---------Air Raid Pearl Harbor---------
A 4am crack                   2017-07-12
---------------------------------------

Name: Air Raid Pearl Harbor
Genre: simulation
Year: 1990
Publisher: General Quarters Software
Platform: Apple ][+ or later (64K)
Media: double-sided 5.25-inch floppy
OS: Pronto-DOS
Previous cracks: none

~

The disk itself is unprotected (COPYA can copy it), but on boot it shows
this screen:

--v--
APPLE IIE & IIC MACHINES
ENGAGE CAPS LOCK KEY

(PRESS RETURN TO CONTINUE)
--^--

Then this screen:

--v--
** AIR RAID PEARL HARBOR **

CODEWORD: ALPHA

PASSWORD ?_
--^--

Entering the correct codeword from the manual shows a third screen:

--v--
INITIAL ANTHEM (Y/N) ?
--^--

According to the manual, there are five possible codewords: ALPHA, BETA,
GAMMA, DELTA, and EPSILON. The correct answer gives you full access to the
game; there doesn't appear to be any further protection.

Obviously this is an unacceptable state of affairs.

~

Booting the disk and breaking out of the BASIC program gets me to a working
prompt with DOS in memory.

]PR#6
...
BREAK

]LIST

5  IF  PEEK (978) = 157 THEN  PRINT  CHR$ (4);"BRUN DOS-UP"
10  PRINT  CHR$ (4);"BLOAD RUNTI
     ME" +  CHR$ (13) +  CHR$ (4) + "BRUN GS0" +  CHR$ (13)
20  END

]CATALOG

PRONTO-DOS V254
*T 006 AFILE
*T 005 BFILE
*B 008 CEDRIVER
*B 007 DOS-UP
*B 018 GS0
*B 064 GS1
*B 085 GS2
*B 018 GS3
*B 073 GS4
*B 032 GS5
*B 008 GS6
*B 071 GS7
*A 002 HELLO
*B 033 MAP5
*B 012 PLAYERS
*B 017 RUNTIME
*B 033 STATDISPLAY
*B 018 USS

Turning to my trusty Disk Fixer sector editor, I can see the entirety of
GS0 in hex and ASCII. It is illuminating.

[Disk Fixer]
["D"irectory mode]
[select "GS0"]

--v--
-------------- DISK EDIT --------------
TRACK $1B/SECTOR $01/VOLUME $FE/BYTE$00
---------------------------------------
$00:>00<60 1F 10 20 03 08 B5  @ _P CH5
     ^^^^^ ^^^^^
   address len  (DOS 3.3 file header)
$08: 61 24 71 FF 5F FF 5F FF  !$1._._.
$10: 5F 1E 70 F2 70 24 71 00  _^0r0$1@
$18: 20 C8 6D 20 0C 70 4C 23   H- L0L#
$20: 60 05 41 4C 50 48 41 20   EALPHA
        ^^^^^^^^^^^^^^^^^ length-prefixed string ("ALPHA")
$28: C5 0E 1D 60 20 6F 0C 20  EN] /L
$30: DD 6D 20 0C 70 4C 39 60  ]- L0L9
$38: 04 42 45 54 41 20 C5 0E  DBETA EN
     ^^^^^^^^^^^^^^ "BETA"
$40: 34 60 20 6F 0C 20 EF 6D  4 /L o-
$48: 20 0C 70 4C 50 60 05 47   L0LP EG
                       ^^^^^
$50: 41 4D 4D 41 20 C5 0E 4A  AMMA ENJ
     ^^^^^^^^^^^ "GAMMA", and so on
$58: 60 20 6F 0C 20 22 6E 20   /L ".
$60: 0C 70 4C 67 60 05 44 45  L0L' EDE
$68: 4C 54 41 20 C5 0E 61 60  LTA EN!
$70: 20 6F 0C 20 61 6E 20 0C   /L !. L
$78: 70 4C 80 60 07 45 50 53  0L. GEPS
$80: 49 4C 4F 4E 20 C5 0E 78  ILON EN8
$88: 60 20 6F 0C 20 58 FC 20   /L X|
$90: 18 6F 20 A1 14 20 E2 6E  X/ !T b.
$98: 20 AA 14 4C B3 60 18 41   *TL3 XA
                       ^^^^^
$A0: 50 50 4C 45 20 49 49 45  PPLE IIE
     ^^^^^^^^^^^^^^^^^^^^^^^
$A8: 20 26 20 49 49 43 20 4D   & IIC M
     ^^^^^^^^^^^^^^^^^^^^^^^
$B0: 41 43 48 49 4E 45 53 20  ACHINES
     ^^^^^^^^^^^^^^^^^^^^^^^ I saw this string printed
$B8: C5 0E 9A 60 20 EE 0E 20  EN. nN
$C0: FB DA 20 0F 6F 20 AA 14  {Z O/ *T
$C8: 4C DC 60 14 45 4E 47 41  L\ TENGA
              ^^^^^^^^^^^^^^
$D0: 47 45 20 43 41 50 53 20  GE CAPS
     ^^^^^^^^^^^^^^^^^^^^^^^
$D8: 4C 4F 43 4B 20 4B 45 59  LOCK KEY
     ^^^^^^^^^^^^^^^^^^^^^^^ I saw this string printed also
$E0: 20 C5 0E C7 60 20 EE 0E   ENG nN
$E8: 20 FB DA 20 45 6F 20 41   {Z E/ A
$F0: 17 20 9B 6D 20 54 14 20  W .- TT
$F8: 96 6F 20 A1 14 20 27>16  ./ !T 'V
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:GS0      /$00
---------------------------------------
COMMAND : _
--^--

Lots of interesting stuff going on, all in the first sector of the file!
The standard 4-byte header tells me the file loads at address $6000 (and
is $1F10 bytes long). Almost immediately I start seeing the inline strings
that were printed on screen when I ran the program, each one preceded by
its length byte.
A few sectors later (press right arrow to "follow" a file based on its
track/sector list), I see the text of the codeword lookup screen:

--v--
-------------- DISK EDIT --------------
TRACK $02/SECTOR $0D/VOLUME $FE/BYTE$8E
---------------------------------------
$80: 70 20 58 FC 20 D0 6E 20  0 X| P.
$88: AA 14 4C A7 63 1D>2A<2A  *TL'#]**
                    ^^^^^^^^
$90: 20 20 41 49 52 20 52 41    AIR RA
     ^^^^^^^^^^^^^^^^^^^^^^^
$98: 49 44 20 50 45 41 52 4C  ID PEARL
     ^^^^^^^^^^^^^^^^^^^^^^^
$A0: 20 48 41 52 42 4F 52 20   HARBOR
     ^^^^^^^^^^^^^^^^^^^^^^^ "AIR RAID PEARL HARBOR"
$A8: 20 2A 2A 20 C5 0E 89 63   ** EN.#
$B0: 20 EE 0E 20 FB DA 20 FD   nN {Z }
$B8: 6E 20 AA 14 20 FD 6E 20  . *T }.
$C0: A1 14 4C CC 63 0A 43 4F  !TLL#JCO
                    ^^^^^^^^
$C8: 44 45 57 4F 52 44 3A 20  DEWORD:
     ^^^^^^^^^^^^^^^^^^^^^^^ "CODEWORD:"
$D0: 20 C5 0E C1 63 20 EE 0E   ENA# nN
$D8: 20 4A 6D 20 AA 10 20 0A   J- *P J
$E0: 70 20 EE 0E 20 FB DA 20  0 nN {Z
$E8: FD 6E 20 AA 14 20 18 6F  }. *T X/
$F0: 20 A1 14 20 27 16 4C 00   !T 'VL@
$F8: 64 0A 50 41 53 53 57 4F  $JPASSWO
        ^^^^^^^^^^^^^^^^^^^^ "PASSWO[RD:]"
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:GS0      /$03
---------------------------------------
COMMAND : _
--^--

Just before the "AIR RAID PEARL HARBOR" text, I see a familiar 3-byte
instruction: 20 58 FC (at offset $81). This is 6502 code for "JSR $FC58",
a standard entry point in the Monitor ROM, equivalent to the "HOME" command
in BASIC. It clears the screen and resets the text-window parameters in
zero page so that subsequent "PRINT" commands start at the top of the
screen.

Looking back at the first sector of the file, I see the same 3-byte
sequence at offset $8C: 20 58 FC.

This program is not even attempting to hide what's going on. It
straightforwardly calls standard ROM routines to clear the screen and
prints inline strings without any sort of encryption (not even XOR). It
does not, however, have the actual codeword answers embedded anywhere.
But I don't care about the answers; I want to bypass the question.

Following the file to the very next sector, I see the text of the third
screen, the one that's displayed after you enter the correct codeword on
the second screen. And lo! The same call to $FC58 immediately before the
text.

--v--
-------------- DISK EDIT --------------
TRACK $02/SECTOR $0C/VOLUME $FE/BYTE$43
---------------------------------------
$00: 52 44 20 3F 20 C2 0E F5  RD ? BNu
$08: 63 20 8A 12 20 17 70 20  # .R W0
$10: 87 13 20 86 6D 20 D1 6D  .S .- Q-
$18: 20 83 6D 20 86 6D 20 F8   .- .- x
$20: 6D 20 19 15 D0 03 4C 2B  - YUPCL+
$28: 64 20 D8 F3 4C 63 13 20  $ XsL#S
$30: 4A 6D 20 AA 10 20 F5 6F  J- *P u/
$38: 20 15 70 20 B7 15 F0 03   U0 7UpC
$40: 4C B2 63>20<58 FC 20 18  L2# X| X
              ^^^^^^^^ JSR $FC58 (HOME)
$48: 6F 20 A1 14 20 FD 6E 20  / !T }.
$50: AA 14 4C 68 64 16 49 4E  *TL($VIN
                    ^^^^^^^^
$58: 49 54 49 41 4C 20 41 4E  ITIAL AN
     ^^^^^^^^^^^^^^^^^^^^^^^
$60: 54 48 45 4D 20 28 59 2F  THEM (Y/
     ^^^^^^^^^^^^^^^^^^^^^^^ "INITIAL ANTHEM (Y/N) ?"
$68: 4E 29 20 3F 20 C5 0E 51  N) ? ENQ
$70: 64 20 EE 0E 20 CC 10 20  $ nN LP
$78: 02 70 20 EE 0E 20 FB DA  B0 nN {Z
---------------------------------------
BUFFER 0/SLOT 6/DRIVE 1/MASK OFF/NORMAL
DOS3.3:GS0      /$04
---------------------------------------
COMMAND : _
--^--

Is it possible to bypass the codeword lookup screen by jumping from one
"JSR $FC58" to the next? A byte's address in memory is the file's load
address plus its offset within the file, less the 4-byte DOS 3.3 file
header. GS0 loads at $6000, and T02,S0C is relative sector $04 of the file,
so the "JSR $FC58" for the third screen (shown above at offset $43 in
T02,S0C) is in memory at $6000 + $0400 + $43 - $04 = $643F. Thus, to bypass
the second screen (which contains the codeword lookup), I change the
"JSR $FC58" at offset $81 of T02,S0D to "JMP $643F".

T02,S0D,$81: 2058FC -> 4C3F64

]PR#6
...works...

There don't appear to be any side effects in the codeword lookup screen,
so skipping it altogether has no ill effects.

Quod erat liberandum.
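The patch derivation, as an added example that is not part of the original write-up: the file image below is a constructed stand-in (a zero-filled buffer of the size given in GS0's header, with only the two dumped 16-byte fragments written in at their file offsets), TS_LIST is the relative-sector to track/sector mapping taken from the Disk Fixer status lines above, and the function names are this example's own.

```python
# Added example: derive and apply the JSR $FC58 -> JMP patch that skips the
# codeword screen. The image is a constructed stand-in for GS0: zero-filled,
# sized from its header, with just the two dumped fragments written in.

JSR, JMP = 0x20, 0x4C
ROM_HOME = 0xFC58
LOAD_ADDR, LENGTH = 0x6000, 0x1F10        # GS0's DOS 3.3 header

# Relative data sector -> (track, sector), as Disk Fixer showed while
# following the file. Only the sectors the write-up visited are listed.
TS_LIST = {0x00: (0x1B, 0x01), 0x03: (0x02, 0x0D), 0x04: (0x02, 0x0C)}


def make_image():
    """Constructed GS0 image: header plus the two dumped 16-byte fragments."""
    img = bytearray(4 + LENGTH)
    img[0:2] = LOAD_ADDR.to_bytes(2, "little")
    img[2:4] = LENGTH.to_bytes(2, "little")
    # T02,S0D (relative sector $03), bytes $80-$8F: JSR $FC58 at $81
    img[0x380:0x390] = bytes.fromhex("70 20 58 FC 20 D0 6E 20 AA 14 4C A7 63 1D 2A 2A")
    # T02,S0C (relative sector $04), bytes $40-$4F: JSR $FC58 at $43
    img[0x440:0x450] = bytes.fromhex("4C B2 63 20 58 FC 20 18 6F 20 A1 14 20 FD 6E 20")
    return img


def file_off(rel_sector, byte_off):
    return rel_sector * 256 + byte_off


def addr(rel_sector, byte_off):
    """Load address of that byte: the 4-byte header is not loaded, so subtract 4."""
    return LOAD_ADDR + file_off(rel_sector, byte_off) - 4


def decode3(img, rel_sector, byte_off):
    """Disassemble a 3-byte absolute JSR/JMP at the position, or None."""
    o = file_off(rel_sector, byte_off)
    op = img[o]
    target = int.from_bytes(img[o + 1:o + 3], "little")
    mnem = {JSR: "JSR", JMP: "JMP"}.get(op)
    return f"{mnem} ${target:04X}" if mnem else None


def patch_skip(img, src, dst):
    """Turn the JSR $FC58 at src into JMP <address of the JSR $FC58 at dst>,
    so everything between the two HOME calls is skipped. Refuses unless both
    positions really hold JSR $FC58: a mistyped offset would corrupt code
    silently. Returns the edit in the write-up's T,S,offset notation."""
    for pos in (src, dst):
        if decode3(img, *pos) != "JSR $FC58":
            raise ValueError(f"relative sector ${pos[0]:02X} offset ${pos[1]:02X} "
                             f"is not JSR $FC58")
    target = addr(*dst)
    o = file_off(*src)
    old = bytes(img[o:o + 3])
    new = bytes([JMP, target & 0xFF, target >> 8])
    img[o:o + 3] = new
    t, s = TS_LIST[src[0]]
    return f"T{t:02X},S{s:02X},${src[1]:02X}: {old.hex().upper()} -> {new.hex().upper()}"


if __name__ == "__main__":
    img = make_image()
    print(patch_skip(img, (0x03, 0x81), (0x04, 0x43)))   # T02,S0D,$81: 2058FC -> 4C3F64
    print(decode3(img, 0x03, 0x81))                       # JMP $643F
```

patch_skip refuses to write unless both positions decode as JSR $FC58, because a sector editor will happily overwrite whatever sits at a mistyped offset. The JMP replaces a JSR, but its target is itself a JSR $FC58, so the stack stays balanced: nothing is pushed that is never popped. What the write-up confirmed by running the game, and what any such skip needs checking for, is that the bypassed span stores nothing that later code reads.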
---------------------------------------
A 4am crack                     No. 1329
------------------EOF------------------