----------Race Car 'Rithmetic----------
A 4am crack                  2014-05-21
---------------------------------------

"Race Car 'Rithmetic" is a 1983
educational game. It was designed by
June S. Stark and David Flatman at the
Computer Learning Center for Children,
and it was distributed by Unicorn
Software Company.

[The copy protection is identical to
"Gertrude's Secrets," which is mildly
interesting in that it was distributed
by a different company. This write-up
is therefore quite similar to that one,
with a few corrections.]

Booting the original disk sounds like a
normal DOS 3.3, complete with track
seeking to track 2, then 1, then 0,
then swinging to the middle of the disk
to read the catalog track. It even
displays a BASIC prompt during boot, as
if it's loading a HELLO program.

However, the disk is uncopyable by any
automated method. COPYA fails
instantly. EDD4 bit copy gives read
errors on track $13 and up (which
appear to be entirely unformatted). The
copy that EDD4 creates can boot, but it
only gets as far as loading DOS and
displaying the BASIC prompt before
clearing the screen and rebooting. My
trusty Copy ][+ sector editor can read
tracks $00 through $12, though, once I
change the RWTS option to "DOS 3.3
PATCHED" (which ignores address field
checksums and epilogue bytes). Track
$11 does appear to contain a disk
catalog.

My initial hypothesis: 6-2 nibble
encoding scheme; custom RWTS with
standard prologue bytes ("D5 AA 96" and
"D5 AA AD") but non-standard epilogue
bytes; a CALL in the HELLO program that
executes a nibble check.

I can use COPYA from the DOS 3.3 master
disk to copy the data from the original
disk to a blank disk with standard
epilogue bytes. By booting the DOS 3.3
master disk and changing $B942 from SEC
($38) to CLC ($18), I can create a "no
checksum" RWTS that ignores epilogue
bytes on read but respects them on
write.

I will need to make one additional
modification. By default, COPYA copies
the entire disk, tracks $00 through
$22. There is no option in the UI to
change this, so I will need to manually
BLOAD COPY.OBJ0 and modify it to stop
reading and writing after track $12.

[S6D1=DOS 3.3 master disk]

Load COPYA and its helper program into
memory:

]LOAD COPYA

]BLOAD COPY.OBJ0

Stop COPYA from reloading COPY.OBJ0:

]70

Patch COPY.OBJ0 in memory to stop
reading (and writing -- two separate
patches) after track $12:

]CALL-151

*302:13

*35F:13

Patch DOS to ignore epilogue errors:

*B942:18

And go:

*3D0G

]RUN

[S6D1=original disk]
[S6D2=blank disk]

This produces a copy that is readable
by unmodified DOS 3.3. The copy can
even read itself (since the only thing
that's changed is the epilogue bytes
that it was ignoring in the first
place). But it still displays the same
behavior as the copy I made with EDD4:
it loads DOS, displays the BASIC
prompt, then reboots.

However, further investigation reveals
something very interesting...

[S6D1=DOS 3.3 master disk]
[S6D2=non-working copy]

]PR#6
]CATALOG,D2

DISK VOLUME 254

 A 002 HELLO
 B 066 LOGO.PAGE
 B 034 TITLE.PAGE
 B 034 RACE GAME.PAGE
 A 048 PROGRAM
 B 002 LOMEM:
 B 026 HIGHER TEXT
 B 008 SUBROUTINES.OBJ
 B 005 TITLE.OBJ

]RUN HELLO

Lo and behold, the game loads and runs!
That means that the last part of my
hypothesis was incorrect. Whatever
secondary protection causes the copy to
reboot is not part of the HELLO
program; it's part of the custom DOS.

At this point, I can recreate a working
copy of the game by initializing
another blank disk with DOS 3.3 and
copying these files over with a file
copier. What about the nibble check?
Don't even care.

OK, OK, I care a little. Let's do a
little boot tracing.

[S6D1=non-working copy]
[S5D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151

*800<2800.28FFM

*801L
.
. all normal, until...
.
084A-   4C C0 08    JMP   $08C0

*8C0L

08C0-   8E E9 B7    STX   $B7E9
08C3-   6C FD 08    JMP   ($08FD)

Weird. "STX $B7E9" would usually be the
first instruction in the boot1 code, at
$B700. But otherwise, nothing unusual
here.

The boot0 code is close enough to DOS
3.3 that I can continue with the next
step of my AUTOTRACE program. (It
stopped after saving boot0 because the
instruction at $084A was non-standard.)

]BRUN AUTOTRACE1
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BLOAD BOOT1,A$2600

]CALL -151

*B600<2600.2EFFM

The very first line at $B700 is
suspicious:

B700-   20 00 BB    JSR   $BB00

I've learned from previous cracks (and
from reading "Beneath Apple DOS") that,
in a standard DOS-3.3-derived RWTS, the
area from $BB00 to $BC55 is overwritten
by during every disk read. So why is
there executable code there? Let's find
out.

*BB00L

BB00-   A0 00       LDY   #$00
BB02-   B9 00 BB    LDA   $BB00,Y
BB05-   99 00 02    STA   $0200,Y
BB08-   88          DEY
BB09-   D0 F7       BNE   $2B02
BB0B-   60          RTS

Well that's definitely suspicious.
Relocating yourself into the input
buffer at $200? Seriously, who does
that?

I'm guessing that the first instruction
after this is the entry point, so after
relocation that would be $020C.

*200<BB00.BBFFM

*20CL

; This subroutine sets the reset vector
; to something unfriendly, then seeks
; to track $11.
020C-   20 CF 02    JSR   $02CF
020F-   A9 0A       LDA   #$0A
0211-   85 2A       STA   $2A

; turn on the drive motor manually
; (always suspicious)
0213-   AE E9 B7    LDX   $B7E9
0216-   BD 89 C0    LDA   $C089,X
0219-   BD 8E C0    LDA   $C08E,X

; initialize some pointers and counters
021C-   A9 C7       LDA   #$C7
021E-   85 48       STA   $48
0220-   A9 02       LDA   #$02
0222-   85 49       STA   $49
0224-   A9 80       LDA   #$80
0226-   85 29       STA   $29
0228-   C6 29       DEC   $29

; if zero page $29 goes to zero, bail
022A-   F0 67       BEQ   $0293

; position disk head to where the
; nibble check should be
022C-   20 44 B9    JSR   $B944

; if that didn't work, bail
022F-   B0 62       BCS   $0293
0231-   A5 2D       LDA   $2D
0233-   C9 0D       CMP   #$0D
0235-   D0 F1       BNE   $0228
0237-   A0 00       LDY   #$00
0239-   BD 8C C0    LDA   $C08C,X
023C-   10 FB       BPL   $0239
023E-   88          DEY
023F-   F0 52       BEQ   $0293

; check for "D5 * E7 E7 E7 * EE"
0241-   C9 D5       CMP   #$D5
0243-   D0 F4       BNE   $0239
0245-   A0 00       LDY   #$00
0247-   BD 8C C0    LDA   $C08C,X
024A-   10 FB       BPL   $0247
024C-   88          DEY
024D-   F0 44       BEQ   $0293
024F-   C9 E7       CMP   #$E7
0251-   D0 F4       BNE   $0247
0253-   BD 8C C0    LDA   $C08C,X
0256-   10 FB       BPL   $0253
0258-   C9 E7       CMP   #$E7
025A-   D0 37       BNE   $0293
025C-   BD 8C C0    LDA   $C08C,X
025F-   10 FB       BPL   $025C
0261-   C9 E7       CMP   #$E7
0263-   D0 2E       BNE   $0293
0265-   BD 8D C0    LDA   $C08D,X
0268-   A0 10       LDY   #$10
026A-   24 06       BIT   $06
026C-   BD 8C C0    LDA   $C08C,X
026F-   10 FB       BPL   $026C
0271-   88          DEY
0272-   F0 1F       BEQ   $0293
0274-   C9 EE       CMP   #$EE
0276-   D0 F4       BNE   $026C

; check for nibble sequence stored
; in reverse order at $02C7
0278-   A0 07       LDY   #$07
027A-   BD 8C C0    LDA   $C08C,X
027D-   10 FB       BPL   $027A
027F-   D1 48       CMP   ($48),Y
0281-   D0 10       BNE   $0293
0283-   88          DEY
0284-   10 F4       BPL   $027A

; if we made it this far, the nibble
; check passed
0286-   A9 80       LDA   #$80
0288-   8D 4E 9E    STA   $9E4E
028B-   A9 A1       LDA   #$A1
028D-   8D 4F 9E    STA   $9E4F
0290-   4C 4D 9E    JMP   $9E4D

That last section at $0286..$0290 is
interesting. After the nibble check
passes, it replaces two bytes at $9E4E
and $9E4F, then immediately jumps to
$9E4D. That implies that this nibble
check is called via an unconditional
jump, not a JSR. With the Copy ][+
sector editor, I searched the disk for
"4C 0C 02" and found one reference on
T00,S0B. I wonder if I can just change
those two bytes to bypass the nibble
check altogether...

T00,S0B,$4E: change $0C to $80
T00,S0B,$4F: change $02 to $A1

Success! The game boots and runs with
no complaint.

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 45
------------------EOF------------------