Jet Set Willy & Manic Miner Community

Jsw2 Loader Differences


Spider


There are three official releases of JSW2. I'm not counting the 'JSW2-128' version here, as far as I'm aware this was not in any way 'official', as it incorporates a built-in cheat mode. Feedback on this point is appreciated. To quote the readme:

With that said the official versions are:
 
1. The Software Projects release
2. The DroSoft Re-Release
3. The Ricochet Re-Release
 
The loading screen is the same for all versions so one pic will suffice:
 
jsw2.loadingpic.jpg
 
Software Projects
 
This is the only release that has some protection on it: a small piece of BASIC containing assembly to headerless-load the game code (47416 bytes), and the keypad routine as per JSW1, albeit this one has seven pages instead of one.
 
jsw2_keypad.jpg
 
loader_jsw_sp.jpg

To make life easier for myself after examining the basic itself I then decided to simply use a fake header to load the 'basic' at a higher address, and then examined the loader section, ie all code after the section of
My understanding of Z80 is not good (to say the least) so any thoughts / suggestions on my comments to the code are appreciated along with any errors I've made. :)
 
The code is thus and starts at 23832:

org 23832    ; Loader code appears to start here, seen by using a fake header on the basic.

di        ; Kill interrupts.

xor a        ; Ensure that A is going to be black (zero).
out (254), a    ; Set the border to A aka black.
ld hl, 22528    ; Setup the requirements for an LDIR so that we can blackout the screen with
ld de, 22529    ; black paper and ink. The zero written to 22528 is copied forward 800 bytes,
ld bc, 800    ; so 22529 to 23328 is cleared: the whole attribute file (22528-23295) plus the
ld (hl), a    ; first 33 bytes of the printer buffer after it. It stops short of the system
         ; variables and the BASIC area.

ldir        ; Do it!

ld sp, 63796    ; Put stack pointer somewhere up top (inside the area the load will cover).

dec a        ; A was 0, now 255: the flag byte the ROM loader expects for a data block
        ; (0 would mean a header block).

scf        ; Carry set tells the ROM routine to load rather than verify.
ex af, af'    ; Swap reg contents: the ROM routine wants flag byte and carry in AF'.
ld ix, 16384    ; Start address of data to load.
ld de, 47416    ; Length of the data to load.

call 1378    ; Enter the ROM tape loader (LD-BYTES, past its own setup) to load the headerless block.

jp nc, 0    ; Carry clear on return means a load error or BREAK: reset.
jp 36864    ; Exec the game code :)

 
 
Drosoft and Ricochet

These are identical loading-wise so I'm counting them together as one. The keypad routine is not called.
 
The loader is unprotected apart from an attribute change to 'hide' the master saver routine, shown 'as is' when first listed and then 'exposed':
 
loader_jsw2_drosoft_protected.jpg
 
loader_jsw2_drosoft.jpg
 
The game code is loaded at 25007 and appears to be 40528 bytes in length. After that a 2kb piece of code loads to 18432, then the game is started with a call to 20140. I expected this was simply to bypass the keypad routine. Turns out (thanks Jon Elliott) that it appears to be a snapshot loader, so we'd guess then that the 'snapshot' was simply taken after the keypad code was accepted.
 


I only ever had JSW2 on the 6-Pak compilation. It's 'distribution denied' so I can't check, but I'm pretty sure it had the Software Projects headerless loader but without the keypad protection; it just jumps straight to the game.

 

You must have a slightly different one then. :) I can't check that obviously; I expect it's denied because of the inclusion of '1942' in the compilation. Shame we can't get a .tzx minus that but with the rest of the compo.

 

It sounds like the original (I did have this once upon a time) but with the keypad check AWOL then, another variant.


  • 2 weeks later...

That's fine (thanks for uploading as we know it will 'stay' now unless you decided to remove it) rather than linking it. :)

 

I do have the variations of the B version to hand and they are on my 'todo' list, as there's a variation with the tape/disk versions of JSW2 iirc. The disk version is about the same (loads sections as you play); the tape version is a cut-down one, I seem to recall.

 

I'd not thought a great deal about the Electron version, although I do have it floating about somewhere (I'm on the stardot / stairway forums too btw as AndyF).

 

Unless you wanted to do the Electron version and / or just the loaders ? :)

 

EDIT... Forgot my manners :blush: Welcome!


  • 2 years later...

One observation from the loader routine. The stack is situated at 63796; the program loads from 16384 (#4000) and loads in 47416 bytes. This means all data in memory from 16384 to 63800 is overwritten. This has two consequences:

 

1) The code you are reading is overwritten by the loader. Thus the lines

 jp nc, 0
 jp 36864

will not exist when the program is loaded.

 

2) The return address from the loader is pushed onto the stack. The stack is overwritten, so after the program has loaded it will not return to the routine that called it. The return address is written by the code that is loaded.

 

The above proved enough protection that further duplication (MASTER TAPE) resorted to a snapshot loader.

Edited by Norman Sword
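The memory-map effect Norman describes, replayed as an added example (not code from the thread): it walks Spider's stub listing using the standard Z80 encoded sizes of those instructions to find where `call 1378` will return to, then marks what the 47416-byte load from 16384 overwrites. The tag values, the helper names and the `load_len` parameter are constructed for this example.

```python
"""Memory-map model of the Software Projects JSW2 loader stub (constructed
example; addresses and lengths come from the listing in the thread)."""
LOADER_ORG = 23832                    # org of the stub
BLANK_FROM, BLANK_LEN = 22528, 800    # ld hl,22528 / ld bc,800 / ldir
STACK_TOP = 63796                     # ld sp,63796
LOAD_START, LOAD_LEN = 16384, 47416   # ld ix,16384 / ld de,47416
# (mnemonic, encoded size in bytes) for each instruction, in listing order.
STUB = [
    ("di", 1), ("xor a", 1), ("out (254),a", 2),
    ("ld hl,22528", 3), ("ld de,22529", 3), ("ld bc,800", 3),
    ("ld (hl),a", 1), ("ldir", 2), ("ld sp,63796", 3),
    ("dec a", 1), ("scf", 1), ("ex af,af'", 1),
    ("ld ix,16384", 4), ("ld de,47416", 3), ("call 1378", 3),
    ("jp nc,0", 3), ("jp 36864", 3),
]
UNTOUCHED, STUB_TAG, BLANKED, STACK, LOADED = 0, 1, 2, 3, 4


def stub_addresses(org=LOADER_ORG):
    """Map each mnemonic to its address by summing instruction sizes."""
    addrs, pc = {}, org
    for mnem, size in STUB:
        addrs[mnem] = pc
        pc += size
    return addrs, pc  # pc is the first byte after the stub


def simulate(load_len=LOAD_LEN):
    """Replay the stub's memory writes and report what the load clobbers."""
    addrs, stub_end = stub_addresses()
    mem = [UNTOUCHED] * 65536
    for a in range(LOADER_ORG, stub_end):
        mem[a] = STUB_TAG
    # ld (hl),a zeroes 22528, then ldir copies that zero forward 800 bytes.
    for a in range(BLANK_FROM, BLANK_FROM + BLANK_LEN + 1):
        mem[a] = BLANKED
    # call 1378 pushes the address of the next instruction (jp nc,0) at SP-2.
    ret_addr = addrs["jp nc,0"]
    slot = (STACK_TOP - 2, STACK_TOP - 1)
    for a in slot:
        mem[a] = STACK
    # The ROM loader then writes load_len bytes from 16384 upwards.
    load_end = LOAD_START + load_len - 1
    for a in range(LOAD_START, load_end + 1):
        mem[a] = LOADED
    return {
        "return_addr_pushed": ret_addr,
        "return_slot_overwritten": all(mem[a] == LOADED for a in slot),
        "stub_overwritten": all(mem[a] == LOADED for a in range(LOADER_ORG, stub_end)),
        "load_end": load_end,
    }
```

With the thread's 47416-byte length both the stub and the pushed return address fall inside the loaded region, so the block itself decides where the ROM loader returns to; a shorter `load_len` that ends below 63794 leaves the return slot intact.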

That does make sense, thank you Norman. :)

 

My knowledge has improved a bit since I initially wrote that (thankfully!). The CALL would probably work as a JP actually (to the loader), given it's got "never to return" as such. I have seen this in other loading schemes where there's no CALL, just a JP, which made me think.

 

Inserting a b.p. at either the end of the memory, or using Zero (which allows decent b.p.'s for things like memory read/write), would make it possible to insert one into the ROM loader so when it finished it would stop at the RET point and you could examine the SP and other data to see what was really going on.

 

I do agree, I see why the re-releases were snaps though as such. The same with my 'immunity', as the codeblock was compressed a bit so I could directly alter the bytes I needed. The exception being the 'any key keypad', as that part thankfully was intact when I searched the tape file binary directly for sequences of bytes.
