----------------Paperboy--------------- A 4am crack 2014-05-15 --------------------------------------- Paperboy is a 1988 arcade game distributed by Mindscape, Inc. COPYA fails immediately with a disk read error. EDD 4 bit copy appears to work, but the copy does not boot. It loads ProDOS and displays a graphical Mindscape logo, but then glitches out and fills the screen with garbage and crashes. Turning to my trusty Copy ][+ sector editor, I find the "DOS 3.3 PATCHED" option (press "P" to go to the Sector Editor Patcher) allows me to read every sector on every track. The name of this option is a misnomer; it works on copy protected ProDOS disks like this one, not just DOS 3.3 disks. What it really means is "16-sector" (as opposed to DOS 3.2, which was a 13-sector-per- track format). Based on my experience cracking other disks, I would guess that this disk has - Standard prologue bytes before the address and data fields [otherwise Copy ][+ sector editor would give read errors, even with the "DOS 3.3 PATCHED" option] - Non-standard epilogue bytes after the address and data fields [otherwise COPYA would work] - Some secondary protection [otherwise the bit copy created with EDD 4 would work] The easiest way to convert the disk to standard epilogue bytes is to use COPYA with a patched RWTS that accepts any epilogue bytes on read but includes standard epilogue bytes on write. [S6D1=DOS 3.3 master disk] ]PR#6 ... ]CALL -151 *B942:18 *3D0G ]RUN COPYA [S6D1=original disk] [S6D2=blank disk] ...read read read... ...grind grind grind... ...write write write... OK, now I have a copy in standard disk format that can be read by any tools. i.e. I can copy the disk in drive 2 with COPYA without patching the RWTS beforehand. I can sector edit the disk without messing with the Sector Editor Patcher. There are two problems with this copy: 1. Depending on how the original disk was written, this copy may or may not be able to read itself. I may need to patch the disk's RWTS to deal with the fact that the disk is now in a standard format. 2. Even if it can read itself, it won't run, because it still has some sort of secondary protection checking if the disk is original. It's not, obviously. That's kind of the point. Just by booting the copy, I can rule out problem #1. The disk seems to read itself just fine. It makes it exactly as far as my unsuccessful bit copy: ProDOS --> logo --> glitch --> crash. On the bright side, now that it's in a standard format, I can boot another ProDOS disk with BASIC.SYSTEM and poke around. [S6D1=ProDOS disk] [S6D2=my non-working copy] ]PR#6 ... PRODOS BASIC 1.5 COPYRIGHT APPLE 1983-92 ]CAT,S6,D2 /P NAME TYPE BLOCKS MODIFIED PRODOS SYS 32 17-APR-87 LOGO BIN 17 17-FEB-88 PBTITLE.PIC BIN 21 25-MAR-88 PBD.BIN BIN 25 25-MAR-88 PBCH2.BIN BIN 8 2-MAR-88 PBMAP.BIN BIN 46 2-MAR-88 PBC.BIN BIN 9 25-MAR-88 PBLOAD.SYSTEM SYS 3 28-MAR-88 PB.TSK BIN 30 28-MAR-88 PBSYS.TSK BIN 17 25-MAR-88 PBM.TSK BIN 15 25-MAR-88 *,,,,,, $AC 44032 BLOCKS FREE: 50 BLOCKS USED: 230 First of all, I have no idea what that last "file" is. It's possible that the disk catalog has been intentionally corrupted, or my original disk was bad. (Unlikely; the game itself plays fine. But after 25 years, anything is possible.) ProDOS loads the first .SYSTEM file -- in this case, the only .SYSTEM file -- at address $2000 and runs it. ]BLOAD PBLOAD.SYSTEM,A$2000,TSYS,S6,D2 ]CALL -151 *2000L ; reset vector 2000- A2 2D LDX #$2D 2002- 8E F3 03 STX $03F3 ; It turns out that $2117 is a wrapper ; around ProDOS file reads -- this call ; loads the graphical Mindscape logo. ; This call is harmless (as far as copy ; protection goes); it works just fine ; on my not-yet-working copy. 2005- A0 23 LDY #$23 2007- 20 17 21 JSR $2117 200A- 8D 00 C0 STA $C000 ; and display the logo 200D- AD 55 C0 LDA $C055 2010- AD 52 C0 LDA $C052 2013- AD 57 C0 LDA $C057 2016- AD 50 C0 LDA $C050 ; load more files 2019- A2 57 LDX #$57 201B- A0 23 LDY #$23 201D- 20 17 21 JSR $2117 ; Copy data from main memory to aux ; memory, using the built-in routine at ; $C311. See Apple II Technical Note #3 ; "Double High-Resolution Graphics" ; pp. 15-16, "Using AUXMOVE." ; Anyway, this is harmless. 2020- A9 00 LDA #$00 2022- 85 3C STA $3C 2024- 85 42 STA $42 2026- A9 60 LDA #$60 2028- 85 3D STA $3D 202A- A9 A4 LDA #$A4 202C- 85 43 STA $43 202E- A9 FF LDA #$FF 2030- 85 3E STA $3E 2032- A9 7B LDA #$7B 2034- 85 3F STA $3F 2036- 38 SEC 2037- 20 11 C3 JSR $C311 ; don't know what this is yet 203A- 20 AA 21 JSR $21AA *21AAL ; save zero page state 21AA- A2 F0 LDX #$F0 21AC- B5 00 LDA $00,X 21AE- 9D AA 20 STA $20AA,X 21B1- E8 INX 21B2- D0 F8 BNE $21AC ; this does a disk read through ProDOS, ; presumably to position the drive head ; for an upcoming nibble check 21B4- 20 75 21 JSR $2175 21B7- A9 0A LDA #$0A 21B9- 85 F4 STA $F4 ; turning on the drive motor manually ; is a sure sign of something shady ; (and by "shady" I mean "copy- ; protection-related") 21BB- A6 2B LDX $2B 21BD- BD 89 C0 LDA $C089,X 21C0- BD 8E C0 LDA $C08E,X 21C3- A9 50 LDA #$50 21C5- 85 F6 STA $F6 21C7- A9 22 LDA #$22 21C9- 85 F7 STA $F7 21CB- A9 80 LDA #$80 21CD- 85 F5 STA $F5 21CF- C6 F5 DEC $F5 21D1- F0 5C BEQ $222F 21D3- 20 5A 22 JSR $225A *225AL ; this subroutine finds the address ; prologue sequence ("D5 AA 96") and ; skips over the actual address field ; (8 bytes) 225A- A0 FD LDY #$FD 225C- 84 F8 STY $F8 225E- C8 INY 225F- D0 04 BNE $2265 2261- E6 F8 INC $F8 2263- F0 3D BEQ $22A2 2265- BD 8C C0 LDA $C08C,X 2268- 10 FB BPL $2265 226A- C9 D5 CMP #$D5 226C- D0 F0 BNE $225E 226E- EA NOP 226F- BD 8C C0 LDA $C08C,X 2272- 10 FB BPL $226F 2274- C9 AA CMP #$AA 2276- D0 F2 BNE $226A 2278- A0 03 LDY #$03 227A- BD 8C C0 LDA $C08C,X 227D- 10 FB BPL $227A 227F- C9 96 CMP #$96 2281- D0 E7 BNE $226A 2283- A9 00 LDA #$00 2285- 85 F9 STA $F9 2287- BD 8C C0 LDA $C08C,X 228A- 10 FB BPL $2287 228C- 2A ROL 228D- 85 F8 STA $F8 228F- BD 8C C0 LDA $C08C,X 2292- 10 FB BPL $228F 2294- 25 F8 AND $F8 2296- 99 F0 00 STA $00F0,Y 2299- 45 F9 EOR $F9 229B- 88 DEY 229C- 10 E7 BPL $2285 229E- A8 TAY 229F- EA NOP 22A0- 18 CLC 22A1- 60 RTS 22A2- 38 SEC 22A3- 60 RTS Popping the stack back to $21D6... *21D6L ; address prologue not found? fail 21D6- B0 57 BCS $222F 21D8- A5 F1 LDA $F1 21DA- C9 07 CMP #$07 21DC- D0 F1 BNE $21CF ; actual nibble check starts here 21DE- A0 00 LDY #$00 21E0- BD 8C C0 LDA $C08C,X 21E3- 10 FB BPL $21E0 21E5- 88 DEY ; didn't find nibble? fail 21E6- F0 47 BEQ $222F 21E8- C9 D5 CMP #$D5 21EA- D0 F4 BNE $21E0 21EC- A0 00 LDY #$00 21EE- BD 8C C0 LDA $C08C,X 21F1- 10 FB BPL $21EE 21F3- 88 DEY ; didn't find nibble? fail 21F4- F0 39 BEQ $222F 21F6- C9 E7 CMP #$E7 21F8- D0 F4 BNE $21EE 21FA- BD 8C C0 LDA $C08C,X 21FD- 10 FB BPL $21FA 21FF- C9 E7 CMP #$E7 ; didn't find the right nibbles in the ; right order? fail 2201- D0 2C BNE $222F 2203- BD 8C C0 LDA $C08C,X 2206- 10 FB BPL $2203 2208- C9 E7 CMP #$E7 ; (Actually, it's even worse than that, ; because the original disk is written ; with timing bits in specific non- ; standard places between the nibbles. ; This code not only requires the right ; nibbles in the right order, it reads ; them just slightly faster than it's ; supposed to. So the timing bits need ; to be in the right places too, or the ; disk will get out of sync and read ; the wrong nibble values. This will ; trip up even the best bit copiers. ; And you can forget about making a ; disk image for emulators -- those ; don't store timing bits at all.) 220A- D0 23 BNE $222F 220C- BD 8D C0 LDA $C08D,X 220F- A0 10 LDY #$10 2211- 24 06 BIT $06 2213- BD 8C C0 LDA $C08C,X 2216- 10 FB BPL $2213 2218- 88 DEY 2219- F0 14 BEQ $222F 221B- C9 EE CMP #$EE 221D- D0 F4 BNE $2213 221F- A0 07 LDY #$07 2221- BD 8C C0 LDA $C08C,X 2224- 10 FB BPL $2221 2226- D1 F6 CMP ($F6),Y 2228- D0 05 BNE $222F 222A- 88 DEY 222B- 10 F4 BPL $2221 222D- 30 03 BMI $2232 222F- 4C 47 22 JMP $2247 ; success path lands here -- ; restore zero page 2232- A0 F0 LDY #$F0 2234- B9 AA 20 LDA $20AA,Y 2237- 99 00 00 STA $0000,Y 223A- C8 INY 223B- D0 F7 BNE $2234 ; turn off drive motor 223D- BD 88 C0 LDA $C088,X ; don't know what this does but maybe ; it prevents the game from glitching ; and hanging? 2240- A9 60 LDA #$60 2242- 8D 50 23 STA $2350 ; clear carry flag and exit 2245- 18 CLC 2246- 60 RTS ; failure lands here -- set carry flag ; and exit 2247- C6 F4 DEC $F4 2249- F0 03 BEQ $224E 224B- 4C CB 21 JMP $21CB 224E- 38 SEC 224F- 60 RTS OK, a couple of side effects here. Rather than trying to reproduce all of them or worrying which ones are relevant, the safest course of action would be to change the caller at $203A from JSR $211A (call nibble check) to JSR $2240 (call the success path). I'm afraid to BSAVE this file, given the corruption I saw in the disk catalog earlier. (Maybe that was the point? Who knows.) But using my trusty Copy ][+ sector editor, I searched for the hex sequence "20 AA 21" and found it on track 14, sector 05. T14,S05,$3B change "AA 21" to "40 22" Tada! The game boots and runs without complaint. Quod erat liberandum. --------------------------------------- A 4am crack No. 34 ------------------EOF------------------