---------------Spy Hunter--------------
A 4am crack                  2015-03-06
---------------------------------------

Name: Spy Hunter
Genre: arcade
Year: 1983
Publisher: Bally Midway
Media: single-sided 5.25-inch floppy
OS: custom
Other versions:
  - PPG crack
  - The Duplicator / West Coast
    Connection crack
    
                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  works

Copy ][+ nibble editor
  modified address and data epilogue
    bytes (AA DE EB)
  T01 is all sync bytes except maybe
    one sector(?)
  
Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "AA DE EB"
    set Data Epilogue to "AA DE EB"
  T00, T02-T22 readable
  T00,S00 lets the disk controller ROM
    routine load two sectors instead of
    the usual one
  T01,S00 readable, but no other sector
    on that track
  custom bootloader on track 0
  no sign of a disk catalog
  no sign of a standard OS anywhere

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Next steps:

  1. Super Demuffin to convert disk to
     standard format
  2. Patch RWTS to read standard format
     (if necessary)

                   ~
                   
               Chapter 1
        In Which Things Quickly
            Get Interesting


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
]BRUN SUPER DEMUFFIN

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: AA DE EB    DISK
                     ^^^^^     ORIGINAL
   was "DE AA"-------+++++

      Data prologue: D5 AA AD

      Data epilogue: AA DE EB
                     ^^^^^
   was "DE AA"-------+++++


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI.

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R...................................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0...................................
   1.D.................................
   2.D.................................
   3.D.................................
   4.D.................................
   5.D.................................
   6.D.................................
   7.D.................................
   8.D.................................
   9.D.................................
   A.D.................................
   B.D.................................
   C.D.................................
   D.D.................................
12 E.D.................................
   F.D.................................
[               ] PRESS [RESET] TO EXIT

                 --^--

As expected, it can only read the first
sector from track $01. Everything else
copies without a hitch.

[S6,D1=Super Demuffin'd copy]

]PR#6
...displays hi-res graphics screen then
halts with drive motor off...

That's interesting. If the drive motor
stayed on, I would just think it was
trying forever it read itself (maybe
with some custom RWTS that didn't grind
like DOS does). Or maybe a nibble check
that was forever looking for some magic
sequence that wasn't there. But this is
something different. This is something
deliberate.

                   ~
                   
               Chapter 2
          In Which Things Get
         Even More Interesting


Let's capture that bootloader and see
why it halts.

]PR#5
]CALL -151
*9600<C600.C6FFM

96F8-   A0 00       LDY   #$00
96FA-   B9 00 08    LDA   $0800,Y
96FD-   99 00 48    STA   $4800,Y
9700-   B9 00 09    LDA   $0900,Y
9703-   99 00 49    STA   $4900,Y
9706-   C8          INY
9707-   D0 F1       BNE   $96FA
9709-   AD E8 C0    LDA   $C0E8
970C-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$10F
*9600G
...reboots slot 6...
...reboots slot 5...
]BSAVE BOOT0,A$4800,L$200
]CALL -151
*800<4800.49FFM
*801L

0801-   EE F2 03    INC   $03F2
0804-   AD 8A C0    LDA   $C08A
0807-   AD 52 C0    LDA   $C052
080A-   AD 57 C0    LDA   $C057
080D-   AD 50 C0    LDA   $C050
0810-   AD 55 C0    LDA   $C055
0813-   A9 00       LDA   #$00
0815-   85 05       STA   $05
0817-   85 02       STA   $02
0819-   A8          TAY
081A-   B9 00 08    LDA   $0800,Y
081D-   99 00 BE    STA   $BE00,Y
0820-   B9 00 09    LDA   $0900,Y
0823-   99 00 BF    STA   $BF00,Y
0826-   C8          INY
0827-   D0 F1       BNE   $081A
0829-   4C 2C BE    JMP   $BE2C

*FE89G FE93G
*BE00<800.8FFM
*BE2CL

; not sure what this memory copy is for
BE2C-   A2 69       LDX   #$69
BE2E-   BD 6C 03    LDA   $036C,X
BE31-   95 96       STA   $96,X
BE33-   CA          DEX
BE34-   10 F8       BPL   $BE2E

; clear hi-res screen 2
BE36-   A9 5F       LDA   #$5F
BE38-   85 03       STA   $03
BE3A-   98          TYA
BE3B-   91 02       STA   ($02),Y
BE3D-   C8          INY
BE3E-   D0 FB       BNE   $BE3B
BE40-   C6 03       DEC   $03
BE42-   A5 03       LDA   $03
BE44-   C9 40       CMP   #$40
BE46-   B0 F2       BCS   $BE3A

; subroutine advances the drive head to
; the next whole track; no tricks,
; nothing fancy
BE48-   A6 2B       LDX   $2B
BE4A-   20 CB BE    JSR   $BECB

BE4D-   A9 04       LDA   #$04
BE4F-   85 06       STA   $06
BE51-   A9 14       LDA   #$14
BE53-   20 07 BF    JSR   $BF07

*BF07L

; store something on the way in
BF07-   85 10       STA   $10

; the rest appears to be a standard
; disk read routine based on the one at
; $C65C in the disk controller ROM
; $06 is the logical sector (set by the
; caller)
BF09-   A6 06       LDX   $06

; $07 is the physical sector
BF0B-   BD F7 BE    LDA   $BEF7,X
BF0E-   85 07       STA   $07

; $2B is still the slot number (x16)
BF10-   A6 2B       LDX   $2B
BF12-   18          CLC
BF13-   08          PHP
BF14-   BD 8C C0    LDA   $C08C,X
BF17-   10 FB       BPL   $BF14
BF19-   49 D5       EOR   #$D5
BF1B-   D0 F7       BNE   $BF14
BF1D-   BD 8C C0    LDA   $C08C,X
BF20-   10 FB       BPL   $BF1D
BF22-   C9 AA       CMP   #$AA
BF24-   D0 F3       BNE   $BF19
BF26-   EA          NOP
BF27-   BD 8C C0    LDA   $C08C,X
BF2A-   10 FB       BPL   $BF27
BF2C-   C9 96       CMP   #$96

; matched address field prologue,
; branch to $BF3A
BF2E-   F0 0A       BEQ   $BF3A
BF30-   28          PLP
BF31-   90 DF       BCC   $BF12
BF33-   49 AD       EOR   #$AD

; matched data field prologue, branch
; to $BF90
BF35-   F0 59       BEQ   $BF90
BF37-   4C 12 BF    JMP   $BF12

; read address field
BF3A-   A0 03       LDY   #$03
BF3C-   BD 8C C0    LDA   $C08C,X
BF3F-   10 FB       BPL   $BF3C
BF41-   2A          ROL

; $00 is used as scratch to decode the
; 4-4 encoded values in the address
; field
BF42-   85 00       STA   $00
BF44-   BD 8C C0    LDA   $C08C,X
BF47-   10 FB       BPL   $BF44
BF49-   25 00       AND   $00

; address field stored in $0C..$0F
BF4B-   99 0C 00    STA   $000C,Y
BF4E-   88          DEY
BF4F-   10 EB       BPL   $BF3C

; epilogue bytes are reversed (as
; expected, based on what I saw in
; the Copy II+ nibble editor earlier)
BF51-   BD 8C C0    LDA   $C08C,X
BF54-   10 FB       BPL   $BF51
BF56-   C9 AA       CMP   #$AA

; fail immediately if not found
BF58-   D0 2D       BNE   $BF87
BF5A-   BD 8C C0    LDA   $C08C,X
BF5D-   10 FB       BPL   $BF5A
BF5F-   C9 DE       CMP   #$DE

; fail immediately if not found
BF61-   D0 24       BNE   $BF87
BF63-   28          PLP

; verify address field checksum
; $0C is checksum
; $0D is sector
; $0E is track
; $0F is disk volume number
BF64-   A5 0F       LDA   $0F
BF66-   45 0E       EOR   $0E
BF68-   45 0D       EOR   $0D
BF6A-   C5 0C       CMP   $0C
BF6C-   D0 A4       BNE   $BF12

; check whether this is the sector we
; wanted
BF6E-   A5 0D       LDA   $0D
BF70-   C5 07       CMP   $07

; if so, continue at $BF7E
BF72-   F0 0A       BEQ   $BF7E

; decrement the counter that was set on
; the way in (at $BF07)
BF74-   EA          NOP
BF75-   EA          NOP
BF76-   EA          NOP
BF77-   C6 10       DEC   $10

; if it hits 0, exit RWTS entirely
BF79-   F0 14       BEQ   $BF8F

; otherwise try again
BF7B-   4C 12 BF    JMP   $BF12

; On successful sector read, execution
; continues here. Verify the track is
; correct.
BF7E-   A5 0E       LDA   $0E
BF80-   C5 05       CMP   $05

; if not, try again
BF82-   D0 F7       BNE   $BF7B

; otherwise jump back (with carry set)
; and look for data field prologue
BF84-   4C 13 BF    JMP   $BF13

; mismatched epilogue bytes end up here
; which -- lo and behold -- turns off
; the drive motor and halts ($BF8C is
; an infinite loop)
BF87-   A6 2B       LDX   $2B
BF89-   BD 88 C0    LDA   $C088,X
BF8C-   4C 8C BF    JMP   $BF8C
BF8F-   60          RTS

; read data field
BF90-   A0 56       LDY   #$56
BF92-   84 00       STY   $00
BF94-   BC 8C C0    LDY   $C08C,X
BF97-   10 FB       BPL   $BF94
BF99-   59 00 00    EOR   $0000,Y
BF9C-   A4 00       LDY   $00
BF9E-   88          DEY
BF9F-   99 40 00    STA   $0040,Y
BFA2-   D0 EE       BNE   $BF92
BFA4-   84 00       STY   $00
BFA6-   BC 8C C0    LDY   $C08C,X
BFA9-   10 FB       BPL   $BFA6
BFAB-   59 00 00    EOR   $0000,Y
BFAE-   A4 00       LDY   $00
BFB0-   91 02       STA   ($02),Y
BFB2-   C8          INY
BFB3-   D0 EF       BNE   $BFA4
BFB5-   BC 8C C0    LDY   $C08C,X
BFB8-   10 FB       BPL   $BFB5
BFBA-   59 00 00    EOR   $0000,Y
BFBD-   D0 BC       BNE   $BF7B

; epilogue bytes are reversed again
BFBF-   BD 8C C0    LDA   $C08C,X
BFC2-   10 FB       BPL   $BFBF
BFC4-   C9 AA       CMP   #$AA
BFC6-   D0 BF       BNE   $BF87
BFC8-   BD 8C C0    LDA   $C08C,X
BFCB-   10 FB       BPL   $BFC8
BFCD-   C9 DE       CMP   #$DE
BFCF-   D0 B6       BNE   $BF87

; verify data field checksum
BFD1-   A0 00       LDY   #$00
BFD3-   A2 56       LDX   #$56
BFD5-   CA          DEX
BFD6-   30 FB       BMI   $BFD3
BFD8-   B1 02       LDA   ($02),Y
BFDA-   56 40       LSR   $40,X
BFDC-   2A          ROL
BFDD-   56 40       LSR   $40,X
BFDF-   2A          ROL
BFE0-   91 02       STA   ($02),Y
BFE2-   C8          INY
BFE3-   D0 F0       BNE   $BFD5

; calculate some sort of checksum on
; the sector data (cumulative -- uses
; zero page $09 as a seed, then stores
; the new result in $09 as well)
BFE5-   A0 00       LDY   #$00
BFE7-   A5 09       LDA   $09
BFE9-   51 02       EOR   ($02),Y
BFEB-   C8          INY
BFEC-   D0 FB       BNE   $BFE9
BFEE-   85 09       STA   $09
BFF0-   60          RTS

That's it; that's the entire RWTS.

Three things of note:

  1. Reversed epilogue bytes. The RWTS
     can't read the Super Demuffin'd
     disk, so it fails immediately and
     jumps to The Badlands at $BF87.
  2. The value on the way in (stored in
     zero page $10 and decremented)
     serves as the maximum number of
     "misses" for the sector we're
     looking for.
  3. Zero page $09 is a cumulative
     checksum on the sector data,
     presumably to detect tampering
     of the game code.

Let's fix those epilogue bytes.

T00,S07,$57 change "AA" to "DE"
T00,S07,$60 change "DE" to "AA"
T00,S07,$C5 change "AA" to "DE"
T00,S07,$CE change "DE" to "AA"

]PR#6
...displays hi-res graphics screen then
halts with drive motor off...

No change. The disk can read itself,
but now it's just refusing to do so for
some reason.

                   ~
                   
               Chapter 3
        In Which We Learn That
    Everything Happens For A Reason


Before I delved into the RWTS, I was
at $BE48 (now with added notes because
I know what's going on):

; advance track (from $00 to $01)
BE48-   A6 2B       LDX   $2B
BE4A-   20 CB BE    JSR   $BECB

; sector $04
BE4D-   A9 04       LDA   #$04
BE4F-   85 06       STA   $06

; maximum of $14 tries
BE51-   A9 14       LDA   #$14
BE53-   20 07 BF    JSR   $BF07

; check number of tries
BE56-   A5 10       LDA   $10

; if not 0, fail
BE58-   D0 1C       BNE   $BE76

($BE76 jumps to $BF87, which as we know
is The Badlands.)

So it's checking to make sure that
track $01, sector $04 is unreadable.
Which, on my copy, it's not.

T00,S00,$53 change "20" to "2C"
T00,S00,$58 change "D0" to "24"

(The first patch neuters the JSR at
$BE53 that tries to read track $01. The
second patch neuters the check at $BE58
for whether the read failed properly.)

]PR#6
...works...

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 240
------------------EOF------------------