------Curious George Goes Shopping----- A 4am crack 2014-04-02 --------------------------------------- Curious George Goes Shopping is a 1989 educational game designed by DLM, Inc. (Developmental Learning Materials) and programmed by Ahead Designs. I can not find any copies of this disk online, so this may be the first time it's ever been preserved. COPYA copies both sides of the original disk without complaint, but the copy doesn't actually work. It boots into ProDOS, does some disk activity, then displays a graphical error message, "I/O ERROR # 070. FILE: L55". (There are several files on the disk named L00, L01, and so on, but no L55, so I suspect this is a red herring.) I can boot from my ProDOS-based hard drive and get a file catalog of the non-working copy. ]PR#6 ... ]PREFIX /GEO3 ]CAT /GEO3 NAME TYPE BLOCKS MODIFIED PRODOS SYS 32 17-APR-87 START.SYSTEM SYS 3 19-JAN-89 INTREN0 BIN 12 4-FEB-89 INTREN1 BIN 18 4-FEB-89 STKPATS BIN 58 4-FEB-89 OSTRINGS BIN 3 4-FEB-89 ACTCOM BIN 14 4-FEB-89 L00 BIN 24 9-FEB-89 L01 BIN 23 5-FEB-89 L10 BIN 11 5-FEB-89 L12 BIN 5 5-FEB-89 L14 BIN 5 5-FEB-89 L16 BIN 5 5-FEB-89 L18 BIN 4 5-FEB-89 L20 BIN 4 5-FEB-89 S01.0 BIN 6 19-DEC-88 S10.0 BIN 4 19-JAN-89 S11.0 BIN 3 10-DEC-88 S18.0 BIN 3 12-DEC-88 S18.1 BIN 1 12-DEC-88 BLOCKS FREE: 35 BLOCKS USED: 245 ProDOS always runs the first .SYSTEM file in the root directory, and it always loads it at address $2000. ]BLOAD START.SYSTEM,A$2000,TSYS ]CALL -151 Scanning through the code one page at a time, nothing stands out until I get to this routine at $21C2: 21C2- A9 60 LDA #$60 21C4- 8D 9B 22 STA $229B 21C7- A9 05 LDA #$05 21C9- 8D 9C 22 STA $229C 21CC- AE 9B 22 LDX $229B 21CF- BD 8E C0 LDA $C08E,X ; turning on the disk motor manually is ; a dead giveaway that something fishy ; is going on 21D2- BD 89 C0 LDA $C089,X ; wait loop to let the disk spin up 21D5- A9 00 LDA #$00 21D7- 8D 9D 22 STA $229D 21DA- A0 00 LDY #$00 21DC- C8 INY 21DD- D0 FD BNE $21DC 21DF- EE 9D 22 INC $229D 21E2- D0 F6 BNE $21DA 21E4- A9 00 LDA #$00 21E6- 8C 9D 22 STY $229D ; wait for a nibble 21E9- 20 8F 22 JSR $228F 21EC- C8 INY 21ED- D0 08 BNE $21F7 21EF- EE 9D 22 INC $229D 21F2- D0 03 BNE $21F7 21F4- 4C 8A 22 JMP $228A ; find a specific nibble sequence 21F7- C9 D5 CMP #$D5 21F9- D0 EE BNE $21E9 21FB- 20 8F 22 JSR $228F 21FE- C9 AA CMP #$AA 2200- D0 F5 BNE $21F7 2202- 20 8F 22 JSR $228F 2205- C9 BB CMP #$BB 2207- D0 EE BNE $21F7 ; do some math on the next nibbles ; (don't really care how it works since ; I'm just going to bypass it later) 2209- A0 00 LDY #$00 220B- 20 8F 22 JSR $228F 220E- 38 SEC 220F- 2A ROL 2210- 8D 9D 22 STA $229D 2213- 20 8F 22 JSR $228F 2216- 2D 9D 22 AND $229D 2219- 99 9E 22 STA $229E,Y 221C- C8 INY 221D- C0 02 CPY #$02 221F- D0 EA BNE $220B 2221- A0 00 LDY #$00 2223- 20 8F 22 JSR $228F 2226- C8 INY 2227- C0 04 CPY #$04 2229- D0 F8 BNE $2223 222B- BD 8C C0 LDA $C08C,X 222E- 10 FB BPL $222B 2230- C9 FF CMP #$FF 2232- D0 4E BNE $2282 2234- BD 8D C0 LDA $C08D,X 2237- A0 10 LDY #$10 2239- A5 09 LDA $09 223B- BD 8C C0 LDA $C08C,X 223E- 10 FB BPL $223B 2240- 88 DEY 2241- F0 3F BEQ $2282 2243- C9 EE CMP #$EE 2245- D0 F4 BNE $223B 2247- A0 00 LDY #$00 2249- BD 8C C0 LDA $C08C,X 224C- 10 FB BPL $2249 224E- 99 A0 22 STA $22A0,Y 2251- C8 INY 2252- C0 04 CPY #$04 2254- D0 F3 BNE $2249 2256- AD 9E 22 LDA $229E 2259- CD 95 22 CMP $2295 225C- D0 24 BNE $2282 225E- AD 9F 22 LDA $229F 2261- CD 96 22 CMP $2296 2264- D0 1C BNE $2282 2266- A0 00 LDY #$00 2268- B9 A0 22 LDA $22A0,Y 226B- 49 87 EOR #$87 226D- 38 SEC 226E- E9 01 SBC #$01 2270- D9 97 22 CMP $2297,Y 2273- D0 0D BNE $2282 2275- 99 A0 22 STA $22A0,Y 2278- C8 INY 2279- C0 04 CPY #$04 227B- D0 EB BNE $2268 ; ah, this is the important bit: ; if everything checks out, turn off ; the disk motor and clear the carry 227D- BD 88 C0 LDA $C088,X 2280- 18 CLC 2281- 60 RTS 2282- CE 9C 22 DEC $229C 2285- F0 03 BEQ $228A 2287- 4C E4 21 JMP $21E4 ; if the nibble check failed, turn ; off the disk motor and set the carry 228A- BD 88 C0 LDA $C088,X 228D- 38 SEC 228E- 60 RTS 228F- BD 8C C0 LDA $C08C,X 2292- 10 FB BPL $228F 2294- 60 RTS Further searching indicates that $21C2 is indeed the entry point for the subroutine, and that it is only called once, from $20AA: 20AA- 20 C2 21 JSR $21C2 20AD- 90 05 BCC $20B4 20AF- A9 FF LDA #$FF 20B1- 8D 82 1F STA $1F82 As I would expect, the caller checks the carry bit afterwards. If it's clear, the nibble check passed. Let's "simplify" that subroutine a bit so it clears the carry bit and exits. *21C2:18 60 *BSAVE START.SYSTEM,A$2000,TSYS Rebooting, the game boots and runs without complaint. The copy protection appears to be a one-and-done thing during startup. Quod erat liberandum. --------------------------------------- A 4am crack 2014-04-02 -------------------EOF-----------------