------Mystery of the Witch's Shoes-----
A 4am crack                  2015-02-13
---------------------------------------

Name: Mystery of the Witch's Shoes:
  Sequencing
Genre: educational
Year: 1986
Publisher: Troll Associates
Media: single-sided 5.25-inch floppy
OS: David-DOS II.2 (see T00,S08)
Other versions: none (preserved here
  for the first time)
Identical cracks: Mrs. Wigglesworth's
  Secret (no. 223); Case of the Missing
  Chick (no. 222); Case of the Great
  Train Robbery (no. 221)
  
                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  disk read error on first pass

Locksmith Fast Disk Backup
  reads every track except $03; copy
  hangs on boot

EDD 4 bit copy (no sync, no count)
  no errors, but copy boots DOS and
  exits to prompt

Oddly, DOS commands still work at this
point, but the files are gibberish.

]CATALOG

VOL-*-FREE
254   127

 B 005 HELP
 B 005 HELP2
 B 033 MENU.SCREEN
 B 011 TABLES
 A 002 HELLO
 B 033 TROLL
 B 033 TITLE
 B 009 MENU
 B 011 FAO2.OBJ
 B 005 TABLE(A)2
 B 014 TABLE.ALL
 B 027 TABLE(B)1
 B 022 DATA.FUN
 B 002 LETTERS.USE
 B 016 FAO.OBJ
 B 005 TABLE(A)1
 B 034 TABLE(C1)1
 B 032 TABLE(C2)1
 B 002 SCRN1.C
 B 009 SCRN2.COLD
 B 022 DATA.M&S
 B 022 DATA.F&F
 B 010 SCRN2.C

]LOAD HELLO
]LIST

 20826  SYNTAX  GOSUB |asy|
cFGD

Copy ][+ nibble editor
  T03 appears to be almost entirely
  sync bytes (all $FF, no data, no
  sectors per se, no structure at all)
  
Disk Fixer
  T00,S00 starts off as a DOS 3.3-style
    bootloader, then goes off into the
    weeds
  T01,S01 is entirely blank
  T00,S08 has a copyright message:
    DAVID-DOS II.2 COPYRIGHT 1984 DAVID
    WESTON ...mailing address...
  T01,S09 -> startup program is blank
  T11 -> DOS 3.3-style disk catalog
  can't read T03 under any combination
    of parameters

Why didn't COPYA work?
  T03 is unreadable because it does not
  have a standard sector structure

Why didn't Locksmith FDB work?
  probably a nibble check during boot

Why didn't my EDD copy work?
  I have no idea

Next steps:

  1. Capture bootloader with AUTOTRACE
  2. Find nibble check and disable it
  3. Figure out what's up with HELLO

                   ~

               Chapter 1
   In Which We Get Nothing For Free,
  And Our Adventure Begins In Earnest


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

Hmm, a custom bootloader.

Wait, I want to test something first.

]CATALOG,S6,D1
...works...
]LOAD HELLO
]LIST
...same garbled results as before...

OK, this HELLO program is definitely
corrupted.

Back to boot tracing.

]CALL -151
*800<2800.28FFM
*801L

; similar enough to DOS 3.3 boot0 loop
; to re-use the disk controller ROM
; routine to read sectors from track 0
0801-   A5 27       LDA   $27
0803-   C9 09       CMP   #$09
0805-   D0 17       BNE   $081E
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   AA          TAX
080E-   09 C0       ORA   #$C0
0810-   85 3F       STA   $3F
0812-   A9 00       LDA   #$00
0814-   9D 78 04    STA   $0478,X
0817-   9D F8 04    STA   $04F8,X
081A-   A9 5C       LDA   #$5C
081C-   85 3E       STA   $3E

; $08FF holds the sector count
081E-   AE FF 08    LDX   $08FF
0821-   30 15       BMI   $0838
0823-   BD ED 08    LDA   $08ED,X
0826-   85 3D       STA   $3D
0828-   CE FF 08    DEC   $08FF

; $08FE holds the address (highest page
; first then decremented, unlike normal
; DOS 3.3)
082B-   AD FE 08    LDA   $08FE
082E-   85 27       STA   $27
0830-   CE FE 08    DEC   $08FE

; call disk controller to read sector
; (loops back to $801 on exit)
0833-   A6 2B       LDX   $2B
0835-   6C 3E 00    JMP   ($003E)

; execution continues here (from $0821)
; after sector reads are complete
0838-   20 89 FE    JSR   $FE89
083B-   8D 0C C0    STA   $C00C
083E-   8D 0E C0    STA   $C00E
0841-   20 93 FE    JSR   $FE93
0844-   20 2F FB    JSR   $FB2F
0847-   20 58 FC    JSR   $FC58

; looks like we're printing something
; to the screen, but there's nothing
; there except spaces ($A0) -- maybe
; this bootloader is generic/reusable
; with an option to print a title?
084A-   A2 0D       LDX   #$0D
084C-   BD B9 08    LDA   $08B9,X
084F-   9D 0D 04    STA   $040D,X
0852-   CA          DEX
0853-   10 F7       BPL   $084C

; also blank spaces
0855-   A2 25       LDX   #$25
0857-   BD C7 08    LDA   $08C7,X
085A-   9D 01 05    STA   $0501,X
085D-   CA          DEX
085E-   10 F7       BPL   $0857

; VTAB 2
0860-   A9 02       LDA   #$02
0862-   85 25       STA   $25
0864-   20 22 FC    JSR   $FC22

; set up RWTS parameters (usually done
; at $B700, but inlined here)
0867-   A6 2B       LDX   $2B
0869-   8E E9 B7    STX   $B7E9
086C-   8E F7 B7    STX   $B7F7
086F-   A0 01       LDY   #$01
0871-   8C F4 B7    STY   $B7F4
0874-   8C EA B7    STY   $B7EA
0877-   8C F8 B7    STY   $B7F8
087A-   A0 02       LDY   #$02
087C-   8C EC B7    STY   $B7EC
087F-   A0 1A       LDY   #$1A
0881-   8C E1 B7    STY   $B7E1
0884-   A0 B6       LDY   #$B6
0886-   8C F1 B7    STY   $B7F1
0889-   A0 02       LDY   #$02

; highly suspect
088B-   20 03 BB    JSR   $BB03

; reset stack
088E-   A2 FF       LDX   #$FF
0890-   9A          TXS
0891-   8E EB B7    STX   $B7EB
0894-   8E FB 04    STX   $04FB

; start DOS
0897-   4C 84 9D    JMP   $9D84

Looks like $BB03 (there shouldn't be
any code there at all, by the way) is
loading the rest of DOS. I bet it's
doing a nibble check first, though.

*8FE.8FF

08FE- BF 0B

OK, we're loading into $B400..$BFFF.
Let's capture it.

*9600<C600.C6FFM

; call my code instead of $BB03
96F8-   A9 4C       LDA   #$4C
96FA-   8D 8B 08    STA   $088B
96FD-   A9 0A       LDA   #$0A
96FF-   8D 8C 08    STA   $088C
9702-   A9 97       LDA   #$97
9704-   8D 8D 08    STA   $088D

; start the boot
9707-   4C 01 08    JMP   $0801

; capture everything loaded into memory
970A-   A2 0B       LDX   #$0B
970C-   A0 00       LDY   #$00
970E-   B9 00 B4    LDA   $B400,Y
9711-   99 00 24    STA   $2400,Y
9714-   C8          INY
9715-   D0 F7       BNE   $970E
9717-   EE 10 97    INC   $9710
971A-   EE 13 97    INC   $9713
971D-   CA          DEX
971E-   D0 EE       BNE   $970E

; turn off drive motor
9720-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9723-   4C 00 C5    JMP   $C500

*BSAVE TRACE1,A$9600,L$126
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 B400-BFFF,A$2400,L$B00
]CALL -151
*FE89G FE93G
*B400<2400.2FFFM
*BB03L

BB03-   4E 06 BB    LSR   $BB06

Uh oh. Self-modifying code. The 6502
processor has no instruction cache, so
one instruction can literally change
the next instruction in memory, and the
CPU will execute the new instruction.
Which is what's happening here.

This may take some patience.

                   ~

               Chapter 2
           In Which We Learn
      The True Meaning Of Patience


To capture this self-modifying code, I
need to reproduce the modifications
without running the modified code. I'll
start with a pristine copy (at $2B00),
copy it into place (at $BB00), then
reproduce the modifications and inspect
the results. Lather, rinse, repeat.

2000-   A0 00       LDY   #$00
2002-   B9 00 2B    LDA   $2B00,Y
2005-   99 00 BB    STA   $BB00,Y
2008-   C8          INY
2009-   D0 F7       BNE   $2002
200B-   4E 06 BB    LSR   $BB06
200E-   60          RTS

*2000G
*BB06L

BB06-   38          SEC
BB07-   6E 0A BB    ROR   $BB0A

More self-modifying code.

*200E:38 6E 0A BB 60
*2000G
*BB0AL

BB0A-   A0 27       LDY   #$27
BB0C-   6E 0F BB    ROR   $BB0F

More.

*2012:6E 0F BB 60
*2000G
*BB0FL

BB0F-   6E 1B BB    ROR   $BB1B
BB12-   6E 15 BB    ROR   $BB15

More.

*2015:6E 1B BB 6E 15 BB 60
*2000G
*BB15L

BB15-   6E 1E BB    ROR   $BB1E
BB18-   6E 25 BB    ROR   $BB25
BB1B-   B9 00 BB    LDA   $BB00,Y

Kill me now.

*201B:6E 1E BB 6E 25 BB 60
*2000G
*BB1EL

BB1E-   59 00 B8    EOR   $B800,Y
BB21-   99 00 BB    STA   $BB00,Y
BB24-   C8          INY
BB25-   D0 F4       BNE   $BB1B

More, now using the page at $B800 as an
encryption key.

*2021:A0 27 B9 00 BB 59 00 58 99 00 BB
      C8 D0 F4 60
*2000G
*BB27L

BB27-   A0 55       LDY   #$55
BB29-   B9 00 BC    LDA   $BC00,Y
BB2C-   59 00 B8    EOR   $B800,Y
BB2F-   99 00 BC    STA   $BC00,Y
BB32-   88          DEY
BB33-   10 F4       BPL   $BB29

And again, for $BC00.

*202F:A0 55 B9 00 BC 59 00 B8 99 00 BC
      88 10 F4 60
*2000G
*BB35L

Finally some real code.

; cover our tracks in memory (overwrite
; the call to $BB03)
BB35-   A9 A9       LDA   #$A9
BB37-   8D 8C 08    STA   $088C
BB3A-   A9 B7       LDA   #$B7
BB3C-   8D 8D 08    STA   $088D

; push an address to the stack
BB3F-   A9 B5       LDA   #$B5
BB41-   48          PHA
BB42-   A9 19       LDA   #$19
BB44-   48          PHA

; save some other values on the stack
BB45-   AD EC B7    LDA   $B7EC
BB48-   48          PHA
BB49-   AD F4 B7    LDA   $B7F4
BB4C-   48          PHA

; set up an RWTS seek to track $03
BB4D-   A9 03       LDA   #$03
BB4F-   8D EC B7    STA   $B7EC
BB52-   A9 00       LDA   #$00
BB54-   8D F4 B7    STA   $B7F4

; call RWTS
BB57-   A0 E8       LDY   #$E8
BB59-   A9 B7       LDA   #$B7
BB5B-   20 B5 B7    JSR   $B7B5

; turn on drive motor manually (always
; suspicious)
BB5E-   BD 89 C0    LDA   $C089,X

; restore some values from the stack
BB61-   68          PLA
BB62-   8D F4 B7    STA   $B7F4
BB65-   68          PLA
BB66-   8D EC B7    STA   $B7EC

; look for $D5
BB69-   BD 8C C0    LDA   $C08C,X
BB6C-   10 FB       BPL   $BB69
BB6E-   48          PHA
BB6F-   68          PLA
BB70-   C9 D5       CMP   #$D5
BB72-   D0 F5       BNE   $BB69

; modify data later in this routine (!)
; (might need to track this)
BB74-   A0 00       LDY   #$00
BB76-   8C C8 BB    STY   $BBC8

; look for some weird bitstream
; (hoping I don't need to care about
; the specifics)
BB79-   BD 8C C0    LDA   $C08C,X
BB7C-   10 FB       BPL   $BB79
BB7E-   C9 D5       CMP   #$D5
BB80-   F0 0F       BEQ   $BB91
BB82-   C9 F7       CMP   #$F7
BB84-   D0 01       BNE   $BB87
BB86-   C8          INY

; more data modification -- maybe it's
; just a counter?
BB87-   18          CLC
BB88-   6D C8 BB    ADC   $BBC8
BB8B-   8D C8 BB    STA   $BBC8
BB8E-   4C 79 BB    JMP   $BB79
BB91-   98          TYA
BB92-   F0 E0       BEQ   $BB74
BB94-   BD 8C C0    LDA   $C08C,X
BB97-   10 FB       BPL   $BB94
BB99-   48          PHA
BB9A-   68          PLA
BB9B-   C9 FF       CMP   #$FF
BB9D-   F0 F5       BEQ   $BB94
BB9F-   C9 D5       CMP   #$D5

; this is an error -- $BBCE is the
; failure path
BBA1-   F0 2B       BEQ   $BBCE
BBA3-   A0 05       LDY   #$05
BBA5-   BD 8C C0    LDA   $C08C,X
BBA8-   10 FB       BPL   $BBA5
BBAA-   48          PHA
BBAB-   68          PLA
BBAC-   88          DEY
BBAD-   D0 F6       BNE   $BBA5
BBAF-   BD 8C C0    LDA   $C08C,X
BBB2-   10 FB       BPL   $BBAF
BBB4-   48          PHA
BBB5-   68          PLA
BBB6-   C9 FF       CMP   #$FF
BBB8-   F0 F5       BEQ   $BBAF
BBBA-   C9 D5       CMP   #$D5
BBBC-   D0 10       BNE   $BBCE   ;fail
BBBE-   BD 8C C0    LDA   $C08C,X
BBC1-   10 FB       BPL   $BBBE
BBC3-   C9 FF       CMP   #$FF
BBC5-   D0 07       BNE   $BBCE   ;fail

; success path falls through to here
; (this $00 was modified repeatedly)
; and apparently needs to be 
BBC7-   A9 00       LDA   #$00
BBC9-   38          SEC
BBCA-   E9 10       SBC   #$10

; success path continues at $BBD0
BBCC-   F0 02       BEQ   $BBD0

; failure path is here (called from
; several places) -- pop the mystery
; address off the stack and continue
BBCE-   68          PLA
BBCF-   68          PLA

; success path continues here -- leave
; mystery address on the stack and
; continue
BBD0-   A0 04       LDY   #$04
BBD2-   4C A9 B7    JMP   $B7A9

If the nibble check succeeds, execution
continues at $B7A9, then jumps to $B51A
(based on the $B5/$19 pair that was
manually pushed to the stack at $BB3F).

If the nibble check fails, execution
continues at $B7A9 and returns (because
$B5/$18 was popped off the stack).

The routine at $B51A is the difference
between the original disk and my non-
working bit copy. The original ran it;
my EDD bit copy did not. (The copy I
made with Locksmith FDB just looped
forever looking for the right sequence
of sync bytes.)

I need to trace $B51A. But before I
trace it, I'll save my work to date.

*2B00<BB00.BCFFM
*C500G
...
]BSAVE DECRYPT BB00,A$2000,L$3E
]BSAVE BB00 DECRYPTED,A$2B00,L$200

Now let's see what's at $B51A.

                   ~

               Chapter 3
  In Which We Begin To Tire Of These
  Opportunities To Practice Patience


]BLOAD BOOT1 B400-BFFF,A$2400
]CALL -151
*FE89G FE93G
*B400<2400.2FFFM
*B51AL

B51A-   00          BRK
B51B-   00          BRK
B51C-   00          BRK
B51D-   00          BRK
B51E-   00          BRK
B51F-   00          BRK
B520-   00          BRK
B521-   00          BRK
B522-   00          BRK
B523-   00          BRK

Oh. There's nothing there. Because the
real code is only loaded as part of the
second stage boot (the weird call to
$B7A9, which is in the middle of the
standard multi-sector read routine at
$B793).

I need to trace further.

*9600<C600.C6FFM

; call my code instead of $BB03
96F8-   A9 4C       LDA   #$4C
96FA-   8D 8B 08    STA   $088B
96FD-   A9 0A       LDA   #$0A
96FF-   8D 8C 08    STA   $088C
9702-   A9 97       LDA   #$97
9704-   8D 8D 08    STA   $088D

; start the boot
9707-   4C 01 08    JMP   $0801

; callback is here -- replicate part of
; the success path by setting Y and
; calling $B7A9 (but not $B51A)
970A-   A0 04       LDY   #$04
970C-   20 A9 B7    JSR   $B7A9

; capture everything we just loaded
970F-   A2 23       LDX   #$23
9711-   A0 00       LDY   #$00
9713-   B9 00 9D    LDA   $9D00,Y
9716-   99 00 2D    STA   $2D00,Y
9719-   C8          INY
971A-   D0 F7       BNE   $9713
971C-   EE 15 97    INC   $9715
971F-   EE 18 97    INC   $9718
9722-   CA          DEX
9723-   D0 EE       BNE   $9713

; reboot to my work disk
9725-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$128
*9600G
...reboots slot 6...
...reboots slot 5...
]BSAVE BOOT2,A$2D00,L$2300
]CALL -151
*FE89G FE93G      ; disconnect old DOS
*9D00<2D00.4FFFM  ; move DOS into place
*B51AL

B51A-   4E 1D B5    LSR   $B51D

Oh no. Here we go again.

2000-   A0 00       LDY   #$00
2002-   B9 00 45    LDA   $4500,Y
2005-   99 00 B5    STA   $B500,Y
2008-   C8          INY
2009-   D0 F7       BNE   $2002
200B-   98          TYA
200C-   4E 1D B5    LSR   $B51D
200F-   60          RTS

*2000G
*B51DL

B51D-   38          SEC
B51E-   6E 21 B5    ROR   $B521

*200F:38 6E 21 B5 60
*2000G
*B521L

B521-   A0 3E       LDY   #$3E
B523-   6E 26 B5    ROR   $B526

*2013:A0 3E 6E 26 B5 60
*2000G
*B526L

B526-   6E 32 B5    ROR   $B532
B529-   6E 2C B5    ROR   $B52C

*2018:6E 32 B5 6E 2C B5 60
*2000G
*B52CL

B52C-   6E 35 B5    ROR   $B535
B52F-   6E 3C B5    ROR   $B53C
B532-   B9 00 B5    LDA   $B500,Y

*201E:6E 35 B5 6E 3C B5 B9 0 B5 60
*2000G
*B535L

B535-   59 00 B8    EOR   $B800,Y
B538-   99 00 B5    STA   $B500,Y
B53B-   C8          INY
B53C-   D0 F4       BNE   $B532

*2027:59 0 B8 99 0 B5 C8 D0 F4 60
*2000G
*B53EL

B53E-   A0 1A       LDY   #$1A
B540-   88          DEY
B541-   B9 00 B5    LDA   $B500,Y
B544-   59 00 B8    EOR   $B800,Y
B547-   99 00 B5    STA   $B500,Y
B54A-   88          DEY
B54B-   10 F4       BPL   $B541
B54D-   A0 00       LDY   #$00
B54F-   B9 00 B4    LDA   $B400,Y
B552-   59 00 B8    EOR   $B800,Y
B555-   99 00 B4    STA   $B400,Y
B558-   88          DEY
B559-   D0 F4       BNE   $B54F

*2030<B53E.B55AM
*204D:60
*2000G
*B55BL

Finally some real code.

; set reset vector
B55B-   A9 4B       LDA   #$4B
B55D-   8D F2 03    STA   $03F2
B560-   A9 B7       LDA   #$B7
B562-   8D F3 03    STA   $03F3
B565-   49 A5       EOR   #$A5
B567-   8D F4 03    STA   $03F4

; a loop to change various memory
; locations, based on a list of patches
; at $B400
B56A-   A9 00       LDA   #$00
B56C-   85 00       STA   $00
B56E-   A9 B4       LDA   #$B4
B570-   85 01       STA   $01
B572-   A0 00       LDY   #$00
B574-   F0 0B       BEQ   $B581
B576-   B1 00       LDA   ($00),Y
B578-   99 FF FF    STA   $FFFF,Y
B57B-   88          DEY
B57C-   D0 F8       BNE   $B576
B57E-   A4 02       LDY   $02
B580-   C8          INY
B581-   B1 00       LDA   ($00),Y
B583-   F0 1C       BEQ   $B5A1
B585-   85 02       STA   $02
B587-   C8          INY
B588-   B1 00       LDA   ($00),Y
B58A-   8D 79 B5    STA   $B579
B58D-   C8          INY
B58E-   B1 00       LDA   ($00),Y
B590-   8D 7A B5    STA   $B57A
B593-   98          TYA
B594-   18          CLC
B595-   A4 02       LDY   $02
B597-   65 00       ADC   $00
B599-   85 00       STA   $00
B59B-   90 D9       BCC   $B576
B59D-   E6 01       INC   $01
B59F-   D0 D5       BNE   $B576
B5A1-   60          RTS

Each patch is a variable-length record,
starting at $B400 (pointed to by ($00))
and continuing until the first byte of
the record is $00 (compared at $B583).
The general format of each record is

+0  [1 byte]    length of data, or $00
+1  [2 bytes]   starting address (-1)
+3  [variable]  data to write in memory

Once decrypted, the raw patch records
look like this:

*B400.B4FF

B400- 1E 74 AA C8 C5 CC CC CF
B408- A0 A0 A0 A0 A0 A0 A0 A0
B410- A0 A0 A0 A0 A0 A0 A0 A0
B418- A0 A0 A0 A0 A0 A0 A0 A0
B420- A0 01 24 A4 A3 21 4D A4
B428- A5 68 48 38 A5 AF E5 67
B430- A8 A5 B0 E5 68 AA E8 65
B438- 68 85 68 C6 68 20 BC A3
B440- CA D0 F8 68 85 68 6C 60
B448- 9D 12 BB A3 98 49 52 51
B450- 67 91 67 88 C0 FF D0 F4
B458- 60 A9 01 20 B1 A4 13 2F
B460- 9E A9 80 85 D6 30 0B AD
B468- 00 C0 C9 83 F0 F9 4C D2
B470- D7 EA A9 06 03 02 A5 4C
B478- 36 9E 30 FF B5 60 A0 20
B480- B9 0F B6 99 00 03 88 10
B488- F7 4C 00 03 A9 BF 85 01
B490- A0 00 84 00 91 00 C8 D0
B498- FB C6 01 A5 01 C9 08 B0
B4A0- F3 AD 81 C0 20 93 FE 20
B4A8- 89 FE 4C 00 E0 01 C1 B7
B4B0- 60 03 72 9E 01 B6 13 02
B4B8- 96 A3 18 60 00 8A A3 4C
B4C0- 82 A5 32 7E A5 4C 84 9D
B4C8- 20 71 A4 A5 68 48 A5 67
B4D0- 48 38 AE 61 AA AC 60 AA
B4D8- D0 01 CA 88 8A E8 6D 73
B4E0- AA 85 68 AD 72 AA 85 67
B4E8- C6 68 20 BC A3 CA D0 F8
B4F0- 68 85 67 68 85 68 60 02
B4F8- 51 A3 9A A3 02 5A A3 A6

                   ~

               Chapter 4
    In Which We Thoroughly Document
    These Patches, And All Remaining
         Mysteries Are Resolved


Location     | Description      | Value
-------------+------------------+------
$B400        | length of data   |  $1E
$B401/$B402  | starting address | $AA74
$B403..$B420 | data

The first patch sets the name of the
startup program, which is blank on disk
(T01,S09) but is now patched in memory
(at $AA75) as "HELLO".

The second record follows immediately;
there is no record separator.

Location     | Description      | Value
-------------+------------------+------
$B421        | length of data   |  $01
$B422/$B423  | starting address | $A424
$B424..$B424 | data             |  $A3

The second patch munges one branch
instruction in the middle of the LOAD
command handler at $A413 (c.f. "Beneath
Apple DOS" p. 8-12).

Location     | Description      | Value
-------------+------------------+------
$B425        | length of data   |  $21
$B426/$B427  | starting address | $A44D
$B428..$B448 | data

The $21 bytes from $B428..$B448 end up
at $A44E, and they look like this:

A44E-   A5 68       LDA   $68
A450-   48          PHA
A451-   38          SEC
A452-   A5 AF       LDA   $AF
A454-   E5 67       SBC   $67
A456-   A8          TAY
A457-   A5 B0       LDA   $B0
A459-   E5 68       SBC   $68
A45B-   AA          TAX
A45C-   E8          INX
A45D-   65 68       ADC   $68
A45F-   85 68       STA   $68
A461-   C6 68       DEC   $68
A463-   20 BC A3    JSR   $A3BC
A466-   CA          DEX
A467-   D0 F8       BNE   $A461
A469-   68          PLA
A46A-   85 68       STA   $68
A46C-   6C 60 9D    JMP   ($9D60)

This is changing the behavior of the
LOAD command for loading Applesoft
BASIC programs into memory. It extends
past $A450, which is normally the part
of DOS that handles loading Integer
BASIC programs. It also adds a call to
$A3BC, which is normally a test for
Integer BASIC, but which I'm guessing
is about to get overwritten in a later
patch.

Location     | Description      | Value
-------------+------------------+------
$B449        | length of data   |  $12
$B44A/$B44B  | starting address | $A3BB
$B44C..$B45D | data

The $12 bytes from $B44C..$B45D end up
at $A3BC, and they look like this:

A3BC-   98          TYA
A3BD-   49 AA       EOR   #$AA
A3BF-   51 67       EOR   ($67),Y
A3C1-   91 67       STA   ($67),Y
A3C3-   88          DEY
A3C4-   C0 FF       CPY   #$FF
A3C6-   D0 F4       BNE   $A3BC
A3C8-   60          RTS
A3C9-   A9 01       LDA   #$01
A3CB-   20 B1 A4    JSR   $A4B1

This is an on-the-fly decryption that
occurs as Applesoft BASIC programs are
loaded. ($67) points to the BASIC
program in memory. This explains why I
couldn't LOAD or LIST HELLO: it was
encrypted.

Location     | Description      | Value
-------------+------------------+------
$B45E        | length of data   |  $13
$B45F/$B460  | starting address | $9E2F
$B461..$B473 | data

The $12 bytes from $B461..$B473 end up
at $9E30 (part of the late-stage boot),
and they look like this:

9E30-   A9 80       LDA   #$80
9E32-   85 D6       STA   $D6
9E34-   30 0B       BMI   $9E41
9E36-   AD 00 C0    LDA   $C000
9E39-   C9 83       CMP   #$83
9E3B-   F0 F9       BEQ   $9E36
9E3D-   4C D2 D7    JMP   $D7D2
9E40-   EA          NOP
9E41-   A9 06       LDA   #$06

This part of late-stage boot usually
sets the reset vector to something
useful. Instead, this patch will set
the Applesoft RUN flag (zero page $D6),
which makes any command typed from the
BASIC prompt RUN the current program in
memory instead. The rest of the new
code (at $9E36) checks for <Ctrl-C> and
hangs until you press something else.
That part is skipped for now, but I'm
guessing it's called later.

Location     | Description      | Value
-------------+------------------+------
$B474        | length of data   |  $03
$B475/$B476  | starting address | $A502
$B477..$B479 | data

The 3 bytes at $B477 end up at $A503,
which is the tail end of the RUN entry
point. It's just a JMP to the code that
was just patched earlier:

A503-   4C 36 9E    JMP   $9E36

Thus, trying to <Ctrl-C> break to the
prompt during boot will hang until you
press something else. (Even if you did
manage to get to the prompt, the RUN
flag would ensure you couldn't do
anything useful. Defense in depth!)

Location     | Description      | Value
-------------+------------------+------
$B47A        | length of data   |  $30
$B47B/$B47C  | starting address | $B5FF
$B47D..$B4AC | data

The $30 bytes at $B47D end up at $B600.
The new code looks like this:

B600-   60          RTS
B601-   A0 20       LDY   #$20
B603-   B9 0F B6    LDA   $B60F,Y
B606-   99 00 03    STA   $0300,Y
B609-   88          DEY
B60A-   10 F7       BPL   $B603
B60C-   4C 00 03    JMP   $0300
B60F-   A9 BF       LDA   #$BF
B611-   85 01       STA   $01
B613-   A0 00       LDY   #$00
B615-   84 00       STY   $00
B617-   91 00       STA   ($00),Y
B619-   C8          INY
B61A-   D0 FB       BNE   $B617
B61C-   C6 01       DEC   $01
B61E-   A5 01       LDA   $01
B620-   C9 08       CMP   #$08
B622-   B0 F3       BCS   $B617
B624-   AD 81 C0    LDA   $C081
B627-   20 93 FE    JSR   $FE93
B62A-   20 89 FE    JSR   $FE89
B62D-   4C 00 E0    JMP   $E000

Looks like this is going to be The
Badlands routine that wipes main memory
and exits.

Location     | Description      | Value
-------------+------------------+------
$B4AD        | length of data   |  $01
$B4AE/$B4AF  | starting address | $B7C1
$B4B0        | data             |  $60

This puts an RTS instruction at $B7C2,
which would normally set up the RWTS
parameters for writing DOS after INIT.

Location     | Description      | Value
-------------+------------------+------
$B4B1        | length of data   |  $03
$B4B2/$B4B3  | starting address | $9E72
$B4B4..$B4B6 | data

This modifies DOS's image of the page 3
jump vectors so that <Ctrl-Reset> will
jump to $B601, a.k.a. The Badlands.

Location     | Description      | Value
-------------+------------------+------
$B4B7        | length of data   |  $02
$B4B8/$B4B9  | starting address | $A396
$B4BA..$B4BB | data             | 18 60

This patch neutralizes the SAVE handler
at $A397 so it does nothing but claims
to have succeeded.

That's it. The next byte is $00, so the
BEQ at $B583 branches and the patch
loop exits gracefully via RTS. (There
appear to be more patches to decrypt
binary files, but this disk does not
use them.)

The result is a really messed up DOS
that is maximally unfriendly to prying
eyes and maximally incompatible with
any other version of DOS. It decrypts
BASIC files on the fly, traps <Ctrl-
Reset>, traps <Ctrl-C>, sets the RUN
flag, and disables the SAVE command.

It does not, however, hinder copying
the disk itself. The only patch I need
to bypass the copy protection is at
$BB03:

 1. push $B5/$19 to the stack
 2. set Y register to $04
 3. jump to $B7A9

T00,S07,$03
old: "4E 06 BB 71 6E 0A BB 40 27 6E 0F"
new: "A9 B5 48 A9 19 48 A0 04 4C A9 B7"

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 224
------------------EOF------------------