---------------Deathsword--------------
A 4am crack                  2014-05-23
---------------------------------------

Deathsword is a 1988 arcade game by
Palace Software. The Apple version was
developed by Designer Software and
distributed by Epyx as part of their
"MAXX OUT!" series.

COPYA fails immediately with a disk
read error. EDD 4 bit copy gives no
errors, but the copy just reboots over
and over. The original disk boots to
ProDOS and might be entirely file-based
(based on the pattern of disk activity
while the game loads), but the copy
never even gets as far as displaying
the ProDOS splash screen.

Turning to my trusty Copy ][+ sector
editor, I press "P" to get to the
Sector Editor Patcher, and select "DOS
3.3 PATCHED". This option ignores
checksum bytes and epilogue sequences
-- as long as the address and data
prologue are standard ("D5 AA 96" and
"D5 AA AD", respectively), this will
allow me to read each sector. And lo
and behold, it works!

Based on my limited experience cracking
other disks, I would guess that this
disk has

- Standard prologue bytes before the
  address and data fields [otherwise
  Copy ][+ sector editor would give
  read errors, even with the "DOS 3.3
  PATCHED" option]
- Non-standard epilogue bytes after the
  address and data fields [otherwise
  COPYA would work]
- Some secondary protection [otherwise
  the bit copy created with EDD 4 would
  work]

The easiest way to convert the disk to
standard epilogue bytes is to use COPYA
with a patched RWTS that accepts any
epilogue bytes on read but includes
standard epilogue bytes on write.

[S6D1=DOS 3.3 master disk]

]PR#6
...

]CALL -151

*B942:18

*3D0G

]RUN COPYA

[S6D1=original disk]
[S6D2=blank disk]

...read read read...
...grind grind grind...
...write write write...

Now I have a copy of the game in a
standard disk format that can be read
by any tools. That is, I can copy the
copy without patching the DOS 3.3 RWTS
beforehand. I can sector edit the disk
without messing with the Sector Editor
Patcher.

There are two problems with this copy:

1. Depending on how the original disk
   was written, this copy may or may
   not be able to read itself. I may
   need to patch the disk's RWTS to
   deal with the fact that the disk is
   now in a standard format.

2. Even if it can read itself, it won't
   run. The copies I tried to make --
   even the bit copies -- just rebooted
   endlessly, which means there is some
   code being executed during boot to
   check if the disk is original.
   (Hint: it's not.)

Just by booting the copy, I can rule
out problem #1. The disk seems to read
itself just fine. It makes it exactly
as far as the failed bit copy -- far
enough to figure out that it's not an
original disk and reboot.

Time for boot tracing with AUTOTRACE.

[S6D1=original disk]
[S5D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800

]CALL -151

*801L

; This looks like the standard ProDOS
; boot0 code, which is unsurprising,
; since the original disk loads ProDOS
0801-   38          SEC
0802-   B0 03       BCS   $0807
0804-   4C 32 A1    JMP   $A132
0807-   86 43       STX   $43
0809-   C9 03       CMP   #$03
080B-   08          PHP
080C-   8A          TXA
080D-   29 70       AND   #$70
080F-   4A          LSR
0810-   4A          LSR
0811-   4A          LSR
0812-   4A          LSR
0813-   09 C0       ORA   #$C0
0815-   85 49       STA   $49
0817-   A0 FF       LDY   #$FF
0819-   84 48       STY   $48
081B-   28          PLP
081C-   C8          INY
081D-   B1 48       LDA   ($48),Y
081F-   D0 3A       BNE   $085B
0821-   B0 0E       BCS   $0831
0823-   A9 03       LDA   #$03
0825-   8D 00 08    STA   $0800
0828-   E6 3D       INC   $3D
082A-   A5 49       LDA   $49
082C-   48          PHA
082D-   A9 5B       LDA   #$5B
082F-   48          PHA
0830-   60          RTS

; this is not standard
0831-   4C 00 09    JMP   $0900

Let's see what's lurking at $0900.

*9600<C600.C6FFM

; ProDOS boot0 code is sensitive to the
; value of the accumulator on entry, so
; make sure we save it and restore it
; along with the state of all the flags
96F8-   48          PHA
96F9-   08          PHP

; set up callback to call a routine
; under my control instead of
; continuing to $0900
96FA-   A9 09       LDA   #$09
96FC-   8D 32 08    STA   $0832
96FF-   A9 97       LDA   #$97
9701-   8D 33 08    STA   $0833
9704-   28          PLP
9705-   68          PLA

; start the boot
9706-   4C 01 08    JMP   $0801

; callback is here --
; just turn off the disk motor and jump
; to the monitor for now
9709-   AD E8 C0    LDA   $C0E8
970C-   4C 59 FF    JMP   $FF59

*BSAVE TRACE1,A$9600,L$110

*9600G
...reboots slot 6...
<beep>

*2900<900.9FFM

*C500G
...

]BSAVE BOOT1,A$2900,L$100

]BLOAD BOOT1,A$900

]CALL -151

*900L

; the first few instructions here are
; what usually happen at $0831 (instead
; of jumping to $0900)
0900-   85 48       STA   $48
0902-   85 40       STA   $40
0904-   A9 00       LDA   #$00
0906-   8D F4 03    STA   $03F4
0909-   A9 0A       LDA   #$0A
090B-   85 F4       STA   $F4
090D-   A6 2B       LDX   $2B

; turning on the drive motor manually
; (highly suspicious)
090F-   BD 89 C0    LDA   $C089,X
0912-   BD 8E C0    LDA   $C08E,X

; set up some parameters and counters
0915-   A9 A5       LDA   #$A5
0917-   85 F6       STA   $F6
0919-   A9 09       LDA   #$09
091B-   85 F7       STA   $F7
091D-   A9 80       LDA   #$80
091F-   85 F5       STA   $F5
0921-   C6 F5       DEC   $F5
0923-   F0 76       BEQ   $099B

; this finds the next address prologue
; ("D5 AA 96") and skips over the
; address field
0925-   20 AD 09    JSR   $09AD

; if that didn't work, bail
0928-   B0 71       BCS   $099B

092A-   A5 F1       LDA   $F1
092C-   C9 07       CMP   #$07
092E-   D0 F1       BNE   $0921

; look for the magic nibble sequence
0930-   A0 00       LDY   #$00
0932-   BD 8C C0    LDA   $C08C,X
0935-   10 FB       BPL   $0932
0937-   88          DEY
0938-   F0 61       BEQ   $099B
093A-   C9 D5       CMP   #$D5
093C-   D0 F4       BNE   $0932
093E-   A0 00       LDY   #$00
0940-   BD 8C C0    LDA   $C08C,X
0943-   10 FB       BPL   $0940
0945-   88          DEY
0946-   F0 53       BEQ   $099B
0948-   C9 E7       CMP   #$E7
094A-   D0 F4       BNE   $0940
094C-   BD 8C C0    LDA   $C08C,X
094F-   10 FB       BPL   $094C
0951-   C9 E7       CMP   #$E7
0953-   D0 46       BNE   $099B
0955-   BD 8C C0    LDA   $C08C,X
0958-   10 FB       BPL   $0955
095A-   C9 E7       CMP   #$E7
095C-   D0 3D       BNE   $099B
095E-   BD 8D C0    LDA   $C08D,X
0961-   A0 10       LDY   #$10
0963-   24 06       BIT   $06
0965-   BD 8C C0    LDA   $C08C,X
0968-   10 FB       BPL   $0965
096A-   88          DEY
096B-   F0 2E       BEQ   $099B
096D-   C9 EE       CMP   #$EE
096F-   D0 F4       BNE   $0965
0971-   A0 07       LDY   #$07
0973-   BD 8C C0    LDA   $C08C,X
0976-   10 FB       BPL   $0973
0978-   D1 F6       CMP   ($F6),Y
097A-   D0 1F       BNE   $099B
097C-   88          DEY
097D-   10 F4       BPL   $0973

; success path is here -- reuse the
; disk controller ROM routine to read
; the sector that was supposed to be
; at $0900 in the first place, then
; "return" to $0834
097F-   A2 60       LDX   #$60
0981-   8E 01 08    STX   $0801
0984-   A6 2B       LDX   $2B
0986-   A9 0B       LDA   #$0B
0988-   85 3D       STA   $3D
098A-   A9 09       LDA   #$09
098C-   85 27       STA   $27
098E-   A9 08       LDA   #$08
0990-   48          PHA
0991-   A9 34       LDA   #$34
0993-   48          PHA
0994-   A5 49       LDA   $49
0996-   48          PHA
0997-   A9 5B       LDA   #$5B
0999-   48          PHA
099A-   60          RTS

; if zero page $F4 hits 0, the nibble
; check has failed
099B-   C6 F4       DEC   $F4
099D-   D0 03       BNE   $09A2

; reboot on failure
099F-   4C 00 C6    JMP   $C600

; or continue trying
09A2-   4C 1D 09    JMP   $091D

; data table of nibbles
09A5-   FC EE EE FC
09A9-   E7 EE FC E7

There are two ways to go here. I could
wipe out this entire sector and replace
it with the code that's supposed to be
loaded at $0900 in the first place,
then patch T00,S00 to do the standard
ProDOS boot0 thing at $0831. Or, I
could do the Simplest Thing That Could
Possibly Work by patching this sector
to skip over the nibble check and jump
directly to the success path.

I chose door #2. Changing the code at
$090B from a STA to a BNE $097F will
unconditionally jump to the post-check
cleanup and continue the boot.

T00,S0E,$0B change "85 F4" to "D0 72"

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 47
------------------EOF------------------