-----------------Baron-----------------
A 4am crack
2015-12-27
---------------------------------------

Name: Baron: The Real Estate Simulation
Version: 2.1
Genre: simulation
Year: 1985
Author: Jim Zuber
Publisher: Blue Chip Software
Media: double-sided 5.25-inch floppy
OS: DOS 3.3
Previous cracks: none (of this version)
Identical cracks: #506 Millionaire 2.0

Side B boots to a BASIC program that clears the screen and displays the
error message "WRONG SIDE". So, uh, I guess I'll start with side A.

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  No read errors on either side, but the copy boots DOS, runs a startup
  program, clears the screen, prints "Apple ][", swings to a high track,
  grinds the disk several times, then crashes at $AA54.

  /!\ Subsequent attempts to boot don't ever get off track $00. Looking
  at the copy in a sector editor, T00,S00 has been overwritten with a
  random chunk of memory. An actively destructive protection check.
  That's not something you see every day.

Locksmith Fast Disk Backup
  ditto

EDD 4 bit copy (no sync, no count)
  ditto

Copy ][+ nibble editor
  nothing suspicious

Disk Fixer
  T00-T02 -> standard DOS 3.3
  T11 -> standard disk catalog
  T01,S09 -> startup program is "ENTRA"

Why didn't any of my copies work? There is a runtime protection check
which actively destroys any copies it doesn't like. (Hint: it doesn't
like any copies.)

Next steps:

1. Trace the startup program
2. Disable the protection check
3. Declare victory(*)

(*) take a nap

~

Chapter 1
In Which We Gain Unfettered Access And Make The Most Of It

[S6,D1=original disk]

]PR#6
...

I break to a DOS prompt with unfettered access.
]CATALOG

DISK VOLUME 254

 A 002 ENTRA
 B 003 CON
 A 002 CDIINC
 A 045 BARINIT.BAS
 T 038 DATA.RND
 T 026 SAVE
 T 002 RANDOM.DTA
 T 002 GCHAR.DTA
 T 002 CHECK
 T 004 PLAYER
 T 007 MORTGAGE.RND
 T 024 Y
*B 033 PICTR.BOPENERC

]LIST

10 PRINT CHR$ (4);"BLOADCON"
20 CALL 16384
50 PRINT CHR$ (4);"RUNCDIINC"

]BLOAD CON
]CALL -151

*AA72.AA73

AA72- 00 40

*4000L

; clear screen and print "Apple ]["

4000-   18          CLC
4001-   20 58 FC    JSR   $FC58
4004-   A9 C1       LDA   #$C1
4006-   8D 0F 04    STA   $040F
4009-   A9 F0       LDA   #$F0
400B-   8D 10 04    STA   $0410
400E-   8D 11 04    STA   $0411
4011-   A9 EC       LDA   #$EC
4013-   8D 12 04    STA   $0412
4016-   A9 E5       LDA   #$E5
4018-   8D 13 04    STA   $0413
401B-   A9 DD       LDA   #$DD
401D-   8D 15 04    STA   $0415
4020-   A9 DB       LDA   #$DB
4022-   8D 16 04    STA   $0416
4025-   4C A0 40    JMP   $40A0

*40A0L

; set up... something

40A0-   A9 23       LDA   #$23
40A2-   85 02       STA   $02
40A4-   A9 00       LDA   #$00
40A6-   85 03       STA   $03
40A8-   A9 01       LDA   #$01
40AA-   85 04       STA   $04
40AC-   20 28 40    JSR   $4028

*4028L

; get the address of the RWTS parameter
; table

4028-   20 E3 03    JSR   $03E3
402B-   84 00       STY   $00
402D-   85 01       STA   $01

; track = $23 (set at $40A2)

402F-   A5 02       LDA   $02
4031-   A0 04       LDY   #$04
4033-   91 00       STA   ($00),Y

; sector = $00 (set at $40A6)

4035-   A5 03       LDA   $03
4037-   C9 10       CMP   #$10
4039-   90 04       BCC   $403F
403B-   A9 00       LDA   #$00
403D-   85 03       STA   $03
403F-   A0 05       LDY   #$05
4041-   91 00       STA   ($00),Y
4043-   A0 08       LDY   #$08
4045-   A9 00       LDA   #$00
4047-   91 00       STA   ($00),Y
4049-   C8          INY
404A-   A9 0A       LDA   #$0A
404C-   91 00       STA   ($00),Y

; RWTS command = $01 (set at $40AA)

404E-   A5 04       LDA   $04
4050-   A0 0C       LDY   #$0C
4052-   91 00       STA   ($00),Y
4054-   A9 00       LDA   #$00
4056-   A0 03       LDY   #$03
4058-   91 00       STA   ($00),Y
405A-   20 E3 03    JSR   $03E3

; read it

405D-   20 D9 03    JSR   $03D9
4060-   A9 00       LDA   #$00
4062-   85 48       STA   $48

; if the read worked, branch forward

4064-   90 1B       BCC   $4081

; read failed, off to The Badlands!

4066-   4C D0 40    JMP   $40D0
...
4081-   60          RTS

The protection check is reading track $23 -- an extra track that is
normally unused.
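As an added illustration (not part of the original write-up, and not code from the disk), here is a small Python model of the check that the IOB setup at $4028 serves: it reads T$23,S$00 into the $0A00 buffer, requires the first three bytes to be $00, and otherwise takes the destructive path. The disk image, the CON stand-in and the garbage written over T00,S00 are all constructed; the model also shows why a one-byte patch at file offset $29 of CON (address $4025, after the 4-byte BLOAD header) is enough to skip the check entirely.

```python
# Added model of Baron's protection check (constructed, not the disk's own code).
# DOS 3.3 RWTS parameter-table (IOB) offsets written by the routine at $4028.
IOB_VOLUME, IOB_TRACK, IOB_SECTOR = 0x03, 0x04, 0x05
IOB_BUFFER_LO, IOB_BUFFER_HI, IOB_COMMAND = 0x08, 0x09, 0x0C
CMD_READ, CMD_WRITE = 0x01, 0x02

def make_disk(tracks):
    """Constructed disk image: a list of tracks, each 16 zero-filled 256-byte sectors."""
    return [[bytes(256) for _ in range(16)] for _ in range(tracks)]

def build_iob(track, sector, command):
    """Fill the IOB the way $4028-$4058 does ($02=track, $03=sector, $04=command)."""
    iob = bytearray(0x11)
    iob[IOB_VOLUME] = 0x00                                 # STA ($00),Y with Y=$03
    iob[IOB_TRACK] = track
    iob[IOB_SECTOR] = sector if sector < 0x10 else 0x00    # CMP #$10 / BCC at $4037
    iob[IOB_BUFFER_LO], iob[IOB_BUFFER_HI] = 0x00, 0x0A    # buffer is $0A00
    iob[IOB_COMMAND] = command
    return iob

def rwts(disk, iob, data=b""):
    """Simulated RWTS ($03D9): None (carry set) when the track is not on the image."""
    t, s = iob[IOB_TRACK], iob[IOB_SECTOR]
    if t >= len(disk):
        return None
    if iob[IOB_COMMAND] == CMD_WRITE:
        disk[t][s] = data
    return disk[t][s]

def protection_check(disk):
    """$40AC-$40CD: read T$23,S$00 into $0A00 and require its first three bytes
    to be $00. Any failure takes the $40D0 path, which writes over T00,S00."""
    data = rwts(disk, build_iob(0x23, 0x00, CMD_READ))
    if data is not None and data[0] == data[1] == data[2] == 0x00:
        return "pass"
    garbage = bytes(range(256))                            # constructed stand-in
    rwts(disk, build_iob(0x00, 0x00, CMD_WRITE), garbage)  # the destructive write
    return "destroyed"

def make_con():
    """Constructed stand-in for CON: 4-byte BLOAD header, code at $4000, JMP at $4025."""
    con = bytearray(4 + 0x30)
    con[0x29] = 0x4C                                       # file offset $29 = address $4025
    return con

def run_con(con, disk):
    """Model of CALL 16384: a JMP at $4025 runs the check, an RTS returns at once."""
    if con[0x29] == 0x60:                                  # the Disk Fixer patch
        return "pass"
    return protection_check(disk)
```

A 35-track image (what every copier produced) never even reaches the byte comparison, because the read of track $23 fails first.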
All of my copies stopped at track $22, which explains why they all
failed.

*40D0L

; corrupt part of DOS in memory

40D0-   A9 00       LDA   #$00
40D2-   8D 00 A0    STA   $A000
40D5-   EE D3 40    INC   $40D3
40D8-   AD D3 40    LDA   $40D3
40DB-   C9 FF       CMP   #$FF
40DD-   D0 F1       BNE   $40D0

; track = $00
; sector = $00
; RWTS command = $02 (write!)

40DF-   A9 00       LDA   #$00
40E1-   85 02       STA   $02
40E3-   85 03       STA   $03
40E5-   A9 02       LDA   #$02
40E7-   85 04       STA   $04
40E9-   A9 F6       LDA   #$F6
40EB-   8D 67 40    STA   $4067
40EE-   A9 10       LDA   #$10
40F0-   8D 68 40    STA   $4068
40F3-   20 28 40    JSR   $4028

After the protection check fails, it intentionally overwrites T00,S00.

; clear all of this out of memory
; (up to the previous instruction)

40F6-   A9 00       LDA   #$00
40F8-   8D 00 40    STA   $4000
40FB-   EE F9 40    INC   $40F9
40FE-   AD F9 40    LDA   $40F9
4101-   C9 F5       CMP   #$F5
4103-   D0 F1       BNE   $40F6

; crash

4105-   4C 3E AA    JMP   $AA3E

That explains the behavior I saw on my non-working copy.

Continuing from $40AF...

; check the data we actually read from
; track $23, sector $00

40AF-   AD 00 0A    LDA   $0A00
40B2-   C9 00       CMP   #$00
40B4-   F0 03       BEQ   $40B9

; first byte doesn't match, off to
; The Badlands!

40B6-   4C D0 40    JMP   $40D0

; execution continues here (from $40B4)

40B9-   AD 01 0A    LDA   $0A01
40BC-   C9 00       CMP   #$00
40BE-   F0 03       BEQ   $40C3

; second byte doesn't match, off to
; The Badlands!

40C0-   4C D0 40    JMP   $40D0

; execution continues here (from $40BE)

40C3-   AD 02 0A    LDA   $0A02
40C6-   C9 00       CMP   #$00
40C8-   F0 03       BEQ   $40CD

; third byte doesn't match, off to
; The Badlands!

40CA-   4C D0 40    JMP   $40D0

; execution continues here (from $40C8)

40CD-   4C 08 41    JMP   $4108
...

; exit gracefully

4108-   60          RTS

So this entire routine is unnecessary. Well, it clears the screen and
prints "Apple ][". But everything after the JMP at $4025 is just the
protection check.

[S6,D1=fresh (uncorrupted) copy]

[Disk Fixer]
["D" for directory mode]
[select "CON"]

T13,S0E,$29
  change "4C" to "60"

Quod erat liberandum.

---------------------------------------
A 4am crack No. 542
------------------EOF------------------