------------Video Title Shop-----------
A 4am crack                  2014-12-15
---------------------------------------

"Video Title Shop" is a 1987 graphics
program programmed by John Butrovich
and Richard Mirsky and distributed by
DataSoft.

COPYA copies the original disk with no
complaint, but the copy does not work.
It boots, loads several tracks, then
prints "PLEASE USE ORIGINAL DISK" and
hangs.

Turning to my trusty Disk Fixer sector
editor, I don't see any evidence of a
disk catalog on track $11 or anywhere
else. I don't see any evidence of a
normal operating system (DOS, ProDOS,
or Pascal). The bootloader on track 0
appears to be entirely custom.

Oh, and encrypted.

Let's see if AUTOTRACE can make heads
or tails of it.

[S6,D1=original disk]
[S5,D1=my work disk]

]PR#5
CAPTURING BOOT0
...reboots slot 6...
...reboots slot 5...
SAVING BOOT0

For those of you just tuning in, my
work disk uses a custom program that I
affectionately call "AUTOTRACE" to
automate the process of boot tracing as
far as possible. For some disks (like
this one, apparently), it just captures
track 0, sector 0 (saved in a file
called "BOOT0") and stops.

Gonna have to do this the hard way.

]CALL -151

*800<2800.28FFM

0801-   4C 7E 08    JMP   $087E

*87EL

087E-   A2 79       LDX   #$79
0880-   BD 04 08    LDA   $0804,X
0883-   48          PHA
0884-   4A          LSR
0885-   68          PLA
0886-   6A          ROR
0887-   9D 04 08    STA   $0804,X
088A-   CA          DEX
088B-   D0 F3       BNE   $0880
088D-   4C 14 08    JMP   $0814

A decryption loop for the first half
of the sector (more or less). It looks
like it's self-contained (not dependent
on any initial state), so I should just
be able to run it and see the decrypted
code.

*88D:60    ; put "RTS" after decryption
*801G      ; go

Well, the good news is that it worked.
The bad news is... well, see for
yourself.

*814L

; ends up with $40 in $0801, which is
; the little-used "RTI" instruction
0814-   A9 0C       LDA   #$0C
0816-   4D 01 08    EOR   $0801
0819-   8D 01 08    STA   $0801

; save boot slot (x16) in zero page $DF
081C-   A6 2B       LDX   $2B
081E-   8A          TXA
081F-   85 DF       STA   $DF

; munge boot slot (weird)
0821-   0A          ASL
0822-   0A          ASL
0823-   2A          ROL
0824-   2A          ROL
0825-   2A          ROL
0826-   49 C0       EOR   #$C0
0828-   8D 08 08    STA   $0808

; set up zero page to reuse disk
; controller ROM routine to read more
; sectors
082B-   A0 03       LDY   #$03
082D-   B9 05 08    LDA   $0805,Y
0830-   99 27 00    STA   $0027,Y
0833-   B9 09 08    LDA   $0809,Y
0836-   99 3E 00    STA   $003E,Y
0839-   88          DEY
083A-   10 F1       BPL   $082D

; at this point, $28 has the value from
; $0806, which was $06
083C-   A4 28       LDY   $28

; $080D is a table of physical sectors
; to read
083E-   B9 0D 08    LDA   $080D,Y
0841-   A0 00       LDY   #$00

; At this point, $40 has the value from
; $080B/$080C, which is $003D. Multiple
; levels of indirection going on here.
0843-   91 40       STA   ($40),Y

; $0805 starts at $45 and is used as
; the target address (high byte)
0845-   AD 05 08    LDA   $0805
0848-   85 27       STA   $27

; ...and decremented
084A-   CE 05 08    DEC   $0805

; a sector count (starts at $06)
084D-   CE 06 08    DEC   $0806

; break out of sector read loop
0850-   30 0F       BMI   $0861

; set up a return address on the stack
0852-   A9 08       LDA   #$08
0854-   48          PHA
0855-   A9 5E       LDA   #$5E
0857-   48          PHA

; ...and one more byte (WTF)
0858-   A9 00       LDA   #$00
085A-   48          PHA

; At this point, $29/$2A have the value
; from $0807/$0808, except that $0808
; was modified earlier based on the
; munged boot slot. It ends up being
; $C65C if the boot slot was 6.
085B-   6C 29 00    JMP   ($0029)

So this will jump to $C65C (or similar,
depending on the boot slot), which will
read a sector based on the zero page
addresses set up earlier, then jump to
$0801. But $0801 got munged into an RTI
instruction. What does RTI do? It pulls
one byte off the stack and sets the
processor flags (like PLP). Then it
pulls an address off the stack and
jumps to it. Note: unlike RTS, the
address on the stack is the actual
address, not the actual address -1.

In other words, it clears all flags and
jumps to $085E.

085E-   6C 3E 00    JMP   ($003E)

More indirection. What's at $3E? At
this point, it holds the value from
$0809/$080A, which is the address
$082B.

Without a doubt, this is the strangest
way I have ever seen to read a few
sectors from track 0.

The sector read loop ends when $0806
goes negative, and the BMI at $0850
branches to $0861. So let's continue
there.

; put address $4000 in $02/$03
0861-   A9 40       LDA   #$40
0863-   85 03       STA   $03
0865-   A0 00       LDY   #$00
0867-   84 02       STY   $02

; another loop, to decrypt the 6 pages
; of boot1 code we just read
0869-   A2 06       LDX   #$06
086B-   B1 02       LDA   ($02),Y
086D-   48          PHA
086E-   4A          LSR
086F-   68          PLA
0870-   6A          ROR
0871-   91 02       STA   ($02),Y
0873-   C8          INY
0874-   D0 F5       BNE   $086B
0876-   E6 03       INC   $03
0878-   CA          DEX
0879-   D0 F0       BNE   $086B

; jump to boot1
087B-   4C CB 43    JMP   $43CB

Before I get to tracing the next stage
of the boot, I want to save my progress
with the decrypted boot0. I'll make one
more patch so that the initial JMP goes
straight to $0814 instead of the
decryption loop at $087E.

*802:14    ; patch to skip decryption

*BSAVE BOOT0 DECRYPTED,A$800,L$100

Now then. I need to interrupt the boot
at $087B and capture the decrypted
boot1 code. But of course boot0 is
still encrypted on disk, so I'll need
to do it in two callbacks.

*9600<C600.C6FFM
*96F8L

; set up callback #1 (after boot0
; decrypts itself)
96F8-   A9 4C       LDA   #$4C
96FA-   8D 8D 08    STA   $088D
96FD-   A9 0A       LDA   #$0A
96FF-   8D 8E 08    STA   $088E
9702-   A9 97       LDA   #$97
9704-   8D 8F 08    STA   $088F

; start the boot
9707-   4C 01 08    JMP   $0801

; callback #1 is here -- set up the
; second callback after boot0 loads and
; decrypts boot1
970A-   A9 4C       LDA   #$4C
970C-   8D 7B 08    STA   $087B
970F-   A9 1C       LDA   #$1C
9711-   8D 7C 08    STA   $087C
9714-   A9 97       LDA   #$97
9716-   8D 7D 08    STA   $087D

; continue the boot
9719-   4C 14 08    JMP   $0814

; callback #2 is here -- turn off the
; slot 6 drive motor and reboot to my
; work disk
971C-   AD E8 C0    LDA   $C0E8
971F-   4C 00 C5    JMP   $C500

*BSAVE TRACE,A$9600,L$122
*9600G
...reboots slot 6...
...reboots slot 5...

]BSAVE BOOT1 4000-45FF,A$4000,L$600
]CALL -151

*43CBL

; zero page $DF holds the boot slot x16
43CB-   A5 DF       LDA   $DF
43CD-   8D 6A 40    STA   $406A

; set reset vector
43D0-   A9 60       LDA   #$60
43D2-   8D F2 03    STA   $03F2
43D5-   49 A5       EOR   #$A5
43D7-   8D F4 03    STA   $03F4
43DA-   A9 10       LDA   #$10
43DC-   8D F3 03    STA   $03F3

; don't know what this does yet
43DF-   A2 00       LDX   #$00
43E1-   20 E7 44    JSR   $44E7

; hmm, setting interrupts, why?
43E4-   78          SEI

; don't know what this does either
43E5-   20 2F 44    JSR   $442F

; call this again, but with a
; different parameter in X register
43E8-   A2 01       LDX   #$01
43EA-   20 E7 44    JSR   $44E7

; and this again
43ED-   20 2F 44    JSR   $442F

; and clear interrupts, why?
43F0-   58          CLI

; this must have been loaded by one of
; those two subroutines
43F1-   20 00 20    JSR   $2000

Let's start with $44E7.

*44E7L

44E7-   BD 00 40    LDA   $4000,X
44EA-   8D 71 40    STA   $4071
44ED-   BD 05 40    LDA   $4005,X
44F0-   8D 72 40    STA   $4072
44F3-   BD 0A 40    LDA   $400A,X
44F6-   8D 6D 40    STA   $406D
44F9-   BD 0F 40    LDA   $400F,X
44FC-   8D 6E 40    STA   $406E
44FF-   BD 14 40    LDA   $4014,X
4502-   8D 19 40    STA   $4019
4505-   20 62 42    JSR   $4262
4508-   AC 6E 40    LDY   $406E
450B-   88          DEY
450C-   10 05       BPL   $4513
450E-   A0 0F       LDY   #$0F
4510-   EE 6D 40    INC   $406D
4513-   8C 6E 40    STY   $406E
4516-   EE 72 40    INC   $4072
4519-   CE 19 40    DEC   $4019
451C-   D0 E7       BNE   $4505
451E-   60          RTS

OK, after some further investigation,
it appears this is a multi-sector read
routine. It takes a single parameter,
in the X register, that is used to look
up all the other values from lookup
tables at $4000, $4005, $400A, $400F,
and $4014. Logical sectors are read in
descending order (DEY at $450B), while
tracks are read in ascending order. The
actual RWTS entry point is at $4262.

Here are the actual tables:

*4000.4004

4000- 00 00 00 00 00

*4005.4009

4005- 08 20 08 60 F0

*400A.400E

400A- 01 02 02 05 09

*400F.4013

400F- 0F 07 03 0D 05

*4014.4018

4014- 18 04 26 48 10

$4000: low byte of storage address
$4005: high byte of storage address
$400A: starting track number
$400F: starting sector number
$4014: sector count

This is all a very compact, elegant way
to organize disk reads, but as far as I
can tell, it isn't related to the copy
protection. So I'm betting that $442F
is a nibble check.

*442FL

; this is the slot number (x16)
442F-   AE 6A 40    LDX   $406A
4432-   A4 00       LDY   $00
4434-   8C 48 45    STY   $4548

; death counter
4437-   A9 4A       LDA   #$4A
4439-   8C 49 45    STY   $4549

; turn on drive motor manually and go
; into read mode -- this is always
; suspicious (outside of RWTS code)
443C-   BD 89 C0    LDA   $C089,X

; look for a string of identical bits
; (not bytes)
443F-   BD 8C C0    LDA   $C08C,X
4442-   DD 8C C0    CMP   $C08C,X
4445-   D0 FB       BNE   $4442
4447-   A9 FA       LDA   #$FA
4449-   20 4A 45    JSR   $454A
444C-   BD 8C C0    LDA   $C08C,X
444F-   10 FB       BPL   $444C
4451-   CE 48 45    DEC   $4548
4454-   D0 05       BNE   $445B

; if the death counter hits 0, GOTO FAIL
4456-   CE 49 45    DEC   $4549
4459-   F0 47       BEQ   $44A2

; look for a specific nibble sequence
445B-   C9 CC       CMP   #$CC
445D-   D0 ED       BNE   $444C
445F-   BD 8C C0    LDA   $C08C,X
4462-   10 FB       BPL   $445F
4464-   C9 AA       CMP   #$AA
4466-   D0 F3       BNE   $445B
4468-   BD 8C C0    LDA   $C08C,X
446B-   10 FB       BPL   $4468
446D-   C9 96       CMP   #$96
446F-   D0 DB       BNE   $444C
4471-   8C 48 45    STY   $4548
4474-   BD 8C C0    LDA   $C08C,X
4477-   10 FB       BPL   $4474
4479-   EE 48 45    INC   $4548
447C-   C9 D5       CMP   #$D5
447E-   D0 F4       BNE   $4474
4480-   BD 8C C0    LDA   $C08C,X
4483-   10 FB       BPL   $4480
4485-   C9 DE       CMP   #$DE
4487-   D0 F7       BNE   $4480
4489-   BD 8C C0    LDA   $C08C,X
448C-   10 FB       BPL   $4489
448E-   C9 AA       CMP   #$AA
4490-   D0 F3       BNE   $4485
4492-   BD 8C C0    LDA   $C08C,X
4495-   10 FB       BPL   $4492
4497-   C9 EB       CMP   #$EB
4499-   D0 EA       BNE   $4485
449B-   8C 49 45    STY   $4549
449E-   C8          INY
449F-   D0 04       BNE   $44A5
44A1-   60          RTS

; failure path is here --
; jump to The Badlands
44A2-   4C 1F 45    JMP   $451F

; nibble check continues here
; (presumably because of limitations on
; branch length for the failure path)
; and counts timing bits between the
; nibbles
44A5-   BD 8C C0    LDA   $C08C,X
44A8-   30 14       BMI   $44BE
44AA-   BD 8C C0    LDA   $C08C,X
44AD-   30 0F       BMI   $44BE
44AF-   BD 8C C0    LDA   $C08C,X
44B2-   30 16       BMI   $44CA
44B4-   BD 8C C0    LDA   $C08C,X
44B7-   30 11       BMI   $44CA
44B9-   BD 8C C0    LDA   $C08C,X
44BC-   30 0C       BMI   $44CA
44BE-   2C 49 45    BIT   $4549
44C1-   EA          NOP
44C2-   EA          NOP
44C3-   EA          NOP
44C4-   EA          NOP
44C5-   88          DEY
44C6-   F0 0D       BEQ   $44D5
44C8-   D0 DB       BNE   $44A5
44CA-   EE 49 45    INC   $4549
44CD-   EA          NOP
44CE-   EA          NOP
44CF-   EA          NOP
44D0-   EA          NOP
44D1-   F0 02       BEQ   $44D5
44D3-   D0 D0       BNE   $44A5
44D5-   AD 48 45    LDA   $4548
44D8-   C9 10       CMP   #$10
44DA-   B0 C6       BCS   $44A2
44DC-   AD 49 45    LDA   $4549
44DF-   C9 0B       CMP   #$0B

; fail
44E1-   B0 BF       BCS   $44A2

; success path ends up here --
; turn off drive motor and exit
; gracefully
44E3-   BD 88 C0    LDA   $C088,X
44E6-   60          RTS

Meanwhile, this is The Badlands (from
which there is no return):

*451FL

; turn off drive motor
451F-   BD 88 C0    LDA   $C088,X

; print error message (below)
4522-   A0 17       LDY   #$17
4524-   B9 30 45    LDA   $4530,Y
4527-   99 B0 05    STA   $05B0,Y
452A-   88          DEY
452B-   10 F7       BPL   $4524

; hang in an infinite loop
452D-   4C 2D 45    JMP   $452D
4530- "PLEASE USE ORIGINAL DISK"

...which is exactly the behavior I saw
in my failed copy.

Meanwhile, the nibble check itself has
no side effects. It's called at least
twice, both times with the same entry
point ($442F). I should be able to put
an "RTS" at $442F to neutralize it.

*442F:60
*BSAVE BOOT1 PATCHED,A$4000,L$600

Here's the plan: I'm going to write the
decrypted and patched versions of boot0
and boot1 back to the disk. I already
patched boot0 to skip its self-
decryption loop at $087E. Now I need to
patch it again to skip the second loop
that decrypts $4000..$45FF.

This was the line of code in boot0 that
broke out of the sector read loop and
jumped to the routine to decrypt the
next stage of the boot:

0850-   30 0F       BMI   $0861

I can change that to skip over the
decryption loop and go to the code that
jumps to next stage.

*BLOAD BOOT0 DECRYPTED,A$800
*851:29
*BSAVE BOOT0 PATCHED,A$800,L$100

Now I need to write a small program to
write all the decrypted and patched
code to disk. I'll put boot0 at $3F00
and boot1 at $4000 (since it's already
there). Boot0 goes to T00,S00; boot1
goes to T00,S01-S06. (Yeah, that crazy
boot0 code just ended up loading code
from the first 6 logical sectors on
track 0.)

This code writes to the disk in slot 6,
drive 1, and there is no error checking
or confirmation.

08C0-   A9 08       LDA   #$08
08C2-   A0 E8       LDY   #$E8
08C4-   20 D9 03    JSR   $03D9
08C7-   AC ED 08    LDY   $08ED
08CA-   88          DEY
08CB-   10 05       BPL   $08D2
08CD-   A0 0F       LDY   #$0F
08CF-   CE EC 08    DEC   $08EC
08D2-   8C ED 08    STY   $08ED
08D5-   CE F1 08    DEC   $08F1
08D8-   CE E1 08    DEC   $08E1
08DB-   D0 E3       BNE   $08C0
08DD-   60          RTS

         ++-- sector count
         vv
08E0- 00 07 00 00 00 00 00 00

    start track --++ ++-- start sector
                  vv vv
08E8- 01 60 01 00 00 06 FB 08

08F0- 00 45 00 00 02 00 FE 60
      ^^^^^
      +++++-- start address

08F8- 01 00 00 00 01 EF D8 00

*BSAVE WRITE TRACK 0,A$8C0,L$40
*BLOAD BOOT0 PATCHED,A$3FFF
; boot1 is already at $4000..$45FF
*8C0G

]PR#6

The disk boots and loads without
complaint. There doesn't appear to be
any further protection.

Quod erat liberandum.

---------------------------------------
A 4am crack                     No. 177
------------------EOF------------------