--------------Kids on Keys-------------
A 4am crack                  2014-03-31
---------------------------------------

Kids on Keys is a 1984 educational game
distributed by Spinnaker Software.

COPYA fails to read the disk on track
$1F. A more liberal sector copier like
Locksmith 7.0 Fast Disk Backup shows
read errors on tracks $1F and above but
finishes the copy anyway. The upper
tracks appear unformatted and the
original simply ignores them.

Unfortunately, the copy doesn't work.
It boots DOS and displays the BASIC
prompt, prints "STANDBY FOR KIDS ON
KEYS", does some more disk activity,
then stalls.

The original appears to boot a standard
DOS 3.3, and it has a standard VTOC on
track $11. I can even hit Ctrl-C during
boot to break into the BASIC
prompt. Whatever is causing the stall,
it's not part of the DOS.

]PR#6
<Ctrl-C>

BREAK
]CATALOG

DISK VOLUME 254

 A 002 HELLO
 B 034 KICK
 A 002 G
 B 020 LO
 B 068 KOKBAK
 B 069 KOKBAK2
 B 069 KOKBAK3
 A 002 HELLO2
 B 073 KOKBAK4
 B 073 KOKBAK5
 B 074 KOK

]LIST

 5  PRINT "STANDBY FOR KIDS ON KE
     YS"
 10  PRINT  CHR$ (4) + "BLOAD KOK
     "
 20  PRINT  CHR$ (4) + "BRUN KICK
     "

]BLOAD KOK
]BLOCK KICK

(Not shown: rebooting into Copy ][+ to
do a disk catalog with file lengths, to
discover that KICK starts at $2000.)

]CALL -151
*2000L
...

(Not shown: a loop to copy the range
$2800..$3FFF to $0800..$1FFF, followed
by a JMP $888F.)

*888FL

; sneaky way to chain subroutines
; without an explicit call, by manually
; pushing an address onto the stack
888F-   A9 88       LDA   #$88
8891-   48          PHA
8892-   A9 4A       LDA   #$4A
8894-   48          PHA
; save some state
8895-   A5 08       LDA   $08
8897-   8D C4 88    STA   $88C4
889A-   A5 09       LDA   $09
889C-   8D C5 88    STA   $88C5
; loop to decrypt code at $87AB
889F-   A9 AB       LDA   #$AB
88A1-   85 08       STA   $08
88A3-   A9 87       LDA   #$87
88A5-   85 09       STA   $09
88A7-   A9 96       LDA   #$96
88A9-   48          PHA
88AA-   A0 00       LDY   #$00
88AC-   68          PLA
88AD-   51 08       EOR   ($08),Y
88AF-   91 08       STA   ($08),Y
88B1-   48          PHA
88B2-   C8          INY
88B3-   98          TYA
88B4-   C9 FF       CMP   #$FF
88B6-   D0 F4       BNE   $88AC
88B8-   68          PLA
; restore state
88B9-   AD C4 88    LDA   $88C4
88BC-   85 08       STA   $08
88BE-   AD C5 88    LDA   $88C5
88C1-   85 09       STA   $09
; "return" to the address pushed at the
; beginning of this routine, 1+$884A.
88C3-   60          RTS

OK, so let's change that return address
so it breaks into the monitor once the
decryption is done.

*8890:FF
*8893:58
*888FG
<beep>

Now the routine at $884B is decrypted
and I can see what's going on.

*884BL

; again with the manual pushing
884B-   A9 3F       LDA   #$3F
884D-   48          PHA
884E-   A9 FF       LDA   #$FF
8850-   48          PHA
; don't know what this does yet
8851-   20 C5 87    JSR   $87C5
; turn on the disk motor
8854-   AD EA C0    LDA   $C0EA
8857-   AD E9 C0    LDA   $C0E9
885A-   A9 AB       LDA   #$AB
885C-   8D B7 87    STA   $87B7
885F-   A9 AF       LDA   #$AF
8861-   8D B6 87    STA   $87B6
; do something ($AB and $AF are valid
; nibbles, so maybe a nibble check
; based on the parameters it just
; stored?)
8864-   20 EF 87    JSR   $87EF
8867-   A9 01       LDA   #$01
8869-   8D B1 87    STA   $87B1
886C-   20 C5 87    JSR   $87C5
; turn on the disk motor again
886F-   AD E9 C0    LDA   $C0E9
8872-   A9 04       LDA   #$04
8874-   8D 29 88    STA   $8829
; maybe another nibble check? slightly
; different parameters this time
8877-   A9 AB       LDA   #$AB
8879-   8D B8 87    STA   $87B8
887C-   A9 AB       LDA   #$AB
887E-   8D B7 87    STA   $87B7
8881-   A9 AB       LDA   #$AB
8883-   8D B6 87    STA   $87B6
8886-   20 EF 87    JSR   $87EF
; turn off the disk motor
8889-   AD E8 C0    LDA   $C0E8
888C-   A9 00       LDA   #$00
; and "return" to the address pushed
; earlier, 1+$3FFF.
888E-   60          RTS

I haven't gone any deeper into this
code yet, but it seems like a good bet
that this is where it's stalling. If
the routine "succeeds" (ends), it
continues to address $4000 (1 + the
$3FFF that was manually pushed onto the
stack at the beginning on the routine).

I wonder what's at $4000.

*4000L

4000-   A9 53       LDA   #$53
4002-   8D F2 03    STA   $03F2
4005-   A9 43       LDA   #$43
4007-   8D F3 03    STA   $03F3
400A-   20 6F FB    JSR   $FB6F
400D-   AD 57 C0    LDA   $C057
4010-   AD 54 C0    LDA   $C054
4013-   AD 52 C0    LDA   $C052
4016-   AD 50 C0    LDA   $C050
4019-   4C 50 43    JMP   $4350

That certainly looks like a non-evil
initialization routine for a game. It
sets the reset vector at $3F2, turns on
hi-res graphics screen 1, and jumps
somewhere else. Now I'm wondering if I
could just bypass this entire silliness
at $888F and $884B and jump straight to
$4000 to start the game.

*2098:4C 00 40
*2000G

Lo and behold, the game runs just fine,
without any stalling.

My trusty Copy ][+ sector editor can
"follow" the KICK file to the actual
track and sector where it's actually
stored on disk. The patch is just two
bytes, bypassing the call to $888F and
jumping straight to the real start of
the game at $4000.

T14,S0E,$9D change "8F 88" to "00 40"

Quod erat liberandum.

---------------------------------------
A 4am crack                  2014-03-31
------------------EOF------------------