--------Championship Lode Runner-------
A 4am crack
2015-03-26
---------------------------------------

Name: Championship Lode Runner
Genre: arcade
Year: 1984
Authors: Doug Smith
Publisher: Broderbund Software
Media: single-sided 5.25-inch floppy
OS: custom
Other versions: The Burglar/MPG

~

Chapter 0
In Which Various Automated Tools Fail In Interesting Ways

COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

Copy ][+ automatic bit copy
  --> "LODE RUNNER (CHAMPIONSHIP)" parm entry
  says to copy T00, then T03-T0C with sector
  copy without address epilogue checking,
  then T0D.25-T1B.25 (a.k.a. "quarter tracks")
  It also says that the quarter tracks are
  extremely difficult to copy, which matches
  my experience. (I never succeeded in doing
  so.)

EDD 4 bit copy (no sync, no count)
  read errors on T01-02, T1C-T22
  copy just hangs on boot

EDD 4 bit copy (redo with quarter tracks
T0D.25-T1B.25)
  no success; copy still hangs on boot

Copy ][+ nibble editor
  T03-T0C appear to be mostly normal with
  modified address epilogue (not consistent,
  but starts with "DE")
  I can see nibble data on the quarter tracks.
  Appears to be 4-4 encoded.

--v--

  COPY ][ PLUS BIT COPY PROGRAM 8.4
(C) 1982-9 CENTRAL POINT SOFTWARE, INC.

---------------------------------------
TRACK: 0D.25  START: 3706  LENGTH: 015F
       ^^^^^
39B8: AA AA AA AA AA AA AA AA     VIEW
39C0: AA AA AA AA AA AA AA AA
39C8: AA AA AA AA AA AA AA AA
39D0: AA AA AA AA F5 AA AA BF
39D8: AE EA AA FA EA EA EA EA   <-39DE
39E0: EA FA EA FA EA FA FA FA
39E8: FA FE FA FE FA FE FA FE
39F0: FE FE FE FF FE FF FE AA
39F8: AA AA AF FF FF AA AA AE
---------------------------------------
 A TO ANALYZE DATA     ESC TO QUIT
 ? FOR HELP SCREEN     / CHANGE PARMS
 Q FOR NEXT TRACK    SPACE TO RE-READ

--^--

Disk Fixer
  ["O" -> "Input/Output Control"]
  set CHECKSUM ENABLED=NO
  T03-T0C readable, appear to be level data
  (first 50 sectors have titles like
  "HELLO...WELCOME", "MUSIC MAESTRO",
  "LADDERS GALORE", &c.)
  no ability to read quarter tracks, so the
  rest of the disk is a mystery

Why didn't COPYA work?
  so many reasons

Why didn't Locksmith FDB work?
  LOL

Why didn't my EDD copy work?
  My first attempt didn't copy the quarter
  tracks. I've heard that it's theoretically
  possible to copy them, but it's very
  difficult even when you know exactly which
  quarter tracks to copy. All my attempts to
  do so were unsuccessful, for unknown reasons.

This is going to be one of those "capture the
game in memory and rebuild it from the ground
up" cracks.

Next steps:

1. Trace bootloader
2. Capture game code in memory
3. Write game to a standard disk and build my
   own bootloader to load it

~

Chapter 1
In Which It Is Not At All Clear What's Going On

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]CALL -151

*800<2800.28FFM

*801L

; clear hi-res graphics screens (both)
0801-   A0 00       LDY   #$00
0803-   A9 20       LDA   #$20
0805-   A2 40       LDX   #$40
0807-   84 00       STY   $00
0809-   85 01       STA   $01
080B-   98          TYA
080C-   91 00       STA   ($00),Y
080E-   C8          INY
080F-   D0 FB       BNE   $080C
0811-   E6 01       INC   $01
0813-   CA          DEX
0814-   D0 F6       BNE   $080C

; show hi-res graphics screen 1
0816-   2C 52 C0    BIT   $C052
0819-   2C 57 C0    BIT   $C057
081C-   2C 54 C0    BIT   $C054
081F-   2C 50 C0    BIT   $C050

; save slot number (x16)
0822-   A6 2B       LDX   $2B
0824-   86 08       STX   $08

; decrypt rest of boot0 and store it in
; zero page (starting at $60)
0826-   EA          NOP
0827-   EA          NOP
0828-   A0 00       LDY   #$00
082A-   EA          NOP
082B-   EA          NOP
082C-   B9 50 08    LDA   $0850,Y
082F-   EA          NOP
0830-   EA          NOP
0831-   49 A5       EOR   #$A5
0833-   EA          NOP
0834-   EA          NOP
0835-   99 60 00    STA   $0060,Y
0838-   EA          NOP
0839-   EA          NOP
083A-   C8          INY
083B-   D0 EF       BNE   $082C
083D-   EA          NOP
083E-   EA          NOP

; reset stack pointer
083F-   A2 FF       LDX   #$FF
0841-   EA          NOP
0842-   EA          NOP
0843-   EA          NOP
0844-   9A          TXS
0845-   EA          NOP
0846-   EA          NOP

; and exit
0847-   60          RTS

Wait, what?

Here's what: we decrypted $B0 bytes and stored
them in zero page starting at $60.
But that means $10 bytes were also stored in
$0100..$010F. Then we reset the stack pointer,
then we "returned." The stack pointer wrapped
around to $00, and whatever ended up at $0100
serves as a "return" address (minus 1, as
usual).

Let's find out what that is.

*9600
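The decrypt-then-RTS trick described above, replayed on a constructed memory image as an added example (this is not 4am's code, and the target address $1234 is a constructed placeholder, not the value on the original disk):

```python
# Added example, not 4am's code: replay the boot0 trick on a constructed 6502
# memory image. The loop at $082C-$083B does LDA $0850,Y / EOR #$A5 /
# STA $0060,Y for Y = 0..255; STA abs,Y does not wrap in zero page, so the
# decrypted boot sector runs from $0060 up onto the stack page. TXS with
# X=$FF then RTS pulls from $0100 and $0101 (SP wraps $FF -> $00 -> $01).
KEY = 0xA5
SRC = 0x0850                 # encrypted bytes inside the boot sector
DST = 0x0060                 # STA $0060,Y
SECTOR_END = 0x0900          # boot sector is $0800-$08FF: $B0 bytes of real data
ZP_BYTES = 0x0100 - DST      # $A0 decrypted bytes stay in zero page
STACK_SPILL = (SECTOR_END - SRC) - ZP_BYTES   # $10 land at $0100..$010F

def decrypt_loop(mem):
    """Replay the 256-iteration EOR/STA loop in place (writes $0060..$015F)."""
    for y in range(256):
        mem[DST + y] = mem[SRC + y] ^ KEY

def rts_after_txs_ff(mem):
    """TXS (X=$FF) then RTS: pull lo from $0100, hi from $0101, PC = word + 1.
    Returns (sp_after_rts, pc)."""
    sp = 0xFF
    sp = (sp + 1) & 0xFF               # pull -> $0100
    lo = mem[0x0100 + sp]
    sp = (sp + 1) & 0xFF               # pull -> $0101
    hi = mem[0x0100 + sp]
    return sp, (((hi << 8) | lo) + 1) & 0xFFFF

def build_boot0(target):
    """Constructed 64 KiB image whose encrypted boot sector decrypts so that
    $0100/$0101 hold target-1 little-endian, making the RTS land on target."""
    mem = bytearray(0x10000)
    plain = bytearray(SECTOR_END - SRC)      # becomes $0060..$010F
    word = (target - 1) & 0xFFFF
    plain[0x0100 - DST] = word & 0xFF
    plain[0x0101 - DST] = word >> 8
    for i, b in enumerate(plain):
        mem[SRC + i] = b ^ KEY
    return mem

def boot0_return_address(target):
    """Where the RTS at $0847 actually lands for a sector built around target."""
    mem = build_boot0(target)
    decrypt_loop(mem)
    _, pc = rts_after_txs_ff(mem)
    return pc

if __name__ == "__main__":
    t = 0x1234   # constructed placeholder target, not a value from the disk
    print(f"RTS at $0847 lands at ${boot0_return_address(t):04X}")
```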