---------------Succession--------------
A 4am crack
2015-08-17
---------------------------------------

Name: Succession
Genre: arcade
Year: 1982
Authors: Chris Eisnaugle
Publisher: Piccadilly Software, Inc.
Media: single-sided 5.25-inch floppy
OS: custom with DOS 3.3 bootloader
Previous cracks: Super Pirates of Minneapolis ("short version from Black Bag")

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error, but it gets a participation medal just for showing up

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  T00-T08 -> modified address epilogue ("DE D5 EB" instead of "DE AA EB")
  T09+ unformatted

Disk Fixer
  ["O" -> "Input/Output Control"]
  set Address Epilogue to "DE D5 EB"
  Success! T00-T08 readable
  T00 -> looks like a DOS 3.3 RWTS
  No sign of the rest of DOS though
  No disk catalog on any track

Why didn't COPYA work?
  modified address epilogues

Why didn't Locksmith FDB work?
  modified address epilogues

EDD worked. What does that tell us?
  no half or quarter tracks
  probably no nibble check
  just structural changes (epilogue)

Next steps:

1. capture RWTS with AUTOTRACE
2. convert disk to standard format with Advanced Demuffin (tracks $00-$08 only)
3. patch RWTS (if necessary)

~

Chapter 1
In Which We Attempt To Use The Original Disk As A Weapon Against Itself
And It Goes As Well As Can Be Expected

[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

]BRUN ADVANCED DEMUFFIN 1.5
["5" to switch to slot 5]
["R" to load a new RWTS module]
--> At $B8, load "RWTS" from drive 1
["6" to switch to slot 6]
["C" to convert disk]
[press "Y" to change default values]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======================================
INPUT ALL VALUES IN HEX
SECTORS PER TRACK? (13/16) 16
START TRACK: $00
START SECTOR: $00
END TRACK: $08       <-- change this
END SECTOR: $0F      <-- change this
INCREMENT: 1
MAX # OF RETRIES: 0
COPY FROM DRIVE 1 TO DRIVE: 2
=======================================
16SC $00,$00-$08,$0F BY$01 S6,D1->S6,D2
--^--

[press RETURN to start conversion]

--v--
ADVANCED DEMUFFIN 1.5
(C) 1983, 2014 ORIGINAL BY THE STACK
UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:0123456789ABCDEF0123456789ABCDEF012
+.5:
SC0:.........
SC1:.........
SC2:.........
SC3:.........
SC4:.........
SC5:.........
SC6:.........
SC7:.........
SC8:.........
SC9:.........
SCA:.........
SCB:.........
SCC:.........
SCD:.........
SCE:.........
SCF:.........
=======================================
16SC $00,$00-$08,$0F BY1.0 S6,D1->S6,D2
--^--

[S6,D1=demuffin'd copy]

]PR#6
...reboots endlessly...

Interesting. On the one hand, it would not surprise me if the demuffin'd disk couldn't read itself without patching. But with a DOS 3.3-shaped RWTS, that manifests itself as grinding (as the RWTS assumes a disk read error can be solved by resynchronizing to track $00 and back again). Perhaps the RWTS has been modified to immediately give up on any read error. Or perhaps there is a nibble check after all. But that would surprise me, since my EDD bit copy worked.

~

Chapter 2
In Which We Are Surprised

If the RWTS needs patching, my Post-Demuffin Patcher can probably fix it automatically. As I recall from my investigations with a nibble editor, there was only one change to the address epilogue.

]PR#5
...
]BRUN PDP

T00,S03,$9B change D5 to AA

(As expected, PDP fixed the RWTS check for address epilogue nibble #2.)

]PR#6
...loads title then beeps endlessly...

That is most definitely progress. A minute ago, my copy didn't even load the title screen.

Possible explanations:

- The disk has 2 RWTSs, and it switches to the second one after loading the title screen. (Up'N' Down does this.)

- I didn't convert all the tracks. I thought T09+ were unformatted, but maybe I missed one. If the game has some sort of checksum on the code, it would fail because some of the code is missing. (Spy Hunter does this.)

- There really is a nibble check, but it's weak enough that an EDD bit copy fools it.

When in doubt, trace the boot.

]PR#5
...
]BLOAD BOOT0,A$800
]CALL -151

*801L
...

Nothing stands out. In fact, boot0 is identical to DOS 3.3.

*BLOAD BOOT1,A$2600
*FE89G FE93G                ; disconnect DOS
*B600<2600.2FFFM            ; move RWTS into place
*B700L

; probably a standard RWTS parameter
; table
B700-   8E E6 B7    STX   $B7E6
B703-   8E F4 B7    STX   $B7F4

; turn on graphics page
B706-   AD 50 C0    LDA   $C050
B709-   AD 57 C0    LDA   $C057
B70C-   4C D0 BF    JMP   $BFD0

*BFD0L

; not sure what these are for yet
BFD0-   A9 83       LDA   #$83
BFD2-   85 4E       STA   $4E
BFD4-   A9 B9       LDA   #$B9
BFD6-   85 4F       STA   $4F
BFD8-   4C 0F B7    JMP   $B70F

*B70FL

; set (probably nasty) reset vector
B70F-   A9 D8       LDA   #$D8
B711-   8D F2 03    STA   $03F2
B714-   A9 BF       LDA   #$BF
B716-   8D F3 03    STA   $03F3
B719-   49 A5       EOR   #$A5
B71B-   8D F4 03    STA   $03F4

; clear hi-res screen
B71E-   A9 00       LDA   #$00
B720-   85 00       STA   $00
B722-   A9 20       LDA   #$20
B724-   85 01       STA   $01
B726-   AA          TAX
B727-   A0 00       LDY   #$00
B729-   98          TYA
B72A-   91 00       STA   ($00),Y
B72C-   C8          INY
B72D-   D0 FB       BNE   $B72A
B72F-   E6 01       INC   $01
B731-   CA          DEX
B732-   D0 F6       BNE   $B72A

; set up standard RWTS parameter table
; except everything is shifted

; start address = $0C00
B734-   8D ED B7    STA   $B7ED
B737-   A9 0C       LDA   #$0C
B739-   8D EE B7    STA   $B7EE

; start track/sector = T01,S0F
B73C-   A9 01       LDA   #$01
B73E-   8D E9 B7    STA   $B7E9
B741-   A9 0F       LDA   #$0F
B743-   8D EA B7    STA   $B7EA

; call RWTS
B746-   A9 B7       LDA   #$B7
B748-   A0 E5       LDY   #$E5
B74A-   20 00 BD    JSR   $BD00

; any error is fatal (no retries)
B74D-   B0 35       BCS   $B784

; multi-sector read loop into
; consecutive memory
B74F-   AC EA B7    LDY   $B7EA
B752-   88          DEY
B753-   10 05       BPL   $B75A
B755-   A0 0F       LDY   #$0F
B757-   EE E9 B7    INC   $B7E9
B75A-   8C EA B7    STY   $B7EA
B75D-   EE EE B7    INC   $B7EE

; up to $8C00, so 8 full tracks
B760-   AD EE B7    LDA   $B7EE
B763-   C9 8C       CMP   #$8C
B765-   D0 DF       BNE   $B746
B767-   A9 00       LDA   #$00
B769-   8D F1 B7    STA   $B7F1

; hmm
B76C-   AD FF B7    LDA   $B7FF
B76F-   8D E9 B7    STA   $B7E9

*B7FF

B7FF-   19

OK, so we're seeking to track $19. Why?

B772-   A0 E5       LDY   #$E5
B774-   A9 B7       LDA   #$B7
B776-   20 00 BD    JSR   $BD00

; ah, here's why: a nibble check
B779-   AE E6 B7    LDX   $B7E6

; turn on drive motor manually
B77C-   BD 89 C0    LDA   $C089,X

; this seems important
B77F-   20 A1 B7    JSR   $B7A1

; carry clear = success, branch over
; the line that reboots the machine
B782-   90 03       BCC   $B787

; carry set = reboot the machine (we
; also ended up here if there were disk
; read errors earlier, from $B74D)
B784-   6C FC FF    JMP   ($FFFC)

; success path here -- set the reset
; vector to something else
B787-   A9 0C       LDA   #$0C
B789-   8D F3 03    STA   $03F3
B78C-   49 A5       EOR   #$A5
B78E-   8D F4 03    STA   $03F4
B791-   A9 00       LDA   #$00
B793-   8D F2 03    STA   $03F2
B796-   AE E6 B7    LDX   $B7E6

; turn off the drive motor
B799-   BD 88 C0    LDA   $C088,X

; start the game
B79C-   4C 00 0C    JMP   $0C00

OK, the routine at $B7A1 is definitely the copy protection. I already know that it should clear the carry bit on success and set it on failure (a common convention).
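The listing of $B7A1 follows. As an added illustration (not code from this write-up), here is a Python model of what that routine does: the Death Counter, the search for the "DE AA EB" epilogue followed by "FC FC D5", and the carry result that decides between $B784 and $B787. The track $19 nibble streams it runs on are constructed, not dumped from a real disk.

```python
# Added example, not 4am's code: a Python model of the Succession nibble check
# at $B7A1, to show why an EDD bit copy passes and a demuffin'd copy reboots.
# The track $19 nibble streams at the bottom are constructed, not read from disk.

DEATH_COUNTER = 0x50                           # LDY #$50 / STY $04
WANTED = [0xDE, 0xAA, 0xEB, 0xFC, 0xFC, 0xD5]  # epilogue, then the magic nibbles


def nibble_check(track):
    """Model of $B7A1; returns (carry_set, nibbles_read).
    carry_set True  = SEC/RTS at $B79F, so the boot reboots via $B784.
    carry_set False = CLC/RTS at $B7E3, so the boot continues to $B787.
    The disk keeps spinning, so reads wrap around to the start of track.
    """
    pos = 0

    def read():                                # LDA $C08C,X / BPL until valid
        nonlocal pos
        nib = track[pos % len(track)]
        pos += 1
        return nib

    y = DEATH_COUNTER
    deaths = DEATH_COUNTER                     # the byte kept at $04
    while True:
        y = (y - 1) & 0xFF                     # $B7A5 DEY
        if y == 0:                             # $50 passes first time, then every 256
            deaths -= 1                        # $B7A8 DEC $04
            if deaths == 0:
                return True, pos               # $B7AA BEQ $B79F: SEC, RTS
        a = read()                             # $B7AC fresh nibble
        while a == 0xDE:                       # $B7B1 CMP #$DE
            # Each later mismatch branches back to $B7B1 and re-compares the
            # nibble just read against $DE: no new read, no Death Counter tick.
            for want in WANTED[1:]:
                a = read()
                if a != want:
                    break
            else:
                return False, pos              # $B7E3 CLC, RTS: sequence found
        # not $DE: back to $B7A5 and burn one tick of the Death Counter


GAP = [0xFF] * 8                               # constructed gap bytes
ADDRESS = [0xD5, 0xAA, 0x96] + GAP             # constructed address-field stand-in
ORIGINAL_T19 = GAP + ADDRESS + [0xDE, 0xAA, 0xEB, 0xFC, 0xFC, 0xD5] + GAP
# A freshly formatted copy: standard epilogue, gap, then a data prologue.
DEMUFFIN_T19 = GAP + ADDRESS + [0xDE, 0xAA, 0xEB] + GAP + [0xD5, 0xAA, 0xAD] + GAP
# A false start followed by the real thing exercises the re-compare path.
RETRY_T19 = [0xDE, 0xAA, 0xEB, 0xDE, 0xAA, 0xEB, 0xFC, 0xFC, 0xD5] + GAP
```

In this model a track with no $DE at all makes the routine give up after 20,303 nibbles, which is the Death Counter ($50 passes, then $4F more of 256 each) running out.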
B79F-   38          SEC
B7A0-   60          RTS

; entry point is here --
; set up the Death Counter
B7A1-   A0 50       LDY   #$50
B7A3-   84 04       STY   $04
B7A5-   88          DEY
B7A6-   D0 04       BNE   $B7AC
B7A8-   C6 04       DEC   $04

; if Death Counter hits 0, branch back
; to set the carry and exit (this will
; end up rebooting, at $B784)
B7AA-   F0 F3       BEQ   $B79F

; look for standard epilogue "DE AA EB"
B7AC-   BD 8C C0    LDA   $C08C,X
B7AF-   10 FB       BPL   $B7AC
B7B1-   C9 DE       CMP   #$DE

; if not found, loop back and decrement
; the Death Counter
B7B3-   D0 F0       BNE   $B7A5
B7B5-   BD 8C C0    LDA   $C08C,X
B7B8-   10 FB       BPL   $B7B5
B7BA-   C9 AA       CMP   #$AA
B7BC-   D0 F3       BNE   $B7B1
B7BE-   EA          NOP
B7BF-   BD 8C C0    LDA   $C08C,X
B7C2-   10 FB       BPL   $B7BF
B7C4-   C9 EB       CMP   #$EB
B7C6-   D0 E9       BNE   $B7B1

; now look for a specific sequence of
; nibbles, "FC FC D5"
B7C8-   BD 8C C0    LDA   $C08C,X
B7CB-   10 FB       BPL   $B7C8
B7CD-   C9 FC       CMP   #$FC
B7CF-   D0 E0       BNE   $B7B1
B7D1-   BD 8C C0    LDA   $C08C,X
B7D4-   10 FB       BPL   $B7D1
B7D6-   C9 FC       CMP   #$FC
B7D8-   D0 D7       BNE   $B7B1
B7DA-   BD 8C C0    LDA   $C08C,X
B7DD-   10 FB       BPL   $B7DA
B7DF-   C9 D5       CMP   #$D5
B7E1-   D0 CE       BNE   $B7B1

; success path falls through to here --
; clear carry and exit
B7E3-   18          CLC
B7E4-   60          RTS

This explains why my EDD bit copy was successful. It's looking for a nibble sequence, but it doesn't care about timing bits or desynchronized nibbles or anything fancy. It just looks for a specific nibble sequence on track $19 and fails if it can't find it. EDD copied that sequence just fine, but of course my demuffin'd copy doesn't have anything like that on track $19.

After the multi-sector read loop, I can unconditionally jump to the success path at $B787, bypassing the track seek and the nibble check altogether.

T00,S01,$67 change "A9 00" to "F0 18"

Quod erat liberandum.

---------------------------------------
A 4am crack No. 408
------------------EOF------------------