------------Blazing Paddles------------
A 4am crack                  2014-06-10
---------------------------------------

"Blazing Paddles" is a 1984 paint
program distributed by Baudville, Inc.

COPYA gives no read errors, but the
copy does not work. (EDD 4 bit copy
fares no better.) It displays the two
strings "BLAZING PADDLES" and "04431"
(apparently a version number of sorts),
then grinds the disk in a most unusual
fashion (hopping back and forth between
two tracks? trying to read a quarter
track? I've never heard anything like
it) until I frantically power off in an
attempt to save my 30 year old floppy
drive from twerking right off my desk.

Time for boot tracing, I suppose.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800
]CALL -151

*801L

; starts off looking like DOS 3.3 boot0
0801-   A5 27       LDA   $27
0803-   C9 09       CMP   #$09
0805-   D0 18       BNE   $081F
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   A9 5C       LDA   #$5C
0813-   85 3E       STA   $3E
0815-   18          CLC

; slightly unusual -- it appears to
; keep the target address and sector
; count in $084A/B instead of $08FE/F
0816-   AD 4A 08    LDA   $084A
0819-   6D 4B 08    ADC   $084B
081C-   8D 4A 08    STA   $084A
081F-   AE 4B 08    LDX   $084B

; jump out of the sector read loop here
0822-   30 28       BMI   $084C
0824-   BD 39 08    LDA   $0839,X
0827-   85 3D       STA   $3D
0829-   CE 4B 08    DEC   $084B
082C-   AD 4A 08    LDA   $084A
082F-   85 27       STA   $27
0831-   CE 4A 08    DEC   $084A
0834-   A6 2B       LDX   $2B

; jump to disk controller ROM routine
; to read sectors
0836-   6C 3E 00    JMP   ($003E)
.
.
.
; looks like the loop above will read
; all of track 0 into $B000..$BFFF
084A-   B0
084B-   0F

; out of the sector read loop --
; initialize keyboard/video/text mode
; and clear screen
084C-   20 93 FE    JSR   $FE93
084F-   20 89 FE    JSR   $FE89
0852-   20 2F FB    JSR   $FB2F
0855-   20 58 FC    JSR   $FC58

; these two subroutines appear to copy
; the title and version number to the
; text page
0858-   A0 1A       LDY   #$1A
085A-   20 C2 08    JSR   $08C2
085D-   C8          INY
085E-   20 BC 08    JSR   $08BC

; normal-looking RWTS parameter table
; initialization stuff here
0861-   A5 2B       LDA   $2B
0863-   8D E9 B7    STA   $B7E9
0866-   8D F7 B7    STA   $B7F7
0869-   4A          LSR
086A-   4A          LSR
086B-   4A          LSR
086C-   4A          LSR
086D-   AA          TAX
086E-   A9 00       LDA   #$00
0870-   8D F4 03    STA   $03F4
0873-   8D 78 04    STA   $0478
0876-   0A          ASL
0877-   9D 78 04    STA   $0478,X
087A-   9D F8 04    STA   $04F8,X
087D-   A9 01       LDA   #$01
087F-   8D F8 B7    STA   $B7F8
0882-   8D EA B7    STA   $B7EA
0885-   A2 FF       LDX   #$FF
0887-   9A          TXS
0888-   A2 00       LDX   #$00
088A-   8E EB B7    STX   $B7EB

; check for Applesoft in ROM, display
; error message if not found
088D-   AD 82 C0    LDA   $C082
0890-   AD 00 E0    LDA   $E000
0893-   C9 4C       CMP   #$4C
0895-   F0 12       BEQ   $08A9
0897-   AD 80 C0    LDA   $C080
089A-   AD 00 E0    LDA   $E000
089D-   C9 4C       CMP   #$4C
089F-   F0 03       BEQ   $08A4
08A1-   4C AC 08    JMP   $08AC
08A4-   A9 FF       LDA   #$FF
08A6-   8D B7 B2    STA   $B2B7

; execution continues here
08A9-   4C 00 BB    JMP   $BB00

Since this boot0 code bears little
resemblance to DOS 3.3, I'll need a
custom trace routine to capture the
code it loads into $B000..$BFFF.

*9600<C600.C6FFM

; Interrupt boot at $084C, immediately
; after the loop that reads sectors
; from track 0 using disk controller
; ROM routine at $C65C. Set up a
; callback to a routine under my
; control so I can capture the code in
; memory.
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4C 08    STA   $084C
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4D 08    STA   $084D
9702-   A9 97       LDA   #$97
9704-   8D 4E 08    STA   $084E

; start the boot
9707-   4C 01 08    JMP   $0801

; callback is here -- copy $B000..$BFFF
; to graphics page so it will survive a
; reboot
970A-   A2 10       LDX   #$10
970C-   A0 00       LDY   #$00
970E-   B9 00 B0    LDA   $B000,Y
9711-   99 00 20    STA   $2000,Y
9714-   C8          INY
9715-   D0 F7       BNE   $970E
9717-   EE 10 97    INC   $9710
971A-   EE 13 97    INC   $9713
971D-   CA          DEX
971E-   D0 EE       BNE   $970E

; turn off slot 6 drive motor
9720-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9723-   4C 00 C5    JMP   $C500

*BSAVE TRACE1,A$9600,L$126

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 B000-BFFF,A$2000,L$1000
]CALL -151

*FE89G FE93G       ; disconnect DOS

*B000<2000.2FFFM   ; put boot1 in place

*BB00L

BB00-   A6 2B       LDX   $2B

; seek to track 0
BB02-   A9 00       LDA   #$00
BB04-   20 A0 B9    JSR   $B9A0

; read the next available address field
BB07-   20 44 B9    JSR   $B944

; Zero page $2D is part of the scratch
; space used by the RWTS to verify the
; address field checksum. (The routine
; is at $B962..$B98A, which is the same
; place as a regular DOS 3.3 RWTS. Zero
; page $2F holds the disk volume
; number; $2E holds the track number;
; $2D holds the sector number; $2C
; holds the checksum.)
BB0A-   A5 2D       LDA   $2D
BB0C-   C9 00       CMP   #$00

; keep reading address fields until we
; find sector 0
BB0E-   D0 F7       BNE   $BB07

; this subroutine is just a wait loop
BB10-   20 3A BB    JSR   $BB3A
BB13-   A0 01       LDY   #$01
BB15-   8C 48 BB    STY   $BB48
BB18-   98          TYA
BB19-   0A          ASL

; now seek to track 1
BB1A-   20 A0 B9    JSR   $B9A0

; and read the address field of the
; next available sector (without any
; regard for which sector it is)
BB1D-   20 44 B9    JSR   $B944

; and wait again
BB20-   20 3A BB    JSR   $BB3A

; now compare the sector number we
; actually found to a predetermined
; list of expected sector numbers)
BB23-   A5 2D       LDA   $2D
BB25-   AC 48 BB    LDY   $BB48
BB28-   D9 49 BB    CMP   $BB49,Y

; if we didn't find the "right" sector,
; jump back to the beginning and start
; again (which explains why my copy
; makes that unique grinding sound
; forever)
BB2B-   D0 D5       BNE   $BB02
BB2D-   C8          INY
BB2E-   C0 08       CPY   #$08
BB30-   90 E3       BCC   $BB15

; seek back to track 0
BB32-   A9 00       LDA   #$00
BB34-   20 A0 B9    JSR   $B9A0

; continue with actual boot1 code
BB37-   4C 00 B1    JMP   $B100
.
.
.     ; array of expected sectors
BB4A-   05 0A 0F 04 09 0E 03 08
BB52-   0D 02 07 0C 01 06 0B 00

That is a fascinating form of copy
protection. It relies on tracks 0 and 1
being synchronized on the physical disk
in such a way that blindly jumping
between the tracks finds sectors in a
specific order as the disk is rotating
in the drive. It's theoretically
possible to defeat this copy protection
with a bit copy that maintains that
synchronization (the so-called "sync
tracks" option in most copiers), but
even then it probably wouldn't work in
an emulator. For example, the AppleWin
emulator offers an "enhanced speed"
option which ignores sector skew to get
standard DOS 3.3 disks to load faster.
So even if I did manage to create a
perfectly synchronized copy of this
disk, emulators would just ignore it.
Emulating copy protection is A Hard
Problem(tm).

Anyway, this copy protection routine
doesn't appear to have any side
effects. It doesn't even clear the
carry flag. If it succeeds, it just
continues to $B100; if it fails, it
keeps trying until it succeeds (or
until it destroys your disk drive).

The original call to $BB00 happened at
$08A9 in the boot0 code, so I'll change
that to jump straight to $B100 instead.

T00,S00,$AB change "BB" to "B1"

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 68
------------------EOF------------------