--------Cross Country California-------
A 4am crack                  2015-06-09
---------------------------------------

Name: Cross Country California
Genre: educational
Year: 1987
Authors: Darcy Allen, Dave Vincent
Publisher: Didatech Software
Media: double-sided 5.25-inch floppy
OS: Pronto-DOS
Other versions: none (preserved here
  for the first time)

Side B is unprotected but unbootable.
Side A is bootable but protected.
Life is like that.

That is not a haiku.

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  fails on first pass

Locksmith Fast Disk Backup
  can read every sector except T02,S07;
  copy displays title screen then quits
  to BASIC prompt with DOS disconnected

EDD 4 bit copy (no sync, no count)
  ditto

Copy ][+ nibble editor
  There's an address field for T02,S07,
  but no data

Disk Fixer
  T00 -> DOS 3.3-shaped RWTS
  T11 -> DOS 3.3 disk catalog
  T01,S09 -> startup program is named
    "COPYRIGHT 1987"

Why didn't COPYA work?
  intentionally unreadable sector on
  track $02

Why didn't Locksmith FDB / EDD work?
  probably a nibble check that checks
  that unreadable sector

Next steps:

  1. Trace startup program
  2. Find nibble check and disable it
  3. There is no step 3 (I hope)

                   ~

               Chapter 1
   In Which You Ain't Gonna Need It
            (Until You Do)


[S6,D1=non-working copy (side A)]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

I probably don't need that since the
disk is (539/540)% copyable, but OK.

]BLOAD COPYRIGHT 1987,S6,D1
]CALL -151

; under Diversi-DOS 64K, the last BLOAD
; address is at $BF55, and length is at
; $BF51
*BF55.BF56

BF55- 02 08     ; A$802

*BF51.BF52

BF51- 42 04     ; L$442

*802L

0802-   4C E1 BC    JMP   $BCE1

Well then. Glad I captured the RWTS
after all.

*BLOAD RWTS,A$3800,S5,D1

*B800<3800.3EFFM

*BCE1L

; decrypt the code at $0805 (which is
; part of the startup program we just
; loaded)
BCE1-   A2 04       LDX   #$04
BCE3-   A0 05       LDY   #$05
BCE5-   A9 96       LDA   #$96
BCE7-   59 00 08    EOR   $0800,Y
BCEA-   99 00 08    STA   $0800,Y
BCED-   C8          INY
BCEE-   D0 F5       BNE   $BCE5
BCF0-   EE E9 BC    INC   $BCE9
BCF3-   EE EC BC    INC   $BCEC
BCF6-   CA          DEX
BCF7-   D0 EC       BNE   $BCE5
BCF9-   4C 89 BA    JMP   $BA89

*BA89L

; wipe the previous decryption routine
BA89-   A2 1C       LDX   #$1C
BA8B-   98          TYA
BA8C-   9D E0 BC    STA   $BCE0,X
BA8F-   CA          DEX
BA90-   D0 FA       BNE   $BA8C
BA92-   4C 05 08    JMP   $0805

*BA92:60  ; exit via RTS instead of JMP

*BEC1G    ; run decryption routine

*805L

; DOS command "MAXFILES 1"
; (I checked -- that's really what it
; is; they didn't sneak something else
; into the DOS area)
0805-   A9 01       LDA   #$01
0807-   85 44       STA   $44
0809-   20 51 A2    JSR   $A251

; turn off GS acceleration
080C-   AD 36 C0    LDA   $C036
080F-   29 7F       AND   #$7F
0811-   8D 36 C0    STA   $C036

; my "Peeks, Pokes and Pointers" poster
; tells me this clears the hi-res
; graphics screen to black
0814-   A9 20       LDA   #$20
0816-   9D 64 1F    STA   $1F64,X
0819-   85 E6       STA   $E6
081B-   20 F2 F3    JSR   $F3F2
081E-   A2 00       LDX   #$00
0820-   86 1D       STX   $1D

; show hi-res graphics screen
0822-   8E 10 C0    STX   $C010
0825-   AD 54 C0    LDA   $C054
0828-   AD 57 C0    LDA   $C057
082B-   AD 52 C0    LDA   $C052
082E-   AD 50 C0    LDA   $C050
0831-   A9 01       LDA   #$01
0833-   20 C6 09    JSR   $09C6

*9C6L

09C6-   48          PHA
09C7-   A0 00       LDY   #$00
09C9-   84 62       STY   $62
09CB-   20 D6 09    JSR   $09D6
09CE-   68          PLA
09CF-   A8          TAY
09D0-   20 D6 09    JSR   $09D6

; this gets a starting address from a
; table (given at $09EF for the low
; bytes and $09FE for the high bytes)
; and passes bytes to $0A47...
09D6-   B9 EF 09    LDA   $09EF,Y
09D9-   85 08       STA   $08
09DB-   B9 FE 09    LDA   $09FE,Y
09DE-   85 09       STA   $09
09E0-   A0 00       LDY   #$00
09E2-   B1 08       LDA   ($08),Y
09E4-   C9 FC       CMP   #$FC
09E6-   F0 06       BEQ   $09EE
09E8-   20 47 0A    JSR   $0A47
09EB-   C8          INY
09EC-   D0 F4       BNE   $09E2
09EE-   60          RTS

; ...which stores them in the DOS input
; buffer at $0200
0A47-   A6 62       LDX   $62
0A49-   9D 00 02    STA   $0200,X
0A4C-   E6 62       INC   $62
0A4E-   60          RTS

*9D3L

09D3-   4C 45 0A    JMP   $0A45

*A45L

; and ends with a carriage return (this
; falls through to $0A47, listed above)
0A45-   A9 8D       LDA   #$8D

*836L

; this tells DOS to execute the command
; in the input buffer
0836-   20 4F 0A    JSR   $0A4F

This code is a little hard to follow,
but looking at the actual strings helps
a lot. $09EF/$09FE points to $0A0D.

*FC58G N 400<A0D.AFFM

BLOAD |B0|P2|P3|P4|A1,A$4000|A2|A3|A4|
A5|A6|A7|DD|CR|A8|

Nice. Compact. Totally unrelated to
copy protection.

Moving on.

                   ~

               Chapter 2
   In Which We Find Some Protections
Against Things We Weren't Trying To Do
 Anyway, And Some Protections Against
  The Very Thing We Are Trying To Do


*83BL

; calculate a checksum on the file we
; just loaded ("B0", which is the
; hi-res title screen)
083B-   A0 00       LDY   #$00
083D-   84 1B       STY   $1B
083F-   A9 20       LDA   #$20
0841-   85 1C       STA   $1C
0843-   98          TYA
0844-   18          CLC
0845-   71 1B       ADC   ($1B),Y
0847-   C8          INY
0848-   D0 FA       BNE   $0844
084A-   E6 1C       INC   $1C
084C-   A6 1C       LDX   $1C
084E-   E0 40       CPX   #$40
0850-   90 F2       BCC   $0844
0852-   C9 85       CMP   #$85

; if the title screen hasn't been
; modified by egomaniacal pirates,
; execution continues below
0854-   F0 23       BEQ   $0879

I love finding protections against
things I wasn't going to do anyway.

; no program for you!
0856-   AD 51 C0    LDA   $C051
0859-   20 58 FC    JSR   $FC58
085C-   A9 20       LDA   #$20
085E-   85 E6       STA   $E6
0860-   20 F2 F3    JSR   $F3F2

; print "LOADING ERROR"
0863-   A0 00       LDY   #$00
0865-   B9 B8 09    LDA   $09B8,Y
0868-   F0 06       BEQ   $0870
086A-   99 B3 05    STA   $05B3,Y
086D-   C8          INY
086E-   D0 F5       BNE   $0865

; clear hi-res screen
0870-   20 E2 FB    JSR   $FBE2

; switch to text mode
0873-   AD 51 C0    LDA   $C051

; exits to prompt
0876-   4C 9B FA    JMP   $FA9B

; execution continues here (from $0854)
0879-   20 D0 0A    JSR   $0AD0

; $C8 + $34 = $FC
087C-   A2 C8       LDX   #$C8
087E-   BC 34 1F    LDY   $1F34,X
0881-   C8          INY
0882-   C0 FF       CPY   #$FF

; if $1FFC is not $FE, branch back to
; a bad place (above) that switches to
; text mode and exits to a prompt
0884-   D0 ED       BNE   $0873

I didn't see a "LOADING ERROR" message,
and I haven't tampered with the title
page file, so I'm guessing this is
where my non-working copy bailed out.

*AD0L

0AD0-   A0 00       LDY   #$00
0AD2-   84 19       STY   $19
0AD4-   84 08       STY   $08
0AD6-   A9 50       LDA   #$50
0AD8-   85 1A       STA   $1A

; pass a byte to $0B9C...
0ADA-   A9 BD       LDA   #$BD
0ADC-   20 9C 0B    JSR   $0B9C

*B9CL

; ...which stores it in ($19), which
; starts at $5000 and is incremented
; in situ
0B9C-   91 19       STA   ($19),Y
0B9E-   E6 19       INC   $19
0BA0-   D0 02       BNE   $0BA4
0BA2-   E6 1A       INC   $1A
0BA4-   60          RTS

Ah! We're sneakily creating code, one
byte at a time.

; more of the same
0ADF-   A9 8C       LDA   #$8C
0AE1-   20 9C 0B    JSR   $0B9C
0AE4-   A9 C0       LDA   #$C0
0AE6-   20 9C 0B    JSR   $0B9C
0AE9-   A9 8D       LDA   #$8D
0AEB-   20 9C 0B    JSR   $0B9C
0AEE-   A9 C0       LDA   #$C0
0AF0-   18          CLC
0AF1-   65 08       ADC   $08
0AF3-   20 9C 0B    JSR   $0B9C
0AF6-   A9 50       LDA   #$50
0AF8-   20 9C 0B    JSR   $0B9C
0AFB-   E6 08       INC   $08
0AFD-   A5 08       LDA   $08
0AFF-   C9 1E       CMP   #$1E
0B01-   90 D7       BCC   $0ADA
0B03-   A9 60       LDA   #$60
0B05-   20 9C 0B    JSR   $0B9C
0B08-   20 E3 03    JSR   $03E3

Let's break it there and see what code
we just created at $5000.

*B08:60

*AD0G

*5000L

5000-   BD 8C C0    LDA   $C08C,X
5003-   8D C0 50    STA   $50C0
5006-   BD 8C C0    LDA   $C08C,X
5009-   8D C1 50    STA   $50C1
500C-   BD 8C C0    LDA   $C08C,X
500F-   8D C2 50    STA   $50C2
5012-   BD 8C C0    LDA   $C08C,X
5015-   8D C3 50    STA   $50C3
5018-   BD 8C C0    LDA   $C08C,X
501B-   8D C4 50    STA   $50C4
501E-   BD 8C C0    LDA   $C08C,X
5021-   8D C5 50    STA   $50C5
5024-   BD 8C C0    LDA   $C08C,X
5027-   8D C6 50    STA   $50C6
502A-   BD 8C C0    LDA   $C08C,X
502D-   8D C7 50    STA   $50C7
5030-   BD 8C C0    LDA   $C08C,X
5033-   8D C8 50    STA   $50C8
5036-   BD 8C C0    LDA   $C08C,X
5039-   8D C9 50    STA   $50C9
503C-   BD 8C C0    LDA   $C08C,X
503F-   8D CA 50    STA   $50CA
5042-   BD 8C C0    LDA   $C08C,X
5045-   8D CB 50    STA   $50CB
5048-   BD 8C C0    LDA   $C08C,X
504B-   8D CC 50    STA   $50CC
504E-   BD 8C C0    LDA   $C08C,X
5051-   8D CD 50    STA   $50CD
5054-   BD 8C C0    LDA   $C08C,X
5057-   8D CE 50    STA   $50CE
505A-   BD 8C C0    LDA   $C08C,X
505D-   8D CF 50    STA   $50CF
5060-   BD 8C C0    LDA   $C08C,X
5063-   8D D0 50    STA   $50D0
5066-   BD 8C C0    LDA   $C08C,X
5069-   8D D1 50    STA   $50D1
506C-   BD 8C C0    LDA   $C08C,X
506F-   8D D2 50    STA   $50D2
5072-   BD 8C C0    LDA   $C08C,X
5075-   8D D3 50    STA   $50D3
5078-   BD 8C C0    LDA   $C08C,X
507B-   8D D4 50    STA   $50D4
507E-   BD 8C C0    LDA   $C08C,X
5081-   8D D5 50    STA   $50D5
5084-   BD 8C C0    LDA   $C08C,X
5087-   8D D6 50    STA   $50D6
508A-   BD 8C C0    LDA   $C08C,X
508D-   8D D7 50    STA   $50D7
5090-   BD 8C C0    LDA   $C08C,X
5093-   8D D8 50    STA   $50D8
5096-   BD 8C C0    LDA   $C08C,X
5099-   8D D9 50    STA   $50D9
509C-   BD 8C C0    LDA   $C08C,X
509F-   8D DA 50    STA   $50DA
50A2-   BD 8C C0    LDA   $C08C,X
50A5-   8D DB 50    STA   $50DB
50A8-   BD 8C C0    LDA   $C08C,X
50AB-   8D DC 50    STA   $50DC
50AE-   BD 8C C0    LDA   $C08C,X
50B1-   8D DD 50    STA   $50DD
50B4-   60          RTS

Awesome. Note: no BPL loops. This will
just keep reading the data latch as
fast as possible and storing the raw
values in $50C0..$50DD. Including any
timing bits between the nibbles. Good
luck copying that with a nibble copier!

*B08:20

*B08L

; get address of RWTS parameter table
0B08-   20 E3 03    JSR   $03E3
0B0B-   84 1B       STY   $1B
0B0D-   85 1C       STA   $1C

; set up an RWTS seek to track $02
0B0F-   A9 02       LDA   #$02
0B11-   A0 04       LDY   #$04
0B13-   91 1B       STA   ($1B),Y
0B15-   A9 00       LDA   #$00
0B17-   A0 0C       LDY   #$0C
0B19-   91 1B       STA   ($1B),Y
0B1B-   A0 03       LDY   #$03
0B1D-   91 1B       STA   ($1B),Y
0B1F-   20 E3 03    JSR   $03E3

; and do it
0B22-   20 D9 03    JSR   $03D9

; that better work (it's just a seek)
; or else we give up immediately
0B25-   B0 27       BCS   $0B4E

; turn on drive motor manually
0B27-   BD 89 C0    LDA   $C089,X

; initialize Death Counter
0B2A-   A9 30       LDA   #$30
0B2C-   8D 78 05    STA   $0578
0B2F-   38          SEC
0B30-   CE 78 05    DEC   $0578
0B33-   F0 19       BEQ   $0B4E

; look for next available address field
0B35-   20 44 B9    JSR   $B944
0B38-   B0 F5       BCS   $0B2F

; physical sector 1 (logical sector 7)
0B3A-   A5 2D       LDA   $2D
0B3C-   C9 01       CMP   #$01

; nope, try again
0B3E-   D0 EF       BNE   $0B2F

; wait
0B40-   BD 8E C0    LDA   $C08E,X
0B43-   A9 06       LDA   #$06
0B45-   20 A8 FC    JSR   $FCA8

; now execute the routine we created
; one byte at a time
0B48-   20 00 50    JSR   $5000
0B4B-   18          CLC
0B4C-   90 04       BCC   $0B52
0B4E-   A0 0D       LDY   #$0D
0B50-   B1 1B       LDA   ($1B),Y

; turn off drive motor
0B52-   9D 88 C0    STA   $C088,X
0B55-   A0 00       LDY   #$00
0B57-   84 48       STY   $48
0B59-   B0 38       BCS   $0B93

; check the result we got from the
; bit reading routine at $5000
0B5B-   84 19       STY   $19
0B5D-   A2 00       LDX   #$00
0B5F-   84 08       STY   $08
0B61-   BD A5 0B    LDA   $0BA5,X
0B64-   85 1B       STA   $1B
0B66-   BD AA 0B    LDA   $0BAA,X
0B69-   85 1C       STA   $1C
0B6B-   A0 00       LDY   #$00
0B6D-   B1 1B       LDA   ($1B),Y
0B6F-   C9 FF       CMP   #$FF
0B71-   D0 0A       BNE   $0B7D
0B73-   E6 19       INC   $19
0B75-   A4 19       LDY   $19
0B77-   C0 1A       CPY   #$1A
0B79-   90 E2       BCC   $0B5D
0B7B-   B0 16       BCS   $0B93
0B7D-   84 09       STY   $09
0B7F-   A4 08       LDY   $08
0B81-   D9 C0 50    CMP   $50C0,Y
0B84-   F0 05       BEQ   $0B8B
0B86-   A4 09       LDY   $09
0B88-   C8          INY
0B89-   D0 E2       BNE   $0B6D
0B8B-   E6 08       INC   $08
0B8D-   E8          INX
0B8E-   E0 05       CPX   #$05
0B90-   90 CF       BCC   $0B61

; success path is here
0B92-   18          CLC

; failure path is here (from $0B7B)
; (carry bit will be set on failure)
0B93-   A0 FE       LDY   #$FE

; success path skips next instruction
0B95-   90 01       BCC   $0B98

; failure path increments Y
0B97-   C8          INY

; now store the result (will be $FE on
; success, $FF on failure)
0B98-   8C FC 1F    STY   $1FFC
0B9B-   60          RTS

Sneaky. Twisty. Unnecessary.

Let's skip it.

                   ~

               Chapter 3
   In Which We Make Things As Simple
      As Possible, But No Simpler

This entire program was encrypted on
disk and decrypted on the fly. To make
any permanent changes, I'll need to
store the decrypted version and bypass
the encrption.

*802:2C ; don't call decryption routine

*884:24 ; don't branch if $1FFC != $FE

*BSAVE COPYRIGHT 1987,A$802,L$442,S6,D1

*C600G
...boots to main menu, but after it
asks for side B, it accesses the disk
briefly then quits to a prompt again...

Argh. Another check on the other side.
But there were no unreadable sectors on
side B. So what's going on?

Several possible explanations:

  - It's checking the magic value at
    $1FFC again. (It should be $FE.)
    I disabled the branch at $0884, but
    $1FFC still holds the wrong value.

  - It's detecting that the first check
    was tampered with. Given that they
    already checksummed the title page,
    this is a definite possibility.

  - It's calling the nibble check again
    on side B and expecting it to work,
    even though there's no unreadable
    sector to hold the "correct" data.
    Theoretically possible, but
    unlikely. If they could have left
    the sector readable on side A, they
    would have. (Having a single
    unreadable sector is like painting
    a big target on your disk that says
    "Pirates, look here!")

  - It's calling an entirely different
    nibble check. Highly unlikely.
    Most disks don't use more than one
    kind of nibble check. (They were
    expensive to build, expensive to
    buy, and expensive to test.)

Well, let's start with the simplest
explanation and see how far down the
list we have to go...

]PR#5
...
]BLOAD COPYRIGHT 1987,S6,D1
]CALL -151

Here is the relevant code at $0B93
(executed near the end of the routine
at $0AD0) that sets the magic value at
$1FFC:

0B93-   A0 FE       LDY   #$FE
0B95-   90 01       BCC   $0B98
0B97-   C8          INY
0B98-   8C FC 1F    STY   $1FFC
0B9B-   60          RTS

NOP'ing out that "INY" at $B97 should
solve all of my problems.(*)

(*)not guaranteed, problems may vary

*B97:EA ; make failure = success

Now I can undo the other patch I made
the first time around.

*884:D0 ; restore branch on failure
        ; (but it will never fail)

*BSAVE COPYRIGHT 1987,A$802,L$442,S6,D1

*C600G
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 335
------------------EOF------------------