 [0040B9] 22 D0 D9 00 JSL $00D9D0
00C0BD [0040BD] AD 8B 32 LDA $328B
00C0C0 [0040C0] 29 80 00 AND #$0080
00C0C3 [0040C3] 85 00 STA $00
00C0C5 [0040C5] A5 00 LDA $00
00C0C7 [0040C7] D0 03 BNE $00C0CC
00C0C9 [0040C9] 82 73 01 BRL $00C23F
00C0CC [0040CC] AD 8B 32 LDA $328B
00C0CF [0040CF] 29 00 01 AND #$0100
00C0D2 [0040D2] 85 00 STA $00
00C0D4 [0040D4] A5 00 LDA $00
00C0D6 [0040D6] D0 03 BNE $00C0DB
00C0D8 [0040D8] 82 52 00 BRL $00C12D
00C12D [00412D] AD 8B 32 LDA $328B
00C130 [004130] 29 00 02 AND #$0200
00C133 [004133] 85 00 STA $00
00C135 [004135] A5 00 LDA $00
00C137 [004137] D0 03 BNE $00C13C
00C139 [004139] 82 58 00 BRL $00C194
00C194 [004194] AD 8B 32 LDA $328B
00C197 [004197] 29 00 08 AND #$0800
00C19A [00419A] 85 00 STA $00
00C19C [00419C] A5 00 LDA $00
00C19E [00419E] D0 03 BNE $00C1A3
00C1A0 [0041A0] 82 45 00 BRL $00C1E8
00C1E8 [0041E8] AD 8B 32 LDA $328B
00C1EB [0041EB] 29 00 04 AND #$0400
00C1EE [0041EE] 85 00 STA $00
00C1F0 [0041F0] A5 00 LDA $00
00C1F2 [0041F2] D0 03 BNE $00C1F7
00C1F4 [0041F4] 82 45 00 BRL $00C23C
00C1F7 [0041F7] AD 90 32 LDA $3290
00C1FA [0041FA] 85 00 STA $00
00C1FC [0041FC] AD 8B 32 LDA $328B
00C1FF [0041FF] 85 04 STA $04
00C201 [004201] A2 01 00 LDX #$0001
00C204 [004204] A5 00 LDA $00
00C206 [004206] 38 SEC
00C207 [004207] E5 04 SBC $04
00C209 [004209] A8 TAY
00C20A [00420A] D0 01 BNE $00C20D
00C20C [00420C] CA DEX
00C20D [00420D] 86 14 STX $14
00C20F [00420F] 8A TXA
00C210 [004210] D0 03 BNE $00C215
00C212 [004212] 82 27 00 BRL $00C23C
00C215 [004215] A9 7F 00 LDA #$007F
00C218 [004218] 85 02 STA $02
00C21A [00421A] A9 00 00 LDA #$0000
00C21D [00421D] 85 00 STA $00
00C21F [00421F] AD 92 32 LDA $3292
00C222 [004222] 18 CLC
00C223 [004223] 65 00 ADC $00
00C225 [004225] 85 00 STA $00
00C227 [004227] A9 00 00 LDA #$0000
00C22A [00422A] E2 20 SEP #$20
00C22C [00422C] A7 00 LDA [$00]
00C22E [00422E] C2 20 REP #$20
00C230 [004230] 38 SEC
00C231 [004231] E9 10 00 SBC #$0010
00C234 [004234] 85 04 STA $04
00C236 [004236] E2 20 SEP #$20
00C238 [004238] 87 00 STA [$00]
00C23A [00423A] C2 20 REP #$20
00C23C [00423C] 4C B7 C3 JMP $C3B7
00C23F [00423F] AD 8B 32 LDA $328B
00C242 [004242] 29 00 01 AND #$0100
00C245 [004245] 85 00 STA $00
00C247 [004247] A5 00 LDA $00
00C249 [004249] D0 03 BNE $00C24E
00C24B [00424B] 82 50 00 BRL $00C29E
00C24E [00424E] AD 81 32 LDA $3281
00C251 [004251] 1A INC
00C252 [004252] 1A INC
00C253 [004253] 8D 81 32 STA $3281
00C256 [004256] AD 90 32 LDA $3290
00C259 [004259] 85 00 STA $00
00C25B [00425B] AD 8B 32 LDA $328B
00C25E [00425E] 85 04 STA $04
00C260 [004260] A2 01 00 LDX #$0001
00C263 [004263] A5 00 LDA $00
00C265 [004265] 38 SEC
00C266 [004266] E5 04 SBC $04
00C268 [004268] A8 TAY
00C269 [004269] D0 01 BNE $00C26C
00C26B [00426B] CA DEX
00C26C [00426C] 86 14 STX $14
00C26E [00426E] 8A TXA
00C26F [00426F] D0 03 BNE $00C274
00C271 [004271] 82 15 00 BRL $00C289
00C274 [004274] AD 92 32 LDA $3292
00C277 [004277] 85 00 STA $00
00C279 [004279] A2 01 00 LDX #$0001
00C27C [00427C] 38 SEC
00C27D [00427D] E9 02 00 SBC #$0002
00C280 [004280] A8 TAY
00C281 [004281] 90 01 BCC $00C284
00C283 [004283] CA DEX
00C284 [004284] 86 14 STX $14
00C286 [004286] 8A TXA
00C287 [004287] D0 03 BNE $00C28C
00C289 [004289] 82 12 00 BRL $00C29E
00C28C [00428C] AD 92 32 LDA $3292
00C28F [00428F] 85 00 STA $00
00C291 [004291] 85 04 STA $04
00C293 [004293] A5 02 LDA $02
00C295 [004295] 85 06 STA $06
00C297 [004297] E6 00 INC $00
00C299 [004299] A5 00 LDA $00
00C29B [00429B] 8D 92 32 STA $3292
00C29E [00429E] AD 8B 32 LDA $328B
00C2A1 [0042A1] 29 00 02 AND #$0200
00C2A4 [0042A4] 85 00 STA $00
00C2A6 [0042A6] A5 00 LDA $00
00C2A8 [0042A8] D0 03 BNE $00C2AD
00C2AA [0042AA] 82 56 00 BRL $00C303
00C2AD [0042AD] AD 81 32 LDA $3281
00C2B0 [0042B0] 3A DEC
00C2B1 [0042B1] 3A DEC
00C2B2 [0042B2] 8D 81 32 STA $3281
00C2B5 [0042B5] AD 90 32 LDA $3290
00C2B8 [0042B8] 85 00 STA $00
00C2BA [0042BA] AD 8B 32 LDA $328B
00C2BD [0042BD] 85 04 STA $04
00C2BF [0042BF] A2 01 00 LDX #$0001
00C2C2 [0042C2] A5 00 LDA $00
00C2C4 [0042C4] 38 SEC
00C2C5 [0042C5] E5 04 SBC $04
00C2C7 [0042C7] A8 TAY
00C2C8 [0042C8] D0 01 BNE $00C2CB
00C2CA [0042CA] CA DEX
00C2CB [0042CB] 86 14 STX $14
00C2CD [0042CD] 8A TXA
00C2CE [0042CE] D0 03 BNE $00C2D3
00C2D0 [0042D0] 82 17 00 BRL $00C2EA
00C2D3 [0042D3] AD 92 32 LDA $3292
00C2D6 [0042D6] 85 00 STA $00
00C2D8 [0042D8] A2 01 00 LDX #$0001
00C2DB [0042DB] 38 SEC
00C2DC [0042DC] E9 00 00 SBC #$0000
00C2DF [0042DF] A8 TAY
00C2E0 [0042E0] F0 02 BEQ $00C2E4
00C2E2 [0042E2] B0 01 BCS $00C2E5
00C2E4 [0042E4] CA DEX
00C2E5 [0042E5] 86 14 STX $14
00C2E7 [0042E7] 8A TXA
00C2E8 [0042E8] D0 03 BNE $00C2ED
00C2EA [0042EA] 82 16 00 BRL $00C303
00C2ED [0042ED] AD 92 32 LDA $3292
00C2F0 [0042F0] 85 00 STA $00
00C2F2 [0042F2] 85 04 STA $04
00C2F4 [0042F4] A5 02 LDA $02
00C2F6 [0042F6] 85 06 STA $06
00C2F8 [0042F8] 18 CLC
00C2F9 [0042F9] A5 00 LDA $00
00C2FB [0042FB] 69 FF FF ADC #$FFFF
00C2FE [0042FE] 85 00 STA $00
00C300 [004300] 8D 92 32 STA $3292
00C303 [004303] AD 8B 32 LDA $328B
00C306 [004306] 29 00 08 AND #$0800
00C309 [004309] 85 00 STA $00
00C30B [00430B] A5 00 LDA $00
00C30D [00430D] D0 03 BNE $00C312
00C30F [00430F] 82 4B 00 BRL $00C35D
00C312 [004312] AD 90 32 LDA $3290
00C315 [004315] 85 00 STA $00
00C317 [004317] AD 8B 32 LDA $328B
00C31A [00431A] 85 04 STA $04
00C31C [00431C] A2 01 00 LDX #$0001
00C31F [00431F] A5 00 LDA $00
00C321 [004321] 38 SEC
00C322 [004322] E5 04 SBC $04
00C324 [004324] A8 TAY
00C325 [004325] D0 01 BNE $00C328
00C327 [004327] CA DEX
00C328 [004328] 86 14 STX $14
00C32A [00432A] 8A TXA
00C32B [00432B] D0 03 BNE $00C330
00C32D [00432D] 82 2D 00 BRL $00C35D
00C330 [004330] A9 7F 00 LDA #$007F
00C333 [004333] 85 02 STA $02
00C335 [004335] A9 00 00 LDA #$0000
00C338 [004338] 85 00 STA $00
00C33A [00433A] AD 92 32 LDA $3292
00C33D [00433D] 18 CLC
00C33E [00433E] 65 00 ADC $00
00C340 [004340] 85 00 STA $00
00C342 [004342] A9 00 00 LDA #$0000
00C345 [004345] E2 20 SEP #$20
00C347 [004347] A7 00 LDA [$00]
00C349 [004349] C2 20 REP #$20
00C34B [00434B] 85 04 STA $04
00C34D [00434D] 85 08 STA $08
00C34F [00434F] A5 06 LDA $06
00C351 [004351] 85 0A STA $0A
00C353 [004353] E6 04 INC $04
00C355 [004355] E2 20 SEP #$20
00C357 [004357] A5 04 LDA $04
00C359 [004359] 87 00 STA [$00]
00C35B [00435B] C2 20 REP #$20
00C35D [00435D] AD 8B 32 LDA $328B
00C360 [004360] 29 00 04 AND #$0400
00C363 [004363] 85 00 STA $00
00C365 [004365] A5 00 LDA $00
00C367 [004367] D0 03 BNE $00C36C
00C369 [004369] 82 4B 00 BRL $00C3B7
00C36C [00436C] AD 90 32 LDA $3290
00C36F [00436F] 85 00 STA $00
00C371 [004371] AD 8B 32 LDA $328B
00C374 [004374] 85 04 STA $04
00C376 [004376] A2 01 00 LDX #$0001
00C379 [004379] A5 00 LDA $00
00C37B [00437B] 38 SEC
00C37C [00437C] E5 04 SBC $04
00C37E [00437E] A8 TAY
00C37F [00437F] D0 01 BNE $00C382
00C381 [004381] CA DEX
00C382 [004382] 86 14 STX $14
00C384 [004384] 8A TXA
00C385 [004385] D0 03 BNE $00C38A
00C387 [004387] 82 2D 00 BRL $00C3B7
00C38A [00438A] A9 7F 00 LDA #$007F
00C38D [00438D] 85 02 STA $02
00C38F [00438F] A9 00 00 LDA #$0000
00C392 [004392] 85 00 STA $00
00C394 [004394] AD 92 32 LDA $3292
00C397 [004397] 18 CLC
00C398 [004398] 65 00 ADC $00
00C39A [00439A] 85 00 STA $00
00C39C [00439C] A9 00 00 LDA #$0000
00C39F [00439F] E2 20 SEP #$20
00C3A1 [0043A1] A7 00 LDA [$00]
00C3A3 [0043A3] C2 20 REP #$20
00C3A5 [0043A5] 85 04 STA $04
00C3A7 [0043A7] 85 08 STA $08
00C3A9 [0043A9] A5 06 LDA $06
00C3AB [0043AB] 85 0A STA $0A
00C3AD [0043AD] C6 04 DEC $04
00C3AF [0043AF] E2 20 SEP #$20
00C3B1 [0043B1] A5 04 LDA $04
00C3B3 [0043B3] 87 00 STA [$00]
00C3B5 [0043B5] C2 20 REP #$20
00C3B7 [0043B7] AD 8B 32 LDA $328B
00C3BA [0043BA] 29 20 00 AND #$0020
00C3BD [0043BD] 85 00 STA $00
00C3BF [0043BF] A5 00 LDA $00
00C3C1 [0043C1] D0 03 BNE $00C3C6
00C3C3 [0043C3] 82 0F 00 BRL $00C3D5
00C3C6 [0043C6] A9 FF 00 LDA #$00FF
00C3C9 [0043C9] 85 00 STA $00
00C3CB [0043CB] E2 20 SEP #$20
00C3CD [0043CD] 8D 8F 32 STA $328F
00C3D0 [0043D0] C2 20 REP #$20
00C3D2 [0043D2] 4C E4 C8 JMP $C8E4
00C3D5 [0043D5] AD 8B 32 LDA $328B
00C3D8 [0043D8] 29 10 00 AND #$0010
00C3DB [0043DB] 85 00 STA $00
00C3DD [0043DD] A5 00 LDA $00
00C3DF [0043DF] D0 03 BNE $00C3E4
00C3E1 [0043E1] 82 20 00 BRL $00C404
00C3E4 [0043E4] F4 03 00 PEA #$0003
00C3E7 [0043E7] F4 7F 00 PEA #$007F
00C3EA [0043EA] F4 00 00 PEA #$0000
00C3ED [0043ED] 64 02 STZ $02
00C3EF [0043EF] 3B TSC
00C3F0 [0043F0] 18 CLC
00C3F1 [0043F1] 69 07 00 ADC #$0007
00C3F4 [0043F4] D4 02 PEI $02
00C3F6 [0043F6] 48 PHA
00C3F7 [0043F7] 22 01 83 01 JSL $018301
00C3FB [0043FB] 3B TSC
00C3FC [0043FC] 18 CLC
00C3FD [0043FD] 69 0A 00 ADC #$000A
00C400 [004400] 1B TCS
00C401 [004401] 4C E4 C8 JMP $C8E4
00C404 [004404] AD 8B 32 LDA $328B
00C407 [004407] 8D 90 32 STA $3290
00C40A [00440A] F4 90 00 PEA #$0090
00C40D [00440D] F4 10 00 PEA #$0010
00C410 [004410] AD 81 32 LDA $3281
00C413 [004413] 48 PHA
00C414 [004414] 22 9C DE 00 JSL $00DE9C
00C418 [004418] 3B TSC
00C419 [004419] 18 CLC
00C41A [00441A] 69 06 00 ADC #$0006
00C41D [00441D] 1B TCS
00C41E [00441E] A5 00 LDA $00
00C420 [004420] 8D 81 32 STA $3281
00C423 [004423] AD 87 32 LDA $3287
00C426 [004426] 85 00 STA $00
00C428 [004428] AD 83 32 LDA $3283
00C42B [00442B] 18 CLC
00C42C [00442C] 65 00 ADC $00
00C42E [00442E] 8D 87 32 STA $3287
00C431 [004431] AD 89 32 LDA $3289
00C434 [004434] 85 00 STA $00
00C436 [004436] AD 85 32 LDA $3285
00C439 [004439] 85 04 STA $04
00C43B [00443B] 18 CLC
00C43C [00443C] 65 00 ADC $00
00C43E [00443E] 8D 89 32 STA $3289
00C441 [004441] AD 87 32 LDA $3287
00C444 [004444] 85 00 STA $00
00C446 [004446] A2 01 00 LDX #$0001
00C449 [004449] 38 SEC
00C44A [00444A] E9 AB 00 SBC #$00AB
00C44D [00444D] A8 TAY
00C44E [00444E] F0 07 BEQ $00C457
00C450 [004450] 50 03 BVC $00C455
00C452 [004452] 49 00 80 EOR #$8000
00C455 [004455] 10 01 BPL $00C458
00C457 [004457] CA DEX
00C458 [004458] 86 14 STX $14
00C45A [00445A] 8A TXA
00C45B [00445B] D0 03 BNE $00C460
00C45D [00445D] 82 19 00 BRL $00C479
00C460 [004460] 64 00 STZ $00
00C462 [004462] AD 83 32 LDA $3283
00C465 [004465] 85 04 STA $04
00C467 [004467] 38 SEC
00C468 [004468] A5 00 LDA $00
00C46A [00446A] E5 04 SBC $04
00C46C [00446C] 8D 83 32 STA $3283
00C46F [00446F] A9 AB 00 LDA #$00AB
00C472 [004472] 85 00 STA $00
00C474 [004474] 8D 87 32 STA $3287
00C477 [004477] 80 2A BRA $00C4A3
00C479 [004479] AD 87 32 LDA $3287
00C47C [00447C] 85 00 STA $00
00C47E [00447E] 38 SEC
00C47F [00447F] E9 10 00 SBC #$0010
00C482 [004482] 50 03 BVC $00C487
00C484 [004484] 49 00 80 EOR #$8000
00C487 [004487] 30 03 BMI $00C48C
00C489 [004489] 82 17 00 BRL $00C4A3
00C48C [00448C] 64 00 STZ $00
00C48E [00448E] AD 83 32 LDA $3283
00C491 [004491] 85 04 STA $04
00C493 [004493] 38 SEC
00C494 [004494] A5 00 LDA $00
00C496 [004496] E5 04 SBC $04
00C498 [004498] 8D 83 32 STA $3283
00C49B [00449B] A9 10 00 LDA #$0010
00C49E [00449E] 85 00 STA $00
00C4A0 [0044A0] 8D 87 32 STA $3287
00C4A3 [0044A3] AD 89 32 LDA $3289
00C4A6 [0044A6] 85 00 STA $00
00C4A8 [0044A8] 38 SEC
00C4A9 [0044A9] E9 0F 00 SBC #$000F
00C4AC [0044AC] 50 03 BVC $00C4B1
00C4AE [0044AE] 49 00 80 EOR #$8000
00C4B1 [0044B1] 30 03 BMI $00C4B6
00C4B3 [0044B3] 82 14 00 BRL $00C4CA
00C4B6 [0044B6] 64 00 STZ $00
00C4B8 [0044B8] AD 85 32 LDA $3285
00C4BB [0044BB] 85 04 STA $04
00C4BD [0044BD] 38 SEC
00C4BE [0044BE] A5 00 LDA $00
00C4C0 [0044C0] E5 04 SBC $04
00C4C2 [0044C2] 85 00 STA $00
00C4C4 [0044C4] 8D 85 32 STA $3285
00C4C7 [0044C7] 4C DC C8 JMP $C8DC
00C4CA [0044CA] AD 89 32 LDA $3289
00C4CD [0044CD] 85 00 STA $00
00C4CF [0044CF] A2 01 00 LDX #$0001
00C4D2 [0044D2] 38 SEC
00C4D3 [0044D3] E9 C3 00 SBC #$00C3
00C4D6 [0044D6] A8 TAY
00C4D7 [0044D7] F0 07 BEQ $00C4E0
00C4D9 [0044D9] 50 03 BVC $00C4DE
00C4DB [0044DB] 49 00 80 EOR #$8000
00C4DE [0044DE] 10 01 BPL $00C4E1
00C4E0 [0044E0] CA DEX
00C4E1 [0044E1] 86 14 STX $14
00C4E3 [0044E3] 8A TXA
00C4E4 [0044E4] D0 03 BNE $00C4E9
00C4E6 [0044E6] 82 E1 00 BRL $00C5CA
00C4E9 [0044E9] AD 89 32 LDA $3289
00C4EC [0044EC] 85 00 STA $00
00C4EE [0044EE] 38 SEC
00C4EF [0044EF] E9 CB 00 SBC #$00CB
00C4F2 [0044F2] 50 03 BVC $00C4F7
00C4F4 [0044F4] 49 00 80 EOR #$8000
00C4F7 [0044F7] 30 03 BMI $00C4FC
00C4F9 [0044F9] 82 A8 00 BRL $00C5A4
00C4FC [0044FC] AD 87 32 LDA $3287
00C4FF [0044FF] 85 00 STA $00
00C501 [004501] AD 81 32 LDA $3281
00C504 [004504] 85 04 STA $04
00C506 [004506] A2 01 00 LDX #$0001
00C509 [004509] A5 00 LDA $00
00C50B [00450B] 38 SEC
00C50C [00450C] E5 04 SBC $04
00C50E [00450E] A8 TAY
00C50F [00450F] B0 01 BCS $00C512
00C511 [004511] CA DEX
00C512 [004512] 86 14 STX $14
00C514 [004514] 8A TXA
00C515 [004515] D0 03 BNE $00C51A
00C517 [004517] 82 1F 00 BRL $00C539
00C51A [00451A] AD 81 32 LDA $3281
00C51D [00451D] 18 CLC
00C51E [00451E] 69 1B 00 ADC #$001B
00C521 [004521] 85 00 STA $00
00C523 [004523] AD 87 32 LDA $3287
00C526 [004526] 85 04 STA $04
00C528 [004528] A2 01 00 LDX #$0001
00C52B [00452B] 38 SEC
00C52C [00452C] E5 00 SBC $00
00C52E [00452E] A8 TAY
00C52F [00452F] F0 03 BEQ $00C534
00C531 [004531] 90 01 BCC $00C534
00C533 [004533] CA DEX
00C534 [004534] 86 14 STX $14
00C536 [004536] 8A TXA
00C537 [004537] D0 03 BNE $00C53C
00C539 [004539] 82 66 00 BRL $00C5A2
00C53C [00453C] AD 87 32 LDA $3287
00C53F [00453F] 85 00 STA $00
00C541 [004541] AD 81 32 LDA $3281
00C544 [004544] 85 04 STA $04
00C546 [004546] 38 SEC
00C547 [004547] A5 00 LDA $00
00C549 [004549] E5 04 SBC $04
00C54B [00454B] 85 00 STA $00
00C54D [00454D] AA TAX
00C54E [00454E] A9 07 00 LDA #$0007
00C551 [004551] 22 F6 80 01 JSL $0180F6
00C555 [004555] A5 18 LDA $18
00C557 [004557] E2 20 SEP #$20
00C559 [004559] 8D 66 32 STA $3266
00C55C [00455C] C2 20 REP #$20
00C55E [00455E] A9 00 00 LDA #$0000
00C561 [004561] E2 20 SEP #$20
00C563 [004563] AD 66 32 LDA $3266
00C566 [004566] C2 20 REP #$20
00C568 [004568] 0A ASL
00C569 [004569] 0A ASL
00C56A [00456A] 85 00 STA $00
00C56C [00456C] A9 00 00 LDA #$0000
00C56F [00456F] 85 06 STA $06
00C571 [004571] A9 8F D5 LDA #$D58F
00C574 [004574] 18 CLC
00C575 [004575] 65 00 ADC $00
00C577 [004577] 85 04 STA $04
00C579 [004579] A7 04 LDA [$04]
00C57B [00457B] 8D 83 32 STA $3283
00C57E [00457E] A9 00 00 LDA #$0000
00C581 [004581] E2 20 SEP #$20
00C583 [004583] AD 66 32 LDA $3266
00C586 [004586] C2 20 REP #$20
00C588 [004588] 0A ASL
00C589 [004589] 0A ASL
00C58A [00458A] 85 00 STA $00
00C58C [00458C] A9 00 00 LDA #$0000
00C58F [00458F] 85 06 STA $06
00C591 [004591] A9 8F D5 LDA #$D58F
00C594 [004594] 18 CLC
00C595 [004595] 65 00 ADC $00
00C597 [004597] 1A INC
00C598 [004598] 1A INC
00C599 [004599] 85 04 STA $04
00C59B [00459B] A7 04 LDA [$04]
00C59D [00459D] 85 00 STA $00
00C59F [00459F] 8D 85 32 STA $3285
00C5A2 [0045A2] 80 23 BRA $00C5C7
00C5A4 [0045A4] AD 89 32 LDA $3289
00C5A7 [0045A7] 85 00 STA $00
00C5A9 [0045A9] A2 01 00 LDX #$0001
00C5AC [0045AC] 38 SEC
00C5AD [0045AD] E9 E0 00 SBC #$00E0
00C5B0 [0045B0] A8 TAY
00C5B1 [0045B1] F0 07 BEQ $00C5BA
00C5B3 [0045B3] 50 03 BVC $00C5B8
00C5B5 [0045B5] 49 00 80 EOR #$8000
00C5B8 [0045B8] 10 01 BPL $00C5BB
00C5BA [0045BA] CA DEX
00C5BB [0045BB] 86 14 STX $14
00C5BD [0045BD] 8A TXA
00C5BE [0045BE] D0 03 BNE $00C5C3
00C5C0 [0045C0] 82 04 00 BRL $00C5C7
00C5C3 [0045C3] 22 07 D3 00 JSL $00D307
00C5C7 [0045C7] 4C DC C8 JMP $C8DC
00C5CA [0045CA] AD 89 32 LDA $3289
00C5CD [0045CD] 85 00 STA $00
00C5CF [0045CF] 38 SEC
00C5D0 [0045D0] E9 70 00 SBC #$0070
00C5D3 [0045D3] 50 03 BVC $00C5D8
00C5D5 [0045D5] 49 00 80 EOR #$8000
00C5D8 [0045D8] 30 03 BMI $00C5DD
00C5DA [0045DA] 82 FF 02 BRL $00C8DC
00C5DD [0045DD] AD 6F 32 LDA $326F
00C5E0 [0045E0] 8D 73 32 STA $3273
00C5E3 [0045E3] AD 71 32 LDA $3271
00C5E6 [0045E6] 8D 75 32 STA $3275
00C5E9 [0045E9] AD 87 32 LDA $3287
00C5EC [0045EC] 38 SEC
00C5ED [0045ED] E9 0E 00 SBC #$000E
00C5F0 [0045F0] C9 00 80 CMP #$8000
00C5F3 [0045F3] 6A ROR
00C5F4 [0045F4] C9 00 80 CMP #$8000
00C5F7 [0045F7] 6A ROR
00C5F8 [0045F8] C9 00 80 CMP #$8000
00C5FB [0045FB] 6A ROR
00C5FC [0045FC] C9 00 80 CMP #$8000
00C5FF [0045FF] 6A ROR
00C600 [004600] 8D 6F 32 STA $326F
00C603 [004603] AD 89 32 LDA $3289
00C606 [004606] 38 SEC
00C607 [004607] E9 0E 00 SBC #$000E
00C60A [00460A] C9 00 80 CMP #$8000
00C60D [00460D] 6A ROR
00C60E [00460E] C9 00 80 CMP #$8000
00C611 [004611] 6A ROR
00C612 [004612] C9 00 80 CMP #$8000
00C615 [004615] 6A ROR
00C616 [004616] 8D 71 32 STA $3271
00C619 [004619] AD 71 32 LDA $3271
00C61C [00461C] 0A ASL
00C61D [00461D] 0A ASL
00C61E [00461E] 0A ASL
00C61F [00461F] 85 00 STA $00
00C621 [004621] AD 6F 32 LDA $326F
00C624 [004624] 18 CLC
00C625 [004625] 65 00 ADC $00
00C627 [004627] 85 04 STA $04
00C629 [004629] AD 71 32 LDA $3271
00C62C [00462C] 0A ASL
00C62D [00462D] 18 CLC
00C62E [00462E] 65 04 ADC $04
00C630 [004630] 38 SEC
00C631 [004631] E9 0A 00 SBC #$000A
00C634 [004634] 85 04 STA $04
00C636 [004636] 8D 6B 32 STA $326B
00C639 [004639] AD 6B 32 LDA $326B
00C63C [00463C] 85 00 STA $00
00C63E [00463E] A2 01 00 LDX #$0001
00C641 [004641] 38 SEC
00C642 [004642] E9 00 00 SBC #$0000
00C645 [004645] A8 TAY
00C646 [004646] B0 01 BCS $00C649
00C648 [004648] CA DEX
00C649 [004649] 86 14 STX $14
00C64B [00464B] 8A TXA
00C64C [00464C] D0 03 BNE $00C651
00C64E [00464E] 82 15 00 BRL $00C666
00C651 [004651] AD 6B 32 LDA $326B
00C654 [004654] 85 00 STA $00
00C656 [004656] A2 01 00 LDX #$0001
00C659 [004659] 38 SEC
00C65A [00465A] E9 64 00 SBC #$0064
00C65D [00465D] A8 TAY
00C65E [00465E] 90 01 BCC $00C661
00C660 [004660] CA DEX
00C661 [004661] 86 14 STX $14
00C663 [004663] 8A TXA
00C664 [004664] D0 03 BNE $00C669
00C666 [004666] 82 73 02 BRL $00C8DC
00C669 [004669] A9 7E 00 LDA #$007E
00C66C [00466C] 85 02 STA $02
00C66E [00466E] A9 00 32 LDA #$3200
00C671 [004671] 85 00 STA $00
00C673 [004673] AD 6B 32 LDA $326B
00C676 [004676] 18 CLC
00C677 [004677] 65 00 ADC $00
00C679 [004679] 85 00 STA $00
00C67B [00467B] A9 00 00 LDA #$0000
00C67E [00467E] E2 20 SEP #$20
00C680 [004680] A7 00 LDA [$00]
00C682 [004682] C2 20 REP #$20
00C684 [004684] 85 04 STA $04
00C686 [004686] A2 01 00 LDX #$0001
00C689 [004689] 38 SEC
00C68A [00468A] E9 08 00 SBC #$0008
00C68D [00468D] A8 TAY
00C68E [00468E] D0 01 BNE $00C691
00C690 [004690] CA DEX
00C691 [004691] 86 14 STX $14
00C693 [004693] 8A TXA
00C694 [004694] D0 03 BNE $00C699
00C696 [004696] 82 43 02 BRL $00C8DC
00C699 [004699] AD 6D 32 LDA $326D
00C69C [00469C] 85 00 STA $00
00C69E [00469E] 85 04 STA $04
00C6A0 [0046A0] A5 02 LDA $02
00C6A2 [0046A2] 85 06 STA $06
00C6A4 [0046A4] 18 CLC
00C6A5 [0046A5] A5 00 LDA $00
00C6A7 [0046A7] 69 FF FF ADC #$FFFF
00C6AA [0046AA] 8D 6D 32 STA $326D
00C6AD [0046AD] A9 00 00 LDA #$0000
00C6B0 [0046B0] 85 00 STA $00
00C6B2 [0046B2] E2 20 SEP #$20
00C6B4 [0046B4] 8D 64 32 STA $3264
00C6B7 [0046B7] C2 20 REP #$20
00C6B9 [0046B9] A9 00 00 LDA #$0000
00C6BC [0046BC] E2 20 SEP #$20
00C6BE [0046BE] AD 64 32 LDA $3264
00C6C1 [0046C1] C2 20 REP #$20
00C6C3 [0046C3] 85 00 STA $00
00C6C5 [0046C5] AD 7F 32 LDA $327F
00C6C8 [0046C8] 85 04 STA $04
00C6CA [0046CA] A2 01 00 LDX #$0001
00C6CD [0046CD] A5 00 LDA $00
00C6CF [0046CF] 38 SEC
00C6D0 [0046D0] E5 04 SBC $04
00C6D2 [0046D2] A8 TAY
00C6D3 [0046D3] F0 03 BEQ $00C6D8
00C6D5 [0046D5] 90 01 BCC $00C6D8
00C6D7 [0046D7] CA DEX
00C6D8 [0046D8] 86 14 STX $14
00C6DA [0046DA] 8A TXA
00C6DB [0046DB] D0 03 BNE $00C6E0
00C6DD [0046DD] 82 4E 00 BRL $00C72E
00C6E0 [0046E0] 80 20 BRA $00C702
00C6E2 [0046E2] A9 00 00 LDA #$0000
00C6E5 [0046E5] E2 20 SEP #$20
00C6E7 [0046E7] AD 64 32 LDA $3264
00C6EA [0046EA] C2 20 REP #$20
00C6EC [0046EC] 85 00 STA $00
00C6EE [0046EE] 85 04 STA $04
00C6F0 [0046F0] A5 02 LDA $02
00C6F2 [0046F2] 85 06 STA $06
00C6F4 [0046F4] E6 00 INC $00
00C6F6 [0046F6] E2 20 SEP #$20
00C6F8 [0046F8] A5 00 LDA $00
00C6FA [0046FA] 8D 64 32 STA $3264
00C6FD [0046FD] C2 20 REP #$20
00C6FF [0046FF] 4C B9 C6 JMP $C6B9
00C702 [004702] A9 7E 00 LDA #$007E
00C705 [004705] 85 02 STA $02
00C707 [004707] A9 00 32 LDA #$3200
00C70A [00470A] 85 00 STA $00
00C70C [00470C] AD 6B 32 LDA $326B
00C70F [00470F] 18 CLC
00C710 [004710] 65 00 ADC $00
00C712 [004712] 85 00 STA $00
00C714 [004714] A9 00 00 LDA #$0000
00C717 [004717] E2 20 SEP #$20
00C719 [004719] A7 00 LDA [$00]
00C71B [00471B] C2 20 REP #$20
00C71D [00471D] 1A INC
00C71E [00471E] 85 04 STA $04
00C720 [004720] AD 77 32 LDA $3277
00C723 [004723] 18 CLC
00C724 [004724] 65 04 ADC $04
00C726 [004726] 85 00 STA $00
00C728 [004728] 8D 77 32 STA $3277
00C72B [00472B] 4C E2 C6 JMP $C6E2
00C72E [00472E] AD 75 32 LDA $3275
00C731 [004731] 85 00 STA $00
00C733 [004733] AD 71 32 LDA $3271
00C736 [004736] 85 04 STA $04
00C738 [004738] A2 01 00 LDX #$0001
00C73B [00473B] A5 00 LDA $00
00C73D [00473D] 38 SEC
00C73E [00473E] E5 04 SBC $04
00C740 [004740] A8 TAY
00C741 [004741] D0 01 BNE $00C744
00C743 [004743] CA DEX
00C744 [004744] 86 14 STX $14
00C746 [004746] 8A TXA
00C747 [004747] D0 03 BNE $00C74C
00C749 [004749] 82 11 00 BRL $00C75D
00C74C [00474C] 64 00 STZ $00
00C74E [00474E] AD 85 32 LDA $3285
00C751 [004751] 85 04 STA $04
00C753 [004753] 38 SEC
00C754 [004754] A5 00 LDA $00
00C756 [004756] E5 04 SBC $04
00C758 [004758] 85 00 STA $00
00C75A [00475A] 8D 85 32 STA $3285
00C75D [00475D] AD 73 32 LDA $3273
00C760 [004760] 85 00 STA $00
00C762 [004762] AD 6F 32 LDA $326F
00C765 [004765] 85 04 STA $04
00C767 [004767] A2 01 00 LDX #$0001
00C76A [00476A] A5 00 LDA $00
00C76C [00476C] 38 SEC
00C76D [00476D] E5 04 SBC $04
00C76F [00476F] A8 TAY
00C770 [004770] D0 01 BNE $00C773
00C772 [004772] CA DEX
00C773 [004773] 86 14 STX $14
00C775 [004775] 8A TXA
00C776 [004776] D0 03 BNE $00C77B
00C778 [004778] 82 11 00 BRL $00C78C
00C77B [00477B] 64 00 STZ $00
00C77D [00477D] AD 83 32 LDA $3283
00C780 [004780] 85 04 STA $04
00C782 [004782] 38 SEC
00C783 [004783] A5 00 LDA $00
00C785 [004785] E5 04 SBC $04
00C787 [004787] 85 00 STA $00
00C789 [004789] 8D 83 32 STA $3283
00C78C [00478C] A9 7E 00 LDA #$007E
00C78F [00478F] 85 02 STA $02
00C791 [004791] A9 00 32 LDA #$3200
00C794 [004794] 85 00 STA $00
00C796 [004796] AD 6B 32 LDA $326B
00C799 [004799] 18 CLC
00C79A [00479A] 65 00 ADC $00
00C79C [00479C] 85 00 STA $00
00C79E [00479E] A9 08 00 LDA #$0008
00C7A1 [0047A1] 85 04 STA $04
00C7A3 [0047A3] E2 20 SEP #$20
00C7A5 [0047A5] 87 00 STA [$00]
00C7A7 [0047A7] C2 20 REP #$20
00C7A9 [0047A9] AD 71 32 LDA $3271
00C7AC [0047AC] 85 00 STA $00
00C7AE [0047AE] A0 05 00 LDY #$0005
00C7B1 [0047B1] 0A ASL
00C7B2 [0047B2] 88 DEY
00C7B3 [0047B3] D0 FC BNE $00C7B1
00C7B5 [0047B5] 85 00 STA $00
00C7B7 [0047B7] AD 6F 32 LDA $326F
00C7BA [0047BA] 0A ASL
00C7BB [0047BB] 85 04 STA $04
00C7BD [0047BD] 18 CLC
00C7BE [0047BE] 65 00 ADC $00
00C7C0 [0047C0] 8D 6B 32 STA $326B
00C7C3 [0047C3] AD 6B 32 LDA $326B
00C7C6 [0047C6] 18 CLC
00C7C7 [0047C7] 69 42 00 ADC #$0042
00C7CA [0047CA] 0A ASL
00C7CB [0047CB] 85 00 STA $00
00C7CD [0047CD] A9 7E 00 LDA #$007E
00C7D0 [0047D0] 85 06 STA $06
00C7D2 [0047D2] A9 00 20 LDA #$2000
00C7D5 [0047D5] 18 CLC
00C7D6 [0047D6] 65 00 ADC $00
00C7D8 [0047D8] 85 04 STA $04
00C7DA [0047DA] 64 00 STZ $00
00C7DC [0047DC] A5 00 LDA $00
00C7DE [0047DE] 87 04 STA [$04]
00C7E0 [0047E0] AD 6B 32 LDA $326B
00C7E3 [0047E3] 18 CLC
00C7E4 [0047E4] 69 43 00 ADC #$0043
00C7E7 [0047E7] 0A ASL
00C7E8 [0047E8] 85 00 STA $00
00C7EA [0047EA] A9 7E 00 LDA #$007E
00C7ED [0047ED] 85 06 STA $06
00C7EF [0047EF] A9 00 20 LDA #$2000
00C7F2 [0047F2] 18 CLC
00C7F3 [0047F3] 65 00 ADC $00
00C7F5 [0047F5] 85 04 STA $04
00C7F7 [0047F7] 64 00 STZ $00
00C7F9 [0047F9] A5 00 LDA $00
00C7FB [0047FB] 87 04 STA [$04]
00C7FD [0047FD] AD 6B 32 LDA $326B
00C800 [004800] 18 CLC
00C801 [004801] 69 63 00 ADC #$0063
00C804 [004804] 0A ASL
00C805 [004805] 85 00 STA $00
00C807 [004807] A9 7E 00 LDA #$007E
00C80A [00480A] 85 06 STA $06
00C80C [00480C] A9 00 28 LDA #$2800
00C80F [00480F] 18 CLC
00C810 [004810] 65 00 ADC $00
00C812 [004812] 85 04 STA $04
00C814 [004814] A7 04 LDA [$04]
00C816 [004816] 38 SEC
00C817 [004817] E9 00 04 SBC #$0400
00C81A [00481A] 87 04 STA [$04]
00C81C [00481C] AD 6B 32 LDA $326B
00C81F [00481F] 18 CLC
00C820 [004820] 69 64 00 ADC #$0064
00C823 [004823] 0A ASL
00C824 [004824] 85 00 STA $00
00C826 [004826] A9 7E 00 LDA #$007E
00C829 [004829] 85 06 STA $06
00C82B [00482B] A9 00 28 LDA #$2800
00C82E [00482E] 18 CLC
00C82F [00482F] 65 00 ADC $00
00C831 [004831] 85 04 STA $04
00C833 [004833] A7 04 LDA [$04]
00C835 [004835] 38 SEC
00C836 [004836] E9 00 04 SBC #$0400
00C839 [004839] 87 04 STA [$04]
00C83B [00483B] F4 26 04 PEA #$0426
00C83E [00483E] F4 F5 00 PEA #$00F5
00C841 [004841] F4 7E 00 PEA #$007E
00C844 [004844] F4 00 20 PEA #$2000
00C847 [004847] E2 20 SEP #$20
00C849 [004849] A9 08 LDA #$08
00C84B [00484B] 48 PHA
00C84C [00484C] C2 20 REP #$20
00C84E [00484E] AD 77 32 LDA $3277
00C851 [004851] 48 PHA
00C852 [004852] 22 A1 D6 00 JSL $00D6A1
00C856 [004856] 3B TSC
00C857 [004857] 18 CLC
00C858 [004858] 69 0B 00 ADC #$000B
00C85B [00485B] 1B TCS
00C85C [00485C] AD 77 32 LDA $3277
00C85F [00485F] 85 00 STA $00
00C861 [004861] AD 79 32 LDA $3279
00C864 [004864] 85 04 STA $04
00C866 [004866] A5 00 LDA $00
00C868 [004868] C5 04 CMP $04
00C86A [00486A] F0 05 BEQ $00C871
00C86C [00486C] 90 03 BCC $00C871
00C86E [00486E] 82 03 00 BRL $00C874
00C871 [004871] 82 27 00 BRL $00C89B
00C89B [00489B] 22 69 E0 00 JSL $00E069
00C89F [00489F] F4 00 08 PEA #$0800
00C8A2 [0048A2] F4 00 00 PEA #$0000
00C8A5 [0048A5] F4 7E 00 PEA #$007E
00C8A8 [0048A8] F4 00 20 PEA #$2000
00C8AB [0048AB] 22 91 DF 00 JSL $00DF91
00C8AF [0048AF] 3B TSC
00C8B0 [0048B0] 18 CLC
00C8B1 [0048B1] 69 08 00 ADC #$0008
00C8B4 [0048B4] 1B TCS
00C8B5 [0048B5] F4 00 08 PEA #$0800
00C8B8 [0048B8] F4 00 04 PEA #$0400
00C8BB [0048BB] F4 7E 00 PEA #$007E
00C8BE [0048BE] F4 00 28 PEA #$2800
00C8C1 [0048C1] 22 91 DF 00 JSL $00DF91
00C8C5 [0048C5] 3B TSC
00C8C6 [0048C6] 18 CLC
00C8C7 [0048C7] 69 08 00 ADC #$0008
00C8CA [0048CA] 1B TCS
00C8CB [0048CB] AD 6D 32 LDA $326D
00C8CE [0048CE] 85 00 STA $00
00C8D0 [0048D0] C9 00 00 CMP #$0000
00C8D3 [0048D3] F0 03 BEQ $00C8D8
00C8D5 [0048D5] 82 04 00 BRL $00C8DC
00C8D8 [0048D8] 22 B5 CD 00 JSL $00CDB5
00C8DC [0048DC] 22 35 D1 00 JSL $00D135
00C8E0 [0048E0] 22 69 E0 00 JSL $00E069
00C8E4 [0048E4] 3B TSC
00C8E5 [0048E5] 18 CLC
00C8E6 [0048E6] 69 01 00 ADC #$0001
00C8E9 [0048E9] 1B TCS
00C8EA [0048EA] 6B RTL
----------------
I gave it to AI to reverse: the core logic of the code revolves around the state in $328B. By extracting specific bit flags from $328B (such as $0080, $0100, $0200, $0400, $0800, $1000, $2000, etc.), the program determines its current state.
Depending on which bits are set, the program dispatches to different handling branches. For example, if bit $0080 is set it jumps to a specific handler, otherwise it continues checking the other bits.
Searching for 328B, there is one at the start:
Here the value at address 39 is stored into 328B, and address 39 holds exactly the button value stored earlier. It all connects. Great. Next is reversing each button's effect on location 0x7F0000.
The buttons that have an effect are as follows. A button:
00C0C0 [0040C0] 29 80 00 AND #$0080
00C0C3 [0040C3] 85 00 STA $00
00C0C5 [0040C5] A5 00 LDA $00
00C0C7 [0040C7] D0 03 BNE $00C0CC
00C0C9 [0040C9] 82 73 01 BRL $00C23F
00C0CC [0040CC] AD 8B 32 LDA $328B
左键
00C2A1 [0042A1] 29 00 02 AND #$0200 00C2A4 [0042A4] 85 00 STA $00 00C2A6 [0042A6] A5 00 LDA $00 00C2A8 [0042A8] D0 03 BNE $00C2AD 00C2AA [0042AA] 82 56 00 BRL $00C303 00C2AD [0042AD] AD 81 32 LDA $3281 00C2B0 [0042B0] 3A DEC 00C2B1 [0042B1] 3A DEC 00C2B2 [0042B2] 8D 81 32 STA $3281 00C2B5 [0042B5] AD 90 32 LDA $3290 00C2B8 [0042B8] 85 00 STA $00 00C2BA [0042BA] AD 8B 32 LDA $328B 00C2BD [0042BD] 85 04 STA $04 00C2BF [0042BF] A2 01 00 LDX #$0001 00C2C2 [0042C2] A5 00 LDA $00 00C2C4 [0042C4] 38 SEC 00C2C5 [0042C5] E5 04 SBC $04 00C2C7 [0042C7] A8 TAY 00C2C8 [0042C8] D0 01 BNE $00C2CB 00C2CA [0042CA] CA DEX 00C2CB [0042CB] 86 14 STX $14 00C2CD [0042CD] 8A TXA 00C2CE [0042CE] D0 03 BNE $00C2D3 00C2D0 [0042D0] 82 17 00 BRL $00C2EA 00C2D3 [0042D3] AD 92 32 LDA $3292 00C2D6 [0042D6] 85 00 STA $00 00C2D8 [0042D8] A2 01 00 LDX #$0001 00C2DB [0042DB] 38 SEC 00C2DC [0042DC] E9 00 00 SBC #$0000 00C2DF [0042DF] A8 TAY 00C2E0 [0042E0] F0 02 BEQ $00C2E4 00C2E2 [0042E2] B0 01 BCS $00C2E5 00C2E4 [0042E4] CA DEX 00C2E5 [0042E5] 86 14 STX $14 00C2E7 [0042E7] 8A TXA 00C2E8 [0042E8] D0 03 BNE $00C2ED 00C2EA [0042EA] 82 16 00 BRL $00C303 00C2ED [0042ED] AD 92 32 LDA $3292 00C2F0 [0042F0] 85 00 STA $00 00C2F2 [0042F2] 85 04 STA $04 00C2F4 [0042F4] A5 02 LDA $02 00C2F6 [0042F6] 85 06 STA $06 00C2F8 [0042F8] 18 CLC 00C2F9 [0042F9] A5 00 LDA $00 00C2FB [0042FB] 69 FF FF ADC #$FFFF 00C2FE [0042FE] 85 00 STA $00 00C300 [004300] 8D 92 32 STA $3292 00C303 [004303] AD 8B 32 LDA $328B
Right:
00C242 [004242] 29 00 01 AND #$0100
00C245 [004245] 85 00 STA $00
00C247 [004247] A5 00 LDA $00
00C249 [004249] D0 03 BNE $00C24E
00C24B [00424B] 82 50 00 BRL $00C29E
00C24E [00424E] AD 81 32 LDA $3281
00C251 [004251] 1A INC
00C252 [004252] 1A INC
00C253 [004253] 8D 81 32 STA $3281
00C256 [004256] AD 90 32 LDA $3290
00C259 [004259] 85 00 STA $00
00C25B [00425B] AD 8B 32 LDA $328B
00C25E [00425E] 85 04 STA $04
00C260 [004260] A2 01 00 LDX #$0001
00C263 [004263] A5 00 LDA $00
00C265 [004265] 38 SEC
00C266 [004266] E5 04 SBC $04
00C268 [004268] A8 TAY
00C269 [004269] D0 01 BNE $00C26C
00C26B [00426B] CA DEX
00C26C [00426C] 86 14 STX $14
00C26E [00426E] 8A TXA
00C26F [00426F] D0 03 BNE $00C274
00C271 [004271] 82 15 00 BRL $00C289
00C274 [004274] AD 92 32 LDA $3292
00C277 [004277] 85 00 STA $00
00C279 [004279] A2 01 00 LDX #$0001
00C27C [00427C] 38 SEC
00C27D [00427D] E9 02 00 SBC #$0002
00C280 [004280] A8 TAY
00C281 [004281] 90 01 BCC $00C284
00C283 [004283] CA DEX
00C284 [004284] 86 14 STX $14
00C286 [004286] 8A TXA
00C287 [004287] D0 03 BNE $00C28C
00C289 [004289] 82 12 00 BRL $00C29E
00C28C [00428C] AD 92 32 LDA $3292
00C28F [00428F] 85 00 STA $00
00C291 [004291] 85 04 STA $04
00C293 [004293] A5 02 LDA $02
00C295 [004295] 85 06 STA $06
00C297 [004297] E6 00 INC $00
00C299 [004299] A5 00 LDA $00
00C29B [00429B] 8D 92 32 STA $3292
00C29E [00429E] AD 8B 32 LDA $328B
Up:
00C306 [004306] 29 00 08 AND #$0800
00C309 [004309] 85 00 STA $00
00C30B [00430B] A5 00 LDA $00
00C30D [00430D] D0 03 BNE $00C312
00C30F [00430F] 82 4B 00 BRL $00C35D
00C312 [004312] AD 90 32 LDA $3290
00C315 [004315] 85 00 STA $00
00C317 [004317] AD 8B 32 LDA $328B
00C31A [00431A] 85 04 STA $04
00C31C [00431C] A2 01 00 LDX #$0001
00C31F [00431F] A5 00 LDA $00
00C321 [004321] 38 SEC
00C322 [004322] E5 04 SBC $04
00C324 [004324] A8 TAY
00C325 [004325] D0 01 BNE $00C328
00C327 [004327] CA DEX
00C328 [004328] 86 14 STX $14
00C32A [00432A] 8A TXA
00C32B [00432B] D0 03 BNE $00C330
00C32D [00432D] 82 2D 00 BRL $00C35D
00C330 [004330] A9 7F 00 LDA #$007F
00C333 [004333] 85 02 STA $02
00C335 [004335] A9 00 00 LDA #$0000
00C338 [004338] 85 00 STA $00
00C33A [00433A] AD 92 32 LDA $3292
00C33D [00433D] 18 CLC
00C33E [00433E] 65 00 ADC $00
00C340 [004340] 85 00 STA $00
00C342 [004342] A9 00 00 LDA #$0000
00C345 [004345] E2 20 SEP #$20
00C347 [004347] A7 00 LDA [$00]
00C349 [004349] C2 20 REP #$20
00C34B [00434B] 85 04 STA $04
00C34D [00434D] 85 08 STA $08
00C34F [00434F] A5 06 LDA $06
00C351 [004351] 85 0A STA $0A
00C353 [004353] E6 04 INC $04
00C355 [004355] E2 20 SEP #$20
00C357 [004357] A5 04 LDA $04
00C359 [004359] 87 00 STA [$00]
00C35B [00435B] C2 20 REP #$20
00C35D [00435D] AD 8B 32 LDA $328B
Down:
00C360 [004360] 29 00 04 AND #$0400
00C363 [004363] 85 00 STA $00
00C365 [004365] A5 00 LDA $00
00C367 [004367] D0 03 BNE $00C36C
00C369 [004369] 82 4B 00 BRL $00C3B7
00C36C [00436C] AD 90 32 LDA $3290
00C36F [00436F] 85 00 STA $00
00C371 [004371] AD 8B 32 LDA $328B
00C374 [004374] 85 04 STA $04
00C376 [004376] A2 01 00 LDX #$0001
00C379 [004379] A5 00 LDA $00
00C37B [00437B] 38 SEC
00C37C [00437C] E5 04 SBC $04
00C37E [00437E] A8 TAY
00C37F [00437F] D0 01 BNE $00C382
00C381 [004381] CA DEX
00C382 [004382] 86 14 STX $14
00C384 [004384] 8A TXA
00C385 [004385] D0 03 BNE $00C38A
00C387 [004387] 82 2D 00 BRL $00C3B7
00C38A [00438A] A9 7F 00 LDA #$007F
00C38D [00438D] 85 02 STA $02
00C38F [00438F] A9 00 00 LDA #$0000
00C392 [004392] 85 00 STA $00
00C394 [004394] AD 92 32 LDA $3292
00C397 [004397] 18 CLC
00C398 [004398] 65 00 ADC $00
00C39A [00439A] 85 00 STA $00
00C39C [00439C] A9 00 00 LDA #$0000
00C39F [00439F] E2 20 SEP #$20
00C3A1 [0043A1] A7 00 LDA [$00]
00C3A3 [0043A3] C2 20 REP #$20
00C3A5 [0043A5] 85 04 STA $04
00C3A7 [0043A7] 85 08 STA $08
00C3A9 [0043A9] A5 06 LDA $06
00C3AB [0043AB] 85 0A STA $0A
00C3AD [0043AD] C6 04 DEC $04
00C3AF [0043AF] E2 20 SEP #$20
00C3B1 [0043B1] A5 04 LDA $04
00C3B3 [0043B3] 87 00 STA [$00]
00C3B5 [0043B5] C2 20 REP #$20
00C3B7 [0043B7] AD 8B 32 LDA $328B
R button:
00C3D8 [0043D8] 29 10 00 AND #$0010
00C3DB [0043DB] 85 00 STA $00
00C3DD [0043DD] A5 00 LDA $00
00C3DF [0043DF] D0 03 BNE $00C3E4
00C3E1 [0043E1] 82 20 00 BRL $00C404
00C3E4 [0043E4] F4 03 00 PEA #$0003
00C3E7 [0043E7] F4 7F 00 PEA #$007F
00C3EA [0043EA] F4 00 00 PEA #$0000
00C3ED [0043ED] 64 02 STZ $02
00C3EF [0043EF] 3B TSC
00C3F0 [0043F0] 18 CLC
00C3F1 [0043F1] 69 07 00 ADC #$0007
00C3F4 [0043F4] D4 02 PEI $02
00C3F6 [0043F6] 48 PHA
00C3F7 [0043F7] 22 01 83 01 JSL $018301
--------sub start--------
018301 [008301] A3 04 LDA $04,S
018303 [008303] 85 00 STA $00
018305 [008305] A8 TAY
018306 [008306] A3 08 LDA $08,S
018308 [008308] AA TAX
018309 [008309] A3 0A LDA $0A,S
01830B [00830B] EB XBA
01830C [00830C] 03 06 ORA $06,S
01830E [00830E] 85 29 STA $29
018310 [008310] A3 0C LDA $0C,S
018312 [008312] F0 0A BEQ $01831E
018314 [008314] 3A DEC
018315 [008315] 8B PHB
018316 [008316] 20 28 00 JSR $0028
018319 [008319] AB PLB
01831A [00831A] A3 06 LDA $06,S
01831C [00831C] 85 02 STA $02
01831E [00831E] 6B RTL
----------------
I couldn't reverse it any further, so I set a memory watch breakpoint. The logic is: the value is fetched by indirect addressing through $00, 1 is added to it, and it is written back.
The contents of address $00 are obtained as follows:
Below is the offset: $3292 holds the offset, which is added to the original position value (which is zero, since it was zeroed just before) and stored back in the same location.
$3292 holds the offset. I set a breakpoint to see how it changes and found that moving left and right changes it.
Search directly for instructions that reference $3292.
Found in the Left handler: it takes the contents of $3292, stores them at $00, loads them into A, adds -1, and stores the result back to $3292.
So the final goal is simply to turn the value into DEDF, while also making sure the ball does not fall.
Because 1 is added automatically, the value to aim for is DEDE: first subtract 1 so it wraps to 0xff, then keep subtracting down to 0xDE. It is a bit of a test of finger speed.
The writeup says the A button can be used as a helper that changes the value by 0x10 at a time, which might be more convenient, but I didn't think of that; it doesn't seem necessary anyway, it is just a little demanding on finger speed.
But this instruction is in:
00C197 [004197] 29 00 08 AND #$0800
00C19A [00419A] 85 00 STA $00
00C19C [00419C] A5 00 LDA $00
00C19E [00419E] D0 03 BNE $00C1A3
00C1A0 [0041A0] 82 45 00 BRL $00C1E8
00C1A3 [0041A3] AD 90 32 LDA $3290
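To make the Up/Down/Left/Right logic above concrete, here is an added Python model (not the challenge's or the author's code) of the four handlers as read from the listings, plus a helper that computes the press sequence for the DEDE plan; the offset bounds are taken from the listings, and the $3290/$328B check and the $3281 update are left out as noted in the comments.

```python
# Constructed model of the D-pad handlers in the listings above (not the game's own
# code): Up/Down INC/DEC one byte at $7F0000 + [$3292]; Left/Right move the $3292
# offset by -1/+1 with the bounds the listings show (Left no-op at 0, Right at >= 2).
# Not modeled: the $3290 vs $328B test before each handler (assumed to be a
# button-changed check) and the $3281 +/-2 update in Left/Right.

WRAM_BASE = 0x7F0000  # $02 = $7F and $00 = $3292 before LDA/STA [$00]

class DpadModel:
    def __init__(self):
        self.offset = 0  # contents of $3292
        self.mem = {}    # sparse bytes of bank $7F, unset bytes read as 0

    def byte(self):
        return self.mem.get(WRAM_BASE + self.offset, 0)

    def up(self):
        # SEP #$20 ; LDA [$00] ; INC ; STA [$00]  (8-bit, wraps 0xFF -> 0x00)
        self.mem[WRAM_BASE + self.offset] = (self.byte() + 1) & 0xFF

    def down(self):
        # same with DEC (wraps 0x00 -> 0xFF), which the DEDE plan relies on
        self.mem[WRAM_BASE + self.offset] = (self.byte() - 1) & 0xFF

    def left(self):
        # SBC #$0000 / BEQ skips when the offset is 0, else ADC #$FFFF into $3292
        if self.offset != 0:
            self.offset -= 1

    def right(self):
        # SBC #$0002 / BCC: INC $00 into $3292 only while the offset is < 2
        if self.offset < 2:
            self.offset += 1

def presses_for_byte(current, target):
    """Cheaper direction ('up'/'down') and press count from current to target."""
    ups = (target - current) & 0xFF
    downs = (current - target) & 0xFF
    return ("up", ups) if ups <= downs else ("down", downs)

def plan_word(model, target_word):
    """Press sequence writing target_word little-endian at offsets 0 and 1."""
    seq = []
    for i in range(2):
        direction, n = presses_for_byte(model.byte(), (target_word >> (8 * i)) & 0xFF)
        for _ in range(n):
            getattr(model, direction)()
            seq.append(direction)
        if i == 0:
            model.right()
            seq.append("right")
    return seq
```

Starting from all-zero bytes, plan_word(DpadModel(), 0xDEDE) is 34 Down presses, one Right, and 34 more Down presses, matching the wrap-to-0xff-then-count-down plan described above.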
Summary
I feel my reversing skills still need work; this mostly relied on reversing plus guessing from the usual problem-solving approach.