-----------------Ribbit----------------
A 4am crack
2014-06-14
---------------------------------------

"Ribbit" is a 1982 arcade game written by C. Eisnaugle and L. Fortnow, and distributed by Piccadilly Software Inc.

The original disk immediately switches to the hi-res graphics page and progressively displays a title screen while loading the rest of the game. Once loaded, the game never touches the original disk, so it may be possible to capture this game as a single file.

COPYA fails miserably and immediately with a disk read error. EDD 4 bit copy fares no better; read errors everywhere and the copy seems like it never even gets past track 0.

Time for boot tracing with AUTOTRACE.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
]CALL -151

*800<2800.28FFM
*801L

0801-   A2 00       LDX   #$00
0803-   BD 00 08    LDA   $0800,X
0806-   9D 00 02    STA   $0200,X
0809-   E8          INX
080A-   D0 F7       BNE   $0803
080C-   4C 0F 02    JMP   $020F

Ooh, exciting. Right off the bat, we're relocating to a low memory page.

*20F<80F.8FFM
*20FL

; Set up a data table of some sort. But
; why?

020F-   A0 AB       LDY   #$AB
0211-   98          TYA
0212-   85 3C       STA   $3C
0214-   4A          LSR
0215-   05 3C       ORA   $3C
0217-   C9 FF       CMP   #$FF
0219-   D0 09       BNE   $0224
021B-   C0 D5       CPY   #$D5
021D-   F0 05       BEQ   $0224
021F-   8A          TXA
0220-   99 00 08    STA   $0800,Y
0223-   E8          INX
0224-   C8          INY
0225-   D0 EA       BNE   $0211
0227-   84 3D       STY   $3D

; $00 into zero page $26 and $03 into
; $27 means we're probably going to be
; loading data into $0300..$03FF later.
0229-   84 26       STY   $26
022B-   A9 03       LDA   #$03
022D-   85 27       STA   $27
022F-   A6 2B       LDX   $2B
0231-   20 5D 02    JSR   $025D

*25DL

; read a sector from somewhere on track
; 0, using a 4-4 nibble encoding scheme

025D-   18          CLC
025E-   08          PHP
025F-   BD 8C C0    LDA   $C08C,X
0262-   10 FB       BPL   $025F
0264-   49 D5       EOR   #$D5
0266-   D0 F7       BNE   $025F
0268-   BD 8C C0    LDA   $C08C,X
026B-   10 FB       BPL   $0268
026D-   C9 AA       CMP   #$AA
026F-   D0 F3       BNE   $0264
0271-   EA          NOP
0272-   BD 8C C0    LDA   $C08C,X
0275-   10 FB       BPL   $0272
0277-   C9 B5       CMP   #$B5
0279-   F0 09       BEQ   $0284
027B-   28          PLP
027C-   90 DF       BCC   $025D
027E-   49 AD       EOR   #$AD
0280-   F0 1F       BEQ   $02A1
0282-   D0 D9       BNE   $025D
0284-   A0 03       LDY   #$03
0286-   84 2A       STY   $2A
0288-   BD 8C C0    LDA   $C08C,X
028B-   10 FB       BPL   $0288
028D-   2A          ROL
028E-   85 3C       STA   $3C
0290-   BD 8C C0    LDA   $C08C,X
0293-   10 FB       BPL   $0290
0295-   25 3C       AND   $3C
0297-   88          DEY
0298-   D0 EE       BNE   $0288
029A-   28          PLP
029B-   C5 3D       CMP   $3D
029D-   D0 BE       BNE   $025D
029F-   B0 BD       BCS   $025E
02A1-   A0 9A       LDY   #$9A
02A3-   84 3C       STY   $3C
02A5-   BC 8C C0    LDY   $C08C,X
02A8-   10 FB       BPL   $02A5

; Ah, this was the purpose of the table
; we set up earlier: it's a decryption
; table.

02AA-   59 00 08    EOR   $0800,Y
02AD-   A4 3C       LDY   $3C
02AF-   88          DEY
02B0-   99 00 08    STA   $0800,Y
02B3-   D0 EE       BNE   $02A3
02B5-   84 3C       STY   $3C
02B7-   BC 8C C0    LDY   $C08C,X
02BA-   10 FB       BPL   $02B7
02BC-   59 00 08    EOR   $0800,Y
02BF-   A4 3C       LDY   $3C
02C1-   91 26       STA   ($26),Y
02C3-   C8          INY
02C4-   D0 EF       BNE   $02B5
02C6-   BC 8C C0    LDY   $C08C,X
02C9-   10 FB       BPL   $02C6
02CB-   59 00 08    EOR   $0800,Y
02CE-   D0 8D       BNE   $025D
02D0-   60          RTS

Continuing from where we left off...

0237-   A9 A9       LDA   #$A9
0239-   8D 0F 03    STA   $030F
023C-   A9 02       LDA   #$02
023E-   8D 10 03    STA   $0310
0241-   4C 01 03    JMP   $0301

OK, it looks like the decryption is self-contained, so I'm going to let it happen, then interrupt the boot before it jumps to $0301. One thing I'm not sure of is which bytes in the $0800 page are part of the decryption table. To be safe, I'm not going to change any bytes in the $0800..$08FF range. That will require a little more code on my part, but not much.
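To make the table loop at $020F and the two-phase read at $02A1..$02D0 concrete, here is a Python model of them (an added example, not code from this write-up or from the disk). It assumes the $0800 page is a 256-entry list and that the entries below $AB, which the loop never writes and which on the real disk hold boot-sector residue, can be left at zero; the nibble stream it decodes is constructed for the demo.

```python
# Added model of the Ribbit loader's decryption table ($020F) and sector decoder
# ($025D); not code from the write-up or the disk, just the listing as arithmetic.

def build_table(page=None):
    """Loop at $020F: walk Y from $AB to $FF and hand out X = 0, 1, 2, ... to each
    nibble with (Y | Y>>1) == $FF (bit 7 set, no two adjacent zero bits), skipping
    $D5. Entries below $AB are never written by this loop; on the real disk they
    hold boot-sector residue, so the zero default here is an assumption."""
    page = list(page) if page is not None else [0] * 256
    x = 0
    for y in range(0xAB, 0x100):
        if (y | (y >> 1)) == 0xFF and y != 0xD5:
            page[y] = x
            x += 1
    return page

def decode_44(first, second):
    """$028D-$0295: ROL the first nibble (carry is set on entry) then AND it with
    the second; the usual 4-4 encoding of one byte across two nibbles."""
    return (((first << 1) | 1) & 0xFF) & second

def decode_sector(nibbles, page):
    """$02A1-$02D0 as a running XOR through the table. Phase 1 reads $9A nibbles
    and stores the running value into $0899 downwards, which also rewrites table
    entries $80..$99 while later nibbles may still index them. Phase 2 reads 256
    more into the ($26) buffer; one final nibble must cancel the running value to
    zero, or the loader goes back to $025D and re-reads the sector."""
    page = list(page)
    a = 0
    for i in range(0x9A):
        a ^= page[nibbles[i]]
        page[0x99 - i] = a
    buf = bytearray(256)
    for y in range(256):
        a ^= page[nibbles[0x9A + y]]
        buf[y] = a
    if a ^ page[nibbles[0x9A + 256]] != 0:
        raise ValueError("checksum mismatch: the loader would retry from $025D")
    return bytes(buf), page

# Constructed nibble stream, not captured from the disk: $9A copies of $AB (table
# value 0), 256 copies of $AD (table value 1), then $AB so the checksum is zero.
SAMPLE = [0xAB] * 0x9A + [0xAD] * 256 + [0xAB]

if __name__ == "__main__":
    data, _ = decode_sector(SAMPLE, build_table())
    print(data[:8].hex())  # 0100010001000100
```

With a zeroed page the loop assigns exactly 32 values ($AB is 0, $FF is 31), which is why the author could not tell from the loop alone whether the residue below $AB also matters.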
*9600

A few manual memory moves and reboots later, I have the entire game in three segments:

B 026 RIBBIT 0800-1FFF
B 066 RIBBIT 2000-5FFF
B 060 RIBBIT 6000-99FF

]BLOAD RIBBIT 0800-1FFF,A$800
]BLOAD RIBBIT 2000-5FFF,A$2000
]BLOAD RIBBIT 6000-99FF,A$6000
]CALL -151
*7FD:4C 00 60
*BSAVE RIBBIT (4AM CRACK),A$7FD,L$9203

In an attempt to more faithfully reproduce the experience of booting the original disk, I've put this binary file on its own disk with a modified CompatiBoot loader. Like the original disk, my loader switches to the hi-res graphics page immediately on boot, so you can see the title screen load over the (uninitialized) graphics page. But you can run the binary file from any DOS 3.3 compatible disk. (You may need "MAXFILES 1" first, since it extends beyond the $9600 boundary that DOS uses for file buffers.)

Quod erat liberandum.

---------------------------------------
A 4am crack No. 73
------------------EOF------------------