-----------------Take 1----------------
A 4am crack                  2014-06-12
---------------------------------------

"Take 1" is a 1984 animation utility
distributed by Baudville, Inc.

COPYA gives no read errors, but the
copy does not work. (EDD 4 bit copy
fares no better.) It displays the two
strings "TAKE 1" and "06451" (a version
number, I think), then grinds the disk
in a most unusual fashion (hopping back
and forth between two tracks? trying to
read a quarter track? I've never heard
anything like it) until I frantically
power off in an attempt to save my 30
year old floppy drive from marching off
my desk.

Time for boot tracing, I suppose.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800
]CALL -151

*801L

; starts off looking like DOS 3.3 boot0
0801-   A5 27       LDA   $27
0803-   C9 09       CMP   #$09
0805-   D0 37       BNE   $083E
0807-   A5 2B       LDA   $2B
0809-   4A          LSR
080A-   4A          LSR
080B-   4A          LSR
080C-   4A          LSR
080D-   09 C0       ORA   #$C0
080F-   85 3F       STA   $3F
0811-   8D FE 08    STA   $08FE
0814-   A9 5C       LDA   #$5C
0816-   85 3E       STA   $3E
0818-   18          CLC

; slightly unusual -- it appears to
; keep the target address and sector
; count in $0869/A instead of $08FE/F
0819-   AD 69 08    LDA   $0869
081C-   6D 6A 08    ADC   $086A
081F-   8D 69 08    STA   $0869

; enable read/write on RAM bank 2 (at
; $D000..$FFFF)
0822-   AD 83 C0    LDA   $C083
0825-   AD 83 C0    LDA   $C083

; set low-level reset vector
0828-   A9 F9       LDA   #$F9
082A-   8D FC FF    STA   $FFFC
082D-   8D FE FF    STA   $FFFE
0830-   8D FA FF    STA   $FFFA
0833-   A9 08       LDA   #$08
0835-   8D FD FF    STA   $FFFD
0838-   8D FF FF    STA   $FFFF
083B-   8D FB FF    STA   $FFFB

; looks like a sector read loop
083E-   AE 6A 08    LDX   $086A

; jump out of the read loop here
0841-   30 28       BMI   $086B
0843-   BD 58 08    LDA   $0858,X
0846-   85 3D       STA   $3D
0848-   CE 6A 08    DEC   $086A
084B-   AD 69 08    LDA   $0869
084E-   85 27       STA   $27
0850-   CE 69 08    DEC   $0869
0853-   A6 2B       LDX   $2B

; jump to disk controller ROM routine
; to read sectors
0855-   6C 3E 00    JMP   ($003E)
.
.
.
; looks like the loop above will read
; 7 sectors into $DA00..$E0FF
0869-   DA
086A-   07

; out of the sector read loop --
; switch back to ROM, initialize
; keyboard/video/text mode/screen
086B-   AD 82 C0    LDA   $C082
086E-   20 93 FE    JSR   $FE93
0871-   20 89 FE    JSR   $FE89
0874-   20 2F FB    JSR   $FB2F
0877-   20 58 FC    JSR   $FC58

; these two subroutines appear to copy
; the title and version number to the
; text page
087A-   A0 00       LDY   #$00
087C-   20 AC 08    JSR   $08AC
087F-   C8          INY
0880-   20 AC 08    JSR   $08AC

; check for Applesoft in ROM, display
; error message if not found
0883-   AD 00 E0    LDA   $E000
0886-   C9 4C       CMP   #$4C
0888-   D0 13       BNE   $089D

; switch back to RAM bank 2
088A-   AD 83 C0    LDA   $C083
088D-   AD 83 C0    LDA   $C083

; push ($E000) to the stack, then
; "return" to that address (+1)
0890-   AD 00 E0    LDA   $E000
0893-   C9 E0       CMP   #$E0
0895-   D0 06       BNE   $089D
0897-   48          PHA
0898-   AD 01 E0    LDA   $E001
089B-   48          PHA
089C-   60          RTS

Since this boot0 code bears little
resemblance to DOS 3.3, I'll need a
custom trace routine to capture the
code it loads into $DA00..$E0FF.

*9600<C600.C6FFM

; Interrupt boot at $086B, immediately
; after the sector read loop. Set up a
; callback to a routine under my
; control so I can capture the code in
; RAM bank 2.
96F8-   A9 4C       LDA   #$4C
96FA-   8D 6B 08    STA   $086B
96FD-   A9 0A       LDA   #$0A
96FF-   8D 6C 08    STA   $086C
9702-   A9 97       LDA   #$97
9704-   8D 6D 08    STA   $086D

; start the boot
9707-   4C 01 08    JMP   $0801

; callback is here -- copy $DA00..$E0FF
; to main memory so it will survive a
; reboot (RAM bank 2 is read/write at
; this point)
970A-   A2 07       LDX   #$07
970C-   A0 00       LDY   #$00
970E-   B9 00 DA    LDA   $DA00,Y
9711-   99 00 2A    STA   $2A00,Y
9714-   C8          INY
9715-   D0 F7       BNE   $970E
9717-   EE 10 97    INC   $9710
971A-   EE 13 97    INC   $9713
971D-   CA          DEX
971E-   D0 EE       BNE   $970E

; switch back from RAM bank 2 to ROM
9720-   AD 82 C0    LDA   $C082

; turn off slot 6 drive motor
9723-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9726-   4C 00 C5    JMP   $C500

*BSAVE TRACE1,A$9600,L$129

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 DA00-E0FF,A$2A00,L$700
]CALL -151

(The code at $DA00..$E0FF is loaded in
$2A00..$30FF, so everything is off by
$B000. Relative branches will look
correct, but absolute addresses will
be off by $B000.)

First, let's see what would be at $E000
and $E001, which the boot0 code pushes
to the stack.

*3000.3001

3000- E0 02

OK, so execution continues at $E003
(the address pushed to the stack, +1).

*3003L

; seek to track 0
3003-   A6 2B       LDX   $2B
3005-   A9 00       LDA   #$00
3007-   20 A0 DC    JSR   $DCA0

; read the next available address field
300A-   20 44 DC    JSR   $DC44

; Zero page $2D is part of the scratch
; space used by the RWTS to verify the
; address field checksum. (The routine
; is at $B962..$B98A, in a regular DOS
; 3.3 RWTS. Zero page $2F holds the
; disk volume number; $2E holds the
; track number; $2D holds the sector
; number; $2C holds the checksum.)
300D-   A5 2D       LDA   $2D
300F-   C9 00       CMP   #$00

; keep reading address fields until we
; find sector 0
3011-   D0 F7       BNE   $300A

; this subroutine is just a wait loop
3013-   20 AE E0    JSR   $E0AE

; now seek to track 1
3016-   A0 01       LDY   #$01
3018-   8C BC E0    STY   $E0BC
301B-   98          TYA
301C-   0A          ASL
301D-   20 A0 DC    JSR   $DCA0

; and read the address field of the
; next available sector (without any
; regard for which sector it is)
3020-   20 44 DC    JSR   $DC44

; and wait again
3023-   20 AE E0    JSR   $E0AE

; now compare the sector number we
; actually found to a predetermined
; list of expected sector numbers)
3026-   A5 2D       LDA   $2D
3028-   AC BC E0    LDY   $E0BC
302B-   D9 BD E0    CMP   $E0BD,Y

; if we didn't find the "right" sector,
; jump back to the beginning and start
; again (which explains why my copy
; makes that unique grinding sound
; forever)
302E-   D0 D5       BNE   $3005
3030-   C8          INY
3031-   C0 08       CPY   #$08
3033-   90 E3       BCC   $3018

; seek back to track 0
3035-   A9 00       LDA   #$00
3037-   20 A0 DC    JSR   $DCA0

; the rest of this looks like normal
; initialization of the RWTS parameter
; table (albeit shifted)
303A-   A5 2B       LDA   $2B
303C-   8D D0 DF    STA   $DFD0
303F-   8D DE DF    STA   $DFDE
3042-   8D F6 DF    STA   $DFF6
3045-   4A          LSR
3046-   4A          LSR
3047-   4A          LSR
3048-   4A          LSR
3049-   AA          TAX
304A-   A9 00       LDA   #$00
304C-   8D F4 03    STA   $03F4
304F-   8D 79 DD    STA   $DD79
3052-   0A          ASL
3053-   9D 79 DD    STA   $DD79,X
3056-   9D F8 04    STA   $04F8,X
.
.
.     ; array of expected sectors
30BE-   05 0A 0F 04 09 0E 03 08
30C6-   0D 02 07 0C 01 06 0B 00

That is a fascinating form of copy
protection. It relies on tracks 0 and 1
being synchronized on the physical disk
in such a way that blindly jumping
between the tracks finds sectors in a
specific order as the disk is rotating
in the drive. It's theoretically
possible to defeat this copy protection
with a bit copy that maintains that
synchronization (the so-called "sync
tracks" option in most copiers), but
even then it probably wouldn't work in
an emulator. For example, the AppleWin
emulator offers an "enhanced speed"
option which ignores sector skew to get
standard DOS 3.3 disks to load faster.
So even if I did manage to create a
perfectly synchronized copy of this
disk, emulators would just ignore it.
Emulating copy protection is A Hard
Problem(tm).

Anyway, this copy protection routine
doesn't seem to have any side effects.
If it succeeds, execution continues at
$E03A. If it fails, it keeps trying
until it succeeds (or until it destroys
your disk drive).

Thus, I can change the jump address at
$E000 to point to the first instruction
after the copy protection (minus 1, due
to how pushing addresses to the stack
works).

T00,S06,$01 change "02" to "39"

Quod erat liberandum.

---------------------------------------
A 4am crack                      No. 69
------------------EOF------------------