-------------VCR Companion-------------
A 4am crack                  2017-01-17
-------------------. updated 2021-08-27
                   |___________________

Name: VCR Companion
Version: 1988-09-28 (according to file metadata in ProDOS disk catalog)
Genre: graphics
Year: 1988
Credits: Louis Ewens and Lauren Elliott
Publisher: Broderbund Software
Platform: Apple //e or later (128K)
Media: two double-sided 5.25-inch disks
OS: ProDOS 1.5
Previous cracks: none (of this version)

Asimov has an uncredited crack whose latest file is dated 1988-07-27, so this is probably a bugfix release that was released two months later.

~

Chapter 0
In Which The Tools Will Save Us

Disk 1 is bootable but protected.
The other three sides are unbootable but unprotected.
Life is like that.

This has not been a haiku.

Disk 1 was automatically cracked by Passport. Here is the transcript:

--v--
READING FROM S6,D1
T00,S00 FOUND PRODOS BOOTLOADER
USING BUILT-IN RWTS
WRITING TO S6,D2
T00,S04 FOUND E7 BITSTREAM
T00,S04,$A4: AC00AC00AC00AC00AC00AC00 -> 78A8589C30C004A8589C58A8
CRACK COMPLETE.
--^--

More information and source code is available at https://archive.org/details/Passport4am

Disks 2-4 are unprotected, so that's that.

Except...

~

Chapter 1
In Which The Tools Will Not Save Us

The Passport-assisted crack works, in the sense that the program disk boots and works. However, this program has something that most 8-bit Apple II programs did not: an option to install to a hard drive. This presents a new wrinkle.

After the hard drive install, disk 1 acts as a "key" disk. That is, after you launch the program from your hard drive, it scans all available drives for disk 1 and presents this message:

--v--
INSERT VCR COMPANION SIDE 1 INTO A DRIVE

PRESS ANY KEY TO GO ON
--^--

The Passport-cracked version of disk 1 works as a "key" disk, so technically this crack is already complete. But I want to bypass this message, which serves no purpose but copy protection.

So here we go.

Turning to my trusty Disk Fixer sector editor, I scan for the hex sequence "C9 E7" (since Passport already told me that this disk is protected with the E7 bitstream). Mirabile dictu! The copy protection code is not encrypted or obfuscated in any way. I found 3 hits:

--v--
------------- DISK SEARCH -------------
$05/$0A-$80   $05/$0A-$89   $05/$0A-$92

PRESS [RETURN]
--^--

But this is not the code I want to disable. After all, if we're running the E7 protection check, it's because we've already asked the user to insert disk 1. What I really want is the code that runs just before this. Luckily, it appears to be on the same sector.

Here is the disassembly listing from byte $05, edited for readability and annotated:

--v--
T05,S0A
----------- DISASSEMBLY MODE ----------
; boot slot
0005:A5 2B       LDA   $2B
0007:8D 15 25    STA   $2515

; ProDOS MLI call
000A:20 00 BF    JSR   $BF00

; "ONLINE" command
000D:C5

; address of parameter table -- looks
; like this sector is loaded at $2500,
; so the parameter table is just below
000E:14 25

; branch on success
0010:F0 0B       BEQ   $001D

; set carry and exit if ONLINE command
; fails (yikes)
0012:38          SEC
0013:60          RTS

; MLI parameter table -- looks like we
; are storing the results of the ONLINE
; command at $6000
0014:02
0015:00
0016:00
0017:60

; ProDOS-style string with length byte
0018:04
0019:"VCR1"

; execution continues here (from the
; BEQ at $2510)
001D:AD 00 60    LDA   $6000
0020:29 0F       AND   #$0F

; check if
0022:C9 04       CMP   #$04
0024:D0 EC       BNE   $0012
0026:AA          TAX

; compare volume name to the string
; above ("VCR1")
0027:BD 00 60    LDA   $6000,X
002A:DD 18 25    CMP   $2518,X
002D:D0 E3       BNE   $0012
002F:CA          DEX
0030:D0 F5       BNE   $0027

; save some of zero page
0032:A2 F0       LDX   #$F0
0034:B5 00       LDA   $00,X
0036:9D 00 02    STA   $0200,X
0039:E8          INX
003A:D0 F8       BNE   $0034

; set up zero page for the check
003C:A9 0A       LDA   #$0A
003E:85 F4       STA   $F4
0040:A5 2B       LDA   $2B
0042:29 70       AND   #$70
0044:85 2B       STA   $2B
0046:AA          TAX

; turn on the drive motor manually
0047:BD 89 C0    LDA   $C089,X
004A:BD 8E C0    LDA   $C08E,X
.
. E7 protection check omitted (but it's
. really interesting; read #681 The
. Hangtown Trilogy if you don't know
. how it works!)
.
; compare out-of-phase nibbles to the
; expected values
00A9:A0 07       LDY   #$07
00AB:BD 8C C0    LDA   $C08C,X
00AE:10 FB       BPL   $00AB
00B0:D1 F6       CMP   ($F6),Y
00B2:D0 05       BNE   $00B9
00B4:88          DEY
00B5:10 F4       BPL   $00AB
00B7:30 03       BMI   $00BC

; failure path (decrements a Death
; Counter and eventually sets the carry
; and exits)
00B9:4C CC 25    JMP   $25CC

; success path (from $25B7)
; restore zero page
00BC:A0 F0       LDY   #$F0
00BE:B9 00 02    LDA   $0200,Y
00C1:99 00 00    STA   $0000,Y
00C4:C8          INY
00C5:D0 F7       BNE   $00BE

; turn off drive motor
00C7:BD 88 C0    LDA   $C088,X

; clear carry and exit
00CA:18          CLC
00CB:60          RTS
--^--

To sum up: starting at $2505, we issue an "ONLINE" command through the ProDOS MLI, then check if the disk "VCR1" is in the drive. If so, we execute the E7 protection check and clear the carry on success. If anything goes wrong, we set the carry and exit.

I should be able to clear the carry unconditionally and exit before issuing the MLI command, to fool the caller into thinking that disk "VCR1" is in the drive.

T05,S0A,$05: A52B -> 1860

]PR#6
...works...

I did test this patch thoroughly to confirm that it does not interfere with the normal operation of the program. If the program needs disk 1 for legitimate (non-protection-related) reasons, it uses a different routine altogether that displays a graphical dialog box. And if the program needs disk 2-4 for any reason, including during the hard drive install, it recognizes when they're not in any drive and recognizes when you insert them. So this patch only affects the copy protection check.

Quod erat liberandum.

~

Changelog

2021-08-27
- updated text to latest Passport log for consistency, even though we don't end up using it

2017-01-17
- initial release

---------------------------------------
A 4am crack                     No. 972
------------------EOF------------------
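
Added example (not part of the original write-up): a Python model of the volume-name test that the listing performs on the ONLINE result at $6000 before it reaches the E7 check. The record layout follows the ProDOS MLI ONLINE call; the helper names and sample records are constructed for illustration, and the name bytes are assumed to be plain ASCII.

```python
# Added example: models the volume-name test at $251D-$2530 of the listing.
# Assumes the ProDOS ONLINE record layout: byte 0 = drive (bit 7), slot
# (bits 6-4) and name length (bits 3-0); bytes 1-15 = volume name in ASCII.

EXPECTED = bytes([0x04]) + b"VCR1"  # length-prefixed string at $2518


def make_online_record(slot, drive, name):
    """Build a constructed 16-byte ONLINE record (hypothetical helper)."""
    if not (1 <= slot <= 7 and drive in (1, 2) and 1 <= len(name) <= 15):
        raise ValueError("bad slot, drive or volume name")
    raw = name.encode("ascii")
    unit = ((drive - 1) << 7) | (slot << 4)
    return bytes([unit | len(raw)]) + raw.ljust(15, b"\x00")


def parse_online_record(record):
    """Split a 16-byte record into (slot, drive, volume name)."""
    if len(record) != 16:
        raise ValueError("ONLINE record must be 16 bytes")
    length = record[0] & 0x0F
    slot = (record[0] >> 4) & 0x07
    drive = (record[0] >> 7) + 1
    return slot, drive, record[1:1 + length].decode("ascii")


def volume_name_matches(record, expected=EXPECTED):
    """True if the routine would fall through to the E7 check,
    False if it would branch to the SEC/RTS at $2512."""
    # LDA $6000 / AND #$0F / CMP #$04 / BNE: name length must equal 4.
    if record[0] & 0x0F != expected[0]:
        return False
    # LDA $6000,X / CMP $2518,X / DEX / BNE: X counts down 4..1, so byte 0
    # (slot and drive) is never compared, only the four name characters.
    for x in range(expected[0], 0, -1):
        if record[x] != expected[x]:
            return False
    return True


if __name__ == "__main__":
    for slot, drive, name in [(6, 1, "VCR1"), (6, 2, "VCR1"), (6, 1, "VCR2"),
                              (6, 1, "VCR10")]:
        rec = make_online_record(slot, drive, name)
        print(parse_online_record(rec), volume_name_matches(rec))
```

A record whose length nibble is 0 (no usable volume name) fails the first comparison, so it takes the same SEC/RTS exit as a wrong name.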