TSX, I need Help.

For standard data there is always a header block and a data block.
If the header block determines that the data block is a binary data block, then inside this (data block) the first 6 bytes determine the start/end/execution addresses.

Hi gdx,

You are not going to "directly" find the start/execution addresses of the game because that TSX contains the Red Point custom loader, which is for copy protection. What you are calling "data" starting a 0x133 is part of the loader start address. However, the actual loader data starts at offset 0x138! As the loader is encoded using TZX BLOCK #4B, but not the rest of the blocks, the only addresses that you can "directly" see are the load, end, and execution addresses of the loader, located at offsets 0x132, 0x134, and 0x136, respectively. These are 0xC350, 0xD36B, 0xC350.

However, if the addresses you are looking for are the actual game addresses, you need to know that these ones are encrypted. They are not easy to find because you need to know exactly how the loader and protection work. In addition to that, this TSX file is encoded using BLOCK #15, which makes it even harder for the identification of those address.

However, I can tell you that you can find them (encoded), somewhere after the offset 0x14840. First, search for the hexadecimal sequence "154F00". With that, what you actually find is the four headers of the four BLOCKS #15.

* 1st block: Encodes the Red Point splash screen!

* 2nd block: Encodes some proprietary data used by the loader for the countdown counter you see at top-right corner during the load.

* 3er block: Encodes what you are looking for:
* Data Block Size
* Load Start Address
* Execution Address
* End Address

* 4th block: The actual game data encoded using the Red Point proprietary format, called ITM (because of the file extension they used, named after their copy software: Intermega).

If you really want to see these addresses with your eyes, you can try the TSX version of this game encoded as BLOCK #11:

http://www.mediafire.com/file/xpg0r1p4s6wis92/bang_-_block11.tsx/file

In that file, the addresses are exactly at the following offsets:

* Load Start Address: 0x1C5D
* Execution Address: 0x1C5F
* End Address: 0x1C61

However, the addresses are encoded, so the WORD values at those offsets have to be decoded. First, you need to apply 1-bit "circular" rotation to the left, to each byte, and then you have to decrypt the resulting WORD values with an XOR using 0xAAAA, as shown below, only for the load address:

Load Start Address:

First, 0x5512 is decoded as 0xAA24:
0x55 << 1 = 0xAA
0x12 << 1 = 0x24

And then, 0xAA24 is decrypted:
0xAA24 XOR 0xAAAA = 0x008E

Because the values are stored as little-endian, the actual load address is 0x8E00. You can decode the rest!!! Also, keep in mind that the last byte of each BLOCK #11 is the CRC of the whole block, which is encoded diferently.

FYI and others who might be interested in this protection, I have been working on a project for the development of a tool that covers all this. The project is about the preservation of the ITM format for the creation of ITM files, but the tool also allows for the creation of protected floppy disks and cassette tape images using the Red Point protection, and it comes with stand-alone ITM loaders to directly load separate ITM files stored in FAT12 partitions. I will release all that soon, but I am still working on the review of the help manual.

Wow, thank you very much.
Okay, I chose the wrong game as an example. I thought I would take a simple little game as an example to understand the basics of TSX format, and bad pickaxe. In addition, I was offset by one byte. I was nowhere near understanding. Fortunately, you intervened. I would have liked to convert this game to ROM but I am putting it off until later. It might take some time.