---------Little Computer People--------
A 4am crack                  2014-06-16
---------------------------------------

"Little Computer People" (a.k.a. "House
on a Disk") is a 1986 simulation game
distributed by Activision, Inc. It uses
both sides of a double-sided disk.

Only side A is bootable. COPYA copies
both sides, but the copy does not work.
The side A copy loads sequential tracks
(slowly), then halts. EDD 4 bit copy
fares no better.

The boot process does not sound like
DOS 3.3, ProDOS, or Pascal. There *is*
a disk catalog on track $11, but it
holds nothing but two deleted files
while claiming that the disk has zero
free sectors.

Time for boot tracing with AUTOTRACE.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
...
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS

Well, that went swimmingly. Despite its
custom loading process (and fake disk
catalog), this disk appears to use a
standard boot0 and DOS 3.3-derived RWTS
routine. Let's find out where it all
goes wrong.

]BLOAD BOOT1,A$2600

]CALL -151

; disconnect DOS
*FE89G FE93G

*B600<2600.2FFFM

*B700L

; standard initialization of the RWTS
; parameter table (starts at $B7E8)
B700-   8E E9 B7    STX   $B7E9
B703-   8E F7 B7    STX   $B7F7
B706-   A9 01       LDA   #$01
B708-   8D F8 B7    STA   $B7F8
B70B-   8D EA B7    STA   $B7EA

; $B7E0 is $03 (sectors to read)
B70E-   AD E0 B7    LDA   $B7E0
B711-   8D E1 B7    STA   $B7E1

; hmm, reading T00,S0C is unusual (DOS
; usually starts at T02,S04)
B714-   A9 00       LDA   #$00
B716-   8D EC B7    STA   $B7EC
B719-   A9 0C       LDA   #$0C
B71B-   8D ED B7    STA   $B7ED

; $B7E7 is $0F (1 + high byte address
; of last sector to read)
B71E-   AC E7 B7    LDY   $B7E7
B721-   88          DEY
B722-   8C F1 B7    STY   $B7F1
B725-   A9 01       LDA   #$01
B727-   8D F4 B7    STA   $B7F4
B72A-   8A          TXA
B72B-   4A          LSR
B72C-   4A          LSR
B72D-   4A          LSR
B72E-   4A          LSR
B72F-   AA          TAX
B730-   A9 00       LDA   #$00
B732-   9D F8 04    STA   $04F8,X
B735-   9D 78 04    STA   $0478,X
B738-   8D EB B7    STA   $B7EB

; read 'em
B73B-   20 93 B7    JSR   $B793
B73E-   A2 FF       LDX   #$FF
B740-   9A          TXS

; normal, jumps back to $B744
B741-   4C C8 BF    JMP   $BFC8
B744-   20 89 FE    JSR   $FE89

; execution continues here
B747-   4C 00 0C    JMP   $0C00

OK, so it's loading 3 sectors from
T00,S0A-0C into $C00..$EFF, then
jumping to $C00. I'll interrupt the
boot there and see what it looks like.

*9600<C600.C6FFM

; interrupt after boot0 loads boot1 in
; $B600..$BFFF, call a routine under my
; control instead of continuing to
; $B700 as usual
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here -- set up another
; callback at $B747, where the game
; would ordinarily jump to $0C00, to
; jump to my routine instead
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; callback #2 is here -- relocate the
; code into the graphics page so it
; will survive a reboot (the HELLO
; program on my work disk would
; overwrite part of this at $0C00)
971C-   A2 03       LDX   #$03
971E-   A0 00       LDY   #$00
9720-   B9 00 0C    LDA   $0C00,Y
9723-   99 00 2C    STA   $2C00,Y
9726-   C8          INY
9727-   D0 F7       BNE   $9720
9729-   EE 22 97    INC   $9722
972C-   EE 25 97    INC   $9725
972F-   CA          DEX
9730-   D0 EE       BNE   $9720

; turn off slot 6 drive motor (probably
; unnecessary since the call to $B793
; probably turns it off, but it's just
; muscle memory at this point)
9732-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9735-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$138

*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT2,A$2C00,L$300
]CALL -151

*C00<2C00.2EFFM

*C00L

; manually pushing $5FFF to the stack
; (so "RTS" will "return" to $6000)
0C00-   A9 5F       LDA   #$5F
0C02-   48          PHA
0C03-   A9 FF       LDA   #$FF
0C05-   48          PHA

; set reset vector
0C06-   A9 5D       LDA   #$5D
0C08-   8D F2 03    STA   $03F2
0C0B-   A9 0E       LDA   #$0E
0C0D-   8D F3 03    STA   $03F3
0C10-   49 A5       EOR   #$A5
0C12-   8D F4 03    STA   $03F4

; clear text page 2
0C15-   A2 00       LDX   #$00
0C17-   A9 A0       LDA   #$A0
0C19-   9D 00 08    STA   $0800,X
0C1C-   9D 00 09    STA   $0900,X
0C1F-   9D 00 0A    STA   $0A00,X
0C22-   9D 00 0B    STA   $0B00,X
0C25-   E8          INX
0C26-   D0 F1       BNE   $0C19

; switch to text page 2
0C28-   AD 51 C0    LDA   $C051
0C2B-   AD 55 C0    LDA   $C055
0C2E-   A9 60       LDA   #$60
0C30-   85 FA       STA   $FA
0C32-   A9 0E       LDA   #$0E
0C34-   85 FB       STA   $FB

; hmm, another manual push to the stack
0C36-   A9 C5       LDA   #$C5
0C38-   48          PHA
0C39-   A9 00       LDA   #$00
0C3B-   85 FC       STA   $FC
0C3D-   A2 03       LDX   #$03
0C3F-   BC 5C 0C    LDY   $0C5C,X
0C42-   91 FA       STA   ($FA),Y
0C44-   CA          DEX
0C45-   10 F8       BPL   $0C3F
0C47-   8A          TXA

; and another
0C48-   48          PHA

; don't know what this does yet
0C49-   20 60 0C    JSR   $0C60

*C60L

; ah, it reads a sector
0C60-   A5 FB       LDA   $FB
0C62-   A4 FA       LDY   $FA
0C64-   20 B5 B7    JSR   $B7B5
0C67-   A9 00       LDA   #$00
0C69-   85 48       STA   $48
0C6B-   90 02       BCC   $0C6F
0C6D-   68          PLA
0C6E-   68          PLA
0C6F-   60          RTS

We're closing in on the copy protection
routine. Can you feel it? I swear I can
feel it. The random PHA instructions
are a good clue. Oh, and did you notice
that the subroutine at $0C60 pops two
bytes off the stack if the disk read
fails? Which means it erases the
address of the calling procedure (the
instruction after $0C49) and "returns"
to...  $C5FF+1. Which reboots. That's
kind of a harsh punishment for failing
to read one sector, don't you think?

Backing up and moving on.

*C4CL

0C4C-   A0 01       LDY   #$01
0C4E-   8C 6C 0E    STY   $0E6C
0C51-   B1 FA       LDA   ($FA),Y
0C53-   AA          TAX

; don't know what this does yet
0C54-   20 70 0C    JSR   $0C70

; hmm
0C57-   68          PLA
0C58-   68          PLA

; looks like actual useful code
0C59-   4C C6 0C    JMP   $0CC6

*C70L

; Here we go, turning on the disk motor
; manually -- a sure sign that this
; code is up to no good.
0C70-   BD 89 C0    LDA   $C089,X
0C73-   A9 56       LDA   #$56
0C75-   85 FD       STA   $FD
0C77-   A9 08       LDA   #$08
0C79-   C6 FC       DEC   $FC
0C7B-   D0 04       BNE   $0C81
0C7D-   C6 FD       DEC   $FD

; I've seen enough nibble checks to
; know that zero page $FD is being used
; as a sudden death counter. If it
; reaches 0, the check has failed.
0C7F-   F0 34       BEQ   $0CB5

; look for a specific nibble sequence
0C81-   BC 8C C0    LDY   $C08C,X
0C84-   10 FB       BPL   $0C81
0C86-   C0 FB       CPY   #$FB
0C88-   D0 ED       BNE   $0C77
0C8A-   F0 00       BEQ   $0C8C
0C8C-   EA          NOP
0C8D-   EA          NOP
0C8E-   BC 8C C0    LDY   $C08C,X
0C91-   C0 08       CPY   #$08
0C93-   2A          ROL
0C94-   B0 0B       BCS   $0CA1
0C96-   BC 8C C0    LDY   $C08C,X
0C99-   10 FB       BPL   $0C96
0C9B-   C0 FF       CPY   #$FF
0C9D-   D0 D8       BNE   $0C77
0C9F-   F0 EB       BEQ   $0C8C
0CA1-   BC 8C C0    LDY   $C08C,X
0CA4-   10 FB       BPL   $0CA1
0CA6-   84 FC       STY   $FC
0CA8-   C9 0A       CMP   #$0A
0CAA-   D0 CB       BNE   $0C77
0CAC-   BD 8C C0    LDA   $C08C,X
0CAF-   10 FB       BPL   $0CAC

; do some math
0CB1-   38          SEC
0CB2-   2A          ROL
0CB3-   25 FC       AND   $FC
0CB5-   49 AA       EOR   #$AA

; Uh oh, there may be a side effect
; here. We're taking the result of the
; manipulation of the raw nibbles and
; storing it in $0D12. That doesn't
; appear to be used anywhere in this
; current routine. Also interesting:
; if the nibble check fails (because
; zero page $FD hits 0), the code does
; not error out or immediately reboot.
; It just branches to here (technically
; one instruction above) and continues.
0CB7-   8D 12 0D    STA   $0D12

; "This nibble check will self-destruct
; in ten seconds..."
0CBA-   A9 00       LDA   #$00
0CBC-   A8          TAY
0CBD-   99 60 0C    STA   $0C60,Y
0CC0-   C8          INY
0CC1-   C0 5D       CPY   #$5D
0CC3-   D0 F8       BNE   $0CBD
0CC5-   60          RTS

And that's it. Whether the nibble check
succeeds or fails, this routine returns
to the caller. It doesn't even set a
flag. (Lots of nibble checks clear the
carry flag if they succeed and set it
if they fail, following the convention
of the DOS 3.3 RWTS routines.) The only
difference is the value of $0D12.

Then it pops the $C5FF address off the
stack and execution continues at $0CC6.
I won't bother showing it, but it reads
a bunch of tracks through standard RWTS
calls (in increasing sector order, so
it's quite slow), then jumps to $0D21.

*D21L

; The value of $0D12 (set by the nibble
; check at $0C70) is used multiple
; times. First, it's added to $0D1E and
; put in $02. Then it's subtracted from
; $0D1F and put in $03. Then exclusive-
; or'd (WTF?) with $0D20 and stored in
; $04.
0D21-   AD 1E 0D    LDA   $0D1E
0D24-   18          CLC
0D25-   6D 12 0D    ADC   $0D12
0D28-   85 02       STA   $02
0D2A-   AD 1F 0D    LDA   $0D1F
0D2D-   38          SEC
0D2E-   ED 12 0D    SBC   $0D12
0D31-   85 03       STA   $03
0D33-   AD 20 0D    LDA   $0D20
0D36-   4D 12 0D    EOR   $0D12
0D39-   85 04       STA   $04
0D3B-   A9 00       LDA   #$00
0D3D-   85 FA       STA   $FA
0D3F-   A8          TAY
0D40-   A9 60       LDA   #$60
0D42-   85 FB       STA   $FB
0D44-   A2 20       LDX   #$20
0D46-   20 5B 0D    JSR   $0D5B

So that value *is* used and it *is*
important. From my experience with
other Activision games (like "The Great
American Cross-Country Road Race"),
I'm guessing that those zero page
addresses end up in an RWTS parameter
table somewhere down the line. If the
nibble check failed, the track and
sector to read will be completely wrong
and the game will crash.

At any rate, I need to trace the
original disk and capture the correct
value of $0D12.

*9600<C600.C6FFM

; set up callback #1 after boot0
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here -- set up
; callback #2 after boot1
970A-   A9 4C       LDA   #$4C
970C-   8D 47 B7    STA   $B747
970F-   A9 1C       LDA   #$1C
9711-   8D 48 B7    STA   $B748
9714-   A9 97       LDA   #$97
9716-   8D 49 B7    STA   $B749

; continue the boot
9719-   4C 00 B7    JMP   $B700

; callback #2 is here -- jump to the
; monitor immediately after the nibble
; check sets the value of $0D12
971C-   A9 4C       LDA   #$4C
971E-   8D BA 0C    STA   $0CBA
9721-   A9 59       LDA   #$59
9723-   8D BB 0C    STA   $0CBB
9726-   A9 FF       LDA   #$FF
9728-   8D BC 0C    STA   $0CBC
972B-   4C 00 0C    JMP   $0C00

*BSAVE CAPTURE 0D12,A$9600,L$12E

*9600G
...reboots slot 6...
<beep>

*D12

0D12- 55

Now it should be safe to remove the
call to $0C60 (which just reads a
pointless sector to position the drive
head for the following nibble check)
and the call to $0C70 (the nibble check
that calculates the correct value of
$0D12), and manually set $0D12 on disk
to the correct value.

T00,S0A,$49 change "20" to "2C"
T00,S0A,$54 change "20" to "2C"
T00,S0B,$12 change "00" to "55"

Success! The game boots and loads with
no complaint. There doesn't appear to
be any further protection on side A or
side B.

Quod erat liberandum.

                   ~

     POSTSCRIPT: RESETTING THE GAME

This game saves its state on side B. I
have reset the state on this copy. When
you run it for the first time, it will
ask for your name and the date, then
you will see the moving-in sequence.
(The game suffers from a Y2K bug, in
that you can only enter 2-digit years.)
The next time you boot, the game will
remember your name and just ask for the
date, then increment the session number
and continue where you left off.

The moving-in sequence is quite long,
and while it's running, no interaction
is possible. The doorbell will ring
several times, then the little guy will
come in and look around, then he will
leave. Then he will come back with his
dog and look around some more. After
that, the game will access the disk
drive, and soon you will be able to
type commands.

If you want to reset the game to this
pristine state later but can't re-
download it for some reason, use a
sector editor to read T0E,S0F on side
A, change the last byte in the sector
from "01" to "02", then write that
sector to T0E,S0F on side B.

---------------------------------------
A 4am crack                      No. 78
------------------EOF------------------