Generating the Binary for Apple II Elite

As noted in the project description, the Elite binaries are split into pieces and scrambled. The game occupies about 45KB of RAM, which doesn't leave room for much else (it does not use any RAM in the Language Card).

There are five files on the disk:

  1. ELITE - Applesoft BASIC program that BRUNs ELA and then BRUNs SEC3.
  2. ELA - first half of game. Loads from $A00-711F, and includes a title screen from $2000-3FFF. When run, it turns the hi-res screen on, copies $4000-6FFF to $D000-FFFF in LC bank 1, and returns. Experiments indicate that the LC data is not actually used.
  3. SCRN - about 2K of graphics data, loaded by SEC3.
  4. ELB1 - second half of game, loaded by SEC3.
  5. SEC3 - second-stage loader. Loads from $2000-24F9, overwriting some of the title screen with garbage. Because the code and buffers live on the hi-res screen, you can watch it working. It copies $4000-6FFF to $9000-BFFF (yes, the same range that ELA copied from). It then uses custom DOS and RWTS routines to load SCRN at $200-A80 (the file is only 2047 bytes, but it reads 2177 into memory, pulling some zeroes out of the unused part of the last disk sector). Next, it loads ELB1 at $4000-8FFF, and jumps to $4000. (This overwrites the ELA contents from $7000+, which were not relocated earlier, so we can assume those are garbage.)

Some of the filenames have a Ctrl+E in them in an apparent attempt to confuse people examining the disk.

When ELB1 gets control at $4000, it copies $200-9FF to $2000-27FF, in a mostly-successful attempt to restore the damage done to the hi-res screen by SEC3. (This is necessary because the graphics for everything outside the viewport aren't stored anywhere else -- much of the title screen is there for the entire game.) It then calls $459F, which is where things get ugly: the code performs a rolling subtraction on the bytes from $B60-1FFF and $45EA-BFFE. This obfuscation was probably done to deter prying eyes, and prevents us from disassembling most of the code. (They did a second obfuscation pass on the text strings, which is part of why you won't spot many in the listing.)

It's annoying to have the program spread across two files, and we need to descramble the data, so the best thing to do is to write a program that assembles the various pieces into a single binary that we can work on. What we're trying to put together is:

There are no gaps, which is convenient. SEC3 is just a file loader, and is overwritten when the hi-res screen is redrawn, so we don't need anything from that. Experiments showed that SCRN is strictly cosmetic, and so does not need to be included since we're not trashing the screen with SEC3.

A short C program, descram_elite.cpp, does all of the necessary work when provided with copies of ELA and ELB1 extracted with CiderPress (make sure to select "configure to preserve Apple II formats" when extracting the files).

Normally the game starts with a call to $4000, but that would do the SCRN memory move and repeat the descrambling step, which we don't want. Instead, we want to start execution at $4592.

Testing it is a little tricky because there's very little space left in memory. You can either write a custom loader, or use an AppleWin debugger feature: start the emulator and get to a BASIC prompt. Hit F7 to enter the debugger, then BLOAD "ELITE",A00 to pull the whole thing into memory. Hit F7 again to exit the debugger, then CALL 17810.

Copyright 2020 by Andy McFadden