-------------L.A. Crackdown------------
A 4am crack                  2015-08-05
---------------------------------------

Name: L.A. Crackdown
Genre: simulation
Year: 1988
Authors: Nexa
Publisher: Epyx
Media: double-sided 5.25-inch floppy
OS: custom
Previous cracks:
  The Necromancer / First Class

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  side A: immediate disk read error
  side B: no errors

All further attention will be focused
on side A.

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no read errors, but the copy swings
  to a high track and reboots

Copy ][+ nibble editor
  all tracks use standard prologues
  (address: D5 AA 96, data: D5 AA AD)
  but modified epilogues
  (address: FF FF FF, data: FF FF FF)

Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF FF"
    set Data Epilogue to "FF FF FF"
  Success! All tracks readable!
  T00,S00 -> looks like a DOS 3.3 boot0
  T11 -> looks like a DOS 3.3 catalog

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. find nibble check and bypass it

                   ~

               Chapter 1
       In Which We Are Surprised


[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

]BLOAD BOOT0,A$800
]CALL -151

*801L

0801-   A5 27       LDA   $27
0803-   C9 09       CMP   #$09
0805-   D0 1B       BNE   $0822
0807-   20 61 08    JSR   $0861   <-- !
080A-   A5 2B       LDA   $2B
080C-   4A          LSR
080D-   4A          LSR
080E-   4A          LSR
080F-   4A          LSR
0810-   09 C0       ORA   #$C0
0812-   85 3F       STA   $3F
0814-   A9 5C       LDA   #$5C
0816-   85 3E       STA   $3E

This looks like a normal DOS 3.3 boot0,
except for that suspicious call to
$0861 in the first-run part of the loop
(at $0807).

*861L

; write to the language card RAM bank 2
0861-   AD 81 C0    LDA   $C081
0864-   AD 81 C0    LDA   $C081

; copy $F800..$FFF into LC RAM bank 2
0867-   A9 F8       LDA   #$F8
0869-   85 01       STA   $01
086B-   A9 00       LDA   #$00
086D-   A8          TAY
086E-   85 00       STA   $00
0870-   85 02       STA   $02
0872-   A9 08       LDA   #$08
0874-   85 03       STA   $03
0876-   B1 00       LDA   ($00),Y
0878-   91 00       STA   ($00),Y
087A-   E6 00       INC   $00
087C-   D0 02       BNE   $0880
087E-   E6 01       INC   $01
0880-   C6 02       DEC   $02
0882-   D0 F2       BNE   $0876
0884-   C6 03       DEC   $03
0886-   D0 EE       BNE   $0876

; read/write LC RAM bank 2
0888-   AD 83 C0    LDA   $C083
088B-   AD 83 C0    LDA   $C083
088E-   60          RTS

That's not unheard of. Lots of programs
do similar tricks to fight against
modified hardware chips ("F8 ROMs"),
which were popular among hackers in the
1980s.

But wait! Here's the real reason:

*8FE.8FF

08FE- EB 0C

This disk is loading boot1 straight
into the languard card, starting at
$EB00! That's why it set RAM bank 2 to
read/write (at $0888).

The rest of boot0 is unsurprising. It
ends up here:

083C-   EE FE 08    INC   $08FE
083F-   EE FE 08    INC   $08FE
0842-   20 89 FE    JSR   $FE89
0845-   20 93 FE    JSR   $FE93
0848-   20 2F FB    JSR   $FB2F
084B-   A6 2B       LDX   $2B
084D-   4C 00 F0    JMP   $F000 <-boot1

And that's where I need to interrupt
the boot: $084D.

*9600<C600.C6FFM

; set up callback after boot1 is loaded
96F8-   A9 05       LDA   #$05
96FA-   8D 4E 08    STA   $084E
96FD-   A9 97       LDA   #$97
96FF-   8D 4F 08    STA   $084F

; start the boot
9702-   4C 01 08    JMP   $0801

; callback is here --
; copy boot1 to graphics page so it
; will survive a reboot
9705-   A2 0D       LDX   #$0D
9707-   A0 00       LDY   #$00
9709-   B9 00 EB    LDA   $EB00,Y
970C-   99 00 4B    STA   $4B00,Y
970F-   C8          INY
9710-   D0 F7       BNE   $9709
9712-   EE 0B 97    INC   $970B
9715-   EE 0E 97    INC   $970E
9718-   CA          DEX
9719-   D0 EE       BNE   $9709

; switch back to ROM (important! DOS
; will crash without it! I re-learn
; this the hard way every time I trace
; a disk like this!)
971B-   AD 82 C0    LDA   $C082

; turn off slot 6 drive motor
971E-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9721-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$124
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 EB00-F7FF,A$4B00,L$D00

                   ~

               Chapter 2
    In Which We Are Desynchronized


]CALL -151

I'm going to leave this code in the
graphics page for inspection. Relative
branches will look correct, but any
absolute address will be off by $A000.

[attempts to do hexadecimal subtraction
 in my head]

[gives up, goes to Google]

[idly wonders how anyone did anything
 before the internet]

[realizes the monitor can do math too]

*F0-A0
=50

OK, $F000 is at $5000.

*5000L

5000-   A9 00       LDA   #$00
5002-   8D 78 04    STA   $0478

; seek to track $20
5005-   A9 40       LDA   #$40
5007-   A6 2B       LDX   $2B
5009-   20 A0 EE    JSR   $EEA0
500C-   A9 0A       LDA   #$0A
500E-   85 FC       STA   $FC
5010-   A6 2B       LDX   $2B

; turn on drive motor manually
5012-   BD 89 C0    LDA   $C089,X
5015-   BD 8E C0    LDA   $C08E,X

; set up Death Counter
5018-   A9 80       LDA   #$80
501A-   85 FD       STA   $FD
501C-   C6 FD       DEC   $FD

; if Death Counter hits 0, give up
501E-   F0 71       BEQ   $5091

; find next address field
5020-   20 AF F0    JSR   $F0AF

; if that failed, give up
5023-   B0 6C       BCS   $5091

; check if sector is $00
5025-   A5 F9       LDA   $F9
5027-   C9 00       CMP   #$00

; if not, loop back until we find it
5029-   D0 F1       BNE   $501C

; look for $D5 nibble
502B-   A0 00       LDY   #$00
502D-   BD 8C C0    LDA   $C08C,X
5030-   10 FB       BPL   $502D
5032-   88          DEY
5033-   F0 5C       BEQ   $5091
5035-   C9 D5       CMP   #$D5
5037-   D0 F4       BNE   $502D

; look for $E7 nibble
5039-   A0 00       LDY   #$00
503B-   BD 8C C0    LDA   $C08C,X
503E-   10 FB       BPL   $503B
5040-   88          DEY

; fail if we don't find it in time
5041-   F0 4E       BEQ   $5091
5043-   C9 E7       CMP   #$E7
5045-   D0 F4       BNE   $503B

; look for two more $E7 nibbles
5047-   BD 8C C0    LDA   $C08C,X
504A-   10 FB       BPL   $5047
504C-   C9 E7       CMP   #$E7

; fail if it's anything else
504E-   D0 41       BNE   $5091
5050-   BD 8C C0    LDA   $C08C,X
5053-   10 FB       BPL   $5050
5055-   C9 E7       CMP   #$E7

; fail if it's anything else
5057-   D0 38       BNE   $5091

; kill some time to get out of sync
; with the "proper" start of nibbles
; (see below)
5059-   BD 8D C0    LDA   $C08D,X
505C-   A0 10       LDY   #$10
505E-   24 80       BIT   $80

; now start looking for nibbles that
; don't really exist (except they do,
; because we're out of sync and reading
; timing bits as data)
5060-   BD 8C C0    LDA   $C08C,X
5063-   10 FB       BPL   $5060
5065-   88          DEY
5066-   F0 29       BEQ   $5091
5068-   C9 EE       CMP   #$EE
506A-   D0 F4       BNE   $5060
506C-   EA          NOP
506D-   EA          NOP

; now take the next (desynced) nibbles
; and store them in zero page $F8..$FF
506E-   A0 F8       LDY   #$F8
5070-   BD 8C C0    LDA   $C08C,X
5073-   10 FB       BPL   $5070
5075-   99 00 00    STA   $0000,Y
5078-   EA          NOP
5079-   C8          INY
507A-   30 F4       BMI   $5070

A short digression here into some super
low-level disk stuff, because this
wasn't low-level enough already...

$E7 $E7 $E7 $E7. What would that nibble
sequence look like on disk? The answer
is, "It depends." $E7 in hexadecimal is
11100111 in binary, so here is the
simplest possible answer:

   |--E7--||--E7--||--E7--||--E7--|
   11100111111001111110011111100111

But wait. Every nibble read from disk
must have its high bit set. In theory,
you could insert one or two "0" bits
after any of those nibbles. (Two is the
maximum, due to hardware limitations.)
These extra "0" bits would be swallowed
by the standard "wait for data latch to
have its high bit set" loop, which you
see over and over in any RWTS code:

  :1   LDA $C08C,X
       BPL :1

Now consider the following bitstream:

  |--E7--| |--E7--|  |--E7--||--E7--|
  11100111011100111001110011111100111
          ^        ^^
       (extra)   (extra)

The first $E7 has one extra "0" bit
after it, and the second $E7 has two
extra "0" bits after it. Totally legal,
works on any Apple II computer and any
floppy drive. A "LDA $C08C,X; BPL" loop
would still interpret this bitstream as
a sequence of four $E7 nibbles. Each of
the extra "0" bits appear after we've
just read a nibble and we're waiting
for the high bit to be set again.

Now, what if we miss the first few bits
of this bitstream, then start looking?
The disk is always spinning, whether
we're reading from it or not. If we
waste too much time doing something
other than reading, we'll literally
miss some bits as the disk spins by.
This is why the timing of low-level
RWTS code is so critical.

Let's say we waste 12 CPU cycles before
we start reading this bitstream. Each
bit takes 4 CPU cycles to go by, so
after 12 cycles, we would have missed
the first 3 bits (marked with an X).

            (normal start)

  |--E7--| |--E7--|  |--E7--||--E7--|
  11100111011100111001110011111100111
  XXX  |--EE--| |--E7--|  |--FC--|

           (delayed start)

Ah! It's interpreted as a completely
different nibble sequence if you delay
just a few CPU cycles before you start
reading. Also note that some of those
"extra" bits are no longer being
ignored; now they're being interpreted
as data, as part of the nibbles that
are being returned to the higher level
code. Meanwhile, other bits that were
part of the $E7 nibbles are now being
swallowed.

Now, let's go back to the first stream,
which had no extra bits between the
nibbles, and see what happens when we
waste those same 12 CPU cycles.

           (normal start)

   |--E7--||--E7--||--E7--||--E7--|
   11100111111001111110011111100111
   XXX  |--FC--||--FC--||--FC--|

          (delayed start)

After skipping the first three bits,
the stream is interpreted as a series
of $FC $FC $FC repeating endlessly --
not $EE $E7 $FC like the other stream.

Here's the kicker: generic bit copiers
didn't preserve these extra "0" bits
between nibbles. By "desynchronizing"
(wasting just the right number of CPU
cycles at just the right time), then
interpreting the bits on the disk in
mid-stream, developers could determine
at runtime whether you had an original
disk. Which is precisely the code we
just saw.

Here is the complete "E7 bitstream,"
annotated to show both the synchronized
and desynchronized nibble sequences.
($0265 wastes the right amount of time;
$0274 checks for $EE; $027F checks for
the rest of the nibbles, stored in
reverse order at $02C7.)

 |--E7--| |--E7--|  |--E7--||--E7--|
 111001110111001110011100111111001110
 XXX  |--EE--| |--E7--|  |--FC--||--E

 |--E7--|  |--E7--||--E7--| |--E7--|
 111001110011100111111001110111001110
 E--| |--E7--|  |--FC--||--EE--| |--E

 |--E7--||--E7--|
 1110011111100111
 E--| |--FC--|

We now return you to the actual code...

                   ~

               Chapter 3
       In Which We Are Encrypted


507C-   A9 00       LDA   #$00
507E-   A8          TAY
507F-   85 F0       STA   $F0
5081-   A2 01       LDX   #$01
5083-   A9 EC       LDA   #$EC
5085-   20 9E F0    JSR   $F09E

*509EL

; looks like $F0/$F1 is an address, so
; we're working on $EC00, which is part
; of the boot1 code we just loaded
509E-   85 F1       STA   $F1

; take a desynchronized nibble (stored
; earlier in zero page)
50A0-   B5 F8       LDA   $F8,X

; use it as a decryption key for this
; page of the bootloader
50A2-   51 F0       EOR   ($F0),Y
50A4-   91 F0       STA   ($F0),Y
50A6-   88          DEY
50A7-   D0 F7       BNE   $50A0

; increment next bootloader page to be
; decrypted
50A9-   E6 F1       INC   $F1

; decrement page count
50AB-   CA          DEX
50AC-   10 F2       BPL   $50A0
50AE-   60          RTS

X was $01 going into this routine (set
at $F081), so we'll decrypt two pages,
$EC00..$EDFF.

Continuing from $F088...

; move drive head back to track $00
5088-   A6 2B       LDX   $2B
508A-   98          TYA
508B-   20 A0 EE    JSR   $EEA0

; and continue the boot
508E-   6C FD 08    JMP   ($08FD)

; all failures end up here --
; decrement the Death Counter and
; eventually reboot
5091-   C6 FC       DEC   $FC
5093-   F0 03       BEQ   $5098
5095-   4C 18 F0    JMP   $F018
5098-   EE F4 03    INC   $03F4
509B-   6C FC FF    JMP   ($FFFC)

Well, this is inconvenient. But not
insurmountable. I can interrupt the
boot after the nibble check has
decrypted the rest of the bootloader.

*9600<C600.C6FFM

; set up callback #1 when boot0 tries
; to call nibble check
96F8-   A9 05       LDA   #$05
96FA-   8D 4E 08    STA   $084E
96FD-   A9 97       LDA   #$97
96FF-   8D 4F 08    STA   $084F

; start the boot
9702-   4C 01 08    JMP   $0801

; callback #1 is here --
; set up callback #2 when nibble check
; tries to continue the boot
9705-   A9 4C       LDA   #$4C
9707-   8D 8E F0    STA   $F08E
970A-   A9 17       LDA   #$17
970C-   8D 8F F0    STA   $F08F
970F-   A9 97       LDA   #$97
9711-   8D 90 F0    STA   $F090

; continue the boot
9714-   4C 00 F0    JMP   $F000

; callback #2 is here --
; copy the now-decrypted boot1 code to
; the graphics page so it survives a
; reboot
9717-   A2 0D       LDX   #$0D
9719-   A0 00       LDY   #$00
971B-   B9 00 EB    LDA   $EB00,Y
971E-   99 00 4B    STA   $4B00,Y
9721-   C8          INY
9722-   D0 F7       BNE   $971B
9724-   EE 1D 97    INC   $971D
9727-   EE 20 97    INC   $9720
972A-   CA          DEX
972B-   D0 EE       BNE   $971B

; switch to ROM
972D-   AD 82 C0    LDA   $C082

; turn off slot 6 drive motor
9730-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
9733-   4C 00 C5    JMP   $C500

*BSAVE TRACE2,A$9600,L$136
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 DECRYPTED,A$4B00,L$D00

Next steps, revised:

  1. Super Demuffin to convert the disk
     to a standard format
  2. Write the decrypted bootloader
     to disk
  3. Bypass the nibble check
  4. Declare victory(*)

(*) take a nap

                   ~

               Chapter 4
       In Which We Are Converted


I'm going to use Super Demuffin here
(instead of my usual go-to conversion
tool, Advanced Demuffin). I do have the
RWTS (in the BOOT1 DECRYPTED file), but
it's in the language card and I don't
feel like writing an IOB module and
fiddling with memory softswitches. The
RWTS modifications are minor (custom
epilogue bytes, same on every track),
so Super Demuffin will work just fine.

When you first run Super Demuffin, it
asks for the parameters of the original
disk. In this case, the prologue bytes
are the same, but the epilogues are "FF
FF EB" instead of "DE AA EB".

                 --v--

      SUPER-DEMUFFIN AND FAST COPY
Modified by: The Saltine/Coast to Coast


   Address prologue: D5 AA 96

   Address epilogue: FF FF EB    DISK
                     ^^^^^     ORIGINAL
change from DE AA ---+++++

      Data prologue: D5 AA AD

      Data epilogue: FF FF EB
                     ^^^^^
change from DE AA ---+++++


 Ignore write errors while demuffining!


  D - Edit parameters
      <SPACE> - Advance to next parm
      <RETURN> - Exit edit mode
  R - Restore DOS 3.3 parameters
  O - Edit Original disk's parameters
  C - Edit Copy disk's parameters
  G - Begin demuffin process

                 --^--

Pressing "G" switches to the Locksmith
Fast Disk Copy UI. It assumes that both
disks are in slot 6, and that drive 1
is the original and drive 2 is the
copy.

[S6,D1=original disk]
[S6,D2=blank disk]

                 --v--

     LOCKSMITH 7.0  FAST DISK BACKUP


   R...................................
   W***********************************
HEX 00000000000000001111111111111111222
TRK 0123456789ABCDEF0123456789ABCDEF012
   0...................................
   1...................................
   2...................................
   3...................................
   4...................................
   5...................................
   6...................................
   7...................................
   8...................................
   9...................................
   A...................................
   B...................................
   C...................................
   D...................................
12 E...................................
   F...................................
[               ] PRESS [RESET] TO EXIT

                 --^--

Side B needs no conversion. COPYA was
able to copy it, so it's already in a
standard format.


                   ~

               Chapter 5
       In Which We Are Finished


Here is a little helper program that
writes to the disk in slot 6, drive 1.
There is no confirmation and no error
checking, because life is nasty,
brutish, and short.

08C0-   A9 08       LDA   #$08
08C2-   A0 E8       LDY   #$E8
08C4-   20 D9 03    JSR   $03D9
08C7-   AC ED 08    LDY   $08ED
08CA-   88          DEY
08CB-   10 05       BPL   $08D2
08CD-   A0 0F       LDY   #$0F
08CF-   CE EC 08    DEC   $08EC
08D2-   8C ED 08    STY   $08ED
08D5-   CE F1 08    DEC   $08F1
08D8-   CE E1 08    DEC   $08E1
08DB-   D0 E3       BNE   $08C0
08DD-   60          RTS

*8E0.8FF

         +-- sector count
         v
08E0- 00 02 00 00 00 00 00 00

08E8- 01 60 01 00 00 02 FB 08
                  ^^ ^^
               track/sector
        (both of these count down)

08F0- 00 4D 00 00 02 00 FE 60
         ^^
       address (also counts down)

08F8- 01 00 00 00 01 EF D8 00

*BSAVE WRITE BOOT1 DECRYPTED,A$8C0,L$40
*8C0G
...write write write...

We have no use for that nibble check.
Its two purposes in life were to check
if we have an original disk (we don't)
and decrypt the rest of boot1 (now
permanently decrypted). So boot0 can
jump straight to $EC00 instead of $F000
(at $084D).

T00,S00,$4F change "F0" to "EC"

]PR#6
...works...

The disk can read itself, so the RWTS
must be flexible enough to read disks
in a standard format. This makes sense;
the original side B was already in a
standard format. But it confirms that
they used a flexible RWTS instead of
mucking about with an RWTS swapper.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 393
------------------EOF------------------