---------Championship Wrestling--------
A 4am crack                  2015-03-03
---------------------------------------

Name: Championship Wrestling
Genre: sports
Year: 1986
Authors: L. Ropp, R. Ditton, D. Thiel,
  J. Lee, T. Skelly, E. Ditton
Publisher: Epyx
Media: double-sided 5.25-inch floppy
OS: custom
Other versions: Tom E. Hawk / Digital
  Gang
Similar cracks: Street Sports
  Basketball (4am crack no. 52)

                   ~

               Chapter 0
 In Which Various Automated Tools Fail
          In Interesting Ways


COPYA
  immediate disk read error

Locksmith Fast Disk Backup
  unable to read any track

EDD 4 bit copy (no sync, no count)
  no read errors, but copy just reboots

Copy ][+ nibble editor
  modified epilogue bytes (FF FF EB)
  
Disk Fixer
  ["O" -> "Input/Output Control"]
    set Address Epilogue to "FF FF FF"
    set Data Epilogue to "FF FF FF"
  Success! All tracks readable!
  T00 -> looks like a DOS 3.3 RWTS
  no other signs of DOS though
  no disk catalog

Why didn't COPYA work?
  modified epilogue bytes (every track)

Why didn't Locksmith FDB work?
  modified epilogue bytes (every track)

Why didn't my EDD copy work?
  probably a nibble check during boot

Next steps:

  1. capture RWTS with AUTOTRACE
  2. convert disk to standard format
     with Advanced Demuffin
  3. find nibble check and bypass it

                   ~

               Chapter 1
In Which We Attempt To Use The Original
    Disk As A Weapon Against Itself


[S6,D1=original disk]
[S6,D2=blank disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0
/!\ BOOT0 JUMPS TO $BB00
CAPTURING BOOT1
...reboots slot 6...
...reboots slot 5...
SAVING BOOT1
SAVING RWTS
/!\ NIBBLE CHECK AT $BB00

]BRUN ADVANCED DEMUFFIN 1.5

["5" to switch to slot 5]

["R" to load a new RWTS module]
  --> At $B8, load "RWTS" from drive 1

["6" to switch to slot 6]

["C" to convert disk]

                 --v--

ADVANCED DEMUFFIN 1.5    (C) 1983, 2014
ORIGINAL BY THE STACK    UPDATES BY 4AM
=======PRESS ANY KEY TO CONTINUE=======
TRK:...................................
+.5:
    0123456789ABCDEF0123456789ABCDEF012
SC0:...................................
SC1:...................................
SC2:...................................
SC3:...................................
SC4:...................................
SC5:...................................
SC6:...................................
SC7:...................................
SC8:...................................
SC9:...................................
SCA:...................................
SCB:...................................
SCC:...................................
SCD:...................................
SCE:...................................
SCF:...................................
=======================================
16SC $00,$00-$22,$0F BY1.0 S6,D1->S6,D2

                 --^--

]PR#6
...reboots...

Let's go find that nibble check.

                   ~

               Chapter 2
    In Which We Go Code Spelunking
      And Run Into An Old Friend


]PR#5
]BLOAD BOOT1,A$2600
]CALL -151
*FE89G FE93G     ; disconnect DOS
*B600<2600.2FFFM ; move RWTS into place
*BB00L

BB00-   A9 00       LDA   #$00
BB02-   A2 F0       LDX   #$F0

; possibly some stack manipulation?
BB04-   9A          TXS
BB05-   95 00       STA   $00,X
BB07-   E8          INX
BB08-   D0 FB       BNE   $BB05

; initialize death counter
BB0A-   A9 0A       LDA   #$0A
BB0C-   85 FC       STA   $FC

; turn on drive motor manually
; (always suspicious)
BB0E-   A6 2B       LDX   $2B
BB10-   BD 89 C0    LDA   $C089,X
BB13-   BD 8E C0    LDA   $C08E,X

; secondary death counter
BB16-   A9 80       LDA   #$80
BB18-   85 FD       STA   $FD
BB1A-   C6 FD       DEC   $FD

; if this hits 0, nibble check fails
BB1C-   F0 6E       BEQ   $BB8C

; subroutine looks for next available
; address field
BB1E-   20 96 BB    JSR   $BB96

; can't find one --> fail immediately
BB21-   B0 69       BCS   $BB8C

; check if it's sector $08
BB23-   A5 F9       LDA   $F9
BB25-   C9 08       CMP   #$08

; loop until it is
BB27-   D0 F1       BNE   $BB1A

; find $D5 nibble
BB29-   A0 00       LDY   #$00
BB2B-   BD 8C C0    LDA   $C08C,X
BB2E-   10 FB       BPL   $BB2B
BB30-   88          DEY
BB31-   F0 59       BEQ   $BB8C
BB33-   C9 D5       CMP   #$D5
BB35-   D0 F4       BNE   $BB2B

; Search for a specific sequence of
; nibbles in the "dead zone" between
; the address field and data field.
; This area is normally not important,
; so COPYA didn't copy it precisely
; because normal disks don't care.
; (Actually, it's even more evil than
; that, because the original disk is
; written with timing bits in specific
; non-standard places between the
; nibbles in the dead zone. This code
; not only requires the right nibbles
; in the right order, it reads them
; just slightly slower than normal. So
; the timing bits need to be in the
; right places too, or else this code
; will read the wrong nibble values
; while it's out of sync. This will
; trip up even the best bit copiers.
; And you can forget about making a
; disk image for emulators -- those
; don't store timing bits at all.)
BB37-   A0 00       LDY   #$00
BB39-   BD 8C C0    LDA   $C08C,X
BB3C-   10 FB       BPL   $BB39
BB3E-   88          DEY
BB3F-   F0 4B       BEQ   $BB8C
BB41-   C9 E7       CMP   #$E7
BB43-   D0 F4       BNE   $BB39
BB45-   BD 8C C0    LDA   $C08C,X
BB48-   10 FB       BPL   $BB45
BB4A-   C9 E7       CMP   #$E7
BB4C-   D0 3E       BNE   $BB8C
BB4E-   BD 8C C0    LDA   $C08C,X
BB51-   10 FB       BPL   $BB4E
BB53-   C9 E7       CMP   #$E7
BB55-   D0 35       BNE   $BB8C

; kill some time to get out of sync
; with the "proper" start of nibbles)
BB57-   BD 8D C0    LDA   $C08D,X
BB5A-   A0 10       LDY   #$10
BB5C-   24 80       BIT   $80

; now start looking for nibbles that
; don't really exist (except they do,
; because we're out of sync and reading
; timing bits as data)
BB5E-   BD 8C C0    LDA   $C08C,X
BB61-   10 FB       BPL   $BB5E
BB63-   88          DEY
BB64-   F0 26       BEQ   $BB8C
BB66-   C9 EE       CMP   #$EE
BB68-   D0 F4       BNE   $BB5E
BB6A-   EA          NOP
BB6B-   EA          NOP

; store next 8 nibbles in zero page
BB6C-   A0 07       LDY   #$07
BB6E-   BD 8C C0    LDA   $C08C,X
BB71-   10 FB       BPL   $BB6E
BB73-   99 F0 00    STA   $00F0,Y
BB76-   EA          NOP
BB77-   88          DEY
BB78-   10 F4       BPL   $BB6E

; decrypt part of the RWTS based on one
; of the stored nibbles
BB7A-   A0 00       LDY   #$00
BB7C-   A5 F4       LDA   $F4
BB7E-   59 00 B7    EOR   $B700,Y
BB81-   99 00 B7    STA   $B700,Y
BB84-   88          DEY
BB85-   D0 F5       BNE   $BB7C

; jump to decrypted boot1 code
BB87-   A6 2B       LDX   $2B
BB89-   4C 00 B7    JMP   $B700

; The Badlands -- decrement death
; counters and eventually reboot
BB8C-   C6 FC       DEC   $FC
BB8E-   D0 86       BNE   $BB16
BB90-   EE F4 03    INC   $03F4
BB93-   6C FC FF    JMP   ($FFFC)

I'm going to need to trace past this
nibble check, then interrupt it before
it jumps to the (decrypted) $B700 to
load the game.

                   ~

               Chapter 3
      In Which We Unlock The Door
     And Wedge It Open Permanently


*9600<C600.C6FFM

; set up callback #1 after boot0
96F8-   A9 4C       LDA   #$4C
96FA-   8D 4A 08    STA   $084A
96FD-   A9 0A       LDA   #$0A
96FF-   8D 4B 08    STA   $084B
9702-   A9 97       LDA   #$97
9704-   8D 4C 08    STA   $084C

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here -- set up
; callback #2 after nibble check
; succeeds and decrypts boot1
970A-   A9 4C       LDA   #$4C
970C-   8D 89 BB    STA   $BB89
970F-   A9 1C       LDA   #$1C
9711-   8D 8A BB    STA   $BB8A
9714-   A9 97       LDA   #$97
9716-   8D 8B BB    STA   $BB8B

; continue to the nibble check
9719-   4C 00 BB    JMP   $BB00

; callback #2 is here -- relocate
; decrypted boot1 code to graphics
; page so it will survive a reboot
971C-   A0 00       LDY   #$00
971E-   B9 00 B7    LDA   $B700,Y
9721-   99 00 27    STA   $2700,Y
9724-   C8          INY
9725-   D0 F7       BNE   $971E

; turn off slot 6 drive motor
9727-   AD E8 C0    LDA   $C0E8

; reboot to my work disk
972A-   4C 00 C5    JMP   $C500

*BSAVE TRACE BB00,A$9600,L$12D
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE B700 DECRYPTED,A$2700,L$100

Now to write the decrypted version
to disk:

 20 FB DA D0 EB
*8C0L

08C0-   A9 08       LDA   #$08
08C2-   A0 E8       LDY   #$E8
08C4-   4C D9 03    JMP   $03D9

08E8- 01 60 01 00 00 01 FB 08
                  ^   ^
          track --+   +-- sector

08F0- 00 27 00 00 02 00 FE 60
          ^
          +-- address

08F8- 01 00 00 00 01 EF D8 00

*BSAVE WRITE B700,A$8C0,L$40
*8C0G

Now I can safely bypass the nibble
check. Since $B700 is already decrypted
on disk, I can change boot0 to jump to
it directly.

T00,S00,$4C change "BB" to "B7"

Side B uses the same modified epilogue
bytes, so I used Advanced Demuffin with
the same RWTS to convert it.

The RWTS is permissive enough to read
the copies in a standard format, so no
RWTS patches were required.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 238
------------------EOF------------------